Data Protection Policy

1. Introduction

SollCard is committed to protecting the privacy and security of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant privacy regulations.

This Data Protection Policy outlines our comprehensive approach to data protection, including our legal basis for processing personal data, the rights of data subjects, and our technical and organizational measures to ensure data security.

2. Legal Basis for Processing

We process personal data based on the following legal grounds under GDPR Article 6:

2.1 Consent (Article 6(1)(a))

• Marketing communications and promotional materials
• Non-essential cookies and tracking technologies
• Optional data processing activities
• Special categories of personal data (with explicit consent)

2.2 Contract Performance (Article 6(1)(b))

• Account creation and management
• Service delivery and transaction processing
• Customer support and communication
• Payment processing and billing

2.3 Legal Obligation (Article 6(1)(c))

• KYC and AML compliance requirements
• Tax reporting and regulatory filings
• Anti-fraud and security measures
• Record keeping obligations

2.4 Legitimate Interests (Article 6(1)(f))

• Website analytics and performance monitoring
• Security monitoring and fraud prevention
• Service improvement and development
• Business operations and administration

3. Categories of Personal Data

We process the following categories of personal data:

3.1 Identity Data

• Full name, date of birth, and nationality
• Government-issued identification numbers
• Biometric data (where applicable)
• Photographs and video recordings

3.2 Contact Data

• Email addresses and phone numbers
• Physical and mailing addresses
• Social media profiles and handles
• Emergency contact information

3.3 Financial Data

• Bank account information and statements
• Income and employment information
• Transaction history and patterns
• Credit and risk assessment data

3.4 Technical Data

• IP addresses and device identifiers
• Browser type and operating system
• Website usage and analytics data
• Location data and geolocation information

3.5 Special Categories

• Biometric data for identity verification
• Health information (where relevant)
• Political opinions (for PEP screening)
• Criminal conviction data (for AML purposes)

4. Processing Purposes

We process personal data for the following purposes:

4.1 Service Delivery

• Account creation and management
• Cryptocurrency card issuance and management
• Transaction processing and settlement
• Customer support and communication

4.2 Compliance and Risk Management

• KYC and AML verification procedures
• Sanctions screening and monitoring
• Fraud detection and prevention
• Regulatory reporting and compliance

4.3 Business Operations

• Website and service improvement
• Analytics and performance monitoring
• Marketing and promotional activities
• Research and development

4.4 Legal and Regulatory

• Dispute resolution and legal proceedings
• Regulatory investigations and audits
• Law enforcement cooperation
• Court orders and legal requirements

5. Data Subjects and Rights

Under GDPR, data subjects have the following rights:

5.1 Right of Access (Article 15)

• Request confirmation of data processing
• Obtain copies of personal data
• Receive information about processing purposes
• Access data retention periods

5.2 Right to Rectification (Article 16)

• Correct inaccurate personal data
• Complete incomplete personal data
• Update outdated information
• Request verification of corrections

5.3 Right to Erasure (Article 17)

• Request deletion of personal data
• Withdraw consent for data processing
• Object to unlawful processing
• Request data removal from systems

5.4 Right to Restrict Processing (Article 18)

• Limit processing of personal data
• Suspend data processing activities
• Maintain data for legal purposes only
• Prevent automated decision-making

5.5 Right to Data Portability (Article 20)

• Receive personal data in structured format
• Transfer data to another controller
• Obtain data in machine-readable format
• Request direct transmission where feasible

5.6 Right to Object (Article 21)

• Object to processing based on legitimate interests
• Opt out of direct marketing
• Object to automated decision-making
• Withdraw consent at any time

6. Data Security Measures

We implement comprehensive technical and organizational measures to protect personal data:

6.1 Technical Safeguards

• Encryption: AES-256 encryption for data at rest and in transit
• Access Controls: Multi-factor authentication and role-based access
• Network Security: Firewalls, intrusion detection, and monitoring
• Data Backup: Regular backups with secure storage and recovery procedures

6.2 Organizational Safeguards

• Staff Training: Regular data protection training and awareness programs
• Access Management: Principle of least privilege and regular access reviews
• Incident Response: Comprehensive breach response and notification procedures
• Vendor Management: Due diligence and contractual obligations for third parties

6.3 Physical Safeguards

• Data Centers: Secure facilities with 24/7 monitoring and access controls
• Equipment Security: Secure disposal of hardware and media
• Environmental Controls: Climate control and disaster protection
• Visitor Management: Strict visitor policies and escort requirements

7. Data Retention

We retain personal data only for as long as necessary for the purposes outlined in this policy:

7.1 Retention Periods

• Account Data: 5 years after account closure or last activity
• Transaction Records: 7 years for regulatory compliance
• KYC/AML Data: 5 years after account closure
• Marketing Data: Until consent is withdrawn or 3 years of inactivity

7.2 Retention Criteria

• Legal and regulatory requirements
• Business operational needs
• Dispute resolution and legal proceedings
• Legitimate business interests

7.3 Data Deletion

• Secure deletion using industry-standard methods
• Verification of complete data removal
• Notification to data subjects where required
• Documentation of deletion activities

8. International Data Transfers

We may transfer personal data to countries outside the European Economic Area (EEA):

8.1 Adequacy Decisions

• Transfers to countries with adequate protection
• Recognition by European Commission
• Equivalent level of data protection
• Regular review of adequacy status

8.2 Appropriate Safeguards

• Standard Contractual Clauses: EU Commission approved contracts
• Binding Corporate Rules: Internal data protection policies
• Certification Schemes: Approved certification mechanisms
• Codes of Conduct: Industry-specific data protection codes

8.3 Derogations

• Explicit consent for specific transfers
• Contract performance and execution
• Important reasons of public interest
• Protection of vital interests

9. Data Breach Notification

We have comprehensive procedures for handling data breaches:

9.1 Breach Detection and Assessment

• 24/7 security monitoring and alerting
• Automated breach detection systems
• Incident response team activation
• Risk assessment and impact analysis

9.2 Notification Procedures

• Supervisory Authority: Within 72 hours of breach discovery
• Data Subjects: Without undue delay if high risk
• Internal Stakeholders: Immediate notification to management
• Law Enforcement: Where required by law

9.3 Breach Response

• Immediate containment and mitigation
• Forensic investigation and analysis
• Remediation and security improvements
• Documentation and reporting

10. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection activities:

10.1 DPO Responsibilities

• Monitor compliance with data protection laws
• Provide advice and guidance on data protection
• Conduct data protection impact assessments
• Serve as point of contact for supervisory authorities

10.2 DPO Independence

• Direct reporting to senior management
• No conflicts of interest with other duties
• Adequate resources and support
• Protection from dismissal or penalty

11. Contact Information

For questions about this Data Protection Policy or to exercise your data protection rights, please contact:

You also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data in accordance with applicable law.

This Data Protection Policy is effective as of January 1, 2024, and was last updated on January 1, 2024.