Privacy Notice

Last updated: 29 April, 2024

Intro

IOOI Sp. z O.O (“Inqud” or “we”) welcomes you. This Privacy Notice (“Privacy Notice”) applies to our Website inqud.com and web-based platform app.inqud.com, including crypto widgets (collectively, the “Service”).

The Privacy Notice describes which of your personal data Inqud collects, how we store, process, and use it, and what happens when you use the Service.

Content

About us

About you

Personal data

        Sources of data

        Lawful bases for processing

        Visitors’ data

        Registration data

        General technical data

        Account

        Usage data

        Payment page

        Crypto exchange process

        Notification and marketing

        Report and customer support

        Data received from third parties

Data sharing with third parties

Data transfer outside the European Economic Area

Data protection

Data subjects rights

         European Economic Area residents

Cookies

Privacy Notice updates

About us

We are the controller of your personal data processed through the Service. This means that we determine the purposes and means of personal data processing. Please note that you may fall into several categories depending on your actions.

Name | IOOI Sp. z O.O
Registration number | 525273421
Address | Gęsia 8/205, 31-535 Kraków, Polska
Email | [email protected] – for general and privacy inquiries

About you

When you visit the Service, you become our user (“User”). We divide the Users into categories so you can easily find details about the processing of your personal data.

Type of User | Description
Visitor | User who visits the Website
User | User who registers with the Service
Merchant | User who registers and uses a Business account
Other Requester | User who fills out the “Contact us” form on another topic

Please note! We do not knowingly process the personal data of Users under the age of 18. If you are such a User or the legal representative of such a User, please contact us.

Personal data

Sources of data

We receive your data when you visit the Service and interact with it, depending on your actions on the Service. 

You can change your personal data by exercising your right to rectification or through the Service functionality. Please note that the same lawful basis and storage terms apply to the changed data.

We may also (although we do not necessarily do so) receive data from third parties. It depends on your settings and the features you use.

Lawful bases for processing

To process your personal data, we rely on the following lawful bases:

Visitors’ data

When you use the Website as the Visitor, we collect some data automatically. We need technical data to operate, support, and improve the Website’s functionality.

Data | Description | Reasons for processing | Lawful basis
Necessary technical data | Information about your operating system, device type, browser name and version | The smooth operation of the Website | Performance of the contract
Necessary cookies | Information that is necessary for the operation of the Website | Improving your experience of using the Website | Performance of the contract
Marketing cookies | Marketing information used to match relevant advertising to you | Marketing | Consent
Preference cookies | Information necessary for operating some services on the Website | The operation of some services on the Website | Consent
Statistics cookies | Information that helps us to understand how you interact with the Website by collecting and reporting information | Improvement of the Website and analysis of the statistics for other purposes | Consent

Data storage

Necessary technical data | Stored during the use of the Website and for 2 years from the last visit.
Cookies | Stored during the expiry period provided in our Cookie Policy.

Registration data 

When you register an account and start to use our Service, we collect or assign data to enable your access to the Service and its correct operation.

Data
Reasons for processing Lawful basis

Name, surname

Register and fill the account 

Performance of the contract

Email

Phone number

User ID

Company name

Data storage

Data that is processed based on performance of the contract

Stored for 3 years from the last interaction.

General technical data 

This section includes information collected for maintaining and optimising the technical aspects of the service, such as device information, browser details, and session logs. This data helps ensure the smooth functioning and security of the service.

Data | Reasons for processing | Lawful basis
IP | IP address from which the request originated. | Legitimate interest
User Id | Unique identifier for the user. | Performance of a contract
Browser Info | Information about the user's browser. | Performance of a contract
Event ID | Unique identifier for the audit event. | Performance of a contract
Creation Time | Timestamp indicating when the audit event occurred. | Performance of a contract
Action type | Indicates if the audit event is an administrative action. | Legitimate interest
Settings | Indicates if the user associated with the audit event is muted. | Performance of a contract
Event type | Type of audit event (e.g., login, logout, data access). | Performance of a contract
User Agent | User agent information associated with the audit event (e.g., browser, device). | Legitimate interest

Data storage

Data based on performance of the contract | Stored for 3 years from the last interaction.
Data based on legitimate interest | Stored for 3 years from the last interaction, if you do not object.

Account data 

Account data consists of information related to user accounts, including registration details, authentication records, and account preferences. This data is essential for user access and customization of the service.

Data | Reasons for processing | Lawful basis
AML status | Indicates if AML (Anti-Money Laundering) is enabled for the user’s transactions. | Legal obligation
Company Name | Name of the company associated with the user. | Performance of a contract
Creation time | Timestamp indicating when the user account was created. | Performance of a contract
Email | Email address of the user. | Performance of a contract
Name and surname | Name of the user. | Legitimate interest
Group Id | Identifier for the group associated with the user. | Performance of a contract
Locale | Locale settings for the user. | Legitimate interest
Timestamp | Timestamp indicating when the user account was last modified. | Legal obligation
OIDC Provider | OpenID Connect (OIDC) provider type associated with the user. | Performance of a contract
Password hash | Password associated with the user. | Performance of a contract
Phone | Phone number associated with the user. | Performance of a contract
Referral data | Referral code associated with the user. Identifier for the user who referred this user. | Legitimate interest
UserType | Type of user account. | Performance of a contract
Verification Level | Level of verification for the user. | Legal obligation

Data storage

Data based on legal obligation | Stored for 6 years from the collection.
Data based on performance of the contract | Stored for 3 years from the last interaction.

Usage data

Usage data encompasses information about how users interact with the service, including pages visited, actions performed, and duration of sessions. This data aids in understanding user behaviour and improving the service based on usage patterns.

Data

Reasons for processing

Lawful basis

Password_log

Password-related actions: password forgotten, changed, incorrect login attempt, and attempts counter reset.

Performance of the contract

Email_log

Password-related actions: password forgotten, changed, incorrect login attempt, and attempts counter reset.

Account status

Account security actions: temporary freezing, blocking, excessive login attempts, and unblocking.

API status

API token management: creation, deletion, activation, and deactivation.

2FA

Two-factor authentication (2FA) events: activation, deactivation, and incorrect TOTP entry.

Verification status

Account verification and completion: confirmation of signup, phone verification, and completion of KYC process.

History of changes

Account profile updates: changes in user type or role, and updates to associated names.

Data storage

Data based on performance of a contract

Stored for 3 years from the end of service usage.

Payment page

This section pertains to data collected during the payment process, such as transaction details, payment method used, and billing information. It is crucial for facilitating secure and efficient payment transactions.

Data

Reasons for processing

Lawful basis

User Id

Unique identifier for the user.

Legal obligation

Creation Time

Timestamp indicating when the user account was created.

Key request

Key associated with the payment service provider (PSP) used for the transaction request.

Transaction Id

Unique identifier for the transaction.

Currency 

Currency used for the transaction.

Amount

Amount of currency involved in the transaction.

Legal obligation

IP

IP address from which the request originated.

Performance of the contract

Fingerprint

Fingerprint data associated with the user (nullable).

Legal obligation

Card holder name

Name of the cardholder for the payment card used in the transaction.

Legal obligation

Card details

First 8 digits (partial) and last 4 digits (partial) of the payment card's PAN (Primary Account Number). Expiry date of the payment card.

Legal obligation

Hash data

Hashed value associated with the payment card.

Legal obligation

Verification status

Data related to anti-fraud measures and integration.

Legal obligation

Fraud score

Risk score assigned by the anti-fraud system (Double).

Legal obligation

Card token 

Hashed values of the payment card's PAN and token.

Legal obligation

Time of transaction

Timestamp indicating when the transaction was created (OffsetDateTime).

Error Status

Status of any errors encountered during the transaction (CardPayErrorStatus).

Integration ID

Identifier for the integration.

Client Order Id

Identifier for the client's order associated with the transaction.

Data storage

Data based on legal obligation

Stored for 6 years from the collection.

Data based on performance of a contract

Stored for 3 years from the end of service usage.

Crypto exchange process

Data related to cryptocurrency exchange processes, including transaction history, exchange rates, and wallet information. This data is necessary for executing and monitoring cryptocurrency transactions securely.

Data

Reasons for processing

Lawful basis

ID

Unique identifier for the transaction.

Performance of the contract

Amount

Amount of the transaction.

Creation time

Timestamp indicating when the transaction was created.

Currency

Currency type of the transaction.

Timestamp data

Timestamp indicating when the transaction expires.

Timestamp indicating the last update time of the transaction.

Transaction Name 

Name associated with the transaction.

Control ID

Reason for any conflicts in the Crypto Acquiring Deposit Request.

Status

Status of the Crypto Acquiring Checkout.

Transaction type

Type of the Crypto Acquiring transaction.

User Id

Identifier for the user associated with the transaction.

Data storage

Data based on performance of a contract

Stored for 3 years from the end of service usage.

Notification and marketing data

Information gathered for managing communication with users, including email preferences, notification settings, and marketing analytics. This data helps in delivering relevant updates and promotions to users.

Data

Reasons for processing

Lawful basis

Location

To inform you about useful information, promos and other activities

Consent

Email

Email

To send you emails related to the usage of the Service

Legitimate interest

History of interaction

Analyse and improve service

Legitimate interest

Data received from 3rd parties

Analyse and improve service

Legitimate interest, Consent

Data storage

Data based on legitimate interest.

Stored for 3 years from the last interaction, if you do not object.

Data based on consent.

Stored for 2 years from collection, if you do not withdraw consent.

Third-party providers

We use 3rd-party providers for our marketing activities. Here you can see the list and read how we involve them.

Name | Description
Google tag manager | Google service that allows you to quickly and easily update measurement codes and related code fragments, collectively known as tags, on your website or mobile app. Please see details at Privacy Notice.
Apollo | A cloud-based sales automation tool that serves as a tool for lead generation, contact database management, and email outreach. Please see details at Privacy Notice.

Report and customer support data

Data collected during customer support interactions, including issue reports, support tickets, and user feedback. This data is vital for resolving user queries and improving the overall service experience.

Data

Reasons for processing

Lawful basis

User ID

To identify the user

Performance of a contract

Request data

Understand and complete your request

Data storage

Data based on performance of a contract

Stored for 3 years from the end of service usage.

Data received from third parties

We may receive some personal data from third parties.

The amount of data collected, the purposes, and the lawful basis for processing are determined by the respective privacy documents of these third parties.

Party name

Type of data

Reasons for processing 

Google analytics

User behaviour

Contact Information

Analytics and monitoring

Google Search Console 

User behaviour on the site

Demographic Information

Improving user experience

ActiveCampaign CRM

History of interaction

Social Profile Information

Optimization of marketing campaigns

Calendly 

Interests and preferences

Communication preferences

Personal connection with clients

Hotjar 

Session Recordings, Surveys and Polls

Chat history

Evaluating the effectiveness of email marketing

Zoho Live Chat

Purchase and transaction data

Integration with external services

Brand reputation monitoring

GetResponse

Traffic data 

Events and interactions

Audience segmentation and targeting

Data storage

Legal basis | Legitimate interest | Consent
Term | 3 years from the last interaction, if you do not object. | 2 years from collection, if you do not withdraw consent.

Data sharing with third parties

We can share your personal data with third parties without any harm to you and in full compliance with applicable law. In addition, we have implemented organisational and technical measures to ensure the security of personal data during data transfer to third parties.

Third parties

Description

Analytics tools

We use analytics tools to understand and promote our business.

Messengers

We use messengers to communicate with you in ways that are convenient for you.

Contractors and service providers on the Service

We cooperate with service providers and contractors to provide you with their services, operate, develop and improve the features and functionality of the Service, fulfil your support requests, complete payment transactions, etc.

Providers of the services our team uses

We use CRM systems, messengers, and other services in our organisation to provide you with our services.

State authorities, courts, law enforcement agencies, etc

We may be obliged to transfer some of your data to tax authorities, courts, law enforcement agencies, and other governmental bodies:

  • to comply with a government request, court order, or applicable law;
  • to prevent unlawful use of the Service;
  • to protect against claims of third parties;
  • to help prevent or investigate fraud.

To get a detailed list of the third-party recipients of your personal data, contact us.

To share your data, we rely on the following lawful bases, depending on the case: consent, compliance with the law, and performance of a contract.

Data transfer outside the European Economic Area

The data is stored in Germany by default, but we may need to process your personal data in another country.

If there is no adequacy decision by the European Commission regarding the country we transfer data to, we use the adopted Standard Contractual Clauses based on legislation assessments for data protection during transfer and storage.

If there is an adequacy decision by the European Commission regarding the country we transfer data to, we can transfer personal data to that third country without any further safeguard being necessary.

You can read more detailed measures to protect your personal data here.

Data protection

We are regularly certified to the ISO 27001 standard.

We apply a variety of security measures appropriate to the possible risks.

Organisational measures

  • Staff training
  • Internal policies and instructions
  • Non-disclosure agreements (NDA)
  • Transfer protection

Physical measures

  • Video monitoring
  • Signalling
  • Limited access to premises
  • Round the clock security

Technical measures

  • Two-factor authentication
  • Backups
  • Firewalls
  • Encryption technologies

Data subjects rights

You, as a data subject (individual), have the right to interact with your data directly or through a request to us. This section describes these rights and how you can exercise them depending on your residency.

European Economic Area residents

You, as a data subject, have the right to interact with your data directly or through a request to us. This section describes these rights and how you can exercise them:

Right | Description
Right to access | You can request an explanation of the processing of your personal data.
Right to rectification | You can change the data if it is inaccurate or incomplete.
Right to erasure | You can send us a request to delete your personal data from our systems. We will remove them unless otherwise provided by law.
Right to restrict the processing | You may partially or completely prohibit us from processing your personal data.
Right to data portability | You can request all the data you provided to us and request to transfer data to another controller.
Right to object | You may object to the processing of your personal data.
Right to withdraw consent | You can withdraw your consent at any time.
Right to file a complaint | If your request was not satisfied, you can file a complaint with the regulatory body.

To exercise your rights, contact us. If your request was not satisfied, you can submit a complaint to your local Data Protection Authority. You may find it here.

Cookies

We use cookies that are needed for the Website’s operation. By using cookies, we receive automatically collected data. You can read more in the Cookie Policy.

If you want to turn off cookies, you can find instructions for managing your browser settings at these links:

Internet Explorer

Firefox

Chrome

Opera

Microsoft Edge

Vivaldi

Safari

Brave

Privacy Notice updates

This Privacy Notice is developed according to the General Data Protection Regulation, other applicable privacy laws, and best privacy practices.

Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Notice.

If there are material changes to the Privacy Notice or the Service that affect your data privacy rights, we will notify you by displaying information via the Service and, if necessary, ask for your consent.