2022-10-10 We have added specifications regarding the legal bases for processing your personal data and the processing of biometric data.
1.2 This policy covers the processing of personal data of our customers (or, in other words, the users of the LocalBitcoins’ services) and website visitors. Personal data refers to all data that relates to an identifiable individual. Such data includes for example name, contact information and trade history on the platform.
1.3 This policy applies to personal data we process or that is processed on our behalf (in other words, the processing for which we are the controller). Please note that our website and services contain links to third party websites or elements provided by third parties (for example an embedded video player). These third parties also process your personal data, either on our behalf (in other words, they are data processors) or for their own purposes. More information on where we disclose your data to, is available from chapter 3 of this policy.
1.4 We will update this policy from time to time to keep the information in this policy up-to-date as we develop our operations and services. You can always find the latest version of this policy on our website. We will notify you of any significant changes by email and/or through our website. If you have any questions regarding this policy, our contact details are listed in section 8.
1.5 Information security is paramount to LocalBitcoins, and we use a variety of technical and organisational measures and strict best practices to protect all personal data and other data we process. LocalBitcoins has an ISO 27001 certification for our information security management system and we also run for example a bug bounty program for security researchers.
2.1 In this section, we describe the purposes for which we process personal data, what kind of data we process and what the legal bases for the processing are.
2.2 On a general level, we process personal data for the following reasons:
2.3 The data we process can be divided into the following categories:
2.4 We process your personal data based on one of the following legal bases, depending on the circumstances:
More detailed information about the purposes is available below.
2.5.1 We process personal data to provide our services and to enable trading of cryptocurrencies. This includes the core functionalities of the services, the escrow protection and for example the affiliate program of our peer-to-peer model. Some of the personal data is also used to develop the service, for example through statistical data on the most popular features.
2.5.2 The data processed for this purpose is primarily collected from the users themselves, either when signing up for the services or for example when submitting new trades or making transactions on the services. Some data is collected from the use of the services, including logs and some trade data (such as timestamps). Some data is provided by other users, such as feedback after a transaction.
2.5.3 The personal data used for these purposes includes:
2.5.4 The legal bases for this processing are the performance of a contract (with our customers) and the legitimate interests of LocalBitcoins (to ensure the security of the service and to prevent fraudulent use of the service).
2.5.5 Please also note that you have the option to post some data publicly when using our services. This may be for example through optional fields on your profile or interactions on public boards. You have control over which data you choose to include and remove, but please note that you should not post any data you consider private, and we urge you to consider that such data may be indexed by search engines or otherwise be processed by others outside our services.
2.6.1 We process personal data to comply with our legal obligations in accordance with applicable legislation and orders of competent authorities. As a cryptocurrency exchange operating from Finland, we have legal obligations to for example identify our customers and to prevent money laundering and financing of terrorism. We also have a legal obligation to disclose some data to the authorities if ordered to do so.
2.6.2 This data is partly collected from the users themselves (such as formal identification data and biometric data) and partly from the use of our service (such as some data about the transactions).
2.6.3 The data used for these purposes includes:
2.6.4 This data is processed on the basis of our legal obligations. These obligations relate primarily to the know-your-customer and anti-money laundering and anti-terrorism financing legislation. Biometric data may also be processed on the basis of the processing being necessary for reasons of substantial public interest (including but not limited to preventing money laundering, terrorist financing and fraud). In some cases, we may also ask for your consent to the processing of biometric data.
2.7.1 We use personal data to communicate with our customers in a variety of ways. These include for example notifications sent through the services, updates about the services, invites to webinars and other events and other marketing communications. We also use advertising services to target advertising for potential customers.
2.7.2 This data is partly collected from the users themselves (such as contact data) and partly through an analytics service provider and the use of our website.
2.7.3 The data used for these purposes includes:
2.7.4 The legal bases for this processing are legitimate interests of LocalBitcoins (to communicate about our services), performance of a contract (notifications regarding trades and other use of the service) and consent (regarding marketing communications and data used for targeted advertising).
3.1 In this section, we describe which third parties we disclose your personal data to. We use certain third-party service providers who process your personal data on our behalf (in other words, they are data processors). Below, we have grouped these into general categories and describe how they process your data. We may also disclose your personal data to other third parties, such as tax authorities based on our regulatory obligations.
3.2 For LocalBitcoins to be able to offer its services, we use certain third-party service providers to help us run our service. These include hosting providers and other technical service providers which allow us to monitor the status of our service and to send you email notifications. We also use third-party services to protect the security of the website and to filter malicious traffic, and to generate statistics about the use of our website and to target advertising.
3.3 We use third-party ID service providers to verify the identity of our customers as required by applicable law. These companies verify the identity based on formal identification proof, such as a passport.
3.4 In addition, we disclose personal data to authorities in cases where we have a regulatory obligation to do so. The content and recipient of these disclosures varies from case to case, but such disclosures are based on a regulatory obligation or a binding order by the authorities.
4.1 Our policy is to store and process your personal data only for as long as is necessary for providing our services or as is required by applicable law. The storage times depend on several factors, including the nature of the data, the purposes for which the data is processed and the legislation applicable to the processing. The storage principles and times for different categories of data are described below. Please note that in individual cases, data may be stored longer if necessary for example to resolve a customer support issue, for auditing purposes or for other legal reasons. For some data on your user account, you have the possibility to remove the data yourself.
4.2 Please also note that all data included in the blockchain will remain publicly available on the blockchain. This is due to the nature of the blockchain technology and is not controlled by us.
4.3 Generally, we store data related to your account and transactions for as long as you have an account with us and if you have conducted transactions on your account, 5 years after you've requested the account to be deleted. Your public profile and possible advertisements will be hidden 14 days after the deletion request and completely deleted after the 5 year period.
4.4 If you have not conducted any transactions, your account and related data will be deleted 14 days after the deletion request.
4.5 Personally identifiable analytics data of our service is deleted 14 days after the deletion request. Notification data may be stored longer, but no longer than 13 months. The storage times for logs vary, however, LocalBitcoins will only store logs for as long as is necessary.
5.1 LocalBitcoins hosts its services in the EU/EEA and your personal data is primarily processed on our secure servers within the EU/EEA. The data of our Russian and Chinese customers is also processed in Russia and China as required by local legislation.
5.2 Some of our external service providers may process some of your personal data outside the EU/EEA. We ensure that a similar degree of protection is afforded to your personal data by making sure that one or more of the following safeguards recognized by the EU General Data Protection Regulation (2016/679, “GDPR”) is implemented:
5.3 Please also note that the disclosures of personal data due to a legal obligation (described in paragraph 3.4) may also include transfers of personal data outside the EU/EEA. This is the case for example in cases where you are a resident of a non-EU country and we are obligated to disclose data to your local authorities.
6.2 Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date. A session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
6.3 Cookies do not typically contain any information that directly identifies a user (such as a name), but personal information that we store about you may be linked to the information stored in and obtained from cookies.
6.4 For more general information on cookies, see for example the Wikipedia article on HTTP Cookies.
6.7 When you submit personal data through a form such as those found on contact pages or comment forms, cookies may be set to remember your user details for future use. In order to provide you with a better experience on this site, we provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences, we need to set cookies so that this information can be called whenever you interact with a page that is affected by your preferences.
6.8 We run an affiliate program and as a part of it affiliates advertise our site and services. With the affiliate program we use tracking cookies to track users who visit our site through one of our affiliate partner sites in order to credit them appropriately, and where applicable, allow our affiliate partners to provide you with a bonus for making a purchase.
6.10 In addition, Cloudflare will add a security cookie to any domain or subdomain that is being proxied by our service. The purpose of this is to block malicious traffic and ensure the security of the site.
6.11 You can prevent the setting of cookies by adjusting the settings on your browser (see your browser support to do so). Disabling cookies may result in some functionalities and features of this site being disabled.
7.1 This section describes the rights that you as a data subject have regarding the processing of your personal data. Please note that some of the rights may contain restrictions – for example, we have a legal obligation to store some of our users’ personal data for certain periods, so even if you request for it to be deleted, we will store it until we no longer have a legal obligation to do so. Not all of the restrictions and preconditions are listed below, and we will consider them on a case-by-case basis.
7.2 Your principal rights as the data subject are:
(a) the right to access;
You have the right to know whether we process your personal data and if we do, to have access to the data. Providing that the rights and freedoms of others are not affected, we will provide you with a copy of your personal data. Primarily you can view and export your personal data from your account settings page.
(b) the right to rectification;
You have the right to have any inaccurate personal data about you rectified and any incomplete data about you completed. You can correct or update some of your personal data yourself through the services.
(c) the right to erasure;
You have the right to request the erasure of your personal data. The legal obligations to process your data are described above in section 2.6, and if such obligations apply, your data cannot be erased until the end of the statutory storage periods.
(d) the right to restriction of processing;
You have the right to request that the processing of your personal data is restricted if the preconditions set in the GDPR are met.
(e) the right to object to processing;
You have the right to object to the processing of your personal data on grounds relating to your particular situation as regards the processing that is based on the public interest or the exercise of official authority or the legitimate interests of us or a third party.
(f) the right to data portability;
To the extent that the processing is based on your consent or an agreement, you have the right to receive your personal data you have provided us. This right does not apply where it would adversely affect the rights and freedoms of others.
(g) the right to complain to a supervisory authority;
If you consider that our processing of your personal data infringes data protection laws, you have a right to lodge a complaint with a supervisory authority responsible for data protection.
(h) the right to withdraw consent;
To the extent that the legal basis for our processing of your personal data is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
8.1 The data controller responsible for your personal data is LocalBitcoins Oy, a Finnish limited liability company with the postal address of Porkkalankatu 24, 00180 Helsinki, Finland.