Privacy

1. Purpose and scope

UAB Unblock LT(“we”, “us”, “Unblock”, “Company”) is a cryptocurrency exchange operator, incorporated and existing in the Republic of Lithuania, company registration number 306159788 having its registered office at Prienų r. sav., Balbieriškis, Klevų g. 25-22.In any case, all personal data collected by us is processed in accordance with the EU General Data Protection Regulation No. 2016/679 (GDPR), Law on the Legal Protection of Personal Data of the Republic of Lithuania and other applicable legal acts.In this Privacy Policy, we provide you with explanation on what kind of personal data we collect when you use our services (Services).When writing ‘you’, we mean you as – a potential, existing or former client, our client’s employee or other parties, such as beneficial owners, authorised representatives, business partners, other associated parties or a person contacting us by e–mail or using other communication means.

‍

2. Principles relating to processing of personal data

We are responsible for ensuring security of your personal data made available to us, in particular to prevent unauthorized access to your data. We are also responsible for ensuring all users with the opportunity to benefit their rights regarding their own personal data.

When processing personal data, we follow the principles of:

● legality, fairness and transparency;

● purpose limitation;

● data reduction;

● accuracy;

● limitation of the length of the storage;

● integrity and confidentiality.

‍

3. What information we collect, for what purposes and on what legal basis

3.1 Categories of personal data being processed

The personal data we collect can be grouped into the following categories:

‍

Type of Information	Personal Data
Basic personal data	First, last, middle, maiden names, job title, etc.
Identification information and other background verification data (your, or your representatives’ and, ultimate beneficiary owner’s)	Name, surname, personal identity code, date of birth, any other unique sequence of symbols granted to you, intended for personal identification, country of birth, address, nationality (in the case of a stateless person – the state which issued the identity document), citizenship, gender, copy of passport or ID card and its details (e.g., type, number, place and date of issuance, expiry date, MRZ code, signature), evidence of beneficial ownership or the source of funds (funds for account opening or transactions, occupation/employment information), source of wealth (information on how wealth was obtained), tax information (tax residence, tax identification number), number of shares held, voting rights or part of share capital, title, visually scanned or photographed image of your face or image that you provide through a camera while using our identification application, video and audio recordings for identification.
Monetary operations details	Such as currency, amount, location, date, time, IP address, payer’s and payee's name and registration information, messages and documents sent or received with the payment.
Details of your activities in your website account	History of the actions performed in your website account, technical information, including the internet protocol (IP) address used to connect your computer to the internet, your log-in information (e.g., login time), browser type and version, time-zone setting, operating system and platform, type of device you use, unique device identifier.
Details of your activities in our website	History of the actions performed in our website, technical information, including the internet protocol (IP) address used to connect your computer to the internet, browser type and version, time zone setting, operating system and platform, type of device you use.
Details of your existing bank account/-s	Financial institution account number, IBAN number, payment card number.
Information related to legal requirements	Data that enables us to perform anti-money laundering requirements and ensure the compliance with international sanctions, including the purpose of the business relationship and whether you are a politically exposed person and other data that is required to be processed by us in order to comply with the legal obligation to “know your client” (collected data will differ depending on the client’s risk score). (KYC)
Information obtained and/or created in order to fulfil the requirements of applicable legislation	Data that the Company is required to provide to public authorities, such as tax administrators, courts, including data on income, payments and other information held by the Company.
Contact details	Phone number, e-mail, residential address.
Communication details	Content of email correspondence or any other form of communication with us (i.e., live chat, blogs, posts).
Information about your behaviour	Social media account details, interests, product or service preferences, other information about your behaviour and your activity on our website.
Special category data	Biometric data.

3.2 Purposes and legal basis for personal data processing

Purpose	Legal Basis	Categories of personal data
To conclude the contract with you, or to take steps at your request prior to entering into a contract	Taking necessary steps before conclusion of the contract and/or conclusion of the contract; Legal obligations.	Basic personal data; Identification and other background verification data; Contact details; Other personal data needed (in order to evaluate the possibility of providing services).
To perform the contract concluded with you, including (but not limited to) provision of the Services	Performance of the contract; Legal obligations.	Basic personal data; Identification and other background verification data; Monetary operation details; Details of your activities in your website account; Details of your existing bank account/-s;Information related to legal requirements; Contact details; Communication details; Other personal data needed (in order to evaluate the possibility of providing services).
To carry out ongoing Client Due Diligence (CDD) and manage risk obligations, identify, investigate and report suspicious transactions and potential market abuse	Legal obligations.	Basic personal data; Identification and other background verification data; Monetary operation details; Details of your existing bank account/-s; Information related to legal requirements; Contact details. (Scope of the processing of personal data depends on the specific operation being investigated)
To enable us to comply with anti-money laundering and anti-terrorist financing requirements and to enforce compliance with the requirements relating to sanctions (including Know Your Customer ("KYC") obligations, such as to determine the purpose of the business relationship and whether you are a politically exposed person, as well as the source of funds)	Legal obligations.	Basic personal data; Identification and other background verification data; Monetary operation details; Details of your existing bank account/-s; Information related to legal requirements; Contact details; Other personal data needed.
To comply with other legal requirements under applicable legislation in areas such as the provision of payment services (including client ongoing client due diligence (CDD), financial markets and financial services, market abuse, personal data protection, accounting and taxation	Legal obligations.	Basic personal data; Identification and other background verification data; Information obtained and/or created in order to fulfil the requirements of applicable legislation; Contact details; Other personal data needed.(the scope of processed personal data depends on the client's risk category, specific situation and may include all of the above categories of personal data or a part of this personal data)
To identify you remotely	Your consent.	Special category data.
To prevent, limit and investigate any misuse or unlawful use or disturbance of the Services or to establish, exercising and defend legal claims	Performance of the contract; Legitimate interest; Legal obligations.	Basic personal data; Identification and other background verification data; Monetary operation details; Details of your activities in your website account; Details of your activities in our website;Details of your existing bank account/-s; Information related to legal requirements; Contact details; Communication details; Other personal data needed (in order to evaluate the possibility of providing services).
To ensure adequate provisions of the Services, the safety of information within the Services, as well as to improve, develop and maintain applications, technical systems and IT-infrastructure	Legitimate interest.	Basic personal data; Contact details; Details of your activities in our website; Communication details; Other personal data needed (in order to evaluate the possibility of providing services).
To assess the quality of our Services and improve and deliver a more personalized experience	Legitimate interest	Information about your behaviour; Communication details; Details of your activities in your website account; Details of your activities in our website; Contact details.
To provide an answer when you contact us via our website or other communication means	Your consent.	Basic personal data; Contact details; Communication details; Other personal data needed (in order to evaluate the possibility of providing services).
To provide an answer when you contact us via our website or other communication means	Your consent.	Basic personal data; Contact details; Communication details; Other personal data needed (in order to evaluate the possibility of providing services).

‍

We do not process special category data relatedto your health, ethnicity, or religious or political beliefs unless required bylaw or in specific circumstances where, for example, you reveal such data whileusing the Services (e.g., in payments details).If you provide us personal dataabout other people (such as your spouse or family) or you ask us to share theirpersonal data with third parties, you confirm that you have brought thisPrivacy Policy to their attention beforehand.

4. How we collect your personaldata

We collect information you provide directly to us when you:
‍
a) fill out any forms on our website;
b) open an account or use any other Services;
c) contact us by using other means of communication (e.g., via our socialnetwork accounts).

We may also receive your personal data from third parties. In particular:

a) we may receive personal data from third parties such as public or privateregisters and databases. This includes information to help us check youridentity, if applicable, information about your spouse and family, andinformation relating to your transactions;
b) occasionally we will use publicly available information about you frompublicly available sources (e.g., media, online registers and directories) andwebsites for enhanced due diligence checks, security searches and otherpurposes related to client due diligence processes;
c) we may receive personal data from a third party which is connected to you oris dealing with us, for example, business partners, sub–contractors, serviceproviders, merchants and etc.;
d) we may receive personal data from banks or other financial institutions incase the personal data is received while executing payment operations;
e) we may receive personal data from other entities which we collaborate with.

5. Our identification tools
In order to perform your identity verification, we use the services provided byour partner ”Sumsub” (hereinafter – ”Sumsub”). The Service Provider takes thephoto images or video recordings of your face and your ID document that youprovide through a dedicated website using the camera. For more information on”Sumsub” please read their Privacy Policy.

‍“Sumsub” solution is used for comparing livephotographic data or video record of your and your ID document, to comply withlegal obligations (e.g., implementation of the obligations under the Law onPrevention of Money Laundering and Terrorist Financing of the Republic ofLithuania and other fraud and crime prevention purposes) and risk managementobligations.

The result of the face similarity (match or mismatch) will be retained for aslong as it is necessary to carry out verification and for the period requiredby anti-money laundering laws.

We ensure that your face similarity check is a process of comparing dataacquired at the time of verification, i.e., this is a one-time userauthorization by comparing person's photos to each other. Your facial templateis not created, recorded or stored. It is not possible to regenerate the rawdata from retained information.

Using “Sumsub” services, personal data is used for your identification, since“Sumsub” verifies the identity of the person in the identity document and theperson captured in the photo. This process shall allow us to verify youridentity more precisely and make the process quicker and easier to execute. Ifyou do not feel comfortable with this identification method, you may contact usby e-mail at info@getunblock.com foran alternative way to identify you.

6. Direct marketing
‍In case you are existing clients (i.e., you already use our Services), wemay use your e-mail address for direct marketing purposes, but only with regardto products and/or services that are similar or related to the Services, andonly if you do not object to such use of your e-mail address. You are alsogranted with a clear, free of charge and easily enforceable possibility toobject or withdraw from such use of your contact details.

In other cases, we may use your personal data for the purpose of directmarketing, only if you give us your prior consent regarding such use of thedata.

We are entitled to offer the services provided by our business partners orother third parties to you or find out your opinion on different matters inrelation to our business partners or other third parties taking account of thelegal basis for this, i.e., your prior consent.

In case you do not agree to receive these marketing messages offered by us, ourbusiness partners or third parties, this will not have any impact on theprovision of Services to you as the client.

We provide a clear, free-of-charge and easily enforceable possibility not togive your consent or, at any time, to withdraw your consent to receive ourmarketing messages. We shall state in each notification sent by e-mail that youare entitled to object to the processing of the personal data, and to refusereceiving messages from us. You shall be able to refuse to receiving ourmarketing messages by clicking on the respective link in each marketing e-mailreceived from us.

7. Automated decision making
‍In some cases, we may use automated decision-making which refers to a decisiontaken solely on the basis of automated processing of your personal data.

Automated decision-making refers to the processing using, for example, asoftware code or an algorithm, which does not require human intervention.

We may use forms of automated decision making on processing your personal datafor
some services and products. You can request a manual review of the accuracy ofan automated decision in case you are not satisfied with it.

For more information about your rights please see the section Your rights.

8. How we share your personal data
‍
‍The following is a list of key recipients, to whom your personal data might bedisclosed to:

a) public authorities, institutions, organisations, courts and other thirdparties, but only upon request and only when required by applicable laws, or incases and under procedures provided for by applicable laws;
b) third parties providing services to the Company including providers oflegal, financial, auditing, tax, business management, personnel administration,accounting, advertising (including online advertising), direct marketing,communications, data centres, hosting, cloud and/or other services. In eachcase, we provide such third parties with only as much data as necessary toprovide their services. Service providers engaged by us may process yourpersonal data only in accordance with our instructions and may not use them forother purposes;
c) third parties for the purpose of performance of the contract concluded withyou;
d) our affiliate companies – i.e., companies belonging to the same group;
e) third parties, when we intend to enter into a business sale transactionand/or to perform legal and/or financial due diligence of us prior to suchtransaction;
f) other persons with your consent.

9. International transfer ofpersonal data

‍In case your personal data is transferred outside the European Economic Area(EEA), we will take necessary steps to ensure that your data is treatedsecurely and in accordance with this Privacy Policy and we will ensure that itis protected and transferred in a manner consistent with the legal requirementsapplicable to the personal data. This can be done in a number of differentways, for example:
a) the country to which we send the personal data, a territory or one or morespecified sectors within that third country, or the international organizationis approved by the European Commission as having an adequate level ofprotection;
b) the recipient has signed or contains in its terms of service (serviceagreement) standard contractual clauses adopted by the European Commission;
c) special permission has been obtained from a supervisory authority.

We may transfer personal data to a third country by taking other measures if itensures appropriate safeguards as indicated in the GDPR or on the basis ofderogations.

10. How we protect your personaldata
‍Please note that, although no system of technology is completely secure, wehave to implement appropriate security measures in order to minimize the risksof unauthorized access to or improper use of your personal information.

We and our third-party service providers that may be engaged in the processingof personal data on our behalf (for the purposes indicated above) arecontractually obligated to respect the confidentiality of the personaldata.

A variety of logical and physical security measures are used to keep yourpersonal data safe and prevent unauthorized access, usage, or disclosure of it(the list indicated below is not exhaustive): we use antivirus software,information security policies, access restriction, we regularly review ourinformation collection, storage, and processing practices to preventunauthorized access to our systems, we use mandatory data encryption andpassword protection, carry out regular penetration tests and backup of data,etc.

11. How long we keep your personaldata
‍We will keep your personal data for as long as it is needed for the purposesfor which your data was collected and processed, including for the purposes tocomply with any legal, regulatory, tax, accounting or reporting obligations.This means that we store your data for as long as it is necessary for provisionof the Services and as required by the retention requirements in laws andregulations. If the legislation of the Republic of Lithuania does not provideany applicable data retention period, it shall be determined by us, taking intoaccount the legitimate purpose of the data retention, the legal basis and theprinciples of lawful processing of personal data.

The terms of data retention of the personal data for the purposes of theprocessing of the personal data as specified in this Privacy Policy are asfollows:
‍
a) as long as your consent remains in force, if there are no other legalrequirements which shall be fulfilled with regard to the personal dataprocessing;
b) in case of the conclusion and execution of contracts – until the contractconcluded between you and us remains in force and up to 10 years after therelationship between you and us has ended;
c) the personal data collected for the implementation of the obligations underthe Law on the Prevention of Money Laundering and Terrorist Financing shall bestored up to 8 (eight) years as provided in the Law on Prevention of MoneyLaundering and Terrorist Financing of the Republic of Lithuania. The retentionperiod may be extended for a period not exceeding 2 (two) years, provided thereis a reasoned request from a competent authority;
d) the personal data submitted by you through our Platform or via e-mail iskept for an extent necessary for the fulfilment of your request and to maintainfurther cooperation, but no longer than 6 months after the last day of thecommunication, if there are no legal requirements to keep them longer.In thecases when the terms of data keeping are indicated in the legislativeregulations, the legislative regulations are applied.

We may retain your personal data for a longer period when:

a) it is necessary in order for us to defend ourselves against existing orthreatened claims, or to exercise our rights, or for the proper resolution ofdispute, complaint or claim;
b) there is a reasonable suspicion of illegal activity;
c) it is required by applicable laws;

Upon expiration of the retention period, we will delete and/or reliably andirrevocably depersonalize your data as soon as possible, within a reasonabletime required to perform such action.

12.Your rights
a) The right to be informed.You have the right to be provided with clear, transparent and easilyunderstandable information about how we use your personal data.
b) The right to access. Youhave the right to request from us the copies of your personal data. Where yourrequests are excessive, in particular if they are being sent with a repetitivecharacter, we may refuse to act on the request, or charge a reasonable feetaking into account the administrative costs for providing the information. Theassessment of the excessiveness of the request will be made by us.
c) The right to rectification.You have the right to request us to correct or update your personal data at anytime, in particular if your personal data is incomplete or incorrect.
d) The right to data portability.The personal data provided by you is portable. You have the right to requestthat we transfer the data that we have collected to another organization, ordirectly to you, under certain conditions.
e) The right to be forgotten.When there is no good reason for us to process your personal data anymore, youcan ask us to delete your data. We will take reasonable steps to respond toyour request. If your personal data is no longer needed and we are not requiredby law to retain it, we will delete, destroy or permanently de-identify it.
f) The right to restrictprocessing. You have the right to restrict the processing of your personaldata in certain situations (e. g. you want us to investigate whether it isaccurate; we no longer need your personal data, but you want us to continueholding it for you in connection with a legal claim).
g) The right to object processing. Undercertain circumstances you have the right to object to certain types ofprocessing (e. g. receiving notification emails). However, if you object to ususing personal data which we need in order to provide our Services, we may needto close your payment account as we will not be able to provide the Services.
h) The right to file a complaintwith a supervisory authority. You have the right to file a complaintdirectly the State Data Protection Inspectorate of Lithuania if you believethat the personal data is processed in a way that violates your rights andlegitimate interests stipulated by applicable legislation. You may apply inaccordance with the procedures for handling complaints that are established bythe State Data Protection Inspectorate and which may be found by this link:https://vdai.lrv.lt/lt/veiklos-sritys-1/skundu-nagrinejimas.
i) Rights related to automateddecision-making. You have the right not to be subject to a decisionwhich is based solely on automated processing and which produces legal or othersignificant effects. In particular, you have the right: to obtain humanintervention;to express point of view;to obtain an explanation of the decisionreached after an assessment; andto challenge such a decision.
j) Right to withdraw yourpermission. If you have given us consent, we need to use your personaldata, you can withdraw your consent at any time. It will have been lawful forus to use the personal data up to the point you withdrew your permission

If you would like to exercise any of these rights, please contact us viae-mail: privacy@getunblock.com Forsecurity reasons, we will not be able to process your request if we are notsure of your identity, so we may ask for your ID as proof.

Your requests will be fulfilled, or fulfilment of your requests will be refusedby specifying the reasons for such refusal, within 30 (thirty) calendar daysfrom the date of submission of the request that complies with our internalrules and the GDPR. The afore-mentioned time frame may be extended by 60(sixty) calendar days taking into account the complexity and number of therequests. The Company will inform you of any such extension within 30 (thirty)calendar days of receipt of the request, together with the reasons for thedelay.

We may refuse to satisfy you request if the exception and/or limitation to theexercise of data subjects’ right set out in the GDPR apply, and/or if yourrequest is found to be manifestly unfounded or disproportionate. If we refuseto satisfy your request, we will give you our reason for such refusal inwriting.

13. Cookies policy
‍If you access our information or Services through our website, you should beaware that we use cookies.For more information on how to control your cookiesettings and browser settings or how to delete cookies from your device, pleaseread the Cookie Policy available on our website.

14. ‍Links to other websites

Our website may contain links to other websiteswhich are not operated by the Company. When you decide to click on these linksand be led to such websites, we recommend familiarising yourself with theirprivacy policies or notices, cookie policies and/or other documents. TheCompany assumes no responsibility for the content, policies or practices ofsuch third-party websites or services.

15.‍Changes to this Privacy Policy
‍We regularly review this Privacy Policy and reserve the right to modify it atany time in accordance with applicable laws and regulations. Any changes willtake effect immediately upon their publication on our website. Pleasereview this Privacy Policy from time to time to stay updated regarding anychanges.

16. ‍Contact us
‍You may contact us by writing an e-mail to privacy@getunblock.com .

17. Our Data Protection Officer
Our Data Protection Officer (DPO) continuously monitors our privacy complianceand communicates with us on data protection matters relevant to the provisionof our Services. You may contact our DPO regarding all issues relating to ourCompany’s processing of your personal data and the exercise of your data protection rights by sending an email to the address: privacy@getunblock.com

‍