Privacy policy

Collecting Personal Information

This Privacy Policy explains how ITwises s.r.o. ("ITwises", "we", "our", "us") collects, uses, shares and safeguards personal data when you visit or use our website, products, mobile applications and related services (collectively the "Services"). It also describes your rights and how to exercise them.

Controller
ITwises s.r.o.
Registered address: Bulharská 996/20, Vršovice, 101 00 Praha 10, Czech Republic.
Company ID (IČO): 216 13 460
General enquiries: contact@itwisescrypto.com

Postal: Data Protection Officer, ITwises s.r.o., Bulharská 996/20, Vršovice, 101 00 Praha 10, Czech Republic.

We operate in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and Act No 110/2019 Sb. on the Processing of Personal Data.

1  Definitions

Personal Data – any information relating to an identified or identifiable natural person.
Special‑category data – personal data revealing racial or ethnic origin, biometric data used for unique identification, data concerning health, etc. (Art 9 GDPR).
Criminal‑offence data – personal data relating to criminal convictions and offences (Art 10 GDPR).
Processing – any operation performed on personal data.
Controller – the entity that determines the purposes and means of processing personal data.
Processor – a natural or legal person that processes personal data on behalf of the controller.

2  What data we collect
2.1 Data you provide

Context – Categories of data
Account registration & onboarding – Full name, date of birth, nationality, residential address, email, phone number, password
KYC/AML identity verification – Government‑issued ID images, liveness selfies/video, biometric data derived from those images, proof‑of‑address documents, source‑of‑funds information, tax/VAT numbers
Business accounts – Company incorporation documents, UBO/shareholder data, board member IDs, business address, corporate bank details
Transactions & wallet activity – Wallet addresses, transaction amounts, asset type, payment card or bank references
Support & communications – Content of emails, tickets, phone recordings, chat transcripts

2.2 Data we collect automatically

  • Cookies and similar technologies – device identifiers, language, referral URL, on‑site actions.
  • Log files – IP address, browser type, operating system, timestamps, clickstream.

2.3 Data from third parties

  • Identity‑verification partner (Sum & Substance Ltd., UK) – verification result, risk score, AML watch‑list hits.
  • Payment service providers – payment confirmations, partial card/BIC identifiers.
  • Public & commercial sanctions databases – PEP, sanctions or adverse‑media flags.

3  Special‑category & criminal‑offence data

During KYC onboarding we process biometric data (face templates extracted from selfies/ID photos) and, where applicable, information on criminal convictions or sanctions. Processing is necessary for substantial public interest in preventing money‑laundering and terrorist financing (Art 9 §2 g GDPR) and to comply with Czech AML Act No 253/2008 Sb. (Art 10 GDPR).

4  Purposes and legal bases

Purpose – Legal basis – GDPR article
Create & maintain your account – Contract performance – Art 6 §1 b
KYC/AML identity verification – Legal obligation (AML Act 253/2008 Sb.) / Substantial public interest – Art 6 §1 c; Art 9 §2 g
Transaction processing & asset custody – Contract performance; Legitimate interest in secure operation – Art 6 §1 b; Art 6 §1 f
Fraud detection & security monitoring – Legitimate interest in preventing fraud & safeguarding assets – Art 6 §1 f
Marketing communications – Consent (you may withdraw at any time) – Art 6 §1 a
Regulatory reporting & audits – Legal obligation – Art 6 §1 c
Analytics & service improvement – Legitimate interest in business development – Art 6 §1 f

5  Automated decision‑making & profiling

We use automated risk‑scoring tools provided by SumSub to flag potentially fraudulent or high‑risk applicants. No decision with legal or similarly significant effect is taken solely by automated means. All automated rejections are reviewed by a human compliance officer before they become final.

6  How we share your data

Recipient category – Purpose – Safeguard
Identity verification provider (Sum & Substance Ltd., UK) – KYC & AML checks – EU–UK adequacy decision
Payment processors (e.g. ZEN.com) – Card & bank payments – PCI‑DSS & GDPR‑compliant contracts
IT hosting & security vendors (EU data centres) – Infrastructure, backups, DDoS protection – Standard contractual clauses (SCCs) where relevant
Analytics/marketing partners – Usage analytics, ads (consent‑based) – Consent mechanism; opt‑out available
Regulators, law‑enforcement, courts – Compliance with legal obligations – Legal obligation
Group entities / successors – Corporate restructuring, M&A – GDPR Art 6 §1 f legitimate interest

We never sell your personal data.

7  International transfers

Most data are stored in the European Economic Area (EEA). Where we transfer data outside the EEA:

  • United Kingdom: Our KYC processor operates under the EU adequacy decision.
  • Other third countries: We rely on Standard Contractual Clauses approved by the European Commission and implement additional technical safeguards (encryption in transit and at rest).

8  Data retention

Data category – Retention period
KYC metadata (name, address, ID number) – 5 years after account closure (AML Act §16)
Biometric images & liveness videos – 30 days after verification unless extended for fraud investigation
Transaction records & ledger – 10 years (accounting & tax law)
Marketing contact details – Until you withdraw consent or 24 months after last interaction
Support tickets & call recordings – 5 years from creation
Cookies & analytics identifiers – 1–13 months

After expiry we erase or irreversibly anonymise the data.

9  Security measures

We apply administrative, technical and physical controls, including:

  • TLS 1.3 encryption for all in‑transit data
  • AES‑256 encryption for data at rest
  • ISO 27001‑certified EU data centres
  • Role‑based access controls, MFA, audited key management
  • Regular penetration tests and vulnerability scans
  • Incident‑response plan and 24 × 7 monitoring

10  Your rights

You may exercise the following rights free of charge:

  • Access – obtain a copy of your personal data.
  • Rectification – correct inaccurate or incomplete data.
  • Erasure – request deletion where conditions in Art 17 GDPR are met.
  • Restriction – limit processing in certain cases.
  • Data portability – receive your data in a structured, machine‑readable format and transmit it to another controller.
  • Object – object to processing based on legitimate interest or direct marketing.
  • Withdraw consent – at any time, without affecting prior lawfulness.

How to exercise your rights

Email contact@itwisescrypto.com. We will reply within one month (Art 12 §3 GDPR). We may request proof of identity.

Complaints

If you believe we have infringed your data‑protection rights you may complain to:
Office for Personal Data Protection (ÚOOÚ)
Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
https://uoou.cz

11  Children's privacy

Our Services are not intended for children under 18. We do not knowingly collect data from minors. Parents who believe their child has provided personal data may contact us for deletion.

12  Changes to this Policy

We may update this Policy from time to time. Material changes will be announced on our website and, where appropriate, by email. The "Last updated" date at the top indicates the current version.

13  Contact us

Questions about this Policy or data protection at ITwises? Email contact@itwisescrypto.com or write to ITwises s.r.o., Bulharská 996/20, Vršovice, 101 00 Praha 10, Czech Republic.

© 2025 ITwises s.r.o. – All rights reserved.