Privacy Policy

We are very keen on being compliant with the European data protection rules and principles to protect you and your personal data. We at Safello will always go the extra mile to protect your privacy data and never sell it to any third parties. This Privacy Policy contains all information related to the data processing of Safello, concerning the collection, use, storage, disclosure and erasure of data. Please, revise this Privacy Policy carefully before you disclose any of your personal data to us.

1. Preamble

1.1. Safello AB as data controller (hereinafter: ’Safello’) is a cryptocurrency exchange company registered in Sweden, operating a brokerage platform offering and enabling users to safely and securely buy and sell established cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH) and XRP (hereinafter: ‘Services’). If you, as our customer, use our Service or are interested in it (hereinafter: ‘Customer’ or ‘Data Subject’), you may disclose certain personal data to us.

1.2. For the purposes of this Privacy Policy, the terms ‘we’ or ‘our’ etc. shall mean Safello.

1.3. Capitalized words and terms used in this Privacy Policy have the same meaning as described in our Terms of Service.

1.4. This Privacy Policy requires your expressed consent, which you may withdraw at any time. You give your consent by placing a tick in the box during the Sign Up Process. Your consent shall be voluntary, expressed and based on the related, detailed information we provide to you.

1.5. Safello is responsible for the conclusion, enforcement, updating and amending of this Privacy Policy. Safello may amend this Privacy Policy unilaterally, at any time as the business processes and the relevant legal requirements develop. If you don’t agree with the modifications, you can delete your Account anytime. Please, keep in mind that deleting your Account does not mean that we delete your personal data too. This Policy gives you detailed information on how long we keep your personal data even after you delete your Account.

1.6. This Policy comes into effect upon its publication. The prevailing (current) version of this Policy is available on the website: https://safello.com/legal/privacy/.

1.7. Safello handles your personal data confidentiality and is committed to take all the safety, technical and organizational measures that guarantee the security of your data.

1.8. Safello is also committed to process your personal data lawfully, fairly and in a transparent manner; we only collect and process data that are suitable and relevant for the purposes of data processing, and are necessary to achieve such purposes.

1.9. Safello attempts to ensure the accuracy and up-to-date nature of the personal data; therefore, we take all necessary measures for the immediate erasure or rectification of inaccurate data.

1.10. Your personal data is only yours, therefore, you can request the restriction of data processing, rectification or erasure of your data and you can object to our data processing at any time, free of charge via email: . We respond to you without undue delay, but the latest within one month from the receipt of the request. If we have to reject to perform your request, we will provide a proper justification of rejection. In justified cases, depending on the complexity and number of requests, we may extend the deadline by two further months. We will inform you about such extension within one month of the receipt of your request, together with the reasons for the delay.

2. Service provider’s data

3. Applicable laws

Safello hereby declares to process your personal data in compliance with the prevailing laws and regulations, with special regard to the following:

• The related EU regulation: the General Data Protection Regulation of the European Union (Regulation 2016 / 679 (EU), the ‘GDPR’)
• Swedish Law (2018: 218) with supplementary provisions to the EU Data Protection Regulation [Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning]
• Swedish Law (2017: 630) on measures against money laundering and terrorist financing [Lag (2017:630) om åtgärder mot penningtvätt och finansiering av terrorism]
• Swedish Accounting Act, [Bokföringslag (1999:1078)]

4. Legal Ground for Data Processing

4.1. The legal ground for personal data processing is one or more of the followings:

a) your voluntary consent (Article 6 (1) (a) of GDPR)

b) contract concluded by and between Safello and the Customer for contractual performance (Article 6(1) (b) of GDPR)

c) the processing of the personal data is necessary for the performance of Safello’s legal obligations, such as auditing and accounting liabilities, or anti-money laundering and counter-terrorist financing purposes (Article 6(1) (c) of GDPR).

d) for the enforcement of the legitimate interest of Safello or a third party (Article 6(1) (f) of GDPR).

4.2. You can grant and withdraw your consent to the use of your personal data for advertisement purposes. To do so you can choose such an option after logging in to https://app.safello.com

5. The Data Processed by Safello

5.1. In order to be able to use the Services, you shall disclose certain personal information to Safello through its Website, Widget or Mobile App. If you refuse to comply with such a request; Safello is entitled to lawfully reject the provision of Services, so you may be unable to use them.

5.2. Within the scope of data processing, we can in particular pursue the following activities: to collect, record, register, systematize, store and use the personal data for the purposes of data processing, to query, block, erase and destruct your data and to prevent the further use thereof. In lack of a related legal obligation, we never publish, align or coordinate your personal data with each other.

5.3. Mandatory data provision by Customers

5.3.1. Safello may process the following data provided by the Customers. The disclosure of these data is necessary for the provision of the Services with special regard to the Sign Up Process:

5.3.2. Safello may be obligated by law to process the following data provided by the Customers. In case Safello determines, based on internal policies, the disclosure of these data is necessary for the provision of the Services:

5.3.3. Safello may process the following data provided by the Customer to Safello in the course of the performance of Services, in addition to the data set out in 5.3.1 The disclosure of these data is necessary for the proper performance of the parties’ contractual obligations, and the actual categories of data in case of a Customer may depend on the individual circumstances, such as the payment options they choose or the content of the claim submitted:

5.4. Optional data provision by Customers or other persons

5.4.1. Safello may process the following data provided by the Customers voluntarily and manually. We do not collect them during the Sign Up Process and they are not collected automatically if not included in the data processing covered by 5.3.:

5.4.2. We may also collect data from other persons who are not our Customers. The collection of these data is carried out voluntarily and manually, they are not collected automatically:

5.5. Automatic collection of data in the course of the Services

5.6. Data collected from third parties

5.6.1. We only collect your personal data collected by third parties in order to comply with our legal obligations, or, in other cases, if you have given your explicit consent to the data transfer directly to/from those third parties, which is your responsibility to arrange. We do not supervise that your consent is properly given, we trust both you and those third parties who shall also be compliant with the data protection rules. Therefore, we are not liable for the collection and processing of such data by third parties.

5.6.2. Due to the nature of the Service, Customers use services of third parties, related to payment and payment methods. Safello has no influence on the operation of these service providers, they are obliged to ensure their data protection measures in their own competence. Currently, we support the following service providers: Swish, Bankgirot, SEPA, Bank Giro, Credit/Debit Cards (including Apple Pay and GPay), Direct Payment or Payment initiation (hereinafter together: Online Payment System).

5.6.3. Safello is not a cryptocurrency wallet provider. In order to use our Service, you also need to set up and use a cryptocurrency wallet, for which you may choose any third-party provider. Safello has no influence on the operation of these service providers, they are obliged to ensure their data protection measures in their own competence.

5.6.4. When using our Services, you have the option to increase your Tier Level, and therefore your Transaction Limit using the services of our Account Analysation Partner. The details of this voluntary option are described in our Terms of Service. During this verification, we receive certain data from them, which data are described in their Privacy Policy that you separately agree to when using the verification service.

5.6.5. If you use the services of a third-party service provider (such as Facebook, Linkedin, Instagram, Google, Skype, etc.) in order to contact Safello, we do not request any data of yours from the concerned third party. To the provision or change of such data, the privacy policies of the concerned third-party service provider shall apply.

5.7. Cookies applied by Safello

5.7.1. What is a cookie? Cookies are small data files of information that our website transfers to your hard drive or mobile device to store and sometimes track information about you. Although cookies do identify a Customer’s device, cookies do not personally identify Customers. Additionally, mobile devices may use other tracking files which are similar to cookies (for example iOS devices use Apple’s ‘identifier for advertisers’ (IDFA) and Android devices use Google’s Android ID). In the context of tracking within Safello, the concept of a cookie will include an IDFA and an Android ID for the purpose of this Policy.

5.7.2 Why we use cookies: Our website uses cookies to distinguish you from other Customers. This helps us to improve our website and to provide you with a good experience when you browse.

5.7.3. Types of cookies we use:

Strictly necessary cookies: these are cookies that are required for the operation of a website, such as to enable you to log into secure areas.

Performance cookies: these types of cookies recognise and count the number of visitors to a website and are used to see how users move around. This information is used to improve the way the website works.

Functionality cookies: these cookies recognise when you return to a website, enable personalised content and recognise and remember your preferences.

Targeting cookies: these cookies record your visit to a website, including the individual pages visited and the links followed.

Generally, the strictly necessary cookies and some performance and functionality cookies only last for the duration of your visit to a website or expire when you close the website: these are known as ‘session cookies’. The functionality cookies and some targeting and performance cookies will last for a longer period of time: these are known as ‘persistent cookies’.

Third party cookies: Some of the persistent and session cookies used by our website may be set by us, and some are set by third parties who are delivering services on our behalf. For example, we use Google Analytics to track what users do on the website so we can improve the design and functionality.

5.7.4. Blocking cookies: Most browsers, mobile devices and apps automatically accept cookies but, if you prefer, you can change your browser, device or app settings to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser or device. To block the IDFA on your iOS mobile device, you should follow this path: Settings > General > About > Advertising and then turn on ‘Limit Ad Tracking’. To block Android ID on your Android device, you should follow this path: Google Settings > Ads and then turn on ‘Opt out of interest-based ads’.

6. The method and term of the use of the data collected

6.1. We only process your personal data if it is essential, suitable for and limited to the extent and duration required to the achievement of the purposes set for processing.

7. The persons having access to the data processed, data transfers

7.1. To be able to provide you with undisturbed Services, for quality assurance purposes, as well as to enable the investigation of customer claims and complaints, we might have to transfer your data to third parties. By accepting this Privacy Policy you give your expressed consent to these data transfers.

7.2. Data transfer may take place in the following cases:

We do not transfer any data to a third country.

7.3. To be able to provide you with undisturbed Services, we use the contribution of the following third-party service providers:

7.4. The Data Processor assists Safello in the smooth operation of the IT infrastructure that facilitates the storage of personal data provided to Safello, Data Processor has no direct access to personal data. We expressly declare that we have no direct or indirect liability with respect to the data processing activity of the Data Processor and the security of personal data in the course thereof; in this regard, the privacy policies and regulations of the Data Processor shall apply.

7.5. If we need to involve further Data Processors, we will notify you about that by the modification of our Privacy Policy.

8. Rights and obligations of the Parties

8.1. Processing of Customer’ data, rights of information, access to data

8.1.1. You can access your personal data which have been collected by us. Please, notify us of any change in your data, at dataprotection@safello.com. You are responsible for ensuring the up-to-date status of the personal data. In order to protect you, in case of any requests coming concerning your data, we need to verify the person requesting the data. We do not retain personal data for the sole purpose of being able to react to potential requests.

8.1.2. Safello shall take appropriate measures to provide you with all information concerning the processing of personal data, in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible way. The information is mainly provided electronically on request at the e-mail address . Proof of your identity is always required for the information.

8.1.3. Safello shall, without undue delay, but in any case within one month from the receipt of the request, inform you of the action taken following his / her request. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. Safello shall inform you of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request.

8.1.4. If Safello does not take action at your request, it shall inform you without delay, but no later than within one month from the receipt of the request, of the reasons for non-action and that you may lodge a complaint with one of its supervisory authorities and may exercise its right of judicial review.

8.1.5. The first request is free of charge. The second and all additional requests repeatedly filed can be subject to a fee, if the request is related to the same subject or subject matter in the ongoing year, the request is not for information purposes and Safello legally disregards the rectification, erasure or restriction of the personal data handled on the basis of the repeated application. The current fees can always be found here. If a repeated request is justified because the act giving rise to the request has been caused by omission or activity attributable to Safello, Safello may waive the charges set out.

8.1.6. If we process a large quantity of information concerning you, we may need you to specify the information or processing activities to which the request relates before the information is delivered.

8.2. Rectification and erasure: You can ask us to rectify your personal data if necessary or to delete them where the retention of such data infringes the provisions of the related laws and regulations or if they are no longer necessary in relation to the purposes for which they are originally processed. In practice, this means that we may deny erasure of your data in cases where we have legal grounds other than your consent for the processing of those data. For example, we are legally obligated to retain your personal data in case you have carried out a Transaction with Safello.

8.3. Withdrawal of consent and restriction of processing: In case you withdraw your consent to our processing of your personal data, we might not do that if processing is necessary for the protection of exercising the right of freedom of expression and information, for compliance with a legal obligation etc. The processing of personal data is essential until the proper, contractual completion of the contract concluded by and between Safello and you.

8.4. Right to object: You still have the right to object against the processing of your personal data considering your individual circumstances even if it is lawfully processed by Safello, for example on grounds of the legitimate interests of the controller or a third party.

8.5. Right to data portability: If you need it, we can provide you with a structured, commonly used and machine-readable format of all of your personal data processed by us and you can transmit those data to another controller.

8.6. The Obligation of the User: You are the only one who is responsible for the lawfulness, reality and accuracy (i.e. the quality) of your data under criminal liability.

9. Automated decision making, profiling

9.1. Safello carries out automated decision-making in applying the following functions:

9.2. The Age verification via BankID is applied through the integration of the BankID identification and verification into Safello’s Sign Up Process. In order to meet the legal requirements concerning money laundering and terrorism financing prevention, we must obtain certain knowledge of our Customers. For this reason, we have a legal obligation to check and verify the identity of our Customers, and we do that via BankID, to make the process as convenient as possible for our Customers. The only automated decision making we apply in relation to the Sign Up Process via BankID, is the automated dismissal of Customers who are underaged, and only for their own protection. This automated decision making is necessary for the conclusion and performance of the contract, because minors are considered an at-risk group for online fraud and other cybercrimes and they are less likely to comprehend the complexity of cryptocurrency transactions and understand their risks and consequences. Therefore, we are not offering our Services to minors and the safest way to avoid doing so, is by automated dismissal based on the BankID verification, so they are not able to finish the Sign Up Process. If, according to the Customer, a mistake happened and they are in fact over the age of eighteen, the Customer may always contact Safello support at .

9.3. Setting the Transaction Limit via our Account Analysation Partner will be applied only if Customers enable them specifically in their Account through an opt-in function within our Services. Customers may also opt out and disable the function in all cases upon their own discretion by sending a request to Safello support at . In the latter case, the automated decision-making in connection with the verification of the Customer’s bank account via our Account Analysation Partner will not be applied anymore, however, the increased Transaction Limits will decrease back to the previous state, before the verification and automated decision making. If, according to the Customer, a mistake happened and the Transaction Limits and Tier Level were set lower or higher than it should have been, or if Customer is unsure on the success of the verification process, the Customer may contact Safello support at .

9.4. Based on the above, we always ensure the right to request human intervention through Safello support, as well as, the right to object to a decision in accordance with our related complaint handling procedures. The Customer shall not be subject to discrimination or any legal disadvantage due to automated decision-making, such form of decision-making does not significantly affect the Customer either individually or as a group and it is subject to the Customer’s consent, or necessary for the performance of the contract. The use of the data collected is always limited to the direct purpose, such data shall not be used for other purposes (e.g. marketing) and may be stored only until when this is necessary for the contractual and complaint-free performance of the specific Service. The Customer may refuse automated decision-making at any time, however, in the first case, Safello cannot provide the Service, in the second case, Safello cannot provide the benefits to the increased Transaction Limits.

9.5. The following are considered to be important by us for the Customer to gain transparent information:

9.6. We do conduct profiling, e.g. individual examination of the transaction habits without making deduction in respect of the individual.

10. Further important information

10.1. Data Protection Officer: In our standpoint, Safello is obliged to appoint a data protection officer (“DPO”), because Safello processes in a narrow circle special categories of personal data or crime-related data, which is the criminal background check of our employees and subcontractors as we detailed in in point 10.3., furthermore our core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of our Customers on a large scale. Our DPO can be contacted at .

10.2. Supervisory organs and other authorities: The territorial scope of this Privacy Policy may cover also foreign authorities, if the Customer has a registered seat or business site out of Safello’s area of operation, in a foreign country. Our supervisory authority who you can turn to regarding our data processing is:

Foreign data protection authorities may also be involved if you have your location or place of business outside Sweden. You can search the relevant authority here.

10.3. Processing of sensitive data:

We do not process personal data of our Customers which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. If we decide to process such sensitive data, this activity shall be pursued with special care and diligence, having your expressed consent thereto, and only the extent it is required.

We do not process personal data of our Customers revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and we do not carry out processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

As a result of checking the criminal background of our employees and subcontractors, as mentioned in Section 5.3., we may have access to special categories of data. Legal ground of the data management of the criminal background check is that this is necessary for the performance of Safello’s legal obligations. We do not share this data with anyone outside of Safello’s organization and take all necessary precautions to maintain the safety and confidential nature of these data.

10.4. Processing children’s data:

We do not knowingly collect personal information online from children under the age of 18.

11. Personal data breach

11.1. In case of personal data breach, where the incident is likely to pose a high risk to the rights and freedoms of those concerned, we submit the report towards the data protection supervisory authority stated in sec. 10.2 and as required by the laws and regulations, without undue delay, but in any case, within 72 hours from getting aware of the incident. We have developed internal procedures in case of personal data breach, and personal data breaches are also recorded into a registry. If you are affected by such personal data breach you will also be notified, if the prevailing laws and regulations require so.

11.2. If you detect a threat of personal data breach, we ask to report it immediately via email at . Furthermore, in case of personal data breach, you may initiate a court case against Safello.

12. Changes of the Privacy Policy

12.1. Safello reserves the right to amend this Privacy Policy at any time. Amendments will be published immediately on the website.

12.2. In case of amendment, you will be notified thereof thirty (30) days prior to the date of effectiveness of amendment, via e-mail or through the website.

12.3. In case you object to such amendment, you may notify Safello thereof and disclose his/her respective comments and notices via email, furthermore, he/she may request the erasure of his/her personal data.