Privacy Statement For Application Users
This Privacy Statement for Customers (the “Privacy Statement”) provides you with the information about how we, company Firefish Labs s.r.o., having the seat at Křižíkova 148/34, Karlín, 186 00 Prague 8, Czech Republic, ID number (IČO): 17 206 227, registered by the Municipal Court in Prague under the file No. C 368202 (the “Company”, or “we”, or “our”) process your personal data when you browse our website www.firefish.io (the “Website”), or when you use our application Firefish App (the “Application”) available on the Website.
Please note that the content of this Privacy Statement might be updated from time to time. This version of the Privacy Statement is effective as of 21 December 2022. You can always find an up-to-date version of this Privacy Statement on our Website.
With respect to the Privacy Statement, we will be responsible for protection of your personal data as a data controller. This Privacy Statement explains how we will use your personal data obtained directly from you. In this Privacy Statement we provide you with the following information:
- Whose data will be processed?
- Why do we process your personal data, which data do we process and on which legal basis?
- With whom may we share your personal data?
- Do we transfer your personal data to third countries?
- How long do we process your personal data?
- Are you subject to automated decision making or profiling?
- Which measures do we use to protect your personal data?
- What are your rights?
- How can you contact us?
For the purposes of this Privacy Statement, the abbreviation “GDPR” means General Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Please be informed that the information provided in this Privacy Statement shall fulfil our information obligation based on art. 13 of GDPR and we use all our efforts to ensure our compliance with the applicable data protection legislation
Please note that this Privacy Statement applies exclusively to the processing of personal data carried out by us. This Privacy Statement does not deal with the processing methods and data protection practices of other third parties for which we are not responsible. Further, note that we do not process personal data of persons younger than 18 years old.
1. Whose data will be processed?
We process personal data of the following categories of data subjects:
a) visitors of our Website,
b) customers, who use the Application dedicated to bitcoin-backed loans
(“you” or “your”).
2. Why do we process your personal data, which data do we process and on which legal basis?
Our main purpose for processing your data is (i) to enable you to use the Application with all of its benefits, (ii) fulfilment of our legal obligations arising from your use of the Application, (iii) our legitimate interest to promote our services and provide you with relevant marketing offers, (iv) to provide you with the best possible experience when browsing our Website.
Please note that we process your data obtained directly from you in a limited scope, securely, only when we have a justified reason and legal basis for such processing and in compliance with applicable data protection legislation.
If you are interested, please find below a more detailed overview of the purposes for processing of your data, concrete scope of processed data and applicable legal basis.
Purpose | Detailed purpose description | Scope of processed data | Applicable legal basis |
Account registration | If you want to use the Application, you have to create a user account. | We process your name, surname, e-mail address and your username. | Art. 6 (1) (b) of GDPR for the performance of a contract or to take steps prior to conclusion of a contract |
Verification of your identity for AML purposes | In order to benefit from the main functionality of the Application, i.e. bitcoin-backed loans, we need to verify your identity in compliance with the applicable anti-money laundering legislation. | We process your name, surname, date of birth, age, contact address, residency address, birth registration number, place of birth, sex, nationality, details included in your ID or passport, including the photo of this document, your photo or video with your image, and other data required by the applicable AML laws. | Art. 6 (1) (c) of GDPR for compliance with a legal obligation to which we are subject |
Preparation of peer-to-peer loan agreement | To enable you to benefit from the bitcoin-backed loans provided through the Application, you enter into a peer-to-peer agreement either as a loan provider or as a borrower. The process of agreement preparation and conclusion is directed through the Application. | We process your name, surname, residency address, contact details (phone number, e-mail address), bank details (e.g., name of the bank, bank account number), amount of the loan, information about terms of loan payment, information about your position in the peer-to-peer contractual relationship, details about your bitcoin resources. | Art. 6 (1) (b) of GDPR for the performance of a contract or to take steps prior to conclusion of a contract
Art. 6 (1) (c) of GDPR for compliance with a legal obligation to which we are subject |
Provision and loan, loan administration and loan repayment | We process your personal data to manage and facilitate the process of receipt of the financial resources from the loan and loan repayment. | We process your name, surname, residency address, e-mail address, bank details (including information from bank statements), details from peer-to-peer contact, details concerning the conditions of loan provision and loan payment, details about your bitcoin resources and possibly other necessary data. | Art. 6 (1) (b) of GDPR for the performance of a contract or to take steps prior to conclusion of a contract
Art. 6 (1) (c) of GDPR for compliance with a legal obligation to which we are subject |
Use of Application and further technical development of the Application | The Application provides several functionalities and enables us to communicate with you regarding the bitcoin-backed loans and other related matters. We also wish to further develop the Application and provide you with the best possible user experience, thus from time to time we run the technical tests and allow you to use the new features. | We process your account data, content of our communication with you, technical details of your device, your IP address, your behaviour when using the Application. | Art. 6 (1) (b) of GDPR for the performance of a contract or to take steps prior to conclusion of a contract
Art. 6 (1) (f) of GDPR for the purpose of our legitimate interest to solve potential issues related to the use of Application and to further develop functionalities of the Application |
Customer relationship management | When you decide to use the Application and accept the relevant terms and conditions, throughout the duration of our cooperation, we need to communicate with you to respond to your queries, to prepare your peer-to-peer agreement or its amendment, to adjust our terms and conditions, to discuss details of our cooperation and your use of the Application, etc. | We process your name, surname, your contact details, information about your account, data concerning your activity in the Application, technical details of your device, your IP address, content of our communication, content of our contract (terms and conditions) and your peer-to-peer agreement. | Art. 6 (1) (b) of GDPR for the performance of a contract or to take steps prior to conclusion of a contract |
Maintaining database of customers | We keep a database of the existing users of the Application for our internal administration purposes, as well as for our business development. | We process your name, surname, contact details (e-mail address), your account details. | Art. 6 (1) (f) of GDPR for the purpose of our legitimate interest to maintain database of our customers |
Marketing and promotion | We want to promote our services and develop our business. Therefore we provide you with some electronic marketing communication containing information about our company and services we offer. | We process your name, surname, email address. | Art. 6 (1) (f) of GDPR for the purpose of our legitimate interest to provide you with direct marketing communication |
Visiting our Website | When you look for certain information about us and our services, or if you decide to contact us, or when you browse our Website. | We process mostly technical data about your device which you use to access our Website and information about the browser you use when you visit the Website. | Art. 6 (1) (a) of GDPR based on your explicit consent
Art. 6 (1) (f) of GDPR for the purpose of our legitimate interest to ensure function of the Website (applicable only for technically necessary cookies) |
Dispute resolution, exercising and defending our legal claims | We may process your personal data for the purposes of solving legal disputes, claims complaints or other similar proceedings arising from or related to your use of the Application and your peer-to-peer agreement, including loan provisioning itself. | We will process your personal data mainly your name, surname, your contact details (address, e-mail address), your account details, content of your peer-to-peer agreement, information related to the contract between you and us, content of our communication, your requests, suggestions, complaints, any other personal data that may relate to the provision of services and use of the Application, or is necessary to solve the dispute. | Art. (6) (1) (f) of GDPR for the purpose of our legitimate interest to handle disputes that may arise our cooperation
Art. 6 (1) (c) of GDPR for compliance with a legal obligation to which we are subject |
Fulfilment of our legal obligations | We are obliged to process your personal data to fulfil our various legal obligations (e.g., tax obligations, accounting obligations, data protection obligations, etc.). We may also be obliged to provide your personal data in case of inspection by public authorities, based on the requirements of regulatory authorities, when requested by them and for preventing, monitoring and proving fraud, combating money laundering and other criminal activities. Further, we may have to process your personal data to comply with a decision of respective public authority or with a judicial order. | The scope of personal data we process for this purpose depends on the requirements imposed on us by the public authorities and by applicable law. | It is our legal obligation to process your personal data within the meaning of art. 6 (1) (c) of GDPR. |
In cases where we process your personal data based on our legitimate interest according to art. 6 (1) (f) of GDPR, you are entitled to object to such processing according to art. 21 of GDPR. If you decide to object to the processing, please do so by contacting us through the contact information below.
If the processing of your personal data is a contractual requirement according to art. 6 (1) (b) of GDPR and you decide not to provide us with this personal data, such action may result in the impossibility of concluding a contractual relationship with you, or other complications related to the fulfilment of our contractual obligations.
Whenever we process your personal data based on your consent given to us in accordance with the art. 6 (1) (a) of GDPR, you have the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. If you wish to withdraw your consent to the processing of your personal data, please contact us via the contact information below.
If we are legally required to process personal data, you may have an obligation to provide us with that personal data. If you refuse to do so, it may have various legal consequences for you and for us, including adverse consequences (e.g., impossibility to perform relevant action, impossibility of further cooperation, etc.).
3. With whom may we share your personal data?
We may share your personal data with our suppliers who support us in our business or provide us with partial services, e.g. marketing services, postal services, online payment method providers, legal, accounting and audit services, tax advisors, various IT and support services, technical subcontractors, etc. These include following entities:
- tedsig solutions s.r.o., Dukelskych hrdinu 567/52, Holesovice, 170 00 Praha 7, for the purpose of operation of certain technical features and functions of the Application.
We do not permit our suppliers to sell any personal data we share with them, or to use any personal data we share with them for their own purposes or for other purposes than to perform the services they provide to us. Before engaging any supplier, we perform extensive due diligence, including detailed privacy, security and legal analysis. We do not engage a supplier unless our quality standards are met. Our suppliers are all subject to contract terms that enforce compliance with applicable data protection laws.
Certain of our employees and coworkers may have access to your personal data as well. In such a case, access shall be granted only if it is necessary for the purposes described and only if the respective employee is bound by the confidentiality duty.
Further, please be informed that our suppliers may engage additional contractors to support them in their business and to provide them with certain services, which can possibly also require processing of your data. Such services may include but are not limited to: cloud services and website hosting, data analysis, information technology and related infrastructure, customer service, mail delivery and postal services, banks and payment method providers, accounting, legal, tax and audit services. These further contractors should provide their services based on the contract, under which they are obliged to follow applicable law, especially with respect to observance of applicable data protection legislation.
Lastly, please note that we may share your personal data if required to do so by law or decision of respective public authority or court order, for example with our suppliers or clients, tax authorities, social security agencies, law enforcement agencies or other governmental agencies.
4. Do we transfer your personal data to third countries?
We do not process your personal data outside the EU/EEA. Our partners are located in the EU/EEA, however they may have the subcontractors located in the third countries outside of the EU/EEA territory or process personal data in third countries in a different way. We strive to ensure that your personal data is transferred exclusively to countries that are considered to have an equivalent level of personal data protection in accordance with the relevant European Commission decision, or where the appropriate personal data protection measures are in place. Whenever necessary, we rely on standard contractual clauses for data transfers to third countries or require compliance with other additional guarantees and measures. Regardless of the country in which your personal data is processed, we take appropriate technical, security and organisational measures to ensure that the level of protection is the same as in the EU/EEA. If you have any concerns about the international transfer of your personal data and the relevant safeguards, you can contact us via email sent to the address mentioned above.
5. How long do we process your personal data?
We store your personal data as long as is necessary to fulfil the purpose mentioned in this Privacy Statement, for which the data were obtained (e.g. use of the Application and provision of bitcoin-backed loan), to pursue our legitimate interests and comply with applicable laws. This means that we will retain most of your personal data in our systems throughout the duration of your use of the Application and payment of the loan. However, if possible, we will erase certain of your data even before, once it is not needed for the original purpose. Please note that we may process some of your personal data for longer period of time, even after the termination of our contractual relationship, if e.g.: (i) the applicable law (e.g. tax, AML and accounting laws requires us to do so), (ii) if there is an ongoing legal proceeding, or (iii) in exceptional cases, if you have given us the permission to keep your personal data on record for a longer period of time. Please note that the above stated period may be prolonged in case of the request of the relevant public authority or of the court.
6. Are you subject to automated decision making or profiling?
Your personal data are not used for automated decision-making or for profiling.
7. Which measures do we use to protect your personal data?
We make reasonable efforts to ensure a level of security appropriate to the risk associated with the processing of your personal data. We maintain technical and organisational measures designed to protect your personal data within our organisation against relevant security threats, including against unauthorised access, destruction, loss, alteration, or misuse. As already mentioned above, your data are accessible only to a limited number of personnel who need access to perform their duties. In case you wish to learn more about our technical and organisational measures, please do not hesitate to contact us on the contact details mentioned below.
8. What are your rights?
You are entitled to exercise your rights as a data subject with respect to the processing of your personal data. Please see the table below for more details.
Your right | What does it mean? |
Right to access | You have the right to obtain the information whether your personal data are processed, and if yes, you can request a copy of your personal data we process, for which we may charge you with a fee.
If we process your personal data, you can request information about:
- why we process your personal data,
- which personal data we process,
- with whom do we share your personal data,
- for how long we store your personal data and how do we determine the period,
- your rights to rectification or erasure, restriction or objection of processing of your personal data,
- your right to lodge a complaint with a supervisory authority,
- from where we collected your personal data, if not directly from you,
- whether you are subject to automated decision making or profiling,
- whether we transfer your personal data to third countries.
All of the above-mentioned information is included in this Privacy Statement. |
Right to rectification | It is important that we have the correct information, and we request you to notify us if any of your personal data is incorrect or if any of your personal data have been changed. We will rectify your personal data without undue delay upon your notification. |
Right to erasure (“right to be forgotten”) | If the processing of your personal data is no longer necessary or has been unlawfully processed, you withdraw your consent or object to the processing of your personal data, you may request us to erase your personal data. |
Right to restrict processing | From the moment when you (i) asked for rectification of your personal data, or (ii) objected the processing, until we assess your request (e.g. to confirm the accuracy of your personal data or to rectify them according to your instructions), you are entitled to request us to restrict the processing.
You may also request us to restrict the processing of your personal data if the processing was unlawful, but you do not want us to delete your personal data, or if we do not need your data anymore for the original processing purposes, however the data are important for defending your legal claims.
This means that we (except for the retention of personal data) may process your personal data for which the processing was restricted, only if you consented with such processing, if it is necessary in connection with legal claims, to protect someone else's rights, or if there is a significant public interest in processing. |
Right to object processing | If we process your personal data based on our legitimate interest or for direct marketing purposes, you may object to such processing.
We can process your personal data further if we can demonstrate the compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. |
Right to data portability | You may request us to provide you with the personal data that you provided to us for the processing based on the consent or for fulfilment of the contract. We should provide you with your personal data in a structured, commonly used and machine-readable format. You also have the right to request the transfer of these data directly to another data controller, if it is technically feasible. |
Right to withdraw your consent | When we process your personal data based on your consent, you have the right to withdraw such consent at any time. Please note that the withdrawal of your consent does not affect legality of the processing previously performed based on the originally granted valid consent. |
Rights related to automated decision making and profiling | You have the right not to be subjected to automated decision-making, including profiling, which produces legal effect for you or has a similar significant effect. We do not use automated decision-making or profiling for the outlined purposes of data processing. However, if you have been subject to an automated decision and do not agree with the outcome, you can contact us using the details below and ask us to review the decision in a non-automated manner. |
9. How can you contact us?
If you have any questions or complaints about this Privacy Statement or processing of your personal data, please do not hesitate and contact us electronically via e-mail to:
