CryptoBridge Privacy Notice (Poland / EU)

Last revision: December 2025

  1. Scope

This Privacy Notice explains how we process personal data when you visit our website, create an account, use our services (including any exchange, custody, investment or related services offered by CryptoBridge), contact us, or otherwise interact with us online. It also explains your rights under the EU General Data Protection Regulation (GDPR).

  2. Controller and contact details

Data Controller: CryptoBridge sp. z o.o.
Registered office: Hoża 86 / 210, 00-682 Warszawa, Poland
KRS: 0001058371 | NIP: 7011164795 | REGON: 526399029

Contact (privacy): privacy@cryptobridge.pl
General contact: support@cryptobridge.pl

  3. Categories of personal data we process

Depending on how you use our website/services, we may process:

  • Identification and contact data: name, email, phone, address, date of birth.
  • Account and service data: username, account identifiers, settings, support tickets, communication history.
  • Transaction and financial data: transaction identifiers, wallet addresses, deposit/withdrawal details, payment references, and related records.
  • KYC/AML data (if applicable): identity document data, verification results, source of funds/wealth information, sanctions/PEP screening results (where required).
  • Technical and usage data: IP address, device identifiers, browser type, operating system, referrer URL, timestamps, and similar log data.
  • Cookies/analytics data: identifiers and events collected via cookies/SDKs (only where consent is given for non-essential cookies—see Section 8).

  4. Purposes and legal bases of processing

We process personal data for the following purposes and legal bases under GDPR:

4.1 Website operation and security

Purpose: operate the website, ensure IT security, prevent fraud/abuse, maintain logs.
Legal basis: our legitimate interests (GDPR Art. 6(1)(f)).

4.2 Account creation and service delivery

Purpose: create and manage your account, provide our services, process requests, provide customer support, communicate service updates.
Legal basis: performance of a contract or steps prior to entering into a contract (GDPR Art. 6(1)(b)).

4.3 Legal and regulatory compliance (incl. AML/CFT where applicable)

Purpose: comply with legal obligations (e.g., financial, accounting, AML/CFT, sanctions compliance where applicable to our services), respond to lawful requests by authorities, keep legally required records.
Legal basis: compliance with a legal obligation (GDPR Art. 6(1)(c)); in limited cases also legitimate interests (Art. 6(1)(f)) where appropriate.

4.4 Communication and handling inquiries

Purpose: respond to messages, process complaints, provide support, maintain correspondence.
Legal basis: contract/pre-contract steps (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)), depending on the context.

4.5 Analytics and improving our website (only with consent)

Purpose: understand website performance and usage to improve user experience (e.g., via analytics tools).
Legal basis: consent (GDPR Art. 6(1)(a)) and the cookie rule for non-essential cookies. You can withdraw consent at any time (see Section 8).

4.6 Marketing communications

Purpose: send newsletters or marketing updates.
Legal basis: consent (Art. 6(1)(a)) or legitimate interests (Art. 6(1)(f)) where legally permissible and depending on channel and applicable rules.

  5. Whether providing data is mandatory

  • Some data is required to provide the services (e.g., account and transaction data). If you do not provide it, we may not be able to create an account or deliver services.
  • Where processing is based on consent, providing data is voluntary and you may withdraw consent at any time without affecting processing carried out before withdrawal.

  6. Recipients of personal data

We may share personal data with:

  • Service providers (processors) supporting us, such as hosting, IT/security, customer support tools, analytics (where consent applies), email/SMS delivery, and identity verification/KYC providers (if applicable).
  • Professional advisers (lawyers, auditors) where necessary.
  • Public authorities and law enforcement where we are legally required to disclose data or to protect our rights.

We require processors to process data on our instructions and to apply appropriate security measures.

  7. International transfers (outside the EEA)

Some of our service providers, including providers of analytics, cloud infrastructure, and other IT or support services (such as Google Analytics 4), may process personal data on servers or infrastructure located outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, the Company ensures that such transfers are carried out in accordance with applicable data protection laws and are subject to appropriate safeguards, including reliance on an adequacy decision of the European Commission (such as the EU-US Data Privacy Framework, where the recipient is certified) and/or the use of the European Commission’s Standard Contractual Clauses (SCCs), together with additional technical or organisational safeguards where required. You may obtain further information about the safeguards applied to a specific transfer, or request a copy of the relevant safeguards, by contacting the Company using the contact details set out in Section 2 of this Privacy Notice.

  8. Cookies and similar technologies

We use cookies and similar technologies for the following categories:

8.1 Strictly necessary cookies

These are required for the website to function (e.g., security, session management). They do not require consent.

8.2 Analytics cookies (GA4) — only with consent

We use Google Analytics 4 (GA4) to understand how users interact with our website (e.g., which pages are visited, session duration, and general usage patterns) in order to improve the website and our services. GA4 is enabled only if you provide consent through our cookie banner / Consent Management Platform (CMP). If you do not consent, GA4 analytics cookies will not be set and analytics data will not be collected for this purpose.

For users in the European Union / EEA, Google Analytics 4 does not log or store IP addresses; IP addresses collected for communication are dropped before logging.

Google Analytics is used under Google’s Data Processing Terms / Data Processing Amendment, under which we act as the controller and Google processes data on our behalf as a processor (except where optional “data sharing” settings apply).

8.3 Cookie banner/CMP, withdrawal of consent, and preference changes

When you first visit our website (and periodically thereafter), our cookie banner / CMP allows you to accept, reject, or customise non-essential cookies (including analytics cookies). You can change your preferences at any time via the cookie settings link available on our website.

Withdrawing consent does not affect processing that occurred before the withdrawal. Where consent is withdrawn or not provided, we will stop using the relevant cookies and will not collect analytics data via GA4 for that device/browser going forward.

You can also manage cookies via your browser settings. Please note that blocking strictly necessary cookies may affect website functionality.

  9. Server logs and IP addresses

When you visit our website, we (or our hosting provider) process server logs such as IP address, timestamps, device and browser information, and requested pages. We use this information to operate the website, maintain security, prevent abuse, and troubleshoot incidents. The legal basis is our legitimate interest (Art. 6(1)(f)).

  10. Data retention

We keep personal data only as long as necessary for the purposes described above, including:

  • Website/server logs: up to 90 days, unless needed longer for security investigations.
  • Account data: for the duration of the account and afterwards as required for legal compliance and dispute handling.
  • Support communications: up to 5 years depending on the nature of the inquiry and limitation periods.
  • Regulatory/financial records (incl. AML/CFT where applicable): for the period required by law (often several years), and longer if required for proceedings or audits.

  11. Your rights

Under GDPR, you have the right to:

  • access your personal data,
  • rectification (correction),
  • erasure (in certain cases),
  • restriction of processing,
  • data portability (where applicable),
  • object to processing based on legitimate interests,
  • withdraw consent at any time (where processing is based on consent).

You can exercise your rights by contacting us (Section 2).

  12. Right to lodge a complaint (Poland – UODO)

You have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) if you believe your personal data is processed in breach of data protection law.

UODO contact details:
Personal Data Protection Office (UODO)
1A, St. Moniuszki Street, 00-014 Warsaw, Poland
Tel: +48 22 531 03 00
Email: kancelaria@uodo.gov.pl

  13. Automated decision-making and profiling

We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you, unless this is necessary for providing the service, authorised by law, or based on your explicit consent. Where we use automated checks (e.g., fraud or compliance screening), we apply appropriate safeguards and allow you to request human review where required by GDPR.

  14. Changes to this Privacy Notice

We may update this Privacy Notice from time to time. The latest version will be published on our website with the revision date.