Privacy Policy BitBay Estonia

Privacy Policy

The data controller is BB Trade Estonia OÜ, with its registered office in Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 8a, 11415, Estonia, incorporated under Estonian law and registered in the Register of Entrepreneurs of the Ministry of Justice of the Republic of Estonia with the number 14814864; share capital: EUR 50.000.00, fully paid-up, (hereinafter referred to as the ‘Controller’).

The Controller takes care to ensure a high standard of protection of the users, interested parties and visitors to This Privacy Policy, hereinafter the ‘Policy’, sets forth the rules for the collection, processing and use of the personal data of the website’s users, interested parties and visitors.

The purpose of this Policy is primarily to inform the users, visitors and interested parties about their rights in relation to the processing of their data by the Controller.

In our activities we commit to complying with this Policy and with the requirements of the provisions of the law in force, such as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter ‘GDPR’) and the Estonian Act on Personal Data Protection of 12 December 2018.

I. Definitions

Whenever this Policy mentions:

  • a) processing – this means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • b) controller – this means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • personal data – this means any information relating to an identified or identifiable natural person (‘data subject’). This includes the data of users and interested parties;
  • d) processor – this means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • e) profiling – this means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  • f) pseudonymization – this means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  • g) user – this means a person or entity having registered at and passed verification or being in the process of verification;
  • h) visitor – this means a person browsing the website;
  • i) interested party – this means a person having submitted an inquiry/report via or to the contact data specified at

II. Categories of data processed

The Controller collects and processes the following categories of personal data (without limitation):

  • user data – e-mail address, login, full name, safety code, citizenship, residency, country of birth, login history, telephone number, PESEL number, date of birth, data from their personal ID card/passport/residency card (series and number, expiry date, place of issue, state of issue), image (photo or video), residence address (street name, street number, apartment number, postal code, town, country), data from utility bills, information about business activity, purpose of creating an account, source of funds transferred into the exchange, source of funds available to the user, information about any political positions held (status of a Politically Exposed Person (‘PEP’) or a PEP’s family member or close collaborator); image (service link via a third-party tool, e.g. Facebook, Google or Weibo), details of orders (amount spent, date, time, vouchers or offers used), data for fraud prevention, data required by anti-money laundering (‘AML’) provisions, payment data (including verification data); data from your messages concerning the Services (e.g. chat logs and support requests) or your feedback about your experience with the Controller; additionally for corporate users: form of legal organisation, company name/business alias, Tax ID (NIP), KRS (Polish National Court Register) or some other company register, REGON (statistical number), country of business, date of formation, website, information about board members, information about real beneficiaries, information about partners/shareholders (equity structure, how many shares held);
  • visitor data – the computer’s IP address, pages opened, duration of the visit, number of the various page views, number of visits, referral source; however, these are only used for statistical purposes and to improve the website’s contents – use of Google Analytics, and, if the user uses portable devices, then the identification data of that device, data of the ISP and the subscriber’s data; however, these shall only be used for statistical purposes or to ensure the correct operation of the website;
  • data of interested parties – e-mail address, title, category, subject and body of the message, image (face photo and ID document) – where necessary to establish identity.

IV. Automated processing decision

Personal data of users are subject to an automated processing decision based when verification of user’s account on the site using the Onfido program (Onfido Limited). Decision based in an automated processing is used to use the services of the Data Administrator of services rendered for the service in accordance with art. 22 sec. 2 p. of GDPR. The Onfido program automatically decides whether the user account verification is approved, rejected or sent for manual checking by the Data Controller. The user verification process is not fully and solely automated.

V. Your rights

In the context of the processing of your personal data, you have the following rights:

  • right to access the data – the data subject has the right to receive from us confirmation that the subject’s data are indeed processed by us, or not, and if so, then to demand access to their own personal data. Information about access includes, without limitation, the purpose of data processing, the categories of data processed and the recipients or categories of recipients to whom your data have been or shall be disclosed. This is not an absolute right, however, and your right of access may find some limitations due to the interests of other people. You have the right to receive a copy of your data being processed. Receiving the first copy is free of charge.
  • right to have the data rectified – the data subject has the right to require the Controller to rectify the data subject’s personal data without delay when such data are inaccurate;
  • right to be forgotten – the data subject has the right to require the Controller to erasure the subject’s data without delay, and the Controller has the obligation to delete such data without unnecessary delay if one of the legal grounds for this is met;
  • right to restrict the processing – the data subject has the right to require the Controller to restrict the processing in the following cases:
  • a) the data subject disputes the accuracy of the data – for a period allowing the Controller to verify the accuracy of such data;
  • b) the processing is unlawful and the data subject opposes the deletion of the data, instead requiring that the processing be restricted;
  • c) the Controller no longer needs the data for the purposes of the processing, but the data subject needs the data for the purpose of determining, pursuing or defending themselves against claims;
  • d) the data subject has lodged an objection against the processing – until it can be determined whether the Controller’s legitimate reasons override the data subject’s objection;
  • right to object – the data subject may at any time object to the processing in the light of the subject’s individual situation. This is not an absolute right, and in some situations it shall not apply; for example when the processing is necessary in order to protect a right in judicial proceedings;
  • right to data portability – the data subject has the right to receive the personal data in a structured, commonly used and machine-readable format and the right to transmit such data to another controller without hindrance from the Controller, after meeting certain requirements specified by the provisions of the law;
  • right to lodge an objection with the supervisory body – the data subject has the right to lodge an objection with the supervisory body, which in this case is the Estonian Data Protection Inspectorate; you can exercise this right when you believe that we are processing your data without justification or not in compliance with the provisions of the law in force.

If you want to exercise any of the above-described rights or you have any questions concerning the processing of your data, please contact us at

  • (e-mail): [email protected]
  • or (by registered mail): BB Trade Estonia OÜ, Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 8a, 11415, Estonia.

For security reasons, we may require your requests to be made in written form. We have the right to decline your requests if we have reasonable grounds to believe that they are unfair, impossible to comply with or could threaten the privacy of others.

If you believe that we are processing your personal data in violation of the provisions in force, you always have the right to lodge an objection with the supervisory body – the Estonian Data Protection Inspectorate at 39 Tatari, 10134 Tallinn, Estonia.

VI. Data transfer

If necessary, the Controller may transfer your data to the following third parties for processing:

  • business partners, banks, payment operators – if necessary in connection with our business activity, especially for the purpose of performing our contracts with such third parties, providing services and ensuring the appropriate standards of performance and compliance with the provisions of the law and safety requirements, communicating with you and with third parties, meeting financial obligations and responding to your requests and legal demands;
  • data processors (processing entities)

The Controller may enter into written data processing contracts with another entity (processor). The right to enter into such contracts arises from the provisions of the law. Processors may include, without limitation: IT service providers, auditors, accounting firms, outsourced workforce providers, customer service software providers, e-mail operators (Google Inc.), server hosting providers.

Processors shall be contractually required to implement appropriate technical and organisational measures in order to protect the data of interested persons and users and to process such data only in accordance with the Controller’s instructions.

For the purpose of registering an account on and for verification of your identity, your data shall be transferred for processing to entities providing the authentication of scans of documents as a service (Onfido Limited, LexisNexis Risk Solutions Europe Limited).

Additionally, please be informed that the data controller transfers your personal data to the business partner - Livechat Inc.(101 Arch Street, 8th Floor, Boston MA 02110, United States of America), while you use the chat on the website Currently, the USA does not ensure an adequate level of protection of your data (mainly due to the loss of legal force of the Privacy Shield) due to the lack of a decision by the European Commission regarding the determination of an adequate level of personal data protection, and we do not provide appropriate safeguards specified in art. 46 GDPR, including we have not concluded standard contractual clauses with the data recipient, and we do not have binding corporate rules. Therefore, we would like to inform you that due to the lack of appropriate safeguards, there is a risk of insufficient protection of your data. In this case, the basis for the transfer of personal data is your voluntary consent in accordance with the art. 46 sec. 1 p. A of GDPR.

Moreover, your personal data may be disclosed to competent public authorities if required by the current provisions of the law.

Your personal data may be disclosed to the Controller’s affiliates (companies with capital or personal ties) – viz. taXsaprent sp. z o. o., Orion Software sp. z o. o., Expofer Servis House s. r. o., Pinewood Holdings Limited, BITBAYPAY A.S. – to the extent necessary for business collaboration and the performance of contractual obligations.

VII. Security measures

Your personal data are stored and protected in accordance with the principles set out in the provisions of the law in force. The Controller undertakes appropriate measures to:

  • prevent data loss, unauthorised access, use, destruction, modification or disclosure;
  • ensure appropriate technical and organisational protections;
  • protect the personal data according to the risk level and any special category of personal data.

Taking into accounting the current state of technology, costs, nature, scope, context and purposes of the processing operations, as well as the rights and freedoms of individuals, such activities may include, without limitation, pseudonymization and encryption of personal data, measures ensuring confidentiality, integrity, availability and resilience, restoration measures, as well as procedures for regular testing, evaluation and assessment of the effectiveness of the security measures used.

VIII. Storage period

Having regard to the overriding principles of the GDPR and especially the principles of restricting the purpose, storage and scope of data, we process your data only for a period no longer than necessary to achieve the purposes of processing and no longer than permitted by the provisions of the law. After achieving the purpose of processing, your data shall be erasure, as long as the provisions of the law allow this to be done. Depending on the legal basis for processing, different storage periods may apply.

Your data shall be stored until the statute of limitation runs out on any claims or until the legal obligation to store your data expires (especially obligations arising from the AML Directive and the AML Act).

The personal data of interested parties shall be stored until they withdraw their consent or until the Controller’s response (as long as this is possible in the light of the provisions of the law).

Users’ personal data shall be stored for the duration of the contract, until the claims expire and for 5 years after the end of the business relationship/collaboration.

IX. Age policy

Our services are not intended for persons younger than eighteen (18) years of age. We have no intention of processing their personal data. If you are younger than 18, do not use our Services and do not send us any information about yourself. If we become aware that we have been processing the personal data of a person younger than 18, we shall erasure such data as soon as possible.

X. Modifications

We may amend this Privacy Policy from time to time. You shall be notified of any amendments by publication of a new, modified Privacy Policy. We recommend that you read through the contents regularly.