Privacy Policy


Date of the latest revision: 10 October 2022.

Change Summary

2022-10-10 We have added specifications regarding the legal bases for processing your personal data and the processing of biometric data.

1. Introduction

1.1 Providing our services requires that we process personal data. In this Privacy Policy we explain how and why we use your personal data when you access or use LocalBitcoins’ services and how we protect the privacy and security of our users. This Privacy Policy also contains information on your rights regarding your personal data.

1.2 This policy covers the processing of personal data of our customers (or, in other words, the users of the LocalBitcoins’ services) and website visitors. Personal data refers to all data that relates to an identifiable individual. Such data includes for example name, contact information and trade history on the platform.

1.3 This policy applies to personal data we process or that is processed on our behalf (in other words, the processing for which we are the controller). Please note that our website and services contain links to third party websites or elements provided by third parties (for example an embedded video player). These third parties also process your personal data, either on our behalf (in other words, they are data processors) or for their own purposes. More information on where we disclose your data to, is available from chapter 3 of this policy.

1.4 We will update this policy from time to time to keep the information in this policy up-to-date as we develop our operations and services. You can always find the latest version of this policy on our website. We will notify you of any significant changes by email and/or through our website. If you have any questions regarding this policy, our contact details are listed in section 8.

1.5 Information security is paramount to LocalBitcoins, and we use a variety of technical and organisational measures and strict best practices to protect all personal data and other data we process. LocalBitcoins has an ISO 27001 certification for our information security management system and we also run for example a bug bounty program for security researchers.

2. Your personal data and why we use it

2.1 In this section, we describe the purposes for which we process personal data, what kind of data we process and what the legal bases for the processing are.

2.2 On a general level, we process personal data for the following reasons:

  • to provide our services to our users, including ensuring their security;
  • to verify and authorise our users in order to provide access to their user accounts;
  • to comply with our legal obligations (for example obligations arising from anti-money laundering legislation);
  • to communicate with our customers and market our services;
  • to provide support services to our users;
  • to prevent fraud or other unauthorised or illegal activity or any activity that violates our Terms of Service;
  • to develop and improve our services.

2.3 The data we process can be divided into the following categories:

  • personal identification data and contact data, including
    • formal identification data
    • biometric data (also known as “special category data” or “sensitive data”);
  • platform use data, including trade and transaction data;
  • technical data.

2.4 We process your personal data based on one of the following legal bases, depending on the circumstances:

  • performance of a contract to which you as a data subject are a party to;
  • legitimate interests pursued by the LocalBitcoins or by a third party; or
  • legal obligation to which LocalBitcoins is subject to;
  • consent received from you.

More detailed information about the purposes is available below.

2.5 Providing LocalBitcoins’ services

2.5.1 We process personal data to provide our services and to enable trading of cryptocurrencies. This includes the core functionalities of the services, the escrow protection and for example the affiliate program of our peer-to-peer model. Some of the personal data is also used to develop the service, for example through statistical data on the most popular features.

2.5.2 The data processed for this purpose is primarily collected from the users themselves, either when signing up for the services or for example when submitting new trades or making transactions on the services. Some data is collected from the use of the services, including logs and some trade data (such as timestamps). Some data is provided by other users, such as feedback after a transaction.

2.5.3 The personal data used for these purposes includes:

  • personal identification data and contact data (name, username, email address etc.)
  • trade data (trade advertisement, trade value, currency, payment method, trade chat messages etc.);
  • transaction data (wallet addresses, timestamps, currency amounts etc.);
  • technical data (logs, search queries, site statistics, IP addresses etc.);
  • data imported by the user (such as reputation or trade history).

2.5.4 The legal bases for this processing are the performance of a contract (with our customers) and the legitimate interests of LocalBitcoins (to ensure the security of the service and to prevent fraudulent use of the service).

2.5.5 Please also note that you have the option to post some data publicly when using our services. This may be for example through optional fields on your profile or interactions on public boards. You have control over which data you choose to include and remove, but please note that you should not post any data you consider private, and we urge you to consider that such data may be indexed by search engines or otherwise be processed by others outside our services.

2.6 Complying with our legal obligations

2.6.1 We process personal data to comply with our legal obligations in accordance with applicable legislation and orders of competent authorities. As a cryptocurrency exchange operating from Finland, we have legal obligations to for example identify our customers and to prevent money laundering and financing of terrorism. We also have a legal obligation to disclose some data to the authorities if ordered to do so.

2.6.2 This data is partly collected from the users themselves (such as formal identification data and biometric data) and partly from the use of our service (such as some data about the transactions).

2.6.3 The data used for these purposes includes:

  • personal identification data and contact data, including
    • formal identification data (full name, nationality, date of birth, social security number etc.);
    • biometric data for identification purposes (video data and facial geometry data recorded during identity verification process);
  • financial data (bank account details, tax identification data etc.);
  • trade data (trade advertisement, trade value, currency, payment method, trade chat messages etc.);
  • transaction data (wallet addresses, timestamps, currency amounts etc.).

2.6.4 This data is processed on the basis of our legal obligations. These obligations relate primarily to the know-your-customer and anti-money laundering and anti-terrorism financing legislation. Biometric data may also be processed on the basis of the processing being necessary for reasons of substantial public interest (including but not limited to preventing money laundering, terrorist financing and fraud). In some cases, we may also ask for your consent to the processing of biometric data.

2.7 Communicating with our customers and marketing our services

2.7.1 We use personal data to communicate with our customers in a variety of ways. These include for example notifications sent through the services, updates about the services, invites to webinars and other events and other marketing communications. We also use advertising services to target advertising for potential customers.

2.7.2 This data is partly collected from the users themselves (such as contact data) and partly through an analytics service provider and the use of our website.

2.7.3 The data used for these purposes includes:

  • contact data (e-mail address, phone number);
  • communication data (messages, customer support tickets etc.);
  • notification data (notification content);
  • marketing communications (newsletters etc.).

2.7.4 The legal bases for this processing are legitimate interests of LocalBitcoins (to communicate about our services), performance of a contract (notifications regarding trades and other use of the service) and consent (regarding marketing communications and data used for targeted advertising).

3. Disclosing Your Personal Data to Others

3.1 In this section, we describe which third parties we disclose your personal data to. We use certain third-party service providers who process your personal data on our behalf (in other words, they are data processors). Below, we have grouped these into general categories and describe how they process your data. We may also disclose your personal data to other third parties, such as tax authorities based on our regulatory obligations.

3.2 For LocalBitcoins to be able to offer its services, we use certain third-party service providers to help us run our service. These include hosting providers and other technical service providers which allow us to monitor the status of our service and to send you email notifications. We also use third-party services to protect the security of the website and to filter malicious traffic, and to generate statistics about the use of our website and to target advertising.

3.3 We use third-party ID service providers to verify the identity of our customers as required by applicable law. These companies verify the identity based on formal identification proof, such as a passport.

3.4 In addition, we disclose personal data to authorities in cases where we have a regulatory obligation to do so. The content and recipient of these disclosures varies from case to case, but such disclosures are based on a regulatory obligation or a binding order by the authorities.

4. How long is your data processed?

4.1 Our policy is to store and process your personal data only for as long as is necessary for providing our services or as is required by applicable law. The storage times depend on several factors, including the nature of the data, the purposes for which the data is processed and the legislation applicable to the processing. The storage principles and times for different categories of data are described below. Please note that in individual cases, data may be stored longer if necessary for example to resolve a customer support issue, for auditing purposes or for other legal reasons. For some data on your user account, you have the possibility to remove the data yourself.

4.2 Please also note that all data included in the blockchain will remain publicly available on the blockchain. This is due to the nature of the blockchain technology and is not controlled by us.

Account and transaction data

4.3 Generally, we store data related to your account and transactions for as long as you have an account with us and if you have conducted transactions on your account, 5 years after you've requested the account to be deleted. Your public profile and possible advertisements will be hidden 14 days after the deletion request and completely deleted after the 5 year period.

4.4 If you have not conducted any transactions, your account and related data will be deleted 14 days after the deletion request.

Technical data

4.5 Personally identifiable analytics data of our service is deleted 14 days after the deletion request. Notification data may be stored longer, but no longer than 13 months. The storage times for logs vary, however, LocalBitcoins will only store logs for as long as is necessary.

5. Transfers of data outside the EU

5.1 LocalBitcoins hosts its services in the EU/EEA and your personal data is primarily processed on our secure servers within the EU/EEA. The data of our Russian and Chinese customers is also processed in Russia and China as required by local legislation.

5.2 Some of our external service providers may process some of your personal data outside the EU/EEA. We ensure that a similar degree of protection is afforded to your personal data by making sure that one or more of the following safeguards recognized by the EU General Data Protection Regulation (2016/679, “GDPR”) is implemented:

  • Personal data is only transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
  • The transfers are based on the standard contractual clauses approved by the European Commission;
  • Binding corporate rules approved by a competent authority.
In addition and depending on the service, we have implemented additional safeguards, such as pseudonymization of the data (in other words, not transferring any direct identifiers outside the EU/EEA).

5.3 Please also note that the disclosures of personal data due to a legal obligation (described in paragraph 3.4) may also include transfers of personal data outside the EU/EEA. This is the case for example in cases where you are a resident of a non-EU country and we are obligated to disclose data to your local authorities.

6. Cookies

What are cookies?

6.1 Like almost all professional websites, this site uses cookies which are tiny files that are saved to your device to enable certain features, such as authentication, and to help us improve the site. This section describes how we use cookies and what personal data is processed. We will also share how you can prevent these cookies from being stored, although denying all cookies may downgrade or break certain elements of the site’s functionality.

6.2 Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date. A session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

6.3 Cookies do not typically contain any information that directly identifies a user (such as a name), but personal information that we store about you may be linked to the information stored in and obtained from cookies.

6.4 For more general information on cookies, see for example the Wikipedia article on HTTP Cookies.

Cookies that we use

6.5 If you create an account with us, we will use cookies for management of the signup process, for general administration and for preventing abuse and misuse of our services.

6.6 We use cookies when you are logged in so that we can remember the login session. This prevents you from having to log in every single time you visit a new page. These cookies are typically removed or cleared when you log out to ensure that you can only access restricted features and areas when logged in.

6.7 When you submit personal data through a form such as those found on contact pages or comment forms, cookies may be set to remember your user details for future use. In order to provide you with a better experience on this site, we provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences, we need to set cookies so that this information can be called whenever you interact with a page that is affected by your preferences.

6.8 We run an affiliate program and as a part of it affiliates advertise our site and services. With the affiliate program we use tracking cookies to track users who visit our site through one of our affiliate partner sites in order to credit them appropriately, and where applicable, allow our affiliate partners to provide you with a bonus for making a purchase.

Cookies used by our service providers

6.9 We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website and how we might improve your experience. These cookies may track things such as how long you spend on the site and the pages that you visit. Google's privacy policy is available at: https://www.google.com/policies/privacy/. To opt out of being tracked by Google Analytics, please click here: https://tools.google.com/dlpage/gaoptout.

6.10 In addition, Cloudflare will add a security cookie to any domain or subdomain that is being proxied by our service. The purpose of this is to block malicious traffic and ensure the security of the site.

We may use cookies to re-target our advertisements in select advertising platforms, such as Facebook to show advertisements for people who have visited our website.

Managing cookies

6.11 You can prevent the setting of cookies by adjusting the settings on your browser (see your browser support to do so). Disabling cookies may result in some functionalities and features of this site being disabled.

7. Your rights

7.1 This section describes the rights that you as a data subject have regarding the processing of your personal data. Please note that some of the rights may contain restrictions – for example, we have a legal obligation to store some of our users’ personal data for certain periods, so even if you request for it to be deleted, we will store it until we no longer have a legal obligation to do so. Not all of the restrictions and preconditions are listed below, and we will consider them on a case-by-case basis.

7.2 Your principal rights as the data subject are:

(a) the right to access;

You have the right to know whether we process your personal data and if we do, to have access to the data. Providing that the rights and freedoms of others are not affected, we will provide you with a copy of your personal data. Primarily you can view and export your personal data from your account settings page.

(b) the right to rectification;

You have the right to have any inaccurate personal data about you rectified and any incomplete data about you completed. You can correct or update some of your personal data yourself through the services.

(c) the right to erasure;

You have the right to request the erasure of your personal data. The legal obligations to process your data are described above in section 2.6, and if such obligations apply, your data cannot be erased until the end of the statutory storage periods.

(d) the right to restriction of processing;

You have the right to request that the processing of your personal data is restricted if the preconditions set in the GDPR are met.

(e) the right to object to processing;

You have the right to object to the processing of your personal data on grounds relating to your particular situation as regards the processing that is based on the public interest or the exercise of official authority or the legitimate interests of us or a third party.

(f) the right to data portability;

To the extent that the processing is based on your consent or an agreement, you have the right to receive your personal data you have provided us. This right does not apply where it would adversely affect the rights and freedoms of others.

(g) the right to complain to a supervisory authority;

If you consider that our processing of your personal data infringes data protection laws, you have a right to lodge a complaint with a supervisory authority responsible for data protection.

(h) the right to withdraw consent;

To the extent that the legal basis for our processing of your personal data is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

8. How to contact us?

8.1 The data controller responsible for your personal data is LocalBitcoins Oy, a Finnish limited liability company with the postal address of Porkkalankatu 24, 00180 Helsinki, Finland.

8.2 If you have any questions about this Privacy Policy, your rights or our data processing practices in general, you can contact our data protection officer (DPO) by email: dpo@localbitcoins.com.