YOUR ACCEPTANCE OF THIS POLICY
By accessing or using the Services, are accepting all aspects of this policy. If we require additional or direct consent from you to further process your personal information, we will ask for your consent for the collection, use, or disclosure of your personal information. We may provide additional "just-in-time" disclosures or information about the data processing practices of specific Services. These notices may supplement or clarify our privacy practices or may provide you with additional choices about how we process your data. If you do not agree with or you are not comfortable with any aspect of this policy, you should immediately discontinue access or use of our Services.
HOW WE MAY CHANGE THIS POLICY
ShapeShift, in its sole discretion, may modify or update this policy at any time, so you should review this page periodically. If we update this policy, the “last modified” date will list the month when such update(s) were made. If we make any material changes to this policy, we notify our registered users via email and summarize those changes. Your continued use of our Services after any change to this policy is deemed your acceptance of such change(s).
WITH WHOM WE SHARE YOUR PERSONAL DATA
In connection with our Services, to protect our legitimate interests, to fulfill legal requirements, or to perform under agreements we enter into (including our Terms), we may be required to share your personal data with our affiliate ShapeShift US, Inc., with our business partners (described in more detail below), as well as with public authorities in connection with a facially valid official law enforcement request. Specifically, such sharing of data may be necessary to manage your registration (such as to verify your identity), to respond to your inquiries, to execute a transaction you request, to provide access to additional information, or to inform you about new Services or offers. Further, to the extent we are legally required by public authorities or courts, we will share your personal data with them or other third-parties. The data sharing may include transfers to companies or organizations in countries without an adequate standard of data protection. In these cases, we transfer personal data in accordance with applicable provisions on the international transfer of personal data, such as, where applicable, the respective provisions of the EU General Data Protection Regulation (“GDPR”). By accessing our Services, you expressly allow us to export data outside of the jurisdiction in which you reside or are located when you utilize the Services.
DATA WE COLLECT AND PROCESS IN ORDER TO MAKE THE SERVICES GENERALLY AVAILABLE
You can use some aspects of our Services, including our websites, and obtain information about our Services without telling us who you are, however, when accessing any website, a user makes a connection with a webserver, which automatically logs and stores certain technical data including: that user’s internet protocol address (“IP Address”), the operating system of that user’s device, the time the website was accessed, or the web browser used to access the site. Logging this data is required in order to make the Services available to you and other users and ensure the functionality of the Services. To the extent we, thereby, process such personal data, we do so based on our legitimate interest to bring you the best possible user experience and to safeguard the security and stability of our systems.
Similarly, our Services use Google Fonts (previously known as Google Web Fonts), a library of open-source font families that enhance your browsing experience, which are licensed by Google LLC (“Google”). To integrate Google Fonts into our websites, your browser establishes a connection to Google’s server and the IP Address of your device is transmitted to Google. Google logs records of font queries and protects this data from unauthorized access. Google analyzes aggregated data to optimize Google Fonts and identify which websites use Google Fonts. Further information on Google Fonts can be found here and information on how Google handles personal data can be found here.
We use Amazon Web Services (“AWS”) to host all of our websites. Thus, any data collected by us on any of our websites will be stored on AWS’s servers in the Republic of Ireland. Some of this data is either processed by us directly or transferred to and processed by one of our third-party partners, both of which are described in further detail in this policy. AWS provides a list of frequently asked questions about their data privacy practices here.
DATA WE COLLECT AND PROCESS TO PROVIDE SERVICES TO YOU, SPECIFICALLY
If you interact with registration, application, order, or inquiry forms on the Services (e.g. signing up for an account, namely in order to use our Services; application for becoming an affiliate of ShapeShift; or requesting support for the Services), we will collect and process the information that you provide to us providing the Services and information about the Services to you, including providing asset management dashboard services. This information may include your:
- full name;
- residence address;
- date of birth;
- phone number;
- social security number or other tax identification number;
- details about your government issued identification such as identification number and expiration date or a copy of the identification document;
- e-mail address; and
- election to use two-factor authentication (“2FA”) on our services.
Any wallet you connect to our Services will provide us with such wallet’s: extended public keys, which are used to derive public digital wallet addresses (known as “xPubs”); transaction history; and digital asset balance. You can select the “forget my wallet” option at any time to disconnect your wallet (and xPubs) from our services. Some aspects of the Services may be inaccessible without a connected wallet.
The collection of words associated with a wallet, commonly known as “Seed Phrases” are extremely important because they provide a back-up method to access your wallet. ShapeShift does not have access to or store Seed Phrases of its users. We highly encourage you to write down all Seed Phrases upon the time they are issued to you in connection with a wallet, and thereafter store them in a secure location. SHAPESHIFT MAY NOT BE ABLE TO ASSIST YOU IF YOU CANNOT ACCESS YOUR WALLET DUE TO A FORGOTTEN/LOST PASSWORD OR SEED PHRASE.
If you use the Google single-sign-on option (“SSO”), which is denoted by the “Sign up with Google button”, Google will automatically provide us with your email address upon your successful sign-in with Google.
Where such processing of your personal data is not strictly necessary to perform our contractual obligations (such as in connection with providing financial services to you) or at your request, we will use this personal data based on our legitimate interest to: verify your identity; respond to your inquiry; process your registration, applications, or orders; develop, enhance, and improve the Services to bring you the best possible experience; or to safeguard the security and stability of the Services.
Based on our legitimate interest to bring you the best possible user experience, we collect and process certain data to analyze how our users use of the Services to gain insight on how we may improve our Services. This data may include information on the type of web browser or device you use to access the website, the geographical region where you access the website, the date and time of your access, and the parts of the website you access.
We also use “Cookies”, which are text files that are downloaded to your computer or mobile device when you visit a website to analyze the use of the website, to optimize our Services, and to enable the use of marketing tools. You can prevent the storage of Cookies on your device and the collection of data. By adjusting your web-browser’s settings accordingly. Note, however, that some functions of the Services may be limited or unavailable if you disable the storing of Cookies.
In connection with the above, we use the following third-party services to collect and analyze the data of our users:
- We also use the Google Analytics tool Firebase (“Firebase”) for additional improvements to our Services, in which we have a legitimate interest. Firebase specifically tracks user analytics in our mobile app such as where a user is located, the user’s email address associated with their ShapeShift account, and the type of device they’re using to access the Services. We use Firebase to analyze our user testing and updating of features. Further information on data protection and your options in connection with Firebase’s services can be found here.
- We use Branch Metrics, Inc. (“Branch”) to collect and analyze data about the source of where a user came to download our mobile app (e.g., which link a user clicked on prior to and which led them to download our mobile app). This allows us to track and determine the success of our marketing campaigns. More information on Branch’s privacy policies can be found here.
- We use Catamorphic, Co. a/k/a LaunchDarkly ("LaunchDarkly") to enable or disable features for our users (also known as "feature flags") in our Services. In order to optimize our use of LaunchDarkly's services, we provide your email address to them to better enable use of feature flags which in turn optimize our Services and better serve your needs overall. LaunchDarkly commits to not selling any data it receives from us and all transmissions of data to and from LaunchDarkly are encrypted via SSL. LaunchDarkly's privacy practices can be found here.
DATA WE COLLECT AND PROCESS IN ORDER TO COMMUNICATE WITH YOU
If you provide us with your email address, either through our registration process, by inputting it in a field associated with a prompt about being added to our mailing list (e.g., “Let’s stay in touch” or similar language), or otherwise responding to an express request to contact you, we will, based on your consent, send you certain commercial information about ShapeShift generally, such as our email newsletter, updates on our Services or other products, blog posts, or other related communications. However, at any time you may opt-out of receiving these communications by utilizing the “unsubscribe” function in any email sent to you by us, or by contacting us here with the subject line “Unsubscribe”. ShapeShift does not engage in direct marketing.
In furtherance of the above, we use the following third-party services to communicate with our users:
- For transactional emails, such as account creation emails, password resets, purchase receipts, and other account notifications, we use Twilio SendGrid (“SendGrid”). Further information on data protection and your options in connection with SendGrid’s services can be found here.
- To better reach our registered users, we use AutopilotHQ, Inc. (“Autopilot”), an email automation platform. Through Autopilot’s platform, we send emails to our users to convey information related to the Services, such as general updates, product or feature additions, other product news, partnerships, event announcements, and survey requests. Autopilot does not sell or otherwise use the information it collects on behalf of ShapeShift, except as discussed in this policy. More information about data protection and your options in connection with AutoPilot’s services can be found here.
- We use OneSignal, Inc. (“OneSignal”) for sending push notifications and in-app messages to users. Further information on data protection and your options in connection with OneSignal’s services can be found here.
For general information regarding your choices in relation to usage-based online advertising, see: http://www.youronlinechoices.com.
DATA WE COLLECT AND PROCESS DUE TO LEGAL OBLIGATIONS
In various jurisdictions we are required by law to verify the identity or locations of a user before allowing such user to access certain aspects of the Services, in particular when that user seeks to trade digital assets with us directly through the Services. This practice is known as “Know-Your-Customer” or “KYC” (any data collected in connection with KYC, such as name, address, phone number, date of birth, government identification number, or a copy of a government issued identification, is referred to as “KYC Data”) and accordingly any collection or processing of KYC Data is done in compliance with a legal obligation. Additionally, ShapeShift has a commitment to prevent fraud or other criminal activity on the Services, thus we may contact you directly to better understand information about transactions that you initiate on the Services. We use the following third-party services to process KYC Data consistent with these obligations:
- We also use OnFido Limited (“OnFido”) to verify KYC Data provided by users. Further information on data protection and your options in connection with OnFido’s services can be found here.
- We use IVXS UK Limited a/k/a ComplyAdvantage (“ComplyAdvantage”) to analyze the personal data our registered users provide us for our legal compliance obligations. Further information on data protection and your options in connection with ComplyAdvantage’s services can be found here.
We do not collect or require any KYC Data when you trade on a decentralized exchange (DEX) on our Services.
HOW WE PROCESS AND PROTECT YOUR PERSONAL DATA; HOW LONG WE STORE IT
We collect, process, and protect your personal data responsibly and in accordance with applicable laws and best practices. We apply adequate technical and organizational security measures, commensurate with the level of known risk, in order to protect the confidentiality and integrity of the personal data we collect when using the Services. Specifically, we store all of the personal data you provide to us in an encrypted fashion and only allow access to certain employees or contractors who are required to perform the purposes for which you provide the personal data to us or as set forth in this policy. For more information on our encryption and securities practices see this article.
We store your personal data only for as long as this is necessary: in the case of KYC Data, we are required by law to store this for 5 years; and for all other data, we retain this indefinitely to assist our provision and maintenance of our Services, however, subject to the prior sentence, you may request that we delete your account information by emailing us at the address below.
THE RIGHTS YOU HAVE REGARDING YOUR PERSONAL DATA
You have certain rights regarding the personal data that we collect and process about you. In particular, generally, you have the following rights:
- to access or receive certain information about your personal data we collect in machine readable format;
- to have your personal data rectified;
- to object to the processing of your personal data, or to ask us to restrict processing; or
- to have us delete your personal data.
If the GDPR applies to you (i.e., if you reside in the EU or are an EU data subject) and we collect or process your personal data to perform a contract with you (such as providing the Service) or based on your consent, you also have the right to receive a copy of your personal data for the purpose of transferring such data to a third-party.
Please note, however, that your rights are subject to exceptions or derogations. Specifically, we may need to further process and retain your personal data to perform a contract with you, to protect our legitimate interests (such as the establishment, exercise or defense of legal claims), or to comply with legal requirements. To the extent permitted by law, namely, to protect the rights and freedoms of others or to protect our own legitimate interests, we may therefore refuse to satisfy your request or we may satisfy your request with qualifications. Lastly, you have a right to submit a complaint with a competent supervisory authority.
WHO WE ARE AND HOW TO CONTACT US
ShapeShift is the controller in relation to the collection and processing of personal data through the Services. To inquire about our collection or processing of your personal data, or if you have any questions or concerns about this policy, you may contact us via email at firstname.lastname@example.org. For all correspondence, please include any necessary identifying information such as your name, return e-mail, and any other information relevant to your request. Failure to do so may prevent us from or cause a delay in providing a response. TechGDPR DPC GmbH serves as our data protection officer, and it can be contacted by email here.