Data Protection & Privacy

Our Commitment to Data Protection

CriptoBanc is fully committed to safeguarding the privacy and confidentiality of our clients’ personal data. We operate in strict compliance with the Swiss Federal Act on Data Protection (FADP), the EU General Data Protection Regulation (GDPR) where applicable, and the Kingdom of Bahrain’s Personal Data Protection Law (PDPL).

This policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over your information. We process personal data only for legitimate business purposes and with appropriate security measures.

What Personal Data We Collect

We may collect and process the following categories of personal data:

• Identity & contact data: Full name, date of birth, nationality, government‑issued ID (passport, national ID), residential address, email, phone number.
• Financial & transactional data: Bank account details, source of funds, investment history, digital asset wallet addresses, transaction records, trading activity.
• KYC/AML data: Proof of address, beneficial ownership declarations, tax identification numbers, PEP (Politically Exposed Persons) status, sanctions screening results.
• Technical data: IP address, browser type, device identifiers, cookies, website usage logs (for security and analytics).
• Communications data: Records of your correspondence with us (emails, phone calls, chat messages).

We never collect special categories of data (sensitive data such as health, religion, political opinions) unless explicitly required by law and with your consent.

How We Use Your Data

Your personal data is used exclusively for the following legitimate purposes:

• To open and manage your institutional account (performance of contract).
• To comply with anti‑money laundering (AML) and counter‑terrorist financing (CFT) obligations (legal obligation).
• To execute and settle transactions, provide custody, and deliver our services (performance of contract).
• To communicate with you regarding your account, service updates, or security alerts (legitimate interest).
• To monitor and prevent fraud, unauthorised access, and other security incidents (legal obligation and legitimate interest).
• To improve our website, client portal, and services (consent or legitimate interest).
• To fulfil regulatory reporting obligations to FINMA, CBB, and tax authorities (legal obligation).

We do not use automated decision‑making (including profiling) that produces legal effects concerning you without your explicit consent.

Legal Basis for Processing (GDPR & FADP)

Under Swiss and EU data protection laws, we rely on the following legal bases:

• Contractual necessity: Processing required to open your account, execute transactions, and provide our banking and custody services.
• Legal compliance: Processing required to comply with AML, KYC, sanctions, and tax reporting laws (FINMA, CBB, FATF).
• Legitimate interests: Fraud prevention, IT security, direct marketing (only where permitted and with opt‑out rights), and business analytics.
• Consent: For optional cookies, marketing communications, and any other processing not covered by the above (you may withdraw consent at any time).

Data Sharing & Third Parties

CriptoBanc does not sell or rent your personal data. We may share your data only in the following circumstances:

• Service providers: Third‑party vendors that assist us with IT hosting, KYC verification, sanctions screening, blockchain analytics, and customer support. These providers are bound by strict data processing agreements and may only process data for specified purposes.
• Regulators & law enforcement: FINMA, Central Bank of Bahrain, Swiss Financial Intelligence Unit (MROS), Bahrain Financial Intelligence Unit, tax authorities, or other competent bodies when required by law.
• Counterparties & financial institutions: For the purpose of executing transactions (e.g., SWIFT transfers, OTC settlements). Only minimal necessary data is shared.
• Auditors & legal advisors: Independent auditors and legal counsel for compliance and risk management purposes.

Any transfer of personal data outside Switzerland or the EEA is done in compliance with adequacy decisions (e.g., EU‑Switzerland adequacy) or using Standard Contractual Clauses (SCCs) with appropriate safeguards.

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, regulatory, accounting, and reporting requirements.

• Account data: Retained for the duration of your client relationship plus 10 years after account closure (as required by Swiss and Bahraini financial regulations).
• Transaction records: Retained for 10 years from the date of each transaction (FINMA and CBB requirements).
• KYC documents: Retained for 10 years after the end of the business relationship.
• Technical logs (IP addresses, cookies): Retained for up to 12 months unless needed for security investigations.

After the retention period, data is securely deleted or anonymised.

Your Rights

Under applicable data protection laws, you have the following rights:

• Right to access: Obtain confirmation of whether we process your data and request a copy.
• Right to rectification: Correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”): Request deletion of your data, subject to legal retention obligations.
• Right to restriction of processing: Limit how we use your data under certain circumstances.
• Right to data portability: Receive your data in a structured, machine‑readable format (for data processed by automated means based on consent or contract).
• Right to object: Object to processing based on legitimate interests (including direct marketing).
• Right to withdraw consent: Withdraw any previously given consent at any time (without affecting lawfulness of prior processing).
• Right to lodge a complaint: File a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the Bahraini Personal Data Protection Authority.

To exercise your rights, please contact our Data Protection Officer at dpo@criptobanc.com. We will respond within one month (extendable by two months for complex requests).

Security Measures

We implement industry‑leading technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure:

• Encryption: All data transmitted between your browser and our systems uses TLS 1.3. Stored data is encrypted at rest using AES‑256.
• Access controls: Strict role‑based access, multi‑factor authentication, and principle of least privilege.
• Network security: Firewalls, intrusion detection/prevention systems, and regular penetration testing.
• Physical security: Data centres are located in Switzerland and Bahrain with 24/7 surveillance, biometric access, and disaster recovery.
• Employee training: All staff undergo annual data protection and information security awareness training.
• Incident response: A dedicated Data Breach Response Team and procedures to notify affected clients and regulators within 72 hours where required.

Cookies & Tracking Technologies

Our website uses cookies and similar technologies to enhance functionality, analyse traffic, and improve security. For detailed information, please refer to our Cookie Policy.

You can manage your cookie preferences through our cookie consent banner or your browser settings.

Changes to This Policy

We may update this Data Protection Policy from time to time to reflect changes in legal requirements, our services, or industry best practices. Material changes will be communicated via email or a prominent notice on our website.