Privacy Policy

CAMBIUMWAY SP. Z.O.O.

1. INTRODUCTION

1.1 About This Policy

This Privacy Policy ("Policy") describes how Cambiumway sp. z.o.o. ("the Company", "we", "us", or "our"), registered in the Republic of Poland under KRS number 0001143376, with its registered office at Hoza 86/210, 00-682 Warsaw, Poland, collects, uses, stores, and protects personal data of its clients and website visitors.

1.2 Data Controller

Cambiumway sp. z.o.o. is the data controller responsible for the processing of your personal data. We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Polish Act on the Protection of Personal Data, and other applicable data protection legislation.

1.3 Scope

This Policy applies to all personal data collected through our website, platform, services, and any other interactions with the Company. By using our services or accessing our website, you acknowledge that you have read and understood this Policy.

2. DATA COLLECTION

2.1 Data Provided by the Client

We collect personal data that you provide directly to us, including:

• Full name, date of birth, and nationality;
• Residential address and contact information (email address, phone number);
• Government-issued identification documents (passport, national ID card, driving license);
• Proof of residential address (utility bills, bank statements);
• Selfie or live photo for biometric verification;
• Source of funds documentation;
• Bank account details and payment information;
• Cryptocurrency wallet addresses;
• Employment and financial information;
• Any other information you provide in correspondence with us.

2.2 Data Collected Automatically

When you visit our website or use our services, we may automatically collect certain data, including:

• IP address and geolocation data;
• Browser type, version, and language settings;
• Operating system and device information;
• Pages visited, time spent on pages, and navigation paths;
• Referring URLs and search terms;
• Cookies and similar tracking technologies (see our Cookie Policy for details);
• Transaction history and activity logs.

2.3 Data from Third Parties

We may receive personal data from third-party sources, including:

• Identity verification and KYC service providers;
• Sanctions screening and PEP database providers;
• Blockchain analytics service providers;
• Credit reference agencies;
• Publicly available sources and government registers;
• Banking and payment partners.

3. PURPOSES OF PROCESSING

3.1 Legal Bases for Processing

We process your personal data on the following legal bases:

• Performance of a contract: Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract (Article 6(1)(b) GDPR);
• Legal obligation: Processing is necessary for compliance with a legal obligation to which we are subject, including AML/CTF regulations, tax reporting, and regulatory requirements (Article 6(1)(c) GDPR);
• Legitimate interest: Processing is necessary for the purposes of our legitimate interests, such as fraud prevention, security, and business development, provided that such interests are not overridden by your rights and freedoms (Article 6(1)(f) GDPR);
• Consent: Where you have given your consent to the processing of your personal data for specific purposes, such as marketing communications (Article 6(1)(a) GDPR).

3.2 Specific Purposes

We process personal data for the following purposes:

• Client identification and KYC verification;
• AML/CTF compliance, including transaction monitoring and sanctions screening;
• Execution and processing of transactions;
• Communication with clients regarding their transactions and accounts;
• Provision of customer support;
• Fraud prevention and detection;
• Compliance with legal and regulatory obligations;
• Improvement of our services, website, and user experience;
• Marketing communications (with your consent);
• Statistical analysis and reporting;
• Protection of our legal rights and interests.

4. DATA RETENTION

4.1 Retention Periods

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specific retention periods include:

• KYC and AML/CTF records: At least five (5) years from the end of the business relationship or the date of the transaction, in accordance with Polish AML legislation;
• Transaction records: At least five (5) years from the date of the transaction;
• Communication records: Up to three (3) years from the date of the communication;
• Marketing data: Until you withdraw your consent or for up to two (2) years from the last interaction;
• Website analytics data: Up to twenty-six (26) months.

4.2 Deletion

When personal data is no longer required for the purposes for which it was collected and there is no legal obligation to retain it, we will securely delete or anonymize the data.

5. DATA SECURITY

5.1 Technical Measures

We implement appropriate technical measures to protect personal data, including:

• Encryption of data in transit and at rest using industry-standard protocols (TLS/SSL, AES-256);
• Secure server infrastructure with firewall protection and intrusion detection systems;
• Regular security assessments and penetration testing;
• Multi-factor authentication for access to sensitive systems;
• Automated backup and disaster recovery procedures.

5.2 Organizational Measures

We also implement organizational measures to protect personal data, including:

• Access controls limiting data access to authorized personnel on a need-to-know basis;
• Regular staff training on data protection and security;
• Data processing agreements with third-party service providers;
• Internal policies and procedures for data handling and incident response;
• Regular review and updating of security measures.

6. DATA SUBJECT RIGHTS

6.1 Your Rights

Under the GDPR, you have the following rights with respect to your personal data:

• Right of access: You have the right to request a copy of the personal data we hold about you;
• Right to rectification: You have the right to request correction of any inaccurate or incomplete personal data;
• Right to erasure: You have the right to request deletion of your personal data, subject to legal retention obligations;
• Right to restriction of processing: You have the right to request restriction of the processing of your personal data in certain circumstances;
• Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format;
• Right to object: You have the right to object to the processing of your personal data based on our legitimate interests;
• Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw your consent at any time;
• Right to lodge a complaint: You have the right to lodge a complaint with the Polish Data Protection Authority (Urzad Ochrony Danych Osobowych, UODO) or any other competent supervisory authority.

6.2 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@cambiumway.com. We will respond to your request within one (1) month of receipt. In complex cases or where we receive a large number of requests, this period may be extended by a further two (2) months, and we will notify you accordingly.

Please note that certain rights may be limited where we have a legal obligation to retain data or where exemptions apply under applicable law.

7. DATA TRANSFERS

7.1 Transfers Within the EEA

Your personal data is primarily processed within the European Economic Area (EEA), where it is protected by the GDPR and applicable national data protection laws.

7.2 Transfers Outside the EEA

In certain circumstances, we may transfer personal data to countries outside the EEA. In such cases, we ensure that appropriate safeguards are in place to protect your data, including:

• European Commission adequacy decisions;
• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Binding Corporate Rules;
• Other legally recognized transfer mechanisms.

7.3 Third-Party Recipients

We may share your personal data with the following categories of recipients:

• Identity verification and KYC service providers;
• Blockchain analytics providers;
• Banking and payment processing partners;
• Cloud hosting and IT infrastructure providers;
• Legal, accounting, and professional advisors;
• Regulatory and law enforcement authorities (when required by law);
• Analytics and marketing service providers (with your consent).

8. AUTOMATED DECISION-MAKING

The Company may use automated decision-making processes, including profiling, for the purposes of AML/CTF compliance, risk assessment, and transaction monitoring. Such automated processes may affect the services available to you, including the suspension or refusal of transactions.

You have the right to request human intervention in any automated decision-making process, to express your point of view, and to contest the decision. To exercise this right, please contact us at privacy@cambiumway.com.

9. DATA BREACH RESPONSE

9.1 Breach Notification

In the event of a personal data breach, the Company shall:

• Notify the Polish Data Protection Authority (UODO) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of individuals;
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
• Document all breaches, including the facts, effects, and remedial actions taken;
• Implement measures to mitigate the impact of the breach and prevent recurrence.

9.2 Incident Response

The Company maintains a comprehensive data breach incident response plan that includes identification, containment, assessment, notification, and remediation procedures. All employees are trained on breach identification and reporting procedures.

10. CONTACT INFORMATION

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at:

Data Protection Officer
Cambiumway sp. z.o.o.
Hoza 86/210, 00-682 Warsaw, Poland
Email: privacy@cambiumway.com

You also have the right to lodge a complaint with the Polish Data Protection Authority:

Urzad Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Website: uodo.gov.pl

11. POLICY UPDATES

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or operational needs. Any material changes will be communicated to you via email or through a prominent notice on our website.

We encourage you to review this Policy periodically to stay informed about how we protect your personal data. The date of the last update will be indicated at the top of this page.