Bitfirst Capital Privacy Policy

"Data Protection Law" shall mean any data protection, data security or privacy law applicable to the Company, including, without limitation, the (Indian) Information Technology Act, 2000 including the rules and regulations notified pursuant to it and any applicable laws governing Personal Data, Sensitive Personal Data or information from outbound telephone calls, transmission of electronic mail, transmission of facsimile messages and any other communication-related data protection, data security or privacy laws.

"Personal Data" shall mean any personally identifiable information relating to an identified or identifiable individual, including data that identifies an individual or that could be used to identify, locate, track, or contact an individual. Personal Data includes both directly identifiable information, such as name, identification number or unique job title, and indirectly identifiable information such as date of birth, unique mobile or wearable device identifier, information that could be used to identify a household, telephone number, key-coded data or online identifiers, such as IP addresses, and includes any data that constitutes "personal data" or similar terms under applicable Data Protection Law.

"Sensitive Personal Data or Information" with respect to a person shall mean such personal information which consists of information relating to: (i) biometric information; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) medical records and history; (iv) password; (v) physical, physiological and mental health condition; and (vi) sexual orientation (vii) any detail relating to the above clauses as provided to us for providing the Services; and (viii) any of the information received under above clauses by us for processing, stored or processed under lawful contract or otherwise.

Our processing of your Personal Data will be based on one of the following reasons, depending on the purpose of our processing activity:

• It is necessary for the legitimate interests of our Company, without unduly affecting your interests or fundamental rights and freedoms, to provide you with communications related to our Services, promotions, offers and events. You have a right to opt-out of receiving marketing messages by clicking on the unsubscribe link in the bottom of our marketing emails;
• It is necessary for taking steps to enter into or executing an agreement with you for the Services you request, or for carrying out our obligations under such an agreement;
• It is essential for us to meet our legal or regulatory responsibilities both within and outside of the European Union; or
• It is processed with your explicit and free consent which we obtain from you from time to time.

We ensure that your Personal Data is processed lawfully, fairly and in a transparent manner and is collected for specified, explicit and legitimate purposes shared with you. Any information you provide to us is voluntary. You are free to choose whether to provide us with the types of Personal Data requested, but we may not be able to serve you as effectively or offer you all or any of our Services when you do choose not to share certain information with us.

We may collect, store, use, disclose and process the following data about you:

Information You Give Us

You may be required to give us your Personal Data (including any Sensitive Personal Data) while creating a User Account, or during your continued use of our Online Platforms. You hereby agree to provide us with accurate information, and ensure that you update them, as and where a need for the same arises. We receive the following information directly from you, thereby enabling you to make use of our Online Platforms:

• Identification Details – name, date of birth, nationality, gender, photograph, etc. which are used for the purposes of registering your valid profile with the Online Platforms.
• National Identifiers – Any government issued identity card details, is used for the purposes of mapping your identity with the profile so created and registered with, by you.
• Correspondence Details – e-mail address, phone number, postal address, etc., which are used for the purposes of communicating with you, resolving your queries and provisioning of other support services. In case you participate in our surveys or contests, you may also provide us with additional information of your own accord. This also includes the content of any correspondence sent by you.
• Financial Data – bank account details, permanent account number, credit or debit card number, transaction history, credit history, trading data, UPI, tax identification details, your status on any sanctions lists / blacklists / defaulter lists maintained by public authorities or authorised bureaus, Digital Assets information including but not limited to any wallet address or details, which are used for the purposes of enabling and effecting transactions on the Online Platforms.
• Location Data – we may seek your location data for providing certain Services or in order to enable you to access certain features of the Online Platforms or in the event we suspect any fraudulent transactions.
• Transaction Information – Information about the transactions by using the Online Platforms, such as the name of the recipient, internal and external digital currency and wallet/account addresses, your name, the amount, and/or time-stamps.
• Employment or Business Information – office location, job title, and/or description of Business, role, etc. If you are not a natural person, this would extend to your constitutional documents, shareholding and beneficial holding details, company master data, and any other substantive proof you may submit to us as part of our KYC and verification processes.
• Any other information which you may provide to us when you leave us a message, during customer support conversations, surveys, or for assistance in case of matters related to law enforcement, investigations.

Information We Collect About You

We may also collect certain personal identifiers from you automatically, during your association with us:

• Technical information: IMEI or equipment identification numbers, IMSI or subscriber identification, UUID, MAC address, OS version, device details, network operator, Wi-fi/data network connectivity, etc. Internet protocol (IP) address, your login information, browser details, time zone setting, browser plug-in types and versions, operating system and platform and other similar information.
• Access to your apps and services including messaging through SMS, storage data, device details, camera access, location, microphone, notifications, photos and videos, phone contacts, etc., to the extent permitted through your device settings.
• Information about your visit: Uniform Resource Locators (URL) clickstream with timestamp; transactions and trades executed or attempted to be executed by you; viewed and searched items; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
• Information relating to fund transfer requests executed by you while accessing Services through our Online Platforms. In such transactions, we may collect information relating to such transactions provided by you or by a selected third party.
• Metadata is usually technical data associated with the content you submit, post or share on the Online Platforms. Users can add or may automatically have metadata added to their content including geolocation, date, attribution, or other data.
• Our Online Platforms use cookies and tracking technology (including pixels) depending on the features offered. This allows us to improve the Online Platforms and our Services. Third parties may also use such cookies and tracking technology if you interact with any content provided by them through our Online Platforms, however we endeavour to identify these cookies before they are used and afford the choice for you to accept or deny them.

The information discussed here is processed for the purposes of ensuring that the Services brought to you are in order and enable us to continuously monitor and update our Online Platforms and Services.

Information We Receive from Third Parties

We may receive information about you from third parties if you have volunteered/ consented for such information to be shared with us or where it may be permitted under Applicable Laws. This includes, without limitation, information from public databases, credit bureaus, KYC verification partners, resellers and channel partners, joint marketing partners, and social media platforms. We may combine and process such data internally towards our Services. We also work closely with select third parties (including, for example, subcontractors and service providers such as advertising networks, analytics providers, search information providers, online intermediaries and exchanges, Digital Assets market participants, wallet and other Digital Asset service providers, infrastructural services, including cloud service providers) and may receive information about you from such sources. We may also collect and receive information in an aggregated form from different browser types for analysis.

If applicable and in order to automate input Transaction ID/ Reference/UTR number linked with Your deposit to the Company, we will need access to your SMSs, for our systems to be able to read and proceed with auto-input instead of the same being manually entered by You. Your explicit consent to read Your SMSs in order to extract the Transaction Id/ Reference/UTR number(s) will be sought (unless such a permission is provided by default via your device settings). Please be advised that our systems are restricted to read only transactional SMS with the keyword -partner entity name. In the event, you decide to proceed manually with inputting Transaction Id/ Reference/ UTR number as you proceed with the money transfer in your wallet, you accept the responsibility for any manual error that may result in the failure of transferred money not reflecting in your digital wallets. Your SMS data will not be uploaded, published, or shared with any remote server, external ad agency, or third party or be uploaded to our systems, or servers.

By providing consent under this Policy, you grant us the permission to collect, use, copy, transmit, process, disclose, store and back-up your Personal Data and/or Sensitive Personal Data for purposes of the Services and/or for any other purpose mentioned below. We shall not be responsible for the authenticity of the personal identification information, Personal Data, Sensitive Personal Data or any other information supplied by you to us or any other person acting on our behalf. We use your information:

• to create and register your User Account with us, and maintain your records and profile details, and authenticate such information;
• to administer the Platform and the Services;
• to inform you of promotions, offers, surveys, events, products and services, which may be of interest to you and to otherwise correspond with you in relation to the Services;
• to facilitate and provide the services offered through the Online Platforms;
• to carry out our obligations arising from any contracts entered into between the Company and you;
• to enhance our Services and to ensure the security of our Online Platforms;
• to personalize content/Services offered to you;
• to conduct internal research on our user demographics, interests, and behaviour to better understand, protect and serve our Users;
• to facilitate transactions related to Digital Assets;
• to provide you, or permit selected third parties to provide you, services;
• for KYC verification of tax identification details and other identification documents provided by you. We may seek you to validate such information by way of a one-time password (OTP), or by having a third-party service provider to authenticate and validate such information, only with your consent hereunder;
• for marketing, market research, and User profiling;
• to deal with enquiries and complaints;
• to perform such other activities that we may be expressly authorised or required to perform under Applicable Laws;
• to prevent and identify suspicious /other illegal transactions in order to mitigate risks relating to money laundering and other illegal activities, enforce our legal rights, and discharge any other duties and obligations under the applicable laws; and
• any other purpose for which we may seek your consent

We may transfer your Personal Data if we are acquired by or merged with another company or if our business / assets are sold to another company. In such an event, we will notify you about the transfer. If your Personal Data becomes subject to a different privacy policy, then we (or such transferee entity) would be required to take your prior consent.

You hereby grant us the consent to disclose and share the information collected from you, with such other third parties, when you have submitted such information to us directly, or where such information is received by us from a third party, based on your consent. We share your information with other third parties who provide us with services, which are essential for us to provide you with our Services.

We may disclose your information to any member of our group of companies and affiliates and business partners and a variety of third-party service providers and agents insofar as reasonably necessary for the purposes, and on the legal bases, set out in this Policy. For example, we may disclose data to obtain useful analytics, provide in-app support to mobile app users, improve the functionalities of the Services, etc.

We may share aggregated data (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling, marketing and advertising, and other business purposes.

Additionally, we may be required to disclose your Personal Data in the following cases:

• Where we are authorised or obligated to or we believe it is reasonably necessary to do so under any Applicable Laws, or for responding to orders, requests, direction, processes of law enforcement agencies, judiciary, governmental authorities, regulators, banks and financial institutions, and persons/authorities tasked to investigate (suspected) illegal activities;
• Where we are in the process of detecting and preventing and addressing potential or actual occurrence of identity theft, fraud, money laundering, abuse of Services, security or technical issues, and other illegal acts;
• Responding to claims that an advertisement, posting or other content violates the intellectual property rights of a third party;
• in order to enforce or apply our Terms and other agreements;
• where we believe it is reasonably necessary to do so in order to protect your vital interests or the vital interests of another person, to protect the safety or integrity of the Platform and the Services, to explain why we have removed content or accounts from the Services, or to protect the rights, property, or safety of the Company, our customers, or others. This includes exchanging information with third parties for the purposes of fraud protection and KYC verification and background checks.

By agreeing to this Policy, you provide your consent for the above disclosures.

Subject to applicable laws, to facilitate our operations, your Personal Data may be transferred to and stored in locations outside of India ("Alternate Country") by us or our Affiliates/partners located in foreign jurisdictions. We will do this only when the transfer is lawful, and only when the same is required for us to meet our contractual and statutory obligations including in order to provide Services to you. For completeness, the Personal Data which may be transferred outside is such information which may be sent to foreign jurisdictions as per the Applicable Laws. You hereby confirm that you have noted the aforementioned provisions and accordingly consent to the same.

When we transfer your Personal Data from India to the Alternate Country, we will comply with our legal and regulatory obligations in relation to your Personal Data, including having a lawful basis for transferring Personal Data and putting appropriate safeguards in place to ensure an adequate level of protection for the Personal Data. We will also ensure that the recipient in Alternate Country is obliged to protect your Personal Data at a standard of protection comparable to the protection under Applicable Laws.

We have in place commercially reasonable technical and security measures to prevent unlawful access to or accidental loss of Personal Data collected including those prescribed under applicable laws. We do this by having in place a range of appropriate technical and organisational measures, including firewalls, encryption measures and disaster recovery plans. All Personal Data you provide to us is stored on our secure servers. We ask you not to share your password with anyone, and to follow general internet etiquette in operating your User Account with us. In public areas, you should exercise caution and not leave your computer/device unattended especially whilst logged into your User Account. The use of established malware and virus protection software and apps for your device is recommended.

Please remember that if you post any of your Personal Data in public areas of the Online Platforms, such information may be collected and used by others over whom we have no control.

You understand and acknowledge that any transmission through the internet is not completely secure and is at your own risk. While we will do our best to protect your Personal Data, we cannot guarantee or give any warranties in this regard, and hereby disclaim all liabilities for any breach of security, malicious attacks, error, omission or commission concerning the data transmitted through the Online Platforms or leading to a breach of data or information of the User. We are not responsible for the circumvention of any privacy settings or security measures contained on the Services or Platforms done by you.

If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately. Please contact our support team at contact@bitfirstcapital.com, in the first instance, and we will investigate the matter and update you as soon as possible on next steps.

We also may subject ourselves to regular checks by third party security evaluation specialists and restrict access to your Personal Data by our personnel on a need-to-know basis only. Once we have received your Personal Data, we will use strict procedures and security features to try to prevent, as far as is reasonably possible, unauthorized access to your Personal Data.

Notwithstanding anything contained herein or in the Terms, we retain any Personal Data for as long as your User Account is active, and for any additional time periods for resolution of disputes, for the purpose of investigations or ongoing prosecutions or in case of any suspicious/illegal transactions, for enforcement of any agreements, and/or as necessitated or authorised under Applicable Laws, and/or in order to protect your vital interests or the vital interests of another natural person. The retention period may be extended in accordance with the Applicable Law and shall only be for such a period as is authorised by Applicable Law, or as is absolutely necessary for us to comply with Applicable Law, and/or for provision of our Services to you.

We make no warranties and shall not be liable regarding non-availability or non-retention of any information and/or data provided by you beyond the deletion of your User Account.

While we will endeavour to permanently erase your Personal Data once it reaches the end of its retention period, some of your Personal Data may still exist within our systems, for example if it is waiting to be overwritten. For our purposes, this data has been put beyond use, meaning that, while it still exists in the electronic ether, our employees will not have any access to it or use it again. This is subject to retention for purposes set out in paragraph 1 above.

Unless otherwise indicated, you are only allowed to use our Online Platforms and Services if you are over the age of 18 (eighteen) years.

We understand the importance of safeguarding the Personal Data of persons with disability who have a lawful guardian under Applicable Law. If you are suffering from disability and have a lawful guardian under Applicable Law, you may use our Services only with the direct involvement of the lawful guardian. Such lawful guardian must provide us with verifiable guardian consent. In such a scenario, you, i.e., the person agreeing to this Policy and providing consent, confirm that you are the lawful guardian of such person.

We may automatically track certain information about you based upon your behaviour on our Online Platforms or while accessing our Services. You agree that we may use such information to do internal research on our Users' demographics, interests, and behaviour to better understand, protect and serve our Users. This information is compiled and analysed on an aggregated basis.

The Platform uses cookies to distinguish you from other Users of the Online Platforms and to store your preferences as a User. This helps us to provide you with a good and personalised experience when you browse the Online Platforms and also allows us to improve the Online Platforms including as an element of our security measures and analytics measures. By continuing to browse the Online Platforms, you are agreeing to our use of cookies. Usage of a cookie is in no way linked to any personally identifiable information on our Online Platforms.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer and of your other device if you agree. Cookies contain information that is transferred to your computer's hard drive.

Please note that third parties (including, for example, advertising networks and providers of external services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

We may use certain third-party web analytics services on the Online Platforms such as Google Analytics, tools offered by Facebook and/or LinkedIn, etc., which may use technologies such as cookies, web server logs and web beacons to collect information and help us analyze how visitors use the Online Platforms. These analytic services may use the data collected to contextualize and personalize the marketing materials of their own advertising network.

Google Analytics is a web analysis service provided by Google Inc. ("Google"), in accordance with its policies: http://www.google.com/policies/privacy/partners/. You can prevent Google's collection and processing of data by using the Google Ads Settings page or by downloading and installing its browser plug-in. (https://tools.google.com/dlpage/gaoptout).

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies), you may not be able to access all or parts of the Online Platforms or avail of our Services. You further agree that if you send us personal correspondence, such as emails or letters, or if other Users or Third Parties send us correspondence about your activities or postings on the Online Platforms, we may collect and/or store such information.

Our Services and Online Platforms may contain links to third-party applications/websites. Please note that when you click on one of these links, you are entering another application/website over which we have no control and will bear no responsibility. We do not own or control these third-party applications and when you interact with them you may be providing information directly to them or us or both. Often such a third-party application/website will require you to enter your Personal Data, and use/collect your Personal Data, in accordance with its own privacy policy and standard practices. You are requested to exercise your own discretion in this regard and you agree that we shall not be liable for any breach of your privacy of Personal Data or loss incurred by your use of these applications/websites.

You may deal with your Personal Data available with us in the following ways:

• to check whether we hold Personal Data about you and to access such data;
• to ask for a copy of the Personal Data we hold about you in a structured, commonly used and machine-readable format (or, when this is possible, ask for such Personal Data to be communicated on your behalf to another data controller);
• to require us to correct (when communicated to us by you in writing), as soon as reasonably practicable any Personal Data relating to you that is inaccurate or deficient;
• to ascertain our policies and practices in relation to Personal Data held by us;
• to withdraw consent, where we have obtained your consent to process your Personal Data for certain activities;
• to ask us to erase and forget your Personal Data;
• to register any grievances in relation to this Policy with our grievance officer / data protection officer.

You may exercise the above rights by sending us requests for the same at contact@bitfirstcapital.com. While the majority of questions and issues related to access or requests can be handled quickly, complex requests may take more research and time. We reserve the right to charge a reasonable fee for processing any data access request(s).

The Company may retain all or some of your data in accordance with our policies in force or as per Applicable Law.

We cannot utilize your Personal Data and/or Sensitive Personal Data (to provide you with access to our Online Platforms and process any application to avail Services from us) without your consent. You may write to contact@bitfirstcapital.com indicating the withdrawal of your consent provided under this Policy. Upon receipt of your withdrawal request, we shall within a reasonable time, cease processing your Personal Data unless we are required or authorised to process such data under Applicable Laws. You may note that withdrawal of your consent does not affect the legality of processing of Personal Data based on any consent received before it was withdrawn.

We will also provide you an option to opt-out of marketing communications. By selecting this option, you are indicating that you DO NOT wish for us to use your Personal Data in direct marketing and DO NOT wish to receive direct marketing materials by phone, SMS, mail, email, fax or any other communication channels and DO NOT wish for us to provide your Personal Data to any other persons for their use in advertising and marketing, whether or not such persons are members of the Company except where you have applied for or will apply for any Service that is provided by us jointly with a co-branding partner, such Opt-Out will not apply to such co-branding partner to whom you have consented or shall consent to the provision of your Personal Data separately.

You shall:

• not impersonate any other person while providing any information to us;
• not to register any false or frivolous grievance or complaint with our grievance redressal channels or with any authority or regulator;
• furnish only such information as is verifiably authentic, while exercising your right to correction or erasure under Applicable Laws; and
• comply with this Policy and with the Terms in all respects.

We may use a variety of third-party service providers to help us provide our Services. Service providers may be used, including without limitation: (a) to authenticate your identification information and documents to process your payments; (b) to check information against public databases; (c) for fraud prevention and risk assessment; (d) to allow the provision of Services through third party platforms and software tools; (e) to provide customer service and for marketing, (f) to process and handle claims; and (g) such other purposes as we may seek your consent for, from time to time.

The third-party service providers shall have limited access to your Personal Data for performance of the above tasks and in accordance with our strict directions and policies.

Non-personal data or information is information that does not personally identify you. When you visit and interact with our Online Platforms or third parties with whom we have contracted to provide services, nonpersonal information, like a list of website pages visited by you, domain name, areas of the site you visit, URL, etc. could be collected to enhance your online experience by understanding your web usage patterns.

We may use or disclose non-personal information for any purpose from time to time, for instance, we may embed email addresses with images. In such cases where we combine non-personal information with personal information that is not aggregated or anonymized, the combined information will be treated by us as Personal Data as per this Policy.

We will report theft or loss of Personal Data in accordance with applicable Data Protection Laws.

Any Personal Data collected or accessed by us shall be limited to that which is necessary to perform our obligations in relation to the Services offered on by us or to fulfil any legal requirements or is otherwise consented to by you. We shall not share any Personal Data that is collected or possessed by us with any third-party for any reason except as expressly stated in this Policy.

You agree that other than as stated in this Policy, we shall have the right to collect and/or use or analyse the Personal Data on an anonymised basis. We advise you not to include Sensitive Personal Data in any emails you may send to us. Please do not send credit/debit card numbers or any other Sensitive Personal Data to us via email.

Notwithstanding anything contained in this Policy, we are not responsible for any loss, damage or misuse of your information, if such loss, damage or misuse is attributable to a Force Majeure Event (as defined in the Terms).

We may update this Policy from time to time when required by Applicable Law or due to business reasons and provide you with notice of the same. We encourage you to periodically review the Policy for the latest information on our privacy practices. Continued use of the Online Platforms constitutes agreement of the User to the Terms and this Policy and any amendments thereto.

If any term or provision of this Policy is held by a court of competent jurisdiction to be invalid, void or unenforceable, the remainder of the terms and provisions of this Policy shall remain unaffected, and in full force and effect.

We may provide any notice to you under any of our policies by sending a message to the email address then associated with your User Account. Notices we provide by email will be effective when we send the email. It is your responsibility to keep your email address current. To give us notice under any of our policies, you must contact us by email, overnight courier or registered mail to the mailing address listed below. Notices to us must be sent to contact@bitfirstcapital.com and contact@bitfirstcapital.com or to any other email address notified by email to the User by us, or by electronic communication via the Online Platforms from time to time for such purpose. Notices provided by overnight courier will be effective 1 (one) business day after they are sent. Notices provided by registered mail will be effective 3 (three) business days after they are sent.

Please address your grievances, feedback or questions, without limitation, with respect to the collection, processing, usage, disclosure, security of your Personal Data or on any element of this Policy; or your intention to exercise one of your data protection rights in writing to at contact@bitfirstcapital.com and contact@bitfirstcapital.com or to the Data Protection Officer at contact@bitfirstcapital.com. Please use "Privacy Policy" as the subject line of your email. Please provide details of the issue in the body of the email along with evidence (if any).

We will record any Personal Data and other content that you provide in your communication so that we can effectively respond to your communication.

We will be guided by the following grievance redressal principles:

• Users should be treated fairly at all times.
• Issues raised by Users should be attended with courtesy and in time.
• Users should be provided with effective and satisfactory resolution within reasonable time period.
• Users should be informed of avenues to escalate their issues/ grievances if they are not fully satisfied with the response to their complaints.