The Data Controller of the personal data is BB Trade Estonia OÜ with its registered office in Tallinn, Harju maakond, Lasnamäe linnaosa, Lõõtsa tn 8a, 11415, Estonia, an Estonian law company, entered in the Register of Entrepreneurs of the Ministry of Justice of the Republic of Estonia under number: 14814864, share capital: EUR 50,000.00, fully paid-up (hereinafter referred to as the “Data Controller”).

The Data Controller pursues its disclosure duties in line with Art. 13 and Art. 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: “GDPR”).

This information clause, hereinafter referred to as the “Clause”, sets forth the rules of collection, processing and use of personal data of customers and beneficial owners. The Data Controller shall take all reasonable efforts to provide information to data subjects when data is not collected directly from data subjects but from customers, in compliance with Art. 14 of the GDPR.

In the circumstances at hand, the provision of such information may prove impossible or hindered or may require disproportionate efforts as referred to in Art. 14.5.b of the GDPR. Therefore, the Data Controller has published this clause on its website; additionally, the Customer has agreed to provide this GDPR disclosure clause to beneficial owners.

I. The Data Controller shall process the personal data of:

  • Customers (users)
    • a) institutional customers – login/e-mail address, full name, registered office address, NIP/REGON/KRS, business objects, information on the source of funds: from its business operations, merger/acquisition, investments, cryptocurrency mining (ID of mined blocks), savings, other sources and all other data as provided in documents evidencing such sources of income (e.g. confirmation of bank transfers, court judgement, bank documents);
    • b) individual customers – first and last name, address, telephone number, login/e-mail address. Information on the source of funds: pursued profession / salary, donation, investments, cryptocurrency mining (ID of mined blocks), savings, other sources and all other data as provided in documents evidencing such sources of income (e.g. confirmation of bank transfers, payslips, donation agreements, notary deeds, tax returns).
  • Shareholders / members of institutional customers - information on the customer’s shareholding structure (first and last names, percentage shareholding, date when shareholding established);
  • Beneficial owners – first and last names, father’s/mother’s first names, PESEL, date of birth, place of birth, country of birth, citizenship, address of residence (city, street, house number, apartment number, postal code), ID document (type, number), telephone number, information on the status of a politically exposed person, information on the status of a person known to be a close collaborator to a politically exposed person, information on the status of a family member of a politically exposed person.

II. Legal basis for the personal data processing:

  • a) contractual requirements - data processing is required to perform the agreement with the Data Controller (use of the account in the portal), in compliance with Art. 6.1.b of GDPR – in relation to the customers’ personal data;
  • b) compliance with a legal duty imposed on the Data Controller - duties resulting from Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directive 648/2020 and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (Text with EEA relevance), hereinafter referred to as the “AML Directive” and the Estonian Act of 26 October 2017 on the prevention of money laundering or terrorist financing, hereinafter referred to as the “AML Act”, in compliance with Art. 6.1.c of GDPR - personal data of Customers, beneficial owners, shareholders / members of institutional customers;
  • c) legitimate interests of the Data Controller – consisting in particular in: ensuring security and property protection, protection of information, potential pursuance of claims and damages, improving service quality, adaptation of services, marketing of products of the Data Controller, in compliance with Art. 6.1.f of the GDPR - personal data of Customers;

III. The provision of personal data is required by law and is a condition to enter into an agreement with the Data Controller. Data subjects are obliged to disclose their personal data. If customers fail to disclose their personal data, the agreement with the Data Controller cannot be performed and the services provided on the portal can no longer be used.
The Data Controller has acquired the personal data of beneficial owners and personal data of shareholders/members of institutional customers directly from Customers.

IV. Customers’ personal data shall be subject to automated decisions when Customers’ accounts are verified in the portal with Netverify software provided by Jumio Corporation. Automated decisions are required to use the services of the Data Controller provided via the portal in compliance with Art. 22.2 of the GDPR. Netverify software automatically suggests whether Customer verification should be approved, rejected or forwarded for manual verification by the Data Controller. The Customer verification process is not fully automated. Final decisions are taken by BitBay employees. Automated decisions are also made in the assessment of customer risk as required by the Estonian Act on the prevention of money laundering or terrorist financing of 26 October 2017. On the basis of information collected in the KYC process, Customers are assigned a risk class. Assignment of a higher risk class results in the application of more intensive financial security measures. Although the risk class is assigned automatically, it may be manually modified for a customer.

V. In connection with personal data processing, in certain situations you will be entitled to the following rights:

  • the right to access your data
  • the right to correct data
  • the right to have the data deleted
  • the right to have processing restricted
  • the right to object
  • the right to data portability
  • the right to file complaints with the supervisory authority – when personal data is processed contrary to the applicable laws, you can always file a complaint with the supervisory authority – the Estonian Data Protection Inspectorate, 39 Tatari, 10134 Tallinn, Estonia.

VI. In case of need, the Data Controller may transfer your personal data for processing to the following third parties:

  • business partners, banks, payment operators; this is required in connection with our business operations, in particular to pursue our contractual relations with such third parties, handle and provide appropriate services, comply with applicable laws and requirements concerning security, communication with you and third parties, compliance by the Data Controller with financial obligations and to respond to legal requests and demands;
  • processors;
  • public bodies, institutions or third parties authorised to demand access or to receive personal data subject to applicable legal regulations, e.g.: Ministry of Finance, Financial Analysis Units, Internal Revenue Service.

The Data Controller may enter into written agreements entrusting the processing of personal data to other entities (Processor). The right to enter into such agreements is based on applicable laws. Such processors may include: companies providing IT services, audit firms, accounting firms, entities providing employee outsourcing services, entities offering software for customer services, companies providing e-mail services (Google Inc.), server hosting services, collection companies, law firms.

Such processors shall be subject to contractual obligations relating to the implementation of technical and organisational measures to protect the personal data of the interested persons and users, and to process such data solely in compliance with the instructions of the Data Controller.

In order to open an account in the portal and to have your user identity verified, your personal data will be forwarded to entities providing verification services of scanned documents (Jumio Corporation, LexisNexis Risk Solutions Europe Limited).

We inform you that some of our business partners and certain processors may have their registered offices outside the European Union and the European Economic Area (EEA). In such instances, we always verify if those partners assure an adequate protection level for personal data. Such guarantees result in particular from the duty to apply standard contractual clauses set forth in Commission Decisions (2010/87/EC and/or 2004/915/EC) or the fact that the entity is a member of the EU-USA Privacy Shield.

Your personal data may be disclosed to entities related to the Data Controller by capital or personnel: taXsaprent sp. z o. o., Orion Software sp. z o. o., Expofer service house s. r. o, ICEO sp. z o. o., Pinewood Holdings Limited, BITBAYPAY AS., to the extent required for business cooperation with those entities and to perform contractual obligations.

VII. In view of the overriding principles of the GDPR, in particular the principles of restricted purposes, restricted storage and the principle of data minimisation, we process your personal data solely for the minimum period that is required to achieve the objectives of processing and as permitted by applicable regulations. When the processing objectives have been achieved, your personal data will be deleted as long as permitted by applicable laws. Depending on the legal basis underlying the processing of your personal data, different storage periods may apply.

Your personal data will be stored until any potential claims expire or when the duty to store your personal data as required by law expires (in particular as set forth in the AML Directive and in the AML Act or for 5 years after closing of business relationships/cooperation).

VIII. With respect to all matters, including those related to personal data, you may contact us by writing to the registered office address or by e-mail to: [email protected]