3Commas Wallet Privacy Notice
This 3Commas Wallet Privacy Notice is effective as of June 06, 2023
1. INTRODUCTION
This Privacy Notice describes the procedures of 3Commas Technologies OÜ, registry code 14125515, address Laeva 2, Kesklinn, Tallinn, Harjumaa, 10111 (“we,” “our,” or “us”) collection, use, and disclosure of your information in the product and related mobile application we offer (the “Services” or “3Commas Wallet”).
By using 3Comams Wallet, including downloading mobile applications, you acknowledge and accept the use, disclosure, and procedures outlined in this Privacy Notice.
Your right to privacy and the protection of your personal data is important to us. The following sections provide further details as to how we process your personal information through 3Commas Wallet. We don’t share your information with third parties except to deliver you our Services and products, comply with the law, make Wallet better, protect our rights, or effectuate a business transfer.
By accessing and using 3Commas Wallet, you will also have access to the 3Commas crypto trading platform 3Commas.io, and its mobile application subject to the according Terms and Conditions.
2. DATA WE COLLECT
We do our best to minimise the amount of personal information that we collect from Wallet users.
We have set out in the table below the categories of personal data we collect and use about you:
Category of personal data | Data collected | |
When you access the Wallet or contact us | Technical Data | Upon accessing the 3Commas Wallet, we process technical data related to your usage of the 3Commas Wallet, including but not limited to the mobile network, location data (down to city level), access-provider, date, time, access tokens, session key, device type and version, device language, operating system, amount and state of transferred data. We also collect usage and analytics data related to app performance such as the number of times the app is opened, duration of app usage, specific features or screens within the app that are accessed, app crashes, error messages and network requests. This information can be related to you, therefore, Personal Identification Information can be processed as well. These data may also be processed as anonymised statistical data. |
Communication Data | In case you interact with us via our 3Commas Wallet live chat, e-mails and sign-up forms, 3Commas Facebook page, Youtube channel, Twitter page or Telegram or any other official social media account, we process, in addition to Personal Identification Information (limited in case of contacting via social media), also the contents of your message. | |
When you use the Services | Personal Identification Information | Personal Identification Information is collected when you sign up or sign in to the Services. Name, e-mail address, 2FA key, IP address, KYC token, language, Google Analytics client ID, Gravatar image, and passcode; if you choose to sign up via Facebook we collect your Facebook UID, Facebook profile name, and Facebook e-mail; if you choose to sign up via Apple, we collect your Apple profile name, Apple e-mail or Apple generated email. |
Financial and Transaction Data | Public wallet address, transaction data (date/time/amount of transaction), API key, API secret, transaction request/response, Exchange Account username, the passphrase. |
3. WHAT DO WE USE YOUR PERSONAL DATA FOR
We have set out in the table below the reasons why we process your personal data:
Purpose for processing | Category of personal data processed | Legal basis |
Client authentication | Personal Identification Information | Performance of the Terms of Use |
Enabling the Services and its functionalities | Personal Identification Information, Financial and Transaction Data | Performance of the Terms of Use and if relevant performance of the Client Account |
Direct marketing campaigns - Client marketing campaigns in relation to the Software, its functionalities and products already provided to you | Personal Identification Information, Financial and Transaction Data (mainly the transaction activity) | Our legitimate interest in providing you with information relating to the services and products you have previously sourced from us |
Processing data for predictive analytics and insights, improvement and development of the 3Commas Wallet | All of the data categories indicated in Section 2 above | Our legitimate interest in improving and developing the 3Commas Wallet and the Software within the course of our business activities or performance of the Terms of Use |
Diagnosing and repairing technical issues related to the Services | Technical Data | Our legitimate interest in providing data security and preventing fraudulent actions related to the Services; ensuring the functioning of the 3Commas Wallet |
Storing information containing personal data in backup systems | All of the data categories indicated in Section 2 above | Our legitimate interest in ensuring the security of data processing operations |
Data disclosures to potential acquirers of 3Commas business, including legal advisors, auditing service providers in case of a merger, acquisition or selling the whole or part of our business | All of the data categories indicated in Section 2 above | Our legitimate interest in ensuring proper due diligence process and business continuity |
Data disclosures to our service providers | All of the data categories indicated in Section 2 above | Our legitimate interest in utilising the information technology infrastructure and services provided by our co-operation partners |
Mandatory disclosures to law enforcement and data protection authorities | All of the data categories indicated in Section 2 above | Performance of our legal obligation |
Client identity verification for recovery | Personal Identification Information | Performance of the Terms of Use |
Client’s transaction history | Financial and Transaction data | Performance of the Terms of Use |
Responding to your enquiries and requests submitted via the website, sign-up forms, live chat or e-mail or any social media platforms | Communication Data, however, depending on the nature of your enquiry we can process all the data indicated in Section 2 above | In case your question relates to matters connected to the Terms of Use or Client Account we process the data for the provision of the Services. In other cases, we rely on our legitimate interests in ensuring effective relations management with all the interested parties in our Services. |
Receiving and sending Virtual Currencies to your non-custodial wallet. | Financial and Transaction Data, Personal Identification Information | Performance of the Terms of Use |
We may process your personal data for other purposes, provided that we disclose the purposes and use to you at the relevant time, and that you either consent to the proposed use of the personal data, other legal grounds exist for the new processing purposes or the new purpose is compatible with the original purpose brought out above.
4. SHARING YOUR PERSONAL DATA
Information about our users is an important part of our business and we do not sell our users’ personal information to others. We may transfer personal data to our service providers or third parties in connection with 3Commas Wallet’s operation of its business, as certain features on 3Commas Wallet rely on various third-party products and services (collectively “third-party services”).
These third-party services providers only have access to certain personal information, such as your public 3Commas Wallet addresses, to perform their functions and may not use it for other purposes. Furthermore, they must process the personal information in accordance with our contractual agreements and only as permitted by applicable data protection laws.
We use third-party processors and separate data controllers to help provide our service. They will have access to your personal data as reasonably necessary to perform these tasks on our behalf and are obligated not to disclose or use it for other purposes.
We have set out in the table below the reasons why and with whom we share your personal data:
Categories of Recipients | Reason for sharing | Type of recipient |
Service providers | We work with service providers that work on our behalf which may need access to certain personal data to provide their services to us. These companies include those we have hired to operate the technical infrastructure that we need to provide service, assist in protecting and securing our systems and services, and help market our service. Most of the aforementioned service providers are located in the European Union or European Economic Area, however, some of those service providers are located in the United States. Standard contractual clauses, or other applicable means, are applied to ensure the safeguard of the transfer. | Data processors |
Advertising partners | We work with advertising partners to enable us to customise the advertising content you may receive. These partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising (also known as online behavioral advertising), contextual advertising, and generic advertising. We and our advertising partners process certain personal data to help us understand your interests or preferences so that we can deliver advertisements that are more relevant to you. The aforementioned service providers are located in the United States. Standard contractual clauses, or other applicable means, are applied to ensure the safeguard of the transfer. | Data Processors |
Analytics partners | We work with service providers who help us to collect usage and analytics data related to app performance. The aforementioned service providers are located in the United States. Standard contractual clauses, or other applicable means, are applied to ensure the safeguard of the transfer. | Data Processors |
Professional advisors (legal advisors, accounting etc. bound to confidentiality) | In case not operating as data processors, the legitimate interests in conducting and supporting our regular business activities. | Data Processors |
Potential business acquirers and business transferee(s) | If necessary and required for successfully transferring our business or for the purposes of mergers and acquisitions, your personal data may be disclosed to the specified acquirers and their representatives and/or legal counsels. This is done based on our legitimate interests to sell and reorganise our business activities. | Separate data controllers |
In some cases, we may transfer your personal data outside the European Union or European Economic Area, if the recipient is located outside the European Union or European Economic Area. We shall opt to use special personal data protection safeguards, in order to ensure the safety of your personal data. For obtaining further information on the processors and recipients engaged by us or if you wish to get acquainted with or obtain information on the transferring of your personal data outside the European Union or European Economic Area and the safeguards implied thereof by contacting us using the contact information specified in this Privacy Policy.
5. YOUR RIGHTS WITH RESPECT TO THE PROCESSING OF PERSONAL DATA
Under data protection law, you have rights including
1. Right to be informed and to access. You may get information regarding your personal data processed by us.
2. Right to data portability. You have the right to receive your personal data from us in a structured, commonly used and machine-readable format. Moreover, you may request that the personal data be transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible.
3. Right to erasure. You have the right to have the personal data we process about you erased from our systems if the personal data are no longer necessary for related purposes. 3Commas Wallet addresses created through the 3Commas Wallet application cannot be deleted from the Ethereum blockchain, therefore we are unable to delete this personal information.
4. Right to object and restrict. You have the right to object to the processing of your personal data and restrict it in certain cases.
5. Right to rectification. You have the right to make corrections to your personal data.
6. Right to withdraw consent. When you have given us consent to process your personal data, you may withdraw said consent at any time.
7. Right to contact the supervisory authority. If you are not satisfied with our response to your request in relation to Personal Data or you believe we are processing your Personal Data not in accordance with the law, you can submit your claim with the Estonian Data Protection Inspectorate (in Estonian: Andmekaitse Inspektsioon) at [email protected] (https://www.aki.ee/).
To exercise any of the abovementioned rights, please contact our DPO via e-mail at [email protected]. We will provide you with an answer within one month of receipt of your request. Note however that we can extend that period by two further months where necessary, taking into account the complexity and number of the requests.
3Commas has appointed a Data Protection Officer (DPO) to guarantee high-level personal data protection safeguards and individuals’ rights regarding privacy and data protection. The DPO service for 3Commas is provided by Hedman Partners Law firm. In case you wish to contact our Data Protection Officer, please write to [email protected].
Under California Consumer Protection Act (“CCPA”) you also have the right not to be discriminated against because of the exercise of your rights. Please note that we do not sell your personal data.
6. DATA RETENTION AND DELETION
Please note that even if you delete your 3Commas Wallet or addresses from the 3Commas Wallet mobile application, uninstall 3Commas Wallet mobile applications from your device, or request that your information be deleted, we still may retain some information that you have provided to us to maintain 3Commas Wallet or to comply with the laws and regulations to which 3Commas Wallet is subject. If you have any questions or objections as to how we collect and process your personal information, please contact us.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining the personal data, we take into account the viable need to resolve disputes and enforce the contract between us or anonymise your personal data and retain this anonymised information indefinitely.
In case you are Client, as a general rule we will retain all your data for 7 days after the termination of the Client Account in a manner that would allow you to re-activate the Client Account. Otherwise, please see the following non-exhaustive summary on storing your personal data:
- For accounting purposes, we retain Financial Data and Transaction Data and Personal Identification Information connected to it for a period of 7 years from the end of the financial year when the respective business transaction took place;
- Data connected to the Client Account, which is first and foremost Personal Identification Information, is retained for the whole period when the respective Client Account is valid and at least 3 years from the moment of termination of it under our legitimate interests to protect ourselves against potential disputes or enforce claims. In case we have a reasonable doubt that a party has acted in bad faith, has breached any obligations intentionally or has threatened us with a dispute, we may prolong such retention period for a maximum of 10 years.
- Technical Data will be retained for 30 days as of the collection of such data;
- Communication Data, unless clearly connected to the Client Account, will be retained for a period of 3 years from the moment the respective communication flow has been closed.
In case any of the data stipulated in Section 2 above is needed for purposes of protection against ongoing or threatened disputes, we shall retain the related data as long as the dispute is solved.
After the expiry of the retention period determined above or the termination of the legal basis for processing purposes, we may retain the materials containing the personal data in the backup systems, from which the respective materials will be deleted after the end of the backup cycle. We ensure that during the backup period, appropriate safeguards are applied, and the backed-up materials are put beyond use.
7. DATA SECURITY
We are committed to making sure your information is protected in accordance with applicable laws and our data privacy policies. We have selected third-party vendors that use the Ethereum network, that help us keep your personal information safe. Unfortunately, we do not control these third parties and therefore cannot guarantee complete security. We work to protect the security of your personal information during transmission by using encryption protocols and software. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your personal information and secure all connections with industry-standard transport layer security. Even with all these precautions, we cannot fully guarantee against the access, disclosure, alteration, or deletion of data through events, including but not limited to hardware or software failure or unauthorised use. Any information that you provide to us is done so entirely at your own risk.
8. CALIFORNIA PRIVACY RIGHTS
This section describes how we collect, use and share the Personal Information of California residents in our capacity as a "business" under the California Consumer Privacy Act of 2018 ("CCPA"), and their rights under the CCPA.
This section applies only if you are a California resident. For purposes of this section, "Personal Information" has the meaning given in the California Consumer Privacy Act ("CCPA").
This section does not apply to:
- information exempted from the scope of the CCPA;
- information collected in a business-to-business context, namely, where the information reflects our communications or transactions with you in the context of performing due diligence on, providing services to, or receiving services from, a company, partnership, sole proprietorship, non-profit or government agency where you are an employee, controlling owner, director, officer or contractor of that organisation;
- activities governed by a different privacy notice, such as notices we give to California personnel or job candidates; or
Personal Information we collect, use, and share on behalf of our customers as a "service provider" under the CCPA. You have the following rights:
- Right to Know – Information. You can request the following information about how we have collected and used your Personal Information during the past 12 months:
• The categories of Personal Information we have collected.
• The categories of sources from which we collected the Personal Information.
• The business or commercial purpose for collecting and/or selling Personal Information.
• The categories of third parties with whom we share Personal Information.
• The categories of Personal Information that we sold or disclosed for a business purpose.
• The categories of third parties to whom the Personal Information was sold or disclosed for a business purpose.
- Right to Know – Access. You can request a copy of the Personal Information that we have collected about you during the past 12 months.
- Right to Deletion. You can ask us to delete the Personal Information that we have collected from you.
- Right to Opt-Out. You have the right to opt out of any "sale" of your Personal Information as defined in the CCPA.
- Right to Nondiscrimination. You are entitled to exercise the rights described above free from discrimination prohibited by the CCPA.
How to exercise your rights
We will need to verify your identity to process your information, access, and deletion requests and reserve the right to confirm your California residency. To verify your identity, we may require you to log into the Client Account (if applicable), provide government identification, give a declaration as to your identity under penalty of perjury, and/or provide additional information. These rights are not absolute, and in some instances, we may decline your request as permitted by law.
Your authorised agent may make a request on your behalf upon our verification of the agent's identity and our receipt of a copy of the valid power of attorney given to your authorised agent pursuant to California Probate Code Sections 4000-4465. If you have not provided your agent with such a power of attorney, you must provide your agent with written and signed permission to exercise your CCPA rights on your behalf, provide the information we request to verify your identity and provide us with written confirmation that you have given the authorised agent permission to submit the request.
Personal information that we collect, use and disclose
The categories of Personal Information we collect are described below by reference to the statutory categories of Personal Information specified in the CCPA (California Civil Code section 1798.140):
- Identifiers (excluding online identifiers), such as first and last names, email addresses, phone numbers, 2FA key, passcode, social media account information (such as Facebook UID, Facebook profile name, Facebook email, Apple profile name, Apple e-mail or Apple generated email), in a case on an entity: business name, business registry code and VAT ID.
- Commercial information, such as records of your transactions; content of messages; and services considered.
- Financial information, such as billing and mailing address, exchange account username, API key, API secret, passphrase, transaction data (date/time/amount of transaction), and transaction request/response.
- Online identifiers, such as mobile network, access provider, date, time, access tokens, session key, device type and version, device language, operating system, amount and state of transferred data, session key, and 3Commas user ID.
- Geographical data, such as the city of your location identified by your device location (down to the city level).
- Analytics and network data, such as usage and analytics data related to app performance such as the number of times the app is opened, duration of app usage, specific features or screens within the app that are accessed, app crashes, error messages and network requests..
- Professional or employment information, such as your organisational affiliation.
- California Customer Records (listed in California Civil Code section 1798.80), such as the Professional or employment information, Financial information, Commercial information and Identifiers listed above.
- Inferences are drawn from any of the above information to create a profile reflecting your preferences, characteristics, and behaviour.
The sources from which we collect these categories of Personal Information are described in Section 2 of this Privacy Policy. The business/commercial purposes for which we use these categories of Personal Information are described in Section 3. The categories of third parties with which we share these categories of Personal Information are described in Section 4 above.
We do not sell your personal information in the conventional sense. However, like many companies, we use advertising services that try to tailor online ads to your interests based on information collected and similar technologies about your activity on ours and other online services. This is called interest-based advertising.
The above summary of how we collect, use and share Personal Information describes our practices currently and for the 12 months preceding the effective date of this Privacy Policy.
9. OTHER JURISDICTIONS
You may also have certain rights regarding the information we hold about you under other data protection and privacy laws. Please contact us at [email protected] for more information.
10. ADDITIONAL
Age limitations
We do not knowingly collect any information from individuals under 18 years of age. If we discover a user of being younger than 18 years old we will require the user to close their account, and we will take steps to delete any collected information as soon as possible.
Dispute Resolution
If you have questions, please feel free to contact us at [email protected].
Disputes relating to the processing of personal data are settled through our Complaint Procedure.
We may amend or modify this Privacy Policy from time to time to reflect changes in the way we process personal data. In case of material changes, we will notify you, as required under applicable laws.