I, Jonathan Haywood, am a registered “data controller” with the Isle of Man Information Commissioner (Registration Number R003578). The information on this page represents an overview of my Data Protection, Privacy, and Transparency Policy which is linked to here:
My data protection principles
While processing personal data I follow six key principles:
- Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Personal data shall be collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Personal data shall be accurate and kept up to date.
- Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Why do I collect your personal data?
- Access to your identity data, bank account details, and historic trading activity allows me to provide a rapid, automated service without the need to perform repeated additional checks.
- By proving your identity, bank account holdership, “liveness” (that you are who you say you are, and that you are present at the time of verification), and your intention to buy cryptoassets, you help to protect me from criminals who may manipulate victims or misuse bank accounts. By stating your source of cryptoasset funds (when selling cryptoassets to me), you protect me from the exchange of illicitly-sourced funds.
- British legislation requires cryptoasset service providers to collect, verify, and store customer data relating to their identity, their source of funds, their intended business relationship, and whether they have any ties to high-risk jurisdictions or to public officials.
What data do I collect and how do I collect it?
- From your identity document: Full name, nationality, place of birth, date of birth, and document expiry date.
- From your bank statement: Your address, your account number and sort code, and your recent transactional activity.
- From your video declaration (cryptoasset buyers): Your “liveness”, your intention to buy cryptoassets, your source of funds, and your intended use of the cryptoassets that you are buying from me.
- From your stated source of cryptoassets (cryptoasset sellers): Your source of (cryptoasset) funds that you are selling to me.
- From any external communications (where applicable): Your telephone number and/or email address.
- From intermediary trading platforms (e.g. LocalBitcoins, LocalCoinSwap, ZedZeroth.com etc.): Your platform username, IP geolocation (country only), and the country of your registered phone number (where applicable).
- From our trade history: Date/time of transactions, amount of fiat/cryptoassets transacted, and blockchain data (where applicable).
How do I use your data and who do I share it with?
- Trading procedures: Your name, identity document expiry date, account numbers and sort codes, contact details, and transactional history are used during each of our trades to ensure that your payment comes from a verified bank account, that you are trading within your limits, and that your identity documents on file are still valid.
- Risk assessments: In order to comply with legislation and to protect my business from exploitation by criminals, all of your data may be used to estimate the degree of “risk” that you present. Customers with an unacceptably high risk score may be declined business.
- Banking partners, regulators, and law enforcement: For higher-risk transactional activity I may be required to share your data with my banking partner (Enumis Ltd), my regulator (IOMFSA), or law enforcement bodies (such as IOMFIU or UK/IOM police).
Where do I store your data and for how long?
Your submitted identity documents, bank statements, and video declarations are moved to two devices (each backing up the other) that are:
- Stored in a secure location.
- Air-gapped (not connected to the internet).
- Encrypted with Linux Unified Key Setup (LUKS) Full Disk Encryption (FDE).
The only data stored on active devices is alphanumeric data required during trading procedures (see above). My active devices are also LUKS FDE encrypted and protected by multiple other security measures.
Legislation requires that I store your data throughout the time in which you are actively trading with me, and for a further five years after our final trade (should you cease trading with me).
Can you request access to your data, or its erasure?
I am required to be transparent as to what data I hold for you, with the exception of any information that may be connected to investigations into criminal activities. After our first transaction, legislation prohibits me from deleting any of your data for a five-year period. I am the Data Protection Officer of my business, and you can contact me at firstname.lastname@example.org regarding my use of your personal data.
Can you provide false data?
By providing me with your documents and personal data, you are also confirming that the information is true and accurate. Providing falsified or misleading information could be classed as an offence.