Privacy Policy

At Colossos, we understand and value the protection of your personal data. This Privacy Policy explains how we collect, use, and safeguard your personal data when you use Colossos services.

It is essential that you read and understand this Privacy Policy to make informed decisions regarding the use of our app and the information you provide. By using Colossos services, you consent to this Privacy Policy.

This Privacy Policy applies to the collection and processing of personal data by the following entities, collectively referred to as “Colossos” hereinafter:

• Colossos Payments UAB, a company legally registered and operating under the legal acts of the Republic of Lithuania, company code 306087399, headquartered at Upes st. 21-1, LT-08128 Vilnius.
• Colossos Digital Assets UAB, a company legally registered and operating under the legal acts of the Republic of Lithuania, company code 306163726, headquartered at Upės g. 21-1, LT-08128 Vilnius, Lithuania.

We process your personal data in accordance with the General Data Protection Regulation (GDPR), which implies that we will only process your personal data when there is a lawful basis for doing so.

Our Legal Basis for processing your personal data will be one or several of the following:

• Consent: In certain situations, we may rely on your explicit consent to process specific categories of personal data. We will always obtain your consent in a clear and transparent manner, providing you with the necessary information to make an informed decision. You have the right to withdraw your consent at any time by contacting us.
• Contractual Necessity: If you enter into a contractual agreement with us, we may need to process your personal data to fulfil our obligations and provide you with the requested services. This includes processing your personal data for the purpose of user account registration, payment processing, and customer support.
• Legal Obligations: We may process your personal data to comply with legal obligations imposed on us, such as anti-money laundering (AML) and know-your-customer (KYC) requirements. This processing is necessary to ensure compliance with applicable laws and regulations.
• Legitimate Interests: We may process your personal data based on our legitimate interests, provided that such processing does not override your rights and interests. Our legitimate interests may include fraud prevention, improving our services, conducting analytics, and marketing our products or features. We always strive to strike a balance between our legitimate interests and your privacy rights.

In order to provide you with our Website and Services, depending on your use of our Website and Services and your profile, we may collect the following personal data:

• Identity Information, including without limitation: Full name, date of birth, country of nationality, country of residence, and other identification details necessary for account registration and verification.
• Contact information, including without limitation: Email address, phone number, and residential address.
• Professional information, including without limitation: employment status, occupation, professional sector, source of funds.
• Transaction Data, including without limitation: Data from your transactions, including without limitation the type, amount, date, time, recipient/counterparty information, account balance, payment information.
• Identification Information, including without limitation: user credentials, user pseudonym, security question(s) and answer(s), and biometrics information for the strictly limited purpose of verifying your identity and enhancing the security of our services.
• Usage Data, including without limitation: information about how you interact or intend to interact with our Website and Services, your preferences, device information, technical data, log files, analytical information.
• Communication data, including without limitation: information related to your communication with us, including email correspondence, chat logs, records of telephone conversations.
• Compliance Data, including without limitation: Supporting documents for information given, transaction monitoring information, risk assessment information, information related to sanction screening, etc.
• Company Information, including without limitation: company's name, country of incorporation, registration number, company type, legal address, information about the activity, regulatory status, identity information about representatives and Ultimate Beneficiary Owners, source of funds, financial information about the company.

To collect your personal data, we employ various methods and sources, including:

• Information you provide: We collect personal data that you voluntarily provide to us when using our Website and Services or interacting with us. This may include without limitation information provided during the account onboarding process, by filling forms, when communicating with us, when making transactions and when updating personal information.
• Information we generate or collect while you use our Website and Services: We collect data when you use our Website and Services, in accordance with the purposes set out in this Privacy Policy. This includes without limitation transaction data, usage data, compliance data.
• Third-Party Sources: In certain instances, we may obtain personal data from Third-Party Service Providers assisting us in the provision of our Website and Services. We may also collect Personal data from third-party sources, to supplement our own data or to verify the accuracy of the information provided. These sources may include identity verification services, credit reference agencies, and publicly available sources. We ensure that any data obtained from these sources is collected and processed in accordance with this Privacy Policy and with applicable laws and regulations.

We collect and process your personal data for specific purposes outlined below:

• Provision of Services: We collect your personal data to provide you with our Services. This includes facilitating transactions, managing your accounts, and enabling the use of our platform.
• Account Registration and Verification: We collect your personal data to ensure the security, conformity, and integrity of our Services. This helps us confirm your identity, eligibility to our Services, prevent and detect fraudulent activities, and comply with anti-money laundering (AML) and know-your-customer (KYC) obligations.
• Customer Support: We may use your personal data to address you inquiries, requests, and more generally to provide an efficient customer support. This helps us to assist you with any issues you might encounter or questions you may have.
• Legal and Regulatory Compliance: We collect and process your personal data to comply with applicable laws, in particular anti-money laundering and counter terrorist financing (AML/CTF) laws. This enables us to fulfil our reporting obligations to regulatory authorities, conduct risk assessment and transaction monitoring.
• Communication and updates: We collect and process your personal data to send you important information about your use of our services, updates and information related to our services. This helps us ensure that you can effectively use our services, and stay informed about changes, new features, security alerts, and relevant announcements that may affect your use of our services.
• Marketing and Promotions: With your consent, we may use your personal data to send promotional materials, offers, surveys, and newsletters about our Services. You have the right to withdraw your consent at any time.
• Security and Fraud Prevention: We collect and process your personal data to detect, prevent, and investigate fraudulent activities, unauthorized access, and potential security threats. This helps us protect you, our platform, and maintain a secure environment for all our users.
• Improvement of Services and Data Analysis: We may aggregate and anonymize your personal data for analytical purposes. This aggregated and anonymized data does not identify you personally and is used for purposes such as analysing trends, conducting market research, and improving our Services.

We may share your personal data in accordance with the legal basis on which and purposes for which we use your personal data, as set out in this Privacy Policy.

• Sharing with Subsidiaries and Affiliates: We may share your personal data to our Subsidiaries and Affiliated Companies within the Colossos group, where required to provide you with our Services, streamline operations, and enhance the overall customer experience.
• Other Customers: In certain circumstances, we may share your personal data with other customers on our platform. The sharing is typically limited to essential transactional information and is intended to enable seamless transactions and enhance the functionality of our Services.
• Third-Party Service Providers: We may engage trusted Third-Party Service Providers to assist un in delivering our Services. These Third-Party Service Providers may have access to your personal data for the purpose of performing specific tasks. We ensure that these Third-Party Service Providers adhere to strict confidentiality obligations and employ adequate security measures to safeguard your personal data.
• Legal reasons: We may disclose your personal data when required to comply with applicable laws and regulations. This may include sharing information with regulatory authorities, law enforcement agencies, or judicial bodies to address legal obligations, protect our rights and interests, or prevent fraudulent activities.
• Consent-based sharing: With your explicit consent, we may share your personal data with third parties for specific purposes not covered by the aforementioned categories. We will obtain your consent prior to any such sharing and ensure that the sharing is limited to the scope and purpose outlined in your consent.

We do not sell your personal data to third parties for marketing purposes. Any sharing of personal data is done in accordance with applicable data protection laws and regulations, and we take appropriate measures to ensure the security and confidentiality of your personal data during the sharing process.

In certain circumstances, your personal data may be transferred and processed in countries outside the European Economic Area (“EEA”), in accordance with the purposes and legal basis outlined above. Furthermore, it may also be processed by our personnel or by the staff of our suppliers who operate outside the EEA. We ensure that any such transfers of personal data to countries that do not offer a similar standard of protection equivalent to the EEA will be adequately safeguarded to protect your personal data. We implement appropriate measures, such as standard contractual clauses or other approved mechanisms, to ensure the security and confidentiality of your personal data during such transfers.

We take the security of your information seriously. We implement a range of measures to secure the information you provide on our computer servers. These servers are located in a controlled and secure environment, protected from unauthorized access, use, or disclosure. To safeguard your personal data in our control and custody, we maintain reasonable administrative, technical, and physical safeguards. These measures are designed to protect against unauthorized access, use, modification, and disclosure of personal data.

However, it is important to acknowledge that no method of data transmission over the Internet or wireless network can be guaranteed to be 100% secure. While we strive to protect your personal data, it is important to recognize the inherent security and privacy limitations of the Internet that are beyond our control. Despite our best efforts, the security, integrity, and privacy of any information and data exchanged between you and our Website and Services cannot be guaranteed.

We make ongoing efforts to mitigate the risks associated with data transmission and storage. Our mitigation measures include, but are not limited to, regularly updating and patching our systems, employing strong encryption protocols, utilizing firewalls and intrusion detection systems, conducting regular security assessments and audits, implementing strict access controls and authentication mechanisms, and enforcing stringent confidentiality obligations. These measures are designed to ensure the security and integrity of your personal data, although we acknowledge that no system is completely immune to risks. We remain committed to continuously improving our security practices to protect your personal data.

We will retain your personal data for the duration of your relationship with us and for a reasonable period afterward in accordance with the purposes for which it was collected. The specific retention periods for different categories of personal data may vary depending on the nature of the data and the purposes for which it was collected.

As a general guideline, Personal data collected in accordance with this Privacy Policy will be stored up to six years after the end of our relationship. Personal data collected to fulfil our obligations under AML/CFT laws will be stored up to eight years after the end of our relationship. Personal data collected on the basis of your consent will be deleted immediately after you recall your consent.

Please be aware that in certain circumstances, we may retain your personal data for a longer period than initially stated. This extended retention may be necessary to fulfil the following purposes: to defend ourselves against actual or potential legal claims, to exercise our legal rights, to resolve disputes, claims, or complaints, to address reasonable suspicions of illegal activities, and to comply with relevant laws and regulations. We will retain your personal data for as long as reasonably required to fulfil these purposes and to ensure compliance with our legal obligations.

In certain cases, we may anonymize your personal data so that it can no longer be associated with you. Anonymized data may be retained indefinitely for the purposes of analytical, research, and improvement of services, as it does not contain any identifiable information.

We may employ automated decision-making and profiling processes in certain instances, which involve utilizing technology to analyse your personal data and other relevant information, in order to predict risks or outcomes. The legal basis for using automated decision-making and profiling will be one of the following: Contractual Necessity, Legal Obligations, Legitimate Interests.

Our automated decision-making and profiling may relate to various aspects, including but not limited to:

• Opening accounts: When you apply to open an account with us, we may utilize automated decision-making and profiling to assess your eligibility and suitability. Automated processes help us streamline the account opening process, verify your identity, and ensure compliance with regulatory requirements.
• Risk Assessment: To safeguard our platform and users, we may employ automated decision-making and profiling to assess and mitigate risks associated with various activities. This includes evaluating transaction patterns, account behaviour, and other relevant factors to detect and prevent potentially fraudulent or suspicious activities.
• Detecting fraud: Automated decision-making and profiling may be used in our fraud detection and prevention efforts. Automated processes help us identify and respond swiftly to suspicious activities, minimizing the impact on our users and maintaining the integrity of our platform.

Our Website and Services use “cookies” to help personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you. If you choose to decline cookies, you may not be able to fully experience the features of the Website and Services. We may use cookies to collect, store, and track information for security and personalization, to operate the Website and Services, and for statistical purposes. For further information on the cookies we collect and their purpose, see our cookie policy. Please note that you have the ability to accept, select specific or decline all cookies.

You have certain rights concerning the control and processing of your personal data. To exercise any of your rights, or to file any complaint related to the control and processing of your personal data by Colossos, you can contact our DPO through our chatbot or by sending an email at [email protected]. These rights include:

• Right to be informed: You have the right to be informed about how your personal data is being processed. This includes providing you with transparent information about the purposes of processing, the categories of data involved, any recipients of the data, and the duration of data retention.
• Right to have access: You have the right to access the personal data we hold about you. This enables you to obtain confirmation as to whether or not your data is being processed and to receive a copy of the information we possess about you.
• Right to object to some processing: You have the right to request the restriction of processing your personal data. This allows you to temporarily limit the use of your data while its accuracy is being verified, or when you contest the lawfulness of the processing.
• Right to have your data deleted:
• Right to restrict processing:
• Right to data portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another data controller without hindrance.
• Right to ask us about automated decision-making: If we employ automated decision-making processes, including profiling, you have the right to request information about the logic involved, as well as the significance and potential consequences of such processing.
• Right to rectification: You have the right to request the correction or rectification of any inaccurate or incomplete personal data we hold about you.
• Right to lodge a complaint with the competent data protection authority: If you believe that your data protection rights have been infringed, you have the right to lodge a complaint with the competent data protection authority. However, we encourage you to first contact us at [email protected] with any concerns or issues you may have, as we are committed to addressing and resolving your concerns in a satisfactory and timely manner.

We do not knowingly collect any Personal data from children under the age of 18. If you are under the age of 18, please do not submit any Personal data through the Website and Services. If you have reason to believe that a child under the age of 18 has provided Personal data to us through the Website and Services, please contact us to request that we delete that child's Personal data from our Services.

We encourage parents and legal guardians to monitor their children's Internet usage and to help enforce this Policy by instructing their children never to provide Personal data through the Website and Services without their permission. We also ask that all parents and legal guardians overseeing the care of children take the necessary precautions to ensure that their children are instructed to never give out Personal data when online without their permission.

When you open the Website, our servers automatically record information that your browser sends. This data may include information such as your device's IP address, browser type, and version, operating system type and version, language preferences or the webpage you were visiting before you came to the Website, pages of the Website that you visit, the time spent on those pages, information you search for on the Website, access times and dates, and other statistics. Information collected automatically is used only to identify potential cases of abuse and establish statistical information regarding the usage and traffic of the website. This statistical information is not otherwise aggregated in such a way that would identify any particular User of the system.

In the event that we become aware of a compromise in the security of the Website and Services or the unauthorized disclosure of users' personal data to unrelated third parties, resulting from external activities such as security attacks or fraud, we reserve the right to take necessary and appropriate actions. These actions may include conducting a thorough investigation, reporting the incident, and cooperating with law enforcement authorities. We prioritize the protection of users' personal data and are committed to taking swift and effective measures to address any breaches.

If a data breach occurs and we determine that there is a reasonable likelihood of the breach posing a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority without undue delay, and at the latest within 72 hours, in accordance with the GDPR. Additionally, if the breach is likely to result in a high risk to the affected individuals or where required by law, we will notify the individuals affected by the breach. Notifications will be sent via email to provide timely and relevant information about the breach and any recommended actions to mitigate potential harm.

Colossos may update or modify this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, or to enhance transparency. We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your personal data. Your continued use of our services after the effective date of the updated Privacy Policy constitutes your acceptance of the revised terms.