1. INTRODUCTION

1.1. Fincryptou UAB (hereinafter referred to as "Fincryptou", "we", "us", or "our") is committed to protecting your privacy, the confidentiality of your Personal Data, and ensuring compliance with applicable data protection laws. This Privacy Policy applies to visitors who access our Merchant Portal (the "Site") and users who utilize our Services, including any related functionalities, tools, or integrations owned or operated by Fincryptou UAB.

1.2. We encourage you to read this Privacy Policy carefully, as it forms an integral part of our Terms and Conditions. By accessing the Merchant Portal or using our Services, you confirm that you have read, understood, and agreed to this Privacy Policy. If you do not agree with any provisions in this Privacy Policy, you must immediately cease using the Merchant Portal and discontinue access to our Services.

1.3. This Privacy Policy provides a transparent explanation of how we collect, process, store, protect, and disclose your Personal Data. It covers:

1. The types of Personal Data we collect;
2. The purposes for which your Personal Data is used;
3. How we store and protect your Personal Data;
4. How long we retain your Personal Data;
5. Circumstances under which we share your Personal Data with third parties;
6. Your rights under GDPR and applicable laws.

1.4. We continuously improve our Services and may develop or offer new features. If any new features materially change how we collect or process your Personal Data, we will notify you in advance. Unless stated otherwise, new features or additional services will be subject to this Privacy Policy.

1.5. Fincryptou UAB is the data controller, meaning we determine the purposes and means of processing your Personal Data. In certain cases, we may share your Personal Data with affiliates or third-party service providers in compliance with this Privacy Policy and applicable laws.

2. DEFINITIONS

2.1. For the purposes of this Privacy Policy, the following definitions apply:

1. "Company", "we", "our", "us" – Fincryptou UAB, a private limited company incorporated under the laws of the Republic of Lithuania, registered with the Lithuanian Commercial Register under registry code 306068445, with a registered seat at Vytenio g. 9-101, LT-03113 Vilnius, Lithuania.
2. "Personal Data" – Any information related to an identified or identifiable natural person ("data subject"), as defined by GDPR. This includes, but is not limited to, name, email, address, phone number, government-issued identification, financial data, transaction details, and online identifiers.
3. "Merchant Portal", "Site" – The website https://fincryptou.com/, including all related webpages, content, products, features, APIs, and mobile applications operated by Fincryptou UAB.
4. "Services" – Any access to, interaction with, or use of the Merchant Portal, including payment processing, account verification, customer support, and financial transactions.
5. "Account" – A fully verified account registered by a user, enabling withdrawals, payments, and access to additional financial services provided by Fincryptou UAB.
6. "GDPR" – The General Data Protection Regulation (EU) 2016/679, which governs data protection and privacy within the European Union (EU) and European Economic Area (EEA), establishing rules for the collection, processing, and storage of Personal Data.
7. "Third-Party Data Processors" – Any external service providers or partners who process Personal Data on behalf of Fincryptou UAB, including payment processors, authentication providers, cloud services, legal and compliance advisors, and regulatory authorities.

3. PERSONAL DATA WE COLLECT

3.1. Below are the categories of Personal Data we collect, along with details on how we collect and process it:

3.1.1. Data Provided by You

We collect Personal Data that you voluntarily provide when you:

1. Register an Account on our Merchant Portal;
2. Use our Services, including financial transactions;
3. Contact customer support or communicate with us;
4. Submit identity verification documents as required by AML/KYC regulations.

This may include, but is not limited to:

1. Full name, email address, phone number;
2. Date of birth, gender, nationality, country of residence;
3. Home address, postal code, city, and country;
4. Photograph, signature, government-issued identification (passport, driver’s license, ID card);
5. Payment details, credit/debit card information, bank account details;
6. Company registration details (for legal entities);
7. Tax identification number;
8. Proof of address (utility bills, rental agreements, employer declaration, etc.);
1. Financial transactions history, transaction recipients, payment confirmations.

3.1.2.  Data Collected Automatically

When accessing the Merchant Portal, we automatically collect:

1. Device type and unique identification numbers;
2. Browser type, version, and language settings;
3. Date and time of site visits and requests;
4. Online identifiers, including cookies and IP addresses (see Section 8);
5. Interaction history, such as clicked links, visited pages, and session duration;
6. Geographic location (non-precise, based on IP address);
7. Operating system version and technical logs.

3.1.3. Data from Third-Party Sources

 We may collect Personal Data from external sources, including:

1. Public databases (e.g., regulatory compliance databases);
2. Payment service providers (e.g., transaction verification);
3. Identity verification partners (e.g., KYC/AML compliance);
4. Technical service partners (e.g., cybersecurity firms monitoring fraud and suspicious activity);
5. Advertising and marketing partners (e.g., analytics and targeted advertising).

3.2. We do not knowingly collect sensitive personal data, such as:

1. Racial or ethnic origin;
2. Religious or philosophical beliefs;
3. Biometric data (unless required for identity verification under KYC regulations).

3.3. If we receive any sensitive data unintentionally, it will be deleted unless required for regulatory compliance.

4. LEGAL BASIS AND PURPOSES FOR PROCESSING YOUR PERSONAL DATA

4.1. We process Personal Data based on one or more legal bases as outlined under Article 6 of the GDPR. Below are the primary legal grounds we rely upon and the associated purposes for which we use your data:

4.1.1. Contractual Obligations and Agreements

We collect, process, and store your Personal Data where necessary to:

1. Provide you with access to our Services under the Merchant Portal;
2. Register, verify, and manage your Account;
3. Process payments, withdrawals, and transactions;
4. Ensure compliance with contractual obligations under agreements with users, partners, and service providers.

Legal Basis: Article 6(1)(b) GDPR – Processing is necessary for the performance of a contract to which you are a party.

4.1.2. Compliance with Legal and Regulatory Requirements

We are subject to strict regulatory obligations under AML (Anti-Money Laundering), CFT (Counter Financing of Terrorism), and Data Protection Laws. To comply with these legal requirements, we may:

1. Identify and verify users under KYC (Know Your Customer) and AML procedures;
2. Monitor and report suspicious transactions to relevant regulatory authorities;
3. Retain transaction records in compliance with financial regulations;
4. Ensure compliance with taxation, anti-fraud, and risk management regulations.

Legal Basis: Article 6(1)(c) GDPR – Processing is necessary to comply with a legal obligation applicable to the Company.

4.1.3. Legitimate Interests for Security, Fraud Prevention, and Risk Management

We may process your Personal Data to:

1. Detect, investigate, and prevent fraudulent activities and unauthorized access;
2. Monitor system security and integrity to prevent cyber threats;
3. Enforce Terms & Conditions and investigate policy violations;
4. Protect our users, business, and reputation from security risks.

Legal Basis: Article 6(1)(f) GDPR – Processing is necessary for our legitimate interests, provided that such interests do not override your rights and freedoms.

4.1.4. Marketing, Promotion, and Advertising 

We may use Personal Data to:

1. Send you promotional offers, newsletters, and product updates via email or notifications;
2. Provide personalized content and recommendations based on your usage;
3. Analyze marketing effectiveness and user engagement trends.

You may opt-out of marketing communications at any time by adjusting your communication preferences or contacting us at info@fincryptou.com.

Legal Basis:

Article 6(1)(a) GDPR – We process your Personal Data for marketing purposes only with your explicit consent.

Article 6(1)(f) GDPR – We may process Personal Data for marketing based on our legitimate interests, where applicable.

4.1.5. Exercising or Defending Legal Claims 

We may use Personal Data in legal proceedings to:

1. Investigate, resolve, and respond to disputes;
2. Establish, enforce, or defend legal claims;
3. Cooperate with law enforcement, courts, or regulatory agencies as required by law.

Legal Basis: Article 6(1)(f) GDPR – Processing is necessary for our legitimate interest in exercising or defending legal claims.

4.1.6. Research and Service Development 

To improve our Merchant Portal and Services, we may:

1. Analyze usage trends and user behavior to optimize platform functionality;
2. Conduct research, statistical analysis, and product development;
3. Test and deploy new features and enhance customer experience.

Legal Basis: Article 6(1)(f) GDPR – Processing is necessary for our legitimate interests in improving and developing our Services.

4.1.7. Communication and Customer Support 

We use Personal Data to:

1. Send transactional emails, system updates, and service notifications;
2. Respond to inquiries, complaints, and customer support requests;
3. Collect feedback to improve customer service quality.

Legal Basis: Article 6(1)(b) GDPR – Processing is necessary for the performance of a contract (e.g., responding to support requests).

4.1.8. No Processing Beyond Stated Purposes 

We will not process your Personal Data for any purpose not mentioned above unless:

1. You have provided explicit consent;
2. Processing is required by law;
3. Processing is necessary to protect vital interests (e.g., preventing harm).

5. WITH WHOM WE MAY SHARE YOUR PERSONAL DATA

5.1. We only share your Personal Data when necessary for:

1. Providing our Services;
2. Fulfilling legal obligations;
3. Protecting our security and business interests.

5.2. We will never sell or rent your Personal Data to third parties. However, we may disclose your Personal Data under the circumstances below:

5.2.1. Financial Institutions and Payment Processors

We share Personal Data with banks, financial institutions, and payment processors to:

1. Facilitate payments, withdrawals, and transactions;
2. Verify your identity and comply with AML regulations;
3. Detect fraudulent activities and unauthorized transactions.

5.2.2. Legal and Regulatory Authorities

We may share Personal Data if required by:

1. A court order, arbitration ruling, or government directive;
2. Regulatory authorities for AML/KYC compliance;
3. Law enforcement agencies investigating fraud, cybercrime, or illegal activity.

5.2.3. Business Transfers (Mergers and Acquisitions)

In case of a merger, acquisition, restructuring, or asset sale, we may transfer Personal Data to the acquiring entity. Before such transfer:

1. We will ensure data protection safeguards are in place;
2. We will notify you before your data becomes subject to a different Privacy Policy.

5.2.4. Service Providers and Business Partners

We work with trusted third-party providers who support our operations, including:

1. Cloud storage and IT service providers;
2. Fraud prevention and cybersecurity firms;
3. Identity verification and authentication services;
4. Marketing and analytics platforms.

All third-party service providers are contractually bound to:

1. Use your Personal Data only for specified purposes;
2. Implement security measures to protect your data;
3. Comply with applicable data protection laws.

5.2.5. Legal, Banking, and Compliance Advisors

We may share Personal Data with law firms, auditors, tax consultants, and regulatory compliance advisors to:

1. Ensure legal and financial compliance;
2. Conduct internal audits and regulatory reporting;
3. Assess risks and maintain business continuity.

6. INTERNATIONAL TRANSFERS

6.1. Fincryptou UAB may share, transfer, or process your Personal Data outside of your country of residence, including to jurisdictions that may not have the same data protection laws as those within the European Economic Area (EEA), Switzerland, or the United Kingdom (UK). Such transfers may occur when:

1. We engage third-party service providers, affiliates, or business partners to support our operations and provide Services;
2. We store data on cloud servers or IT infrastructure providers located in different jurisdictions;
3. We facilitate international payments and financial transactions through banks, payment processors, or financial institutions operating globally;
4. We comply with legal obligations, including law enforcement requests and regulatory reporting in jurisdictions where we operate.

6.2. When transferring Personal Data outside the EEA, Switzerland, or UK, we ensure adequate protection by implementing one or more of the following safeguards:

1. Adequacy Decisions – If the country has been deemed by the European Commission to offer an adequate level of data protection, we may transfer Personal Data without additional safeguards.
2. Standard Contractual Clauses (SCCs) – Where no adequacy decision exists, we use SCCs approved by the European Commission, requiring third-party recipients to comply with EU data protection standards.
3. Binding Corporate Rules (BCRs) – Where relevant, we ensure that affiliates or service providers implement BCRs that are approved by EU regulators.
4. Other Legal Mechanisms – In certain situations, we may rely on specific derogations under Article 49 GDPR, such as your explicit consent or the necessity of data transfers to fulfill contractual obligations.

6.3. Additional Safeguards:

1. We conduct risk assessments before transferring any Personal Data outside the EEA;
2. We limit cross-border transfers to only what is necessary to fulfill our Services and legal obligations;
3. We continuously monitor the legal landscape to ensure compliance with changing data protection laws (e.g., post-Schrems II ruling).

6.4. If you require further details regarding international transfers, you may contact our Data Protection Officer (DPO) at info@fincryptou.com.

7. THIRD-PARTY WEBSITES

7.1. Our Merchant Portal and Services may contain links, advertisements, or integrations that redirect you to third-party websites, services, or platforms that are not owned or controlled by Fincryptou UAB. These third-party websites operate under their own privacy policies and terms of service, and we do not assume responsibility for their data collection, processing, or security practices.

7.2. If you click on a third-party link or use a third-party service, the collection, storage, and use of your Personal Data will be governed by that third party’s privacy policy, which may differ from ours. We strongly encourage you to review the privacy policies and terms of any external website or service before engaging with them.

7.3. Examples of third-party interactions may include:

1. Clicking on an advertisement displayed on our Merchant Portal and being redirected to an external website;
2. Using third-party payment gateways or financial service providers to complete a transaction;
3. Engaging with social media integrations (e.g., Facebook, Twitter, LinkedIn) that track user interactions.

7.4. If you create an Account or interact with our Services through a third-party platform (e.g., via a partner website, mobile app, or social media login), your Personal Data may be shared with the owner of that third-party site. This means that:

1. Your data will be subject to that third party’s privacy policy;
2. Fincryptou UAB is not responsible for how the third party processes your Personal Data;
3. Any disputes, data protection concerns, or privacy rights related to the third-party platform must be handled directly with that provider.

7.5. We do not control and are not liable for how third parties collect, use, or secure your data. If you have concerns about a third-party website or service, you should contact their support team or refer to their privacy policy.

8. RETENTION OF PERSONAL DATA

8.1. Fincryptou UAB retains your Personal Data only for as long as necessary to:

1. Provide, maintain, and improve our Services;
2. Fulfill contractual and legal obligations;
3. Ensure compliance with applicable laws and regulations;
4. Meet accounting, tax, audit, and financial reporting requirements;
5. Investigate security incidents, fraud, and enforce our legal rights;
6. Defend against potential claims and disputes.

8.2. The retention period for different types of Personal Data depends on:

1. The nature of the data and its processing purpose;
2. Legal and regulatory requirements applicable to our business;
3. The existence of ongoing disputes or investigations;
4. Our legitimate business interests, such as fraud prevention and cybersecurity.

8.3. Upon your request, we will delete or anonymize your Personal Data, provided that:

1. There are no pending legal or regulatory requirements that necessitate retention;
2. There is no ongoing dispute or unresolved issue related to your Account;
3. We do not need to retain your Personal Data for legitimate business purposes, such as: 
   • Preventing fraud;
   • Complying with AML/KYC regulations;
   • Ensuring platform security.

8.4. Personal Data Retention Periods:
We retain Personal Data according to the following categories:

1. User Account Information – Stored as long as the Account is active, and for a period required by applicable regulations after termination.
2. Transaction and Financial Data – Retained for at least 5 years after the transaction date, in compliance with AML and financial reporting regulations.
3. Identity Verification (KYC) Data – Retained for 5–10 years, as mandated by AML compliance laws.
4. Marketing and Communication Data – Retained until you withdraw consent or opt out of marketing communications.
5. Security Logs and Fraud Prevention Data – Retained for a minimum of 6 months and up to 5 years, depending on the risk level and applicable laws.

8.5. If you have closed your Account, we may continue to store limited Personal Data:

1. To comply with legal and regulatory obligations;
2. To defend against legal claims or prevent fraudulent activities;
3. To resolve any pending disputes.

8.6. Once the retention period expires, your Personal Data will be:

1. Permanently deleted from our systems;
2. Anonymized so it can no longer be linked to you;
3. Securely stored in an encrypted format, if required for historical or statistical purposes.

8.7. If you require further details about how long we retain specific data categories, please contact our Data Protection Officer (DPO) at info@fincryptou.com.

9. HOW WE PROTECT YOUE PERSONAL DATA

9.1. We take data security seriously and implement technical, administrative, and organizational measures to protect your Personal Data from:

1. Unauthorized access or disclosure;
2. Data breaches, cyberattacks, and hacking attempts;
3. Loss, alteration, or destruction of Personal Data;
4. Unlawful processing and misuse.

9.2. Our Security Measures Include:

1. Data Encryption: We use AES-256 and TLS/SSL encryption to protect data in transit and at rest.
2. Access Controls: We enforce strict access permissions based on the principle of least privilege (PoLP).
3. Multi-Factor Authentication (MFA): We require MFA for all administrative and privileged access.
4. Intrusion Detection Systems (IDS): We monitor for suspicious activities using real-time security analytics.
5. Regular Security Audits: We conduct penetration testing, vulnerability assessments, and internal security reviews.
6. Data Minimization: We limit data collection to what is strictly necessary for legitimate purposes.
7. Anonymization & Pseudonymization: We apply data anonymization techniques to protect sensitive information.
8. Incident Response Plan: We have a dedicated response team to handle potential security breaches.

9.3. User Responsibilities for Security
While we take extensive steps to secure your Personal Data, you also play a role in protecting your Account. We strongly recommend that you:

1. Use a strong, unique password for your Account;
2. Enable Multi-Factor Authentication (MFA);
3. Never share your login credentials with anyone;
4. Log out from your Account after each session, especially when using public or shared devices;
5. Beware of phishing emails and fraudulent requests pretending to be from Fincryptou UAB;
6. Regularly update your software and devices to protect against malware and security vulnerabilities.

9.4. If you believe your Personal Data has been compromised, accessed without authorization, or misused, please contact us immediately at:

Email: info@fincryptou.com
Address: Vytenio g. 9-101, LT-03113 Vilnius, Lithuania

9.5. We will investigate all security reports and take appropriate measures to resolve the issue.

10. COOKIES

10.1. Fincryptou UAB uses cookies and similar tracking technologies, such as flash cookies, pixel tags, web beacons, scripts, and local storage (collectively referred to as “Cookies”), to enhance your experience, improve security, and ensure compliance with financial and legal obligations when using our Merchant Portal.

10.2. Types of Cookies We Use:

1. Essential Cookies – Required for core functionalities, such as user authentication and fraud prevention.
2. Performance Cookies – Track how users interact with our Portal, allowing us to analyze and improve performance.
3. Functional Cookies – Enhance user experience, remembering preferences like language settings.
4. Marketing & Targeting Cookies – Used to deliver relevant ads and promotional content, including third-party tracking.

10.3. Some third-party service providers, such as Google Analytics, Meta, and LinkedIn, may also place cookies on your device when interacting with our Portal. These cookies are subject to the third-party provider’s privacy policies.

10.4. How You Can Control Cookies:

1. You can disable cookies via your browser settings.
2. You can opt-out of personalized advertising through relevant settings on platforms like Google Ads or Facebook Ads Manager.
3. Please note that blocking essential cookies may impact website functionality.

10.5. For further details on how we use Cookies, please refer to our Cookie Policy.

11. MARKETING

11.1. Marketing Communications & Promotions:

1. We may send you personalized marketing offers, service updates, and promotions about our Services.
2. Marketing communications may be delivered via email, SMS, push notifications, or targeted advertisements.

11.2. Your Consent & Opt-Out Options:

1. We rely on your explicit consent before sending marketing communications or sharing your Personal Data with third parties for marketing purposes.
2. You may withdraw your consent at any time by: 
   • Clicking "Unsubscribe" in marketing emails;
   • Adjusting communication preferences in your Account settings;
   • Sending a request to info@fincryptou.com.

11.3. Third-Party Marketing Partners:

1. We may collaborate with advertising networks, analytics platforms, and social media partners to provide relevant ads.
2. No Personal Data will be shared with third parties for marketing purposes without your explicit consent.

12. YOUR PRIVACY RIGHTS

12.1. Your Rights Under GDPR & Data Protection Laws

Depending on your jurisdiction, you may have the following privacy rights under the General Data Protection Regulation (GDPR) and other applicable laws:

1. Right to be Informed – You have the right to know how your Personal Data is collected, used, and stored.
2. Right to Access – You can request a copy of the Personal Data we process about you
3. Right to Rectification – You may request to update or correct inaccurate Personal Data.
4. Right to Erasure ("Right to be Forgotten") – You may request the deletion of your Personal Data, subject to legal obligations.
5. Right to Restrict Processing – You can request that we temporarily or permanently stop processing your Personal Data under certain conditions.
6. Right to Object – You can object to the processing of your Personal Data when it is based on legitimate interests or used for direct marketing.
7. Right to Data Portability – You may request a structured, machine-readable copy of your Personal Data to transfer it to another provider.
8. Right to Withdraw Consent – If processing is based on your consent, you have the right to withdraw it at any time.
1. Right Not to Be Subject to Automated Decision-Making – You have the right to request human intervention if decisions significantly affecting you are made through automated processes.

12.2. Limitations to Your Rights:

1. Your privacy rights are not absolute and may be subject to legal obligations, financial regulations, and compliance measures.
2. In cases where we must retain your Personal Data for regulatory or security reasons, we may deny deletion requests.
3. If we reject a request, we will provide a justification in accordance with applicable laws.

12.3. How to Exercise Your Rights.

1. To make a privacy request, please contact our Data Protection Officer (DPO) at info@fincryptou.com.
2. We will review your request and respond within one month, as per GDPR Article 12(3).
3. If you are not satisfied with our response, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate or your local data protection authority.

13. CHILDREN‘S PERSONAL DATA

13.1. Fincryptou UAB does not knowingly collect, process, or store Personal Data from individuals under the age of 18. Our Services are strictly intended for adults, and we do not target or provide access to minors.

13.2. If we become aware that a minor under 18 years old has provided us with Personal Data, we will:

1. Immediately close the associated Account;
2. Securely delete the minor’s Personal Data from our systems, unless retention is legally required;
3. Take additional security measures to prevent further access.

13.3. If you believe that a minor has provided us with Personal Data, please contact us immediately at info@fincryptou.com so we can take the appropriate action.

13.4. In cases where a minor has fraudulently provided false age-related information to gain access to our Services, we disclaim liability for any resulting data processing but will take appropriate corrective actions once identified.

14. AMENDMENTS TO THIS PRIVACY POLICY

14.1. We may update, amend, or modify this Privacy Policy periodically to reflect:

1. Changes in legal or regulatory requirements;
2. Updates to our Services, technologies, or business practices;
3. Security or compliance improvements;
4. User feedback and best practices in data protection.

14.2. When material changes are made to this Privacy Policy, we will:

1. Notify you via email, website notifications, or other appropriate means;
2. Update the "Last Updated" date at the beginning of this Privacy Policy;
3. Ensure continued compliance with GDPR and other relevant data protection laws.

14.3. Your Continued Use of Our Services

1. If you continue using our Merchant Portal and Services after changes take effect, it will be deemed as acceptance of the revised Privacy Policy.
2. If you do not agree with any modifications, you must stop using our Services and request account closure by contacting info@fincryptou.com.

14.4. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your Personal Data.

15. CONTACT DETAILS

15.1. If you have any questions, concerns, or requests regarding this Privacy Policy, or if you wish to exercise your privacy rights, please contact our Data Protection Officer (DPO) at:

Email: info@fincryptou.com
Address: Vytenio g. 9-101, LT-03113 Vilnius, Lithuania

15.2. We will respond to inquiries within the legally required timeframe, in accordance with GDPR and other applicable data protection laws.

15.3. If you are dissatisfied with our response, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate or your local data protection authority.