PRIVACY POLICY
1. General Provisions, Contact Data
Your privacy is important to us; in relation to the data processing activities of INCOIN ("INCOIN" or "Data Controller" or "Controller"), please read carefully this Privacy Policy that generally describes what personal information INCOIN processes, how it is processed, and for what purposes.
The definitions used in this Privacy Policy are subject to the provisions of Regulation 2016/679/EU ("GDPR").
2. Scope
This Privacy Policy contains provisions regarding the processing of data of software users, contractors, recipients of marketing messages, visitors to marketing events, and visitors to websites ("Data Subject").
This Privacy Policy also describes how we collect and use personal data and what choices and rights are available to users regarding our data processing. If you have questions or concerns regarding this Policy, please contact us at info@incoin.biz.
3. The Rights of Data Subjects
Data Subjects may exercise certain rights regarding the data processing, in particular:
Transparent information: At the time the data are collected, the Data Subject shall be entitled to receive information from the Data Controller in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, about the following:
-   persons who have access to their personal data
-   their rights as data subjects,
-   the possibility of filing a complaint,
-   the fact of data being transferred to a third country,
-   all relevant data processing conditions
Access to data: Data Subjects shall be informed if their personal data is being processed; if such data processing is in progress, they are entitled to access their personal data and the conditions of data processing (purpose of data processing, categories of personal data, recipient(s) of personal data, duration of data management, where their personal data are collected, data subject rights).
Subject to data security requirements and to protect the rights of the Data Subject, the Controller shall verify the identity of the Data Subject and any person who wishes to exercise the right of access; therefore, any access to personal data is subject to an identification process.
Right to rectification: Data Subjects shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her.
Right to be forgotten: The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
-   the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
-   the Data Subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
-   the Data Subject successfully objects to the processing,
-   the data have been unlawfully processed by the Controller, or the personal data must be erased in order to comply with a legal obligation.
Right to restriction of processing: The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
-   the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
-   the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
-   the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
-   the Data Subject has objected to processing; pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
Right to data portability: The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, if the processing is based on consent and the processing is carried out by automated means.
Right to object: Any requests to exercise Data Subjects' rights can be directed to the Controller through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Controller as early as possible and always within one month.
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on legitimate interest of the Controller. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. However, Data Subjects must know that, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn whether the Controller is processing Personal Data for direct marketing purposes, Data Subjects may refer to the relevant sections of this Policy.
Automated individual decision-making, including profiling: The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except if the processing:
-   is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller;
-   is authorised by European Union or EU Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests;
-   is based on the Data Subject's explicit consent.
Right to judicial remedy: If the Data Subject considers that the Data Controller has infringed the applicable data protection laws by processing his or her personal data, he or she may lodge a complaint with the applicable authority and/or seek a judicial remedy.
4. Technical and organizational security measures to ensure data security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
In order to ensure the confidentiality, integrity, availability, and resilience of processing systems and services, the Controller has classified its IT systems into risk classes based on the confidentiality of the data handled in them and their impact on Data Subjects, and has assigned information security controls to these classes according to their level of confidentiality.
The Controller undertakes to use two-factor identification and password management (requiring and enforcing password complexity and password changes) related to its IT systems, thereby ensuring controls on access rights. The Controller ensures that only controlled devices have access to the corporate infrastructure, and that access is limited to persons whose knowledge of the data is essential for their work performance.
The Controller operates a heterogeneous protection system against commonly used malware (bots, malware, spyware) on its computers and network devices. The Controller provides a secure access channel to corporate device systems and protection against malware and network attacks; moreover, it deploys firewalls and other intrusion detection software and performs continuous monitoring. The Controller preserves technical logs of the systems, whereby it is able to detect and reconstruct technical incidents.
The Controller shall have lockable server rooms and internal policies to ensure that the stored devices are accessible only to authorized persons. The Controller shall print documents containing personal data only in case of necessity and after the use of such documents, the physical documents shall be stored in lockable cabinets.
The Controller shall monitor the internet access and browsing activity from its network and devices and block access to unsafe sites, preventing any external attack. Automated systems may be used to filter emails containing spam, phishing, and malware.
The Controller shall educate its employees and partners to ensure the highest possible level of data security.
5. Data processing related to Merchant’s registration
The purposes of the data processing | Personal data necessary for the purposes for which they are processed | Legal basis of the processing | The period for which the personal data will be stored |
---|---|---|---|
Registration of Merchant’s account. | Name, Company Name, Public Username, Email Address, Crypto wallet address, and Password. Optional: A Declaration about how you heard about us and a Declaration about the newsletter. | Data Subject’s consent (Article 6 (1) point a) GDPR). | Until the Merchant deletes its account. The user's account will be deleted after permanent three-year-long inactivity and after a previous unsuccessful email request. In case of deletion, the users may re-enter their data. The re-entered data shall be matched with client data (if such data is available); thereby, restoring is possible. |
Convenience functions that help the use of the system. | The chosen language and currency by the Merchant. | User’s consent (Article 6 (1) point a) GDPR). | Until the user deletes its account. The user's account will be deleted after permanent three-year-long inactivity and after a previous unsuccessful email request. |
6. Data processing related to the Customer’s transfers
The purposes of the data processing | Personal data necessary for the purposes for which they are processed | Legal basis of the processing | The period for which the personal data will be stored |
---|---|---|---|
Fulfillment of transfers. | E-mail address if provided, crypto wallet address, and amount of the transfers. | If a registered user is a natural person: data processing is necessary for the performance of a contract between the Data Controller and user or to take steps at the request of the Data Subject prior to entering into a contract. (GDPR Article 6 (1) point b)). If the user is not a natural person: processing the data of contact persons acting on behalf of the user; the legitimate interest of the Data Controller related to the performance of the contract between the represented partner and the Data Controller (GDPR Article 6 (1) point f)). | Until the existence of a contractual relationship between the Data Controller and the user. |
7. Data processing related to accepting transfers from the Merchant side
The purposes of the data processing | Personal data necessary for the purposes for which they are processed | Legal basis of the processing | The period for which the personal data will be stored |
---|---|---|---|
Management and administration of Merchant accounts. | Name, Public Username, E-mail address, and Password. | If a registered user is a natural person: data processing is necessary for the performance of a contract between the Data Controller and user or to take steps at the request of the Data Subject prior to entering into a contract. (GDPR Article 6 (1) point b)). If the user is not a natural person: processing the data of contact persons acting on behalf of the user; the legitimate interest of the Data Controller related to the performance of the contract between the represented partner and the Data Controller (GDPR Article 6 (1) point f)). | Until the existence of a contractual relationship between the Data Controller and the Data Subject. |
Notifying Merchants about processed transfers. | Name, Company Name, Public Username, E-mail, List of Ordered Items, Order Status, Unique Identifier, Order Date, Quantity, Price (net and gross). | If a registered user is a natural person: data processing is necessary for the performance of a contract between the Data Controller and user or to take steps at the request of the Data Subject prior to entering into a contract. (GDPR Article 6 (1) point b)). If the user is not a natural person: processing the data of contact persons acting on behalf of the user; the legitimate interest of the Data Controller related to the performance of the contract between the represented partner and the Data Controller (GDPR Article 6 (1) point f)). | Five years from the termination of the contractual relationship |
Billing Information | Invoice imaging and metadata thereof: Invoice Serial Number, User Name, User's Tax Number, Date, and Fee (net and gross). | If a registered user is a natural person: data processing is necessary for the performance of a contract between the Data Controller and user or to take steps at the request of the Data Subject prior to entering into a contract. (GDPR Article 6 (1) point b)). If the user is not a natural person: processing the data of contact persons acting on behalf of the user; the legitimate interest of the Data Controller related to the performance of the contract between the represented partner and the Data Controller (GDPR Article 6 (1) point f)). | Period governing the retention period of accounting documents: 8 years |