Privacy Policy of Torch Wallet

This Privacy Statement informs you about the processing of your personal data when you use our services through our app and/or website, communicate with us about our services, do business with us, or if you apply for a job with us.

Our service (the Services) consists of offering a smart wallet through which you can:
  • Send and receive ZIL and ZRC2 tokens
  • Initiate automated staking
  • Initiate instant unbonding
  • Initiate DEX token swaps
  • Initiate DEX limit orders

Controller

Torch Wallet B.V., is the controller of the processing operations described in this Privacy Statement, except where otherwise indicated for a specific processing operation.

The location and contact details of Torch Wallet B.V. are:
Torch Wallet B.V.
Kabelweg 57, 1014 BA, Amsterdam, the Netherlands
84250720
https://torchwallet.io
[email protected]

Purposes of the processing

If you use our Services, we may process your personal data for the following purposes:
  • To enable the provision of the Services;
  • To secure the Services, your personal data and/or our property;
  • To be able to contact you about the Services or similar services we offer;
  • To be able to charge you for the Services and to process this in our financial administration;
  • To examine how our Services are being used, so that we can make improvements where necessary;
  • In order to be able to transfer our company (including goodwill / customer base) one day, as part of a company takeover or relaunch.

Legal grounds for processing and retention periods

Processing operations that are necessary for our contract with you
These are the personal data that we may process in order to be able to enter into a contract for the Services with you and to be able to perform our contract with you (Article 6 Paragraph 1 (b) of the GDPR):
  • E-mail address;
  • IP address;
  • Wallet address (public key);
  • Device model and OS version;
  • Usage information on how you use our Services or interact with our app and website;
  • The communications you exchange with us in connection with the conclusion and performance of your contract with us, such as letters, e-mails, other text messages and/or notes or recordings from telephone or digital conversations.
Providing us with these personal data is a prerequisite for the conclusion of the contract for our Services, in the meaning of in Article 13 (2) (e) of the GDPR. We cannot provide our services to you without processing these personal data.

The retention period for personal data that we process on this basis is: one (1) year after the termination of your agreement with us. Your agreement with us ends when you inform us that you will no longer use our Services.

In some cases, we may retain the personal data that we mentioned above for a longer period. This is the case if we have reason to believe that retaining records relating to the conclusion and performance of our contract with you is necessary for the protection of our legal position in case of a dispute, or if we are required by law to retain certain data for a longer period. For more information about longer retention of personal data in such cases, please refer to the following paragraphs of this privacy statement.

Processing operations that we are legally obliged to carry out
These are the personal data that we must process in order to comply with legal obligations incumbent upon us (Art. 6 (1)(c) GDPR):
  • The personal data contained in our financial records, namely:
    • Your name, address, city and country of residence;
    • The amounts we charged to you;
    • The dates on which we have charged amounts to you;
    • The type of services to which the amounts charged relate, so that the correct VAT rate can be determined.
The retention period for the personal data we process for our financial administration is: seven (7) years after the data has lost its topicality. This means that billing data is destroyed in the eighth fiscal year after the billing has taken place. If we have an ongoing contract with you, under which we charge you, we will retain a copy of that contract for our tax data retention obligations for seven years after the contract ends. Your contract with us ends when you inform us that you will no longer be using our Services.

Processing operations that are necessary for a legitimate interest
These are the personal data that we process on the basis of a legitimate interest:
  • Personal data necessary to protect the Services against misuse and/or vandalism, namely
    • IP address;
    • Wallet address (public key);
    • Device model and OS version;
    • Usage information on how you use our Services or interact with our app and website;
The retention period for these data is two (2) years.
  • Data relating to our legal relationship with you, if we have reason to believe that this data may be important to our legal position (for our own information and for our burden of proof) in the context of a dispute or impending dispute, or if the personal data may otherwise be necessary for the protection of our legal position.
The retention period for these data is: until our legal relationship with you and/or the dispute over it has been fully settled.
  • Analytical data
Processing operations that we do on the basis of your consent
These are the personal data that we only process if you give us permission to do so:
  • Data for marketing / direct mailings
The retention period for these data is: until you withdraw your consent.

Sharing of personal data

We may share your personal data with third parties in the following cases:

Sharing with processors
For some parts of our business activities, we use service providers outside our own organization. If these service providers process personal data for us, they are our "processors". In that case, we conclude a processor's agreement with them, as referred to in article 28 paragraph 3 AVG.

We use the following types of processors:
  • A hosting provider, to allow us to store data in our DMS and CRM system;
  • An accounting and/or bookkeeping firm, to assist us in keeping our financial records and producing our financial accounts;
  • An IT service provider, to manage and maintain our databases and computer systems and provide IT support for our employees.
It is possible that one of our processors may collect your personal data directly from you, on our behalf. In such cases, we instruct our processor to collect only the personal data that is necessary for the provision of the services we have agreed with that processor. If you provide additional personal data to a processor of ours, please be aware that you do so of your own volition; in such a case, we are not the controller of those additional personal data.

Sharing based on a legal obligation
We will share your personal data with third parties if we are legally obliged to do so. For example:
  • If a circumstance arises that leads to an obligation to report a possible irregularity pursuant to the AML/CFT law;
  • If the police or any other investigative service, the tax authority, a governmental body or any other authority lawfully request personal data from us;
  • If a private party has a legitimate claim to receive or access your personal data on the basis of a judicial authorization.
If we receive a request from third party to share your personal data with them, we will inform you of this, unless informing you is not permitted by law. For example: if we have an obligation to report a possible irregularity pursuant to the AML/CFT law, the law prohibits us from informing the data subject about the report.

Sharing on the basis of a legitimate interest
  • Security and our legal interests
    • We may share your personal data with third parties such as our lawyer and/or a bailiff, a (forensic) accountant, detective agency, cyber security experts or other types of researchers and/or the police if this is reasonably necessary:
      • to protect rights, property or the safety of our organization, our users, our employees or the public;
      • to protect our organization and our users from fraudulent or otherwise unlawful, inappropriate or offensive use of our Services;
      • to respond to a (current or imminent) liability or other (current or imminent) legal consequences.
    • If we share your personal data on this basis, we will inform you about it if we can. We cannot inform you about sharing your personal data if doing so might interfere with the purpose and effectiveness of the investigation or other measures for which we have to share the data.

  • Sale or merger of our company
    • We may share your personal data with third parties if we intend to sell our company or a division within our company (either as part of a relaunch or otherwise), or if our company intends to merge with another. In the preparatory phase of the sale or merger, we may share your personal data with potential buyers or merger partners. When the company is actually transferred or merged, we will share your personal data with the final buyer or merger partner. In the preparatory phase of the sale or merger, we will try to anonymize the personal data that are part of our business information as much as possible.

    • We will not sell your personal data separately - outside of the context of a relaunch, company sale or merger - to an organization that will use your personal data for activities that are very different from ours.

    • If we intend to transfer your personal data to a third party in the course of a relaunch, company sale or merger, we will inform you about this as soon as we can do so without disrupting the preparatory phase of the relaunch, sale or merger.

    • If we share your personal data with a third party on the basis of a legitimate interest, and the third party is not already appropriately bound to confidentiality by law or by professional deontology, we will conclude a confidentiality agreement with the third party before we share the personal data.

Automatic decision-making and/or profiling

In order to provide our Services to you, we do not make use of automated decision-making or profiling.

Transfer of personal data outside the European Economic Area (EEA)

To the greatest extent possible, your personal data will be processed within the EEA. If we have to process personal data outside the EEA, we will try to this in a country that offers an adequate level of personal data protection within the meaning of Article 45 GDPR.

If we would ever need to process personal data in a country that is not covered by an adequacy decision within the meaning of Article 45 GDPR, we will make use of standard contractual clauses made or ratified by the European Commission (within the meaning of Article 46 paragraph 2 under c and d), to ensure that our processor offers adequate safeguards for your privacy.

Security of your personal data

We take the appropriate technical and organizational measures to secure your personal data. We will ensure that our systems are appropriately updated to remain in line with the state of the art regarding data security. Currently, we apply (at least) the following types of security measures:
  • We have taken physical measures in our business premises to ensure that unauthorized persons cannot access our documents, workstations and servers.
  • Our employees are contractually bound to secrecy.
  • We use SSL (Secure Socket Layer) technology where appropriate to encrypt sensitive information and personal data (such as account passwords and other identifying information) during transmission.
  • Sensitive information is stored in encrypted form, in so far as is reasonably possible within our company‚Äôs activities.
  • Back-ups of personal data are made to the reasonably possible extent.
  • Vulnerabilities in our software are always addressed as quickly as possible.
Insofar as we use the services of third parties, who act on our behalf as processors of personal data, these processors are contractually obliged to take appropriate technical and organizational measures to protect the personal data.

Although we do our best to ensure good security, we must point out that absolute security when storing personal data and sending data over the Internet can never be guaranteed.

Your rights

For all processing operations that we carry out on the basis of your consent, you have the right to withdraw your consent at any time. We will then discontinue the processing operations in question. The processing operations that previously took place on the basis of your granted consent will not become unlawful with retroactive effect.

You have the right to object against processing operations that we carry out on the basis of a legitimate interest, on grounds relating to your particular situation.

In all cases, you have the right to request access to the personal data we process about you, the right to have inaccuracies in your personal data corrected ('right to rectification') and the right to have your personal data erased if their processing is not/no longer based on a valid legal ground.

If there is no longer a valid legal ground for our processing of your personal data, but you do not want to have the data removed immediately, you can also make use of the right to 'restriction of processing'. Restriction of processing means that we retain your personal data for you, but do not use it for any other purpose.

In some cases, you may have the right to data portability. Data portability means that you can receive your personal data from us in a structured, commonly used and machine-readable format, or have it transferred to a new service provider (where technically feasible). This right only applies to personal data that you have provided directly to us and that we process on the basis of your consent, or because it is necessary for the performance of our contract with you.

To exercise your rights, please contact us using the contact details stated at the end of this Privacy Statement.

Your right to lodge a formal complaint

If you are dissatisfied with anything related to our processing of your personal data, please discuss it with us so that we can try to resolve it. You can contact us for this purpose using the contact details at the end of this privacy statement.

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if we are unable to resolve your objection within a reasonable period. Please refer to the website of the Dutch Data Protection Authority for their most current contact details: https://autoriteitpersoonsgegevens.nl/en

Updates

This Privacy Statement was last updated on [*]. We may unilaterally change or update this Privacy Statement by amending this page, so make sure you check this page from time to time.

Contact

For questions or comments on our processing of personal data, or to exercise your rights, please contact us at:
Torch Wallet B.V.
Kabelweg 57, 1014 BA, Amsterdam, the Netherlands
84250720
https://torchwallet.io[email protected]
***