Privacy Policy

Privacy Policy

Privacy Policy of CFX Labs Inc.

Effective as of: August 16, 2023

This Privacy Policy governs your access and use of this website, our application(s), and any other services provided by CFX Labs Inc. (collectively, the "Application"). The Application collects some Personal Data from its Users.

Users may be subject to different protection standards and broader standards may therefore apply to some. In order to learn more about the protection criteria, Users can refer to the applicability section.

This document can be printed for reference by using the print command in the settings of any browser.

Owner and Data Controller

CFX Labs Inc.

2045 W Grand Ave, Ste B, PMB 71816, Chicago, IL 60612-1577

Owner contact email: hello@cfxlabs.com

Types of Data collected

Data Provided by a User

Users may provide certain Data as part of the use or access to this Application, including as part of Account registration, payment processing, and direct communications, as further described below.

• Account Registration:  In order to create an Account for use of this Application, Users will need to provide certain Personal Data, including as necessary for KYC Verification (as defined in our Terms of Use), compliance with laws relating to anti-money laundering, anti-corruption, and anti-terrorism. This Personal Data may include, but is not limited to, a User’s name, date of birth, age, nationality, residential address, email address, phone number, country of residence, gender, social security number, and other government-issued ID information.
• Financial Data: In order for Users to conduct transactions using this Application, the Owner may collect certain financial Data to enable these transactions. This Data may include, but is not limited to, a User’s bank account number, digital wallet address, credit/debit card numbers, and bank statements. Additionally, the Owner may collect Data about the transactions Users make while using this Application, including, but not limited to, the source of funds, sender and receiver information, and the amount of the transactions.
• Direct Communications: If a User chooses to contact the Owner directly, such as to learn more about this Application or to request customer support, the Owner may collect Data about such correspondence, including, but not limited to, the User’s name, email address, phone number, and mailing address.
• Other Data: The Owner may also collect any other Data that a User chooses to provide as part of this Application, including, but not limited to, information a User provides in order to give feedback, subscribe to newsletters or other publication, take part in surveys or promotions, or to submit applications for employment. If you use this Application on your mobile device, we also may collect mobile device information like operating system and hardware type, numbers or codes that are unique to your particular device, device information, default device language, the location of your device, and app usage information.

Data Collected Automatically

Usage Data and Trackers may be collected automatically through a User’s use of or access to this Application. For further information on Trackers, please refer to the Cookie Policy. If you have enabled location services on your phone, tablet, or other mobile device, we may collect your location information including for the purpose of verifying whether you are eligible to participate in certain services or other offerings.

Data Collected from Other Sources

Data about a User may be obtained from third party sources, such as credit bureaus, ID verification partners, third party service providers, and Data on the blockchain. Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service. Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner. Users are responsible for any third-party Personal Data obtained, published or shared through this Application and confirm that they have the third party's consent to provide the Data to the Owner.

Mode and place of processing the Data

Methods of processing

The Owner incorporates commercially reasonable safeguards to help protect and secure Personal Data. However, no data transmission over the Internet, mobile networks, wireless transmission, or electronic storage of information can be guaranteed 100% secure. As a result, the Owner cannot guarantee or warrant the security of any information Users transmit to or from this Application, and Users provide the Owner with User Data at the Users’ own risk. If Users have any questions about security on this Application or if a User becomes aware of any unauthorized use of an Account or suspects a security breach, notify the Owner immediately via email at hello@cfxlabs.com. If the Owner’s security system is breached, the Owner will notify Users of the breach only if and to the extent required under applicable law. The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of this Application (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Owner at any time.

Legal basis of processing‍

The Owner may process Personal Data relating to Users if one of the following applies:

• Users have given their consent for one or more specific purposes. Note: Under some legislations the Owner may be allowed to process Personal Data until the User objects to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases. This, however, does not apply, whenever the processing of Personal Data is subject to European data protection law;
• provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
• processing is necessary for compliance with a legal obligation to which the Owner is subject;
• processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Owner;
• processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party.

In any case, the Owner will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

Place

The Data is processed at the Owner's operating offices and in any other places where the parties involved in the processing are located. Depending on the User's location, data transfers may involve transferring the User's Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data. If broader protection standards are applicable, Users are also entitled to learn about the legal basis of Data transfers to a country outside the European Union or to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data.

If any such transfer takes place, Users can find out more by checking the relevant sections of this document or inquire with the Owner using the information provided in the contact section.

Retention time

Personal Data shall be processed and stored for as long as required by the purpose they have been collected for.

Therefore:

• Personal Data collected for purposes related to the performance of a contract between the Owner and the User shall be retained until such contract has been fully performed.
• Personal Data collected for the purposes of the Owner’s legitimate interests shall be retained as long as needed to fulfill such purposes. Users may find specific information regarding the legitimate interests pursued by the Owner within the relevant sections of this document or by contacting the Owner.

The Owner may be allowed to retain Personal Data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn. Furthermore, the Owner may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.

Once the retention period expires, Personal Data shall be deleted. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

The purposes of processing

The Data concerning the User is collected to allow the Owner to provide its Service, comply with its legal obligations, respond to enforcement requests, protect its rights and interests (or those of its Users or third parties), detect any malicious or fraudulent activity, as well as the following: Contacting the User, User database management, remarketing and behavioral targeting, displaying content from external platforms, platform services and hosting and handling payments.

For specific information about the Personal Data used for each purpose, the User may refer to the section “Detailed information on the processing of Personal Data”.

Detailed information on the processing of Personal Data

Personal Data is collected for the following purposes and using the following services:

• Contacting the User
• Displaying content from external platforms
• Handling payments
• Platform services and hosting
• Remarketing and behavioral targeting
• User database management

Information on opting out of interest-based advertising

In addition to any opt-out feature provided by any of the services listed in this document, Users may learn more on how to generally opt out of interest-based advertising within the dedicated section of the Cookie Policy.

Sharing of Personal Data

We may share the Personal Data we collect (as described above) in the following situations:

• With other users of this Application, for instance to complete a transaction, enable other users to ensure they are transacting with the correct user.
• With our affiliates in order to fulfill and enhance this Application.
• With service providers, such as financial institutions, payment networks, and other third-party payment processors in order to complete payments to other Users.
• With advertising partners and technology service providers to enable us to run our marketing campaigns and to send you information about this Application or our other products or services.
• With law enforcement or other agencies in response to a request for information if we believe disclosure is in accordance with any applicable law, regulation, or legal process, or as otherwise required by any applicable law, rule, or regulation or otherwise as required by law.
• We may also share aggregated or de-identified information, which cannot reasonably be used to identify you.

THE ABOVE EXCLUDES TEXT MESSAGING ORIGINATOR OPT-IN DATA AND CONSENT; THIS INFORMATION WILL NOT BE SHARED WITH ANY THIRD PARTIES.

Other Disclosures

In the event the Owner is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or a transition of service to another provider, Data may be sold or transferred as part of such transaction, as permitted by law and/or contract. Please note, parts of this Application may be hosted on or interact with the blockchain. Data relating to User transactions will be provided to the applicable blockchain network and may be accessible by third parties due to the nature of the blockchain.

Messaging and Promotional Communications

By using this Application, you agree to receive text messages, including recurring automated promotional and personalized marketing text (e.g., SMS and MMS) messages, to the phone number you provided when creating your Account. Consent to receive automated marketing text messages is not a condition of any purchase. Standard message and data rates may apply.

We may use information you provide us to send you marketing and other information about this Application and our other products and services, including through email and text. You can opt out of receiving these marketing communications at any time. If you decide to opt out, we may still send you non-marketing communications, including via email and text, such as transaction receipts and messages about your account, or our processing of your information in accordance with the provision of this Application. If you choose to opt-out of these non-marketing communications, your use of this Application may be limited.

Third-Party Service Providers

As part of your use of this Application, we may share your Personal Data with third-party service providers in order to complete transactions or process payments. You may be directed from this Application to the website or application of a third-party service provider in order to complete a transaction, in which case your use and access of such third-party services will be subject to their privacy policy. We assume no responsibility for any data you may share or any other interactions you may have with any such third-party service providers, and we recommend you carefully review their terms of use and privacy policies carefully.

Children’s Data

This Application is not directed to children under the age of 13 (or other age as may be required by local law), and the Owner does not knowingly collect Personal Data from children. If you are the parent or guardian of a child under 13 who has provided Data to the Owner, please contact the Owner at hello@cfxlabs.com to request the deletion of that Data.

The rights of Users

Users may exercise certain rights regarding their Data processed by the Owner. Users entitled to broader protection standards may exercise any of the rights described below. In all other cases, Users may inquire with the Owner to find out which rights apply to them.

In particular, Users have the right to do the following:

• Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
• Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
• Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
• Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
• Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
• Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
• Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User's consent, on a contract which the User is part of or on pre-contractual obligations thereof.
• Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

Details about the right to object to processing

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection. Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.

Applicability of broader protection standards

While most provisions of this document concern all Users, some provisions expressly only apply if the processing of Personal Data is subject to broader protection standards.

Such broader protection standards apply when the processing:

• is performed by an Owner based within the EU;
• concerns the Personal Data of Users who are in the EU and is related to the offering of paid or unpaid goods or services, to such Users;
• concerns the Personal Data of Users who are in the EU and allows the Owner to monitor such Users’ behavior taking place in the EU.

DATA PROTECTION RIGHTS UNDER THE GENERAL DATA PROTECTION REGULATION (GDPR)

‍If a User is a resident of or located within the European Economic Area (EEA), Switzerland or the UK, that User has certain additional data protection rights. These rights include:

• The right to access, update or delete the User’s Data. Whenever made possible, a User can access, update or request deletion of the User’s Data directly within the User’s Account settings section.
• The right of rectification. A User has the right to have the User’s Data rectified if that Data is inaccurate or incomplete.
• The right to object. A User has the right to object to the Owner’s processing of the User’s Data.
• The right of restriction. A User has the right to request that the Owner restrict the processing of the User’s Data.
• The right to data portability. A User has the right to be provided with a copy of the Data the Owner has on the User in a structured, machine-readable and commonly used format.
• The right to withdraw consent. A User also has the right to withdraw consent at any time where the Owner relied on the User’s consent to process the User’s Data.

To exercise any of the above rights, please contact the Owner at hello@cfxlabs.com. In order to comply with such requests, the Owner may require additional information from the User in order to confirm the User’s identity. Should a User wish to raise a concern about the use of the User’s Data (and without prejudice to any other rights the User may have), the User has the right to do so with the User’s local supervisory authority; however, the Owner hopes to assist with any queries or concerns Users may have about the Owner’s use of Data first.

For more information, please contact the applicable local data protection authority.

Legal Basis for Processing Personal Information Under GDPR

The Owner’s legal basis for collecting and using the Data described in this privacy policy depends on the Data collected and the specific context in which the Data has been collected.

The Owner may process Data because:

• The Owner needs to perform a contract with a User;
• A User has given the Owner permission to do so;
• The processing is in the Owner’s legitimate interests and it is not overridden by the User’s rights; or
• To comply with the law.

Transfer of Information

Data, including Personal Data, may be transferred to – and maintained on – computers located outside of a User’s state, province, country or other governmental jurisdiction where the data protection laws may differ from those of the User’s jurisdiction. If a User is located outside the United States and chooses to provide Data to the Owner, please note that the Owner transfers the Data to the United States and processes it there. A User’s consent to this privacy policy followed by the User’s submission of such Data represents the User’s agreement to that transfer. The Owner will take all the steps reasonably necessary to ensure that a User’s Data is treated securely and in accordance with this privacy policy and no transfer of a User’s Data will take place to an organization or a country unless there are adequate controls in place including the security of such Data.

STATE PRIVACY RIGHTS

Under some U.S. state laws, including the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act CPRA), residents may have the following rights:

• Right to Know: The right to request the Personal Data that the Owner collects, uses or discloses and information about the Owner’s data practices;
• Right to Request Deletion: The right to request that the Owner delete the Personal Data the Owner has collected about a User;
• Right to Opt-Out of Data Sales: The right to restrict the sale of a User’s personal information that the Owner has collected to third parties;
• Right to Non-Discrimination: The right to not be discriminated against for exercising any of these rights;
• Right to Correct Information: The right to update or correct the personal information that the Owner collects;
• Right to Limit Use or Disclosure of Sensitive Personal Information: The right to limit the use and disclosure of Sensitive Personal Information (as defined under the CPRA);
• Right to Access Information Related to Automated Decision Making: The right to inquire about the Owner’s logic involved in automated decision-making applied to personal information the Owner collect; and
• Right to Opt-Out of Automated Decision-Making Technology: The right to request a User’s removal from having automated decision-making applied to a User’s personal information that the Owner collects.

To request further information pursuant to a User’s “right to know” or to request deletion of Personal Data pursuant to the User’s “right to request deletion”, please contact us at hello@cfxlabs.com.

The Owner will acknowledge receipt of such request within 10 business days, and provide a substantive response within 45 calendar days, or inform the User of the reason and extension period (up to 90 days) in writing.

Only a User or an authorized agent may make a request related to the User’s Personal Data. Note that to respond to a User’s requests to access or delete Personal Data as outlined in applicable state laws, the Owner must verify the User’s identity.

California’s Shine the Light Law

California Civil Code Section 1798.83 permits California residents to request and obtain a list of what Data (if any) that the Owner disclosed to third parties for direct marketing purposes in the preceding calendar year and the names and addresses of those third parties.  Requests may be made only once a year and are free of charge. Under Section 1798.83, California residents are entitled to request and obtain such information, by e-mailing a request to hello@cfxlabs.com.

US Consumer Privacy Notice

This Consumer Privacy Notice applies to you if you are an individual who resides in the United States and uses the Services for your own personal, family or household purposes.

‍FACTS: The why, what & how of what CFX does with your personal information.

Why?

Companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.

What?

The types of personal information we collect and share depend on how you use our services. This information can include, but is not limited to:

- Name, email address, date of birth, country of residence, gender, social security number, passport number, or driver’s license number

- Bank account information, trading data, or transaction history

- Digital wallet address and transactions

How?

Companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons companies can share their customers’ personal information; the reasons CFX chooses to share; and whether you can limit this sharing.

Reasons we share your personal information

‍For our everyday business purposes – such as to process your transactions, maintain your Account(s), respond to regulators, financial institutions, court orders and legal investigations, or report to credit bureaus.

For our affiliates’ everyday business purposes – to enable our affiliates to fulfill and process your transactions, as necessary.

For our marketing purposes – to offer our products and services to you.

We do not share your personal information:

• For joint marketing with other companies

• For our affiliates to market their products to you

• For our non-affiliates to market their products to you

Contact us at: hello@cfxlabs.com

Who we are

Who is providing this privacy notice?

CFX Labs Inc.

What we do

How does CFX protect my personal information?

To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.

How does CFX collect my personal information?

We collect your personal information, for example, when you:

- Create an Account

- Place or complete an order or transaction using the Services

- Use your debit or credit card or any other permissible payment method to purchase or sell digital currency

Why can’t I limit all sharing?

Federal law gives you the right to limit only:

- Sharing for affiliates’ everyday business purposes—information about your creditworthiness

- Affiliates from using your information to market to you

- Sharing for non-affiliates to market to you

State laws and individual companies may give you additional rights to limit sharing.