SmashFi Privacy Policy

Updated: August 7, 2024

1. Introduction

SMASHFI LLC (hereinafter referred to as the “Company”) respects the privacy of individual users (“User”) and is dedicated to safeguarding it in compliance with this Privacy Policy (hereinafter referred to as this “Policy”). This Policy pertains to personal data collected within the “SmashFi platform” services (“Platform”) managed by the Company. The Company is responsible for handling the personal data supplied by a User or sourced from a User within the Platform. This Policy outlines the kinds of personal data the Company might gather from a User or that a User might provide, alongside the Company’s approach to collecting, using, storing, protecting, and revealing that personal data.

This Policy will become effective on October 17, 2023. Should there be any alterations, the Company will notify users by making them publicly available on the Company’s Platform or through other means (e.g., text, e-mail, messenger, or a pop-up screen prompting acceptance upon sign-in).

Terms used in this Privacy Policy correspond with meanings established in applicable laws, regulations, and the Company's terms and conditions. Any other concerns will follow general commercial practices. To utilize the Platform, you must be at least eighteen (18) years old or of the equivalent minimum age in your jurisdiction ("Minimum Age"). By accessing the Platform, you confirm that you meet the Minimum Age requirement. The Company may require age verification and has the right to end your access to the Platform without prior notice if misrepresentation is detected.

2. GDPR Compliance

We are committed to ensuring that your personal data is protected in accordance with the General Data Protection Regulation (GDPR). This includes:

• Lawful, Fair, and Transparent Processing: We process personal data lawfully, fairly, and in a transparent manner. We will always inform you about how your data is being used at the time of collection.
• Purpose Limitation: We collect data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
• Data Minimization: We collect only the data that is necessary for the purposes for which it is processed.
• Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date.
• Storage Limitation: We keep personal data in a form that permits the identification of data subjects for no longer than necessary.
• Integrity and Confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.

3. Collection of Personal Data and Methods

3.1. Types of Personal Data Collected

(a) Data Provided by Users

When signing up and using the Platform, we collect data provided directly by the user, such as email and password. For identity verification, when a user withdraws digital assets, we collect the following types of personal data:

a) Personal Identification Data:

• Full name
• Date of birth
• Nationality
• Gender
• Home address
• Phone number
• Email address
• Government-issued identification documents (e.g., passport, national ID, driver's license)
• Proof of address (e.g., utility bills)
• Photographs
• Video or voice recordings

b) Biometric Data:

• Facial recognition data

c) Financial Information:

• Bank account details
• Payment card information
• Source of funds
• Source of wealth
• Transaction history

d) Account Information:

• SmashFi user ID
• Password (encrypted)
• Security questions and answers

e) Wallet Information:

• Wallet addresses
• Wallet IDs

f) Online Identifiers:

• IP address
• Device information
• Browser type and version
• Operating system

g) Usage Data:

• Login data
• Platform activity logs
• Service usage statistics

(b) Data Sourced When Users Access the Platform

Various details might be collected when a user interacts with the Platform, including browser types, device data, and usage details. Data such as IP addresses, cookies, device specifics, timestamps, service access records, and any misuse logs may also be collected.

We collect personal data through various methods:

a) Direct provision: When you register for an account, verify your identity, or use our services.

b) Automated collection: Through cookies and similar technologies when you use our Platform.

c) Third-party sources: From identity verification services, and public databases.

d) Customer interactions: Through customer support communications, surveys, and feedback forms.

(c) Data Received from Third-party Providers

• Collection: We collect Google account information only when users choose to log in using their Google credentials. This process is initiated through a secure OAuth protocol, ensuring that the user's login details are not shared directly with us but are handled securely by Google.
• Processing: The collected Google account information is integrated into the user’s profile on the Platform. This allows for seamless account creation and login, personalized user experience, and improved customer support. The information may also be used for user authentication and account recovery purposes.
• Protection: We are committed to protecting the personal data of our users. The Google account information collected is encrypted and stored securely in compliance with industry standards and regulations. Access to this data is restricted to authorized personnel only and is protected by multiple layers of security measures, including firewalls, encryption, and access controls.
• Data Retention: The Google account information is retained for as long as the user maintains an account with us. If the user chooses to delete their account, we ensure that all personal data, including information collected from Google, is permanently removed from our servers, except where retention is required by law.
• User Control: Users have the right to access, modify, and delete their personal data at any time. They can manage their Google account permissions through their Google account settings and can revoke SmashFi's access to their Google account information. Additionally, users can contact our support team for assistance with any data-related inquiries.
• Compliance: SmashFi adheres to all relevant data protection laws and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), ensuring that users' privacy rights are respected and protected.
  

3.2. Data Collection Techniques

The Company collects users’ personal data through web pages, written documents, fax, phone calls, emails, data tools, or via partner entities. For Google login, the data is collected through a secure OAuth authentication process facilitated by Google.

More details how data is collected:

• Through account registration and verification processes
• When using SmashFi services (e.g., depositing, requesting for investment, withdrawing)
• Through customer support interactions
• Via cookies and similar technologies on the website and mobile apps
• From third-party sources for verification purposes
• Through surveys and feedback forms

4. Usage of Collected Data

We process your personal data for the following purposes and on these legal bases:

a) Account Creation and Maintenance

Purpose: To create and manage your SmashFi account.

Legal Basis: Performance of a contract.

b) Identity Verification and KYC/AML Compliance

Purpose: To verify your identity and comply with regulatory requirements.

Legal Basis: Legal obligation and legitimate interests.

c) Providing Services

Purpose: To facilitate transactions, provide customer support, and improve our services.

Legal Basis: Performance of a contract and legitimate interests.

d) Security and Fraud Prevention

Purpose: To protect your account and our Platform from unauthorized access and fraudulent activities.

Legal Basis: Legitimate interests.

e) Communications

Purpose: To send you important updates about our services and respond to your inquiries.

Legal Basis: Performance of a contract and legitimate interests.

f) Marketing (with consent)

Purpose: To send you promotional materials and personalized offers.

Legal Basis: Consent.

If the data's intended use deviates from the reasons listed above, the Company will secure the user's consent.

5. KYC and AML Compliance

To comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations, we are required to collect and verify certain personal information. This process may include:

• Verification of your identity using government-issued documents
• Checks against sanctions lists and politically exposed persons (PEP) databases
• Ongoing monitoring of transactions for suspicious activities

Failure to provide the required information may result in limited access to our services or account closure.

6. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law. Specifically:

• Account information: Retained for the duration of your account plus 5 years after closure.
• KYC/AML data: Retained for 5 years after account closure, as required by financial regulations.
• Transaction data: Retained for 7 years for tax and accounting purposes.

7. International Data Transfers

SmashFi may transfer your data to countries outside your country of residence. When we do so, we implement appropriate safeguards, such as Standard Contractual Clauses, to ensure your data is protected.

8. Data Security

The Company implements appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, access controls, and regular security assessments.

We implement robust security measures to protect your personal data, including:

• Encryption of sensitive data in transit and at rest
• Multi-factor authentication
• Regular security audits and penetration testing
• Strict access controls and employee training

9. Third-Party Sharing

We may share your personal data with:

• Service providers (e.g., identity verification services, cloud hosting providers)
• Financial institutions to facilitate transactions
• Regulatory authorities and law enforcement agencies when required by law

10. Automated Decision Making

We use automated decision-making processes for fraud detection and risk assessment. You have the right to request human intervention, express your point of view, and contest any decision made solely by automated means.

11. Disclosing Collected Data

The Company will not share personal data unless:

• Legally mandated.
• Requested for investigative purposes.
• Necessary for Company partners and service providers.
• The user has previously agreed or has given express consent.

12. Cookies, Beacons, and Similar Tools

Cookies and web beacons may be used to collect aggregated, non-personal information. They help improve user experience and ensure better services.

13. User Rights

Under the GDPR, users have the following rights concerning their data:

• Access: Users have the right to request access to their personal data and obtain a copy.
• Rectification: Users have the right to request correction of inaccurate or incomplete personal data.
• Erasure: Users have the right to request the deletion of their personal data under certain circumstances.
• Restriction: Users have the right to request the restriction of processing of their personal data.
• Data Portability: Users have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another data controller.
• Objection: Users have the right to object to the processing of their personal data based on legitimate interests or for direct marketing purposes.
• Withdrawal of Consent: Users have the right to withdraw their consent at any time where we rely on consent to process their personal data.

To exercise any of these rights, please contact us at [contact@smashfi.me].

14. User Responsibilities

Users must ensure their data is accurate and safeguard their credentials. Users are accountable for inaccuracies or damages stemming from their negligence.

15. Protection for Minors

The Company does not register or collect data from individuals below 18 years of age.

16. Technical and Managerial Safeguards

The Company has implemented comprehensive technical and managerial safeguards to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include:

• Encryption: We use encryption to protect personal data during transmission and storage.
• Access Controls: We restrict access to personal data to authorized personnel only.
• Regular Security Assessments: We conduct regular security assessments to identify and mitigate potential vulnerabilities.
• Incident Response Plans: We have incident response plans in place to handle potential data breaches swiftly and effectively.

17. Destruction of Personal Data

Personal data is destroyed once its purpose is fulfilled, but certain data might be retained as required by laws.

18. Policy Modifications

We may update this Privacy Policy from time to time. We will notify you of any significant changes through the Platform or via email.

19. Contact Information

If you have any questions about this Privacy Policy, please contact our Data Protection Officer

Company Name: SMASHFI LLC

Email: contact@smashfi.com

20. Exclusions

This Policy doesn’t cover third-party service providers or linked sites.

By using SmashFi, you consent to the collection and use of your personal data as described in this Privacy Policy. We are committed to ensuring that your personal data is protected in accordance with GDPR standards. If you have any questions or concerns about our privacy practices, please contact us at [contact@smashfi.me].