Data Privacy Policy of Kurant GmbH
Data Privacy Policy of Kurant GmbH, with registered office in Vienna and business address Forchheimergasse 30A/4/1, A-1230 Vienna/Austria, and its affiliates (hereinafter referred to as “Kurant” or “we”), for their websites (e.g., kurant.at, kurant-btm.de, kurant.gr, kurant.es, kurant.io, kurant.net, hereinafter “website”) and contracts for the purchase or sale of cryptocurrencies.
Thank you very much for your interest in our products. Below we inform you comprehensively, to what extent we process your data and which rights you have in this regard. The protection of your privacy is particularly important to us and we would like to inform you accordingly about your rights or possibilities in order to sustainably promote a relationship based on trust. Our data protection practice complies with the General Data Protection Regulation of the European Union (hereinafter “GDPR”) in conjunction with the Austrian Data Protection Amendment Act 2018 (hereinafter “DS-AG”), the Telecommunications Act (TKG) and other relevant legal provisions.
Data protection regulations must always be observed when processing personal data. The scope of this privacy policy is based on the understanding of the GDPR. Thus, the “processing” of personal data essentially involves any dealings with the same. Insofar as data processed by us are inhuman and – even if only through third parties, in a synopsis or additional knowledge – make you identifiable as a person (in particular, have your full name ascertained), this is basically personal data.
This privacy statement applies solely to our website. If you are redirected to other websites via links on our website, please inform yourself directly on the landing page about the respective handling of your data. For contents on web pages of the third party, which are linked over our web appearance, we can take over no responsibility or adhesion.
§ 1 Data processing when using our website
When you visit our website, we collect the following information: IP address.
You can visit our website without having to provide any personal information. When the website is accessed, only certain access data (your IP address and other metadata regarding your surfing behaviour, e.g., date/time of retrieval, requesting provider) are processed. This data processing is carried out for the purpose of traceability of visitors, checking the effectiveness of advertising, playing targeted advertising elements and messages, and for the purpose of ensuring and improving the quality of our offer and is based on Article 6 (1) (f) GDPR (predominant legitimate interests, that is achievement of the purposes just mentioned). However, this information does not allow us to infer yourself.
IP addresses are collected and stored by shortening the last three (3) digits exclusively in anonymous form. As a basic principle, you can therefore view all content on our
§ 2 Data processing when trading cryptocurrencies
If you have decided to trade cryptocurrencies through our Bitcoin ATMs, you must first register at the Bitcoin ATM starting from a certain amount (which depends on the country) and then complete a Know Your Customer verification process (hereinafter “KYC”). Within the framework of this registration or KYC verification and the subsequent ordering of cryptocurrencies (purchase or sale), the following personal data are collected: first name, last name, address data, date of birth, e-mail address, telephone number and identification data (presentation of ID card copy) and a photo of your face to make a KYC check.
Video-Ident-Procedure by identity Trust Management AG
Kurant uses the video-identification procedure of identity Trust Management AG, based in Dusseldorf/Germany. In the course of the identification process, the following data is collected and processed: First and last name, residential address, gender, date and place of birth, nationality, mail address, telephone number, photo of the customer, data and photo of the ID presented (including type of ID, ID number, issuing authority, date/place of issue, validity date), acoustic and video recordings with time stamps.
The data is transmitted to Kurant by identity Trust Management AG as a service provider. identity Trust Management AG uses this data only to the extent necessary for proper identification.
After the expiration of the period of 3 months, the depersonalized order data will be kept in a separate offline database by identity Trust Management AG for another 9 months. After a total of 12 months, the depersonalized order data will also be deleted automatically by identity Trust Management AG.
Should you have decided to make a request to set up a Bitcoin ATM, the following personal data will be collected: title, first name, last name, email address, company, sector, position and website.
These personal data are required by us for the fulfilment of the contract and for the fulfilment of the legal requirements (Article 6 (1) (b) GDPR, Article 6 (1) (c) GDPR). The data is stored at least for the duration of a contract with Kurant, whereby in particular due to legal requirements (statutory retention requirements, limitation periods of potential legal claims) a longer period may also be provided for. Insofar as the storage of the data for the purposes of the original survey (or within the scope of a legally permissible change of purpose) is no longer required and no legal provisions are in conflict, we will arrange for the deletion of the same.
In addition, we process the date of the transaction, the transaction fee and the network fee (also required for contract fulfilment).
§ 3 Data processing of children
There are no business relationships with children.
§ 4 Rights of the data subject
An important concern of data protection law is to give you certain disposition possibilities about your personal data even after a data processing has already begun. For this purpose, there are a number of data subject rights, which we will comply with immediately upon request, but at the latest within one (1) month. To exercise your rights, please contact us via the following e-mail address: office@kurant.at. Specifically, the following rights are provided:
(a) If you exercise your right to information and no legal restrictions are in conflict, we will inform you comprehensively about our processing of your data. We will provide you with (i) copies of the data (e-mails, database extracts, etc.) as well as information on (ii) specifically processed data, (iii) processing purposes, (iv) categories of processed data, (v) recipients, (vi) the retention period or criteria for their determination, (vii) the source of the data and (viii) where applicable, further information depending on the individual case. Please note, however, that we cannot provide documents that could affect the rights of others.
(b) With the right of rectification, you can request that we correct incorrectly recorded, incorrect or (for the respective processing purpose) incomplete data. Your request will then be reviewed and the data processing concerned may be restricted for the duration of the audit upon request.
(c) The right to (data) deletion may be exercised at any time by you (i) in the absence of any need for processing purposes, (ii) in the event of the revocation of any consent granted by you, (iii) in the event of special opposition, to the extent that the data processing concerned affects the legitimate interests of Kurant, (iv) in the event of unlawful data processing and (v) in the event of a legal cancellation obligation.
(d) An accompanying right to restriction, after the exercise of which data may only be stored, exists in special cases. In addition to the possibility of restricting the review period of data adjustments, (i) unlawful data processing (if no deletion is required) and (ii) the duration of the review of a particular request for opposition are included.
(e) In addition, you have a fundamental right to opposition to data processing any time. However, this only applies if the processing is based on the legitimate interests of Kurant.
(f) You can also exercise your right of appeal to the data protection office (see point 10).
Please note further that we may not be able to comply with your request due to compelling, legitimate reasons for the processing (balance of interests) or processing due to the assertion, exercise or defence of legal claims (on our side). The same applies in the case of excessive applications, whereby a fee may be charged here as well as in the processing of obvious unfounded requests.
§ 5 Data security and data deletion
Kurant will take all appropriate technical and organizational measures to ensure that only personal data is processed by default, the processing of which is strictly necessary for the business purpose. The measures we have taken cover both the amount of data collected, the amount of work involved, and their retention and accessibility. We use these measures to ensure that personal data is made available to a limited and necessary number of people by default. Other persons will not be granted access to personal data under any circumstances without the express consent of the data subject. We also use various protection mechanisms (backups, encryption) to secure the website and other systems. This is intended to best protect your (personal) data against loss or theft, destruction, unauthorized access, modification and dissemination.
In accordance with the provisions of the GDPR, all (personal) data collected by us via the Bitcoin ATM or the website will only be stored for as long as they are required for the legal basis of processing, unless longer-term storage is provided for by law. We comply with our deletion obligation by means of our specific company-internal deletion concept, whereby we can give you more information on request.
All employees of Kurant have been sufficiently informed about all applicable data protection regulations, internal data protection regulations as well as data security precautions and are required to keep secret all information entrusted or made accessible to them in the course of their professional employment. The requirements of the GDPR are strictly adhered to and personal data are only made available to individual employees insofar as this is necessary with regard to the purpose of the data collection and our resulting obligations.
If a data processor is commissioned by us, these are also obligated to comply with all applicable data protection regulations due to specific framework agreements. In addition, when dealing with your (personal) data, they are strictly bound by our specifications, especially with regard to type and scope.
§ 6 Data transmission
For the purposes explained in the context of this privacy policy, we will transfer your (personal) data to third parties, if necessary. This requirement occurs e.g., if you have decided on a verification at the Bitcoin ATM.
Within our organization, those entities or employees will receive your data for the fulfilment of their contractual or legal obligations and for data processing based on our legitimate interests.
§ 7 Cookies
Cookies are small files that enable specific information related to the device to be stored on the user’s access device (PC, smartphone or similar). On the one hand, they serve the userfriendliness of websites and thus the users (e.g., storage of login data). We store information that is necessary for the operation of the website in cookies. However, these are not filled with personal data that could be read by third parties. Users can influence the use of cookies. You can set up your browser so that it informs you about the setting of cookies and you only allow this in individual cases. By refusing cookies in the browser or deleting them regularly, you can also prevent conclusions from being drawn about your behaviour as a result. If cookies are deactivated, the functionality of our website may be limited.
§ 8 Use of plug-ins
Google services
The following services “Google Analytics”, “Google Adwords” and “Google Maps” are a service provided by Google Ireland Limited (“Google”), a company incorporated and operated under the laws of Ireland (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
You can read what data is collected by Google and what it is used for at policies.google.com/privacy. The data processing is based on the legal provisions of § 96 para 3 TKG and Art 6 para 1 lit a of the DSGVO.
Google Analytics
This website uses Google Analytics, a web analytics service. Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website such as
- Browser type/version,
- operating system used,
- Referrer URL (the previously visited page),
- Host name of the accessing computer (IP address),
- time of the server request
are usually transferred to a Google server and stored.
The IP address transmitted by your browser as part of Google Analytics is recorded to ensure the security of the service and to provide us with information about which country, region or city our users come from. This is also referred to as IP location determination. In Google Analytics, collected IP addresses are anonymized using socalled IP masks.
On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.
If Google Analytics has been implemented in apps or websites together with other Google advertising products such as Google Ads, additional advertising IDs may be collected. Users can disable this feature in Google’s advertising settings and change their settings for this cookie.
Google Maps
Our website uses the Google Maps API product from Google Inc. (Google Inc., 1600 Amphitheater Parkway, Mountain View, California, 94043). To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission. Information on data processing by Google can be found in Google’s privacy policy. You can find this under the following link: www.google.com/privacypolicy.html.
Facebook Pixel
Within this website, so-called “Facebook pixels” of the social network Facebook, which is operated in Europe by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), are used.
With the help of the Facebook pixel, it is possible for Facebook to determine the visitors to our offer as a target group for the display of advertisements, so-called “Facebook ads”. Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our Internet offer. In other words, with the help of the Facebook pixel, we want to ensure that our Facebook ads correspond to the potential interest of the users and do not have a harassing effect. With the help of the Facebook pixel, we can also track the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad.
The Facebook pixel is directly integrated by Facebook when our websites are called up and can save a so-called cookie, i.e., a small file, on your device. If you subsequently log in to Facebook or visit Facebook while logged in, the visit to our offer will be noted in your profile. The data collected about you is anonymous for us, so it does not offer us any conclusions about the identity of the user. However, the data is stored and processed by Facebook, so that a connection to the respective user profile is possible. The processing of the data by Facebook takes place within the framework of Facebook’s data usage policy. Accordingly, you can find more information on how the remarketing pixel works and generally how Facebook ads are displayed, in Facebook’s data usage policy: www.facebook.com/policy.php.
You can object to the collection by Facebook pixel and use of your data for the display of Facebook ads. To do so, you can visit the page set up by Facebook and follow the instructions there on the settings for usage-based advertising: www.facebook.com/settings?tab=ads or declare the objection via the EU page www.youronlinechoices.com/. The settings are platform-independent, i.e., they are applied to all devices, such as desktop computers or mobile devices.
§ 9 Right of appeal
If you believe that we violate applicable data protection laws when processing your data, you have the right to lodge a complaint with the Austrian Data Protection Authority (DPA). The requirements for such a complaint are based on § 24ff DS-AG. However, we ask you to contact us in advance in order to clarify any questions or problems. The contact details of the DPA are as follows:
Österreichische Datenschutzbehörde
Barichgasse 40-42
A-1030 Vienna/Austria
Phone: +43 1 52 152-0
Mail: dsb@dsb.gv.at
§ 10 Contact for data protection questions, notifications, requests
For data protection questions, notifications or requests, please use the following contact address:
Kurant GmbH,
Forchheimergasse 30A/4/1,
A1230 Vienna/Austria,
office@kurant.at
Valid as of: 01.10.2022