Updated: October 08, 2025
- i information about the controller
- ii data protection officer (dpo)
- iii purposes and legal basis of personal data processing
- iv recipients of personal data
- vi users' rights related to the processing of their personal data
- vii voluntariness of providing personal data
- viii possibility of profiling the users' personal data by the controller
- ix data collected automatically upon entering the website of the service (cookie files)
- x changes to the privacy policy
- xi contact with the controller
Yellow Card (referred to as "Yellow Card," "we," "us," or "our") is committed to protecting the privacy and confidentiality of the personal data of our users, including individuals and businesses. This Privacy Policy outlines how we collect, use, store, share, and protect your information when you access or use the Yellow Card Site (www.yellowcard.io), our mobile applications, any Yellow Card API (directly or through third-party applications), or any Yellow Card product or service (collectively, "Yellow Card Services").
I. Information about the controller
The controller of the personal data of users (hereinafter referred to as "Users", and individually as "User") of Yellow Card Services operated in the domain www.yellowcard.io (hereinafter referred to as "Service" or “Website”), i.e. the entity deciding on the purposes and means of processing their personal data is Afritech Services Sp. z o.o. with its registered office in Warsaw, ul. Bartycka 22B/21A, 00 - 716 Warsaw, KRS no: 0001072280, (hereinafter referred to as the "Controller").
A User is understood to be any natural person using the Service. For B2B clients, while the primary User is a natural person interacting with the Service, we also process data related to the legal entity they represent.
II. Data Protection Officer (DPO)
The Controller has appointed a Data Protection Officer (DPO). Users may contact our DPO regarding the protection of their personal data by e-mail at: [email protected].
III. Purposes and legal basis of personal data processing
The Controller processes Users' personal data for the following purposes and on the specified legal bases:
- Account Setup and Maintenance: To allow the User to set up and for the Controller to maintain a Customer Account ("Account") in the Service.
- Legal Basis: Article 6(1)(b) of the GDPR (necessity for the conclusion and performance of the agreement for maintaining the Account). - Provision of Core Services: To enable the Controller to provide services via the Service, including:
- Virtual Currency Exchange: Enabling Users to sell/buy Virtual Currencies in exchange for other Virtual Currencies or for cash (FIAT).
- Cryptocurrency Wallet: Used by Users to store Virtual Currencies.
- Legal Basis: Article 6(1)(b) of the GDPR (necessity of processing to provide the aforementioned services to the User). - Customer Identification and AML Compliance: For the purpose of the Controller's customer identification in performance of its obligation under Article 34(1)(2) of the Polish Anti-Money Laundering Act of 1 March 2018 ("AMLA"). This also extends to B2B clients, where identification of the business entity and its beneficial owners/authorized persons is required.
- Legal Basis: Article 6(1)(c) of the GDPR (necessity of processing for the fulfillment of a legal obligation incumbent on the Controller). - Service Analytics and IT Security: For keeping statistics on the use of individual functionalities, facilitating Service use, and ensuring IT security. Personal data processed for this purpose includes User activity in the Service, time spent on subpages, search history, location, IP address, device ID, Internet browser data, and operating system.
- Legal Basis: Article 6(1)(f) of the GDPR (the Controller's legitimate legal interest in processing the User's personal data). - Marketing of Controller's Services: For marketing purposes, processing personal data provided during Account creation/update, and data on User activity recorded via cookies.
- Legal Basis: Article 6(1)(a) of the GDPR (User's consent to receive marketing content from the Controller) and Article 6(1)(f) of the GDPR (Controller's legitimate legal interest in conducting direct marketing of its services). - Claims Management: To determine, assert, and enforce possible claims of the Controller and to defend against possible claims of the User in court and out-of-court proceedings. This may involve personal data provided during Account creation and other data necessary for proving the claim or required by law.
- Legal Basis: Article 6(1)(f) of the GDPR (the Controller's legitimate legal interest in processing the User's data).
Withdrawal of Consent: If processing is based on your consent (Article 6(1)(a) GDPR), you have the possibility to withdraw your consent at any time. This withdrawal does not affect the lawfulness of processing carried out based on consent before its withdrawal. You can withdraw consent by sending a declaration (e.g., via email) to the Controller, effective upon receipt.
IV. Recipients of personal data
Personal data may be disclosed or entrusted by the Controller to the following categories of recipients:
- General Inspector for Financial Information (GIFF): As required by the Polish Anti-Money Laundering Act (AMLA).
- Third-Party Service Providers: Entities providing ongoing services to the Controller, such as legal or accounting services.
- Authorized Public Authorities: In situations where such an obligation clearly results from a demand of an authorized public authority or from applicable provisions of generally applicable law.
- Yellow Card Group Companies: Personal data may be transferred to the extent necessary to other companies within the Yellow Card group.
- Other Lawful Disclosures: We may share your information with third-party fraud prevention and identity verification service providers to prevent fraud and confirm validity against public records. These providers may retain and use your information solely for identity verification and fraud prevention services for Yellow Card and to improve their own services. We also engage service providers for marketing purposes (with your consent) and third-party advertising agencies. In the event of a merger, acquisition, or purchase of assets, the acquiring company will have access to your information and will be required to follow this Privacy Policy.
The Controller ensures that entities to whom Users' personal data are entrusted guarantee a high level of data protection and that appropriate data processing agreements are signed where required.
Transfers Outside the European Economic Area (EEA): Personal data may be transferred to countries outside the European Economic Area, but only to countries for which the European Commission has issued a decision declaring an adequate level of personal data protection within the meaning of Article 45 GDPR. Where an adequacy decision does not exist, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) to ensure data protection.
V. Storage period of User data
The Controller stores Users' personal data for specific periods:
- Account-related Data: Personal data processed for setting up and maintaining the Account is stored for the period of Account maintenance, i.e., until it is deleted by the User.
- Service Provision Data: Personal data processed to provide the services mentioned in Section III, item 2 of this Privacy Policy, shall be stored for a period of 5 years, counting from the date of termination of the business relationship with the Controller or from the date of execution of an occasional transaction, in accordance with Article 49 of the Polish AMLA.
- Cookie Data: Personal data from cookies stored on the User's terminal device will be stored for a period corresponding to the life cycle of the cookies or until they are deleted by the User.
- Marketing Data: Personal data processed for sending marketing content (including newsletters) will be stored until the User withdraws their consent to receive it.
- Claims-related Data: If the storage of personal data is necessary to assert or defend a claim to which the Controller is entitled or against the Controller, the data may be stored until the relevant court proceeding is finally ended and the decision is enforced.
Yellow Card will not retain your personal information longer than necessary.
VII. Voluntariness of providing personal data
Providing personal data by the User is always voluntary. However, it is necessary in order to contact the Controller through the contact form and in order to conclude and perform the contract between the User and the Controller, and to serve the User as the Controller 's customer. If you do not provide the necessary data, it will not be possible to contact the Controller to conclude and perform the contract between the User and the Controller or to receive services.
VIII. Possibility of profiling the Users' personal data by the Controller
Users' personal data concerning their preferences, behaviour and choice of marketing content may be used as the basis for making automated decisions in order to determine the sales opportunities of the Service. Therefore, pursuant to Article 21(2) of the GDPR, all Users have the right to object to the processing of their data by the Controller for this purpose.
X. Changes to the Privacy Policy
This Privacy Policy may be amended if it is necessary to update the information contained herein, or to ensure its compliance with applicable laws or technological conditions of the Website's functioning. Users will be informed of any changes through a notice displayed on the Website.
XI. Contact with the Controller
Contact with the Controller is possible via e-mail at [email protected] or through our Support Page with any questions or concerns regarding this Privacy. Policy.