Privacy Notice to the 3C Services
This Privacy Notice is effective as of 26 March 2025.
1. INTRODUCTION
This Privacy Notice (hereinafter “Notice”) explains how your personal data is processed by two independent data Controllers.
3Commas Technologies OÜ (hereinafter “3C Tech”) provides technical tools and functionality in relation to managing cryptocurrency holdings (hereinafter “3C Services”), through the application program interface(s) (hereinafter “3C Software”); and
J2TX Ltd (hereinafter “J2TX”), the Crypto Asset Services Provider registered with the Cyprus Securities and Exchange Commission (CySEC) under the registration number 006/2, providing its clients the 3C Services.
3C Tech and the J2TX are hereinafter jointly referred to as the Controllers and separately as 3C Tech Controller and J2TX Controller or partner, respectively.
Controllers are subject to the provisions of the General Data Protection Regulation (EU) 2016/679 ('GDPR'), and to the applicable data protection laws of the countries they are registered.
The Controllers are committed to ensuring the security and confidentiality of your information and maintaining transparency about how it is processed.
This Notice outlines the following key areas:
- the categories of personal data that are collected and processed by the Controllers;
- the legal basis for the processing of your personal data;
- the recipients or categories of recipients of your personal data;
- the principles relating to the processing of your personal data;
- your rights under applicable legislation and an explanation of how those rights can be exercised.
By using 3C Services, you acknowledge and agree to the practices described in this Notice. In case you disclose any personal data regarding any third person(s) (e.g., your employee, management board member, co-worker, etc.) to us, you are obligated to refer them to this Notice.
2. DEFINITIONS
For the purposes of this Notice, the following definitions shall apply. These are consistent and in accordance with the General Data Protection Regulation (EU) 2016/679.
• (1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• (2) 'processing' means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• (3) 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
• (4) 'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
•(5) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3. JOINT CONTROLLERS
3Commas Technologies OÜ, a limited company established and existing under the laws of Estonia, registry code 14125515, registered office at Laeva tn 2, Tallinn 10111, Estonia (hereinafter “3C Tech Controller”).
If you have any questions or concerns relating to the processing of your personal data by the 3C Tech Controller, you can contact the Data Protection Officer by email at: [email protected] or by registered post to: Laeva tn 2, Tallinn 10111, Estonia.
J2TX Ltd is a regulated Crypto Asset Services Provider (CASP), registered in Cyprus under registration number HE 422703 and registered with the Cyprus Securities and Exchange Commission ('CySEC') under the registration number 006/22 (hereinafter “J2TX Controller”). The registered office address is at Spyrou Kyprianou, 78, 4A Magnum Business Center, 3076, Limassol, Cyprus.
If you have any questions or concerns relating to the processing of your personal data by the Company, you can contact our Data Protection Officer by email at: [email protected] or by registered post to: Spyrou Kyprianou, 78, 4A Magnum Business Center, 3076, Limassol, Cyprus.
4. CATEGORIES AND SOURCES OF PERSONAL DATA
3C Tech Controller may obtain and process the following categories of your personal data:
Categories of personal data | Examples |
|---|---|
Main Data | For providing our 3C Software to you or the legal entity you represent via partner website or app we may process the following personal data: |
Billing Data | For providing our 3C Software and processing payments, we may process the following personal data. |
Transaction Data | For providing our 3C Software and executing transactions sent via partner website or app, we may process the following personal data: |
Communication Data | If you communicate with us through our Website, App or other communication channels (e.g., by email or our official social media) concerning your usage of 3C Software via partner website or app, we may process the following personal data depending on the channel you communicate with us: |
Marketing Data | For marketing purposes, we may process the following personal data: |
Technical Data | When you use the 3C Software via a partner website or app, we may also collect data about the device you are using and automatically log standard data provided by your web browser or device, which may include your personal data: |
Usage Data | When you use the 3C Software via a partner website or app, we may process the following data, which may include your personal data: |
J2TX Controller obtains and processes the following categories of your personal data:
Contact information | Full name, home address/business address, contact details (telephone, fax, email); |
Documentary data | The details/data, to identify who the Client is, that are reflected in different documents or copies of the provided documents: date and place of birth, passport/ ID number/DL number (any other data from the identification document), tax residency, tax identification number, bank account details, card details. |
Socio-demographic | The employment status, the industry of employment, the employer name, education details, CV, work history, citizenship, nationality, including occupation and information on whether you hold/held a prominent public function (for PEPs); |
Behavioural and usage data | The details about how you use the product and/or services offered by the Company and other Company's counterparties; |
Technical data | Information regarding the date, time, and activity in the Services; IP address and domain name; general geographic location (e.g., city, country) from User’s device. |
Communications | The information received from you through letters and emails and conversations, including recorded calls; |
Contractual | The details about the products and/or services you use; |
Transactional | The details about your payments data; your bank account(s) details, the card details, the e-wallet details; |
Special types of data | The criminal records of convictions and offenses to exclude the possible match (predicate offenses, involvement in money laundering, sanctioned person); |
Open data and public records | The details about you that are in the public records or the information that is openly available on the internet. Your Information collected from public sources (e.g. the Department of Registrar of Companies and Official Receiver, the press, the internet) as well as from risk management suites such as the World-Check database: (i) sanction or watch lists; (ii) law enforcement, court, regulatory or other government websites; (iii) political websites and publications such as parliamentary, local government or individual politician websites; (iv) reputable news media and publications; and (v) information sources made public by an individual themselves, for example on their website, blog or any social media application; |
For more information, please refer to the Privacy Policy of J2TX Ltd.
5. PURPOSES OF PROCESSING AND LEGAL BASES
As a Controller, 3C Tech processes your personal data lawfully and transparently, including only where is a legal basis for doing so. The legal basis for processing your personal data depends on the objective and context in which we collect personal data. The following depicts a descriptive list of processing purposes that are linked to the specific data categories and legal bases for processing:
Processing purpose | Legal basis |
Handling pre-contractual communications | Consent |
The processing of your personal data is necessary for the provision of 3C Services. In order to be able to render services to you and administer our relationship, we need to collect and process certain personal data and information | Performing the contract and managing contractual relationship |
Communications: inquiries and requests submitted e.g., via the Website, App, social media platforms, sign-up forms, e-mail | If the communication is necessary to fulfill a contract with you (e.g., order confirmation, delivery updates, service support); |
Utilizing Artificial Intelligence technologies for the provision of services | Consent |
Providing notifications by your chosen channel (e.g., App, e-mail, Telegram Bot) | If the communication is necessary to fulfill a contract with you (e.g., order confirmation, delivery updates, service support); |
Carrying out marketing on social media platforms | Consent |
Carrying out promotions and marketing competitions | If the communication is necessary to fulfill a contract with you (e.g., order confirmation, delivery updates, service support); |
The processing of your personal data is necessary for the purposes of the legitimate interests pursued by the 3C Tech, where those interests do not infringe your interests, fundamental rights and freedoms. These legitimate interests, inter alia, include business or commercial interests and examples of relevant processing activities include: | For the purposes of the legitimate interests pursued by the 3C Tech |
The processing of your personal data is necessary for compliance with the legal obligations emanating from anti-money laundering legislation | For compliance with a legal obligation |
Disclosure or the transfer of data to our service providers | Performing the contract and managing contractual relationship; or |
3C Tech may process your personal data to contact you, primarily by email, in order to provide you with information that may be of interest to you about products or services offered by the 3C Tech or third parties. Please note that in accordance with the applicable law, the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest pursued by the 3C Tech.
However, if you do not wish to receive marketing communications from 3C Tech, you can opt-out at any time by contacting the Data Protection Officer email at [email protected]. After you unsubscribe, 3C Tech will not send you further promotional emails, but we will continue to contact you to the extent necessary for the purposes of any services you have requested.
We may process your personal data for other purposes, provided that we disclose the purposes and use to you at the relevant time and that you either consent to the proposed use of the personal data, other legal grounds exist for the new processing purposes, or the new purpose is compatible with the original purpose brought out above.
For more information regarding the processing of your personal data, please refer to the Privacy Policy of J2TX Ltd.
6. RECIPIENTS OF PERSONAL DATA AND DATA TRANSFERS
3C Tech Controller may disclose your personal data to third parties, who process your personal data for their own purposes, and processors, who process your personal data on our behalf to help us provide the Website, App and Software.
These data recipients belong to the following categories:
Category | Purpose of disclosure |
|---|---|
Public sector authorities, supervisory and law enforcement authorities | To fulfil our statutory obligation, a court order, to establish, exercise or defend our legal rights or in other cases where this is necessary to prevent and deter unlawful acts. |
Professional advisors | To ensure our proper economic activity and to establish, exercise or defend our legal rights. For example: auditors, legal advisors. |
Third-parties Service providers | To help us in providing the services, including our Website, App and overall Software, to you. |
As 3C Tech Controller operates globally, the personal data that we receive/collect may be processed in a country other than yours and we may transfer your data to and store it in countries outside of the EEA, which do not offer an equivalent level of protection. In such cases we use safeguards to ensure that a level of protection of personal data comparable to that applicable in the EEA is applied to your personal data.
J2TX Controller, in the course of the performance of our contractual and statutory obligations and for legitimate business purposes, your personal data may be disclosed to:
Category | Purpose of disclosure |
|---|---|
Relevant authorities | Supervisory and other regulatory and public authorities, upon request or where required. Some examples are the Cyprus Securities and Exchange Commission, the Unit for Combating Money Laundering (MOKAS), criminal prosecution authorities. |
Professional advisors | Auditors, lawyers, consultants and other outside professional advisors of the Company, subject to confidentiality agreements. |
Third party processors | Third party processors and controllers such as payment services providers, companies who assist us with the effective provision of our services to you by offering technological expertise, solutions and support, file storage and records management companies. |
For more information regarding the processing of your personal data, please refer to the Privacy Policy of J2TX Ltd.
7. SECURITY OF YOUR PERSONAL DATA
3C Tech Controller takes reasonable technical and organisational security measures designed to protect your personal data against accidental or unlawful destruction, loss or alteration, unauthorised disclosure, abuse or other processing in violation of applicable law. These measures vary based on the sensitivity of the personal data we process and the current state of technology.
However, please be advised that no security measure can be 100% effective, and we cannot guarantee the security of your data, including against unauthorised acts, access, hacking or data breaches by third parties.
We also encourage you to take measures to ensure the safety of your personal data, including protecting your account. In particular, we strongly recommend you to enable two-factor authentication for your account and keep your password, API key and API secret confidential and stored in a secure location. In addition, we advise you to make sure of your device security and avoid using public unencrypted internet connection spots.
8. PERSONAL DATA RETENTION PERIODS
J2TX Controller will keep your personal data for the duration of our business relationship and for five (5) years after the termination of our business relationship, unless otherwise requested by a competent authority, in line with the provisions of the applicable European and Cyprus legislation on the prevention of the use of the financial system for the purposes of preventing money laundering or terrorist financing. J2TX Controller may keep your data for longer if we cannot delete it for legal or regulatory reasons. In particular, the retention of data is not limited in time in the case of pending legal proceedings or an investigation initiated by a public authority, provided that in each case J2TX has been informed of the pending legal proceedings or the investigation initiated by a public authority within the retention period described hereinabove.
3C Tech Controller retains your personal data for the duration necessary to fulfil the objectives outlined in Section 6 of this Notice or for as long as we have a legal obligation to do so.
9. AUTOMATED DECISION MAKING
3C Tech Controller incorporates Artificial Intelligence technologies such as the Generative Pre-training Transformer technology (“GPT”) into our services, including but not limited to our FAQ Chatbot. While we do not actively process your personal data within these services, any personal data you input may be subject to automated decision-making. This activity will not result in any legal consequences for you. 3C Tech prioritises the protection of your personal data and take all necessary precautions to ensure its security. Should you believe that your personal data has been processed in this regard, you may reach out to us for further actions regarding your data protection rights at [email protected] . For more detailed information about this use case, please also contact us at the aforementioned email address.
10. YOUR RIGHTS AS A DATA SUBJECT
You may, at any time, exercise the following rights with respect to processing of your data:
- Right to access: you have the right to request access, including receive a copy, of your personal data. This includes the right to be informed on whether we process your personal data, what personal data categories are being processed by us, and the purpose of the data processing;
- Right to rectification: you have the right to request that we correct any of your personal data if you believe that we are processing incorrect, inaccurate or incomplete personal data;
- Right to object: you are entitled to object to certain processing of your personal data, for example when we process your personal data based on our legitimate interest or for direct marketing purposes;
- Right to restriction: you have the right to request that we restrict the processing of your personal data, for example if you wish to dispute the accuracy of certain personal data we are processing or if we no longer need the personal data for the purposes of the processing, but you require the personal data to establish, exercise or defend legal claims;
- Right to erasure: you have the right to request that we erase your personal data for example if the personal data is no longer necessary for the purposes for which it was collected or if you consider that the processing is unlawful.
Note: You can initiate the deletion procedure of your Software’s Client Account in the App’s settings. Please note that an extended authentication procedure may be required before we proceed with the account deletion.
- Right to data portability: you have the right to receive your personal data in a structured, commonly used and machine-readable format if the processing is carried out by automated means and is based on your consent or a mutual contractual relationship. Moreover, you may request that the personal data is transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible.
- Right to withdraw your consent: in cases where the processing is based on your consent, you have the right to withdraw your consent to such processing at any time.
Note: To stop receiving our direct marketing messages, either reach out to us directly or click the ‘unsubscribe’ link provided in the message. Using this link will remove you from future messages of that type. For preferences regarding all categories of direct marketing, visit the Account Settings page. Please note however that essential service emails like password resets, billing information, or updates to our terms, will continue unless you deactivate your account.
- Right not to be subject to a decision based solely on automated processing, including profiling: Our use of automated decision-making is limited, and should not result in any legal impact to you. You may read more about our use of automated decision-making in Section 9.
- Right to lodge a complaint regarding the processing of your personal data by us.
To exercise the data subject’s rights, please contact 3C Tech Controller and/or as specified in Section 2 of this Notice. Please note that you should supply us with adequate information for us to respond to your requests concerning your rights. Prior to answering your request, we may ask you to provide additional information for the purposes of authenticating you and evaluating your request (e.g., if you seek to exercise the rights on behalf of someone else as a legal representative).
3C Tech Controller will respond to your request within one month of receiving it. If necessary, due to the complexity and number of the requests, this period may be extended by up to two additional months. We will inform you of any such extension within one month of receiving your request, along with the reasons for the delay.
11. OTHER JURISDICTIONS
3C Tech Controller may also have certain additional rights regarding your personal data under other data protection and privacy laws. Please contact us at [email protected] about your specific situation for more information.
Your personal data may be transferred to third countries (i.e. countries outside the European Economic Area), to recipients mentioned in the Section 5, in connection with the purposes set out in this Notice. We may transfer your personal data to countries that may have different laws and data protection compliance requirements; however, processors in third countries are obliged to comply with the European data protection standards when processing your personal data.
12. LINKS TO OTHER WEBSITES, APPS OR SERVICES
3C Tech Controller’ Website and App may link to external sites that are not operated by us, or offer access to apps and services not under our operation or control. However, once you have used these links to leave our website, you should note that we do not have any control over that other website. Therefore, 3C Tech cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question. To find out more about how such third parties process your personal data, please refer to the respective privacy notices on the other websites you visit or apps and services you use.
13. CHANGES TO THIS NOTICE
At any time, the 3C Tech may amend this Notice. You might be notified about material changes, however, you are encouraged to review this Notice periodically, so as to be always informed about how 3C Tech processes and protects your personal data.
