Privacy policy

This privacy policy (hereinafter – the “Privacy Policy”) governs the manner in which the WhiteBIT platform (hereinafter – the “WhiteBIT”, “we”, “us”, “our”) collects, uses, processes, stores, and discloses information received from users of our website https://whitebit.com (“Website”) in order to provide you with services available through the Website (hereinafter – the “Services”).

This Privacy Policy has incorporated provisions of the EU General Data Protection Regulation (GDPR), ePrivacy Directive, The Data Protection Act and is compliant with them and set in coherence with other valid generally binding legal regulations as we act in accordance with personal information processing rules within the European Economic Area (EEA).

We respect the privacy of all users of the Website and ensure that the Personal Data of the consumers are treated confidentially and in compliance with applicable laws and regulations.

This Privacy Policy applies to the Website, the Services, and products offered by WhiteBIT (whenever you use Services through the Website or mobile application or by corresponding with us - for example, by e-mail or by filling messaging form on the Website).

We assume that you have carefully read this document and accepted it.

By using the Website, our Services, and products offered by WhiteBIT, contacting us you express your consent to the terms of this Privacy Policy. By clicking the confirm-checkbox while creating the Account on the Platform you provide us with your explicit consent to the terms of this Privacy Policy and all the data practices described in this Privacy Policy and in the User Agreement including the processing, storage, and usage of your Personal Data.

If you disagree with this Privacy Policy, then you should refrain from using our Website, mobile application, and/or Services or opening an Account. This Privacy Policy is an integral part of our User Agreement.

If you have any questions regarding this Privacy Policy and/or questions/requests regarding your Personal Data, please contact our Data Protection Officer at [email protected].

The General Data Protection Regulation (“GDPR”) is EU privacy and data protection law. It calls for more granular privacy guardrails in an organization’s systems, more nuanced data protection agreements, and more consumer-friendly and detailed disclosures about an organization’s privacy and data protection practices.

This Regulation applies to the processing of Personal Data wholly or partly by automated means, and to the processing other than by automated means of Personal Data which form part of a filing system or are intended to form part of a filing system. Generally, The GDPR requirements apply to all companies, institutions, and organizations that process Personal Data.

The GDPR governs how the Personal Data of individuals may be processed by organizations. “Personal Data” and “processing” are frequently used terms in the legislation, and understanding their particular meanings under the GDPR illuminates the true reach of this law:

Personal Data is any information relating to an identified or identifiable individual. This is a very broad concept because it includes any information that could be used on its own or in combination with other pieces of information to identify a person. Personal Data is not just a person’s name or e-mail address. It can also encompass information such as financial information or even, in some cases, an IP address. Moreover, certain categories of Personal Data are given a higher level of data protection because of their sensitive nature and are not processed. These categories of data are information about an individual’s racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, information about a person’s sex life or sexual orientation, and criminal record information (including Personal Data about criminal offenses, or alleged offenses).

Processing Personal Data is the key activity that triggers obligations under the GDPR. Processing means any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. In practical terms, this means any process that stores or consults Personal Data is considered processing.

The GDPR is relevant to any globally operating company, not just those located in the EU. Under the GDPR, organizations may be in scope if (i) the organization is established in the EU, or (ii) the organization is not established in the EU, but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.

We will collect, store and use your Personal Data for the purposes set in this Privacy Policy.

We have identified the types of Personal Data we may use about you and how and why we will use them.

During the provision of services, we may also use software and other means, tools of third parties (independent service providers) (hereinafter - Service Providers), which also collect Personal Data of our Users.

The procedure for collecting, processing, storing and using Personal Data is determined by the Privacy Policy of the relevant Service Provider.

The privacy policies of the software products of the Service Providers are available for review at the following links:

• Zendesk: https://www.zendesk.co.uk/company/agreements-and-terms/privacy-notice/
• Sumsub: https://sumsub.com/privacy-notice/

This list of Service Providers is non-exhaustive and may change and be supplemented. In any case, the User can review privacy policies of those Service Providers, with which WhiteBIT cooperates, on their official websites

1. Personal Data that our customers provide us for the registration, include:
   • your contact details, including your name, address, e-mail address, and telephone number(s);
   • your identification details, including your date of birth, gender, residence address.
2. Know Your Customer (KYC) Personal Data from you, third parties and/or publicly available sources including:
   • passport or another government-issued identity document (as well as the number and expiry date of the identity document);
   • your photo;
   • documents establishing your source of funds;
   • results of KYC or Politically Exposed Person (PEP) checks, including information collected by our suppliers;
   • other Personal Data if provided during passing KYC/compliance/verification procedures (including additional), etc.
3. Personal Data you provide as part of your account with us, including:
   • your password;
   • your account and marketing preferences.
4. Personal Data relating to your use of our Services, including:
   • your orders, instructions to us;
   • your transactions using your account(s), including your account(s) in third-party bank(s), financial institution(s), payment card details, etc., the amount, originator or beneficiary, and time/date of the transfers you make and receive;
   • information about the digital device through which you access our Services, such as device type, operating system, screen resolution, unique device identifiers, the mobile network system;
   • IP address;
   • date and time of log-in and requests;
   • Personal Data in your correspondence with us, by e-mail, telephone, messaging, texts, on-line chats, via social media, or otherwise;
   • whether you've clicked on links in electronic communications from us, including the URL clickstream to our website;
   • Personal Data that you provide in response to our surveys.
5. Personal Data that we collect from third parties in order to be able to register you as a customer or to provide Services to you:
   • Personal Data related to payments to or from your accounts with us, provided by payment processing services, banks, card schemes and other financial services firms;
   • Personal Data from credit reference agencies or fraud prevention agencies.
6. Personal Data that we collect through your use of our website (whether or not you have registered for our Services) including:
   • device information such as operating system, unique device identifiers, the mobile network system;
   • hardware and browser settings;
   • date and time of visits;
   • the pages you visit, the length of the visit, your interactions with the page (such as scrolling, clicks and mouse-overs), methods to browse away from our website, and search engine terms you use;
   • IP address.
7. Personal Data that we collect from individuals representing organizations such as our corporate customers and suppliers, including:
   • names, roles, and contact details of individuals working for organizations;
   • other Personal Data regarding such individuals;
   • any Personal Data contained in correspondence with those individuals.

We collect and process all types of Personal Data to provide you with our Services, ensure that Services function properly, as well as to verify your identity and ensure the security of our Services, as follows:

We may use Personal Data that you give us to register with us to:

• process your registration request;
• on-board you as a customer;
• provide our products and Services;
• manage and administer our Services, including your account with us;
• communicate with you about your account and our Services, including informing you of our products and Services;
• send personalized offers of Services and products.

We may use Know Your Customer (KYC) Personal Data to:

• carry out regulatory checks and meet our obligations to our regulators;
• help us ensure that our customers are genuine and to prevent and detect fraud, money laundering and other crime (such as terrorist financing and offenses involving identity theft).

We may use Personal Data that you provide as part of your account with us to:

• manage and administer your account with us;
• communicate with you regarding your account and our Services.

We may use Personal Data relating to your use of our Services to:

• manage and administer our Services and systems;
• check if you are in a location or using a device consistent with our records in order to help prevent fraud;
• develop and improve our Services based on analyzing this information, the behaviors of our users, and the technical capabilities of our users;
• improve our Services to better suit the behaviors and technical capabilities of the users of our Service;
• answer any issues or concerns;
• monitor customer communications for quality and training purposes.

We may use Personal Data that we collect from third parties in order to be able to register you as a customer or to provide Services to you to:

• manage and administer our Services and systems;
• help us to prevent and detect fraud.

We may use Personal Data that we collect through your use of our website (whether or not you have registered for our Services) to:

• develop new Services based on the information being collected, the behaviors of our users, and the technical capabilities of our users;
• identify issues with the website, including website security, and user's experience of it;
• monitor the way our website is used (including locations it is accessed from, devices it is accessed from, understanding peak usage times, and analyzing what functionality and information is most and least accessed), where our customers have come from online (such as from links on other websites or advertising banners), and the way in which our website is used by different users groups;
• do statistical analysis and research with the purpose of better understanding the breakdown of our customers, their use of our Services, and what attracts our customers to our Services.

We may use the Personal Data that we collect from individuals representing organizations such as our corporate customers and suppliers to:

• provide Services and products;
• build relationships and BtoB collaborations with other organizations;
• provide marketing communications to these individuals;
• improve our Services and develop new Services based on the preferences and behaviors of these individuals;
• obtain Services for our business.

You have certain rights with respect to your Personal Data, including those set forth below.

Right to be informed - you have the right to be informed about the collection and use of your Personal Data and the following information: who has collected Personal Data and processed, the purposes for processing your Personal Data, retention periods for Personal Data, who the Personal Data will be shared with etc.

Right to access - you have the right to obtain from us confirmation as to whether or not your Personal Data are being processed, the purposes of the processing, the categories of Personal Data collected, the recipients to whom the Personal Data have been or will be disclosed etc.

Right to rectification - you have the right to obtain from us the rectification of inaccurate Personal Data concerning you, as well as the right to have incomplete Personal Data completed.

Right to erasure (“right to be forgotten”) - you have a right to ask for the deletion of your Personal Data if the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or if there is no other legal ground for the processing.

Right to restriction of processing - you have a right to ask us to restrict further processing of your Personal Data, so that in each case the data may be processed only upon separate consent from you.

Right to data portability - you have the right to receive your Personal Data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller where technically feasible.

Right to object - you have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data if there are no legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Right to withdraw - you can withdraw your consent for your Personal Data processing at any time and ask us to stop access, storage, usage and other processing of your Personal Data if you believe that we do not have the proper rights to do so.

Right to non-discrimination - we will not discriminate against you (as provided in applicable law) for exercising any of your rights as a Personal Data subject.

To exercise any of these rights, please contact our Data Protection Officer at [email protected].

Please note that if you have given explicit consent for marketing communications, this can be withdrawn at any time. You can also unsubscribe from our marketing communications.

Please be aware that from time to time we may need to contact you regarding operational issues or to adhere to the performance requirements of our agreement with you. These will not be marketing communications, and we will operate under legitimate interests in order to contact you for these reasons.

We need to collect certain types of Personal Data for compliance with legal requirements relating to our anti-fraud and Anti-Money Laundering/Countering Financing of Terrorism/Know Your Customer obligations. If this Personal Data is not provided we cannot agree to provide a Service to you.

Your Personal Data may also be processed if it is necessary on reasonable request by a law enforcement or regulatory authority, body, or agency or in the defense of a legal claim. We will not delete Personal Data if relevant to an investigation or a dispute. It will continue to be stored until those issues are fully resolved.

We do not collect or store any information about children under 18. Minors and children should not use our Website and Services. By using our Website and Services, you represent that you have the legal capacity to enter into a binding agreement.

We do not process any sensitive personal information, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

We use a variety of physical, technical, and administrative security measures to ensure the confidentiality of your Personal Data, and to protect your Personal Data from loss, theft, unauthorised access, misuse, alteration or destruction as well as from other illegal actions of third parties.

We implemented such security measures as data encryption when in transit and storage, data storage diversification, strict physical access controls to buildings & files, anonymization technology, data and asset diversification, and strict physical access of a minimum number of individuals, using multisign access tools, and subject to confidentiality commitments.

We make sure that we regularly review our information security policies and measures and, where necessary, improve them.

We do not sell, trade, or rent our Users’ Personal Data to any third parties. We may transfer certain Personal Data of Users (such as your contact and/or identification information) to third-party financial institutions in exceptional cases, when required by the rules and policies of such financial institutions, in order to identify Users and provide them with our Services.

Users acknowledge and consent that we can transfer their Personal Data to third parties that carry out KYC checks and fraud database checks. Such third parties have been assessed by us and guarantee compliance with the legislation on the processing of personal data and with this privacy policy.

We retain your Personal Data only for those periods necessary to fulfil the various purposes outlined in this Privacy Policy unless a longer retention period is required or allowed by law.

For the purposes of complying with our legal or regulatory obligations and the world industry standards for data storage, you give us consent and permission to keep records of such information throughout the term of your Account, as well as for 5 (five) years after the closure of your Account.

We store your Personal Data in in a depersonalized or aggregated form but not in a way that would identify you personally.

We may store your personal data for longer than is required by law, as long as it is in our legitimate business interests and is not prohibited by law.

We may disclose certain Personal Data to our business partners who provide us with services such as cloud services/servers, insurance, analytics, research, and other services or work with us to deliver our Services to users. We provide third parties with the minimum amount of Personal Data necessary only to provide the required service.

Personal Data will be provided by us only for the purpose of providing users with Services, as well as to improve these Services, related communications. Such information will not be provided to third parties for their marketing purposes.

We may disclose your Personal Data in accordance with the law, court order, in court proceedings and/or on the basis of public requests or requests from government authorities in or outside the territory of your country of residence. We may also disclose your Personal Data if we determine that such disclosure is necessary or appropriate for national security, law enforcement or other socially important reasons.

We may also disclose your Personal Data if we determine that the disclosure is necessary to enforce WhiteBIT User Agreement or to protect our activities and our users.

We may transfer to, and store your Personal Data we collect in, countries other than the country in which the data was originally collected, including the countries outside the European Economic Area (“EEA”), the United Kingdom and Switzerland. Those countries may not have the same data protection laws as the country in which you provided the data. When we transfer your Personal Data to other countries, we will protect the Data as described in this Privacy Policy and comply with applicable legal requirements providing adequate protection for the transfer of data to countries outside the EEA, the United Kingdom and Switzerland.

If you are located in the EEA, the United Kingdom or Switzerland, we will only transfer your Personal Data if:

• the country to which the Personal Data will be transferred has been granted a European Commission adequacy decision; or
• transfer, for example, we have entered into EU standard contractual clauses and required additional safeguards with the recipient, or the recipient is a party to binding corporate rules approved by an EU, UK or Swiss supervisory authority.

We reserve the right to amend the Privacy Policy at our discretion and at any time. Any changes to this Policy will take effect from the moment this Policy is published on https://whitebit.com/privacy-policy. You shall regularly review the Privacy Policy and pay attention to its revisions. Your continued use of our Website and Services following the posting of changes constitutes your acceptance of the amended Privacy Policy. We always indicate the date the last changes were published.