Last Modified: November 3, 2022
On May 25th 2022, as part of ShapeShift AG’s efforts to decentralize, ShapeShift Global Limited transferred the ownership and operation of all consumer ShapeShift software products to Fox Foundation, a nonprofit foundation formed in Lichtenstein with the purpose of transitioning operation of such platform and software to the ShapeShift community, which is a decentralized autonomous organization. For more information on these efforts, see this article. As a result of this transition, user data in connection with user accounts of the ShapeShift platform were transferred from ShapeShift Global Limited to Fox Foundation in order for our users to enjoy a seamless transition and to avoid any downtime of the platform or the deletion of their accounts, which is a legitimate interest of ShapeShift Global Limited. Please note, that if you have a user account on the ShapeShift platform you have a right to object to the transfer of your user account. If you wish to exercise your right to object to such transfer, you may do so by emailing email@example.com and requesting that the Fox Foundation delete your account and any associated personal data (subject to legal requirements) within 30 days of this notice. IF YOUR SHAPESHIFT ACCOUNT IS DELETED, YOU WILL LOSE ACCESS TO YOUR SHAPESHIFT NATIVE WALLET UNLESS YOU WROTE DOWN YOUR SEED PHRASE. Additionally, you will no longer be eligible for any benefits accrued in connection with a registered ShapeShift account, such as entry in promotions. For further details, see our terms of service. If your account has been deleted under your right to object, you may re-register for a new account at any time.
YOUR ACCEPTANCE OF THIS POLICY
By accessing or using the Services, are accepting all aspects of this policy. If we require additional or direct consent from you to further process your personal information, we will ask for your consent for the collection, use, or disclosure of your personal information. We may provide additional "just-in-time" disclosures or information about the data processing practices of specific Services. These notices may supplement or clarify our privacy practices or may provide you with additional choices about how we process your data. If you do not agree with or you are not comfortable with any aspect of this policy, you should immediately discontinue access or use of our Services.
HOW WE MAY CHANGE THIS POLICY
ShapeShift, in its sole discretion, may modify or update this policy at any time, so you should review this page periodically. If we update this policy, the “last modified” date will list the month when such update(s) were made. If we make any material changes to this policy, we notify our registered users via email and summarize those changes. Your continued use of our Services after any change to this policy is deemed your acceptance of such change(s).
WITH WHOM WE SHARE YOUR PERSONAL DATA
In connection with our Services, to protect our legitimate interests, to fulfill legal requirements, or to perform under agreements we enter into (including our Terms), we may be required to share your personal data with our affiliate ShapeShift US, Inc., with our business partners (described in more detail below), as well as with public authorities in connection with a facially valid official law enforcement request. Specifically, such sharing of data may be necessary to manage your registration (such as to verify your identity), to respond to your inquiries, to execute a transaction you request, to provide access to additional information, or to inform you about new Services or offers. Further, to the extent we are legally required by public authorities or courts, we will share your personal data with them or other third-parties. The data sharing may include transfers to companies or organizations in countries without an adequate standard of data protection. In these cases, we transfer personal data in accordance with applicable provisions on the international transfer of personal data, such as, where applicable, the respective provisions of the EU General Data Protection Regulation (“GDPR”). By accessing our Services, you expressly allow us to export data outside of the jurisdiction in which you reside or are located when you utilize the Services.
DATA WE COLLECT AND PROCESS IN ORDER TO MAKE THE SERVICES GENERALLY AVAILABLE
You can use some aspects of our Services, including our websites, and obtain information about our Services without telling us who you are, however, when accessing any website, a user makes a connection with a webserver, which automatically logs and stores certain technical data including: that user’s internet protocol address (“IP Address”), the operating system of that user’s device, the time the website was accessed, or the web browser used to access the site. Logging this data is required in order to make the Services available to you and other users and ensure the functionality of the Services. To the extent we, thereby, process such personal data, we do so based on our legitimate interest to bring you the best possible user experience and to safeguard the security and stability of our systems.
Similarly, our Services use Google Fonts (previously known as Google Web Fonts), a library of open-source font families that enhance your browsing experience, which are licensed by Google LLC (“Google”). To integrate Google Fonts into our websites, your browser establishes a connection to Google’s server and the IP Address of your device is transmitted to Google. Google logs records of font queries and protects this data from unauthorized access. Google analyzes aggregated data to optimize Google Fonts and identify which websites use Google Fonts. Further information on Google Fonts can be found here and information on how Google handles personal data can be found here.
We use Amazon Web Services (“AWS”) to host all of our websites. Thus, any data collected by us on any of our websites will be stored on AWS’s servers in the Republic of Ireland. Some of this data is either processed by us directly or transferred to and processed by one of our third-party partners, both of which are described in further detail in this policy. AWS provides a list of frequently asked questions about their data privacy practices here.
DATA WE COLLECT AND PROCESS TO PROVIDE SERVICES TO YOU, SPECIFICALLY
If you interact with registration, application, order, or inquiry forms on the Services (e.g. signing up for an account, namely in order to use our Services; application for becoming an affiliate of ShapeShift; or requesting support for the Services), we will collect and process the information that you provide to us providing the Services and information about the Services to you, including providing asset management dashboard services. This information may include your:
Any wallet you connect to our Services will provide us with such wallet’s: extended public keys, which are used to derive public digital wallet addresses (known as “xPubs”); transaction history; and digital asset balance. You can select the “forget my wallet” option at any time to disconnect your wallet (and xPubs) from our services. Some aspects of the Services may be inaccessible without a connected wallet.
The collection of words associated with a wallet, commonly known as “Seed Phrases” are extremely important because they provide a back-up method to access your wallet. ShapeShift does not have access to or store Seed Phrases of its users. We highly encourage you to write down all Seed Phrases upon the time they are issued to you in connection with a wallet, and thereafter store them in a secure location. SHAPESHIFT MAY NOT BE ABLE TO ASSIST YOU IF YOU CANNOT ACCESS YOUR WALLET DUE TO A FORGOTTEN/LOST PASSWORD OR SEED PHRASE.
If you use the Google single-sign-on option (“SSO”), which is denoted by the “Sign up with Google button”, Google will automatically provide us with your email address upon your successful sign-in with Google.
Where such processing of your personal data is not strictly necessary to perform our contractual obligations (such as in connection with providing financial services to you) or at your request, we will use this personal data based on our legitimate interest to: verify your identity; respond to your inquiry; process your registration, applications, or orders; develop, enhance, and improve the Services to bring you the best possible experience; or to safeguard the security and stability of the Services.
Based on our legitimate interest to bring you the best possible user experience, we collect and process certain data to analyze how our users use of the Services to gain insight on how we may improve our Services. This data may include information on the type of web browser or device you use to access the website, the geographical region where you access the website, the date and time of your access, and the parts of the website you access.
We also use “Cookies”, which are text files that are downloaded to your computer or mobile device when you visit a website to analyze the use of the website, to optimize our Services, and to enable the use of marketing tools. You can prevent the storage of Cookies on your device and the collection of data. By adjusting your web-browser’s settings accordingly. Note, however, that some functions of the Services may be limited or unavailable if you disable the storing of Cookies.
In connection with the above, we use the following third-party services to collect and analyze the data of our users:
DATA WE COLLECT AND PROCESS IN ORDER TO COMMUNICATE WITH YOU
If you provide us with your email address, either through our registration process, by inputting it in a field associated with a prompt about being added to our mailing list (e.g., “Let’s stay in touch” or similar language), or otherwise responding to an express request to contact you, we will, based on your consent, send you certain commercial information about ShapeShift generally, such as our email newsletter, updates on our Services or other products, blog posts, or other related communications. However, at any time you may opt-out of receiving these communications by utilizing the “unsubscribe” function in any email sent to you by us, or by contacting us here with the subject line “Unsubscribe”. ShapeShift does not engage in direct marketing.
In furtherance of the above, we use the following third-party services to communicate with our users:
For general information regarding your choices in relation to usage-based online advertising, see: http://www.youronlinechoices.com.
DATA WE COLLECT AND PROCESS DUE TO LEGAL OBLIGATIONS
In various jurisdictions we are required by law to verify the identity or locations of a user before allowing such user to access certain aspects of the Services, in particular when that user seeks to trade digital assets with us directly through the Services. This practice is known as “Know-Your-Customer” or “KYC” (any data collected in connection with KYC, such as name, address, phone number, date of birth, government identification number, or a copy of a government issued identification, is referred to as “KYC Data”) and accordingly any collection or processing of KYC Data is done in compliance with a legal obligation. Additionally, ShapeShift has a commitment to prevent fraud or other criminal activity on the Services, thus we may contact you directly to better understand information about transactions that you initiate on the Services. We use the following third-party services to process KYC Data consistent with these obligations:
We do not collect or require any KYC Data when you trade on a decentralized exchange (DEX) on our Services.
HOW WE PROCESS AND PROTECT YOUR PERSONAL DATA; HOW LONG WE STORE IT
We collect, process, and protect your personal data responsibly and in accordance with applicable laws and best practices. We apply adequate technical and organizational security measures, commensurate with the level of known risk, in order to protect the confidentiality and integrity of the personal data we collect when using the Services. Specifically, we store all of the personal data you provide to us in an encrypted fashion and only allow access to certain employees or contractors who are required to perform the purposes for which you provide the personal data to us or as set forth in this policy. For more information on our encryption and securities practices see this article.
We store your personal data only for as long as this is necessary: in the case of KYC Data, we are required by law to store this for 5 years; and for all other data, we retain this indefinitely to assist our provision and maintenance of our Services, however, subject to the prior sentence, you may request that we delete your account information by emailing us at the address below.
THE RIGHTS YOU HAVE REGARDING YOUR PERSONAL DATA
You have certain rights regarding the personal data that we collect and process about you. In particular, generally, you have the following rights:
If the GDPR applies to you (i.e., if you reside in the EU or are an EU data subject) and we collect or process your personal data to perform a contract with you (such as providing the Service) or based on your consent, you also have the right to receive a copy of your personal data for the purpose of transferring such data to a third-party.
Please note, however, that your rights are subject to exceptions or derogations. Specifically, we may need to further process and retain your personal data to perform a contract with you, to protect our legitimate interests (such as the establishment, exercise or defense of legal claims), or to comply with legal requirements. To the extent permitted by law, namely, to protect the rights and freedoms of others or to protect our own legitimate interests, we may therefore refuse to satisfy your request or we may satisfy your request with qualifications. Lastly, you have a right to submit a complaint with a competent supervisory authority.
WHO WE ARE AND HOW TO CONTACT US
ShapeShift is the controller in relation to the collection and processing of personal data through the Services. To inquire about our collection or processing of your personal data, or if you have any questions or concerns about this policy, you may contact us via email at firstname.lastname@example.org. For all correspondence, please include any necessary identifying information such as your name, return e-mail, and any other information relevant to your request. Failure to do so may prevent us from or cause a delay in providing a response. TechGDPR DPC GmbH serves as our data protection officer, and it can be contacted by email here.
- Erik Voorhees, ShapeShift CEO