Privacy Dashboard
EN

Global Marketing Privacy Notice

Crypto.com Global Marketing Privacy Notice

Welcome to Crypto.com’s Global Marketing Privacy Notice (“Marketing Privacy Notice”). Please spend a few minutes to read it carefully before providing us with any information about you or any other person in relation to a Campaign, as defined below.
Last Update: 11 Mar 2025

1. Introduction

We respect your privacy and we are committed to protecting your personal data. Throughout this Marketing Privacy Notice, “personal data” shall mean any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, email, an identification number, location data, IP address, physical address, phone number, device specifications, clothing size, information contained in government issued identification documents, photos, information related to social media accounts, etc. In this Marketing Privacy Notice the terms “personal data” and “personal information” are used interchangeably.
This Marketing Privacy Notice applies to the processing of your personal data in connection with your participation in any promotional initiative organized by or on behalf of Crypto.com that aims to promote the Crypto.com products and services, including but not limited to campaigns, giveaways, sweepstakes, draws, physical and online events, games, surveys, competitions, targeted email marketing (“Campaign”).
Please note that any such Campaign is not intended for minors below the age of 18 years and we do not knowingly collect data relating to minors.

2. Purpose

This Marketing Privacy Notice aims to give you information on why and how we collect and process your personal data, as well as what your privacy rights are and how the data protection principles set out in the applicable privacy legislation protect you.It is important that you read this Marketing Privacy Notice together with any other notice or policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of why and how we are using your data.

3. Who we are

3.1. Data Controllers
The controller of your personal data is the legal entity that determines the “means” and the “purposes” of any processing activities that it carries out. Since Crypto.com is operating around the globe, this Marketing Privacy Notice applies to the processing of personal data by the following entities within the Crypto.com group. One or more of those entities might be involved in organizing the Campaign depending on your residency and/or used services: (“Crypto.com”, “we”, “us”, “our”)
Data Controller
Contact Details
    Foris DAX Global Limited
    Kilmore House, Park Lane, Spencer Dock, Dublin 1, D01 XN99, Ireland
    Foris DAX Inc.
    110 N. College Ave, STE 500, Tyler, Texas 75702
    Foris Inc.
    110 N. College Ave, STE 500, Tyler, Texas 75702
    Foris DAX MT Limited
    St. Julians, SPK 1000, level 7, Spinola park, Triq Mikiel ang Borg, Malta
    Foris MT Limited
    St. Julians, SPK 1000, level 7, Spinola park, Triq Mikiel ang Borg, Malta
    Foris DAX AU Pty. Ltd.
    Vistra (Australia) Pty Ltd
    Suite 902, Level 9
    146 Arthur Street
    North Sydney, NSW 2060
    Foris DAX Asia Pte. Ltd.
    1 Raffles Quay, #25-01 Singapore 048583
    Foris DAX Limited
    94 Solaris Avenue Camana Bay PO Box 1348 Grand Cayman KY1-1108 Cayman Islands.
    Foris DAX UK Limited
    Suite 5, 7th Floor 50 Broadway, London, United Kingdom, SW1H 0DB
or the relevant Crypto.com entity that provides you with relevant Crypto.com services.
3.2. Data Protection Officer
We have appointed a Data Protection Officer (“DPO”) who is responsible for overseeing questions in relation to this Marketing Privacy Notice. If you have any questions or complaints related to this Marketing Privacy Notice or our privacy practices, or if you want to exercise your legal rights, please contact our DPO at dpo@crypto.com.

4. What data we collect about you

Depending on the particular Campaign and its stage, as defined in the applicable written rules, we will collect, use, store and transfer different kinds of personal data about you which we have grouped in categories as follows:
Category of Personal Data
Examples of specific pieces of personal data
Identity Data
  • first name,
  • maiden name,
  • last name,
  • username or similar identifier,
  • title,
  • date of birth and gender,
  • information contained in an identification document,
  • information relating to your physical well being,
  • information relating to your personal preferences (e.g. clothing size, dietary preferences).
Social Identity Data
  • information on referrals related to you,
  • information made publicly available by you on social media with regards to the applicable campaign (e.g. publicly shared social media posts).
Contact Data
  • delivery address,
  • email address and telephone number.
Financial Data
  • virtual currency account,
  • stored value account,
  • amounts associated with accounts,
  • external account details.
Transactional Data
  • details about payments to and from you,
  • other details of any transactions you enter into using the Services.
Technical Data
  • internet connectivity data,
  • internet protocol (IP) address,
  • login data,
  • device type,
  • time zone setting and location data,
  • language data,
  • other information stored on or available regarding the devices you allow us access to when you participate in a Campaign.
Profile Data
  • your username,
  • your identification number as our user,
  • information on whether you have Crypto.com App account and the email associated with your accounts,
  • requests by you for products or services,
  • your interests, preferences and feedback,
  • other information generated by you when you communicate with us.
Marketing and Communications Data
  • your preferences in receiving marketing from us or third parties,
  • your communication preferences,
  • your survey responses.

5. How we collect your data

We may get information about you from the following sources:
  • directly from you, including by filling in forms, by email or otherwise;
  • in case you have been selected as a guest by the winner of the Campaign, your personal data will by provided by the winner using the above means;
  • where applicable, third parties or publicly available sources, such as social media.
You are not obliged to provide your personal data. However, if the requested data is not provided, you will not be able to participate in the Campaign.

6. How we use your data

6.1. Lawful basis
We will only use your personal data when the applicable legislation allows us to. In other words, we have to ensure that we have a lawful basis for such use.
We process your personal data relying on the following lawful bases:
  • processing is necessary for performance of a contract or in order to take steps at your request prior to entering into a contract; when you participate in the Campaign a contractual relationship is formed between you and Crypto.com;
  • processing is necessary for compliance with a legal obligation to which we are subject;
  • processing is necessary for the purposes of the legitimate interests pursued by us as a contracting entity and our interests do not contradict your interests, fundamental rights or freedoms (for instance, the interest in assessing your eligibility to participate in the Campaign);
  • consent, if required.
We do not usually need your consent for processing personal data concerning you. If we need it, we will ask for it and provide you with the respective information as required by law. Depending on the applicable data protection framework, for example, if you are a resident of the European Economic Area (“EEA”) or the United Kingdom (“UK”), you may also have the right to withdraw your consent at any time, but please note that this will not affect the lawfulness of processing based on your consent before its withdrawal.
If the prize of a Campaign includes passes to an event for you and a guest of your choosing, you guarantee that your guest who will receive a pass has acknowledged and agreed for their information to be used for the purposes listed herein. In addition, you guarantee that you and your guest have acknowledged and shall adhere to the event-specific rules as provided by the event organizer.
6.2. Purposes for which we will use your personal data
When you participate in the Campaign, we use the personal data you provide to conduct the Campaign. Namely, we collect and use your personal data for the purposes of carrying out the Campaign, monitoring for compliance with the applicable written rules, assessing your eligibility to participate in the Campaign, prize draw, identity verification and prize delivery.
Further information on the purposes can be found in the respective written rules governing the Campaign.
Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your personal data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data.

7. Disclosures of your data

We share your personal data with our third-party service providers, agents, subcontractors and other associated organizations, our group companies, and affiliates (as described below) in order to organize and carry out the Campaign. When using third party service providers, they are required to respect the security of your personal data and to treat it in accordance with the law.
We may pass your personal data to the following third parties:
  • entities organizing the event related to the Campaign in cases of giveaways and sweepstakes;
  • entities assisting us with the organization of the Campaign;
  • companies and organizations that assist us in processing, verifying or refunding transactions/orders you make in relation to the Campaign;
  • anyone to whom we lawfully transfer or may transfer our rights and duties under the relevant terms and conditions governing the Campaign;
  • any third party because of any restructure, sale or acquisition of our group or any affiliates, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us; and
  • regulatory and law enforcement authorities, whether they are outside or inside of the EEA, where the law allows or requires us to do so.
We disclose collected personal data to the relevant internal departments on a “need to know” basis. We may also provide personal data to other affiliated companies within the Group or to
external service providers, contract processors (e.g. platform, hosting, shipping service providers) in order to carry out the campaign. Platform and hosting service providers may have access to personal data from a country outside the EEA. Where needed, as an appropriate safeguard we have agreed on standard contractual clauses pursuant to Art. 46 GDPR with these providers. More information on this topic is published here (attention: a link to a third-party website).

8. International transfers

We share your personal data within our group. This will involve transferring your personal data outside Hong Kong, EEA, the UK or the origin of where your data is collected.
We follow the specific legal framework applicable to such transfers. For example, whenever we transfer your personal data out of the EEA or the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
  • the country to which we transfer your personal data has been deemed to provide an adequate level of protection (attention: a link to a third-party website) for personal data by the European Commission or the UK government, as applicable to your particular case;
  • a specific contract approved by the European Commission or the UK government, which gives safeguards to the processing of personal data, the so-called Standard Contractual Clauses, as applicable to your particular case.
Please contact our Data Protection Officer at dpo@crypto.com if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA or the UK.

9. Data security

While there is an inherent risk in any data being shared over the internet, we have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, damaged, or accessed in an unauthorised or unlawful way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a legitimate business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Depending on the nature of the risks presented by the proposed processing of your personal data, we will have in place the following appropriate security measures:
  • organisational measures (including but not limited to staff training and policy development);
  • technical measures (including but not limited to physical protection of data, pseudonymization and encryption); and
  • securing ongoing availability, integrity, and accessibility (including but not limited to ensuring appropriate back-ups of personal data are held).
We have put in place procedures to deal with any suspected personal data breach and will notify you and any relevant regulator of a breach where we are legally required to do so.
If you want to know more about our security practice, please visit this link.

10. Data retention

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Here are some exemplary factors which we usually consider when determining how long we need to retain your personal data:
  • in the event of a complaint;
  • if we reasonably believe there is a prospect of litigation in respect to our relationship with you or if we consider that we need to keep information to defend possible future legal claims;
  • to comply with any applicable legal and/or regulatory requirements with respect to certain types of personal data;
  • if information is needed for audit purposes;
  • in accordance with relevant industry standards or guidelines;
  • in accordance with our legitimate business need to prevent abuse of the Campaign. We will retain your personal data for the time of the Campaign to prevent the appearance of abusive behavior. For the same purpose we may also retain your’ personal data for a certain period after the Campaign’s end.
Please note that under certain condition(s), you can ask us to delete your data: see your legal rights below for further information. We will honor your deletion request ONLY if the condition(s) is met.

11. Your legal rights

You have rights we need to make you aware of. The rights available to you depend on our reason for processing your personal data. If you need more detailed information or wish to exercise any of the rights set out below, please contact us.
You may:
  • request access to your personal data, which enables you to obtain confirmation of whether we are processing your personal data, to receive a copy of the personal data we hold about you and information regarding how your personal data is being used by us;
  • request rectification of your personal data by asking us to rectify information you think is inaccurate and to complete information you think is incomplete, though we may need to verify the accuracy of the new data you provide to us;
  • request erasure of your personal data by asking us to delete or remove personal data we hold about you; note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you;
  • object to the processing of your personal data, where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms; in some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms; you also have the right to object where we are processing your personal data for direct marketing purposes;
  • require that decisions be reconsidered if they are made solely by automated means, without human involvement; we use automated tools to make sure that you are eligible to participate in the Campaign taking into account our interests and legal obligations; if these automated tools indicate that you do not meet our acceptance criteria, you shall not be considered eligible to participate in the Campaign;
  • request restriction of processing your personal data, which enables you to ask us to suspend the processing of your personal data, if you want us to establish the data accuracy; where our use of the data is unlawful, but you do not want us to erase it; where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims, or if you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it;
  • request the transfer of your personal data to you or to a third party, and we will provide to you, or a third party you have chosen (where technically feasible), your personal data in a structured, commonly used, machine-readable format; note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you;
  • withdraw consent at any time where we are relying on consent to process your personal data; however, this will not affect the lawfulness of any processing carried out before you withdraw your consent; if you withdraw your consent, we may not be able to provide certain products or services to you, but we will advise you if this is the case at the time you withdraw your consent;
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is manifestly unfounded or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
Period for replying to a legitimate request
We shall reply to a legitimate request within the legally prescribed period according to the applicable legislation. If you are a resident of the EEA or the UK, the statutory period for us to
reply to a legitimate request is one month. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.Please note that we may request that you provide some details necessary to verify your identity when you request to exercise a legal right regarding your personal data.
Complaints
You have the right to make a complaint about the way we process your personal data to a supervisory authority. If you reside in an EEA Member State, you have the right to make a complaint about the way we process your personal data to the supervisory authority in the EEA Member State of your habitual residence, place of work or place of the alleged infringement. Information about your supervisory authority could be found here.
  • You may contact the Information and Data Protection Commissioner (IDPC), Malta's supervisory authority for data protection matters, if you are a customer of Foris DAX MT Limited or Foris MT Limited.
  • You may contact the Data Protection Commission (DPC), Ireland’s supervisory authority for data protection matters, if you are a customer of Foris DAX Global Limited.
  • You may contact the Office of the Australian Information Commissioner, Australia’s supervisory authority for data protection matters, if you are a customer of Foris DAX AU Pty. Ltd.
  • You may contact the California Privacy Protection Agency (CPPA), California’s supervisory authority for data protection matters, and/or the U.S. Federal Trade Commission (FTC), United States of America’s federal supervisory authority for data protection matters, if you are a customer of Foris DAX Inc. or Foris Inc.
  • You may contact the Personal Data Protection Commission Singapore (PDPC), Singapore’s supervisory authority for data protection matters, if you are a customer of Foris DAX Asia Pte. Ltd.
  • You may contact the Office of the Privacy Commissioner (OPC), Canada’s supervisory authority for data protection matters, if you are a customer of Foris DAX Inc. or Foris Inc.
  • You may contact the Cayman Islands Ombudsman, the Cayman Islands’ supervisory authority for data protection matters, if you are a customer of CRO DAX Limited.
  • You may contact the Information Commissioner’s Office, United Kingdom’s supervisory authority for data protection matters, if you are a customer of Foris DAX UK Limited.
  • If you are not required to be our customer in order to participate in the Campaign or you are a customer of another Crypto.com entity that is not listed in Section 3. Who we are, you may also contact your local data protection regulatory authority.
We would, however, appreciate the chance to deal with your concerns before you approach a data protection regulatory authority, so please feel free to contact us in the first instance.
Depending on the geographical scope of the Campaign, you may also contact one of the representatives listed below.
EU Representative
Our EU representative is Foris MT Limited, with registered address Level 7, Spinola Park, Triq Mikiel ang Borg, St. Julians, SPK 1000, Malta. You may also contact it at euprivrep@crypto.com.

UK Representative
Our UK representative is ForisGFS UK Limited, with registered address Suite 5, 7th Floor 50 Broadway, London, United Kingdom, SW1H 0DB. You may also contact it at ukprivrep@crypto.com.