logo-guardarian

1. Privacy Policy

This Privacy Policy (the “Policy”) describes how Personal data of Data subjects is processed when they use the website at https://guardarian.com (the “Website”) and/or any API or third-party services, or interact with online advertisements or marketing e-mails (collectively, the “Services”).

Depending on your location and which Services you use, your Personal data will be processed by one of the following Controllers:

  • FinSeven CZ s.r.o., a company incorporated in the Czech Republic, registry code 22304681, registered address at Na Čečeličce 425/4, Smíchov, 15000, Prague, Czech Republic (“FinSeven CZ)”; and
  • GRNTECH SOLUTION Inc, a company incorporated in Canada, incorporation number 1001145678, registered address at 1270 Central Parkway West, Suite 102, Mississauga, Ontario, L5C 4P4, Canada. (“GRNTECH”).

FinSeven CZ and GRNTECH each act as an independent Controller with respect to the Personal data of Users located in their respective region, and each is separately responsible for its own compliance with applicable law — the General Data Protection Regulation (EU) 2016/679 (“GDPR”) for FinSeven CZ, and the Personal Information Protection and Electronic Documents Act (“PIPEDA”) for GRNTECH. References in this Policy to “Company”, “We”, “Ourselves” or “Us” mean whichever of FinSeven CZ or GRNTECH is the Controller of your Personal data as determined above, unless stated otherwise.

By accepting this Policy, you agree to be legally bound by it and all terms incorporated by reference. If you don’t agree with this Policy or any of its clauses, you shall immediately cease to use the Website.

The relevant Controller has implemented technical and organisational measures to comply with applicable data protection and privacy legislation in the countries where it operates. This Policy sets out the basic rules and principles by which your Personal data is processed, and each Controller’s responsibilities under its applicable transparency obligations.

2. Definitions

  • “Controller” or “Data controller” means, as applicable, FinSeven CZ or GRNTECH, as determined under Section 1.
  • “Processor” means a natural or legal person engaged in the processing of Personal data of Data subjects under a contract with a Controller.
  • “Data subject” or “User” means a natural person who visits the Website and/or uses the Services.
  • “Personal data” means information that relates to and identifies a Data subject (Section 5).
  • “Cookies” means small fragments of data sent by our web server and stored on a User’s device, used to make the Website work effectively and to remember settings and analyse traffic.
  • “Services” means the services provided by the Company via the Website.

3. Controllers and General Provisions

Under this Policy, the applicable Controller for your Personal data is determined by your location, as set out in Section 1. FinSeven CZ, being registered in the Czech Republic, complies with the GDPR and applicable Czech law. GRNTECH, being registered in Canada, complies with PIPEDA and applicable provincial legislation.

Where a User completes identity verification with one Controller and subsequently uses Services provided by the other Controller, the Controllers may share the User’s KYC/AML data with one another so that the User is not required to repeat identity verification, as further described in Section 9.

4. Guarantees

We do not process special categories of Personal data (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, health data), except for biometric data processed for identity verification.

As part of identity verification, Our identity-verification partner (see Section 9) performs a liveness check that compares a live facial image against the photo on your identification document to confirm you are the person you claim to be. This constitutes biometric data within the meaning of Article 4(14) GDPR, because it involves specific technical processing used to confirm your identity. Both the image of your identification document and the facial image captured during the liveness check are retained as part of your KYC record for the retention period set out in Section 12. These images are used only for identity verification, fraud prevention, and compliance with Our AML/CTF obligations, and are not used to build a biometric template for matching you against any other database or for any other purpose. We rely on your explicit consent for the liveness check itself, and on Our legal obligation under applicable AML/KYC law for the retention of the resulting images once verification is complete. You may decline or withdraw consent to the liveness check before completing verification, though this will mean We are unable to complete identity verification and, as a result, unable to provide you with the Services - see Section 7. Once verification is complete, the retained images cannot be deleted on request during the mandatory KYC retention period, as this would conflict with Our AML record-keeping obligations.

We guarantee that We do not sell Users’ data directly for monetary reward. The Company will not sell, rent, or loan any Personal data to any third party.

5. Data Processed

We collect the following categories of Personal data from you:

  • identification information such as name, surname, citizenship, address, and documents required for KYC/AML compliance (passport, ID card, driving licence, or similar), phone number and e-mail;
  • biometric data (a facial liveness image) processed transiently for identity-verification purposes, as described in Section 4;
  • technical data - IP address, language, country, browser type and version, time-zone setting, browser plug-in types, approximate location, operating system and version;
  • data on how you use the Website, such as clickstreams, page response times, download errors, time spent on pages, and other usage actions;
  • cookies (see Section 6).

We may also collect Personal data from third parties, such as public databases, credit bureaus, identity-verification partners, resellers and channel partners, joint marketing partners, social media platforms, and fraud-prevention agencies, including where you consent to Us receiving data from another service provider you use, and from publicly available sources for enhanced due diligence, security searches, and KYC purposes.

6. Cookies

The Company uses cookies to help Data subjects navigate the Website and to perform its functions efficiently, including Necessary, Statistics, and Marketing cookies, as further described in Our Cookie Policy.

7. Purposes of Data Processing

The Company processes Personal data described in Section 5 for the following purposes: concluding contracts; statistical and analytical purposes; user support; sending marketing e-mails and newsletters; user authorisation on the Website; improving the Website; providing the Website’s functionality; the KYC procedure; and analysing interaction with the Website for marketing and advertising campaigns.

Where the provision of identification and KYC data is necessary to conclude or perform a contract with you, or to comply with a legal obligation (including AML/KYC law), providing this data is mandatory. If you do not provide it, We will not be able to open or maintain your account, process your transactions, or otherwise provide the Services.

As part of Our AML/CTFobligations, We use automated screening tools to check your details against sanctions lists, politically-exposed-persons databases, and fraud-risk indicators. Where such screening produces a potential match, it is reviewed by a member of Our compliance team before any decision affecting you (such as a delay, a request for further information, or an account restriction) is made. We do not make decisions producing legal or similarly significant effects about you based solely on automated processing without human involvement. You may contact Us using the details in Section 14 to ask about the logic involved or to contest a decision.

8. Legal Grounds for the Data Processing

We rely on four main legal grounds to process your Personal data: consent, contract, legal obligation, and legitimate interests, as defined below.

  • Consent - your freely given, informed, unambiguous agreement to processing for a specific purpose.
  • Contract - processing necessary to perform a contract with you, or to take steps at your request before entering into one.
  • Legal obligation - processing necessary for Us to comply with a legal obligation to which We are subject.
  • Legitimate interests - processing based on Our legitimate interests or those of a third party, provided those interests are not outweighed by your rights and are specific, necessary, and balanced.

The table below sets out what data We process, why, and under which specific legal basis, including the specific legitimate interest relied on where applicable.

TYPE OF DATAWHY WE NEED ITLEGAL BASIS
Name and e-mailContact you after a 'contact me' request on the WebsiteConsent
Name, address, phone number, e-mail, payment details (e.g., wallet address)Providing Services, accepting payments, registering the User, providing account accessContract
Name, address, phone number, e-mailProviding newsletters/offers/updates that may interest youConsent (newsletters); Legitimate interest - direct marketing to existing customers (offers/updates)
Identification and KYC/AML documentationCompliance with anti-money-laundering and know-your-customer lawLegal obligation
Facial image (liveness check)Confirming your identity for KYC/AML complianceExplicit consent, together with legal obligation for the underlying KYC requirement
Cookies, technical data, data on how you use the WebsiteKeeping the Website running and secure; improving the Website; statistical analysisLegitimate interest - network/website security and service improvement (necessary/statistics cookies); Consent (marketing cookies)
Name, e-mailCustomer support (service notices, issue resolution, bug fixing)Legitimate interest - maintaining service continuity and resolving support requests; Consent (proactive notifications)

9. Sharing Data with Third Parties

We may share your Personal data with the following third-party service providers, each engaged as a processor under contract: SumSub (identity verification, sanctions, adverse media, and PEP screening, and fraud prevention); Twilio (phone authentication); Maxmind (fraud prevention and risk modelling); Google Analytics (website analytics); Sendgrid (e-mail delivery); and social media platforms including Facebook, Instagram, LinkedIn, X, YouTube, Telegram, GitHub, Discord, Medium, and Reddit (marketing and presence).

Where Personal data is transferred outside the EEA, this is carried out under an applicable GDPR transfer mechanism. For providers certified under the EU-US Data Privacy Framework, We rely on that certification. For other non-EEA providers, We rely on the European Commission’s Standard Contractual Clauses, supplemented by a transfer impact assessment. Potential risks of such transfers include differing levels of legal protection and the possibility that public authorities in the recipient jurisdiction may access data under local law; the Company does not disclose Personal data to public authorities except where legally obliged to do so, and limits any such disclosure to the minimum required.

Where you use Services provided by GRNTECH, your Personal data may be transferred to Canada. This transfer is carried out in reliance on the European Commission’s adequacy decision for Canada (Commission Decision 2002/2/EC), which recognises that organisations subject to PIPEDA provide an adequate level of protection for commercial Personal data, supplemented where necessary by contractual protections between FinSeven CZ and GRNTECH.

Reuse of KYC data between Controllers: where a User who has completed identity verification with one Controller subsequently uses Services provided by the other Controller acting as an independent controller (FinSeven CZ or GRNTECH, as applicable), the Company may share the User’s identification and KYC data between the two Controllers so the User is not required to repeat identity verification. The legal basis for this sharing is compliance with AML/KYC legal obligations (Article 6(1)(c) GDPR) and the necessity to provide the Service requested by the User (Article 6(1)(b) GDPR). Each Controller remains responsible only for its own processing; where data has been transferred to the other Controller, the receiving Controller determines the purposes and means of its own further processing.

We may also share your KYC data with other third-party virtual asset service providers We partner with, where you choose to establish a business relationship with them, and only where they comply with the GDPR or an equivalent standard of protection.

10. Rights of the Data Subject

Each Data subject has the following rights, to the extent applicable under the law governing the relevant Controller’s processing: the right of access; the right to lodge a complaint with a supervisory authority; the right to rectification; the right to erasure; the right to data portability; the right to object; and the right to withdraw consent at any time (without affecting the lawfulness of processing carried out before withdrawal).

If FinSeven CZ processed your Personal data, you may lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic (www.uoou.cz), or with the supervisory authority of your own country of residence, place of work, or place of the alleged infringement. We will respond to your request within one month of receipt, extendable by a further two months where necessary given the complexity or number of requests.

If GRNTECH processed your Personal data, you may direct a complaint to the Office of the Privacy Commissioner of Canada (www.priv.gc.ca). We will respond to your request within thirty days of receipt, extendable where permitted under PIPEDA. Where GRNTECH relies on your consent, it will request this in clear, plain language, presented separately from other terms, at the time and in the context your Personal data is collected.

We may request specific information from you to confirm your identity before actioning a request, as a security measure. You do not need to pay a fee to exercise your rights, but We may charge a reasonable fee, or decline to act, where a request is manifestly unfounded, repetitive, or excessive.

Where Personal data has been shared with the other Controller under Section 9, you should direct requests relating to that Controller’s own processing to that Controller directly. Each Controller is responsible only for its own processing activities and does not determine the purposes or means of the other Controller’s processing.

11. Security and Protection of Personal Data

The Company takes reasonable measures to protect your Personal data from unauthorised access, loss, misuse, alteration, or destruction, including: restricting access to authorised personnel bound by confidentiality; not permitting third parties to contact you on an unsolicited basis about their own products; not selling, trading, or renting your Personal data; testing systems for vulnerabilities at least once every 12 months; protecting access to confidential data through passwords or access tokens; testing incident-response processes at least once every 12 months; and monitoring logs and security events through an automated system that generates alerts for abnormal activity.

12. Storage of Personal Data

We limit the period of Personal data processing to the necessary minimum. Retention periods are set by reference to the type of data, applicable legal obligations, and operational need, as follows:

  • Identification and KYC/AML data:
    • Where FinSeven CZ is the Controller: retained for 10 years after the end of the business relationship, in accordance with Section 16 of Czech Act No. 253/2008 Coll. on Selected Measures against Legalisation of Proceeds of Crime and Financing of Terrorism.
    • Where GRNTech is the Controller: retained for 5 years after the date the record was created or the transaction took place, in accordance with the record-keeping requirements of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and FINTRAC guidance.
  • Marketing consents and related data: retained until you withdraw consent or object to further processing.
  • Customer support records: retained for a reasonable period after resolution of your query, to allow for follow-up and quality review.
  • Cookies and analytics data: retained in accordance with the retention periods set out in Our Cookie Policy.

In some circumstances, We may anonymise your Personal data for research or statistical purposes, in which case We may retain and use this information indefinitely without further notice to you, as it no longer identifies you.

13. Changes to the Privacy Policy

This Policy is presented in its most up-to-date version. We may amend it over time, including to reflect changes in applicable law. Changes take effect once published on this page, unless a different date is indicated in the amendment. We will make reasonable efforts to notify Users of material amendments, but you should check this page periodically for the latest version.

14. Contacting Us

For matters relating to processing of your Personal data: e-mail [email protected], or use the support form at https://guardarian.freshdesk.com/support/tickets/new.