Privacy Policy (European Union)

Yellow Card (referred to as "Yellow Card," "we," "us," or "our") is committed to protecting the privacy and confidentiality of the personal data of our users, including individuals and businesses. This Privacy Policy outlines how we collect, use, store, share, and protect your information when you access or use the Yellow Card Site (www.yellowcard.io), our mobile applications, any Yellow Card API (directly or through third-party applications), or any Yellow Card product or service (collectively, "Yellow Card Services").

I. Information about the controller

The controller of the personal data of users (hereinafter referred to as "Users", and individually as "User") of Yellow Card Services operated in the domain www.yellowcard.io (hereinafter referred to as "Service" or “Website”), i.e. the entity deciding on the purposes and means of processing their personal data is Afritech Services Sp. z o.o. with its registered office in Warsaw, ul. Bartycka 22B/21A, 00 - 716 Warsaw, KRS no: 0001072280, (hereinafter referred to as the "Controller"). 

A User is understood to be any natural person using the Service. For B2B clients, while the primary User is a natural person interacting with the Service, we also process data related to the legal entity they represent.

II. Data Protection Officer (DPO)

The Controller has appointed a Data Protection Officer (DPO). Users may contact our DPO regarding the protection of their personal data by e-mail at: [email protected].

III. Purposes and legal basis of personal data processing

The Controller processes Users' personal data for the following purposes and on the specified legal bases:

• Account Setup and Maintenance: To allow the User to set up and for the Controller to maintain a Customer Account ("Account") in the Service.
  - Legal Basis: Article 6(1)(b) of the GDPR (necessity for the conclusion and performance of the agreement for maintaining the Account).
• Provision of Core Services: To enable the Controller to provide services via the Service, including:
  - Virtual Currency Exchange: Enabling Users to sell/buy Virtual Currencies in exchange for other Virtual Currencies or for cash (FIAT).
  - Cryptocurrency Wallet: Used by Users to store Virtual Currencies.
  - Legal Basis: Article 6(1)(b) of the GDPR (necessity of processing to provide the aforementioned services to the User).
• Customer Identification and AML Compliance: For the purpose of the Controller's customer identification in performance of its obligation under Article 34(1)(2) of the Polish Anti-Money Laundering Act of 1 March 2018 ("AMLA"). This also extends to B2B clients, where identification of the business entity and its beneficial owners/authorized persons is required.
  - Legal Basis: Article 6(1)(c) of the GDPR (necessity of processing for the fulfillment of a legal obligation incumbent on the Controller).
• Service Analytics and IT Security: For keeping statistics on the use of individual functionalities, facilitating Service use, and ensuring IT security. Personal data processed for this purpose includes User activity in the Service, time spent on subpages, search history, location, IP address, device ID, Internet browser data, and operating system.
  - Legal Basis: Article 6(1)(f) of the GDPR (the Controller's legitimate legal interest in processing the User's personal data).
• Marketing of Controller's Services: For marketing purposes, processing personal data provided during Account creation/update, and data on User activity recorded via cookies.
  - Legal Basis: Article 6(1)(a) of the GDPR (User's consent to receive marketing content from the Controller) and Article 6(1)(f) of the GDPR (Controller's legitimate legal interest in conducting direct marketing of its services).
• Claims Management: To determine, assert, and enforce possible claims of the Controller and to defend against possible claims of the User in court and out-of-court proceedings. This may involve personal data provided during Account creation and other data necessary for proving the claim or required by law.
  - Legal Basis: Article 6(1)(f) of the GDPR (the Controller's legitimate legal interest in processing the User's data).

Withdrawal of Consent: If processing is based on your consent (Article 6(1)(a) GDPR), you have the possibility to withdraw your consent at any time. This withdrawal does not affect the lawfulness of processing carried out based on consent before its withdrawal. You can withdraw consent by sending a declaration (e.g., via email) to the Controller, effective upon receipt. 

IV. Recipients of personal data

Personal data may be disclosed or entrusted by the Controller to the following categories of recipients:

• General Inspector for Financial Information (GIFF): As required by the Polish Anti-Money Laundering Act (AMLA).
• Third-Party Service Providers: Entities providing ongoing services to the Controller, such as legal or accounting services.
• Authorized Public Authorities: In situations where such an obligation clearly results from a demand of an authorized public authority or from applicable provisions of generally applicable law.
• Yellow Card Group Companies: Personal data may be transferred to the extent necessary to other companies within the Yellow Card group.
• Other Lawful Disclosures: We may share your information with third-party fraud prevention and identity verification service providers to prevent fraud and confirm validity against public records. These providers may retain and use your information solely for identity verification and fraud prevention services for Yellow Card and to improve their own services. We also engage service providers for marketing purposes (with your consent) and third-party advertising agencies. In the event of a merger, acquisition, or purchase of assets, the acquiring company will have access to your information and will be required to follow this Privacy Policy.

The Controller ensures that entities to whom Users' personal data are entrusted guarantee a high level of data protection and that appropriate data processing agreements are signed where required.

Transfers Outside the European Economic Area (EEA): Personal data may be transferred to countries outside the European Economic Area, but only to countries for which the European Commission has issued a decision declaring an adequate level of personal data protection within the meaning of Article 45 GDPR.  Where an adequacy decision does not exist, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) to ensure data protection.

V. Storage period of User data

The Controller stores Users' personal data for specific periods:

• Account-related Data: Personal data processed for setting up and maintaining the Account is stored for the period of Account maintenance, i.e., until it is deleted by the User.
• Service Provision Data: Personal data processed to provide the services mentioned in Section III, item 2 of this Privacy Policy, shall be stored for a period of 5 years, counting from the date of termination of the business relationship with the Controller or from the date of execution of an occasional transaction, in accordance with Article 49 of the Polish AMLA.
• Cookie Data: Personal data from cookies stored on the User's terminal device will be stored for a period corresponding to the life cycle of the cookies or until they are deleted by the User.
• Marketing Data: Personal data processed for sending marketing content (including newsletters) will be stored until the User withdraws their consent to receive it.
• Claims-related Data: If the storage of personal data is necessary to assert or defend a claim to which the Controller is entitled or against the Controller, the data may be stored until the relevant court proceeding is finally ended and the decision is enforced.

Yellow Card will not retain your personal information longer than necessary.

VI. Users' rights related to the processing of their personal data

As a User, you have the following rights regarding the processing of your personal data, based on the GDPR

A. Right to withdraw consent: You have the right to withdraw consent at any time if the processing of your personal data is based on that consent. Withdrawal is effective from the moment the Controller receives your declaration (e.g., via email). Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

• Legal Basis: Article 7(3) of the GDPR. 

B. Right to demand access to data: You have the right to obtain confirmation from the Controller as to whether your personal data is being processed. If so, you have the right to:

• Obtain access to your personal data.
• Obtain information on the purposes of processing, categories of data processed, recipients, storage period or criteria for determining it, your GDPR rights (including the right to complain to the supervisory authority), data source, automated decision-making (including profiling), and safeguards for transfers outside the EEA.
• Obtain a copy of your personal data.
• Legal Basis: Article 15 of the GDPR.

C. Right to rectification: You have the right to rectify and complete the personal data you have provided. You may do so by submitting a request to rectify such data (if incorrect) or to complete it (if incomplete).

• Legal Basis: Article 16 of the GDPR

D. Right to erasure ("right to be forgotten"): You have the right to request the erasure of all or some of the data concerning you if:

• Your personal data is no longer necessary for the purposes for which it was collected or processed.
• Your personal data is processed unlawfully.
• You object to processing where the basis is the Controller's legitimate legal interest.
• The personal data must be erased to comply with a legal obligation under Union or Member State law.
• The personal data was collected in connection with the offering of information society services.
• Even with an erasure request, the Controller may continue processing data if necessary for establishing, asserting, or defending claims, or to comply with a legal obligation.
• Legal Basis: Article 17 of the GDPR.

E. Right to restrict processing: You have the right to request the Controller to restrict the processing of your personal data, (i.e. limit activities beyond storage) in the following cases:

• You question the correctness of your data, for a period allowing verification.
• Processing is unlawful, but you oppose erasure and request restriction instead.
• Your data is no longer needed for its original purposes but is necessary for establishing, asserting, or defending claims.
• You have objected to the use of your data, during the time needed to assess if your interests outweigh the Controller's legitimate interests.
• Legal Basis: Article 18 of the GDPR.

F. Right to data portability to another controller: Where your personal data is processed based on consent or for entering into a contract (Article 6(1)(a) and (b) of the GDPR), you have the right to receive the data you provided in a structured, commonly used, readable format, and to transfer this data to another controller without hindrance from the Controller, provided it is technically feasible.

• Legal Basis: Article 20 of the GDPR

G. Right to object to processing: You have the right to object at any time to the processing of your personal data where the processing is based on the Controller's legitimate legal interest (Article 6(1)(f) GDPR). 61If your objection is justified and the Controller has no other legitimate basis for processing or for claims, the Controller will delete the data you objected to. 62

• Legal Basis: Article 21 of the GDPR.

Response Times: If you submit a request concerning the rights described in items A-G, the request will be met or refused immediately, but no later than within one month of its receipt. If the request is complex or numerous, the response may be extended by up to two additional months, with prior notification to you

H. Right to lodge a complaint with a supervisory authority: If you consider that your data protection rights under the GDPR have been violated, you have the right to lodge a complaint with the supervisory authority – the President of the Office for Personal Data Protection in Poland.

• Legal Basis: Article 77 of the GDPR.

VII. Voluntariness of providing personal data

Providing personal data by the User is always voluntary. However, it is necessary in order to contact the Controller through the contact form and in order to conclude and perform the contract between the User and the Controller, and to serve the User as the Controller 's customer. If you do not provide the necessary data, it will not be possible to contact the Controller to conclude and perform the contract between the User and the Controller or to receive services.

VIII. Possibility of profiling the Users' personal data by the Controller

Users' personal data concerning their preferences, behaviour and choice of marketing content may be used as the basis for making automated decisions in order to determine the sales opportunities of the Service. Therefore, pursuant to Article 21(2) of the GDPR, all Users have the right to object to the processing of their data by the Controller for this purpose.

IX. Data collected automatically upon entering the website of the Service (cookie files)

The Controller informs that while using the Website, short text information called "cookies" are stored in the User's end device. Cookie files contain such IT data as: the User’s IP address, website origin, storage time on the device, parameters, statistics and a unique number. Cookies are sent to the Service server via the User’s web browser. 

Cookies are used on the Website to: 

• Maintain technical correctness and continuity of the session between the Service server and the User's device.
• Optimize Website use and adjust its display on the User's device.
• Ensure the security of Service use.
• Gather statistics on Website visits, supporting improvement of structure and content.
• Display advertising content optimally adapted to the User's preferences.

The Service uses two types of "cookies": "session" and "permanent".

• "Session" cookies are temporary files automatically removed from the User's device after logging out, leaving the website, or closing the browser.
• "Permanent" cookies are stored on the User's device for a specified time or until removed by the User. "Permanent" cookies are installed only with the User's consent.

Cookie Management:

• Internet browsers by default accept the installation of "cookies".
• You can change your browser settings at any time to block "cookies" automatically or to be notified when they are placed on your device.
• Detailed information on managing cookies is available in your Internet browser settings.
• Restricting the use of cookies may adversely affect the correctness and continuity of the Services on the Website.
• Cookies installed on your device may be used by advertisers or business partners cooperating with the Controller.
• Cookies may be considered personal data only in connection with other identifying data provided by the User while using the Service.
• Only the Controller has access to cookies processed by the Website's server.
• If you do not agree to save and receive information in cookies, you can change the rules regarding cookies through your Internet browser settings.

X. Changes to the Privacy Policy

This Privacy Policy may be amended if it is necessary to update the information contained herein, or to ensure its compliance with applicable laws or technological conditions of the Website's functioning. Users will be informed of any changes through a notice displayed on the Website.

XI. Contact with the Controller

Contact with the Controller is possible via e-mail at [email protected] or through our Support Page with any questions or concerns regarding this Privacy. Policy.