Privacy Notice

This Privacy Notice is effective as of December 10, 2023.

1. INTRODUCTION

3Commas Technologies OÜ (“3Commas”, “our”, “we” or “us” as applicable) provides tools that allow managing cryptocurrency holdings, including application program interface(s) (“Software”). Your privacy is important to us and therefore, it is our policy to respect your privacy and take appropriate measures to protect your personal data.

This privacy notice (“Notice”) explains how we process, including how we use, store and disclose your personal data when: (i) you visit or otherwise interact with our website at https://3commas.io/ (“Website”), our desktop application at https://app.3commas.io and/or our mobile application(s) (available via Apple App Store or Google Play Store) (jointly “App”); (ii) you access or interact with our 3Commas application programming interface (“3Commas API”); (iii) you (or the legal entity you represent) wish to register or have registered a user account, including agreeing to our Terms of Use, and using the Software; (iv) you subscribe to our newsletter and/or receive other direct marketing; (v) communicate with us through our Website, App or other communication channels (e.g., by email or our official social media accounts); or (vi) take any other actions on our Website, App, or 3Commas API, which entails us receiving and processing your personal data. The data we process may differ based on your interactions with us, so if anything here only applies to one specific use case, we’ll point this out to you.

Please note that this Notice does not describe how we process the personal data of 3Commas’ potential employees; if you are applying for a position at 3Commas, please refer to our Recruitment Privacy Notice.

We process your personal data as described in this Notice and in accordance with applicable legislation, including the European Union’s General Data Protection Regulation (2016/679) (“GDPR”) and other relevant laws and regulations, as applicable towards the controller stated in Section 2 of this Notice. 

In case you disclose any personal data regarding any third person(s) (e.g., your employee, management board member, co-worker, etc.) to us, you are obligated to refer them to this Notice.

We do not knowingly allow children (under the age of 18) to sign up for a 3Commas account, and therefore, do not knowingly process children’s personal data. Should we discover that an individual below the age of 18 has registered for a 3Commas account, we will take appropriate measures to promptly remove their personal data from our database. If you believe an underage person has signed up for a user account or is in any way using the Software, please reach out to us at dpo[at]3commas.io.

2. CONTROLLER

For the personal data processing purposes set out in Section 4 of this Notice, the controller of your personal data is 3Commas Technologies OÜ, registry code 14125515, address Laeva tn 2, Tallinn 10111, Estonia, with email address dpo[at]3commas.io. 

In case of personal data protection related inquiries, including questions or comments about this Notice or if you wish to exercise your data subject’s rights, please contact us by writing to dpo[at]3commas.io.

3. CATEGORIES AND SOURCES OF PERSONAL DATA

Personal data is any information that can be used to directly or indirectly uniquely identify you as a private individual. Anonymous data is not personal data, as it cannot be linked back to you. We may obtain and process the following categories of your personal data:

Category

Personal Data

Main Data

For concluding and managing the contractual relationship with you or the legal entity you represent, we may process the following personal data:
Name, e-mail address, the legal entity’s information you represent (e.g., name, address, registry code) (if applicable), user ID, 2FA key, data regarding account (e.g., internal and external activity IDs, results of the authentication), authentication and profile data received from third parties exchanges (e.g., ID, profile name and picture, e-mail).

Billing Data

For managing the contractual relationship and processing payments, we may process the following personal data:
Main Data, billing information, including payment method details (e.g., the service provider used, payment type, network, card’s brand, last four digits and expiration year and month, presence of a digital wallet), location (e.g., country, postal code), results of payment checks (e.g., CVC and address check, third-party checks (null or pass)). Additionally, your contact phone number, and specific preferences regarding invoice names.

Transaction Data

For managing the contractual relationship and executing transactions, we may process the following personal data:
API key and secret, exchange account data (e.g., exchange platform, account ID, deposit address, date when portfolio was generated), account status data (e.g., deleted, locked, hedge mode enabled), transaction data (e.g., transaction’s date, time, amount, currency action, order type, unique identifiers, transaction request and response).
When accessing the 3Commas API: data related to any changes, manipulations, or interactions developers make with end user accounts.

Communication Data

If you communicate with us through our Website, App or other communication channels (e.g., by email or our official social media), we may process the following personal data depending on the channel you communicate with us: 
Main Data, your username on the platform through which you interact with us, conversation ID, date, time and contents of your message.

Marketing Data

For marketing purposes, we may process the following personal data:
Main Data, Google Analytics client ID, information about interests, given and withdrawn consents, engagement data (e.g., actions made), responses to user surveys, data regarding sources (e.g., original source, identifiers including but not limited to Appsflyer ID, ad ID, media source, channel, campaign and Affise ID (also known as click ID)), data regarding performance of marketing campaigns and contents (e.g., UTM parameters), data regarding actions (e.g., email confirmation, subscription and bot activation, trade commencement).

Technical Data

When you visit our Website or App, or in any way use the Software, we may also collect data about the device you are using and automatically log standard data provided by your web browser or device, which may include your personal data:
IP address, data about device (e.g., device type, language, model, unique device identifiers, operating system, session key), log data (e.g., referring URL, visitor ID number, date and time of visit, location data (down to city level), browser type, version and language, internet service provider).
When accessing the 3Commas API: data related to developer identification and authentication, including developer IDs and app names.

Usage Data

When you visit our Website or App or in any way use the Software, we may process the following data, which may include your personal data:
Main Data (user ID), data about actions made (e.g., user role, attributes to that action, error logs, web pages visited on Website).

Cookie Data

We use cookies to understand how you use the Website in order to optimise the Website and its functionalities. We may also utilise cookies when you use our desktop application. Cookies may collect your personal data. To learn more about the cookies we use, please refer to our Cookies Notice.

4. PURPOSES OF PROCESSING AND LEGAL BASES

We process your personal data lawfully and in a transparent manner, including only where we have a legal basis for doing so. The legal basis for processing your personal data depends on the objective and context in which we collect personal data. The following depicts a descriptive list of processing purposes that are linked to the specific data categories and legal bases for processing:

Processing purpose

Legal basis

Personal data category used for the processing purpose

Handling pre-contractual negotiations and communications and concluding the Terms of Use, including creating a user account and providing a free trial

If you as a natural person wish to become a client: taking and implementing the pre-contractual measures of the potential Terms of Use to be concluded between us
If the legal entity you represent wishes to become a client: our legitimate interest in taking and implementing pre-contractual measures of the potential Terms of Use to be concluded between the legal entity and us

Main Data, Communication Data

Performing the contract and managing contractual relationship, including but not limited to providing the Software, executing transactions, managing the subscription, invoicing, mediating payments to Third-Party Services, determining location for designating applicable VAT rate, receiving payments, providing refunds (where applicable), providing customer support, monitoring the fulfilment of the Terms of Use

If you as a natural person are a client: performance of the Terms of Use concluded between us
If the legal entity you work for or represent is already a partner: our legitimate interest in performing the Terms of Use concluded between the legal entity and us

Main Data, Billing Data, Transaction Data, Communication Data

Offering you the opportunity to interact with pre-release or beta features of the Software (e.g., Beta testing)

Consent

Main Data, Transaction Data, Communication Data

Responding to your enquiries and requests submitted e.g., via the Website, App, social media platforms, sign-up forms, e-mail

If you are interested in our Software: legitimate interest in ensuring effective relationship management with potential clients and other interested parties
If you as a natural person wish to become or are already our client: taking and implementing the pre-contractual measures of the potential Terms of Use to be concluded between us or performing the Terms of Use concluded between us
If the legal entity you work for or represent wishes to become or is already our client: our legitimate interest in taking and implementing pre-contractual measures of the potential Terms of Use to be concluded between the legal entity and us or our legitimate interest in performing the Terms of Use concluded between the legal entity and us

Main Data, Communication Data, depending on the purpose and content of the message all data categories

Sending information about Software’s updates, including new features and other news

Our legitimate interest in informing users about the Software’s updates

Main Data

Utilising Artificial Intelligence technologies for our provision of services (e.g., GPT for our FAQ Chatbot)

Our legitimate interest in providing an enhanced user experience and effective customer service

Main Data, Billing Data, Transaction Data, Communication Data
Please note however that as per Section 8 of this Notice, we do not actively process your personal data

Administering given and withdrawn consents list

Our legitimate interest in ensuring valid legal basis and recording given and withdrawn consents

Marketing Data

Offering prizes, promotions or discounts 

Our legitimate interest in improving client relationships and/or rewarding new or regular customers

Main Data, Marketing Data
Please note that to offer personalised information and promotions, we may carry out profiling, however such processing does not have legal or similarly significant impact on you

Providing information via notifications by your chosen channel (e.g., App, e-mail, Telegram Bot)

Consent

Sending general and personalised marketing information regarding our Software, features, offers, promotions and events via email, push notification, text message, in-App message or newsletter

If you are our client: our legitimate interest in informing you about Software and information that we consider may be of interest to you
Consent

Sending our existing clients information about our other products and services that we think they might be interested in based on the products and services they have previously sourced from us

Our legitimate interest in providing information on our products and services similar to which you have already previously sourced from us

Carrying out marketing on social media platforms

Consent

Carrying out promotions and marketing competitions

Consent

Measuring the effectiveness of marketing tools

Our legitimate interest in improving the efficiency of marketing tools

Making available the basic functions of the Website, App and the Software and administering it, including gathering information about your navigation; enabling to customise or personalise experience

Our legitimate interest in providing the Website, App and the Software and understanding the use patterns to be able to improve the Website, App and the Software and enhance the user experience

Technical Data, Usage Data
Please note that to personalise the experience, we may carry out profiling, however such processing does not have legal or similarly significant impact on you

Diagnosing and repairing problems with the Website, App and Software

Our legitimate interest in ensuring the functioning of the Website, App and the Software; providing data security and preventing fraudulent actions related to the Website, App and the Software

Analysing the use of the Website, App and the Software

Our legitimate interest in ensuring security and integrity and detecting and deterring suspicious and fraudulent actions related to the Website, App and the Software

All data categories

Analysing the use of the Website, App and the Software, including anonymising data, carrying out predictive analytics and insights, and A/B testing

Our legitimate interest in (i) analysing the use of the Website, App and Software to understand the suitability; (ii) improving, upgrading and enhancing the operation of the Website, App and Software; (iii) developing new features and functionalities

Storing information containing personal data in our backup systems

Our legitimate interest in ensuring the continuity and security of data processing operations

Complying with legal or regulatory obligations or requests, including creating and managing accounting documents

Performance of legal obligations

Disclosing data to public sector authorities, supervisory and law enforcement authorities

Performance of legal obligations
Our legitimate interests in preventing and addressing fraud, violations to the Website, App and the Service or other harmful or illegal activity

Disclosing data to our legal advisors and establishing, exercising, or defending legal claims, whether in court proceedings or in an administrative or out-of-court procedure in relation to our, our clients’ or employees’ rights 

Our legitimate interest in seeking legal advice and managing legal claims, facilitating effective establishment, exercise, or defence of legal claims

Arranging the sale or merger of our company and providing information for conducting the legal or other audit and the data exchange thereof; disclosing data to legal successors and/or potential acquirers of the company

Our legitimate interest in facilitating proper due diligence process and business continuity by ensuring a successful merger, acquisition or restructuring of the company

Disclosing data to our service providers

Our legitimate interest in providing the Website, App and Software, utilising the IT infrastructure and services provided by our service providers and ensuring our proper economic activity

We may process your personal data for other purposes, provided that we disclose the purposes and use to you at the relevant time, and that you either consent to the proposed use of the personal data, other legal grounds exist for the new processing purposes, or the new purpose is compatible with the original purpose brought out above.

5. RECIPIENTS OF PERSONAL DATA AND DATA TRANSFERS

We may disclose your personal data to separate controllers, who process your personal data for their own purposes, and processors, who process your personal data on our behalf to help us to provide the Website, App and Software. These data recipients belong to the following categories:

Category

Purpose of disclosure

Public sector authorities, supervisory and law enforcement authorities

To fulfil our statutory obligation, a court order, to establish, exercise or defend our legal rights or in other cases where this is necessary to prevent and deter unlawful acts. 
For example: Estonian Police and Border Guard Board.

Professional advisors

To ensure our proper economic activity and to establish, exercise or defend our legal rights. 
For example: auditors, legal advisors.

Our legal successors and/or potential acquirers of the company

To successfully transfer our business or for the purposes of merger and/or acquisition, we would include data among the assets transferred to any parties who acquire us.

Group companies

For organisational and operational management in order to ensure unified work and strategy across all group companies.

Third-Party Services

To provide user-selected access to relevant external content, applications, and services, as specified in our Terms of Use.
For example: crypto-signallers

Service providers

To help us in providing the services, including our Website, App and overall Software, to you. 
For example, the service providers in the following categories:
- core service providers - who manage and optimise our primary operations and technical infrastructure, which we need to provide you with our services. They also assist us in protecting and securing our systems and services;
- payment service providers - who help us to accept payments by processing them;
- marketing and advertising service providers (partners) - who enable us to customise the advertising content you may receive, deliver relevant ads and promotional messages, including promotional email campaigns;
- data analytics and traffic attribution service providers - who help us understand the performance of our services, including identifying the sources you come from and improve our offerings and user experience.

The personal data that we collect from you is primarily processed within the European Economic Area (“EEA”), but we may transfer your data to and store it in countries outside of the EEA, which do not offer an equivalent level of protection. In such cases we use safeguards (e.g., standard contractual clauses approved by the European Commission) to ensure that a level of protection of personal data comparable to that applicable in the EEA is applied to your personal data. Upon your request to the contact details specified in Section 2 of the Notice, we can make available further information, including a copy of the safeguards applied.

6. SECURITY OF YOUR PERSONAL DATA

We take reasonable technical and organisational security measures designed to protect your personal data against accidental or unlawful destruction, loss or alteration, unauthorised disclosure, abuse or other processing in violation of applicable law. These measures vary based on the sensitivity of the personal data we process and the current state of technology. 

However, please be advised that no security measure can be 100% effective, and we cannot guarantee the security of your data, including against unauthorised acts, access, hacking or data breaches by third parties. 

We also encourage you to take measures to ensure the safety of your personal data, including protecting your account. In particular, we strongly recommend that you enable two-factor authentication for your account and keep your password, API key and API secret confidential and stored in a secure location. In addition, we advise you to ensure the security of your device and avoid using public unencrypted internet connection spots.

7. PERSONAL DATA RETENTION PERIODS

We retain your personal data for the duration necessary to fulfil the objectives outlined in Section 4 of this Notice or for as long as we have a legal obligation to do so. In deciding the appropriate retention period for personal data, we consider the quantity, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining your personal data, we take into account the viable need to resolve disputes and enforce the contract between us, or anonymise your personal data and retain this anonymised information indefinitely. The specific retention periods are the following:

Personal data category

Retention period

Main Data and Billing Data relating to transactions

7 years from the end of the financial year when the respective transaction took place, to comply with our obligations arising from applicable laws.

Other Main Data, Billing Data and Transaction Data relating to the taking and implementing the pre-contractual measures of the potential Terms of Use to be concluded between us or performing the Terms of Use concluded between us

3.5 years from the termination of the Terms of Use, including deletion of User Account, under our legitimate interests to establish, exercise, or defend against potential legal claims. In case we have reasonable doubt that a party has breached the contractual relationship between us intentionally, we may prolong such retention period for a maximum of 10 years.

Communication Data

3.5 years from the moment the respective communication-flow was closed, under our legitimate interests to establish, exercise, or defend against potential legal claims. In case we have reasonable doubt that a party has breached the contractual relationship between us intentionally, we may prolong such retention period for a maximum of 10 years.

Marketing Data

30 days after the termination of the Terms of Use, including deletion of the User Account, or upon withdrawal of consent.
In case the legal basis for processing your Personal Data is consent and you decide to withdraw the consent, we will stop processing the personal data for the previously communicated purpose, however, we will retain a note regarding your withdrawal of consent for the purposes of administering your decision and our data processing activities at least for a period of 3 years.

Technical Data and Usage Data

30 days as of the collection of such data. 

Following the retention period or if we no longer need the personal data for the purposes specified in Section 4 of the Notice, we shall destroy the respective personal data within a reasonable time, unless the retention of personal data is required to perform duties or requirements arising from the applicable law or to protect against ongoing or threatened disputes, in which case we retain the personal data until the dispute is resolved.

After the expiry of the retention period determined above or the termination of the legal basis for processing purpose, we may retain the materials containing the personal data in our backup systems, from which the respective materials will be deleted after the end of the backup cycle. We ensure that during the backup period appropriate safeguards are applied and the backed-up materials are put beyond use. Access to these backups is strictly limited to essential personnel on a need-to-know basis.

8. AUTOMATED DECISION MAKING

We incorporate Artificial Intelligence technologies such as the Generative Pre-training Transformer technology (“GPT”) into our services, including but not limited to, our FAQ Chatbot. While we do not actively process your personal data within these services, any personal data you input may be subject to automated decision making. This activity will not result in any legal consequences for you. We prioritise the protection of your personal data and take all necessary precautions to ensure its security. Should you believe that your personal data has been processed in this regard, you may reach out to us for further actions regarding your data protection rights at dpo[at]3commas.io. For more detailed information about this use case, please also contact us at the aforementioned email address.

9. YOUR RIGHTS AS A DATA SUBJECT

You may, at any time, exercise the following rights with respect to our processing of your personal data:

  • Right to access: you have the right to request access to, including to receive a copy of, your personal data. This includes the right to be informed on whether we process your personal data, what personal data categories are being processed by us, and the purpose of the data processing.
  • Right to rectification: you have the right to request that we correct any of your personal data if you believe that we are processing incorrect, inaccurate or incomplete personal data.
  • Right to object: you are entitled to object to certain processing of your personal data, for example when we process your personal data based on our legitimate interest or for direct marketing purposes;
  • Right to restriction: you have the right to request that we restrict the processing of your personal data, for example if you wish to dispute the accuracy of certain personal data we are processing or if we no longer need the personal data for the purposes of the processing, but you require the personal data to establish, exercise or defend legal claims;
  • Right to erasure: you have the right to request that we erase your personal data for example if the personal data is no longer necessary for the purposes for which it was collected or if you consider that the processing is unlawful. 
    - You can initiate the deletion procedure of your Software’s Client Account in the App’s settings. Please note that an extended authentication procedure may be required before we proceed with the account deletion.
  • Right to data portability: you have the right to receive your personal data in a structured, commonly used and machine-readable format if the processing is carried out by automated means and is based on your consent or a mutual contractual relationship. Moreover, you may request that the personal data is transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible.
  • Right to withdraw your consent: in cases where the processing is based on your consent, you have the right to withdraw your consent to such processing at any time. 
    - To stop receiving our direct marketing messages, either reach out to us directly or click the ‘unsubscribe’ link provided in the message. Using this link will remove you from future messages of that type. For preferences regarding all categories of direct marketing, visit the Account Settings page. Please note however that essential service emails like password resets, billing information, or updates to our terms, will continue unless you deactivate your account.
  • Right not to be subject to a decision based solely on automated processing, including profiling: Our use of automated decision-making is limited, and should not result in any legal impact to you. You may read more about our use of automated decision-making in Section 8.
  • Complaints: If you wish to make a complaint, please contact us. We will promptly investigate your complaint and respond to you. If you are not satisfied with our response to your request in relation to personal data processing or you believe we are processing your personal data not in accordance with the applicable law, you can submit your claim to the data protection authority, e.g., in Estonia to the Estonian Data Protection Inspectorate (in Estonian: Andmekaitse Inspektsioon) at info[at]aki.ee or www.aki.ee.

To exercise the data subject’s rights please contact us as specified in Section 2 of this Notice. Please note that you should supply us with adequate information for us to respond to your requests concerning your rights. Prior to answering your request, we may ask you to provide additional information for the purposes of authenticating you and evaluating your request (e.g., if you seek to exercise the rights on behalf of someone else as a legal representative).

We will respond to your request promptly and in any case within one month from the date we receive it. If necessary, due to the complexity and number of the requests, this period may be extended by up to two additional months. We will inform you of any such extension within one month of receiving your request, along with the reasons for the delay.

10. OTHER JURISDICTIONS

You may also have certain additional rights regarding the information we hold about you under other data protection and privacy laws. Please contact us at dpo[at]3commas.io about your specific situation for more information.

11. LINKS TO OTHER WEBSITES, APPS OR SERVICES

Our Website and App may link to external sites that are not operated by us, or offer access to apps and services not under our operation or control. Therefore, this Notice applies solely to the personal data we may collect or receive from these third-party sources, but does not apply to data processing conducted by such third parties. Please be aware that we neither endorse nor have any control over the content and policies of those sites, apps or services, and thus cannot accept responsibility or liability for their respective practices. To find out more about how such third parties process your personal data, please refer to the respective privacy notices on the other websites you visit, or apps and services you use. 

12. CHANGES TO THIS NOTICE

We regularly review and revise this Notice as necessary to reflect the changes in the way we process personal data, and in such cases we publish any updates directly on this page. 

Please check back periodically, and especially before you provide any new personal data. In case of material changes, we will send a direct notification to the email address you’ve registered with us.