Our commitment to transparency and data privacy
The Bitkey team has a strong commitment to transparency and open communication with our customers and the community. Since we started building the product, we’ve openly shared details about our product principles, our progress, and how we make the decisions in our product. Part of this commitment also means being clear and upfront about the data we’ll collect from our customers, and why.
Like our product roadmap, our approach to data privacy and data protection will evolve over time — but one thing will remain constant: we'll always be transparent about what data we’re collecting, why we need it, how it’s protected, and try to offer customers’ choice when possible (while also keeping a high bar on safety and experience) on how it’s used.
The following Privacy Notice details transparently what types of information we’ll collect from you, why we need it, how we protect it, and how long we retain it for, so you can decide whether or not you want to use our product.
Effective Date: August 25, 2023
This Privacy Notice describes how Block, Inc., its affiliated and associated entities, including Block Global B.V., as further detailed below (collectively, ‘Block’, ‘we’, and ‘us’) collects, uses, discloses, transfers, stores, retains, or otherwise processes your personal data in association with your purchase and/or use of Bitkey, a self-custody bitcoin wallet, including the associated mobile application (“App”), a hardware device (“Hardware”) and a set of recovery tools (collectively the “Service(s)”).
I. Information Collection & Use
We will collect information about you when you provide it to us directly, when you sign up to the beta program, and we collect some data when you interact with the Services.
If you decline to provide us with your personal data, or do not consent where we rely upon it, we may not be able to proceed with entering into and fulfilling some of our Services. This includes providing your personal data to ship our product to you, or to respond to a support request.
The following table provides more information about the different categories and examples of personal data that we collect from you or through interaction with our services, how we use such data, and who we share your data with. We have also outlined the lawful bases that apply as prescribed under the General Data Protection Regulation and UK General Data Protection Regulation:
|Category of Personal Data||Purpose for Processing and Method of Collection||Categories of Third Party Recipients|
|Contact Identifiers (e.g. name, email, phone number)||Purpose: During the beta, we will send you emails (including requests for feedback). We may reach out for the following reasons: (a) To notify you of important recovery & transaction messages; (b) To ask for your feedback; (c) To respond to customer support inquiries; (d) To keep you updated about Bitkey development and availability; and (e) To send you a download link for the mobile app. At the end of the beta, you will be able to decide whether to continue to use the product and what types of communications you want to receive. How: Provided by you directly when signing up for the beta. Lawful basis: Our lawful basis is for the performance of an agreement with you; for our legitimate interests to maintain and improve our Services.||
|Shipping Information (e.g. shipping address, phone number)||Purpose: To fulfill your order as needed for shipping and billing requirements. How: Provided by you directly when signing up for the beta program. Lawful basis: Lawful basis is for the performance of an agreement with you.||
|Online Identifiers (e.g. IP address)||Purpose: We do not collect your IP address directly, but as part of routine online interactions, your IP is exposed to us when you interact with our Services and will be exposed to third party service providers when you interact with their services on our App. These third party service providers may use your IP address in order to provide us with services or to improve their services. How: Processed automatically when you use our Services and interact with third party service providers on our App. Lawful basis: Our lawful basis is for the performance of an agreement with you; for our legitimate interests and our third party service providers to maintain and improve our Services.||
|Bitkey Identifiers (e.g. hardware serial number and a beta account identifier)||Purpose: Hardware serial number is processed for logistics, shipping, & customer support purposes. When you onboard to the beta, you will be issued a beta account ID that will be connected to your account. These are used to identify and fix bugs and provide customer support, as well as help us understand beta product usage. How: Bitkey identifiers are generated automatically by us and assigned to you when you onboard to the beta. Lawful basis: Our lawful basis is for the performance of an agreement with you; for our legitimate interests to maintain and improve our Services.||
|Transaction Data (e.g. details of the transfer of bitcoin)||Purpose: Bitkey maintains one of your three keys in order to provide recovery tools if you lose access to your wallet, and to co-sign mobile transactions if you choose to use this feature. Because we maintain this key, we’re able to identify transaction data on the blockchain related to your Bitkey. This information may be used to troubleshoot during the beta to improve our Services. How: This information is collected from you when you transfer bitcoin to or from your Bitkey. Lawful basis: Our lawful basis is for the performance of an agreement with you; for our legitimate interests to maintain and improve our Services.||
|Mobile Device Information (e.g. make, model, and operating system of your mobile phone.)||Purpose: This information may be used to troubleshoot and improve our Services. How: Bitkey gatherers this information from APIs available in the iOS and Android software development kits (SDKs). Lawful basis: Our lawful basis is for our legitimate interests to maintain and improve our Services.||
|Hardware Interactions Information (such as device version, battery percentage over time, and interactions with fingerprint sensor.)||Purpose: This information may be used to troubleshoot and improve our Services, and to provide updates to device firmware in order to improve the security and functionality of the hardware. How: Bitkey collects this information from the hardware device statistics via a software development kits (SDKs). Note: Bitkey does not collect or store your fingerprint data. Lawful basis: Our lawful basis is for the performance of an agreement with you; for our legitimate interests to maintain and improve our Services.||
|Optional categories of Personal Data||Purpose for Processing and Method of Collection||Categories of Third Party Recipients|
|Partner Data Related to Bitcoin Transfers and Purchase such as your preferred fiat payment method, bitcoin purchase amount, and local fiat currency denomination.||Purpose: If you use our integrated exchange partners’ services to transfer and/or buy bitcoin, at the time of serving you a set of potential partner options, we may ask for information. In the case of a transfer, we will share your wallet address with the exchange partner so that you can send your desired amount of bitcoin from the exchange partner to your Bitkey wallet. In the case of a purchase of bitcoin with the exchange partners’ services and subsequent transfer to your Bitkey wallet, we will ask you for the payment method type, desired bitcoin purchase amount, and we will collect your country location so that we can provide you with an accurate price quote of how much this bitcoin purchase will cost based on the partners’ services. If you choose to proceed with the purchase with your desired third party exchange, we will share this information with the exchange partner, in addition to your wallet address, so that they can facilitate your purchase and transfer. How: Provided by you directly when using a direct third party partner integration. Lawful basis: Our lawful basis is for the performance of an agreement with you.||
|Payment Account Information, optionally provided during the beta period||Purpose: We may optionally reimburse you for certain costs you incur to receive the product (e.g. customs and duties). In that case, we will need you to provide payment account information in order to provide you with the reimbursement. How: Provided directly by you in the case of a reimbursement. Lawful basis: Our lawful basis is for the performance of an agreement with you||
|Feedback & Survey Information, optionally, any feedback you provide us about the product||Purpose: We may ask you to provide us feedback on your use of the product. If you choose to provide us with feedback, we might ask you for more information about your product and use of the product. How: Provided directly by you. Lawful basis: Our lawful basis is consent.||
|Customer Support, optionally, any information you provide us in order to receive customer support||Purpose: You may provide us with information (e.g. e-mail address, device serial number, shipping address, etc.) in order for us to provide you with customer support. How: Provided directly by you. Lawful basis: Our lawful basis is consent.||
II. When and with whom we share your information
In order to safeguard your personal data, we have implemented stringent access controls that limit the number of individuals within our team who can directly access any of your personal information, including your name and email. This restriction is limited to an extremely small and specific subset of our team, who require this information to communicate with you and determine the group of beta customers.
We share any data specified above with the following third parties/platforms for the purposes specified here:
- Our affiliates and group companies: Bitkey is part of Block, Inc. and its affiliated and associated entities. We have offices and we carry out daily business operations from various locations in Europe and in the United States. We may share your data with our affiliated companies, which we rely on to provide, maintain, and improve our services for the purposes outlined in this Privacy Notice.
- Processors (service providers). We engage third party service providers (as outlined in the table above) which process personal data on our behalf and according to our instructions. Our written agreements set out our mutual obligations and responsibilities, including technical and organizational measures which the processors need to adopt to adequately protect the personal data they process on our behalf.
- Law enforcement and other public and private agencies. We may share your personal data with law enforcement agencies, government agencies, officials, or other authorities or third parties pursuant to a subpoena, court order, or other legal process requirement if we believe that disclosure is necessary to comply with any applicable law, regulation, legal process or governmental request.
The table in section I above further outlines which categories of personal information we share with different third party processors.
We may also de-identify your data, and combine and aggregate your de-identified information with other information in a way that it no longer enables your identification and share that de-identified, aggregated information publicly with other third parties not mentioned above (e.g. we may publically share statistics around how many people use Bitkey in various countries). Although we disclose your personal information to third parties as described above, we do not sell your personal information to third parties.
III. How long we will keep your information
We will store your personal information, in a form which permits us to identify you, for no longer than is necessary for the purpose for which the personal information is processed. We may retain your personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements and rights, or if it is not technically and reasonably feasible to remove it. Once the retention periods applicable to your personal information expires, we will otherwise take steps to delete or anonymize personal data where we no longer have a lawful basis to retain your personal information. Otherwise, we will seek to delete your personal information within a reasonable timeframe upon request.
IV. Your Rights
Depending on the jurisdiction in which you reside, you may be entitled under applicable law to request:
- To be provided with access to your personal data held by us;
- To request that your data be transferred to a third party (data portability);
- To request the rectification or erasure of your personal data held by us;
- To request that we cease or restrict processing your data;
- To request to ask us to correct your personal information held by us, including where you believe it is not accurate, complete, up to date, or relevant.
- To object to profiling activities based on our own legitimate interests;
- To object to solely automated processing and ask for more information about a decision; and
- In addition, where you have provided your consent to our processing of your personal data you can withdraw this at any time. If we process your information on the basis of your consent and you withdraw your consent, this does not affect the lawfulness of the processing prior to your withdrawal.
In order to exercise your rights (including the right to withdraw your consent), you can email email@example.com. We may need to verify your identity before granting access or otherwise changing or correcting your information. You may also designate an authorized agent to make a request on your behalf as permitted under law, though before we process that request, we will require that you provide the authorized agent written permission to do so and verify your identity directly with us.
Please note that when you make a request to exercise your rights, we may require that you provide information and follow procedures so that we can verify you are making a request regarding your own data. If we are able to verify your request, we will process it.
We will assess any request to exercise these rights on a case-by-case basis to see if we are able to fulfill your request. We will respond to your request within the periods required by applicable data protection law. However, we may not always be able to comply fully with your request. We will notify you in that event.
If you are dissatisfied with our response, you have a right to make a complaint to your local privacy authority by clicking on the applicable links.
- Office of the Privacy Commissioner of Canada: here
- UK Information Commissioner’s Office: here
- EU residents can find their local privacy authority here
If you need help finding your local privacy authority and it's not linked above, please contact us for assistance at firstname.lastname@example.org.
V. Automated Decision Making
Block does not use automated decision-making technology, including profiling, where the decision would have a legal or significantly similar effect on you.
VI. International Data Transfers
We operate in many countries, and we (or our service providers) may move your data and process it outside the country where you live. We use third-party service providers to process and store your information in the United States, the EU, and Japan. When we transfer your personal data to our affiliates outside the EU, we make use of standard contractual clauses (which have been approved by the European Commission) to help ensure your information is afforded a high standard of protection, and that your privacy rights can be vindicated.
If you wish to obtain further details regarding the contractual arrangements we enter into to protect your personal data when it is transferred outside the EU, you may do so by contacting us at email@example.com. You can also access the standard contractual clauses approved by the European Commission at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
VII. Data Security
We do a lot to keep your data safe. We take reasonable measures, including administrative, technical, and physical safeguards, to protect your information from loss, theft, and misuse, and unauthorized access, disclosure, alteration, and destruction. Nevertheless, the internet is not a 100% secure environment, and we cannot guarantee absolute security of the transmission or storage of your information. We hold information about you both at our own premises and with the assistance of third-party service providers, as described above. Your personal information will be accessible by a limited number of our employees, contractors and service providers who require access for the purposes described in this Privacy Notice.
VIII. Note about Children’s Privacy
Our Services are general audience services not directed at children under the age of 18. We do not knowingly collect, share, or sell any information from children under the age of 18.
IX. Changes to this Privacy Notice
We reserve the right to change this Privacy Notice from time to time, as may be required. We will provide you with reasonable prior notice of any material changes in how we use your information, including by email if you have provided one. If you disagree with these changes, you may cancel your account at any time. Any amendments will be published by posting a revised version of the Privacy Notice and updating the “Effective Date” above. The revised version will be effective on the “Effective Date” listed.
X. How to Contact Us
If you have any questions or concerns regarding this Privacy Notice, please reach out to us via firstname.lastname@example.org. If you would like to speak to the EU Data Protection Officer, please address your communication for the attention of the Data Protection Officer.