Privacy Policy

Last updated: April 6, 2026

1. Introduction

This Privacy Policy (hereinafter referred to as the "Policy") describes how the EuropaTech investment platform (hereinafter referred to as the "Platform", "we", "us") collects, uses, stores, and protects users' personal data.

By using the Platform, you confirm your consent to the terms of this Policy. If you do not agree, please discontinue use of the Platform.

2. Data We Collect

Data you provide:

  • Full name
  • Email address
  • Phone number
  • Identity verification documents (KYC): passport, national ID
  • Payment information (processed via Stripe)
  • Residential address

Data collected automatically:

  • Blockchain wallet addresses (public addresses only — we never store private keys)
  • KYC verification data processed by Sumsub (identity documents, selfie, liveness check)
  • IP address and geolocation data
  • Browser type and version, operating system
  • Cookies and device identifiers

3. How We Use Data

We use collected data for the following purposes:

  • Creating and managing user accounts
  • Processing investments and payments
  • Conducting identity verification (KYC/AML)
  • Sending notifications about investments, payouts, and Platform changes
  • Improving Platform functionality and user experience
  • Fraud prevention and security
  • Legal compliance
  • Analytics and usage statistics

Legal bases for processing (GDPR Art. 6 and Art. 9):

  • Contract performance (Art. 6(1)(b)): account creation, investment processing, payment processing, and notifications about your investments.
  • Legal obligation (Art. 6(1)(c)): KYC/AML identity verification, regulatory reporting where legally applicable, and financial record retention under applicable law.
  • Legitimate interests (Art. 6(1)(f)): fraud prevention, platform security, analytics, and platform improvement — where such interests are not overridden by your fundamental rights.
  • Consent (Art. 6(1)(a)): marketing communications and non-essential analytics cookies, where you have provided explicit consent.
  • Special category data (Art. 9(2)(g)): biometric data processed for KYC verification (selfie, liveness check) — necessary for reasons of substantial public interest in preventing money laundering and terrorist financing (AMLD6, MiCA). You may be required to provide this data to use financial features.

4. Data Storage and Security

Personal data is stored on secure servers using modern encryption methods.

We implement technical and organizational security measures, including:

  • Data encryption in transit (TLS/SSL) and at rest
  • Restricted access to personal data
  • Regular security audits
  • Data backup

Data retention periods:

  • Account data — duration of account + 30 days after deletion request
  • Financial records (transactions, payments, tax reports) — 5 years minimum per AMLD6 requirements (and aligned with expected MiCA data retention standards)
  • KYC documents — 5 years after last transaction per EU AML directives
  • Session logs — 90 days
  • Analytics data — 26 months
  • Marketing consent records — indefinitely (GDPR audit trail)
  • Travel Rule transfer records (EU 2023/1113) — 5 years minimum; personal data is anonymized upon GDPR Art. 17 erasure request but the transfer record is retained under Art. 17(3)(b) legal obligation

Data Processing Locations

Your personal data is processed at the following locations:

  • EU/EEA — Primary processing and database storage
  • United States — Payment processing (Stripe), error monitoring (Sentry), email delivery (Resend), authentication (Google, Apple), protected by Standard Contractual Clauses (SCCs)
  • Finland — Hetzner dedicated production server for application hosting, files, database, and cache

All data transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) in accordance with Article 46(2)(c) GDPR. You may request copies of these safeguards by contacting our Data Protection Officer.

5. Third-Party Data Sharing

We may share your data with the following categories of third parties:

Stripe — payment processing. Stripe processes payment data in accordance with its own privacy policy and PCI DSS standards.

Sumsub — identity verification (KYC/AML). Document data, selfie images, and liveness check results are processed securely in accordance with GDPR and EU AML directives. Data is stored in Sumsub's EU-located servers.

Resend — transactional email delivery. Your email address is shared for notification delivery.

Sentry — error monitoring. Technical data may be shared for diagnostics and issue resolution.

Hetzner — dedicated self-hosted VPS for nginx static frontend, Telegram app, widget, docs, files, and API reverse proxy. Platform data is processed on the controlled production server, not on external app-hosting platforms.

Google — OAuth authentication and Firebase push notifications. Email address and profile data are shared for sign-in. Push notification tokens are shared for in-app alerts.

Apple — OAuth authentication. Email address and profile data may be shared for sign-in via Apple ID.

Self-hosted PostgreSQL and Redis — database and cache run on the dedicated Hetzner host, bound to host-local ports. No managed hosting or managed database provider processes Platform data.

NOWPayments — cryptocurrency payment processing (Bitcoin, Ethereum, USDT, and other digital assets). Wallet addresses and transaction amounts are securely processed in accordance with the Travel Rule (EU 2023/1113).

Voice processing is described separately in Section 12 (Voice Feature). We do not sell or share your personal data with third parties for marketing purposes.

6. Cookies

The Platform uses cookies to ensure proper functionality and improve user experience.

Essential cookies:

  • Authentication and session management
  • Language preference storage
  • Cookie consent preference storage

Analytics cookies:

  • Anonymous usage statistics collection
  • Performance analysis and error detection

You can manage cookies through your browser settings. Disabling essential cookies may limit Platform functionality.

7. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR) and other applicable legislation, you have the right to:

Right of access — request a copy of your personal data

Right to rectification — request correction of inaccurate data

Right to erasure — request deletion of your data ("right to be forgotten")

Right to restriction — restrict how your data is used

Right to portability — receive your data in a machine-readable format

Right to object — object to data processing for certain purposes

Right to lodge a complaint — lodge a complaint with the Italian Data Protection Authority: Garante per la Protezione dei Dati Personali (garanteprivacy.it), Piazza Venezia 11, 00187 Rome, Italy.

Right to contest automated decisions — (GDPR Art. 22(3)) contest any automated decision significantly affecting you and request human review

To exercise your rights, contact our Data Protection Officer at dpo@europa-tech.org. We will process your request within 30 days in accordance with GDPR Art. 12.

Supervisory authority for Italy: Garante per la Protezione dei Dati Personali — garanteprivacy.it

7b. Data Export (GDPR Article 20 — Right to Portability)

You have the right to request a complete export of your personal data in machine-readable formats.

Export Format Options:

  • JSON — Complete data export in JSON format (immediate download)
  • CSV — Comma-separated values for spreadsheet import (available April 2026)

What's Included in Export:

  • Account information (name, email, phone, address)
  • Identity verification data (KYC documents metadata, verification status)
  • Investment history and transaction records
  • Share ownership records and portfolio data
  • Payment information (card last 4 digits, payment dates)
  • Communication history and consent records

How to Request:

  1. Log in to your Cabinet account
  2. Navigate to Settings → Privacy → Export My Data
  3. Select desired format (JSON or CSV)
  4. Download immediately or receive via email

Limitations:

  • One export per 24 hours (rate limited per GDPR compliance)
  • Processing time: Instant for download, < 1 hour for email delivery
  • Data includes all personal information processed by the Platform

7b. Automated Decision-Making and Profiling

We use automated processing in the following limited contexts: (1) AML/KYC risk scoring — automated risk assessment is performed as part of mandatory identity verification required by EU AML Directives. This may result in temporary account limitations if a high-risk profile is detected. You have the right to request human review of any such decision (GDPR Art. 22(3)). (2) Transaction monitoring — automated alerts are generated based on transaction patterns for regulatory compliance purposes under applicable AMLD6 requirements and in preparation for potential future MiCA obligations.

These automated processes are subject to human oversight by our Compliance team. No fully automated decisions with significant legal effect are made without human review. To exercise your right to human review under GDPR Art. 22(3), use the dedicated form in your Account Settings (Settings → Request Manual Review) or contact dpo@europa-tech.org. We will process your request within 48 hours.

How to Contest an Automated Decision

  1. Log in and go to Settings → Privacy & GDPR
  2. Click "Contest a Decision" and describe the decision
  3. Our Compliance team will review and respond within 48 hours

8. Children's Data

The Platform is not intended for persons under 18 years of age. We do not knowingly collect data from minors. If you become aware that a minor has provided us with their data, please contact us for its removal.

9. Policy Changes

We may update this Policy. You will be notified of changes via email or Platform notifications.

Continued use of the Platform after the Policy is modified constitutes acceptance of the updated version.

10. Contact Information

For questions regarding personal data processing, please contact us:

Email: dpo@europa-tech.org

Website: europa-tech.org