Bitfinex Labs Privacy Policy

Last updated: 24 October 2022

Bitfinex Labs Inc., registered in the British Virgin Islands under company number 2107623 and having its registered office at Trinity Chambers, PO Box 4301, Road Town, Tortola VG1110, British Virgin Islands, British Virgin Islands, ("Bitfinex Labs") makes available the Iris Wallet non-custodial wallet mobile application software and the Test Net Iris Wallet non-custodial wallet mobile application software (each an “App” and together the "Apps"). Bitfinex Labs and its affiliate iFinex Inc. (any of the foregoing, "we", "our", or "us") also maintain a website at www.IrisWallet.com (the “Website") relating to the Apps. The Apps access computer networking power required for: (a) in the case of the Iris Wallet software, the Bitcoin blockchain and RGB protocol transactions, including a Bitcoin blockchain node; and (b) in the case of the Test Net Iris Wallet software, test net Bitcoin blockchain and RGB test net protocol transactions, including a test net Bitcoin blockchain node (“Protocol Networks”). The Bitcoin blockchain node and test net Bitcoin blockchain node may be operated by us although we have no obligation to do so.

We respect and protect the privacy of App and Website users. This privacy notice ("Privacy Policy") sets out the basis on which Personal Information about you ("you", "your", or "customer") is processed. "Personal Information" is typically data that identifies an individual or relates to an identifiable individual and includes any information which, either alone or in combination with other data, enables you to be directly or indirectly identified, for example any unique identifier such as an IP address, device ID or other online identifier. Personal information includes information you provide to us, information which is collected about you automatically, and information we obtain from third parties. The exact definition of Personal Information depends on the applicable law based on your physical location. Only the definition that applies to your physical location will apply to you under this Privacy Policy.

We act as joint data controller for your Personal Information that is received or otherwise processed by us as described in this Privacy Policy. We have appointed Rickert Rechtsanwaltsgesellschaft mbH, whose registered office is Colmantstraße 15, 53115, Bonn, Germany, as its EU/UK representative.

Please read the following carefully to understand what Personal Information the App will access and make accessible to Protocol Networks, what Personal Information the Website will access, what Personal Information we may collect, how that Personal Information is used and the ways it can be shared by us. If you do not agree with or you are not comfortable with any aspect of this Privacy Policy, you should immediately discontinue access of Protocol Networks components managed by us and not visit our Website

The RGB protocol is an open-source software protocol implementing a smart contracts system that uses client-side validation and operates on top of the Bitcoin network as a Layer 2 solution. The RGB test net protocol is an open-source software protocol implementing a smart contracts system that uses client-side validation and operates on top of the test net Bitcoin network as a Layer 2 solution. While the RGB protocol and RGB test net protocol attempt to build enhanced privacy into the transactions in RGB tokens or RGB test net tokens, as applicable, no encryption or privacy enhancing systems is ever completely secure. The RGB protocol and RGB test net protocol are experimental protocols and the Apps are experimental wallet applications for those experimental protocols. The Apps are subject to failure and may contain defects. Your transactions using the Apps may be exposed. We do not and we cannot guarantee the security of your data transmitted through the Apps; any transmission is at your own risk.

1. Our Processing of Your Personal information.

Please note that when you download an App via a third-party platform (e.g., via the Google Play Store), certain information required for the download (such as your username, e-mail address, user account number, time of download, and individual device identification number) may be transferred to the platform together with additional information which the platform may collect. We have no influence on and are in no way responsible for any data collection or processing activities carried out by such third-party platforms.

As we add new features, either the App or we may learn additional information from you or send different or additional information from your device.

1. Information accessible to the App on your device when you use the App.

To support your usage of the App the App may obtain certain information which are either necessary to enable you using certain features of the App (e.g., the address associated with your unspent bitcoin transaction output or unspent test net bitcoin transaction output), or relevant for certain specified purposes, described in greater detail below. Except as otherwise described in this Privacy Policy, this information will reside on your device and not be accessible to or processed by us, and we are not responsible for this Information.

The App may collect the following types of information from you:

• Identification information such as your IP address and Bitcoin blockchain address or test net Bitcoin blockchain address;

• Financial Information such as the blockchain address for your unspent bitcoin transaction output and RGB protocol unspent transaction output (i.e. token balances) or the blockchain address for your unspent test net bitcoin transaction output and RGB test net protocol unspent transaction output (i.e. token balances); and

• Transaction Information such as Bitcoin blockchain commitment data and RGB protocol transaction data or test net Bitcoin blockchain commitment data and RGB test net protocol transaction data; QR codes that you generate within the App or onchain balances of originating transfer addresses.

• Audio, electronic, visual, or similar information such as QR-code scans.

2. Information that leaves your device when you use the App.

The App may send the following types of information from your device to Protocol Networks. Information sent to the Bitcoin blockchain node or test net Bitcoin blockchain node comprising a part of the Protocol Networks will be permanently, and publicly recorded. Information sent to other components of the Protocol Networks is transferred between users of the App but is not recorded publicly or permanently. Unless stated otherwise in Section 1.4 below, we have no access to this information and accordingly are not responsible for its processing.

• Identification information such as your IP address and Bitcoin blockchain address or test net Bitcoin blockchain address;

• Financial Information such as the blockchain address for your unspent bitcoin transaction output and RGB protocol unspent transaction output (i.e. token balances) or the blockchain address for your unspent test net bitcoin transaction output and RGB test net protocol unspent transaction output (i.e. token balances);

• Transaction Information such as Bitcoin blockchain commitment data and RGB protocol transaction data or test net Bitcoin blockchain commitment data and RGB test net protocol transaction data; and

• Back-up: The App may offer you an option to choose to connect it to a Google Drive to back-up information and permit you to recover the App on another device for example, if your device is ever lost or stolen. Information backed-up into the Google Drive you select includes financial information such as the blockchain address for your unspent bitcoin transaction output and RGB protocol unspent transaction output (i.e. token balances) or the blockchain address for your unspent test net bitcoin transaction output and RGB test net protocol unspent transaction output (i.e. token balances), and transaction Information such as Bitcoin blockchain commitment data and RGB protocol transaction data or test net Bitcoin blockchain commitment data and RGB test net protocol transaction data. Private keys are not sent to the back-up service. You must independently back-up your private keys.

3. Information we collect about you automatically.

If you visit the Website, to the extent permitted under applicable law, we may obtain Personal Information automatically. This information helps us, for example, to provide you with a streamlined and personalized experience. Personal Information collected automatically by the Website may include Online Identifiers, such as geo location, internal device ID, model, operating system, IP address, language, browser fingerprint/name and/or version, time zone setting or browser plug-in types and versions. Your use of the App will not result in us obtaining any of the foregoing information.

4. Information we receive about you from other sources.

From time to time, we may obtain information about you, including from our affiliates or third-party sources as permitted by applicable law through your use of services, such as other wallet providers, Protocol Network operators, and/or through publicly available sources. These sources and information may include:

• Blockchain and RGB Protocol Data: We may analyze the Bitcoin blockchain, test net Bitcoin blockchain, RGB protocol and RGB test net protocol to ensure that users of the App are not engaged in illegal or prohibited activities, and to analyze transaction trends for research and development purposes.

• Protocol Network: We may operate components of the Protocol Network. If you choose to interact with those, the App may send the information described in Section 1.2 (Information that leaves your device when you use the App) to those Protocol Network components that we run. Consequently, we may have access to that information, although it will remain encrypted in most cases.

2. How your Personal Information is used.

The primary purpose where the App collects Personal Information is to enable RGB protocol and Bitcoin blockchain transactions. We do not have access to this Personal Information and are not responsible for its processing.

In the limited circumstances where we receive Personal Information, such as when you interact with the Website or Protocol Network components managed by us, we generally use the information to facilitate RGB protocol and Bitcoin blockchain transactions and improve the App or Protocol Network components managed by us. This being said, we may use your Personal Information in the following ways:

1. Compliance with a legal and regulatory obligations

In the limited circumstances where we receive Personal Information, such as when you interact with the Website or Protocol Network components managed by us, we may also use the information to comply with legal obligations imposed by relevant laws to which we are subject.

.

2. To enable the App to perform wallet functions

The App processes your Personal Information to allow your use of the App and its features, for example, by seeding transaction data that you control within the App, by checking that RGB data received respect validation rules, and by checking that Bitcoin transaction output and transaction commitments exist on the Bitcoin blockchain or test net Bitcoin transaction output and transaction commitments exist on the test net Bitcoin blockchain. The App may also process QR code information to allow you to initiate peer-to-peer transactions. All of the foregoing occurs on your device and outside our responsibility, but as described in Section 1.2 (Information that leaves your device when you use the App) above, certain information must be sent from your device to the Protocol Network and may be permanently and publicly recorded. If you use the App to interact with the Protocol Network components managed by us, we will use the information we receive in that context to facilitate RGB protocol and Bitcoin blockchain transactions or RGB test net protocol and test net Bitcoin blockchain, as applicable, and for other purposes set out in this Privacy Policy.

3. To ensure quality control

In the limited circumstances where we receive Personal Information, such as when you interact with the Website or Protocol Network components managed by us, we may also process your Personal Information for quality control and staff training to improve the Website, our management of Protocol Network components or contribute to the further development of the RGB protocol.

4. For the purpose of safeguarding legitimate interests

In the limited circumstances where we receive Personal Information, such as when you interact with the Website or Protocol Network components managed by us, we may also process personal data so as to safeguard the legitimate interests pursued by us or by a third party. A legitimate interest is when we have a business or commercial reason to use your information. It is, for example, in the interest of our organization to conduct and manage our business; this includes protecting our interests and enforcing agreements with others, as well as comply with industry best practices. We might have legitimate interest to process Personal Information in other contexts. We ensure that we balance any potential impact on you and your rights before we process your Personal Information on that basis. You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us. Please also consult the section "Your rights" below.

We process your Personal Information in this context

1. to better understand use of the App.

2. to facilitate corporate acquisitions, mergers, or transactions. We may, in particular, process any information regarding your wallet and use of the App as is necessary in the context of corporate acquisitions, mergers, or other corporate transactions.

1. For any purpose that you provide your consent.

We will not use your Personal Information for purposes other than those purposes we have disclosed to you, without your permission. From time to time, and as required under applicable law, we may request your permission to allow us to share your Personal Information with third parties. In such instances, you may opt out of having your Personal Information shared with third parties, or allowing us to use your Personal Information for any purpose that is incompatible with the purposes for which we originally collected it or subsequently obtained your authorization.

3. Legal Basis for processing your Personal Information

For individuals who are located in the European Economic Area, the United Kingdom or Switzerland (collectively "EEA Residents") at the time their Personal Information is collected, our legal bases for processing your information under the EU General Data Protection Regulation ("GDPR") or the applicable data protection regulations in the United Kingdom or Switzerland will depend on the Personal Information at issue, the specific context in the which the Personal Information is collected and the purposes for which it is used.

Generally, we process Personal Information, including data pertaining to EEA Residents, as described in Section 2 of this Privacy Policy, based on the following corresponding legal bases:

Section & Purpose of Processing	Legal Bases for Processing
Section 2.1 – Compliance with a legal and regulatory obligations (in connection with EEA law and regulatory obligations)	Based on our legal obligations, or the public interest.
Section 2.2 – To enable the App to perform wallet functions Section 2.3 – To ensure quality control	Based on our contract with you or to take steps at your request prior to entering into a contract
Section 2.1 – Compliance with a legal and regulatory obligations (in connection with non-EEA law and regulatory obligations) Section 2.4 – For the purpose of safeguarding legitimate interests	Based on our legitimate interests (as balanced, as described under Section 2.4)
Section 2.5 – For any purpose that you provide your consent	Based on your consent

If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Information, please contact us using the contact details provided under the "How to contact us" heading below.

4. security and confidentiality of your Personal Information.

We are committed to protecting your privacy. In the limited circumstances where we may receive your Personal Information, such as when you interact with the Website or Protocol Network components managed by us, we have put in place appropriate physical, technical and administrative safeguards to protect the security and confidentiality of the Personal Information you entrust to us, as well as procedures to deal with any actual or suspected data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

For example, we use computer safeguards such as firewalls and data encryption and we authorize access to Personal Information only for those contractors or employees who require it to fulfil their job responsibilities.

5. Transfers.

In the limited circumstances where we may receive your Personal Information, such as when you interact with the Website or Protocol Network components managed by us, we take care to allow your Personal Information to be accessed only by those who require access to perform their tasks and duties, and to share your Personal Information only with third parties who have a legitimate purpose for accessing it. We will never sell or rent your Personal Information to third parties without your explicit consent. As necessary, we will share your Personal Information with:

• Any member of our group, including any of our associates or affiliates or any of their representatives;

• Our service providers, to the extent they process your data on our behalf. Our data processing agreements require these service providers to only use your information in connection with the services they perform for us, and prohibit them from selling your information to anyone else. Examples of the types of service providers we may share Personal Information with (other than those mentioned above) include:

  • Network infrastructure, cloud storage, document repository services, and other Internet / IT related providers necessary to run and provide the Protocol Network components managed by us;

  • Transaction processing, and other functions provided in connection with the Protocol Network components managed by us;

  • Service providers specializing in security issues;

• Selected third parties, including analytics providers that assist us in the improvement and optimization of the App or the Website;

• Authorities and law enforcement agencies worldwide either when ordered to do so or on a voluntary basis if this appears reasonable and necessary to us;

• Companies or other entities that we plan to merge with or be acquired by, in which case Personal Information held by it about its customers will be one of the transferred assets;

• Our professional advisors who provide banking, legal, compliance, insurance, accounting, or other consulting services in order to complete third party financial, technical, compliance and legal audits of our operations or otherwise comply with our legal obligations;

• Any other third party, if we are under a duty to disclose or share your Personal Information in order to comply with any legal obligation, or in order to enforce or apply our terms of and other agreements; or to protect the rights, property, or safety of us, our clients, or others, including to defend ourselves from legal claims.

6. International Transfers

Your Personal Information may be processed and stored in a foreign country or countries and the governments, courts, law enforcement or regulatory agencies of that country or those countries may be able to obtain access to your Personal Information through foreign laws. You need to be aware that the privacy standards of those countries may be lower than those of the jurisdiction in which you reside.

If we are the recipient of your information, we will take all steps reasonably necessary to ensure that your Personal Information is treated securely and in accordance with this Privacy Policy. In the limited circumstances where we may receive your Personal Information, such as when you interact with the Website or Protocol Network components managed by us, all data you provide to us is stored on our secure servers. Where we transfer Personal Information pertaining to EEA Residents outside of the EEA, we ensure that adequate safeguards are in place. That includes, where necessary, taking steps to evaluate the risks raised by the transfers in countries that do not offer an adequate level of protection. We rely primarily on the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum to facilitate the international and onward transfer of EEA Residents' Personal Information, to the extent the recipients of the European Personal Information are located in a country that the relevant authorities (such as the EU Commission) consider to not provide an adequate level of data protection. We may also rely on an adequacy decision of the relevant authorities confirming an adequate level of data protection in the jurisdiction of the party receiving the information, or derogations in specific situations.

Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Information out of the EEA.

7. Data Retention

We have data retention and deletion policies designed to retain Personal Information for no longer than necessary for the purposes set out herein or as otherwise required to meet legal or business needs. Because of those retention requirements, we might not be able to honour erasure requests.

If we no longer process your Personal Information for the described purposes, we will remove it from our systems and records or make it completely anonymous so that you can no longer be identified from it. Your data will not be erased or made completely anonymous if and as long as we have to store your data in order to fulfil legal or regulatory obligations, e.g., legal retention requirements, which may arise from applicable national legislation.

8. Your Rights

   1. General provisions

Depending on applicable law where you reside, you may be able to assert certain rights related to your Personal Information identified below. If any of the rights listed below are not provided under law for your operating entity or jurisdiction, we have an absolute discretion in providing you with those rights.

Your rights to Personal Information are not absolute. Depending upon the applicable law, access to your rights under the applicable law may be denied: (a) when denial of access is required or authorized by law; (b) when granting access would have a negative impact on another's privacy; (c) to protect our rights and properties; or (d) where the request is frivolous or vexatious, or for other reasons.

2. Special provisions for EEA Residents

If you are an EEA resident you have a number of rights in relation to how we process your Personal Information.

1. Access and portability. You may request that we provide you with a copy of your Personal Information held by us. This information will be provided without undue delay, unless such provision adversely affects the rights and freedoms of others. In certain circumstances, you may request to receive your Personal Information in a structured, commonly used and machine-readable format, and to have us transfer your Personal Information directly to another data controller.

2. Rectification of incomplete or inaccurate Personal Information. You may request us to rectify or update any of your Personal Information held by us that is inaccurate.

3. Erasure. You may have your Personal Information erased in certain circumstances, for example, where it is no longer necessary for us to process your Personal Information to fulfill our processing purposes; or where you have exercised your right to object to the processing.

4. Restrict the processing of your Personal Information. You have this right where, for example, the information is inaccurate or it is no longer necessary for us to process such information or where you have exercised your right to object to our processing. We may continue to process your Personal Information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law.

5. Object to the processing of your Personal Information. This right may be exercised in certain circumstances under applicable law, for example, where we are processing your Personal Information for direct marketing purposes, or where your own legitimate interests outweigh ours.

6. Data portability. You have the right to receive Personal Information which you have provided to us in a structured, commonly used and machine-readable format and the right to transmit this information to another controller.

7. Withdraw consent. When we rely on your consent to process Personal Information, you have the right to withdraw your consent at any time. Your withdrawal will not affect the lawfulness of our previous processing based on consent before your withdrawal.

Between us we have agreed that Bitfinex Labs shall be acting as point of contact and will be responsible for any requests that you may have when exercising your rights; this does not limit your right to contact iFinex Inc. as joint data controller.

9. Third-Party records

Please be aware that App transactions will be recorded on the Bitcoin blockchain or test net Bitcoin blockchain, as applicable. Public blockchains such as the Bitcoin blockchain and test net Bitcoin blockchain are distributed ledgers, intended to immutably record transactions across wide networks of computer systems. Many blockchains are open to forensic analysis which can lead to deanonymization and the unintentional revelation of private financial information, especially when blockchain data is combined with other data.

Because the Protocol Networks are decentralized or third-party networks which are not controlled or operated by us, we are not able to erase, modify, or alter Personal Information from such networks.

10. Changes to this Privacy Policy

Any changes we make to our Privacy Policy in the future will be posted on this page and, where material, notified to you. Please check back frequently to see any updates or changes to our Privacy Policy.

11. Contact

Questions, comments and requests regarding this Privacy Policy should be addressed to BitfinexLabs.privacy@bitfinex.com.

If you are an EEA Resident and you have any concerns about how we handle your Personal Information, please contact us in the first instance by email at BitfinexLabs.privacy@bitfinex.com. We will do our best to resolve your concern. You can also submit a complaint to the national supervisory authority within your jurisdiction, details of which can be found here.