Privacy Notice until December 28th, 2024
This Privacy Notice is effective as of August 14, 2024.
1. INTRODUCTION
3Commas Technologies OÜ (“3Commas”, “our”, “we” or “us” as applicable) provides tools that allow managing cryptocurrency holdings, including application program interface(s) (“Software”). Your privacy is important to us and therefore, it is our policy to respect your privacy and take appropriate measures to protect your personal data.
This privacy notice (“Notice”) explains how we process, including how we use, store and disclose your personal data when: (i) you visit or otherwise interact with our website at https://3commas.io/ (“Website”), our desktop application at https://app.3commas.io and/or our mobile application(s) (available via Apple App Store or Google Play Store) (jointly “App”); (ii) you access or interact with our 3Commas application programming interface (“3Commas API”); (iii) you (or the legal entity you represent) wish to register or have registered a user account, including agreeing to our Terms of Use, and using the Software; (iv) you subscribe to our newsletter and/or receive other direct marketing; (v) communicate with us through our Website, App or other communication channels (e.g., by email or our official social media accounts); or (vi) take any other actions on our Website, App, or 3Commas API, which entails us receiving and processing your personal data. The data we process may differ based on your interactions with us, so if anything here only applies to one specific use case, we’ll point this out to you.
Please note that this Notice does not describe how we process the data of 3Commas’ potential employees; if you are applying for a position at 3Commas, please refer to our Recruitment Privacy Notice.
We process your personal data as described in this Notice and in accordance with applicable legislation, including the European Union’s General Data Protection Regulation (2016/679) (“GDPR”) and other relevant laws and regulations, as applicable towards the controller stated in Section 2 of this Notice.
In case you disclose any personal data regarding any third person(s) (e.g., your employee, management board member, co-worker, etc.) to us, you are obligated to refer them to this Notice.
We do not knowingly allow children (under the age of 18) to sign up for a 3Commas account, and therefore, do not knowingly process children’s personal data. Should we discover that an individual below the age of 18 has registered for a 3Commas account, we will take appropriate measures to promptly remove their personal data from our database. If you believe an underage person has signed up for a user account or is in any way using the Software, please reach out to us at dpo[at]3commas.io.
2. CONTROLLER
For the personal data processing purposes set out in Section 4 of this Notice, the controller of your personal data is 3Commas Technologies OÜ, registry code 14125515, address Laeva tn 2, Tallinn 10111, Estonia, with email address dpo[at]3commas.io.
In case of personal data protection-related inquiries, including questions or comments about this Notice or if you wish to exercise your data subject’s rights, please contact us by writing to dpo[at]3commas.io.
3. CATEGORIES AND SOURCES OF PERSONAL DATA
Personal data is any information that can be used to directly or indirectly uniquely identify you as a private individual. Anonymous data is not personal data, as it cannot be linked back to you. We may obtain and process the following categories of your personal data:
Category | Personal Data |
---|---|
Main Data | For concluding and managing the contractual relationship with you or the legal entity you represent, we may process the following personal data: |
Billing Data | For managing the contractual relationship and processing payments, we may process the following personal data: |
Transaction Data | For managing the contractual relationship and executing transactions, we may process the following personal data: |
Communication Data | If you communicate with us through our Website, App or other communication channels (e.g., by email or our official social media), we may process the following personal data depending on the channel you communicate with us: |
Marketing Data | For marketing purposes, we may process the following personal data: |
Technical Data | When you visit our Website or App, or in any way use the Software, we may also collect data about the device you are using and automatically log standard data provided by your web browser or device, which may include your personal data: |
Usage Data | When you visit our Website or App or in any way use the Software, we may process the following data, which may include your personal data: |
Cookie Data | We use cookies to understand how you use the Website in order to optimise the Website and its functionalities. We may also utilise cookies when you use our desktop application. Cookies may collect your personal data. To learn more about the cookies we use, please refer to our Cookies Notice. |
4. PURPOSES OF PROCESSING AND LEGAL BASES
We process your personal data lawfully and in a transparent manner, including only where we have a legal basis for doing so. The legal basis for processing your personal data depends on the objective and context in which we collect personal data. The following depicts a descriptive list of processing purposes that are linked to the specific data categories and legal bases for processing:
Processing purpose | Legal basis | Personal data category used for the processing purpose |
---|---|---|
Handling pre-contractual negotiations and communications and concluding the Terms of Use, including creating a user account and providing a free trial | If you as a natural person wish to become a client: taking and implementing the pre-contractual measures of the potential Terms of Use to be concluded between us | Main Data, Communication Data |
Performing the contract and managing contractual relationship, including but not limited to providing the Software, executing transactions, managing the subscription, invoicing, mediating payments to Third-Party Services, determining location for designating applicable VAT rate, receiving payments, providing refunds (where applicable), providing customer support, monitoring the fulfilment of the Terms of Use | If you as a natural person are a client: performance of the Terms of Use concluded between us | Main Data, Billing Data, Transaction Data, Communication Data |
Offering you the opportunity to interact with pre-release or beta features of the Software (e.g., Beta testing) | Consent | Main Data, Transaction Data, Communication Data |
Responding to your enquiries and requests submitted e.g., via the Website, App, social media platforms, sign-up forms, e-mail | If you are interested in our Software: legitimate interest in ensuring effective relationship management with potential clients and other interested parties | Main Data, Communication Data, depending on the purpose and content of the message all data categories |
Sending information about Software’s updates, including new features and other news | Our legitimate interest in informing users about the Software’s updates | Main Data |
Utilising Artificial Intelligence technologies for our provision of services (e.g., GPT for our FAQ Chatbot) | Our legitimate interest in providing an enhanced user experience and effective customer service | Main Data, Billing Data, Transaction Data, Communication Data |
Administering given and withdrawn consents list | Our legitimate interest in ensuring valid legal basis and recording given and withdrawn consents | Marketing Data |
Offering prizes, promotions or discounts | Our legitimate interest in improving client relationships and/or rewarding new or regular customers | Main Data, Marketing Data |
Providing information via notifications by your chosen channel (e.g., App, e-mail, Telegram Bot) | Consent | |
Sending general and personalised marketing information regarding our Software, features, offers, promotions and events via email, push notification, text message, in-App message or newsletter | If you are our client: our legitimate interest in informing you about Software and information that we consider may be of interest to you | |
Sending our existing clients with information about our other products and services that we think they might be interested in based on the products and services they have previously sourced from us | Our legitimate interest in providing information on our products and services similar to which you have already previously sourced from us | |
Carrying out marketing on social media platforms | Consent | |
Carrying out promotions and marketing competitions | Consent or legitimate interest in communicating necessary information regarding the promotions or competitions and providing and delivering competition prizes or performance of the terms and conditions concluded between you and us regarding the promotions or competitions | |
Measuring the effectiveness of marketing tools | Our legitimate interest in improving the efficiency of marketing tools | |
Making available the basic functions of the Website, App and the Software and administering it, including gathering information about your navigation; enabling to customise or personalise experience | Our legitimate interest in providing the Website, App and the Software and understanding the use patterns to be able to improve the Website, App and the Software and enhance the user experience | Technical Data, Usage Data |
Diagnosing and repairing problems with the Website, App and Software | Our legitimate interest in ensuring the functioning of the Website, App and the Software; providing data security and preventing fraudulent actions related to the Website, App and the Software | |
Analysing the use of the Website, App and the Software | Our legitimate interest in ensuring security and integrity and detecting and deterring suspicious and fraudulent actions related to the Website, App and the Software | All data categories |
Analysing the use of the Website, App and the Software, including anonymising data, carrying out predictive analytics and insights, and A/B testing | Our legitimate interest in (i) analysing the use of the Website, App and Software to understand the suitability; (ii) improving, upgrading and enhancing the operation of the Website, App and Software; (iii) developing new features and functionalities | |
Storing information containing personal data in our backup systems | Our legitimate interest in ensuring the continuity and security of data processing operations | |
Complying with legal or regulatory obligations or requests, including creating and managing accounting documents | Performance of legal obligations | |
Disclosing data to public sector authorities, supervisory and law enforcement authorities | Performance of legal obligations | |
Disclosing data to our legal advisors and establishing, exercising, or defending legal claims, whether in court proceedings or in an administrative or out-of-court procedure in relation to our, our clients’ or employees’ rights | Our legitimate interest in seeking legal advice and managing legal claims, facilitating effective establishment, exercise, or defence of legal claims | |
Arranging the sale or merger of our company and providing information for conducting the legal or other audit and the data exchange thereof; disclosing data to legal successors and/or potential acquirers of the company | Our legitimate interest in facilitating proper due diligence process and business continuity by ensuring a successful merger, acquisition or restructuring of the company | |
Disclosing data to our service providers | Our legitimate interest in providing the Website, App and Software, utilising the IT infrastructure and services provided by our service providers and ensuring our proper economic activity | |
We may process your personal data for other purposes, provided that we disclose the purposes and use to you at the relevant time, and that you either consent to the proposed use of the personal data, other legal grounds exist for the new processing purposes, or the new purpose is compatible with the original purpose brought out above.
5. RECIPIENTS OF PERSONAL DATA AND DATA TRANSFERS
We may disclose your personal data to separate controllers, who process your personal data for their own purposes, and processors, who process your personal data on our behalf to help us to provide the Website, App and Software. These data recipients belong to the following categories:
Category | Purpose of disclosure |
---|---|
Public sector authorities, supervisory and law enforcement authorities | To fulfil our statutory obligation, a court order, to establish, exercise or defend our legal rights or in other cases where this is necessary to prevent and deter unlawful acts. |
Professional advisors | To ensure our proper economic activity and to establish, exercise or defend our legal rights. |
Our legal successors and/or potential acquirers of the company | To successfully transfer our business or for the purposes of merger and/or acquisition, we would include data among the assets transferred to any parties who acquire us. |
Group companies | For organisational and operational management in order to ensure unified work and strategy across all group companies. |
Third-Party Services | To provide user-selected access to relevant external content, applications, and services, as specified in our Terms of Use. |
Service providers | To help us in providing the services, including our Website, App and overall Software, to you. |
The personal data that we collect from you is primarily processed within the European Economic Area (“EEA”), but we may transfer your data to and store it in countries outside of the EEA, which do not offer an equivalent level of protection. In such cases we use safeguards (e.g., standard contractual clauses approved by the European Commission) to ensure that a level of protection of personal data comparable to that applicable in the EEA is applied to your personal data. Upon your request to the contact details specified in Section 2 of the Notice, we can make available further information, including a copy of the safeguards applied.
6. SECURITY OF YOUR PERSONAL DATA
We take reasonable technical and organisational security measures designed to protect your personal data against accidental or unlawful destruction, loss or alteration, unauthorised disclosure, abuse or other processing in violation of applicable law. These measures vary based on the sensitivity of the personal data we process and the current state of technology.
However, please be advised that no security measure can be 100% effective, and we cannot guarantee the security of your data, including against unauthorised acts, access, hacking or data breaches by third parties.
We also encourage you to take measures to ensure the safety of your personal data, including protecting your account. In particular, we strongly recommend that you enable two-factor authentication for your account and keep your password, API key and API secret confidential and stored in a secure location. In addition, we advise you to make sure your device is secure and to avoid using public unencrypted internet connection spots.
7. PERSONAL DATA RETENTION PERIODS
We retain your personal data for the duration necessary to fulfil the objectives outlined in Section 4 of this Notice or for as long as we have a legal obligation to do so. In deciding the appropriate retention period for personal data, we consider the quantity, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining your personal data, we take into account the viable need to resolve disputes and enforce the contract between us, or anonymise your personal data and retain this anonymised information indefinitely. The specific retention periods are the following:
Personal data category | Retention period |
---|---|
Main Data and Billing Data relating to transactions | 7 years from the end of the financial year when the respective transaction took place, to comply with our obligations arising from applicable laws. |
Other Main Data, Billing Data and Transaction Data relating to the taking and implementing the pre-contractual measures of the potential Terms of Use to be concluded between us or performing the Terms of Use concluded between us | 3.5 years from the termination of the Terms of Use, including deletion of User Account, under our legitimate interests to establish, exercise, or defend against potential legal claims, or termination or expiration of other applicable terms and conditions. In case we have reasonable doubt that a party has breached the contractual relationship between us intentionally, we may prolong such retention period for a maximum of 10 years. |
Communication Data | 3.5 years from the moment the respective communication-flow was closed, under our legitimate interests to establish, exercise, or defend against potential legal claims. In case we have reasonable doubt that a party has breached the contractual relationship between us intentionally, we may prolong such retention period for a maximum of 10 years. |
Marketing Data | 30 days after the termination of the Terms of Use, including deletion of the User Account, or upon withdrawal of consent, or termination or expiration of other applicable terms and conditions. |
Technical Data and Usage Data | 30 days as of the collection of such data. |
Following the retention period or if we no longer need the personal data for the purposes specified in Section 4 of the Notice, we shall destroy the respective personal data within a reasonable time, unless the retention of personal data is required to perform duties or requirements arising from the applicable law or to protect against ongoing or threatened disputes, in which case we retain the personal data until the dispute is resolved.
After the expiry of the retention period determined above or the termination of the legal basis for processing purpose, we may retain the materials containing the personal data in our backup systems, from which the respective materials will be deleted after the end of the backup cycle. We ensure that during the backup period appropriate safeguards are applied and the backed-up materials are put beyond use. Access to these backups is strictly limited to essential personnel on a need-to-know basis.
8. AUTOMATED DECISION MAKING
We incorporate Artificial Intelligence technologies such as the Generative Pre-training Transformer technology (“GPT”) into our services, including but not limited to, our FAQ Chatbot. While we do not actively process your personal data within these services, any personal data you input may be subject to automated decision making. This activity will not result in any legal consequences for you. We prioritise the protection of your personal data and take all necessary precautions to ensure its security. Should you believe that your personal data has been processed in this regard, you may reach out to us for further actions regarding your data protection rights at dpo[at]3commas.io. For more detailed information about this use case, please also contact us at the aforementioned email address.
9. YOUR RIGHTS AS A DATA SUBJECT
You may, at any time, exercise the following rights with respect to our processing of your personal data:
- Right to access: you have the right to request access to, including to receive a copy of, your personal data. This includes the right to be informed on whether we process your personal data, what personal data categories are being processed by us, and the purpose of the data processing.
- Right to rectification: you have the right to request that we correct any of your personal data if you believe that we are processing incorrect, inaccurate or incomplete personal data.
- Right to object: you are entitled to object to certain processing of your personal data, for example when we process your personal data based on our legitimate interest or for direct marketing purposes;
- Right to restriction: you have the right to request that we restrict the processing of your personal data, for example if you wish to dispute the accuracy of certain personal data we are processing or if we no longer need the personal data for the purposes of the processing, but you require the personal data to establish, exercise or defend legal claims;
- Right to erasure: you have the right to request that we erase your personal data for example if the personal data is no longer necessary for the purposes for which it was collected or if you consider that the processing is unlawful.
  - You can initiate the deletion procedure of your Software’s Client Account in the App’s settings. Please note that an extended authentication procedure may be required before we proceed with the account deletion.
- Right to data portability: you have the right to receive your personal data in a structured, commonly used and machine-readable format if the processing is carried out by automated means and is based on your consent or a mutual contractual relationship. Moreover, you may request that the personal data is transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible.
- Right to withdraw your consent: in cases where the processing is based on your consent, you have the right to withdraw your consent to such processing at any time.
  - To stop receiving our direct marketing messages, either reach out to us directly or click the ‘unsubscribe’ link provided in the message. Using this link will remove you from future messages of that type. For preferences regarding all categories of direct marketing, visit the Account Settings page. Please note however that essential service emails like password resets, billing information, or updates to our terms, will continue unless you deactivate your account.
- Right not to be subject to a decision based solely on automated processing, including profiling: Our use of automated decision-making is limited, and should not result in any legal impact to you. You may read more about our use of automated decision-making in Section 8.
- Complaints: If you wish to make a complaint, please contact us. We will promptly investigate your complaint and respond to you. If you are not satisfied with our response to your request in relation to personal data processing or you believe we are processing your personal data not in accordance with the applicable law, you can submit your claim to the data protection authority, e.g., in Estonia to the Estonian Data Protection Inspectorate (in Estonian: Andmekaitse Inspektsioon) at info[at]aki.ee or www.aki.ee.
To exercise the data subject’s rights please contact us as specified in Section 2 of this Notice. Please note that you should supply us with adequate information for us to respond to your requests concerning your rights. Prior to answering your request, we may ask you to provide additional information for the purposes of authenticating you and evaluating your request (e.g., if you seek to exercise the rights on behalf of someone else as a legal representative).
We will respond to your request promptly and in any case within one month from the date we receive it. If necessary, due to the complexity and number of the requests, this period may be extended by up to two additional months. We will inform you of any such extension within one month of receiving your request, along with the reasons for the delay.
10. OTHER JURISDICTIONS
You may also have certain additional rights regarding the information we hold about you under other data protection and privacy laws. Please contact us at dpo[at]3commas.io about your specific situation for more information.
11. LINKS TO OTHER WEBSITES, APPS OR SERVICES
Our Website and App may link to external sites that are not operated by us, or offer access to apps and services not under our operation or control. Therefore, this Notice applies solely to the personal data we may collect or receive from these third-party sources but does not apply to data processing conducted by such third parties. Please be aware that we neither endorse nor have any control over the content and policies of those sites, apps or services, and, thus, cannot accept responsibility or liability for their respective practices. To find out more about how such third parties process your personal data, please refer to the respective privacy notices on the other websites you visit, or apps and services you use.
12. CHANGES TO THIS NOTICE
We regularly review and revise this Notice as necessary to reflect the changes in the way we process personal data, and in such cases, we publish any updates directly on this page.
Please check back periodically, and especially before you provide any new personal data. In case of material changes, we will send a direct notification to the email address you’ve registered with us.