Privacy Policy
COINGATE PRIVACY POLICY
- Why should I read this Privacy Policy?
This Privacy Policy (the “policy”) describes how CoinGate (CoinGate is owned and operated by UAB “Decentralized”) (the “Company”, “we”, “us”, “our”) collects, uses, discloses, and stores your personal information and what statutory rights you have. We protect your personal information under the applicable data protection laws, including the EU General Data Protection Regulation (the “GDPR”). We may amend this policy unilaterally from time to time. Any such amendments will be effective immediately upon publication; therefore, please visit our website regularly for the latest version of this policy.
- Who is responsible for protecting my information?
We are: CoinGate (owned and operated by UAB “Decentralized”)
Our company number is: 303423510
Our address: A. Goštauto g. 8-331, LT-01108 Vilnius
Our e-mail address: info@coingate.com
- Why and how do you collect my information?
- To enable you to use the CoinGate platform
In order to allow you to register on our platform at www.coingate.com, we will process your information as described in the table below:
What information do you collect about me? | E-mail address, password, IP address, country, sign in data (such as the last sign in time, number of sign ins), geolocation data, 2FA information. |
What is your legal basis to collect my information? | Contract (Art. 6 (1) (b) of GDPR) |
Am I obliged to provide this information? | It is a contractual requirement. If you do not provide this information, you will not be able to register and use our platform |
- Crypto payment processing, deposits and conversions, payouts, virtual currency swap and related services
To provide our virtual currency processing, cryptocurrency deposit and conversion, crypto payouts, virtual currency swap, and other related services, we need to process the information as described below:
What information do you collect about me? | E-mail address, password, country, IP address, crypto address, crypto platform, name and surname, gender, place of birth, address, telephone number, cryptocurrency address, bank account number, account number of money withdrawal platform, PayPal address, transaction amount, transaction currency, transaction time, address of the sender of the transaction, address of the payee of the transaction, power of attorney, data provided in the business registration certificate, data provided in the document of business address proof, requests for overpayments, Facebook ID information, Google ID information, types of swapped virtual currencies, cryptocurrency address, transaction amount, device fingerprint, purpose of transfer, recipient, transfer amount, other information provided by you |
What is your legal basis to collect my information? | Contract (Art. 6 (1) (b) of GDPR) |
Am I obliged to provide this information? | It is a contractual requirement. If you do not provide this information, we will not be able to provide our services |
- Compliance with anti-money laundering (AML) regulations, sanction screening, fraud prevention, and other applicable legal requirements
This purpose involves processing the personal data of our clients (natural persons), the managers, representatives, or ultimate beneficial owners (UBOs) of our clients (legal entities), as well as shoppers and beneficiaries of transactions. The processing is carried out to verify identities, monitor transactions, detect and prevent fraudulent activities, assess risks, and ensure compliance with laws aimed at combating money laundering, terrorism financing, and other illicit activities.
What information do you collect about me? | Client (natural person) related information: name, surname, ID details (such as number, type, issuing country, date of issuance, and validity), date of birth, sex, personal number, citizenship(s), nationality, place of birth, address, annual income, source of funds, source of wealth, expected annual turnover, countries of incoming funds, account opening purpose, geolocation data, and photo, other information required to comply with applicable laws. Company-related information (director and representative details, including name, surname, ID information, date of birth, sex, citizenship, place of birth, address, sanctions status, current position, email), ultimate beneficial owner (UBO) details (name, surname, personal number, date of birth, place of birth, address, citizenship, nationality, shares held, stake in the company, and involvement in politics, including PEP status), other information required to comply with applicable laws. Payees’ information – when you make a payment to our client (merchant): email, name, surname, date of birth, country of residence, and any other data required by applicable laws, other information required to comply with applicable laws. If you are a beneficiary receiving a payment from our client: email, name, surname, country of residence, address |
What is your legal basis to collect my information? | Legal obligation (Art. 6 (1) (c) of GDPR) |
Am I obliged to provide this information? | It is a statutory requirement. If you do not provide this information, we will not be able to provide our services |
- Security & improvement of our platform
We need to keep our platform at www.coingate.com safe and smooth. Thus, please be aware that upon visiting our platform, we automatically gather certain technical information regarding your device and the use of our platform. This is a standard procedure aimed at ensuring optimal functionality and security during your browsing experience.
What information do you collect about me? | Internet protocol address (IP), user agent, referrer url, date and time of website visiting, logs |
What is your legal basis to collect my information? | Legitimate interest to ensure security and improvement of our platform (Art. 6 (1) (f) of GDPR) |
Am I obliged to provide this information? | No |
- Customer support & inquiries
We are committed to providing support and addressing any questions or concerns you may have. To respond to your inquiries efficiently when you contact us, we need to process your information as described below.
What information do you collect about me? | E-mail address, subject of your inquiry, date of your inquiry, content of your inquiry, attachments to your inquiry, your name and (or) surname provided in your inquiry, reply to your inquiry, information provided by you |
What is your legal basis to collect my information? | Consent (Art. 6 (1) (a) of GDPR) |
Am I obliged to provide this information? | No |
- Marketing & social media profiles
When you or the company you represent use our services, consent to receive marketing communications, interact with us via social media or when we have a legitimate interest in informing you about our services and products, we will process your information as outlined below.
What information do you collect about me? | Name and surname, company you represent, your position in the company, e-mail, telephone number, call recording, social media profile and your interactions with our social media profiles information |
What is your legal basis to collect my information? | Consent (Art. 6 (1) (a) of GDPR; Art. 81 (1) of Lithuanian Law on Electronic Communications); Customer relationship (Art. 81 (2) of Lithuanian Law on Electronic Communications); Legitimate interest to send direct marketing communications (Art. 6 (1) (f) of GDPR) |
Am I obliged to provide this information? | No |
- To carry out the selection of potential employees
When we receive your application for a job position, when you give us your consent for storing your CV, or we contact you based on the information you publicly disclose on professional social media platforms
What information do you collect about me? | Full name, e-mail, phone number, CV, work experience, other information you provide us with |
What is your legal basis to collect my information? | Consent (Art. 6 (1) (f) of GDPR); Consent (Art. 6 (1) (a) of GDPR); Contract (Art. 6 (1) (b) of GDPR); Legitimate interest to contact you when you publicly disclose your information on professional social media platforms (Art. 6 (1) (f) of GDPR) |
Am I obliged to provide this information? | It is a requirement necessary to enter into a contract only where we intend to enter into an employment contract with you. If you do not provide this information, we will not be able to enter into an employment contract with you. |
- Compliance with legal requirements and defence of our rights and interests
If you enter into a contract with us, we’ll keep your data for as long as the law requires. We also need to hold onto some of your information for legal requirements like accounting and record-keeping. And, on the off chance you’re involved in a legal case where we’re also a party, we’ll use your data specifically for that case.
What information do you collect about me? | Name, surname, email address, contracts, legally binding documents and data, correspondence, legal documents, pleadings, annexes, court documents, investigative information, information about convictions and criminal offences, logs, possible breaches and incidents, and any other information provided and collected |
What is your legal basis to collect my information? | Legal obligation (Article 6 (1) (c) of the GDPR); Legitimate interest in defending our rights and interests (Article 6 (1) (f) of the GDPR) |
Am I obliged to provide this information? | When the processing of your information is required under applicable laws, providing this information becomes a legal necessity. If you are unable to provide this information, unfortunately, we will not be in a position to offer our services to you. |
- How long do you store my information?
We will not retain your information longer than necessary for the purposes of processing, except as required by law, which may mandate a longer retention period:
- We store copies of documents confirming the client’s identity (e.g., identity documents, beneficiary identity data, documentation of accounts and agreements, and other information related to the customer application and due diligence process), correspondence related to business relations, and records of monetary transactions (e.g., documents, data, and other legally valid information confirming or relating to monetary transactions) for up to 8 years from the date of the end of the business relationship with the client.
- For managing our recruiting and processing employment applications we will retain the information that we have obtained via our recruitment processes for as long as necessary to evaluate the application and in accordance with all relevant laws and regulations. Furthermore, we may ask for your consent to retain your information for some time after we have evaluated your application.
- We will use your information for marketing purposes as long as you are our customer or have given us consent, and 3 years thereafter, unless you inform us that you no longer wish to receive such information from us.
- If we do not enter into a business relationship but you have created an account on our platform, your data will be deleted after 3 months of inactivity. However, if you have provided consent to receive marketing communications, we will retain your data for up to 3 years, unless you notify us that you no longer wish to receive such communications.
- We will retain information necessary for the protection of our legal interests for 10 years.
- Where do you obtain my information from?
We collect most of the information directly from you. In addition, for certain purposes, we may receive information from other sources, as explained below.
Information source | Purpose of collecting information |
AML/CTF, Sanction & Fraud Screening Providers | To comply with AML/CTF regulations, sanction screening, fraud prevention, and other applicable legal requirements |
Social media service providers | To manage our social media profiles |
Marketing service providers | To inform you about our services and products |
Recruitment agencies, job search portals, professional social networks (e.g. LinkedIn) | To carry out the selection of potential employees |
- Who do you share my information with?
Recipients or categories of recipients | Third country (if the information is to be transferred to a third country or an international organisation) | Safeguard measure or exemption allowing the transfer |
Elastic N.V. (data analytics service provider) | — | |
Google Ireland Limited (IT infrastructure and services provider) | — | |
DeepL GmbH (AI-powered translation service provider) | — | |
Salesforge, UAB (cold outreach platform) | — | |
MailerLite Limited (mail marketing and automation services) | — | |
Avokaado OÜ (document management tool) | — | |
Lawyers, notaries, bailiffs, data protection officers, auditors, tax, business, HR and other consultants | — | |
Other providers of IT tools and services, AML and identification services, banking and payment processing services, electronic communication service providers, customer support services, cloud services, social media platforms, marketing services, travel agencies, insurance companies, archiving services, and other related service providers. | — | |
Bank of Lithuania, State Tax Inspectorate, Financial Crime Investigation Service, Centre of Registers, State Security Department of Lithuania, other state institutions, law enforcement authorities and courts of the EU and the Republic of Lithuania | — | |
Atlassian Corporation Limited (software-as-a-service) | UK | Adequacy Decision |
Cloudflare, Inc (security management services) | USA | EU-U.S. Data Privacy Framework |
Klaviyo, Inc (software-as-a-service) | USA | EU-U.S. Data Privacy Framework |
Hotjar Ltd (analytics platform) | Malta | EU Standard Contractual Clauses |
Raintank, Inc (Grafana labs) (open-source analytics and monitoring platform) | USA | EU-U.S. Data Privacy Framework |
DataDog Inc (monitoring, security, and analytics of cloud applications and IT infrastructure) | USA | EU-U.S. Data Privacy Framework |
Vercel UK Ltd (deployment of websites and applications) | UK | Adequacy Decision |
Onfido Limited (identity verification service provider) | UK | Adequacy Decision |
Sum & Substance Ltd. (identity verification service provider) | UK | Adequacy Decision |
IVXS UK Ltd. (real-time financial crime insights service provider) | UK | Adequacy Decision |
Elliptic Enterprises Limited (transaction monitoring and compliance service provider) | UK | Adequacy Decision |
Slack Technologies, Inc. (communications service provider) | USA | EU Standard Contractual Clauses |
Zendesk Inc. (customer support platform provider) | USA | EU-U.S. Data Privacy Framework |
Google LLC. (IT infrastructure and services provider) | USA | EU-U.S. Data Privacy Framework |
LinkedIn (social media service provider) | USA | EU Standard Contractual Clauses |
X Corp. (social media service provider) | USA | EU-U.S. Data Privacy Framework |
Amazon Web Services, Inc. (cloud service provider) | USA | EU Standard Contractual Clauses |
Potential or actual purchasers of the business or part of it and their authorised advisers or representatives | Various | EU Standard Contractual Clauses |
- What statutory rights do I have regarding my data?
Subject to conditions, limitations, and exceptions established by statutory data protection provisions, you have the rights listed below:
My right | When is this right applicable to me? |
Right of access | the right to obtain confirmation from us as to whether information relating to you is being processed and, if such personal data is being processed, the right to have access to the information and information about the processing. |
Right to rectification | the right to require us to rectify inaccurate personal data relating to you. |
Right to erasure (“right to be forgotten”) | – when personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; – when you withdraw consent on which the processing is based and there is no other legal ground for the processing; – when you object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes; – where the personal data have been unlawfully processed; – where the personal data have to be erased for compliance with a legal obligation; – where the personal data have been collected in relation to the offer of information society services directly to a child and subject to a consent. |
Right to restriction of processing | – where the accuracy of the personal data is contested by you; – where the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; – where we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; – where you have objected to processing. |
Right to data portability | where you seek to receive the data you have provided in a structured, commonly used and machine-readable form or to transmit those data to another controller, the processing is based on consent or on a contract and is carried out by automated means. |
Right to object | where the collection and use is based on a task carried out in the public interest or in the exercise of official authority vested or legitimate interest, including profiling, as explained in Section 3 of this Privacy Policy, or where you object to the collection of your personal data for direct marketing purposes. |
Right to withdraw consent | where the processing is based on consent, and you seek to withdraw it at any time. |
Right to lodge a complaint | right to lodge a complaint with a supervisory authority |
- Do you engage in automated individual decision-making, including profiling?
No, we do not make decisions based solely on automated processing, including profiling, which would produce legal effects concerning you.
- Does your website place cookies on my device?
Yes, our website places the following cookies on your device:
Purpose of processing | Cookie | Category | Whether third parties will have access to the information | Duration of operation |
Stores the URL to redirect users after authentication, ensuring they return to their intended destination post-login | __Secure-next-auth.callback-url | Necessary | No | Session |
Maintains the state of the authentication process to prevent Cross-Site Request Forgery (CSRF) attacks. | __Secure-next-auth.state | Necessary | No | 15 minutes |
Preserves the user’s session state across page requests, enabling consistent interaction with the website. | _coingate_session | Necessary | No | Session |
Records the user’s consent preferences for cookie usage, ensuring compliance with data protection regulations. | cookieyes-consent | Necessary | No | 1 year |
Utilized by Google’s reCAPTCHA to protect the site against spam and abuse by distinguishing between human and automated access. | _GRECAPTCHA | Necessary | Yes (Google) | 6 months |
Provides a CSRF token to secure forms and prevent malicious cross-site request forgery attacks during authentication. | __Host-next-auth.csrf-token | Necessary | No | Session |
Stores the PKCE code verifier during the OAuth authentication flow to enhance security by ensuring the integrity of authorization codes. | __Secure-next-auth.pkce.code_verifier | Necessary | No | 15 minutes |
Tracks sessions in HubSpot, determining if the session count should be incremented; contains domain, viewCount, and session start timestamp. | __hssc | Performance | Yes (HubSpot) | 30 minutes |
Set by HubSpot to determine if the visitor has restarted their browser; if not present, it is assumed to be a new session. | __hssrc | Performance | Yes (HubSpot) | Session |
Assigns a unique Hotjar user ID to ensure data from subsequent visits to the same site are attributed to the same user. | _hjSessionUser_2660382 | Performance | Yes (HotJar) | 1 year |
Holds current session data for Hotjar, ensuring subsequent requests within the session window are attributed to the same session. | _hjSession_2660382 | Performance | Yes (HotJar) | 30 minutes |
Used by Google Analytics to persist session state, enabling the collection of analytics data on user interactions. | _ga_EKPDML0Q46 | Performance | Yes (Google) | 2 years |
Registers a unique ID used by Google Analytics to generate statistical data on how the visitor uses the website. | _ga | Performance | Yes (Google) | 2 years |
The main cookie for tracking visitors in HubSpot; contains domain, user token, initial timestamp, last timestamp, current timestamp, and session number. | __hstc | Performance | Yes (HubSpot) | 13 months |
Tracks when someone clicks through a Klaviyo email to the website, allowing for better email campaign performance tracking. | __kla_id | Performance | Yes (Klaviyo) | 2 years |
Used by Google AdSense to experiment with advertisement efficiency across websites using their services. | _gcl_au | Targeting | Yes (Google AdSense) | 3 months |
Set by Cloudflare to identify trusted web traffic, enhancing security and performance. | _cfuvid | Functionality | Yes (Cloudflare) | Session |
Stores the current language selection, allowing the website to display content in the visitor’s preferred language. | wp-wpml_current_language | Functionality | No | 1 day |
Stores the callback path to redirect users appropriately after certain actions, ensuring seamless navigation. | x-callback-path | | No | Session |
Keeps track of a visitor’s identity in HubSpot; passed to the marketing platform on form submission to deduplicate contacts. | hubspotutk | Functionality | Yes (HubSpot) | 13 months |
Remembers the user’s language preference for the next visit, ensuring content is displayed in the chosen language. | NEXT_LOCALE | Functionality | No | Session |
- How can I manage cookies?
You can configure your browser to decline some or all cookies or to ask for your permission before accepting them. Please note that by deleting cookies or disabling future cookies you may be unable to access certain areas or features of our website. You can control the use of functionality cookies, targeting cookies or advertising cookies by adjusting your browser settings. To find out how to manage cookies in your browser, please visit one of the links below:
- Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
- Google Chrome: https://support.google.com/chrome/answer/95647
- Opera: https://www.opera.com/help/tutorials/security/privacy
- Microsoft Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
- Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-information-sfri11471/mac
- How can I contact your data protection officers?
If you have any questions, comments, or complaints regarding how we collect, use, and store your personal information, our data protection officers are ready to help you. If you need their help, you may contact them at any time via dpo@coingate.com.
- Can this Policy be amended?
We update this Policy from time to time. The latest version of this Policy can be found on our website at www.coingate.com.
Last updated: February 2025