Elektrum SAS ('we,' 'us,' 'our') is committed to protecting your privacy. This Privacy Policy explains in detail how we collect, use, disclose, and safeguard your information, including personal and sensitive data, when you use our services, platform, and mobile application (collectively, the 'Services').
Please read this policy carefully. By using our Services, you consent to the practices described herein. If you do not agree, you must discontinue use of our Services immediately.
We collect information that you provide directly to us and information automatically collected.
A. Information You Provide:
* Account Information: Name, email address, phone number, date of birth.
* Verification Information (KYC/AML): For identity verification, we require:
- Government-issued ID (e.g., passport, driver's license): We collect the image, number, and all visible data.
- Proof of Address: Utility bills, bank statements.
- Business Information (for corporate accounts): Company registration details, ownership structure.
* Financial Information: Bank account details, payment card information (processed securely by our payment partners), and transaction history.
B. Information Collected Automatically:
* Usage Data: IP address, device type, browser type, pages visited, transaction history, and other diagnostic data.
* Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to track activity and hold certain information. You can control cookie settings through your browser.
C. Sensitive Biometric and Health Data (With Explicit Consent):
Our identity verification process may involve the collection of sensitive data. By proceeding with verification, you provide explicit consent for this processing.
* Biometric Data for Facial Recognition:
- What we collect: A digital scan of your facial geometry.
- How we collect it: Using your device's camera for a real-time facial scan and liveness detection.
- Why we collect it: To compare your live image with your government-issued ID, as required by KYC/AML regulations.
- Retention: The biometric template is processed in real-time and is not stored on our servers after the verification session is complete. Images of your ID are encrypted and stored only as long as required by law (typically 5+ years).
* Audio Data for Liveness Detection:
- What we collect: A short audio recording of you following a voice prompt.
- How we collect it: Using your device's microphone.
- Why we collect it: To confirm the presence of a live person and prevent fraud.
- Retention: Audio recordings are immediately deleted after the liveness check is complete and are not stored.
We process your personal data on the following legal bases:
* Performance of a Contract: To provide you with our Services.
* Legal Obligation: To comply with KYC, AML, CTF, and other financial regulations which require us to verify your identity and retain certain records.
* Consent: For processing sensitive biometric data and HealthKit data. You may withdraw consent for these specific processes at any time, though this may limit your access to certain Services that require verification.
* Legitimate Interests: For fraud prevention, network security, and improving our Services.
We use the information we collect to:
* Provide, maintain, and improve our Services.
* Verify your identity and comply with legal KYC/AML obligations.
* Process transactions and send related information.
* Prevent fraud, money laundering, and other illegal activities.
* Send technical notices and security alerts.
* Respond to your comments and support requests.
We do not sell or rent your personal information. We may share data only in the following circumstances:
* With Your Consent.
* Service Providers: We share data with trusted vendors who perform services on our behalf (e.g., cloud hosting, payment processing, identity verification, customer support) under strict contractual data processing agreements that prohibit them from using your data for any other purpose.
* For Legal Reasons: To comply with a law, regulation, legal process, or governmental request; to protect the rights and safety of Elektrum, our users, or the public.
* Business Transfers: In connection with a merger, sale, or acquisition of all or part of our company.
We implement a robust security framework that includes:
* Encryption: Data is encrypted in transit (using TLS/SSL) and at rest.
* Access Controls: Strict role-based access controls to ensure employees only access data necessary for their job functions.
* Security Certifications: We employ firewalls, intrusion detection, and regular security audits.
However, no electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
Your personal data may be processed in countries other than your own, including Colombia. We ensure all international transfers are governed by appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, to provide a level of protection equivalent to your local laws.
We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law.
* Account Data: Retained for as long as your account is active.
* KYC/AML Records (including ID copies): Retained for a minimum of 5 years after account closure as required by financial regulations.
* Biometric Data: Retained only for the duration of the verification session and then immediately deleted.
* Marketing Data: Retained until you opt-out or for a reasonable period after account closure.
Depending on your jurisdiction, you may have the following rights:
* Access & Portability: To request a copy of your data.
* Rectification: To correct inaccurate or incomplete data.
* Erasure ("Right to be Forgotten"): To request deletion of your data, subject to our legal obligations to retain it.
* Restriction & Objection: To object to or restrict certain processing.
* Withdraw Consent: To withdraw consent for data processing based on consent, such as for biometrics or HealthKit.
To exercise these rights, please contact us at soporte@elektrum.io. We will respond within the timeframe required by law. We may need to verify your identity before processing your request.
We may update this policy from time to time. The "Last Updated" date at the top will indicate changes. If we make material changes (e.g., changes to how we process sensitive data), we will provide at least 30 days' prior notice through the Services or via email, allowing you to review the changes before they become effective. Your continued use after the effective date constitutes acceptance of the updated policy.
If you have any questions, concerns, or wish to exercise your rights, please contact our Data Protection Office:
Elektrum SAS
Address: Edificio Smart Office, Cra 51B 80 53
Attn: Data Protection Officer
Email: soporte@elektrum.io.