“Service(s)” means any of Site(s), API, Webapp(s) or Third Party Service(s).
As part of our commitment to protect your personal data in a transparent manner, we want to inform you, according to the Swiss Federal Act on Data Protection (“FADP”), its Ordinances (“Loi fédérale sur la protection des données (LPD) et ses Ordonances”) and the European Union General Data Protection Regulation 2016/679 (“GDPR”):
why and how Tokenestate collects, uses and stores your personal data;
the lawful basis on which your personal data is processed; and
what your rights and our obligations are in relation to such processing
3. Personal Data We Collect
3.1. From Cookies
When consulting our Sites, cookies are placed on your computer, mobile or tablet. A cookie is a piece of data stored on your hard drive by the server for the site or mobile application that you are visiting. It contains the following data:
The name of the server that has placed it there
An identifier, in the form of a unique number
An expiration date (some cookies only)
Cookies are managed by the web browser on your computer (Internet Explorer, Firefox, Safari or Google Chrome).
Different types of cookies which have different purposes are used:
Essential cookies: These cookies are essential to allow you to browse our websites and use their functionalities. Without them, services such as shopping baskets and electronic invoicing would not be able to work.
Performance cookies: These cookies collect information on the use of our websites, such as which pages are consulted most often. These data enable us to optimise our websites and simplify browsing. These cookies do not collect any information which could be used to identify you. All the information collected is aggregated, and therefore anonymous.
Functionality cookies: These cookies enable our websites to remember the choices you have made when browsing. For example, we can store your geographical location in a cookie so that the website corresponding to your area is shown. We can also remember your preferences, such as the text size, font and other customisable aspects of the site. The cookies may also be able to keep track of the products or videos consulted to avoid repetition. The information collected by these cookies cannot be used to identify you and cannot monitor your browsing activity on sites which do not belong to Tokenestate.
3.2. From our Services
Depending on the Services, we collect:
personal details such as your name, identification number, date of birth, KYC/AML documents (national identity card or passport, utility bill, payslips, etc.), phone number, physical and electronic address, and family details such as the name of your spouse, partner, or children;
username, password, settings and preferences;
financial information, including payment and transaction records and information relating to your assets (including fixed properties), financial statements, liabilities, taxes, revenues, earnings and investments (including your investment objectives);
tax domicile and other tax-related documents and information;
where applicable, professional information about you, such as your job title and work experience;
your knowledge of and experience in investment matters;
details of our interactions with you and the products and services you use;
any records of emails/writen exchanges/phone calls between you and us;
where applicable, details of your nomination of a mandate;
identifiers we assign to you, such as your client or account number, including for accounting purposes;
when you access our Sites, data transmitted by your browser and automatically recorded by our server, including date and time of the access, name of the accessed file as well as the transmitted data volume and the performance of the access, your Operating System, web browser, browser language and requesting domain, and IP address.
We may obtain information about you from third party sources as required or permitted by applicable law, such as public databases, credit bureaus, ID verification partners, KCY/AML partners, resellers and channel partners, joint marketing partners, and social media platforms. In the case we obtain any additional information, we will be notified by email.
4. How your Personal Data is used
We will not use your personal information for purposes other than those purposes we have disclosed to you, without your permission.
4.1. To maintain legal and regulatory compliance
Some of our core Services are subject to laws and regulations requiring us to collect and use your personal identification information, formal identification information, financial information, transaction information, employment information, online identifiers, and/or usage data in certain ways. Tokenestate complies and not only to:
the Swiss Federal Act on Data Protection (FADP) and its Ordinances (“Loi fédérale sur la protection des données (LPD) et ses Ordonances”)
the European Union General Data Protection Regulation 2016/679 (GDPR)
the Swiss Federal Act on Combating Money Laundering and Terrorist Financing (Anti-Money Laundering Act, AMLA) and its Ordinances (“Loi fédérale concernant la lutte contre le blanchiment d’argent et le financement du terrorisme (LBA) et ses Ordonances”)
the Swiss Financial Market Supervisory Authority (FINMA) Ordinance on Combating Money Laundering and Terrorist Financing (“Ordonnance de l’Autorité fédérale de surveillance des marchés financiers sur la lutte contre le blanchiment d’argent et le financement du terrorisme dans le secteur financier (OBA-FINMA)”)
the Swiss Code of Obligations (“Code suisse des Obligations (CO)”)
4.2. To enforce our terms in our user agreement and other agreements
We handle very sensitive information, such as your identification and financial data, so it is very important for us and our customers that we are actively monitoring, investigating, preventing and mitigating any potentially prohibited or illegal activities, enforcing our agreements with third parties, and/or violations of our posted user agreement or agreement for other Services. In addition, we may need to collect fees based on your use of our Services. We collect information about your account usage and closely monitor your interactions with our Services. We may use any of your personal information collected on our Services for these purposes. The consequences of not processing your personal information for such purposes is the termination of your account as we cannot perform our Services in accordance with our terms.
4.3. To provide Tokenestate’s Services
We cannot provide you with Services without such information.
4.4. To provide Service communications
We send administrative or account-related information to you to keep you updated about our news, Services, inform you of relevant security issues or updates, or provide other transaction-related information. Without such communications, you may not be aware of important developments relating to your account that may affect how you can use our Services.
4.5. To provide customer service
We process your personal information when you contact us to resolve any questions, disputes, collect fees, or to troubleshoot problems. We may process your information in response to another customer’s request, as relevant. Without processing your personal information for such purposes, we cannot respond to your requests and ensure your uninterrupted use of the Services.
4.6. To ensure quality control
We process your personal information for quality control and staff training to make sure we continue to provide you with accurate information. If we do not process personal information for quality control purposes, you may experience issues on the Services such as inaccurate transaction records or other interruptions. Our basis for such processing is based on the necessity of performing our contractual obligations with you.
4.7. To ensure network and information security
We process your personal information in order to enhance security, monitor and verify identity or service access, combat spam or other malware or security risks and to comply with applicable security laws and regulations. The threat landscape on the internet is constantly evolving, which makes it more important than ever that we have accurate and up-to-date information about your use of our Services. Without processing your personal information, we may not be able to ensure the security of our Services.
4.8. For research and development purposes
We process your personal information to better understand the way you use and interact with Tokenestate’s Services. In addition, we use such information to customise, measure, and improve Tokenestate’s Services and the content and layout of our website and applications, and to develop new services. Without such processing, we cannot ensure your continued enjoyment of our Services. Our basis for such processing is based on legitimate interest.
4.9. To enhance your website experience
We process your personal information to provide a personalised experience, and implement the preferences you request. For example, you may choose to provide us with access to certain personal information stored by third parties. Without such processing, we may not be able to ensure your continued enjoyment of part or all of our Services.
4.10. To facilitate corporate acquisitions, mergers, or transactions
We may process any information regarding your account and use of our Services as is necessary in the context of corporate acquisitions, mergers, or other corporate transactions. You have the option of closing your account if you do not wish to have your personal information processed for such purposes.
4.11. To engage in marketing activities
Based on your communication preferences, we may send you marketing communications to inform you about our events or our partner events; to deliver targeted marketing; and to provide you with promotional offers based on your communication preferences. We use information about your usage of our Services and your contact information to provide marketing communications. You can opt-out of our marketing communications at any time.
5. Personal Data Disclosure & Sharing
5.1. Tokenestate’s Staff
Our staff use and process usually personal data in order to ensure a consistently high service standard, to provide services and products to you.
5.2. Third Parties
When providing products and services to you, we will share personal data with persons acting on our behalf or otherwise involved in the transaction (depending on the type of product or service you receive from us).
5.3. Service providers
In some instances, we also share personal data with our suppliers and other business partners who provide services to us, such as IT and hosting providers, marketing providers, communication services and printing providers, debt collection, tracing, debt recovery, fraud prevention, and credit reference agencies, KYC/AML, and others. When we do so we take steps to ensure they meet our data security standards, so that your personal data remains secure.
5.4. Public or regulatory authorities
If required from time to time, we disclose personal data to public authorities, regulators or governmental bodies, including when required by law or regulation, under a code of practice or conduct, or when these authorities or bodies require us to do so.
If our business is sold to another organisation or if it is re-organised, personal data will be shared so that you can continue to receive products and services. We will usually also share personal data with prospective purchasers when we consider selling or transferring part or all of a business. We take steps to ensure such potential purchasers keep the data secure.
We may need to disclose personal data to exercise or protect legal rights, including ours and those of our employees or other stakeholders, or in response to requests from individuals or their representatives who seek to protect their legal rights or such rights of others.
6. Location & Transfer of Personal Data
We use Swiss datacenters in order to enforce security and compliance. Due to technical requirements, data may be located outside Switzerland. In those cases, except where the relevant country has been determined by the Swiss Federal Data Protection and Information Commissioner and the European Commission to provide an adequate level of protection, Tokenestate requires such recipients to comply with appropriate measures designed to protect personal data contained within a binding legal agreement. A copy of these measures can be obtained by contacting by writing Tokenestate using the details in section 13 of this notice. If and to the extent required by applicable law, we implement the necessary legal, operational and technical measure and/or enter into an agreement with you before such transfers.
As Controller of your Personal Data, we work with Processors in order to provide high quality of the Services. All our Processors are GDPR compliant and agreements have been setup between them and us in order to define exactly which Personal Data are shared and which legal requirements should be applied.
8. Retention of Personal Data
We will only retain personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements. To help us do this, we apply criteria to determine the appropriate periods for retaining your personal data depending on its purpose, such as proper account maintenance, facilitating client relationship management, and responding to legal claims or regulatory requests.
We do not knowingly request to collect personal information from any person under the age of 18. If a user submitting personal information is suspected of being younger than 18 years of age, Tokenestate will require the user to close his or her account and will not allow the user to continue using any Service. We will also take steps to delete the information as soon as possible. Please notify us if you know of any individuals under the age of 18 using our Services so we can take action to prevent access to our Services.
Tokenestate ensures with the maximum of abilities the protection of your data against lost, unauthorized manipulation, access or modification. We use internal rules with our staff and partners and use software, hardware, IT providers and datacenters which provide maximum security.
Our Services use strong cryptographic standards such as HTTPS protocol.
We follow the evolving of the technology and the Art in order to continuously offer the best quality, security and protection of our Services. We continuously assess and change our internal procedures accordingly with our staff, partners and providers.
Although the security of your data is protected with our best effort, you agree that Tokenestate should not, in any case, be held responsible for any lost, damages, unauthorized manipulation, access or modification in case of events beyond our control, such as and not limited to:
Any electronic attack (not exhaustive): DDoS, Penetration, Brute-Force, Stolen Key.
Malicious attack (not exhaustive): Fishing by email/writing/call, MITM, Fake News.
Unsafe behaviour (not exhaustive): weak or disclosed user/password, Stolen user/password, Stolen Key.
Illegal Activities (not exhaustive): Fake ID, Stolen ID, physical break-in.
Any hardware or software malfunction.
Communications with unsecure means (not exhaustive): email, phone, SMS, Fax.
act of God (such as, but not limited to, fires, explosions, earthquakes, drought, tidal waves and floods);
any other natural disaster of overwhelming proportions;
act of war (whether declared or not), hostilities, invasion, act of foreign enemies, terrorism or civil disorder, rebellion, revolution, insurrection, or military or usurped power, or civil war;
contamination by radio-activity from any nuclear fuel, or from any nuclear waste from the combustion of nuclear fuel, radio-active toxic explosive, or other hazardous properties of any explosive nuclear assembly or nuclear component of such assembly;
pressure waves from devices travelling at supersonic speeds or damage caused by any aircraft or similar device;
riot, commotion, strikes, go slows, lock outs or disorder;
acts or threats of terrorism;
discontinuation of electricity or water supply;
other unforeseeable circumstances beyond the control of the Parties against which it would have been unreasonable for the affected party to take precautions and which the affected party cannot avoid even by using its best efforts
12. Yours Rights
You have a right to ask Tokenestate to rectify inaccurate personal data we collect and process and the right to request restriction of your personal data pending such a request being considered. Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Please also note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You have a right to ask us to stop processing your personal data, or to request deletion of your personal data – these rights are not absolute (as sometimes there may be overriding interests that require the processing to continue, for example), but we will consider your request and respond to you with the outcome. When personal data are processed for direct marketing purposes, your right to object extends to direct marketing, including profiling to the extent it is related to such marketing. You may object to direct marketing by clicking the “unsubscribe” link in any of our emails to you, or by contacting us by writing at the address set out in section 13. Where we process your personal data on the basis of your consent, or where such processing is necessary for entering into or performing our obligations under a contract with you, you may have the right under applicable data protection laws to request your personal data be transferred to you or to another controller. You have the right to ask Tokenestate for a copy of some or all of the personal data we collect and process about you. In certain circumstances Tokenestate may process your personal data through automated decision-making, including profiling. Where this takes place, you will be informed of such automated decision-making that uses your personal data, be given information on the logic involved, and be informed of the possible consequences of such processing. In certain circumstances, you can request not to be subject to automated decision-making, including profiling. You can exercise the rights by contacting us by writing using the details in section 13 of this notice.
Right to withdraw consent. You have the right to withdraw your consent to the processing of your personal information collected on the basis of your consent at any time. Your withdrawal will not affect the lawfulness of Tokenestate’s processing based on consent before your withdrawal.
Right of access to and rectification of your personal information. You have a right to request that we provide you a copy of your personal information held by us. This information will be provided without undue delay subject to some fee associated with gathering of the information (as permitted by law), unless such provision adversely affects the rights and freedoms of others. You may also request us to rectify or update any of your personal information held by Tokenestate that is inaccurate. Your right to access and rectification shall only be limited where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated.
Right to erasure. You have the right to request erasure of your personal information that: (i) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) was collected in relation to processing that you previously consented, but later withdraw such consent; or (iii) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. If we have made your personal information public and are obliged to erase the personal information, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other parties that are processing your personal information that you have requested the erasure of any links to, or copy or replication of your personal information. The above is subject to limitations by relevant data protection laws.
Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly used and machine-readable format, and to have us transfer your personal information directly to another “controller”, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others. A “controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of your personal information.
Right to restriction of or processing. You have the right to restrict or object to us processing your personal information where one of the following applies:
You contest the accuracy of your personal information that we processed. In such instances, we will restrict processing during the period necessary for us to verify the accuracy of your personal information.
The processing is unlawful and you oppose the erasure of your personal information and request the restriction of its use instead.
We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise or defence of legal claims.
You have objected to processing, pending the verification whether the legitimate grounds of Coinbase’s processing override your rights.
Restricted personal information shall only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if the restriction is lifted.
Notification of erasure, rectification and restriction. We will communicate any rectification or erasure of your personal information or restriction of processing to each recipient to whom your personal information has been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients if you request this information.
Right to object to processing. Where the processing of your personal information is based on consent, contract or legitimate interests you may restrict or object, at any time, to the processing of your personal information as permitted by applicable law. We can continue to process your personal information if it is necessary for the defence of legal claims, or for any other exceptions permitted by applicable law.
Automated individual decision-making, including profiling. You have the right not to be subject to a decision based solely on automated processing of your personal information, including profiling, which produces legal or similarly significant effects on you, save for the exceptions applicable under relevant data protection laws.
Right to lodge a complaint. If you believe that we have infringed your rights, we encourage you to contact us by writing using the details in section 13 of this notice so that we can try to resolve the issue or dispute informally.
You can also complain about our processing of your personal information to:
In Switzerland: to any criminal prosecution authority and moreover notice the Swiss Federal Data Protection and Information Commissioner (section 14 of this notice)
In the European Union: the relevant data protection authority (list in section 14 of this notice)
General information requests may be addressed by e-mail to our Data Protection Officer: email@example.com
We will answer within 3 working days.
Any request regarding your Personal Data should be made by writing with a proof of your identity to:
Data Protection Office
Rue de la Place d’Armes 3
Be aware that communicating by e-mail/SMS/phone/FAX do not ensure confidentiality, integrity and authenticity. We will not answer to any request which will be considered unsafe or not ensuring your identity authenticity.
14. Relevant Authorities
Office of the Federal Data Protection and Information Commissioner FDPIC
CH – 3003 Berne
Tel. +43 1 52152 2550
Autorité de la protection des données (APD-GBA)
Rue de la Presse 35
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
Member: Mr Willem Debeuckelaere, President
Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd.
Tel. + 359 2 915 3580
Fax +359 2 915 3525
Croatian Personal Data Protection Agency
Tel. +385 1 4609 000
Fax +385 1 4609 099
Commissioner for Personal Data Protection
1 Iasonos Street,
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565
Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444
Borgergade 28, 5
Tel. +45 33 1932 00
Fax +45 33 19 32 18
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tel. +372 6274 135
European Data Protection Supervisor
Rue Wiertz 60
Office: Rue Montoyer 30, 6th floor
Tel. +32 2 283 19 00
Fax +32 2 283 19 50
Office of the Data Protection Ombudsman
P.O. Box 800
Tel. +358 29 56 66700
Fax +358 29 56 66735
Commission Nationale de l’Informatique et des Libertés – CNIL
3 Place de Fontenoy
TSA 80715 – 75334 Paris, Cedex 07
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Tel. +30 210 6475 600
Fax +30 210 6475 628
Hungarian National Authority for Data Protection and Freedom of Information
Szilágyi Erzsébet fasor 22/C
Tel. +36 1 3911 400
Data Protection Commission
21 Fitzwilliam Square
Tel. +353 76 110 4800
Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121
Tel. +39 06 69677 1
Fax +39 06 69677 3785
Data State Inspectorate
Blaumana str. 11/13-15
Tel. +371 6722 3131
Fax +371 6722 3556
State Data Protection Inspectorate
A. Juozapaviciaus str. 6
Tel. + 370 5 279 14 45
Fax +370 5 261 94 94
Commission Nationale pour la Protection des Données
1, avenue du Rock’n’Roll
Tel. +352 2610 60 1
Fax +352 2610 60 29
Office of the Information and Data Protection Commissioner
Second Floor, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Fax +356 2328 7198
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
ul. Stawki 2
Tel. +48 22 531 03 00
Fax +48 22 531 03 01
email: firstname.lastname@example.org; email@example.com
Comissão Nacional de Protecção de Dados – CNPD
Av. D. Carlos I, 134, 1º
Tel. +351 21 392 84 00
Fax +351 21 397 68 32
The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 31 805 9211
Fax +40 31 805 9602
Office for Personal Data Protection of the Slovak Republic
820 07 Bratislava 27
Tel.: + 421 2 32 31 32 14
Fax: + 421 2 32 31 32 34
Information Commissioner of the Republic of Slovenia
Ms Mojca Prelesnik
Tel. +386 1 230 9730
Fax +386 1 230 9778
Agencia Española de Protección de Datos (AEPD)
C/Jorge Juan, 6
Tel. +34 91399 6200
Fax +34 91455 5699
104 20 Stockholm
Tel. +46 8 657 6100
Fax +46 8 652 8652
The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 700
Tel: +354 510 9600
Website: https://www.personuvernd.is or https://www.dpa.is
Data Protection Office, Principality of Liechtenstein
Principality of Liechtenstein
Tel. +423 236 6090
Tel +47 22 39 69 00