PRIVACY POLICY

Last Updated: October 20, 2023

1. Scope

“We”, “our”, “us”, or “RockWallet” refers to the entity listed at the end of this privacy notice with which you or your organization have a relationship.

This privacy notice describes how RockWallet collects, use, and process personal information in relation to your use of our services supplied through the RockWallet platform (“Platform”), website (“Site”) and applications (“Apps”) (together, the “Services”).

Undefined capitalized terms used in this privacy notice can be found in the applicable agreement or terms of use for the Services (each, an “Agreement”). If you are a Customer, Authorized Customer (in this privacy notice each, a “Customer”) of RockWallet Services, this privacy notice applies to you as well as any Agreement or other disclosure that may be provided to you by us.

Our privacy notice is applicable to all Customers who access or utilize our Services and covers personal data processing activities carried out by us in our Services.

2. Entity responsible for processing your personal data (Controller)

The designated data controller of your personal data (“Controller”) will vary depending on where you are as indicated at the end of this privacy notice.

3. Protection and storing of your personal data

RockWallet is committed to implementing security measures that are reasonably expected to safeguard Customer’s personal data from destruction, loss, modification, or any other unauthorized processing. Some of the security measures that RockWallet will implement include, without limitation:

3.1 Encryption. We employ industry-standard encryption protocols to secure the transmission and storage of personal data. This encryption helps prevent unauthorized access and ensures the confidentiality and integrity of the information.

3.2 Access Controls. Access controls are in place to restrict access to personal data to only those employees or authorized personnel who require it for legitimate purposes. These individuals are bound by strict confidentiality obligations and are aware of the importance of protecting personal data.

3.3 Self Help. Customers are encouraged to take their own precautions, such as using strong and unique passwords and regularly updating their devices and software, to further enhance the security of their personal data.

3.4 Private IP. Customer data is stored on a server with no public IP address. Only specific servers can contact this server in a separate private network.

3.5 Connections. SSH connection to public servers can only be done from the (virtual) private network of RockWallet.

3.6 Passwords. Customer passwords and private keys are always hashed (not stored in plain text). Customer data is stored in a database with access control and all user data (which is inside the database) is encrypted at rest.

4. Information and data collected

At RockWallet, we value transparency and strive to provide clarity on our data collection and processing practices. The table below presents an overview of the data we collect, its source, category, a brief description, and the lawful basis for processing.

Please keep in mind that the specific data we collect may vary depending on the RockWallet Service you are using. Therefore, the table provides a comprehensive list but does not limit the data we collect or imply that we collect this data in all instances.

We collect data through various methods, such as customer registration, Transactions, program participation, industry events, and customer service communications. While you have the option to decline providing personal data, not providing essential information may limit our ability to offer certain services.

*For entities, we may collect some of this information for individual members such as beneficial owners, directors, etc., as applicable.

We may also collect, use, and share aggregated data, such as statistical or demographic data, for various purposes. Aggregated data is derived from your personal data but is considered non-personal data under the law, as it does not directly or indirectly disclose your identity. For example, we may analyze your Service Usage Information in an aggregated form to determine the percentage of users accessing specific features on our Sites. However, if we combine or link aggregated data with your personal data in a way that allows us to identify you directly or indirectly, we will treat the combined data as personal data and handle it in accordance with this privacy notice. Our approach to handling aggregated data aligns with industry-standard privacy practices.

*

5. Purposes of the collection and processing

RockWallet can process personal data for (one of or several) the following purposes, based on one or more legal grounds:

5.1. Performance of contract. Customer information will be utilized for account creation and identity verification to provide our Services. It may also be used for Services related to Transactions and for technical support, issue resolution, and ensuring the safety and quality of the services.

5.2. Ensure Functionality. To ensure the proper functioning of the Services, as well as the provision of ordered Services, the information listed above may be processed.

5.3. Communicate with You. We utilize the information to address your inquiries, fulfill your requests, and send crucial notifications. This encompasses activities such as sending periodic emails concerning company updates, policy changes, product/service enhancements, or press releases.

5.4. Marketing. We use the information we have about you to market our services. This includes, for example, sending you email communications about products, offerings, events, competitions, surveys, and webinars or customized offers or materials. Our marketing efforts are aligned with your communication preferences, and you always retain the right to unsubscribe.

5.5. Improve Services. We use the information we have about you to improve our services. This includes, for example, identifying usage trends, developing data analysis, determining the effectiveness of our promotional campaigns, evaluating our business performance, researching, demonstrating, developing, and improving our products and services, and ensuring quality control.

5.6. Comply with Laws. We use the information we have about you to comply with applicable laws, regulations, and contractual obligations. This includes, for example, “know your customer” (KYC), “know your business” (KYB) obligations, conducting compliance and/or security checks, audits, or assessments, and any related reporting obligations.

5.7. Protect assets. We use the information we have about you to protect our rights and interests, ensure the security of our assets, systems, and networks, prevent, detect, and investigate fraud, unlawful or criminal activities in relation to our services, and enforce our terms and conditions.

5.8. Other Purposes that require your consent. Except as required by Applicable Law, we may share or disclose your information only if you provide your prior consent.

6. Third-party access to Customer’s personal data

We do not share personal information with companies, outside organizations, individuals, or other recipients unless one of the following circumstances apply:

6.1. Legal, Regulatory, Safety, and Compliance Purposes. In certain situations, we may be required to share your information as required by law. These situations may include but are not limited to complying with a subpoena or other legal process requests; protecting your rights; protecting your safety or the safety of others; investigating fraud; and responding to a government request.

6.2. Sharing with Service Providers and Third Parties. RockWallet may disclose your information to third-party service providers who assist us in managing the Services. These providers may include IT service providers, data storage providers, identity verification service providers, payment processors, cloud service providers, and marketing service providers. However, we ensure that these providers are only allowed to use your personal information for the sole purpose of providing their services to us and not for their own promotional purposes. Your personal data may be stored within their systems, but we require them to uphold the confidentiality of your information and comply with all privacy and data protection laws. Rest assured; we do not sell your personal information to third parties.

6.3. Plaid. For Services provided by RockWallet LLC, to ensure fraud prevention and mitigation, we utilize Plaid, Inc. for third-party identity verification. Plaid, Inc. performs bank account verification, balance confirmation, and transaction history review to approve transactions. Your personal and financial information is handled in compliance with Plaid's privacy notice, which can be accessed at https://plaid.com/legal/#privacy-policy. By utilizing our services, you authorize RockWallet and Plaid, Inc. to access and transmit your personal and financial information from your bank.

6.4. RockWallet Affiliates. We may share your information within RockWallet Affiliates for various purposes, including providing you with our services, preventing fraud, conducting identity verifications, complying with the law, facilitating sales, mergers, acquisitions, or other liquidity events, and offering products and services to you. However, we do not share information about your creditworthiness with our Affiliates.

6.5. With your consent. We will share personal information with companies, outside organizations or individuals if we have your consent to do so.

7. Data transfers

RockWallet may transfer your data to countries outside of the country from where you have accessed our Services. To ensure compliance with applicable data protection rules, we have implemented suitable technical, organizational, and contractual safeguards, including the use of Standard Contractual Clauses. When transferring personal data outside of the EEA or the UK, we adhere to lawful transfer mechanisms. If the European Commission has determined that a country provides an essentially equivalent standard of data protection as the EEA, we may rely on an 'adequacy decision' to facilitate the transfer of personal data. When transferring personal data from the EEA or UK to the US, we may rely on standard contractual clauses.

8. Privacy when using digital assets and blockchains

We emphasize the protection and confidentiality of personal data when using digital assets. Public blockchains are designed to record transactions across networks of computer systems, and the use of digital assets are usually publicly recorded on these blockchains. It is important to note that public blockchains can undergo forensic analysis, which may potentially lead to the re-identification of individuals and the disclosure of personal data, particularly when combined with other data sources.

As a rule, cryptocurrency transactions are less private than fiat banking transactions because they occur on public blockchains.

As RockWallet does not have control over or operate these decentralized or third-party networks, we are unable to erase, modify, or alter personal data on such blockchains. We are committed to implementing appropriate safeguards and complying with applicable privacy laws and regulations to protect personal information within our control. However, we advise users to exercise caution and take necessary precautions when utilizing digital assets on public blockchains.

9. Your rights

You have the following rights in respect of Customer’s personal data being processed by RockWallet:

• Right to request free access to your personal data being processed.
• Right to request the rectification or removal of your data.
• Right to request a restriction of the processing.
• Right to request the portability of your data.
• Right to object to the processing of your personal data (in the case of direct marketing without any substantiation).
• Right to revoke a consent: in case the processing of your personal data is based on your consent, you have the right to revoke this consent at any time. However, such a revocation does not affect the lawfulness of any processing prior to the revocation.
• Right to limit or opt-out the sharing of your personal data.
  
  

9.1. Data protection authorities.

If you have concerns about the processing of your personal data or believe that your rights under applicable data protection laws have been violated, you have the right to lodge a complaint with the relevant supervisory authority.

In the European Union, each member state has its own supervisory authority responsible for data protection matters. You can find the contact details of the supervisory authority in your country of residence or where the alleged violation occurred listed below or by searching your local governmental authority sites: https://edpb.europa.eu/about-edpb/board/members_en

We encourage you to contact the supervisory authority directly if you have any concerns or complaints regarding the processing of your personal data. However, we would appreciate the opportunity to address your concerns first, so please contact us and we will do our best to resolve any issues in a timely and satisfactory manner.

Please note that you are not obligated to contact us before lodging a complaint with the supervisory authority. You have the right to file a complaint directly with the supervisory authority at any time.

9.2. Contact us

If Customer intends to use any of its above-mentioned rights, please do so by directing Customer’s request to legal@RockWallet.com or by a letter to RockWallet (see address above). RockWallet cannot handle Customer’s request without proof of Customer’s identity and the applicable legislation may impose conditions on exercising the above rights.

RockWallet will request a copy of Customer’s identification document as proof that Customer are indeed concerned by the personal data and thus entitled to rights mentioned above.

RockWallet will use its best efforts to respond to Customer’s request without undue delay after receipt of Customer’s request.

Customer should bear in mind that RockWallet will not always be obliged to comply with a request for access, correction, removal or transfer, taking into consideration the requirements related to the establishment, exercise or substantiation of a legal claim or the legitimate exercise of the right of freedom of expression and / or information.

10. Retention

We retain personal information for as long as needed or as permitted in light of the purpose(s) for which it was obtained and consistent with applicable law and, in any case, not less than five (5) years. The criteria used to determine our retention periods include:

• the length of time we have an ongoing relationship with you (for example, for as long as you have an account with us or keep using RockWallet),
• whether there is a legal obligation to which we are subject (for example, certain laws, such as anti-money laundering requirements) require us to keep records of your transactions for a certain period before we can delete them); and/or
• whether retention is advisable considering our legal position or to protect the safety of individuals (such as regarding applicable statutes of limitations, litigation, or regulatory investigations).
  
  

The processing of personal data under this Agreement is also subject to the provisions of the General Data Protection Regulation (GDPR) https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=NL.

11. Legal rights of California residents

In addition to the legal rights provided above, in compliance with the California Privacy Act of 2018 (“CCPA”), residents of California may contact us at legal@RockWallet.com to request information on the types of personal information that we have disclosed during the preceding 12 months to third parties for their direct marketing purposes and the identities of those third parties.

For personal information collected by us during the preceding 12 months that is not otherwise subject to an exception pursuant to the CCPA, you have the right to access, correct and delete your personal information, and we hereby declare that we shall not discriminate against those who exercise those rights. Specifically, we shall not:

• deny you our services.
• charge you differently.
• provide you with a different level of quality of services; or
• suggest that you may receive a different price or rate for services or a different level or quality of services.

We further declare that we do not sell your personal information in our ordinary course of business and will never sell your personal information to third parties without your explicit consent.

If you seek to exercise CCPA access or deletion rights on behalf of another person, you must confirm that the person has authorized you to act as their agent under the CCPA by providing us with a completed, signed, and notarized CCPA Agent Authorisation Form pursuant to California Probate Code Section 4000 to 4465. Please note that we may deny requests from agents who do not submit the relevant proof of authorization or agents we are unable to verify their identity.

Under the CCPA, you have the right, if certain parts of your personal information are part of a data security breach, to initiate a private cause of action.

You have the right to limit our use of sensitive personal information (“SPI”) to what is necessary or reasonably expected of us to perform the Services. If we use SPI beyond what is necessary to provide the Services, we shall provide you notice of the additional purposes for our use of SPI and remind you of your right to request that we limit the use of the SPI.

SPI is a subset of personal information that reveals (i) your social security number, driver’s license number, state identification card or passport number; (ii) your account log-in, financial account information, debit or credit card number in combination with any password or access code to grant access; (iii) your precise geolocation; (iv) your racial or ethnic origin, religious or philosophical beliefs, or union membership; (v) the content of your mail, email or text messages unless we are the intended recipient of said communications; and (vi) your genetic data.

12. Updates to the privacy notice

We may update or modify this privacy notice from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Any changes we make will be posted on this page with a revised "Last Updated" date. We encourage you to review this privacy notice periodically to stay informed about how we collect, use, and protect your personal data.

If we make any material changes to this privacy notice, we will provide notice by email (if we have your email address) or by posting a notice on our website prior to the change becoming effective. We will also seek your consent for any material changes to the extent required by applicable data protection laws.

Your continued use of our services after the effective date of any revised privacy notice constitutes your acceptance of the updated privacy notice. If you do not agree with the updated privacy notice, please refrain from using our services and contact us to deactivate your account, if applicable.

Please note that we are not responsible for the privacy practices of third-party websites or services that may be linked to or from our website. We recommend reviewing the privacy policies of those third parties directly.

If you have any questions or concerns about our privacy notice or practices, please contact us using the information provided in the "Contact Us" section above.

13. Your data Controller

Depending on where you are located, your data Controller and the Rockwallet entity providing you with this privacy notice will vary as follows: