3COMMAS PRIVACY POLICY FOR WEBSITE AND SOFTWARE

This Privacy Policy was updated on April 13.04.2021.

1. INTRODUCTION

3Commas Technologies OÜ provides software as a service, which allows you to utilize several functionalities for managing their cryptocurrency holding across different accounts, including SmartTrade Terminal and automated Trading Bots. This Privacy Policy explains the principles on how 3Commas Technologies OÜ, registry code 14125515, address Telliskivi 60a/8, Tallinn, Estonia, 10412, e-mail support@3commas.io (“3Commas”, „our“, “we” or “us”) as the personal data controller collects and processes your (“you”) personal data when you visit the website https://3commas.io/ (“Website”) and in relation to the provision of the Software. In case you act as the Signals Provider, please see our privacy notice for signals providers.

Capitalised terms used in this Privacy Policy are used in the meaning given to them in the Terms of Use unless otherwise expressly set out herein.


2. DATA WE COLLECT

We have set out in the table below the categories of personal data we collect and use about you:

Category of personal data Data collected
When you visit our Website or contact with us Technical Data Upon visiting our Website, we process technical data related to your usage of the Website, including but not limited to IP address, location data (down to city level), access-provider, referring URL, date, time, access tokens, session key, browser type and version, browser language, operating system, amount and state of transferred data. This information can be related to you, therefore, Personal Identification Information can be processed as well. These data may also be processed as anonymized statistical data.
Cookie Data We apply cookies on the Website, for optimising the Website and its functionalities. The cookies may collect your personal data. To learn more about the cookies we use, please read our Cookie Policy
Communication Data In case you interact with us via our Website live chat, e-mails and sign-up forms, 3Commas Facebook page, Youtube channel, Twitter page or Telegram or any other official social media account, we process, in addition to Personal Identification Information (limited in case of contacting via social media), also the contents of your message.
When you use the Software Personal Identification Information Name, e-mail address, 2FA key, IP address, KYC token, language, Google Analytics client ID, Gravatar image, if you choose to sign up via Facebook, we collect your Facebook UID, Facebook profile name, Facebook e-mail
Financial and Transaction Data Exchange Account username, API key, API secret, passphrase, transaction data (date/time/amount of transaction), transaction request/response, Referral status, billing information (country, phone number, address, city, postal code; in case of an entity: business name, registry code and VAT ID)

The personal data we process is collected from one of the following sources:

  • the data is disclosed by you directly to us;

  • we receive the data from your Exchange Account provider due to you connecting your Exchange Accounts to the Client Account;

  • we receive the data from social media service provider due to you registering or contacting with us via your existing social media account;

  • we receive the data from the payment service provider due to you concluding the Purchase Agreement and paying for the Subscription;

  • we receive Technical Data automatically from your browser, our servers and systems;


3. What we use your personal data for

We have set out in the table below the reasons why we process your personal data:

Purpose for processing Category of personal data processed Legal basis
Client authentication Personal Identification Information Performance of the Terms of Use
Client identity verification (KYC) for recovery Personal Identification Information Performance of the Terms of Use
Client’s transaction history Financial and Transaction data Performance of the Terms of Use
Responding to your enquiries and requests submitted via the website, sign-up forms, live chat or e-mail or any social media platforms Communication Data, however, depending on the nature of your enquiry we can process all the data indicated in Section 2 above In case your question clearly relates to matters connected to the Terms of Use, Client Agreement or Purchase Agreement we process the data for the performance of the Contract. In other cases, we rely on our legitimate interests in ensuring effective relations management with all the interested parties in our Software and services
Client invoicing for the Purchase Agreement or for mediating your payments to Signals Providers (no personal data are shared with Signals Providers) Personal Identification Information, Financial and Transaction Data Performance of the Purchase Agreement or our legitimate interest in performing the Signaller Agreement concluded with the Signals Provider
Transfer of funds from a payment service provider to your Client Account and making out payments upon your withdrawal request via payment service provider Financial and Transaction Data, Personal Identification Information Performance of the Terms of Use
Determining your location for designating applicable VAT rate Personal Identification Information Performance of the Purchase Agreement
Handling the refunds related to Purchase Agreement Personal Identification Information, Financial and Transaction Data, Communication Data Performance of the Purchase Agreement or in certain situations performance of our legal obligation
Enabling your use of the Trial Personal Identification Information Performance of the Trial Terms
Enabling the Software and its functionalities Personal Identification Information, Financial and Transaction Data Performance of the Terms of Use and if relevant performance of the Purchase Agreement
Sending newsletters to your e-mail Personal Identification Information Consent
Providing you with notifications via your chosen channel (for example, mobile app, e-mail, Website, Telegram Bot) Personal Identification Information Consent given for the specific notification channel
Direct marketing campaigns - Client marketing campaigns in relation to the Software, its functionalities and products already provided to you Personal Identification Information, Financial and Transaction Data (mainly the transaction activity) Our legitimate interest in providing you with information relating to the services and products you have previously sourced from us
Processing data for predictive analytics and insights, improvement and development of the Software All of the data categories indicated in Section 2 above Our legitimate interest in improving and developing the Website and the Software within the course of our business activities or performance of the Terms of Use
Diagnosing and repairing technical issues related to the Software and the Website Technical Data Our legitimate interest in providing data security and preventing fraudulent actions related to the Software and the Website; ensuring the functioning of the Software and the Website
Storing information containing personal data in backup systems All of the data categories indicated in Section 2 above Our legitimate interest in ensuring the security of data processing operations
Data disclosures to potential acquirers of 3Commas business, including legal advisors, auditing service providers in case of a merger, acquisition or selling the whole or part of our business All of the data categories indicated in Section 2 above Our legitimate interest in ensuring proper due diligence process and business continuity
Data disclosures to our service providers All of the data categories indicated in Section 2 above Our legitimate interest in utilising the information technology infrastructure and services provided by our co-operation partners
Mandatory disclosures to law enforcement and data protection authorities All of the data categories indicated in Section 2 above Performance of our legal obligation

We may process your personal data for other purposes, provided that we disclose the purposes and use to you at the relevant time, and that you either consent to the proposed use of the personal data, other legal grounds exist for the new processing purposes or the new purpose is compatible with the original purpose brought out above.


4. SHARING YOUR PERSONAL DATA

Any data you provide will not be publicly displayed or shared to other Website visitors or clients. Certain employees of 3Commas have access to personal data to the extent necessary for the performance of their work duties.

We use third party processors and separate data controllers to help provide our service. They will have access to your personal data as reasonably necessary to perform these tasks on our behalf and are obligated not to disclose or use it for other purposes.

We have set out in the table below the reasons why and with whom we share your personal data:

Categories of Recipients Reason for sharing Type of recipient
Service providers

We work with service providers that work on our behalf which may need access to certain personal data to provide their services to us. These companies include those we have hired to operate the technical infrastructure that we need to provide service, assist in protecting and securing our systems and services, and help market our service.

Most of the aforementioned service providers are located in the European Union or European Economic Area, however, some of those service providers are located in the United States and in the Russian Federation. Standard contractual clauses, or other applicable means, are applied to ensure the safeguard of the transfer.

Data processors
Payment processors

We will share your personal data with our payment processors as necessary to enable them to process your payments.

The aforementioned service providers are located in the United States and Canada. Standard contractual clauses, or other applicable means, are applied to ensure the safeguard of the transfer.

Data processors or separate controllers
Advertising partners

We work with advertising partners to enable us to customize the advertising content you may receive. These partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising (also known as online behavioral advertising), contextual advertising, and generic advertising. We and our advertising partners process certain personal data to help us understand your interests or preferences so that we can deliver advertisements that are more relevant to you.

The aforementioned service providers are located in the United States. Standard contractual clauses, or other applicable means, are applied to ensure the safeguard of the transfer.

Data Processors
Identity verification service provider, such as Synaps SAS, with registry code: 83860473400015, and address: 13, rue Rene Cassin – 69740 Genas, France You can verify your identity on our platform to recover your account when needed. The KYC verification process is operated by Synaps which provides us only a positive or negative response without other details. We do not receive a copy of your identification document or any biometric data. Data Processor
Professional advisors (legal advisors, accounting etc. bound to confidentiality) In case not operating as data processors, the legitimate interests in conducting and supporting our regular business activities. Data Processors
Potential business acquirers and business transferee(s)

If necessary and required for successfully transferring our business or for the purposes of mergers and acquisitions, your Personal data may be disclosed to the specified acquirers and their representatives and / or legal counsels.

This is done based on our legitimate interests to sell and reorganize our business activities.

Separate data controllers
Law enforcement and data protection authorities We disclose your personal data to law enforcement and data protection authorities only if we are under a duty to disclose or share these data in order to comply with legal obligations (for example, if required to do so under applicable law, by a court order or for the purposes of prevention of fraud or other crime) Separate data controllers

In addition to the information provided in the table above, in some cases, we may transfer your personal data outside the European Union or European Economic Area, if the recipient is located outside the European Union or European Economic Area. We shall opt to use special personal data protection safeguards, in order to ensure the safety of your personal data. For obtaining further information on the processors and recipients engaged by us or if you wish to get acquainted with or obtain information on the transferring of your personal data outside the European Union or European Economic Area and the safeguards implied thereof by contacting us using the contact information specified in this Privacy Policy.


5. ENSURING THE SECURITY OF PERSONAL DATA

We have taken necessary technical and organizational security measures to protect your personal data against accidental or unlawful destruction, loss or alteration and against the unauthorized disclosure, abuse or other processing in violation of applicable law.


6. RETENTION AND DELETION OF PERSONAL DATA

Your personal data (all data categories mentioned in Section 2) shall be stored insofar as reasonably necessary to attain the objectives stated in Section 3 above, or until the legal obligation stipulates that we do so. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining the personal data, we take into account the viable need to resolve disputes and enforce the contract between us or anonymize your personal data and retain this anonymized information indefinitely.

In case you are Client, as a general rule we will retain all your data for 7 days after the termination of the Client Agreement in a manner that would allow you to re-activate the Client Account. Otherwise, please see the following non-exhaustive summary on storing your personal data:

  • -

    For accounting purposes, we retain Financial Data and Transaction Data and Personal Identification Information connected to it for a period of 7 years from the end of the financial year when the respective business transaction took place;

  • -

    Data connected to the Client Agreement or the Purchase Agreement, which is first and foremost Personal Identification Information, is retained for the whole period when the respective agreement is in force and at least 3 years from the moment of termination of the respective agreement under our legitimate interests to protection ourselves against potential disputes or enforce claims. In case we have a reasonable doubt that a party has acted in bad faith, has breached any obligations intentionally or has threatened us with a dispute, we may prolong such retention period for a maximum of 10 years.

  • -

    Technical Data will be retained for 30 days as of the collection of such data;

  • -

    Communication Data, unless clearly connected to the Client Agreement or the Purchase Agreement, will be retained for a period of 3 years from the moment the respective communication-flow has been closed.

In case any of the data stipulated in Section 2 above is needed for purposes of protection against ongoing or threatened disputes, we shall retain the related data as long as the dispute is solved.

After the expiry of the retention period determined above or the termination of the legal basis for processing purpose, we may retain the materials containing the personal data in the backup systems, from which the respective materials will be deleted after the end of the backup cycle. We ensure that during the backup period appropriate safeguards are applied and the backed-up materials are put beyond use.


7. YOUR RIGHTS AND PREFERENCES

Under data protection law, you have rights including:

  1. 1)

    Right to be informed and to access. You may get information regarding your personal data processed by us.

  2. 2)

    Right to data portability. You have the right to receive your personal data from us in a structured, commonly used and machine-readable format. Moreover, you may request that the personal data is transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible.

  3. 3)

    Right to erasure. You the right to have personal data we process about you erased from our systems if the personal data are no longer necessary for the related purposes.

  4. 4)

    Right to object and restrict. You have the right to object to the processing of your personal data and restrict it in certain cases.

  5. 5)

    Right to rectification. You have the right to make corrections to your personal data.

  6. 6)

    Right to withdraw consent. When you have given us consent to process your personal data, you may withdraw said consent at any time.

  7. 7)

    Right to contact the supervisory authority. If you are not satisfied with our response to your request in relation to Personal Data or you believe we are processing your Personal Data not in accordance with the law, you can submit your claim with the Estonian Data Protection Inspectorate (in Estonian: Andmekaitse Inspektsioon) at info@aki.ee (https://www.aki.ee/).

To exercise any of the abovementioned rights, please contact our customer support team via e-mail indicated in Section 8 below.


8. OTHER IMPORTANT INFORMATION

Newsletter, notifications and direct marketing campaigns

With your explicit consent, you may be subject to direct marketing campaigns, we may send you our newsletter or provide you with notifications. You may opt out of the direct marketing campaigns, newsletters and notifications on your account settings. We may also provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information.

Please note that email marketing messages include an opt-out mechanism within the message itself (e.g. an unsubscribe link in the emails we send to you). Clicking on the link in an email will opt you out of further messages of that category. You can use the Account Settings page to exercise choices about all categories of email and push marketing communication.

Dispute resolution

If you have questions, please feel free to contact us at support@3commas.io. Disputes relating to the processing of personal data are settled through our customer support. We may amend or modify this Privacy Policy from time to time to reflect changes in the way we process personal data. In case of material changes, we will notify you, as required under applicable laws.

Age limitations

We do not knowingly collect any information from individuals under 18 years of age. If we discover a user of being younger than 18 years old we will require the user to close their account and we will take steps to delete any collected information as soon as possible.


8. CALIFORNIA PRIVACY RIGHTS

This section describes how we collect, use and share Personal Information of California residents in our capacity as a "business" under the California Consumer Privacy Act of 2018 ("CCPA"), and their rights under the CCPA.

This section applies only if you are a California resident. For purposes of this section, "Personal Information" has the meaning given in the California Consumer Privacy Act ("CCPA").

This section does not apply to:

  • -

    information exempted from the scope of the CCPA;

  • -

    information collected in a business-to-business context, namely, where the information reflects our communications or transactions with you in the context of performing due diligence on, providing services to, or receiving services from, a company, partnership, sole proprietorship, non-profit or government agency where you are an employee, controlling owner, director, officer or contractor of that organization;

  • -

    activities governed by a different privacy notice, such as notices we give to California personnel or job candidates; or

Personal Information we collect, use, and share on behalf of our customers as a "service provider" under the CCPA. You have the following rights:

  • -

    Right to Know – Information. You can request the following information about how we have collected and used your Personal Information during the past 12 months:

    • The categories of Personal Information we have collected.

    • The categories of sources from which we collected the Personal Information.

    • The business or commercial purpose for collecting and/or selling Personal Information.

    • The categories of third parties with whom we share the Personal Information.

    • The categories of Personal Information that we sold or disclosed for a business purpose.

    • The categories of third parties to whom the Personal Information was sold or disclosed for a business purpose.

  • -

    Right to Know – Access. You can request a copy of the Personal Information that we have collected about you during the past 12 months.

  • -

    Right to Deletion. You can ask us to delete the Personal Information that we have collected from you.

  • -

    Right to Opt-Out. You have the right to opt-out of any "sale" of your Personal Information as defined in the CCPA.

  • -

    Right to Nondiscrimination. You are entitled to exercise the rights described above free from discrimination prohibited by the CCPA.

How to exercise your rights

We will need to verify your identity to process your information, access, and deletion requests and reserve the right to confirm your California residency. To verify your identity, we may require you to log into an 3Commas online account (if applicable), provide government identification, give a declaration as to your identity under penalty of perjury, and/or provide additional information. These rights are not absolute, and in some instances, we may decline your request as permitted by law.

Your authorized agent may make a request on your behalf upon our verification of the agent's identity and our receipt of a copy of the valid power of attorney given to your authorized agent pursuant to California Probate Code Sections 4000-4465. If you have not provided your agent with such a power of attorney, you must provide your agent with written and signed permission to exercise your CCPA rights on your behalf, provide the information we request to verify your identity and provide us with written confirmation that you have given the authorized agent permission to submit the request.

Personal information that we collect, use and disclose

The categories of Personal Information we collect are described below by reference to the statutory categories of Personal Information specified in the CCPA (California Civil Code section 1798.140):

  • -

    Identifiers (excluding online identifiers), such as first and last names, email addresses, phone numbers,2FA key, social media account information (such as Facebook UID, Facebook profile name, Facebook email), in case on an entity: business name, business registry code and VAT ID.

  • -

    Commercial information, such as records of your transactions with us; content of messages; and services considered.

  • -

    Financial information, such as billing and mailing address, exchange account username, API key, API secret, passphrase, transaction data (date/time/amount of transaction), transaction request/response, referral status, billing information (country, phone number, address, city, postal code; and other payment-related information.

  • -

    Online identifiers, such as operating system type and version number, manufacturer and model; browser type; screen resolution; IP address; unique device identifiers; and 3Commas user ID.

  • -

    Geographical data, such as city of your location identified by your IP address.

  • -

    Internet or network information, such as what 3Commas web pages you’ve seen and how long you spent on them; your access-provider; referring URL; navigation paths between pages; session date and time; access tokens; session key; amount and state of transferred data; and other information about your interaction with our sites and services, including the information described in our Cookie Policy.

  • -

    Professional or employment information, such as your organizational affiliation.

  • -

    California Customer Records (listed in California Civil Code section 1798.80), such as the Professional or employment information, Financial information, Commercial information and Identifiers listed above.

  • -

    Inferences drawn from any of the above information to create a profile reflecting your preferences, characteristics, and behavior.

The sources from which we collect these categories of Personal Information are described in Section 2 of this Privacy Policy. The business/commercial purposes for which we use these categories of Personal Information are described in Section 3. The categories of third parties with which we share these categories of Personal Information, are described in Section 4 above.

We do not sell your personal information in the conventional sense. However, like many companies, we use advertising services that try to tailor online ads to your interests based on information collected via cookies and similar technologies about your activity on ours and other online services. This is called interest-based advertising. The CCPA’s statutory definition of the term "sale" is broad and may include use of interest-based advertising services. You can get more information and opt-out of the use of cookies on our sites for interest-based advertising purposes by turning advertising cookies off in our Cookie Management Banner. You will need to set that preference from each device and each web browser from which you wish to opt-out. Some of these features use cookies to apply your preferences, so if you clear all cookies from your browser, you will need to re-set your settings.

The above summary of how we collect, use and share Personal Information describes our practices currently and for the 12 months preceding the effective date of this Privacy Policy.


Previous version before 13 April 2021