
Privacy Policy

Effective date: 01 July 2025 • Last updated: 01 July 2025

Comanera Europe s.r.o. ("we", "us", "our") operates the DoCryptoX platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our services. We process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Slovak law.

1. Data Controller

Data Controller: Comanera Europe s.r.o.
Registration Address: Tvarozkova 5, Bratislava, Slovakia
Company ID: 44214090
Website: https://docryptox.com
Contact Email: privacy@docryptox.com

2. Legal Basis and Regulatory Compliance

2.1 GDPR Compliance

We fully comply with all requirements of the General Data Protection Regulation (GDPR) and respect your rights as a data subject. Our processing of personal data is based on legitimate legal grounds as specified in Article 6 of the GDPR.

2.2 MiCA Directive Compliance

We operate in full compliance with Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA), which establishes the comprehensive regulatory framework for crypto-asset services within the European Union. Our compliance encompasses all MiCA requirements for crypto-asset service providers, including authorization procedures, operational requirements, transparency obligations, and consumer protection measures.

2.3 DORA Compliance

In accordance with the Digital Operational Resilience Act (DORA), we maintain robust operational resilience frameworks, including comprehensive data protection measures, incident response procedures, and third-party risk management protocols to ensure the continuous and secure provision of our cryptocurrency exchange services.

2.4 Slovak Law Compliance

We operate in full compliance with Slovak national legislation, including Act No. 18/2018 Coll. on Personal Data Protection, Act No. 297/2008 Coll. on Prevention of Money Laundering and Terrorist Financing, all applicable Slovak financial services and cryptocurrency regulations, and Slovak National Bank (NBS) requirements and guidelines.

3. Information We Collect

3.1 Personal Information

Identity Information:

  • Full name
  • Date of birth
  • Nationality
  • Government-issued identification documents (passport, ID card, driver's license)
  • Photographs for identity verification
  • Biometric data (where legally required for identity verification)

Contact Information:

  • Email address
  • Phone number
  • Residential address
  • Mailing address (if different)

Financial Information:

  • Bank account details
  • Payment card information
  • Transaction history
  • Cryptocurrency wallet addresses
  • Source of funds documentation
  • Financial statements (where required for enhanced due diligence)

Technical Information:

  • IP address
  • Device identifiers
  • Browser type and version
  • Operating system
  • Login credentials (encrypted)
  • API keys and access tokens

3.2 Automatically Collected Information

We automatically collect certain information when you use our Platform:

  • Log data and access records
  • Cookies and similar technologies
  • Usage patterns and preferences
  • Device and browser characteristics
  • Location data (where consented to)

4. How We Use Your Information

4.1 Legal Basis for Processing

We process your personal data based on the following legal grounds under Article 6 of the GDPR:

Contractual Necessity (Article 6(1)(b)):

  • Account creation and management
  • Transaction processing and execution
  • Customer support services
  • Service delivery and platform functionality

Legal Obligation (Article 6(1)(c)):

We process personal data to comply with various legal obligations including Know Your Customer (KYC) verification, Anti-Money Laundering (AML) compliance, Counter-Terrorism Financing (CTF) requirements, tax reporting obligations, regulatory reporting and compliance, MiCA directive requirements for crypto-asset service providers including transaction monitoring and reporting, client asset safeguarding obligations, operational resilience requirements, and responses to court orders and legal requests.

Legitimate Interest (Article 6(1)(f)):

  • Fraud prevention and security monitoring
  • Platform improvement and analytics
  • Risk management and assessment
  • Marketing and communication (where opt-in consent obtained)
  • Business operations and administration

Consent (Article 6(1)(a)):

  • Marketing communications (where required)
  • Optional data processing activities
  • Cookies and tracking technologies (where legally required)

5. Data Security and Protection

5.1 Security Measures

Technical Safeguards:

  • End-to-end encryption for all data transmission
  • Advanced encryption standards (AES-256) for data at rest
  • Multi-factor authentication (MFA) requirements
  • Secure key management systems
  • Regular security audits and penetration testing
  • Real-time monitoring and threat detection
  • Secure cloud infrastructure with redundancy

Organizational Measures:

  • Access controls and role-based permissions
  • Employee training on data protection
  • Regular security awareness programs
  • Incident response procedures
  • Data minimization practices
  • Privacy by design principles

5.2 DORA Compliance Framework

In accordance with DORA requirements, we maintain:

  • Comprehensive ICT risk management framework
  • Incident reporting and response capabilities
  • Third-party risk management protocols
  • Operational resilience testing programs
  • Business continuity and disaster recovery plans

6. Data Sharing and Disclosure

6.1 Authorized Sharing

Service Providers:

  • Identity verification services
  • Payment processors
  • Cloud storage providers
  • IT security services
  • Analytics providers

(All service providers are bound by strict data protection agreements)

Regulatory Authorities:

We may share your personal data with various regulatory authorities as required by law, including the Slovak National Bank (NBS) as our competent authority under MiCA for crypto-asset service provider supervision, Financial Intelligence Units for anti-money laundering reporting, tax authorities for compliance with fiscal obligations, law enforcement agencies for criminal investigations, the European Banking Authority (EBA) in its capacity as MiCA supervisory authority for significant crypto-asset service providers, the European Securities and Markets Authority (ESMA) for market conduct supervision under MiCA, and other competent supervisory authorities as designated under European Union financial services regulations.

Legal Requirements:

  • Court orders and subpoenas
  • Regulatory investigations
  • Anti-money laundering reporting
  • Tax reporting obligations
  • National security requirements

6.2 International Transfers

When transferring data outside the European Economic Area (EEA), we ensure adequate protection through:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Certification schemes
  • Codes of conduct

7. Data Retention

7.1 Retention Periods

We retain personal data in accordance with legal requirements and regulatory obligations:

  • Identity and KYC data: 5 years after account closure as required by AML regulations and MiCA record-keeping provisions
  • Transaction records: 5 years after transaction completion to comply with MiCA transparency and audit requirements
  • Communication records: 3 years after last communication in accordance with MiCA consumer protection provisions
  • Marketing data: Until consent is withdrawn by the data subject
  • Security logs: 1 year unless required for ongoing investigations or regulatory inquiries
  • Legal documents: As required by applicable law, including MiCA supervision requirements

7.2 Disposal

After retention periods expire, we securely delete or anonymize personal data using industry-standard methods.

8. Your Rights Under GDPR

As a data subject, you have the following rights:

8.1 Right of Access (Article 15)

You can request confirmation of data processing and access to your personal data.

8.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure (Article 17)

You can request deletion of personal data, subject to legal retention requirements.

8.4 Right to Restrict Processing (Article 18)

You can request limitation of data processing in certain circumstances.

8.5 Right to Data Portability (Article 20)

You can request transfer of your data in a structured, machine-readable format.

8.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing.

8.7 Rights Related to Automated Decision-Making (Article 22)

You have rights regarding automated decision-making and profiling.

8.8 Right to Lodge a Complaint

You can file a complaint with the Slovak Data Protection Authority or your local supervisory authority.

To exercise your rights, contact us at: privacy@docryptox.com

9. Cookies and Tracking Technologies

9.1 Cookie Policy

We use cookies and similar technologies for:

  • Essential platform functionality
  • Security and fraud prevention
  • Analytics and performance monitoring
  • User experience personalization
  • Marketing and advertising (with consent)

9.2 Cookie Management

You can manage cookie preferences through your browser settings or our cookie consent management tool.

10. Marketing and Communications

10.1 Consent-Based Marketing

We only send marketing communications with your explicit consent, which you can withdraw at any time.

10.2 Opt-Out Mechanisms

All marketing communications include easy unsubscribe options.

11. Minors and Data Protection

We do not knowingly collect personal data from individuals under 18 years of age. If we discover such collection, we will immediately delete the data and terminate any associated accounts.

12. Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.

13. Third-Party Links

Our Platform may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to review their privacy policies.

14. Updates to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated through:

  • Email notification to registered users
  • Prominent notice on our Platform
  • Updated "Last Modified" date

Continued use of our services after updates constitutes acceptance of the revised policy.

15. Contact Information

15.1 Data Controller Contact

Comanera Europe s.r.o.
Licensed Virtual Asset Service Provider (VASP) under Slovak Law
Tvarozkova 5
Bratislava, Slovakia
Email: privacy@docryptox.com
Phone: +421257201717

15.2 Supervisory Authority

Slovak Data Protection Authority
Hraničná 12
820 07 Bratislava
Slovak Republic
Website: https://dataprotection.gov.sk/

16. Compliance Certifications

We maintain comprehensive compliance with multiple regulatory frameworks and industry standards. Our information security management follows ISO 27001 standards, while our security and availability controls meet SOC 2 Type II requirements. Payment card data security compliance is ensured through PCI DSS certification. We hold a valid Virtual Asset Service Provider (VASP) license under Slovak law, which authorizes our cryptocurrency exchange operations and ensures compliance with national virtual asset service requirements.

17. Effective Date and Acceptance

This Privacy Policy is effective as of 01 July 2025. By using our Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

Last Updated: 01 July 2025 • Version: 1.0