Privacy policy for Clients

1. The data controller of your personal data is Match2Pay UAB based in Vilnius, Lvivo st. 25, Office No. 527, Vilnius, Lithuania, company no. 306063423 (hereinafter the “Data Controller”).
2. The data controller has appointed a Data Protection Officer (Mr. Krzysztof Teofilski). You can contact the Data Protection Officer by e-mail: privacy@match2pay.com.
3. Your personal data will be processed for the purpose of concluding and performing the agreement executed with the Data Controller as well as fulfilling the Data Controller’s obligations resulting from the status of an entity conducting virtual currency exchange and deposit services, in particular obligations arising from the counteracting money laundering and terrorism financing applicable law. Your personal data will also be processed in order to implement the legitimate interests of the Data Controller, such as making necessary settlements and pursuing claims arising from the executed agreement, security, counteracting fraud and direct marketing of the Data Controller.
4. Data processing for purposes other than the above may take place: (i) based on obtaining additional consent, (ii) based on applicable law, or (iii) when it is consistent with the purpose for which the personal data were originally collected (Article 6 Section 4 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter the “GDPR”).
5. The legal basis for the processing of your personal data is:
   a) to the extent that data processing is necessary to perform the agreement and to take actions before its conclusion – Art. 6 Section 1 Letter b of the GDPR);
   b) to the extent that data processing is necessary for the Data Controller to fulfill its legal obligations as an entity conducting virtual currency exchange and deposit services, in particular informing financial supervision authorities and financial information authorities about the services provided and transactions performed, verification and identification the Client’s identity and ongoing monitoring of economic relations – Art. 6 Section 1 Letter c of the GDPR;
   c) to the extent that data processing is necessary to achieve the purposes arising from the legitimate interests of the Data Controller, such as making necessary settlements and pursuing claims arising from the concluded agreement, security, counteracting fraud or direct marketing of the Data Controller – Art. 6 Section 1 Letter f of the GDPR.
6. You have the right to access your personal data, the right to rectify and delete it, as well as the right to limit data processing. To the extent that processing is necessary to perform the agreement to which you are a party or to take action at your request before concluding it (Article 6 Section 1 Letter b of the GDPR), you also have the right data transfer. If you believe that your data is processed contrary to legal requirements, you may lodge a complaint with the competent supervisory authority, which in Lithuania is the State Data Protection Inspectorate.
7. Providing personal data is voluntary, but necessary to conclude the agreement and use the Data Controller services. Failure to provide the personal data will result in refusal to conclude the agreement.
8. Your personal data may be transferred to the following categories of recipients: banks, payment institutions, virtual asset service providers, companies from the capital group to which the Data Controller belongs, postal operators, supervisory authorities, financial information authorities, , suppliers of tools and platform software used to handle transactions and financial operations performed in the course of the implementation of the agreement, as well as to send commercial information by electronic means of communication, legal advisors and entities providing servers and storing data.
9. In the case of transferring personal data to third countries, i.e. to recipients based outside the European Economic Area or Switzerland, in countries that, according to the European Commission, do not ensure sufficient data protection (third countries that do not ensure an adequate level of protection), the Data Controller transfers them using mechanisms in accordance with applicable law, which include, among others EU Standard Contractual Clauses.
10. Your personal data will be stored for the duration of the agreement, as well as after its termination, for a period of 5 years, counting from the first day of the year following the year in which the economic relationship with the client ended or until the limitation period for claims arising from legal provisions expires. Data included in the results of assessments of economic relations will be processed for a period of 5 years, counting from the first day of the year following the year in which they were passed. The above data storage periods may be extended if required by the relevant supervisory authority. To the extent that data processing is based on the legitimate interest of the Data Controller, the personal data will be processed for the time necessary for its implementation (in particular until the limitation period for claims under applicable law), but no longer than until the objection is deemed justified by your particular situation, and if the legally justified interest is the Data Controller’s direct marketing – until you express your objection.
11. To the extent that personal data is processed for the Data Controller’s direct marketing purposes, you have the right to object to data processing, which does not require justification. If the processing is based on other legitimate interests of the Data Controller, exercising your right to object requires justification by your special situation.
12. You will not be subject to a decision that is based solely on automated processing, including profiling, and produces legal effects concerning you or similarly significantly affects you.