This Privacy Policy provides the necessary information on the processing of personal data in the context of the cashless purchase of virtual currencies (cryptocurrencies) operated on the website https://inflow-business.cz/ and on the rights of the persons whose personal data are concerned and the obligations of the controller who processes these personal data.

The data controller that processes personal data and determines the purposes and means of processing is inflow s.r.o., with registered office Bucharova 2657/12, 158 00 Prague 5 Stodůlky, ID No.: 06631363, registered in the Commercial Register under file number C 285787 administered by the Municipal Court in Prague.

Personal data means any information about an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to a specific identifier such as name, identification number, location data, network identifier or to one or more specific elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

Processing of personal data means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other disclosure, alignment or combination, restriction, erasure or destruction.

The controller processes personal data provided or obtained in the context of registration, identification and control of the client, in the provision of services and in the performance of its obligations in accordance with the law.

The controller processes personal data for the following purposes:

Without the provision of personal data at least to the extent set out in Article 3, the controller cannot provide any services to the client to facilitate the purchase or sale of cryptocurrencies.

The controller processes personal data provided or obtained in the context of registration, identification and control of the client and in the performance of the obligations imposed on the controller by law.

The controller processes personal data to the extent set out below:

In the case of a registered client, the controller processes the following personal data of the client:

E-mail, IP address; cryptocurrency wallet address; order and transaction data; identification of bank account and other means of payment; record of email and other communications; and technical data such as cookies and web browser and operating system information; further details are set out in Article 14.

Beyond the personal data in Article 3.4.1, the controller further processes the following personal data of the client:

Name and surname; birth ID number or date of birth, gender and nationality; place of residence; login (username) and password for the user account; telephone; number, date of issue and validity of the identity card; other personal data entered in the identity card; copies of identity cards, including photographs on these cards; in the case of a natural person engaged in business, also his/her business name, distinctive supplement or other designation, place of business, personal identification number and tax identification number; whether the client is a person against whom the Czech Republic applies international sanctions.

The data referred to in Articles 3.4 and 3.5; information on the purpose and intended nature of the transaction or business relationship; if the client is a legal person, trust or other legal arrangement without legal personality, then information on the ownership and management structure of the client and its beneficial owner to the extent relevant to the natural persons concerned ; information on the sources of the funds or other assets to which the transaction or business relationship relates; and, in the context of a business relationship with a politically exposed person, also information on the origin of his or her assets.

For the purposes of the proper provision of services and also on the basis of the obligations imposed by the legislation on measures against the laundering of the proceeds of crime and terrorist financing, the controller carries out automated processing of the client’s personal data, including their profiling. Further details and the consequences of such processing of personal data for the client are set out in the AML rules of the controller.

The provision of virtual currency brokerage services by the controller is limited exclusively to persons over 18 years of age; therefore, the controller does not process any data on children or persons under 18 years of age.

Personal data are transmitted to the https://inflow-business.cz/ website in encrypted form. The controller secures its website, other systems and communication channels with third parties by means of technical and organizational measures against loss and destruction of personal data, against access, alteration or dissemination of personal data by unauthorized persons.

Access to the controller’s system is only possible by entering the appropriate username and password.

For any other recipients of personal data or their processors, the controller required proof of compliance of their systems with data protection legislation.

The controller may only transfer the client’s personal data or otherwise make it available to third parties under the following conditions:

To the extent necessary to verify the mandatory identification of the client;

In the case of a transfer to the extent necessary for the provision of services on the basis of a concluded contract;

On the basis of a legitimate interest of the controller;

If the client consents to it in advance; or

If the controller is required to do so by law, in particular by the rules on measures against money laundering and terrorist financing.

Under the conditions set out in Article 5.1, the controller may transfer or otherwise communicate the client’s personal data to, in particular, the following third parties:

Credit card companies, payment service providers for the purpose of payment processing and banks on the basis of services ordered or otherwise requested by the client;

Companies or other entities providing identification or control of the client;

Market operators and other virtual currency trading; and

Other service and technical infrastructure providers or third parties involved in the necessary data processing.

The controller shall retain personal data for the period necessary to exercise the rights and obligations arising from the contractual relationship with the client, namely:

For the period of time for which the controller is obliged to keep the personal data concerned in accordance with the relevant legal regulations; e.g. accounting documents shall be archived by the controller for a period of 10 years from their issue;

In the case of processing of personal data to the extent required by the legislation on measures against money laundering and terrorist financing, for a period of 10 years from the execution of the transaction or termination of the business relationship with the client;

In the case of processing of personal data for which the client has given consent, for the period of use of the controller’s services and for the following 7 years; and

In the case of processing of personal data for marketing purposes, for the period of use of the services of the controller and for the following 5 years, or until the client opposes such processing.

After the expiry of the retention period, the controller shall delete the client’s personal data.

The client has the right to obtain confirmation from the controller as to whether or not personal data relating to the client is being processed and, if so, the right to access such personal data and the following information:

The purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine this period; the existence of the right to request the controller to rectify or erase personal data relating to the client or to restrict or object to the processing; the right to lodge a complaint with the Data Protection Authority; any available information on the source of the personal data, unless it is obtained from the client; where automated decision-making, including profiling, is involved, information concerning the procedure used as well as the relevance and foreseeable consequences of such processing for the client; and safeguards in relation to the necessary transfer of personal data to a third country or an international organisation.

The client has the right to have inaccurate personal data concerning him/her corrected by the controller without undue delay. Taking into account the purposes of the processing, the client has the right to have incomplete personal data completed, including by providing an additional statement.

The client has the right to have the controller erase the personal data relating to the client without undue delay and the controller is obliged to erase the personal data without undue delay if one of the following reasons applies:

The personal data are no longer necessary for the purposes for which they were collected or otherwise processed; the client has withdrawn the consent on the basis of which the data were processed and there is no further legal basis for the processing, in particular pursuant to Articles 2.2.1 and 2.2.2; the client has raised legitimate objections to the processing and there are no overriding legitimate grounds for the processing or the client objects to the processing for direct marketing purposes; the personal data were processed unlawfully; and pursuant to an obligation imposed on the controller by law or by a decision of a court or public authority.

The controller shall not delete personal data pursuant to Article 9.1 in cases provided for by law, in particular:

For compliance with a legal obligation requiring processing or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or where necessary for the establishment, exercise or defence of legal claims of the controller or of third parties.

The client has the right to have the controller restrict processing in any of the following cases:

The client disputes the accuracy of the personal data, for the period necessary for the controller to verify the accuracy of the personal data; the processing is unlawful and the client refuses to erase the personal data and instead requests that the controller restrict its use; the controller no longer needs the personal data for the purposes of the processing but the client requires it for the establishment, exercise or defence of legal claims; and the client has raised a legitimate objection to the processing, pending verification that the controller’s legitimate grounds outweigh the client’s legitimate grounds.

The client has the right to object at any time to the processing of personal data concerning him/her pursuant to Article 2.2.3, including profiling, for reasons relating to his/her particular situation. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests or rights and freedoms of the client or for the establishment, exercise or defence of legal claims.

Where personal data is processed for the purposes of direct marketing, the client has the right to object at any time to the processing of personal data relating to him or her for such marketing, which includes profiling insofar as it relates to such direct marketing.

The client has the right to obtain the personal data relating to him/her that he/she has provided to the controller in a structured, commonly used and machine-readable format and to transmit such data to another controller without being prevented from doing so by the controller to whom the personal data have been provided.

The client has the right to withdraw his/her consent to the processing of personal data at any time, except for the processing of personal data pursuant to Article 2.2.2.

The withdrawal of consent shall not affect the lawfulness of the processing of personal data based on the client’s consent given prior to the withdrawal.

Cookies are short text files created by a web server and stored on the client’s computer via the browser; the vast majority of websites use cookies for their operation. The next time you use the website in question, the browser sends the stored cookie back and the server thus retrieves all the information it has previously stored on the client’s computer.

When operating the https://inflow-business.cz/ website, the administrator uses short-lived first party cookies for basic technical functionality, i.e. logging in, using services, etc.; these are deleted from the client’s computer when the browser is closed.

The administrator never places sensitive or personal data in cookies. The administrator may place a user ID in the cookies, but this does not allow third parties to identify a specific person.

In particular, the website https://inflow-business.cz/ uses the following cookies:

User id – a feature that allows the measurement and analysis of user behaviour across devices; a string of numbers or letters is used as the user id, never personal data that would allow third parties to identify a specific person;

Account Type – enables recognition of the type of user account of the client; and

AUTH_TOKEN – allows for user identification.

Setting the use of cookies is part of the client’s internet browser. Cookies can be refused or restricted to selected types using the web browser.

Further information about cookies and their use can be found at https://www.aboutcookies.org.

Should any provision of the Terms and Conditions is or becomes invalid or ineffective, the invalid provision shall be replaced by a provision whose meaning is as close as possible to the invalid provision. The invalidity or ineffectiveness of one provision shall not affect the validity of the other provisions.

This Privacy Policy is effective as of 08 November 2021.