Privacy Policy

This policy is effective as of December 20, 2023.

Introduction

Zero Hash Holdings Ltd., together with its subsidiaries and affiliates (referred to herein as, "Zero Hash," “ZH,” “Company,” “our,” "we," or “us”) are committed to the privacy of all who visit our Website (“Visitors”) and those who sign-up for, access, or use our Services, whether directly or indirectly (“Users,” together with Visitors referred to throughout the Policy as “you” or “your”). In our commitment to protect user privacy, we have adopted and implemented this privacy policy ("Privacy Policy" or “Policy”).

This Privacy Policy describes how we collect, use, and share your personal information when you review or access our Services, which include access to any services or products offered on or through our websites, including without limitation zerohash.com and any subdomains (“Websites”), when you use our Services through an application programming interface (“API”), or when you access our Websites or Services through any third-party applications relying on any such APIs or otherwise access our Services through any other authorized point of access (“Third-Party Access”).

Because we collect, use, and are responsible for certain personal information about you, we are subject to various laws in the United States and other jurisdictions, including the EU’s General Data Protection Regulation (“EU GDPR”) which applies across the European Union and its United Kingdom GDPR equivalent (“UK GDPR” and collectively with EU GDPR, “GDPR”). If you reside outside of the UK and the European Economic Area (the “EEA”), accessing and using our Services means that you accept this Privacy Policy and its terms. Please see Exhibit A to this Policy for additional information about jurisdictional specific applications of this Policy.

The identity of the data controller of the personal information we hold about you will depend on which Zero Hash subsidiary or affiliate that you are engaging with (as identified in “Our representative” below), or if you access, use or receive our Services.

It is important that you understand how we use your information. You should read this page in full, but below are the key highlights and some helpful links:

  • Our goal is to simplify your experience. If you do not wish for your personal information to be collected, used, or disclosed as described in this Privacy Policy, or you are under 18 years of age, you should stop accessing our Services.
  • We collect and use your information in order to provide and improve our Services and your experience, protect the security and integrity of your data and our platform, and meet our legal obligations.
  • We share your information with other Zero Hash companies, as well as trusted third-parties and service providers, in order to offer our Services and fulfill our legal requirements.
  • We offer privacy tools for you to request access to or deletion of information we hold about you. You can use these tools by visiting our Support Portal. Depending on where you live, you may also have other applicable privacy rights.
  • If you have any questions, please Contact Us on our Support Portal or at [email protected].

Key Terms

  • “We”, “us”, “our”: Zero Hash Holdings Ltd. or any applicable subsidiaries or affiliates (including those listed in as Our representative) (collectively, the “Zero Hash Group”)
  • “Our representative”: Zero Hash US LLC (USA), Zero Hash LLC (USA), Zero Hash Liquidity Services LLC (USA), Zero Hash Worldwide Ltd (Bermuda), Zero Hash Global Liquidity Ltd (Bermuda), Zero Hash Europe B.V. (European Union), Zero Hash UK Ltd. (United Kingdom), Zero Hash Brazil Limitada (Brazil), Zero Hash Australia Ltd. (Australia & New Zealand)
  • “Data Privacy Office Contact”: [email protected]
  • “Personal information”: Any information or an opinion about an identified individual or individual who is reasonably identifiable
  • “Special category personal information”: Personal information revealing racial or ethnic origin, political opinions or membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership in or of a professional or trade union or similar association; sexual orientation; or criminal record; Genetic information about an individual (that is not health information), biometric templates and biometric data (that is to be used for the purpose of automated biometric verification or identification); Health information about an individual
  • “Applicable Law”: Any and all laws, ordinances, constitutions, regulations, statutes, treaties, rules, codes, licenses, certificates, franchises, permits, principles of common law, requirements and orders adopted, enacted, implemented, promulgated, issued, entered, or deemed applicable by or under the authority of any governmental, quasi-governmental, or other regulatory body having jurisdiction over the Zero Hash Group or you, including without limitation: Australian Privacy Policy 1988, General Data Protection Law (“LGPD”), GDPR, New Zealand Privacy Act 2020, and Gramm-Leach-Bliley Act 1999

Information Collected

We collect data about Visitors to our Websites and any affiliated blogs, mobile sites, or applications; about Users that access, directly or indirectly, our Services, or any other Visitors that attend events organized or hosted by us; and about our clients (where these are natural persons) or their employees, agents and representatives (and these individuals about whom we collect data are incorporated into any reference to "you" in this Privacy Policy).

We may collect data that identifies or is associated with you ("personal information") when you access our websites, blogs, mobile sites, applications, widgets, APIs, and other interactive features, when you register or attend an event organized or hosted by us, or when you otherwise contact us (our "Services"). We may also collect personal information about you from another Zero Hash Group affiliate (e.g. personal information provided to a Zero Hash Group affiliate) or other third parties as part of normal business practices. Please refer to the below for further information about the personal information or documentation we may collect and how it may be collected:

Information You Provide to Us

Information CategoryDescription
Basic Customer InformationName, Address, Date of birth, Nationality, Country of residence, Phone number, Email Address, or similar
Supplemental Identification InformationPhotographs or videos, Government-issued identity document (e.g., passport, driver’s license, or state identification card), Social security number, Employment information (e.g. company name), Proof of residency, including visa information, Gender, or similar
Electronic Identification (“EIDV”) InformationBiometric information generated based on photos, videos, or other electronically identifiable biometric data you provide in order for us to verify your identity or location
Institutional Information (if you are a non-natural person, institutional User)Employer Identification number (or comparable number issued by a government), Personal identification information for all material beneficial owners of your business
Financial InformationBank account number, Payment card primary account number ("PAN"), Tax identification number, Account balance
Crypto InformationWhen you sign up to use our Services that use or leverage cryptocurrency, digital asset, or other cryptographic assets, we may collect your associated personal information, including your digital wallet address, digital Transaction Information, and information related to integrations that you select
PreferencesUser Settings and preferences you select on the Website
Transaction InformationInformation about the transactions made on our Services, such as the name of the sender, the name of the recipient, the amount, currency preferences, payment method, date, and/or timestamp
Additional information you submit to usCommunications such as survey responses or information (including call recordings) provided by you to our customer service teams

Information Collected Automatically

Information CategoryDescription
App, browser, and device informationInformation about the device, operating system, and browser you’re using; Other device characteristics or identifiers (e.g. network connection characteristics); IP addresses
Product Usage InformationInformation about the your viewing history and traffic logs from visiting the Websites or using our Services, including diagnostic information about the performance of Website or Services
Information from cookies and similar technologiesPlease see “Cookies and other tracking technologies” below

Information we may obtain from affiliates or third parties

Information CategoryDescription
Zero Hash Group shared informationWe may obtain information about you, such as Basic Customer Information, Supplemental Identification Information, EIDV, Transaction Information and Product Usage Information, from another Zero Hash Group affiliate as part of normal business practices. For instance, if you utilize the various Zero Hash Services, including services provided by Zero Hash Affiliates located outside the United States, we may utilize certain information you provide to a Zero Hash Group affiliate to provide you with Services from another Zero Hash Group affiliate and to otherwise adhere to applicable laws and regulations.
Public database informationWe obtain information about you from public databases – including without limitation from the UN Sanctions List, OFAC Screening List, and EDGAR – which may include your name, address, email address, phone number, gender, national ID number and nationality/country of residence, date of birth, job role, public employment profile, listing on any sanctions lists maintained by public or regulatory authorities, and other data as necessary
Blockchain dataWe may analyze public blockchain data, including timestamps of transactions or events, transaction IDs, digital signatures, transaction amounts, and wallet addresses
Information from our Marketing and Advertising PartnersWe receive information such as your name and contact information from our marketing partners, potentially including in what content you viewed or the actions you take on our Website
Information from Analytics and ProvidersWe receive information about your Website usage, interactions, age group, and survey responses (including, in some cases, prior to any account creation)
Retail Merchant InformationIf you use your Zero Hash account to conduct a transaction with a third-party merchant, the merchant may provide us with data about you, such as your name and contact details, and your transaction with that merchant
Research and Survey InformationWe may from time to time utilize internal or third-party service providers to conduct surveys to better understand our Visitors’ experience and to improve our Services.

This personal information is required to provide our Services to you. If you do not provide personal information we ask for, it may delay or prevent us from providing our Services to you. When we collect your personal information from third parties, we will take reasonable steps to notify you of the circumstances of that collection.

How We Use Your Information

We use your personal information to deliver, personalize, operate, improve, create, and develop our Services, to provide you with a secure, smooth, efficient and customized experience as you use them, and for legal compliance, loss prevention, and anti-fraud purposes. Below is additional information about how we use your personal information and our legal basis for doing so:

As Necessary to Perform a Contract with Users

We may use certain information that is necessary to conclude and perform our duties under the applicable Zero Hash Group company user agreement (e.g., the Zero Hash & Zero Hash Liquidity Services User Agreement in the United States) or similar customer or end-user agreement(s) or relevant contract(s) with you. We will need to suspend or terminate your user account if we cannot process your personal information or similar data for such purposes.

How We Use Your Information

To create and maintain your User account

  • Purpose: In order to provide you with our Services, and to allow you to set up a customer account and profile.
  • Relevant Categories of Information:
    • Basic Customer Information.
    • Supplemental Identification Information.
    • EIDV Information.
    • Financial Information.
    • Crypto Information.

To provide you with Crypto Services

  • Purpose: In order to provide you with Services to buy, sell, save, trade, or spend digital assets within your account, including hosting and maintaining your digital wallets.
  • Relevant Categories of Information:
    • Basic Customer Information
    • Supplemental Identification Information
    • Financial Information
    • Institutional Information
    • Transaction Information
    • Crypto Information
    • Preferences
    • Blockchain Data
    • Product Usage Information (including Location Information)
    • Additional information you may submit to us

To provide you with Third-Party Access

  • Purpose: In order to provide you with Third-Party Access, which may include tools, such as APIs and other infrastructure for accessing our Services.
  • Relevant Categories of Information:
    • Basic Customer Information
    • Supplemental Identification Information
    • Financial Information
    • Institutional Information
    • Transaction Information
    • Crypto Information
    • Preferences
    • Blockchain Data
    • Product Usage Information (including Location Information)
    • Additional information you may submit to us

To provide customer support

  • Purpose: To address your request for support on the Websites or by email and to respond to customer care and other inquiries, including providing telephone-based support to Users (who provide their telephone numbers), chat message support, and other social support.
  • Relevant Categories of Information:
    • Basic Customer Information
    • Supplemental Identification Information
    • Transaction Information
    • Product Usage Information (including Location Information)
    • Communications

To send Service communications

  • Purpose: To send you administrative or account-related communications about our Services, which can include security updates or transaction-related information, through email, telephone, or in-product/push notifications.
  • Note: You may not opt-out of receiving critical service communications, such as emails or mobile notifications sent for legal or security purposes.
  • Relevant Categories of Information:
    • Basic Customer Information
    • Product Usage Information
    • Communications
    • Transaction Information

To promote the safety, security, and integrity of our Services

  • Purpose: To verify accounts and related activity, find and address violations of a Zero Hash Group company User Agreement, investigate suspicious activity, detect, prevent and combat harmful or unlawful behavior, detect fraudulent behavior, comply with applicable laws and to maintain the integrity of our Services.
  • Relevant Categories of Information:
    • Basic Customer Information
    • Supplemental Identification Information
    • EIDV Information
    • Financial Information
    • Institutional Information
    • Transaction Information
    • Crypto Information
    • Blockchain Data
    • Product Usage Information
    • Product Usage Information (including Location Information)

To Comply with Legal Obligations

The Services are subject to laws and regulations requiring us to collect, use, and store your personal information in certain ways. If you do not provide the personal information required by law we may have to suspend or close your user account.

How We Use Your Information

To verify your identity

  • Purpose: We are generally required to collect various pieces of personal information to properly identify or verify your identity and comply with other specific anti-money laundering (“AML”) or sanctions laws/regulations (e.g., funds transfer rules).
  • Details: Our verification processes may also involve electronic identification through the comparison of your photo against your provided verification information. All such information is securely maintained by Zero Hash and its service providers, and is only disclosed where required by law.
  • Relevant Categories of Information:
    • Basic Customer Information
    • Supplemental Identification Information
    • EIDV Information

To determine your legal eligibility for certain regulated products

  • Purpose: When you use certain locally regulated products or engage in certain advanced trading activities, we may be required to carry out additional checks to ensure your suitability (e.g., under the European Market Infrastructure Regulation).
  • Relevant Categories of Information:
    • Basic Customer Information
    • Supplemental Identification Information
    • Financial Information
    • Institutional Information
    • Crypto Information

To comply with other legal and regulatory obligations

  • Purpose: We may access, read, preserve, and disclose information when we believe it is reasonably necessary to comply with applicable law, legal obligations, regulations, law enforcement, governmental, and other legal requests, court orders, or for disclosure to tax authorities.
  • Relevant Categories of Information:
    • Basic Customer Information
    • Supplemental Identification Information
    • EIDV Information
    • Financial Information
    • Institutional Information
    • Crypto Information
    • Blockchain Data
    • Transaction Information
    • Product Usage Information
    • Communications Information

Information Used with Your Consent

When we use your information based on your consent, you have the right to withdraw your consent at any time on a go-forward basis (which will not affect our prior use of your data, based on your previously given consent). Please see our Privacy Opt Out or contact Customer Support to make changes to your consent preferences.

How We Use Your Information

To enable device-based settings

  • Purpose: Collecting information that you allow us to receive through the device-based settings you enable (such as access to your location, camera, or photos) which we use to provide the features or services described when you enable the setting.
  • Relevant Categories of Information:
    • App, browser, and device information

To provide marketing communications to you

  • Purpose: To send you targeted marketing communications through email, mobile, or push notifications or by SMS or text message.
  • Relevant Categories of Information:
    • Basic Customer Information
    • Institutional Information
    • Product Usage Information
    • Transaction Information
    • Information from our Marketing Partners
    • Additional information You Provide to Us

Information Used to Protect a Vital Interest

We may use your information from time to time to protect either your or another’s vital interest as described herein:

How We Use Your Information

Preserving, reviewing, and sharing information with law enforcement and others

Purpose: We may preserve, review, and share information with law enforcement and others in circumstances where someone’s vital interests require protection, such as in the case of emergencies. For example, where there is a risk to the well-being or life of a Zero Hash Customer.

Relevant Categories of Information:

  • Basic Customer Information
  • Supplemental Identification Information
  • EIDV Information
  • Financial Information
  • Institutional Information
  • Crypto Information
  • Blockchain Data
  • Transaction Information
  • Product Usage Information
  • Communications Information

Who We Share Your Information With

We share personal information as set out in the following table:

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they comply with Applicable Law and can only use your personal information to provide services to us and to you. We may also share personal information with external auditors (e.g. in relation to ISO accreditation and the audit of our accounts).

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a re-structuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by appropriate confidentiality and data privacy obligations.

How and Where We Store Your Information

Personal information may be held at our offices and those of the Zero Hash Group of companies, at third party service providers (e.g., data storage providers), representatives and agents as described above (see above: “Who We Share Your Personal Information with”). For more information on how we safeguard your personal information, see below: “Keeping Your Personal Information Secure”.

Some of these third party service providers may be based outside the jurisdiction in which it was collected (e.g., European Economic Area). For more information, including on how we safeguard your personal information when this occurs, see below: “International Transfers.”


How Long We Retain Your Personal Information

We will keep your personal information while you have an account with us or while we are providing our Services to you. Thereafter, we will keep your personal information for as long as is necessary:

  • To respond to any questions, complaints or claims made by you or on your behalf;
  • To show that we treated you fairly.
  • To keep records required by law.

We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information. When it is no longer necessary to retain your personal information, we will delete or anonymize it.

International Transfer

It is sometimes necessary for us to transfer your personal data to other countries. The identity of the data controller of the personal information we hold about you will depend on which Zero Hash Group entity you engage with or Service you access, use or receive. Please see Exhibit A for more information on specific international transfers and applicable disclosures applicable to you.

Keeping Your Personal Information Secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We continually test our systems and are ISO 27001 certified, which means we follow top industry standards for information security. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Changes to the Policy

We may change this privacy notice from time to time–when we do, we will inform you via website or other means of contact such as email.

Cookies and other tracking technologies

A cookie is a small text file which is placed onto your device (e.g., computer, smartphone or other electronic device) when you use our website. We use cookies and similar technologies (e.g., web beacons, gifs, etc.) on our website. These tools help us recognize you and your device and store some information about your preferences or past actions. We use these cookies for necessary purposes to ensure legitimate access to our Website and Services, and to ensure the Website and Services are functioning and performing properly.

Access and Correction

You may have the right to request access to and the correction of your personal information at any time, subject to the Applicable Law. You may request access to or the correction of your personal information by reaching out to us using the details set out below under “How to Contact Us”.

Any request for information must be as specific as possible so we can accommodate the request. We may ask you to put your request in writing. We will respond to your request as quickly as reasonably possible or as required by Applicable Law – typically within 30 days for access or correction. If you request is refused for any reason, we will give you a written notice with the reasons why your request has been refused and your options in respect of our decision.

How to Contact Us

Please contact us by email or post if you have any questions or concerns about this Privacy Policy or the information we hold about you.

Our contact details are shown below:

Contact MethodContact
Contact Number+1 (855) 744-7333
Contact Email[email protected]
[email protected]

Exhibit A: Additional Jurisdictional Notifications & Disclosures

European Union and the United Kingdom

Your Rights Under the GDPR

  1. You generally have the following rights in respect of your Personal Information. If you wish to exercise any of the rights set out above, please contact us.
    1. Right to Access: The right to be provided with a copy of your personal information (the right of access).
    2. Right to Rectification: The right to require us to correct any mistakes in your personal information.
    3. Right to be Forgotten: The right to require us to delete your personal information—in certain situations.
    4. Right to Restriction of Processing: The right to require us to restrict processing of your personal information—in certain circumstances, e.g., if you contest the accuracy of the data.
    5. Right to Data Portability: The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations.
    6. Right to Object:
      1. At any time to your personal information being processed for direct marketing (including profiling).
      2. In certain other situations to our continued processing of your personal information, e.g., processing carried out for the purpose of our legitimate interests.
    7. Right Not to be Subject to Automated Individual Decision-Making: The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
  2. Transferring Your Personal Information out of the UK and/or EEA
    1. To deliver services to you, it is sometimes necessary for us to share your personal information outside the EEA and/or the UK, e.g.:
      1. With our Zero Hash Group offices outside the EEA;
      2. With your and our service providers located outside the EEA;
      3. If you are based outside the EEA; or
      4. Where there is an international dimension to the services we are providing to you.
    2. Under UK and EU data protection laws, we can only transfer your personal data to a country outside the UK and/or EEA where:
      1. In the case of transfers subject to UK data protection law, the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an '“adequacy regulation”’). A list of countries the UK currently has adequacy regulations in relation to is available here. We rely on adequacy regulations for transfers to the following countries: EEA countries.
      2. In the case of transfers subject to EU data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an '“adequacy decision”’). A list of countries the European Commission has currently made adequacy decisions in relation to is available here. We rely on adequacy decisions for transfers to the following countries: the UK.
      3. There are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you, or
      4. A specific exception applies under relevant data protection law.
    3. These non-EEA countries do not have the same data protection laws as the United Kingdom and EEA. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. Our standard practice is to use standard data protection contract clauses that have been approved by the European Commission and/or the UK’s Information Commissioner Office (as applicable).
      If you would like further information, please contact our Data Protection Office (see “How To Contact Us” above).
  3. How to File a Complaint
    1. We hope that we can resolve any query or concern you raise about our use of your information. However, the GDPR also gives you right to lodge a complaint with the supervisory authority.
    2. For the UK, this is the Information Commissioner, who may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.
    3. For the EEA, this will be the relevant authority in the EEA state of your habitual residence, place of work or of an alleged infringement of data protection laws in the EEA. For a list of EEA data protection supervisory authorities and their contact details see here.

California (USA)

You have the right under the California Consumer Privacy Act of 2018 (CCPA) and certain other privacy and data protection laws, as applicable, to exercise free of charge:

Disclosure of Personal Information We Collect About You

You have the right to know:

  • The categories of personal information we have collected about you;
  • The categories of sources from which the personal information is collected;
  • Our business or commercial purpose for collecting or selling personal information;
  • The categories of third parties with whom we share personal information, if any; and
  • The specific pieces of personal information we have collected about you.

Please note that we are not required to:

  • Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
  • Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or
  • Provide the personal information to you more than twice in a 12-month period.

Personal Information Sold or Used for a Business Purpose

In connection with any personal information we may sell or disclose to a third party for a business purpose, you have the right to know:

  • The categories of personal information about you that we sold and the categories of third parties to whom the personal information was sold; and
  • The categories of personal information that we disclosed about you for a business purpose.

You have the right under the California Consumer Privacy Act of 2018 (CCPA) and certain other privacy and data protection laws, as applicable, to opt-out of the sale [or disclosure] of your personal information. If you exercise your right to opt-out of the sale [or disclosure] of your personal information, we will refrain from selling your personal information, unless you subsequently provide express authorization for the sale of your personal information. To opt-out of the sale [or disclosure] of your personal information, visit our homepage and click on the Do Not Sell My Personal Information link here.

Right to Deletion

Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:

  • Delete your personal information from our records; and
  • Direct any service providers to delete your personal information from their records.

Please note that we may not delete your personal information if it is necessary to:

  • Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
  • Debug to identify and repair errors that impair existing intended functionality;
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
  • Comply with the California Electronic Communications Privacy Act;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
  • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
  • Comply with an existing legal obligation; or
  • Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

Protection Against Discrimination

You have the right to not be discriminated against by us because you exercised any of your rights under the CCPA. This means we cannot, among other things:

  • Deny goods or services to you;
  • Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • Provide a different level or quality of goods or services to you; or
  • Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Please note that we may charge a different price or rate or provide a different level or quality of [goods and/or services] to you if that difference is reasonably related to the value provided to our business by your personal information.

Brazil LGPD Statement

Updated: Feb/2023

This statement (“Statement”) is part of the Zero Hash Privacy Policy and is applicable to customers, users, or clients of Zero Hash Brazil Limitada (“Zero Hash” or “Zero Hash Brazil” herein this Section III), a limited company enrolled with the CNPJ No. 46.534.916/0001-22, with its head office at Avenida Brigadeiro Luis Antonio, 300, 10th floor, conjunto 104, in the city of São Paulo, state of São Paulo, CEP 01318-903, which is an affiliate of Zero Hash Holdings Ltd, a US based company.

The purpose of this statement is to illustrate Zero Hash's commitment to processing data in accordance with its responsibilities under the Law No. 13,709 of August 14th, 2018 - General Data Protection Law (“LGPD”). Zero Hash is committed to protecting the privacy and security of your personal data. The information you share with Zero Hash Brazil and its affiliates worldwide (the “Zero Hash Group”) allows Zero Hash to provide you the best experience with our products and services. Zero Hash has implemented a privacy program to protect all personal data collected and to help Zero Hash properly handle your personal data.

This Statement explains our specific privacy practices in Brazil. Please read this notice together with the Zero Hash Privacy Policy to understand how Zero Hash collects and uses your personal data. Should any terms conflict, the terms of this Statement shall control.

If you do not agree with the practices or policies described in this Statement or the Zero Hash Privacy Policy, we ask that you discontinue use of our website or other services. Likewise, both this Statement and Zero Hash Holdings Privacy Policy may change from time to time and your continued use will be deemed to be acceptance of such changes.

Definitions

  • Anonymization: Refers to the process of using reasonable and available technical means to render data unable to be directly or indirectly associated with an individual.
  • Anonymized data: Data that has undergone the anonymization process, resulting in information that can no longer be linked to an identifiable individual, considering the use of reasonable and available technical means.
  • ANPD: The National Data Protection Authority, responsible for ensuring the protection of personal data and for regulating, implementing, and supervising compliance with the LGPD (Lei Geral de Proteção de Dados) in Brazil.
  • Blocking: Temporary suspension of any processing operation, achieved by retaining the personal data or the database.
  • Consent: Freely given, specific, informed, and unambiguous indication of the data subject's wishes, signifying agreement to the processing of personal data relating to them.
  • Controller: A natural person or legal entity, public or private, that determines the purposes and means of processing personal data.
  • Data Protection Officer: A person appointed by a company to serve as a liaison between the controller, data subjects, and the National Data Protection Authority (ANPD).
  • Data subject: Any natural person to whom personal data refers, including individuals such as customers, prospects, employees, and contact persons.
  • Database: A structured set of personal data, stored in one or multiple locations, in electronic or physical form.
  • Deletion: The removal of data or a set of data stored in a database, regardless of the method used.
  • International transfer of data: The movement of personal data to a foreign country or international organization, of which the country is a member.
  • Operator (or Processor): A natural person or legal entity, public or private, that processes personal data on behalf of the controller.
  • Personal data: Any information relating to an identified or identifiable natural person (data subject).
  • Processing: Any operation or set of operations performed on personal data, including collection, use, access, transmission, storage, evaluation, or deletion.
  • Processing Agents: Refers to both the controller and the operator (or processor) involved in the processing of personal data.
  • Research body/entity: A public or private legal entity, organized under Brazilian law, engaged in basic or applied research of historical, scientific, technological, or statistical nature.
  • Sensitive personal data: Personal data concerning racial or ethnic origin, religious belief, political opinion, trade union membership, health, sex life, genetic, or biometric data.
  • Shared use of data: Communication, dissemination, international transfer, or shared processing of personal data by public and private entities, in compliance with legal powers and specific authorizations.
  • Third Party: A natural or legal person, public authority, agency, or body other than the data subject, controller, or processor, authorized to process personal data under the direction of the controller or processor.

Lawful Purpose of Processing

All data processed by Zero Hash will be done in accordance with the lawful bases provided by Article 5 of LGPD:

  • With your consent¹. Zero Hash will seek consent before using your personal data for commercial purposes, especially when/if the processing involves sensitive personal data. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent will be kept with your personal data.
  • For compliance with legal or regulatory obligations by the controller.
  • For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data.
  • When necessary for the execution of a contract, agreement or preliminary procedures related to a contract of which you are a party³.
  • For the regular exercise of rights in judicial, administrative or arbitration procedures.
  • For the protection of life or physical safety of you or a third party, if applicable.
  • When necessary to fulfill our legitimate interests controller or of a third party, except when your fundamental rights and liberties which require personal data protection prevail.¹
  • For the protection of credit, including as provided in specific legislation.

¹ If we process information based on your consent, you may withdraw such consent at any time, through a free and facilitated procedure. Please contact the Data Protection Officer outlined below to withdraw your consent.

Where communications are sent to you based on your previous consent, the option to revoke your consent (unsubscribe) should be clearly available and systems should be in place to ensure such unsubscription is reflected accurately in Zero Hash’s systems.

² Note that Zero Hash gathers and processes personal data to fulfill its anti-money laundering and know your customer obligations, open and manage your account, and track and monitor account activity. Besides being a regulatory obligation, Zero Hash has determined these activities to be in its legitimate business interest.

³ Zero Hash also processes your personal data in furtherance of the User Agreement you have entered with Zero Hash, including when onboarding you as a customer, funding your account, processing your orders, facilitating transactions, and processing withdrawals. Zero Hash may share your personal data between its affiliated entities, in Brazil or abroad, or with Third Parties, also both in Brazil or abroad, to facilitate these actions, which are necessary in furtherance of your agreement(s) with Zero Hash.

Zero Hash will take reasonable steps to ensure personal data is accurate, so that, where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date, in accordance with the principle of quality of data.

The Data We Collect

Zero Hash collects the data as described in the item “3. Personal Information We Collect About You” of the Zero Hash Privacy Policy, such as, but no limited to:

  • Identifying Information, including names, government issued identification, Taxpayer ID number, passport numbers, birth dates, addresses, telephone number, e-mail address, occupation and all other background information necessary for AML/KYC requirements, including a copy of your ID.
  • Financial Information, including bank account number(s), transaction history, net worth, account balances, assets and liabilities, wallet address.
  • Account Authenticating Information, including hashed representations of account passwords, PINs, and account recovery information.
  • Biometric information generated based on photos or videos you provide to verify your identity
  • Technical data such as IP address and device fingerprinting.
  • Compliance and reputational data, such as news and media search, sanctions and PEP screenings.
  • Personal Data does not include generic email address or general business information that is not linked to an individual.

How We Collect Your Data

We collect this personal information directly from you – from in person contact, telephone, text, email, text or messaging service, or via our website. However, we may also collect information:

  • Automatically via our IT systems or automatic electronic record capture and retention methods (e.g., logs, system files, electronic usage trackers, or cookies)
  • From publicly accessible sources (e.g., property records);
  • Directly from a third party (e.g., sanctions screening providers, credit reporting agencies, or customer due diligence providers);
  • From a third party with your consent (e.g., your bank or platform provider);

Zero Hash may also receive your data indirectly from vendors and third parties when conducting “know your customer” background checks or confirming the personal information you have provided. We only collect information that is reasonably necessary to fulfill the identified purpose. Although you access our services through an application provided by a platform based in Brazil, the data is processed in the United States given that Zero Hash Brazil is a affiliate of a US based company that uses the systems based in the US.

How We Will Use Your Data

Zero Hash will use your data:

  • To properly identify you.
  • To manage your account(s) with Zero Hash.
  • To determine your eligibility for products and services and the products and services of companies with whom we are affiliated.
  • To respond to questions, requests, or concerns regarding the products and services provided by Zero Hash.
  • To process your orders related to the digital asset trading/custody/settlement/account servicing and related services contracted for.
  • To communicate with you and email you with offers on other products and services we think you might like and inform you about the products and services we provide.
  • To recruit for positions at Zero Hash.
  • To investigate legal claims.
  • To detect suspicious activities and protect against fraud, money laundering and other illicit activities.
  • To administer Zero Hash websites and any Zero Hash software applications.
  • For such purposes for which Zero Hash may obtain your consent from time to time.
  • For such other uses as may be permitted or required by law.

Your data may also be anonymized or aggregated to enable Zero Hash to manage its business, develop statistical information, test our performance, or develop products. Anonymized and/or aggregated data will not identify you. Zero Hash does not sell your Personal Data or information.

Sharing Data With Third Parties

Zero Hash may share your Personal Data with Third Parties, both within your jurisdiction and abroad:

  • To provide and support Zero Hash's products and services. For example, Zero Hash may submit your information to credit bureaus or KYC vendors for identification purposes.
  • To comply with legal obligations, such as responding to regulatory or criminal investigations or mandatory reporting to our regulators.
  • To protect you from fraud, abuse, or illegal activity. In such cases, Zero Hash may disclose your information to an appropriate governmental authority or next of kin to prevent illegal or fraudulent activity in your account.
  • If, in our best judgment, we believe someone is seeking your information as your agent, with your consent, or if otherwise permitted by law.
  • Any other situation or purpose for which Zero Hash obtains your consent to share, as described in the Zero Hash Privacy Policy.

Please note that Zero Hash Brazil, in accordance with LGPD and other Data Protection laws applicable to the Zero Hash Group, has the right to share your personal data without your consent with any national/federal, state, local and international legal, governmental and regulatory entities, authorities and officials in order to cooperate with any investigation or governmental, legal or regulatory proceeding relating to any information collected and/or website content or to any purported unlawful activities of any visitor.

How We Protect Your Data

Zero Hash has many processes and controls in place to protect your personal data. Controls include limiting access to private data and confidential information to authorized employees, service providers, representatives, or agents who have all been made aware of the importance of keeping your information confidential. That is, Zero Hash only allows access to confidential information on a need-to-know basis and appropriate security will be in place to avoid unauthorized sharing of information.

Additionally, Zero Hash uses safeguards that are consistent with the industry standard, including firewalls, data encryption, physical access controls, appropriate back-up and disaster recovery solutions. As stated above, Zero Hash Brazil is an affiliate of a US based company and may store your personal data both in Brazil and in the United States. Data transfers are carried out in accordance with applicable laws and regulations, and transfers to another jurisdiction will also be subject to the laws of the jurisdiction where the data is held.

In the event of a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, Zero Hash shall promptly assess the risk to people’s rights and freedoms and report the breach, if applicable, to the impacted individual(s) and the ANPD, within the deadline and format defined by the ANPD.

Retention and Deletion

According to LGPD, personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, but the storage is authorized for the following purposes:

  1. Compliance with a legal or regulatory obligation by the controller.
  2. Study by a research entity, ensuring, whenever possible, the anonymization of the personal data.
  3. Transfer to third parties, provided that the requirements for data processing as provided in the Law are obeyed
  4. Exclusive use of the controller, with access by third parties being prohibited, and provided the data has been anonymized.

To ensure that personal data is kept for no longer than necessary, Zero Hash adopts a records retention policy for each area in which personal data is processed and reviews this process periodically.

The records retention policy considers what data should/must be retained, for how long, and why. Your data is only retained for as long as reasonably necessary to fulfill the purpose for which it was collected. Your data will be destroyed or de-identified once no longer necessary or required to be stored by law. When personal data is deleted this must be done safely such that the data is irrecoverable.

Zero Hash Brazil is required by regulators to keep and maintain much of your personal data for prescribed periods from 5 (five) to 10 (ten) years, this last one to comply with AML requirements provided by the Central Bank of Brazil.

Some of your personal data may be deleted prior to the expiration of the above period, if such deletion is permitted by the local laws and regulations.

Marketing

Zero Hash would like to send you information about products and services of ours that we think you might like. If you have agreed to receive marketing, you may opt out at a later date.

You have the right at any time to stop Zero Hash from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, you can unsubscribe through the link available in the communication or submit a request to our data privacy officer through the email: [email protected].

Your Data Protection Rights

  • Confirmation of the existence of treatment: In response to this request, we will inform you if we process your Personal Data or not. Note that, if you are an User of our website or any of our services, we necessarily process your Personal Data, as explained in this Statement and in the Zero Hash Privacy Policy.
  • The right to access - You have the right to request, free of charge, a copy of your personal data that is processed by us.
  • The right to rectification: If you consider that your personal data is incomplete, inaccurate or outdated, you can request the rectification, indicating what needs to be changed and why. It is possible that we request a proof or supporting document to make this change.
  • The right to anonymization, blocking or erasure: If you consider that we are processing your Personal Data in an unnecessary and excessive manner or in breach of the LGPD, you can request that the Personal Data be anonymized, blocked or erased, under certain conditions.
  • The right to data portability: You can request the transfer of your Personal Data to another service or product supplier, by the means of an express request, pursuant with the regulations of the national authority, and subject to commercial and industrial secrets. The portability does not include data that has already been anonymized.
  • The right to deletion: You can request deletion of your personal data processed on the basis of your consent, except in the events of retention of Personal Data prescribed by law.
  • The right to obtain information about:
    • Public and private entities with which we share your Personal Data.
    • The possibility of denying consent and the consequences of such denial, when the consent is used as legal basis for processing of personal data.
  • The right to Withdraw your consent: If your personal data is processed based on your consent, you can withdraw this consent. With that, any processing of your data that is made based on consent will be interrupted. Please note that we may not be able to offer our services or features of the services without your consent.
  • Request the revision of decisions taken based on automated processes: It is possible that decisions are taken based on automated processing of your Personal Data. You have the right to request the review of such decisions that affect your interests, including decisions aimed at defining your personal, professional, consumption and credit profile.
  • Right to lodge a complaint before the ANPD.

Cookies

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology. You may refuse to accept browser cookies by activating the appropriate setting on your browser. Check the cookies settings information available in the Zero Hash Privacy Policy.

For further information about cookies visit the ANPD Orientation Guide here.

Minors

In the event that our products or services are made available to minors and the processing of personal data of children and teenagers under the age of 18 years old is necessary, it will be necessarily carried out with the specific and prominent parental (or legal guardian) consent. Measures to verify and validate the parent’s or legal guardian identity will also be applied.

Changes to Our Privacy Policy

Zero Hash keeps its Statement and the Zero Hash Holdings Privacy Policy under regular review and will place any updates on this web page. Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.

Contact Information

Our Data Protection Officer is available through the email: [email protected]

Contact us if you have any questions or comments regarding this Statement, the Zero Hash Privacy Policy or our privacy practices.

You can find more information about the LGPD here.