CASP.eu, also accessible via the domain names www.crypto-assets.lu and www.cryptoassets.lu (the "Website"), is a platform dedicated to providing information and insights on MiCA and related regulations, Crypto-assets, and CASPs. This Website privacy policy (the “Privacy Policy”) explains how is processed the personal data of the different natural persons visiting and using the Website (the "Users"), including you, who is now reading this Privacy Policy. The Privacy Policy informs how Users' personal data is collected, for what purposes, and how it is stored. It also explains Users' rights in relation to any personal data concerning them.
1. Personal data controller
Ruben Mendes, a practicing lawyer admitted to the Luxembourg Bar in 2016, and the principal author and curator of content on this Website, is the data controller responsible for Users’ personal data (the "Data Controller"). If Users have any questions about this Privacy Policy or want to exercise their rights set out in section 11, please contact the Data Controller by using the Website contact form.
2. Purposes of the personal data processing
The Data Controller processes Users’ personal data in connection with any of the following purposes:
- To have an overview of the Users' visits and the number of visits to this Website, the territories from where those Users are visiting the Website, and understand the different pages of the Website that are visited by those Users, in order to monitor the traffic of the Website and to improve the Website User experience;
- To respond and process inquiries or messages from Users, sent through the Website contact form;
- To send and notify Users, via their communicated e-mail addresses, the Website Newsletter, which may include recently published blog posts and/or updates to different pages of the Website, including updates to this Privacy Policy or to the Website Terms and Conditions.
3. Categories of collected and processed personal data
The Data Controller collects and processes the following personal data:
- Users’ contact data: Users’ name, surname, e-mail address, and other personal data that Users may decide to provide through the Website contact form;
- Users’ technical data: Users’ information collected during their visits to this Website, the Users’ Internet Protocol (IP) address, browser type and version, device type, time zone setting, browser plug-in types and versions, operating system and platform.
4. Sources of the collected personal data
The Data Controller collects personal data directly from Users when:
- Users use the Website contact form to reach out to the Data Controller;
- Users correspond with the Data Controller by e-mail or other electronic means, or in writing, or when Users provide other information directly to the Data Controller;
- Users browse or otherwise interact on/with the Website.
5. Processing legal basis
The Data Controller processes Users’ personal data based on the following legal basis:
- Users’ given consent: To respond and process inquiries or messages from Users, sent through the Website contact form; & To send and notify Users, via their communicated e-mail addresses, the Website Newsletter, which may include blog posts and/or updates to different pages of the Website, including updates to this Privacy Policy or to the Website Terms and Conditions;
- Legitimate interests pursued by the Data Controller: To have an overview of the Users’ visits and the number of visits to this Website, the territories from where those Users are visiting the Website, and understand the different Website pages consulted by Users, in order to monitor the traffic of the Website and to improve the Website User experience.
6. Cookies and similar technologies
This Website uses no cookies or similar technologies. In fact, privacy, even towards trusted third parties, was one of the main concerns of Satoshi Nakamoto with the creation of the blockchain. If someone is collecting a lot of personal data through different cookies or other technologies, something may not being done right. The Data Controller intends to fully respect Users’ fundamental right to respect for private life and communications.
7. Personal data storage
The Data Controller will only store Users’ personal data in accordance with applicable laws and regulations, and limited to what is strictly necessary to fulfill the purposes for which it was collected. The Data Controller will not store Users’ personal data for longer periods then following:
- Users' contact data will be stored for three (3) years from the date of the most recent contact message or e-mail;
- Users' e-mail addresses provided for the Newsletter subscriptions will be stored indefinitely, until such time as the User chooses to unsubscribe from the Newsletter. The e-mail address will then be automatically and immediately deleted upon that User's unsubscription from the Newsletter;
- Users' technical data will be stored for a period of thirty (30) days following each relevant visit.
8. Categories of recipients of personal data
The categories of recipients of Users' personal data are:
- the Data Controller;
- the person or persons in charge of developing this Website.
9. Transfer of personal data
The servers on which this Website is hosted, and from which all information is collected and processed, are located in Luxembourg and/or Germany.
The Data Controller does not transfer Users’ personal data outside of the European Economic Area. The Data Controller will only transfer Users’ personal data outside of the European Economic Area with the User's prior authorisation and if specific measures have been taken in order to ensure that the requirements of the applicable data protection law have been fulfilled.
10. Personal data security measures
The Data Controller has put in place appropriate security measures to prevent the Users’ personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures are based on the highest technical standards, taking into account all the risks of processing, and are:
- personal data minimisation;
- strong passwords and encryption;
- restricted access to personal data by few persons, on a ‘need to know’ basis;
- Personal data storage in a Luxembourg or EU data center.
11. User rights
Users have the following rights with respect to our use of their personal data:
- Access Rights
If so request by a User, the Data Controller will confirm whether it is processing their personal data and, where applicable, provide them with a copy of that personal data. If Users require additional copies, the Data Controller may need to charge a reasonable fee. There are exceptions to this right, so that access may be denied if, for example, making the information available to Users would reveal personal data about another person, or if the Data Controller is legally prevented from disclosing such information.
- Right to Rectification
If the personal data the Data Controller holds about Users is inaccurate or incomplete, Users are entitled to request to have it rectified. If Users are entitled to rectification and if the Data Controller has shared Users' personal data with others, the Data Controller will inform them about the rectification where possible.
- Right to Object
Users can ask the Data Controller to stop processing their personal data, and the Data Controller will do so, if the Data Controller is relying on its own or someone else’s legitimate interests to process Users' personal data, unless it can demonstrate compelling legal grounds for the processing.
- Right to Withdraw Consent
If Users have provided their consent to the collection, processing, and transfer of their personal data, they have the right to fully or partly withdraw their consent at any time. To withdraw their consent, Users should follow the opt-out links on any Newsletter sent to them or contact the Data Controller through the Website contact form.
- Right to Erasure
Users can request the Data Controller to delete or remove their personal data in some circumstances such as when the personal data is no longer necessary for the purposes for which it was collected, or when Users' personal data has been unlawfully processed or if Users withdraw their consent (where applicable).
- Right to Restrict Processing
Users can ask the Data Controller to restrict the processing of their personal data in certain circumstances, such as where Users contest the accuracy of that personal information or object to the Data Controller using it.
- Right to Data Portability
Users have the right, in certain circumstances, to obtain personal information they’ve provided the Data Controller with (in a structured, commonly used, and machine-readable format) and to reuse it elsewhere or to ask the Data Controller to transfer this to a third party of their choice.
Some of these rights may be limited where the Data Controller has an overriding interest or legal obligation to continue to process the data.
Users may, at any time, exercise any of the aforementioned rights by using the Website contact form along with proof of their identity, such as a copy of their ID card, passport, or any other valid identification document.
12. Changes to this privacy policy
The Data Controller reserves the right to update and change this Privacy Policy at any time to reflect any modifications in the way Users' personal data is processed or to evolving legal requirements. Any such changes to the Privacy Policy will be posted on this Website page and will take effect immediatly after their publication. If Users subscribed to our Newsletter, such Users will equally be notified of the new applicable version of this Privacy Policy via the Newsletter, upon publication of the changes. Users are encouraged to visit this Website page periodically to review the most recent up-to-date version of this Privacy Policy. The date of the last update of this Privacy Policy is displayed at the bottom.
13. Complaints
If the User believes that its personal data may have been breached or that the Data Controller has not resolved its query, the Users have the right to lodge a complaint with the national data protection authority. The Luxembourg data protection authority is:
Commission Nationale pour la Protection des Données
15, Boulevard du Jazz
L-4370 Belvaux
Tél.: (+352) 26 10 60 -1
14. Governing Law
This Privacy Policy shall only be governed by and construed in accordance with Luxembourg law. Any disputes relating to these Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Luxembourg-City, Grand Duchy of Luxembourg.