Welcome to our website! We use cookies to enhance your experience. View our Privacy Policy for more information.
Accept
Deny

Legal & Privacy

Privacy Policy - Cifralfabeto Unipessoal Lda

Updated in October 2023

This Privacy Policy sets out the basis on which we protect the privacy of your communications and collect, process, use and store your Personal Data through your interaction with CIFRALFABETO - LDA., a company duly incorporated under the laws of Portugal, bearing company registration number 516299425, with a registered address at Avenida D. João II, 404, 4.º Andar, sala 42, 4715-275 Braga (hereinafter “Cifralfabeto”, “us”, “we”, “our”). Please read it carefully, along with our Terms of Service and other contractual documents, including but not limited to any agreements we may have with you. 

If you have any questions regarding this Privacy Policy, please contact us at compliance@cifralfabeto.com.  

1. About us

Cifralfabeto Lda. is a Company registered with the Bank of Portugal, approved to provide the following activities with virtual assets: 

(i) Exchange services between virtual assets and fiat currencies;

(ii) Exchange services between one or more virtual assets;

(iii) Services through which a virtual asset is moved from one address or wallet to another (transfer of virtual assets);

(iv) Custody of safekeeping services and administration of virtual assets or instruments that allow control, ownership, storage or transfer of such assets, including private encrypted keys. 

Cifralfabeto is bound by the General Data Protection Regulation EU 2016/679 (“GDPR”). We protect your personal information and respect your privacy in accordance with best business practices and applicable laws at all times. 

2. Proposition

Cifralfabeto allows you to perform the aforementioned operations via the mobile-based App - the xPortal app (“app”, “the app”) -, which enables you to use virtual assets as a means of exchange between virtual assets and fiat currency. You are an individual person, having citizenship and being domiciled in the European Union and/or in the European Economic Area, who wishes to exchange virtual assets for fiat currency.

3. Who is concerned about in this Privacy policy

This Privacy Policy applies to the Clients who use the service or to prospective Clients interested in the service, as well as to former Clients or persons who have applied to use the services in the past. This Policy also applies to former Clients or persons who have applied to use our services but have not successfully completed our verification process (KYC). 

4. Collected data

Personal information or data includes any information that relates to an identifiable individual. This includes information that is provided by you, information we collect about you automatically, and information that is obtained from third parties.

When you open an account and use our service, you are asked to provide us with some information. The mentioned data may be required by law (for example, any information related to the “Know your Customer” (KYC) process) or to provide the services (for example, contact information). 

We only collect the necessary data for our data usage. 

Data you provide us with:

  1. Identification Data
  • Name; Nickname; date of birth; place of birth; nationality; proof of your identification (ID number); tax number; signature. 
  1. Contact and Residence Data
  • Phone number; email address; country of residence; tax residence address; proof of your residence.
  1. Professional Data
  • Occupation; title; job level; role and employer’s name; employer industry.
  1. Financial Data
  • Source of wealth; source of funds; monthly revenue; reason for using the services provided via xPortal; monthly transactions volume; transaction data; bank account details. 
  1. Political Exposure Data
  • Self-declarations on the political exposure situation; country of political exposure; Political exposure (PEP) and public functions data; nature of the political exposure role; responsibilities and obligations tied to the political role; public/executive powers offered by the political role/job; close family members and persons recognized as closely associated with PEPs and/or holders of other known political or public offices. 
  1. Biometric Data
  • Facial image data. 
  1. Any other personally identifiable information directly provided by you during interaction with our communication channels. 

Data we collect about you:

  1. AML/CTF Data
  • International sanctions data; reputational data; public profile and adverse media data; criminal, civil and administrative procedures data. 
  1. Data we collect when you use the App
  • Your device IDs; your IP address; geographical location; information about your visit and how you interact with us. 

Data we receive from third parties:

We may process additional personal data on you, which we receive from our partner service providers, such as advertising networks, search engine providers, analytics and social networking sites, in order to help us understand visitor behaviour patterns, which we use to help us improve our services and platforms. 

While you are using the xPortal App or when you receive, access or respond to emails sent by us, we also use cookies and similar tracking technologies to enhance your user experience, understand your needs, preferences, interests, experiences and/or habits as a consumer, and to improve our services. Please note that disabling Cookies may prevent you from using certain parts of our services. 

If you fail to provide us with the required data, Cifralfabeto will not be able to provide you with our services. 

5. Data usage and processing

Personal data is processed by us pursuant to Article 6(1)(b) of the GDPR for the following purposes: 

  • To onboard you as a Client and maintain legal and regulatory compliance: the onboarding process is subject to strict and specific laws and regulations, that require us to store and use personal data and to process personal identity information (including biometric data). This includes the KYC process obligations and Anti-Money Laundering laws and regulations requirements. 
  • To maintain your account and our contractual relationship with you: We use your personal information to take and handle your transactions.  
  • Managing Clients and transactions for compliance and risk management purposes: we process personal data to prevent, detect and mitigate fraud and abuse of our services and to protect our Clients from fund losses or account compromise. We also process your personal information to verify accounts, find and address violations of our Terms of Service, detect and prevent unlawful behaviour, investigate suspicious activity and maintain our services' integrity. 
  • Keeping your data, documents and information up to date: we are legally obligated to change your data, documents and information when you notify us of any changes, or when we notice that the documents or information you provided us with are expired, not accurate or are out-of-date. 
  • To provide customer support, which involves registering your requests, notices, complaints, disputes, and troubleshooting problems when you contact us to provide support. For this purpose, you will need your authentication or identity, before providing the requested support. 
  • Enhancement of user experience: we process your personal data for a better user experience, to understand your needs, preferences, interests, experiences and/or habits as a consumer, and to improve our services, including the provision of personalized services available on the App. 
  • Collecting, processing and performing statistical and other research and analysis of information for the enhancement of the xPortal App.

  • Development of new products, utilities and offerings: we process your personal data to have a better understanding of your experience using our services and to develop new products and features that can be of your interest. 
  • To provide Commercial Communications to you: we use your personal data to send you marketing communications through email, in-app, social media, push notifications and/or any other appropriate communication channels, based on your consent. 

You have the right to withdraw your consent at any time by writing to compliance@cifralfabeto.com. The withdrawal of your consent does not affect the lawfulness of the treatment of your data prior to its revocation. Your consent is also revoked in the same manner as provided. 

6. Acting as a joint controller

We act as joint controllers with Capital Financial Services S.A., an e-money institution authorised to issue electronic money and to provide payment services under the National Bank of Romania authorisation number IEME-RO-0001 of 25th of April 2013, in relation to some of your AML/CTF personal data, which consists of your data obtained during the customer due diligence process. The joint controller relationship is duly regulated by contractual dispositions. 

Capital Financial Services S.A. is providing us with your full KYC profile data, which is obtained following the customer due diligence conducted during the onboarding process. Cifralfabeto will rely on and will use this information to fulfil the requirements of the KYC due diligence process and Anti-Money Laundering and Terrorist Financing laws and regulations. 

The data relating to your risk profile may also be exchanged between Capital Financial Services S.A. and Cifrafabeto. 

Each of the joint controllers is responsible for its own compliance with the applicable data protection legislation, including the protection of personal data. You can exercise your right concerning your AML/CTF data towards Capital Financial Services S.A. and Cifralfabeto. 

7. Failure to provide your personal data 

Failure to provide the personal data referred to in this Privacy Policy implies that Cifralfabeto will not be able to fully offer you our services. This may delay or prevent us from fulfilling our contract with you or complying with legal requirements. It may also mean that we cannot operate your account or perform your transactions, which may lead to service interruptions or termination. 

8. Data sharing with parties

We may share your personal data with other entities from the MultiversX group and our partners, in order to provide you with certain services. Our partners are entrusted to perform certain data processing activities on our behalf. Whenever we engage with them, we do our utmost to ensure that they process your data in compliance with all data protection laws, and securely and confidentially, following the best business practice standards. 

We currently share data with the following partners:

  • To perform identity verification, proof of address verification and signature services

We use a partner (IDnow - Privacy Policy is available here) to verify the validity of your ID and video, proof of address, as well as providing services of qualified signature. Once you proceed with a verification process, they will hold the shared documents and information for this stated purpose alone. 

  • To perform screening of sanctions/watchlists/warnings/adverse media/political exposure

We use a partner (ComplyAdvantage - Privacy Policy is available here) to screen your data against global watchlists, sanctions lists, PEPs and adverse media. They will hold the shared documents and information for this stated purpose alone. 

  • To protect against fraud

We use a partner (TRM Labs - Privacy Policy is available here) to validate and perform screenings on wallet addresses and transactions. Once you perform operations, they will store your data for this purpose alone. 

  • To send notifications and provide customer support

We use a partner to deliver customer support via email and in-app chat. Once you contact Cifralfabeto or MultiversX team via email or via in-app chat, they will hold the messages exchange for this purpose alone. They also have access to additional account-level information to allow Cifralfabeto’s Customer Support team to provide you with the best possible experience. This account-level information will include your email address, name and aggregated account activity information.  Additionally, as partners, we use Intercom (Privacy policy available here) and Gmail (Privacy Policy available here).

  • To improve our services

We use product and user behaviour analytics partners to make sure the functionality and content from our Mobile App is presented in the most effective way. Once you interact with our Mobile App, they will hold your usage data for this stated purpose. We use Google Analytics (Privacy Policy is available here), Mixpanel (Privacy Policy is available here) and  Segment (Privacy Policy is available here).

  • To advertise our services

We use social media partners to advertise the xPortal and xPortal services. Once you sign up on xPortal, they will hold your profile data to send (or not send) our adverts to you and people who have a similar profile to you (depending if the service being advertised is already in use or not). We use Facebook (Privacy Policy is available here), Twitter - their Privacy Policy (Privacy Policy available here), Instagram (Privacy Policy is available here) and TikTok (Privacy Policy is available here).

  • To meet our legal obligations

In addition to the circumstances described above, we may disclose your financial or personal information if required to do so by law, court order, as requested by other government or law enforcement authority, or when we have reason to believe that disclosing the information is necessary to identify, contact or bring legal action against someone who may be causing interference with our rights or properties, whether intentionally or otherwise, or when anyone else could be harmed by such activities. 

  • For your convenience 

In order to avoid duplicate requests, the information and documentation submitted as part of our due diligence process is shared with Capital Financial Services S.A., the company responsible for issuing and managing your card. 

9. Data security 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal data on our instructions and are subject to a duty of confidentiality. 

While we take data protection precautions, no security measures are completely secure, and we cannot fully guarantee the security of user information. 

10. Data protection and storage 

We, our partners and service providers maintain appropriate administrative, technical and physical safeguards to protect personal data information against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, use, and all other unlawful forms of processing of the personal data in our possession or processed on our behalf. 

We kindly advise you, however, to apply basic security measures, such as password confidentiality. If you have any reason to believe that your personal data is subject to unauthorised access, please contact us at compliance@cifralfabeto.com

All data we directly store is located on our secure servers located within the European Union. Nevertheless, it may be transferred to, and stored at a destination outside the European Economic Area (EEA), if our service providers are based in countries which do not form part of the EEA. It may also be processed by employees located outside the EEA who work for us, for one of our suppliers or to comply with our legal obligations. 

All our non-EEA service providers’ servers are located in countries with sufficient personal data protection adequacy. 

11. Data retention 

We keep your personal data for as long as necessary for the relevant purpose of their processing, in alignment with the “Data Minimisation and Storage Limitation” principles as defined in Article 5 of the GDPR. 

We may retain your personal data for as long as your user account is active and for up to 7 (seven) years after the termination of our contractual relationship. 

We may retain your personal data after the expiration of their relevant processing purposes in the following limited cases: 

  • In case there is a legal obligation under a relevant statutory provision;
  • For research or statistical purposes or for the proper organisation and operation of our business provided that anonymity or pseudonymization of your data takes place. 
  • In case of any claims against the xPortal, for as long as necessary to defend our rights and legitimate interests before any competent court and any other public authority. 

After the period of retention, your personal data is erased from our databases and systems in accordance with our Privacy Policy and provided that their retention is no longer required for the fulfilment of the purposes we have described above. 

For more information about data retention terms in relation to specific personal data, please contact us at compliance@cifralfabeto.com.

12. Your rights 

Right to Access: you have the right to access the data we hold about you and to get a copy of it. 

Right to Rectify: you have the right to rectify any data that is not accurate or up-to-date. 

Right to be Forgotten (data deletion): you can ask us to erase your data, although, for legal reasons, we might not always be able to do it. 

Right to Restriction of Processing: you have the right to temporarily restrict the processing of your personal data, provided that there are valid grounds for doing so. In this case, we can continue to store your data but we cannot, however, use nor process it further. 

Right to Object: you have the right to object to us using your data for direct marketing and in certain circumstances “legitimate interests”, research and statistical reasons and to object to the processing of your data in cases explicitly provided for by law. 

Right to Portability: you have the right to ask us to transfer your personal data to you or to another third party. 

Right to Withdraw your Consent: you may withdraw any consent you’ve previously given us on marketing and promotional material, although it will not affect the lawfulness of any processing carried out before you withdraw your consent. 

Right not to be subject to Automated Processing: you have the right to object to a decision that is taken solely on the basis of automated processing, including profiling, which has an impact on you or significantly affects you. 

Please contact us at compliance@cifralfabeto.com if you wish to exercise any of these rights. 

13. Complaints 

If your rights are infringed, it is your right to file a complaint with the Portuguese Supervisory Authority - “Comissão Nacional de Proteção de Dados” (CNPD) - which can be done electronically on the Authority website at www.cnpd.pt

We would appreciate the chance to deal with any concerns you may have before you approach the Supervisory Authority. Kindly contact us at compliance@cifralfabeto.com with any concerns you may have, and we will do our utmost to adequately address your concerns. 

We will respond to any of your requests within 1 (one) month from their receipt. Upon prior notice, this period may be extended by a further 3 (three) months if necessary, taking into account the complexity of the request and the number of any other pending requests. In case of rejection of your request, we will provide relevant justification. 

If your request does not meet the requirements of applicable law, Cifralfabeto reserves the right either to: (a) impose a reasonable fee, taking into account the administrative costs of providing the information or communicating or executing the requested action, or (b) reject your request.

In the event of any violation of your personal data, which may place your rights and freedoms at high risk, and provided that it does not fall under one of the exceptions expressly provided for by applicable law, we undertake to inform you without undue delay. 

If there are any doubts as to the identity of the individual submitting the request, we reserve the right to request the provision of additional information necessary to confirm your identity. 

14. Changes to the present Privacy Policy

This Privacy Policy may be amended over time, and changes made to it shall become effective promptly after being announced. The regular review of this Privacy Policy shall ensure that you will always be aware of the type of information we collect, how and for what purposes it is used, and under what circumstances (if any) we shall share it with other parties.