Vexl Privacy Policy

How we treat your personal data…

‍

1. Who collects my personal data?

We are a commercial company called Vexl s.r.o., with its registered office at Kundratka 2359/17a, Libeň, 180 00 Prague 8, Czech Republic, Id. No. 172 70 642, and we are registered in the commercial register kept by the Commercial court in Prague under file No. 369216.

We are the company responsible for operation and development of Vexl – a service (including the application) that allows users looking to buy or sell Bitcoin to connect with each other to discuss their offers and agree upon trades (“Vexl”).

‍

‍

‍2. Why should I read this document?

You may have heard about Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (”Regulation”) more commonly known as GDPR.

Under the Article 13 and 14 of the Regulation, we must provide our users and other data subjects with information on the collection, handling, protection and processing of their personal data.

Therefore, in this Privacy Policy you may learn more about these topics regarding the personal data that we collect when you use Vexl.

‍

‍

3. What personal data is processed?

‍

Onboarding and using Vexl

We may process the following categories of personal data provided during the onboarding procedure and subsequent use of Vexl:

• your name (as provided by you);
• your phone number (as provided by you);
• your avatar (either uploaded picture or picture taken by a built-in camera of your device);
• your public key linked to your user account;
• contact details of your friends imported from your phone (in a form of phone number)
• your contact details (provided by other users of Vexl as part of their onboarding procedure) in a form of your phone number
• graph of your 1st and 2nd degree contacts (as explained in Vexl Terms of Service);
• certain information about offers to purchase or sale Bitcoin published via Vexl;
• any communication with other users of Vexl.
  
  

Please note, that (except for your public key) we cannot actually access any of the above data as it is always encrypted by you using public keys of specific users of Vexl (recipients of your offers, the users you are talking to via chat function etc.). Such data may only be decrypted using associated private keys stored locally on devices of respective users.

Also note, that some of the above data are stored locally on the devices of the respective users and are stored on our servers only for a limited period of time necessary to transmit it to other users of Vexl (etc. communication via chat function). So even if we could decrypt such data in theory, which we actually cannot, the data are still out of our reach.

In any case, if any such information is actually considered personal data, we may, as a data controller, from time to time process such personal data (even if in an encrypted form unreadable to us).

‍

Analytical data

We may collect and process anonymous analytical data regarding your usage of the Vexl application. This data is collected purely for analytical purposes, such as improving the user experience, identifying popular features, and optimizing the application's performance. This data is collected in an aggregated and anonymized form, ensuring that it cannot be used to identify any individual user.

‍

Support and reporting procedures

We may provide our users support services regarding Vexl. To be able to provide you with any support services we may have to use data obtained from you during the course of support procedure (such as your contact information etc.).

We allow users to report unlawful content. To be able to assess any reports we may have to use any data obtained from you during the course of the reporting procedure (such as your contact information etc.).

If any of such information is considered as personal data, we will, as a data controller, collect, store and/or process such personal data.

‍

‍

4. Why is my personal data processed?

We process your personal data only so we can provide you Vexl services including any support services and reporting procedures regarding Vexl.

We will also process your personal data to perform any of our obligations under the Vexl Terms of Service and any applicable law and to protect our own rights thereunder.

It is also in our legitimate interest to process such personal data to establish, exercise or defend any related legal claims, since otherwise we could not exercise our legal rights and such use of personal data is foreseeable by data subjects and represents little to no restriction of data subject interests, rights and freedoms.

‍

‍

5. For how long is my personal data processed?

We process your personal data only for the time necessary to meet the purposes of its processing specified above, or for the time consented by you, or for the time that is either necessary to comply with our obligations under the applicable law or set forth by the applicable law or in accordance therewith. We comply with the mandatory rules for data archiving.

To be specific:

We process your name, your avatar, your phone number, your public key and a graph of your 1st and 2nd degree contacts for as long as your user account exists. Please note, that except for your public key, we cannot actually access any of the above data as it is always encrypted with public keys of the specific users of Vexl.

Information about your offers is stored and processed only for the duration of the offer (set by you when placing the offer). Please note, that this information is also encrypted with specific public keys of the users that are allowed to see the offer and cannot be decrypted by us, even if transmitted via our servers.

Information provided when chatting with other users via chat function are processed only for the duration of the chat. Please note, that this information is also encrypted with specific public keys of the other party to the chat and cannot be decrypted by us, even if transmitted via our servers.

The analytical data is processed only until it is aggregated with data from other users. Once aggregated, the raw analytical data is deleted.

The data obtained during the support and reporting procedures will be processed until the procedure is completed and for a period of time when you are allowed under the statute of limitations to initiate any court proceedings in relation to the above procedures.

‍

‍

6. Who will have access to my personal data?

We take care of your personal data security and so we choose the partners to whom we entrust your personal data very carefully.

All our partners must be able to provide sufficient security of your personal data to prevent unauthorized or accidental access thereto or other abuse thereof and all our partners must undertake a confidentiality obligation and must not use your personal data for any purpose other than the purpose for which the data were made available to them.

The recipients that may have access to your personal data are:

• technological services providers including providers of data storage solutions;
• persons who provide our services with security and integrity and who regularly test such security and integrity;
• providers of accounting, legal and administrative services;
• our staff.
  ‍

Our aim is and always will be to ensure your personal data is as anonymous as possible and unavailable to all third parties. However, under certain specifically defined conditions we will be under some circumstances required, in accordance with the applicable law, to transfer certain personal data to public authorities.

‍

‍

7. Do you transfer the personal data outside the EU/EEA?

When collecting, storing and processing personal data we sometimes may use personal data processors such as Twilio, which under some circumstances transmit your personal data to third countries. In such an event we always make sure such transmission is compliant with the Regulation.

In particular, we specify that the personal data may be transmitted to the United States of America and in such event the transmission is compliant with the Standard Contractual Clauses (SCCs) mechanism.

For an in-depth overview, you can find Twilio's guidelines here.

‍

‍

8. How is my personal data protected?

All your personal data is secured by standard procedures and technologies. We provide data protection against unauthorized or accidental access, alteration, destruction, loss, unauthorized transmission or any other unauthorized processing, as well as against any other abuse of records containing the personal data.

The standard procedures and technologies may include, but are not limited to, the following:

• education and training of relevant staff to ensure they are aware of our privacy obligations when handling personal data;
• administrative and technical rules to restrict access to personal data on a ‘need to know’ basis;
• technological security measures, including firewalls, encryption and anti-virus software;
• physical security measures, such as staff security passes to access our premises.

‍

We are not able to guarantee the security of your personal data without your help and responsible behavior. Therefore, we ask you to help us ensure the security of your data by keeping your PIN private (if set up), and your device secure by following common security standards.

‍

‍

9. What are my rights in relation to personal data protection?

In relation to the personal data you shall have in particular the following rights:

• a right to withdraw your consent at any time;
• a right to correct or make additions to the personal data;
• a right to request restrictions to processing of your personal data ;
• a right to object or complain against processing of your personal data under certain circumstances;
• a right to request transfer of your personal data ;
• a right to access your personal data;
• a right to be informed of the personal data security breach under certain circumstances;
• a right to request deletion of your personal data (a right to be „forgotten“) under certain circumstances; and
• other rights set forth in Act of the Czech republic No. 110/2019 Coll., on personal data processing (Personal Data Protection Act) and the Regulation.
• You have a right to object, on grounds relating to your particular situation, at any time to processing your personal data which is based on Article 6(1)(f) of Regulation (it means that we have legitimate interest to process such personal data). You have also a right to object to processing your personal data for direct marketing purposes.

Additionally, you have a right to contact the Office for Personal Data Protection with a request for remedial measures in case of any violation of the obligations set forth in the Regulation at the following address: Office for Personal Data Protection, Pplk. Sochorova 27, 170 00 Prague 7, Czech Republic, phone number +420 234 665 111 (central telephone exchange).

‍

‍

10. How can I contact you?

If you have any questions regarding this Privacy Policy, please do not hesitate to contact us using the contact details below:

Address: Vexl s.r.o, Kundratka 2359/17a, Prague, Czech republic

Email address: support@vexl.it

‍

‍

11. When is this Privacy Policy effective?

This Privacy Policy comes into effect on 12. 5. 2025.

We reserve the right to amend and update this Privacy Policy at any time.

‍