Blockchain.

com Privacy Policy

Last Updated: 14 January 2022

Privacy is of utmost importance at the Blockchain.com group of companies. We recognise

the significance of protecting information which is stored on our servers or network or is
intended to be stored on our servers or network and which relates to an individual. The
data we protect are the “Personal Data” which is any information relating to an identified or
identifiable natural person, sometimes called a data subject, and have made protecting the
privacy and the confidentiality of Personal Data a fundamental component of the way we
do business. This Privacy Policy informs you of the ways we work to ensure privacy and
the confidentiality of Personal Data and describes the information we gather, how we use
those Personal Data and the circumstances under which we disclose such information to
third-parties.

This Privacy Policy is designed to address regulatory requirements of the jurisdictions in

which Blockchain.com offers its Services, including the General Data Protection Regulation
(“GDPR”), as enacted by the European Commission. In this Privacy Policy, the term
“Service” and “Services” has the same meaning as described in the User Agreement, but
excludes API services, which are governed by a separate agreement. If you do not agree
with this Privacy Policy, in general, or any part of it, you should not use the Services. This
Privacy Policy is periodically reviewed to ensure that any new obligations and changes to
our business model are taken into consideration. We may amend this Privacy Policy at any
time by posting an amended version on our website.
CONTENTS
1. Information About Blockchain.com
2. Collection of Personal Data
3. Use of Personal Data
4. Disclosure of Personal Data
5. Security of Personal Data
6. Retention of Personal Data
7. Storage of Personal Data
8. Your Rights
9. Acceptance
10. Questions and Complaints

1. INFORMATION ABOUT BLOCKCHAIN.COM

Our Services are offered through one or more subsidiaries of Blockchain.com Group
Holdings, Inc (Cayman). By using the Services, you understand that your Personal Data
may be processed by one or more of those subsidiaries (each, a “Data Controller”):

You may contact our Data Protection Officer (“DPO”) by email at [email protected].

2. COLLECTION OF PERSONAL DATA

When you access or use the Services, we collect the following information:

Information you may provide to us: You may give us information about you by filling in
forms on our website or through our app or by corresponding with us by phone, email or
otherwise. This includes information you provide when you register to use the Services
and when you report a problem with the website or with our app.

Information we collect about you: With regard to each of your visits to our website or our
app we automatically collect the following information:
 ● Login Information: We log technical information about your use of the Services,
including the type of browser and version you use, the wallet identifier, the last
access time of your wallet, the Internet Protocol IP address used to create the
wallet and the most recent IP address used to access the wallet.
● Device Information: We collect information about the device you use to access your
account, including the hardware model, operating system and version, and unique
device identifiers, but this information is anonymised and not tied to any particular
person.
● Wallet Information If you create a Blockchain.com Wallet through our Services, you
will generate a public and private key pair. When you log-out of the Wallet, we
collect an encrypted file that, if unencrypted, would contain these keys, along with
your transaction history. When you enable notifications through your Account
Settings, we will collect the unencrypted public key in order to provide such
notifications. Under no circumstances do we collect an unencrypted private key
from you, nor can we decrypt any Wallet file data.
● Transaction Information: In connection with our Conversion Service, as such term is
defined in our User Agreement, we may collect and maintain information relating to
transactions you effect in your Wallet that convert one virtual currency to another
(e.g. Bitcoin for Ether).

Information We Collect Required By Law, Rule, or Regulation: Depending on the Service,

we may collect information from you in order to meet regulatory obligations around
know-your-customer (“KYC”) and anti-money laundering (“AML”) requirements. Information
that we collect from you includes the following:

● Full name
● Residential address
● Contact details (telephone number, email address)
● Date and place of birth, gender, place of citizenship
● Bank account information and/or credit card details
● Your status as a politically exposed person
● Source of funds & proof of address
 ● Passport and/or national driver’s license or government-issued identification card to
verify your identity
● Transaction history and account balances in connection with your use of certain
Services.

Information We Collect from Other Sources: We also receive information from other
sources and combine that with the information we collect through our Services. For
instance:

● We use third-party services that may be co-branded as Blockchain.com but will do

so with clear notice. Any third-party services may collect information as determined
by their own privacy policies.
● We also use "cookies" from time to time to help personalise your online experience
with us. A cookie is a small text file that is stored on your computer to help us make
your visit to our site more “user-friendly.” Please see our Cookies Policy for more
details about the cookies we use. Cookies provide us with information about your
use of the site that can help us improve the site and your experience with it. We will
process Personal Data collected through cookies in accordance with this Privacy
Policy. If you have set your browser to alert you before accepting cookies, you
should receive an alert message with each cookie. You may refuse cookies by
turning them off in your browser, however, you should be aware that our site, like
most other popular sites, may not work well with cookies disabled.
● Banks or payment processors that you use to transfer fiat currency may provide us
with basic Personal Data, such as your name and address, as well as, your bank
account information.
● Advertising or analytics providers may provide us with anonymised information about
you, including but not limited to, how you found our website.

3. USE OF PERSONAL DATA

We will use your Personal Data, to:

● Understand and strive to meet your needs and preferences in using our Services;
 ● Develop new and enhance existing service and product offerings; ● Manage and
develop our business and operations;
● Carry out any actions for which we have received your consent;
● Prevent and investigate fraudulent or other criminal activity;
● To address service requests and resolve user questions; and
● Meet legal and regulatory requirements.

We also reserve the right to use aggregated Personal Data to understand how our users
use our Services, provided that those data cannot identify any individual.

We also use third-party web analytics tools that help us understand how users engage
with our website. These third-parties may use first-party cookies to track user interactions
to collect information about how users use our website. This information is used to compile
reports and to help us improve our website. The reports disclose website trends without
identifying individual visitors. You can opt-out of such third-party analytic tools without
affecting how you visit our site. For more information on opting-out, please contact
[email protected].

We will process your Personal Data legally and fairly and not use it outside the purposes of
which we have informed you, including selling it individually or in the aggregate for
commercial use.

4. DISCLOSURE OF PERSONAL DATA

We may share your information with selected recipients to perform functions required to
provide certain Services to you and/or in connection with our efforts to prevent and
investigate fraudulent or other criminal activity. All such third parties will be contractually
bound to protect data in compliance with our Privacy Policy. The categories of recipients
include:

● Companies within the Blockchain.com corporate family located in the United States, the
United Kingdom, and the EEA in order to provide the Services to you.
● Cloud service providers to store certain personal data and for disaster recovery services,
as well as, for the performance of any contract we enter into with you.
● Fraud detection service providers who will run certain fraud detection checks against
Personal Data provided.
● Spam and abuse detection providers making software available designed to prevent
users from programmatically using the Services in unsupported ways.

We also may share Personal Data with a buyer or other successor in the event of a merger,
divestiture, restructuring, reorganisation, dissolution or other sale or transfer of some or all
of Blockchain.com’s assets, whether as a going concern or as part of bankruptcy,
liquidation or similar proceeding, in which Personal Data held by Blockchain.com is among
the assets transferred.

Except where we are required by law to disclose Personal Data, or are exempted from,
released from or not subject to any legal requirement concerning the disclosure of
Personal Data, we will require any person to whom we provide your Personal Data to agree
to comply with our Privacy Policy in force at that time or requirements substantially similar
to such policy. We will make reasonable commercial efforts to ensure that they comply
with such policy or requirements, however, where not expressly prohibited by law, we will
have no liability to you, if any person fails to do so.

We shall require any third-party, including without limitation, any government or

enforcement entity, seeking access to the data we hold to a court order, or equivalent
proof that they are statutorily authorised to access your data and that their request is valid
and within their statutory or regulatory power.

Funding and transaction information related to your use of certain Services may be
recorded on a public block chain. Public block chains are distributed ledgers, intended to
immutably record transactions across wide networks of computer systems. Many block
chains are open to forensic analysis which can lead to deanonymisation and the
unintentional revelation of private financial information, especially when block chain data is
combined with other data.

Because block chains are decentralised or third-party networks that are not controlled or
operated by Blockchain.com or its affiliates, we are not able to erase, modify, or alter
Personal Data from such networks.
5. SECURITY OF YOUR PERSONAL DATA

We protect Personal Data with appropriate physical, technological and organisational

safeguards and security measures. Your Personal Data comes to us via the internet which
chooses its own routes and means, whereby information is conveyed from location to
location. We audit our procedures and security measures regularly to ensure they are
being properly administered and remain effective and appropriate. Every member of
Blockchain.com is committed to our privacy policies and procedures to safeguard Personal
Data. Our site has security measures in place to protect against the loss, misuse and
unauthorised alteration of the information under our control. More specifically, our server
uses TLS Transport Layer Security) security protection by encrypting your Personal Data
to prevent individuals from accessing such Personal Data as it travels over the internet.

6. RETENTION OF YOUR PERSONAL DATA

The length of time we retain Personal Data outside our back-up system varies depending
on the purpose for which it was collected and used, as follows:

● Data you provide to us when subscribing for our Services: while user remains active,
stored in the UK.
● Country location data: while user remains active, stored in the UK.
● Data on your preferences: while user remains active, stored in the UK.
● IP address login: until subsequent login from a new IP, stored in the UK.

When Personal Data is no longer necessary for the purpose for which it was collected, we
will remove any details that identifies you or we will securely destroy the records, where
permissible. However, we may need to maintain records for a significant period of time
(after you cease using a particular Service) as mandated by regulation. For example, we
are subject to certain anti-money laundering laws that require us to retain the following, for
a period of five 5 years after our business relationship with you has ended.
 ● A copy of the records we used in order to comply with our client due diligence
obligations;
● Supporting evidence and records of transactions with you and your relationship with
us.

Except where prohibited by law, this period may extend beyond the end of the particular
relationship with us, but only for as long as we are bound to do so for the audit, regulatory
or other accounting purposes. When Personal Data is no longer needed, we have
procedures either to destroy, delete, erase or convert it to an anonymous form. If you have
opted-out of receiving marketing communications, we will hold your details on our
suppression list so that we know you do not want to receive these communications.

After you have terminated the use of our Services, we reserve the right to maintain your
Personal Data as part of our standard back-up procedures in an aggregated format.

7. STORAGE OF PERSONAL DATA

Blockchain.com stores your Personal Data at secure locations in the EU. Blockchain.com
ensures that appropriate security standards are in place regarding the safeguarding,
confidentiality, and security of Data.

The information that we collect from you will be transferred to, and stored in, destinations
outside of your country and the European Economic Area ("EEA") as described below:

We may transfer your Personal Data outside the EEA and the UK to other company
subsidiaries, service providers and business partners (i.e., Data Processors) who are
engaged on our behalf. To the extent that we transfer your Personal Data outside of the
EEA and UK, we will ensure that the transfer is lawful and that Data Processors in third
countries are obliged to comply with the GDPR and the UK Data Protection Act 2018. If
transfers of Personal Data are processed in the US, we may in some cases rely on
applicable standard contractual clauses.
8. YOUR RIGHTS

The rights that are available to you in relation to the Personal Data we hold about you are
outlined below.

Information Access

If you ask us, we will confirm whether we are processing your Personal Data and, if so,
what information we process and, if requested, provide you with a copy of that information
within 30 days from the date of your request.

Rectification

It is important to us that your Personal Data is up-to-date. We will take all reasonable steps
to make sure that your Personal Data remains accurate, complete and up-to-date. If the
Personal Data we hold about you is inaccurate or incomplete, you are entitled to have it
rectified. If we have disclosed your Personal Data to others, we will let them know about
the rectification where possible. If you ask us, if possible and lawful to do so, we will also
inform you with whom we have shared your Personal Data so that you can contact them
directly.

You may inform us at any time that your personal details have changed by emailing us at
[email protected] and we will change your Personal Data in accordance with your
instructions. To proceed with such requests, in some cases we may need supporting
documents from you as proof that we are required to keep for regulatory or other legal
purposes.

Erasure

You can ask us to delete or remove your Personal Data in certain circumstances such as if
we no longer need it, provided that we have no legal or regulatory obligation to retain that
data. Such requests will be subject to any agreements that you have entered into with us,
and to any retention limits, we are required to comply with in accordance with applicable
laws and regulations. If we have disclosed your Personal Data to others, we will let them
know about the erasure request where possible. If you ask us, if possible and lawful to do
so, we will also inform you with whom we have shared your Personal Data so that you can
contact them directly.

Processing restrictions

You can ask us to block or suppress the processing of your Personal Data in certain
circumstances, such as, if you contest the accuracy of that Personal Data or object to us
processing it. It will not stop us from storing your Personal Data. We will inform you before
we decide not to agree with any requested restriction. If we have disclosed your Personal
Data to others, we will let them know about the restriction of processing where possible. If
you ask us, if possible and lawful to do so, we will also inform you with whom we have
shared your Personal Data so that you can contact them directly.

Data portability

In certain circumstances, you might have the right to obtain Personal Data you have
provided us with (in a structured, commonly used and machine-readable format) and to
re-use it elsewhere or ask us to transfer this to a third party of your choice.

Objection

You can ask us to stop processing your Personal Data, and we will do so if we are:

● Relying on our own or someone else’s legitimate interests to process your Personal
Data, except if we can demonstrate compelling legal grounds for the processing;
● Processing your Personal Data for direct marketing; or
● Processing your Personal Data for research, unless we reasonably believe such
processing is necessary or prudent for the performance of a task carried out in the
public interest (such as by a regulatory or enforcement agency).
Automated decision-making and profiling

If we make a decision about you based solely on an automated process (e.g. through
automatic profiling) that affects your ability to access our Services or has another
significant effect on you, you can request not to be subject to such a decision unless we
can demonstrate to you that such a decision is necessary for entering into, or the
performance of, a contract between us. Even if a decision is necessary for entering into or
performing a contract, you may contest the decision and require human intervention. We
may not be able to offer our Services if we agree to such a request by terminating our
relationship with you.

You can exercise any of these rights by contacting us at [email protected].

9. ACCEPTANCE

By using the Services, you signify your agreement to this Privacy Policy. Blockchain.com
reserves the right to change or amend this Privacy Policy at any time. If we make any
material changes to this Privacy Policy, the revised Policy will be posted here and we will
notify our users at least 30 days prior to the changes taking effect so that you are always
aware of what information we collect, how we use it and under what circumstances we
disclose it. Please check this page frequently to see any updates or changes to this
Privacy Policy.

10. QUESTIONS AND COMPLAINTS

Any questions about this Privacy Policy, the collection, use and disclosure of Personal Data
by Blockchain.com or access to your Personal Data as required by law (to be disclosed
should be directed to [email protected].

In the event that you wish to make a complaint about how we process your Personal Data,
please contact us in the first instance at In the event that you wish to make a complaint
about how we process your personal data, please contact us in the first instance at
[email protected] and we will attempt to handle your request as soon as possible.
This is without prejudice to your right to launch a claim with the data protection
supervisory authority in the country in which you live or work where you think we have
violated data protection laws.

California Residents

This section supplements the information in our main Privacy Policy and is intended to
provide additional privacy disclosures as required under the California Consumer Privacy
Act (“CCPA”) concerning the collection and disclosure of Personal Information (as defined
in the CCPA of California residents in the preceding 12 months.

Categories of Information

In the preceding 12 months we have collected the following information:

● Identifiers, such as name, contact information, online identifiers, email address,

account name and other government-issued identifiers;
● Commercial information, such as transaction information and transaction history;
● Internet or network activity information, such as browsing history and interactions
with our website;
● Geolocation data, such as device location and IP location;
● Biometric data;
● Professional or employment related information.

We may use this personal information for the following business purposes: (i) to operate,
manage, and maintain our business, (ii) to provide our products and services, and (iii) to
accomplish our business purposes and objectives, including, for example, using personal
information to develop, improve, repair, and maintain our products and services and to
fulfill your requests; personalize, advertise, and market our products and services; conduct
research, analytics, and data analysis; maintain our property; undertake quality and safety
assurance measures; conduct risk and security control and monitoring; detect and prevent
fraud; perform identity verification; perform accounting, audit, and other internal functions,
such as internal investigations; to carry out corporate transactions,such as mergers, joint
ventures or acquisitions; comply with law, legal process, and internal policies; maintain
records; and exercise and defend legal claims.
Your Rights

Pursuant to the CCPA, upon request and upon our verification of your identity, California
residents may:

● Request access to the specific and Personal Information that we have collected
about you over the past twelve months, the categories of sources of that
information, our business or commercial purposes for collecting the information,
and the categories of third parties with whom the information was shared;
● Obtain a copy of your Personal Information in a format that would permit you to
transfer that Information to another Repository;
● Submit a request for deletion of Personal Information, subject to certain exceptions,
including (without limitation) in the event that we may need to retain Personal
Information to complete the transaction for which the Personal Information was
collected, detect security incidents, protect against illegal activity, exercise certain
rights of free speech, comply with legal obligation or for internal uses permitted by
law. If your request is subject to any exception, we may deny your request to delete
your data. Please note that you must verify your identity and request before further
action is taken by us. To do so, we will notify you of what we require via email.
● To be free from unlawful discrimination for exercising your rights under the CCPA.

Do Not Sell My Personal Information

Blockchain.com does not sell Personal Information in the normal course of our business,
but the CCPA defines sale more broadly than the traditional sense of an exchange of data
for money and may encompass transactions in which we may share your Personal
Information. Accordingly you may, subject to exceptions in CCPA, request that
Blockchain.com not “sell” your Personal Information to the extent that we may do so.
Please be aware that certain sharing of your Personal Information, such as disclosures of
that Information to “Service Providers” as that term is defined and in accordance with
CCPA, or for certain business operations of Blockchain.com, are not considered “sale” of
Personal Information.
CCPA comprises provisions that explicitly prohibit us from making any adverse decisions
about you or your account based upon your exercise of this right (“non-discrimination”).

The CCPA permits you to request certain information regarding our disclosure of Personal
Information to third parties for their direct marketing purposes.

To exercise any of the above rights, you may contact us at [email protected].

Consistent with California law, you may designate an authorised agent to make a request
on your behalf. In order to designate an authorised agent, please contact us via email
[email protected]. Please note that any proposed appointment is subject to verification
checks and we may deny requests from agents who are unable to prove their
identity or provide proof of authority to act on your behalf.

While many browsers permit you to send a signal about your Do Not Track (“DNT”)
preferences, we do not respond to DNT signals sent from browsers.

Children’s Online Privacy Protection Act

Blockchain.com complies with the Children’s Online Privacy Protection Act COPPA, which
requires the consent of a parent or guardian for the collection of personally identifiable
information from children under 13 years of age. Blockchain.com does not knowingly
collect, use or disclose personal information from children under 13, or equivalent minimum
age in the relevant jurisdiction, without verifiable parental consent. However, it is possible
that we may inadvertently receive information pertaining to children under 13. If you
believe that we have received information about your child that is under the age of 13,
please do not hesitate to notify us at [email protected]. When we receive your
notification, we will obtain your consent to retain the information or will delete it
permanently.
Vermont Privacy Rights Applicable to Vermont Residents)
Vermont Financial Privacy Act

The Vermont Financial Privacy Act limits what we can do with your financial information
and gives you rights to limit our sharing of your financial information. Under the Vermont
Financial Privacy Act, Vermont residents have the right to receive notice and opt-in to
sharing non-public Personal Information with non-affiliated third parties. Additionally,
residents must consent to us sharing information regarding credit worthiness.

We do not share your information with affiliates and non-affiliated third parties, except for
certain business purposes (e.g., to service your accounts), to market our products and
services, as permitted by law, or with your consent. Additionally, we will not disclose credit
information about you with our affiliates or non-affiliated third parties, except as required
or permitted by law. You can access our Privacy Notice for information about our practices
in accordance with the Vermont Financial Privacy Act. Please contact us to opt-in to, or
opt-out of, sharing your non-public Personal Information.

Cayman Islands Data Protection Act

The Cayman Islands Data Protection Act (as amended, the "DPA") applies to
Blockchain.com entities that are organised in the Cayman Islands, including
Blockchain.com (Cayman) Limited. Where you engage the services of such an entity, that
entity is a data controller with respect to your Personal Data and shall process your
Personal Data in accordance with the requirements of the DPA. Subject to complying with
the DPA, the entity may also share your Personal Data with its affiliates, its service
providers and applicable regulatory and governmental authorities from time to time. Any
transfer of your Personal Data outside of the Cayman Islands will be carried out in
accordance with the DPA. Individuals have certain rights under the DPA with respect to
their Personal Data, including the right to: (a) be informed about the purposes for which
your Personal Data are processed; (b) access your Personal Data; (c) stop direct
marketing; (d) restrict the processing of your Personal Data; (e) have incomplete or
inaccurate Personal Data corrected; (f) ask us to stop processing your Personal Data; (g)
be informed of a Personal Data breach (unless the breach is unlikely to be prejudicial to
you); (h) complain to the Cayman Islands Data Protection Ombudsman; and (i) require us to
delete your personal data in some limited circumstances.