1. Wstęp

This Privacy Notice explains how CRYPTOCOMMERCIAL SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (“we,” or “us”) collects, stores, processes, and uses your personal data, as well as what you can expect when interacting with our services. We are committed to protecting your privacy and handling your Personal Data with care and transparency.

This Notice applies when you access or use our website indyvo.com (“Website”), our mobile application available via official app stores or other platforms (“App”)—including any mobile-optimized or device-specific versions—as well as any related products, services, or official pages we maintain on social media platforms. Collectively, these are referred to as our “Services.”

Any references to “you” or “your” in this Privacy Notice refer to all individuals whose Personal Data we collect, hold, and proceмss as a Data Controller in the course of providing our Services.

If you have any questions or comments about this Privacy Notice or need more information about the Services please contact us.

2.Our Contact Details

We act as the data controller of your Personal Data processed through the Website, the App, or by any other means in connection with the provision of our Services. As the data controller, we determine the purposes and means of personal data processing.

Controller data	CRYPTOCOMMERCIAL SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ registration number 0001004762 Ostrobramska 101A / 301, 04-041 Warsaw, Poland
Data Protection Team	[email protected]

3.Sources of Personal Data

We receive Personal Data about you in the course of providing our Services, which may include your use of the App, the Website, or related features. The specific data we collect depends on the nature of the Services you use and your interactions with them. Please see the sections below for detailed information.

We may receive certain Personal Data from third-party sources, depending on your settings and the specific features of the Services you choose to use. However, such third-party data sharing does not occur in all cases.

We may gather certain information automatically:

Access logs	Similar to the majority of websites online, our Website gathers access logs (including IP address, browser type, operating system) to guarantee the secure, dependable, and resilient functioning of our Services.
Tracking Technologies (Cookies)	Cookies are typically small text or image files that are placed on your device when you visit our Website. Some cookies are necessary for the smooth operation of our Website, while others are used to enhance functionality, analyze aggregated usage statistics for improving performance, and support advertising efforts.
Dane użytkowania	Information about how you use our Website and Services.

4.How We Use Your Personal Data

To provide, maintain, and improve App, Website, and related Services, we collect and process your Personal Data for specific and lawful purposes. These purposes include both essential operational activities and compliance with legal requirements. We may also use your Personal Data for other purposes if we have obtained your consent or if such processing is compatible with the original purpose of collection:

Purpose	Opis	Podstawa prawna
Account setup and 2FA protection	Managing user accounts, including registration, billing, customer support, and account security	Performance of a contract / Legitimate interest
Provision of Services and Marketing	Operating the Website/App and delivering content, including targeted marketing communications	Performance of contract/ Consent
KYC and identity verification	Verifying user identity and processing payments as needed to complete transactions	Performance of a contract/Legal obligation
Security and fraud prevention	Ensuring account and system security, detecting and preventing fraud, spam, or DDoS attacks	Legitimate interest
AML compliance	Meeting anti-money laundering requirements and maintaining secure financial practices	Legal obligation/ Legitimate interest
Cookies and personalization	Enhancing user experience and customizing content via cookies (user-manageable via browser settings)	Consent / Performance of a contract
User support and communication	Responding to inquiries, feedback, and support requests; improving Services	Performance of a contract / Legitimate interest

To process your personal data, we rely on the following legal bases:

Legal Basis	Opis
performance of the contract	for the processing of personal data necessary for the negotiating on, conclusion, and performance of a contract (e.g. Terms of Service) with you.
legal obligation	for the processing of data as required by applicable laws (for example, to comply with tax or KYC/AML regulations) or if requested by a law enforcement agency, court, supervisory authority, or another state-authorized public body.
legitimate interest	for the processing necessary for the development of our services, taking into consideration your interests, rights, and expectations.
consent	for additional processing for specific purposes.

5.Data Sharing with Third Parties

We may share your Personal Data as follows:

Party	Opis
Service providers:	With our contracted service providers, who provide services such as IT and system administration and hosting, credit card processing, research and analytics, marketing, customer support and data enrichment for the purposes and pursuant to the legal bases described above.
Professional advisers:	In individual instances, we may share your Personal Data with professional advisers acting as service.
Public authorities:	With public and government authorities, to the extent we are compelled to disclose Personal Data to comply with our legal obligations.
Third parties involved in a corporate transaction:	If we are involved in a merger, reorganization, dissolution or other fundamental corporate change, or sell a Website or business unit, or if all or a portion of our business, assets or stock are acquired by a third party. In accordance with applicable laws, we will use reasonable efforts to notify you of any transfer of Personal Data.

6.Payment Card

To provide you with the Indyvo payment card, we securely share certain personal information with Quicko sp. z o.o., Tarnowskie Góry, 49 Sienkiewicza St., 42-600 Tarnowskie Góry, Poland, registered in the National Court Register (KRS) under number 0000350151, www.quicko.pl

Quicko sp. z o.o. processes this information in line with its own Informacja o ochronie prywatności, which we encourage you to read to understand how your data is handled.

7.International Data Transfers

We have the ability to store, access, and transfer Personal Data worldwide. We evaluate cross-border data transfers and put in place suitable measures to ensure the protection of your Personal Data in accordance with the guidelines outlined in this Privacy Notice.

Zachód	Opis
Adequacy decision	If your Personal Data is transferred to countries outside the European Economic Area (EEA), we ensure the recipient country has received an adequacy decision from the European Commission. For more information about adequacy decisions, click here.
Odpowiednie środki ostrożności	To transfer personal data to recipients lacking an adequacy decision, we may utilize standard contractual clauses that have been approved by the European Commission or other legally recognized transfer mechanisms. For more information about standard contractual clauses, click here.

8. Data Security Measures

We are committed to protecting your Personal Data and have implemented appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration or loss. These security measures ensure the protection and integrity of the Personal Data we process, in line with applicable data protection laws and industry standards.

Examples of such measures include:

Data encryption during transmission and storage to protect against interception or unauthorised access.
Access controls and authentication mechanisms ensuring that only authorised personnel can access Personal Data.
Regular security audits and vulnerability assessments to identify and mitigate risks.
Network and system monitoring to detect suspicious activity and prevent breaches.
Data minimisation practices, ensuring that only necessary Personal Data is collected and retained.
Employee training and awareness programs on data protection and information security.
Secure backup and recovery procedures to prevent data loss.

Policies and procedures governing the secure data processing operations of Personal Data.

9. Data Retention

We retain your Personal Data only for as long as it is necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations.

Data Retention: Once Personal Data is no longer needed for the specified purposes, we securely delete, destroy, or anonymize it in accordance with our data retention policies and applicable legal requirements.
Your Right to Delete Data: You may request the deletion of your Personal Data or withdraw your consent at any time by contacting us at [email protected]. Please note that withdrawing consent or requesting deletion may limit or disable your access to certain features of Indyvo Account.
Unlimited Storage Where Required by Law: We reserve the right to store and process your Personal Data without a specific retention period where required for legal compliance or as otherwise permitted by law.
Grounds for Erasure: We will erase your Personal Data without undue delay under the following conditions:
- It is no longer necessary for the purposes it was collected or processed;
- You withdraw your consent and there is no other lawful basis for processing;
- You object to processing and there are no overriding legitimate grounds;
- The data was unlawfully processed;
- Erasure is required to comply with legal obligations under EU or Member State law.

We may also retain your Personal Data where such retention is necessary:

To comply with a legal obligation;
To protect your vital interests or those of another individual.

10. Data Subject Rights

Depending on where you reside, you may be entitled to specific rights under data protection laws such as the General Data Protection Regulation (GDPR), the UK GDPR, PIPEDA (Canada), or various U.S. state privacy laws. These rights are designed to give you greater control over how your personal data is collected, used, and shared.

The tables below provide an overview of the rights available to residents of the European Union, United Kingdom, Canada, and applicable U.S. states. If you are a resident of a country whose laws are not covered by this notice, please refer to the section on Data Subject Rights for the European EEA and UK residents.

If you wish to make a request or have questions about your privacy rights, please reach out to us at [email protected]

You are not required to pay any fee to exercise your data protection rights.

European Economic Area and United Kingdom Residents

Your Right	Opis
Right of Access	You have the right to request copies of your Personal Data that we hold.
Right to Rectification	You can ask us to correct any inaccurate Personal Data or complete data you believe is incomplete.
Right to Erasure	You can request the deletion of all your Personal Data when you stop using the Services and close your account.
Right to Restrict Processing	You can ask us to limit the processing of your Personal Data in certain circumstances.
Right to Object to Processing	You can object to the processing of your Personal Data in certain situations.
Right to Data Portability	You can request that we transfer the Personal Data you provided to another organization, or directly to you, in certain cases.
Right to withdraw consent	You can withdraw your consent at any time.
Right to file a complaint	If your request was not satisfied, you could file a complaint to the regulatory body.
You can also exercise your rights by contacting us at [email protected].
EEA Residents	We will respond to your request within one month. If you’re not satisfied, you can file a complaint with your local Data Protection Authority here.
UK Residents	We will respond to your request within one month. If unresolved, you can contact the ICO at 0303 123 1113 or www.ico.org.uk/concerns.

If you make a request, we have a 30-day period to respond to you. In case we need a longer timeframe, we will notify you by email with an anticipated date of our response.

If you believe that your rights have been violated, you can file a complaint with the Commissioner for Personal Data Protection of the Republic of Poland (the jurisdiction of our registration). Commissioner’s website: https://uodo.gov.pl/en

If you are within the EU, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence or place of work. You can find the list of data protection authorities in the EEA at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

11. Children’s Privacy

Our services are not intended for individuals under the age of 18, and we do not knowingly collect any personally identifiable information from anyone under the age of 18. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at [email protected]. Should we become aware that we have unintentionally collected such information without verified parental consent, we will take immediate steps to delete it.

12. Modifications

We indicate the current version of this Privacy Notice by the “Last modified” date provided in the upper left corner of this notice. We regularly review and update this privacy notice to ensure it remains accurate and reflects any changes in how we process your Personal Data.

If we make material changes to this privacy notice, we will notify you, where feasible, either by sending an email to the address associated with your account or by displaying a notification or pop-up within the App.

We still recommend checking this Privacy Notice from time to time to stay informed about how we collect, use, and protect your Personal Data.