Privacy Policy
Last updated: April 6, 2026
1. Introduction
This Privacy Policy (hereinafter referred to as the "Policy") describes how the EuropaTech investment platform (hereinafter referred to as the "Platform", "we", "us") collects, uses, stores, and protects users' personal data.
By using the Platform, you confirm your consent to the terms of this Policy. If you do not agree, please discontinue use of the Platform.
2. Data We Collect
Data you provide:
- Full name
- Email address
- Phone number
- Identity verification documents (KYC): passport, national ID
- Payment information (processed via Stripe)
- Residential address
Data collected automatically:
- Blockchain wallet addresses (public addresses only — we never store private keys)
- KYC verification data processed by Sumsub (identity documents, selfie, liveness check)
- IP address and geolocation data
- Browser type and version, operating system
- Cookies and device identifiers
3. How We Use Data
We use collected data for the following purposes:
- Creating and managing user accounts
- Processing investments and payments
- Conducting identity verification (KYC/AML)
- Sending notifications about investments, payouts, and Platform changes
- Improving Platform functionality and user experience
- Fraud prevention and security
- Legal compliance
- Analytics and usage statistics
Legal bases for processing (GDPR Art. 6 and Art. 9):
- Contract performance (Art. 6(1)(b)): account creation, investment processing, payment processing, and notifications about your investments.
- Legal obligation (Art. 6(1)(c)): KYC/AML identity verification, regulatory reporting where legally applicable, and financial record retention under applicable law.
- Legitimate interests (Art. 6(1)(f)): fraud prevention, platform security, analytics, and platform improvement — where such interests are not overridden by your fundamental rights.
- Consent (Art. 6(1)(a)): marketing communications and non-essential analytics cookies, where you have provided explicit consent.
- Special category data (Art. 9(2)(g)): biometric data processed for KYC verification (selfie, liveness check) — necessary for reasons of substantial public interest in preventing money laundering and terrorist financing (AMLD6, MiCA). You may be required to provide this data to use financial features.
4. Data Storage and Security
Personal data is stored on secure servers using modern encryption methods.
We implement technical and organizational security measures, including:
- Data encryption in transit (TLS/SSL) and at rest
- Restricted access to personal data
- Regular security audits
- Data backup
Data retention periods:
- Account data — duration of account + 30 days after deletion request
- Financial records (transactions, payments, tax reports) — 5 years minimum per AMLD6 requirements (and aligned with expected MiCA data retention standards)
- KYC documents — 5 years after last transaction per EU AML directives
- Session logs — 90 days
- Analytics data — 26 months
- Marketing consent records — indefinitely (GDPR audit trail)
- Travel Rule transfer records (EU 2023/1113) — 5 years minimum; personal data is anonymized upon GDPR Art. 17 erasure request but the transfer record is retained under Art. 17(3)(b) legal obligation
Data Processing Locations
Your personal data is processed at the following locations:
- EU/EEA — Primary processing and database storage
- United States — Payment processing (Stripe), error monitoring (Sentry), email delivery (Resend), authentication (Google, Apple), protected by Standard Contractual Clauses (SCCs)
- Finland — Hetzner dedicated production server for application hosting, files, database, and cache
All data transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) in accordance with Article 46(2)(c) GDPR. You may request copies of these safeguards by contacting our Data Protection Officer.
5. Third-Party Data Sharing
We may share your data with the following categories of third parties:
Stripe — payment processing. Stripe processes payment data in accordance with its own privacy policy and PCI DSS standards.
Sumsub — identity verification (KYC/AML). Document data, selfie images, and liveness check results are processed securely in accordance with GDPR and EU AML directives. Data is stored in Sumsub's EU-located servers.
Resend — transactional email delivery. Your email address is shared for notification delivery.
Sentry — error monitoring. Technical data may be shared for diagnostics and issue resolution.
Hetzner — dedicated self-hosted VPS for nginx static frontend, Telegram app, widget, docs, files, and API reverse proxy. Platform data is processed on the controlled production server, not on external app-hosting platforms.
Google — OAuth authentication and Firebase push notifications. Email address and profile data are shared for sign-in, and push notification tokens for in-app alerts.
Apple — OAuth authentication. Email address and profile data may be shared for sign-in via Apple ID.
Self-hosted PostgreSQL and Redis — database and cache run on the dedicated Hetzner host, bound to host-local ports. No managed hosting or managed database provider processes Platform data.
NOWPayments — cryptocurrency payment processing (Bitcoin, Ethereum, USDT, and other digital assets). Wallet addresses and transaction amounts are securely processed in accordance with the Travel Rule (EU 2023/1113).
Voice processing is described separately in Section 12 (Voice Feature). We do not sell or share your personal data with third parties for marketing purposes.
6. Cookies
The Platform uses cookies to ensure proper functionality and improve user experience.
Essential cookies:
- Authentication and session management
- Language preference storage
- Cookie consent preference storage
Analytics cookies:
- Anonymous usage statistics collection
- Performance analysis and error detection
You can manage cookies through your browser settings. Disabling essential cookies may limit Platform functionality.
7. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR) and other applicable legislation, you have the right to:
Right of access — request a copy of your personal data
Right to rectification — request correction of inaccurate data
Right to erasure — request deletion of your data ("right to be forgotten")
Right to restriction — restrict how your data is used
Right to portability — receive your data in a machine-readable format
Right to object — object to data processing for certain purposes
Right to lodge a complaint — lodge a complaint with the Italian Data Protection Authority: Garante per la Protezione dei Dati Personali (garanteprivacy.it), Piazza Venezia 11, 00187 Rome, Italy.
Right to contest automated decisions — contest any automated decision significantly affecting you and request human review (GDPR Art. 22(3))
To exercise your rights, contact our Data Protection Officer at dpo@europa-tech.org. We will process your request within 30 days in accordance with GDPR Art. 12.
Supervisory authority for Italy: Garante per la Protezione dei Dati Personali — garanteprivacy.it
7b. Data Export (GDPR Article 20 — Right to Portability)
You have the right to request a complete export of your personal data in machine-readable formats.
Export Format Options:
- JSON — Complete data export in JSON format (immediate download)
- CSV — Comma-separated values for spreadsheet import (available April 2026)
What's Included in Export:
- Account information (name, email, phone, address)
- Identity verification data (KYC documents metadata, verification status)
- Investment history and transaction records
- Share ownership records and portfolio data
- Payment information (card last 4 digits, payment dates)
- Communication history and consent records
How to Request:
- Log in to your Cabinet account
- Navigate to Settings → Privacy → Export My Data
- Select desired format (JSON or CSV)
- Download immediately or receive via email
Limitations:
- One export per 24 hours (rate limited per GDPR compliance)
- Processing time: Instant for download, < 1 hour for email delivery
- Data includes all personal information processed by the Platform
7b. Automated Decision-Making and Profiling
We use automated processing in the following limited contexts:
- AML/KYC risk scoring — automated risk assessment is performed as part of mandatory identity verification required by EU AML Directives. This may result in temporary account limitations if a high-risk profile is detected. You have the right to request human review of any such decision (GDPR Art. 22(3)).
- Transaction monitoring — automated alerts are generated based on transaction patterns for regulatory compliance purposes under applicable AMLD6 requirements and in preparation for potential future MiCA obligations.
These automated processes are subject to human oversight by our Compliance team. No fully automated decisions with significant legal effect are made without human review. To exercise your right to human review under GDPR Art. 22(3), use the dedicated form in your Account Settings (Settings → Request Manual Review) or contact dpo@europa-tech.org. We will process your request within 48 hours.
How to Contest an Automated Decision
- Log in and go to Settings → Privacy & GDPR
- Click "Contest a Decision" and describe the decision
- Our Compliance team will review and respond within 48 hours
8. Children's Data
The Platform is not intended for persons under 18 years of age. We do not knowingly collect data from minors. If you become aware that a minor has provided us with their data, please contact us for its removal.
9. Policy Changes
We may update this Policy. You will be notified of changes via email or Platform notifications.
Continued use of the Platform after the Policy is modified constitutes acceptance of the updated version.
10. Contact Information
For questions regarding personal data processing, please contact us:
Email: dpo@europa-tech.org
Website: europa-tech.org