midchains limited: privacy statement
1. Important information and who we are
1.1 Data controller
This Privacy Statement, as amended or otherwise changed from time to time (the “Privacy Statement”), explains the manner in which MidChains Limited. (“MidChains”, "We", "Us", "Our") collects, uses, maintains and discloses Personal Data through the provision of Our services (the “Services”). MidChains is the Data Controller of your Personal Data.
1.2 MidChains is authorised and regulated by the Abu Dhabi Global Market Financial Services Regulatory Authority as an Authorised Person Operating a Multilateral Trading Facility (the "MTF") and Providing Custody in relation to Virtual Assets.
1.3 MidChains' registered address is: Al Sila Tower, Abu Dhabi Global Market Square, Al Maryah Island, Abu Dhabi, United Arab Emirates (Registration number 000003233).
1.4 MidChains' ultimate parent holding company is MEEG Holdings Limited (Registration number 000001552) whose registered address is Al Sila Tower, Abu Dhabi Global Market Square, Al Maryah Island, Abu Dhabi, United Arab Emirates.
1.5 "Data Protection Law" means ADGM's Data Protection Regulations 2015 (as amended by Data Protection (Amendment) Regulations 2021) and the data protection and privacy laws of any other jurisdiction applicable to Our Services.
1.6 “Personal Data” means data that allows someone to identify or contact you, including, for example, your name, address, telephone number, e-mail address, an identification number, location data, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.
1.7 "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and "Processed", "Processes" and "Process" shall be construed accordingly.
1.8 Our responsibility as Data Controller
As Data Controller subject to ADGM's Data Protection Regulations 2015 (as amended by Data Protection (Amendment) Regulations 2021), We must ensure that any Personal Data We Process are:
(a) Processed fairly, lawfully and securely;
(b) for specified, explicit and legitimate purposes in accordance with the Data Subject's rights and not further Processed in a way incompatible with those purposes or rights; and that it is
(c) adequate, relevant and not excessive in relation to the purposes for which they were collected or further Processed;
(d) accurate and, where necessary, kept up to date; and
(e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data were collected or for which they are further Processed.
1.9 We are also required to ensure that Personal Data that are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further Processed, are erased or rectified.
1.10 Data Protection Officer ("DPO")
You may contact Our DPO by email at email@example.com.
1.11 ADGM Supervisory Authority
We are registered as a Data Controller with The Office of Data Protection for ADGM ( https://www.adgm.com/operating-in-adgm/office-of-data-protection/overview ). The Office of Data Protection is responsible for promoting data protection within ADGM, maintaining the register of Data Controllers, enforcing the obligations upon Data Controllers and upholding the rights of individuals.
1.12 Other Supervisory Authorities
Although We are based in, and operate from, ADGM we offer Our Services globally. Consequently, We are also subject to compliance obligations in relation to the Processing of Personal Data in jurisdictions other than ADGM. For example, if you are based within the European Union or European Economic Area, you have the right to make a complaint at any time to the Supervisory Authority established for the purposes of the European General Data Protection Regulation (GDPR) in the country in which you are based. If you are based in the United Kingdom then you may also (or alternatively) make a complaint to the Information Commissioner's Office (ICO) (the UK supervisory authority for data protection issues under UK GDPR ( www.ico.org.uk)).
2. Changes to this Privacy Statement
We may revise this Privacy Statement to reflect changes in law, Our Personal Data collection and use practices, the features on the Site, or advances in technology. If material changes are made to this Privacy Statement, the changes will be prominently posted on the Site.
3. What information do we collect?
3.1 We collect and Process Personal Data as described below.
3.1.1 We may collect Personal Data from you, such as:
(a) Full name;
(b) Residential address;
(c) Contact details (telephone number, email address);
(d) Date and place of birth, place of citizenship, country of residence;
(e) Bank account information and/or credit card details;
(f) Your status as a politically exposed person;
(g) Source of funds & proof of residence;
(h) Passport and/or national driver’s license or government-issued identification card to verify your identity;
(i) Second nationality and Passport, if applicable;
(k) Transaction history and account balances in connection with your use of Our Services.
3.1.2 We may also collect other Personal Data provided by third party identity verification, market surveillance providers, and sanctions screening services, service providers, regulators or via social networking websites.
3.1.3 We log technical information about your use of the Services, including the type of browser and version you use, the wallet identifier, the last access time of your wallet, the Internet Protocol (IP) address used to create the wallet and the most recent IP address used to access the wallet.
3.1.4 We collect information about the device you use to access your account, including the hardware model, operating system and version, and unique device identifiers.
3.1.5 If you create a wallet through Our Services, you will generate a public and private key pair. When you log-out of the wallet, We collect an encrypted file, that, if unencrypted, would contain these keys, along with your transaction history. When you enable notifications through your Account Settings, We will collect the unencrypted public key in order to provide such notifications. We will not collect an unencrypted private key from you, nor can We decrypt any wallet file data.
3.1.6 In connection with Our Services, We may collect and maintain information relating to transactions you effect in your wallet.
3.2 If you provide Us feedback or contact Us via e-mail, We will collect your name and e-mail address, as well as any other content included in the e-mail, in order to send you a reply.
3.2.1 We also collect other types of Personal Data that you provide to Us voluntarily when seeking support and other Services, such as email, chat name and logs, information submitted via online form, video conferencing service information, other contact information, or other information provided to support services staff.
3.2.2 We may collect referral URLs, your location, and blockchain analytics information related to blockchain addresses you provide. Some of the Personal Data used by the blockchain and Virtual Asset exchange services is public information and can be seen by others, including, your public address and the type and amount of digital assets transferred. Additionally, certain technologies, such as blockchain, are immutable meaning that information, including Personal Data, cannot be deleted from the ledger. If you have concerns about this use of your Personal Data, do not use the Services.
3.3 Some information is collected automatically by Our servers:
3.3.1 We gather certain information automatically and store it in log files. This information includes IP addresses, browser type, Internet service provider (“ISP”), referring/exit pages, operating system, date/time stamp, and clickstream data.
3.3.3 We retain information on your behalf, such as transactional data including records for trades, deposits, and withdraws for you and the counterparty to the transaction and other session data linked to your Account.
3.4 Some information is collected from third parties:
We may obtain Personal Data about you from other sources, including through third party services such as sanctions screening services and other organizations to supplement information provided by you. This supplemental information allows Us to verify information that you have provided to Us and to enhance Our ability to provide you with information about Our business, products, and Services.
3.5 If you fail to provide Personal Data
Where We need to collect Personal Data by law, or under the terms of a contract We have with you and you fail to provide that data when requested, We may not be able to perform the contract We have or are trying to enter with you. In this case, We may have to close your Account but We will notify you if this is the case at the time.
4. Why are we allowed to collect and process personal data?
4.1 You will need to give Us Personal Data about yourself or other individuals in order to create and secure an Account and access Our Services, and you may give Us Personal Data about yourself, or other individuals to help Us provide you with or improve the Services you have asked Us for.
4.2 Under Data Protection Law, We can only Process and use your Personal Data if We have a lawful basis for doing so. We will use Personal Data where one or more of the following lawful bases applies:
4.2.1 Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
4.2.2 Processing is necessary for compliance with any regulatory or legal obligation to which We are subject as Data Controller;
4.2.3 Processing is necessary for the performance of a task carried out in the interests of the ADGM or in the exercise of the Board's, the Court's, the Registrar's or the Regulator's functions or powers vested in the Data Controller or in a Third Party to whom the Personal Data are disclosed;
4.2.4 Processing is necessary for the purposes of the legitimate interests pursued by Us as Data Controller or by a Third Party to whom the Personal Data are disclosed, except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation; or
4.2.5 Where the Data Subject has given written consent to the Processing of that Personal Data.
4.3 A "legitimate interest" is when We have a business or commercial reason to use your Personal Data, so long as this is not overridden by your own rights and interests. We will consider and balance any potential impact on you (both positive and negative) and your rights before We Process your Personal Data for Our legitimate interests.
4.4 Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal record, trade‐union membership and health or sex life is Sensitive Personal Data. We will only Process Sensitive Personal Data where:
4.4.1 the Data Subject has given an additional written consent to the Processing of this kind of Personal Data;
4.4.2 Processing is necessary for the purposes of carrying out the obligations and specific rights of the Data Controller;
4.4.3 Processing relates to Personal Data which are manifestly made public by the Data Subject, or is necessary for the establishment, exercise or defence of legal claims;
4.4.4 Processing is necessary for compliance with any regulatory or legal obligation to which the Data Controller is subject;
4.4.5 Processing is necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets, provided the Processing is undertaken in accordance with applicable standards and except where such interests are overridden by compelling legitimate interests of the Data Subject relating to the Data Subject's particular situation; or
4.4.6 Processing is necessary to comply with any regulatory, auditing, accounting, anti‐ money laundering or counter terrorist financing obligations that apply to a Data Controller or for the prevention or detection of any crime.
5. How do we use the information we collect?
5.1 We will only use your Personal Data when the law allows or requires Us to do so. Most commonly, We will use your Personal Data in the following circumstances:
5.1.1 where We need to perform the contract We are about to enter into or have entered into with you, for example, to execute a transaction on your behalf;
5.1.2 where it is necessary for Our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and/or
5.1.3 where We need to comply with a legal or regulatory obligation;
5.1.4 where you have provided your consent in accordance with the applicable Data Protection Law.
5.2 Please note that We may Process your Personal Data without your knowledge or consent where this is required or permitted by law.
5.3 In general, Personal Data you submit to Us is used either to respond to requests that you make, or to aid Us in serving you better. We use your Personal Data in the following ways:
5.3.1 facilitate the creation of and secure your Account;
5.3.2 identify you and perform identity verification through a service provider;
5.3.3 provide improved administration of Our Site and Services;
5.3.4 improve the quality of experience when you interact with Our Site and Services;
5.3.5 send you a welcome e-mail to verify ownership of the e-mail address provided when your Account was created;
5.3.6 send you administrative e-mail notifications, such as account activity, transaction Processing, security or support and maintenance advisories;
5.3.7 identify, prevent, and report potentially suspicious, fraudulent, or illegal activities;
5.3.8 notify you about important changes to Our Terms; and
5.3.9 respond to your inquiries or other requests.
5.4 Data collected automatically will be used to administer or improve Our Services and for other lawful purposes.
5.5 We use IP address to make Our Site and Services more useful to you, and to perform identity verification.
5.6 We use information from log files to analyse trends, administer the Site, track users’ movements around the Site, gather demographic information about Our user base as a whole, and better tailor Our Services to Our users’ needs. Except as noted in this Privacy Statement, We do not link this automatically-collected data to Personal Data.
5.7 We may create aggregated or de-identified records from Personal Data by excluding information (such as your name) that makes the data personally identifiable to you. We use this to analyse request and usage patterns so that We may enhance the content of Our Services and improve Site navigation. We reserve the right to use and aggregated and other de-identified information for any purpose and disclose to third parties in Our sole discretion.
6.1 We may provide you with choices regarding certain Personal Data that We use, particularly around marketing and advertising, subject to the following Personal Data control mechanisms:
6.1.1 Promotional offers from Us: We may use your Personal Data to determine what may be of interest to you in accordance with applicable law. This is how We decide which products, Services, and offers may be relevant for you.
6.1.2 Third-party marketing: In accordance with applicable law, We may obtain your express consent (opt-in) before We share your Personal Data with any company outside Our group for that company's own marketing purposes.
6.1.3 Opting out: you can ask Us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting Us via Our DPO firstname.lastname@example.org or via Our support team email@example.com.
7. How do We share Your Personal Data?
7.1 We disclose your Personal Data as described below and as described elsewhere in this Privacy Statement.
7.1.1 It may be necessary to disclose your Personal Data to law enforcement agencies, regulators, government/public officials, or other relevant third parties to comply with any law, subpoenas, court orders, or government request, defend against claims, investigate or bring legal action against illegal or suspected illegal activities, enforce Our Terms, or to protect the rights, safety, and security of Us, Our users, or the public.
7.1.2 We may share Personal Data with Our affiliated companies.
7.1.3 We may share your Personal Data with third party service providers to provide you with the Services that We offer you through Our Site; to conduct quality assurance testing; to facilitate creation of accounts; to provide technical support; to verify your identity; and/or to provide other services to Us. These third party service providers are required not to use your Personal Data other than to provide the services requested by Us.
7.1.4 We may provide Personal Data to business partners with whom We jointly offer products or services as allowed by law. In such cases, Our business partner’s name will appear with Ours.
7.1.5 We may share some or all of your Personal Data with third parties in connection with or during negotiation of any merger, financing, acquisition or dissolution transaction or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of Our business or assets. In the event of an insolvency, bankruptcy, or receivership, Personal Data may also be transferred as a business asset. If another company acquires Our company, business, or assets, that company will possess the Personal Data collected by Us and will assume the rights and obligations regarding your Personal Data as described in this Privacy Statement.
7.1.6 The Site may contain links to other third party websites which are regulated by their own privacy policies. We are not responsible for the privacy policies of these third party websites even if they were accessed using the links from Our Site.
7.2 Other than as stated in this Privacy Statement, We do not disclose any of your Personal Data to third parties unless required to do so by law enforcement, court order, or in compliance with legal reporting obligations.
8. Transfers outside ADGM
8.1 We share your Personal Data within Our affiliated group of companies, which are based in various locations globally. This may involve transferring your Personal Data outside ADGM.
8.2 In addition, many of Our external third parties are also based outside of ADGM so their Processing of your Personal Data will involve a transfer of data outside of ADGM.
8.3 Whenever We transfer your Personal Data out of the ADGM, We ensure a similar degree of protection is afforded to it by putting in place appropriate safeguards, as required by applicable Data Protection Law.
8.4 Where Personal Data is transferred to a jurisdiction that is not listed in Schedule 3 to ADGM's Data Protection Regulation 2021 (as amended from time to time) we ensure that an adequate level of protection is in place in accordance with Regulation 5 of the ADGM's Data Protection Regulation.
8.5 Please contact Us via Our DPOdp@midchains.com or Our support team firstname.lastname@example.org if you want further information on the specific mechanism used by Us when transferring your Personal Data out of ADGM.
9. Transfers outside of the EEA if You are based in Europe
9.1 We share your Personal Data within Our affiliated group of companies, which are based in various locations globally. If you are based in Europe, this will involve transferring your data outside the European Economic Area (EEA)
9.2 In addition, many of Our external third parties are also based outside of the EEA so their Processing of your Personal Data will involve a transfer of data outside the EEA. Whenever We transfer your Personal Data out of the EEA, We ensure a similar degree of protection is afforded to it by putting in place appropriate safeguards, as required by applicable law.
9.3 Please contact Us if you want further information on the specific mechanism used by Us when transferring your Personal Data out of the EEA.
10. How can You update Your information?
11. How long do We keep Your information?
11.1 We retain Personal Data for as long We need it for the purposes set out in this Privacy Statement. This period will vary depending on the nature of the information and your interactions with Our Site and Our Services. We will retain your information for as long as your Account has not been closed or as needed to provide you access to your Account.
11.2 If you unsubscribe from Our marketing communications, We will keep a record of your email address to ensure We do not send you marketing emails in future.
11.3 Once your Account has been closed We will retain and use your information as necessary to comply with Our legal obligations, resolve disputes, and enforce Our Terms. For example, We keep a record of transactions on Our site for up to [seven] years, to protect Us from legal claims, and We will retain information associated with your Account for up to 7 [seven] years after it has been closed unless there are other legal needs to retain it.
12.2 We may also use third party service providers to collect information regarding visit, or behaviour and visitor demographics on Our Services.
12.4 We may use third party application program interfaces (APIs) and software development kits (SDKs) as part of the functionality of Our Services. APIs and SDKs may allow third parties including analytics and advertising partners to collect your Personal Data for various purposes including to provide analytics services and content that is more relevant to you. For more information about Our use of APIs and SDKs, please contact Us.
12.5 Do Not Track (DNT) is an optional browser setting that allows you to express your preferences regarding tracking by advertisers and other third-parties. At this time, We do not respond to DNT signals.
13. What security precautions do We take?
13.1 We take the protection of your Personal Data seriously, and We apply appropriate physical, technological and organisational safeguards and security measures. We use industry-standard data encryption technology and have implemented restrictions related to the storage of and the ability to access your Personal Data. Our servers and business operations are entirely located in ADGM.
13.2 Where Processing is carried out by any Third Party on our behalf, We require from that Third Party sufficient guarantees in respect of the technical security measures and organisational measures governing the Processing to be carried out, and We ensure compliance with those measures.
13.3 Please note that no transmission over the Internet or method of electronic storage can be guaranteed to be 100% secure.
14. Your legal rights
14.1 Under certain circumstances, you have rights under data protection laws in relation to your Personal Data which are set out in more detail below:
14.1.1 Right to access to and rectification, erasure or blocking of Personal Data:
You have the right to require and obtain from Us upon request, at reasonable intervals and without excessive delay or expense:
(a) confirmation in writing as to whether or not Personal Data relating to you are being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the Recipients or categories of Recipients to whom the Personal Data are disclosed;
(b) communication in an intelligible form of the Personal Data undergoing Processing and of any available information as to their source; and
(c) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of these Regulations.
14.1.2 Right to object to Processing:
You have the right:
(a) to object, at any time on reasonable grounds relating to your particular situation, to the Processing of Personal Data relating to you; and
(b) to be informed before Personal Data are disclosed for the first time to Third Parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.
Where there is a justified objection, Processing shall no longer include those Personal Data.
14.2 If you wish to exercise any of the rights set out above, please contact Us.
14.3 You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, We may refuse to comply with your request in these circumstances.
15. What We may need from You
We may need to request specific information from you to help Us confirm your identity and ensure your rights to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up Our response.
16. Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take Us longer than a month if your request is particularly complex or you have made a number of requests. In this case, We will notify you and keep you updated.
17. Children's privacy
We do not knowingly solicit or collect information from anyone under 18. If We become aware that a person under the age of 18 has provided Us with Personal Data, We will delete it immediately.
18. questions and complaints
18.2 In the event that you wish to make a complaint about how we Process your Personal Data, please contact us in the first instance at email@example.com and we will attempt to handle your request as soon as possible. This is without prejudice to your right to launch a claim with the data protection supervisory authority in the country in which you live or work where you think we have violated Data Protection Law.