Privacy policy.

Version 1.0 - Effective January 1, 2025

I. INTRODUCTION

  1. Compose Finance Sp. z o.o. ("we," "our," or "us"), with its registered office in Warszawa, recognizes the importance of protecting the privacy and personal data of our Clients. This Privacy Policy outlines how we collect, use, process, and protect personal data in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Polish Act on Personal Data Protection of 10 May 2018, and other applicable Polish and EU laws.
  2. This Privacy Policy applies to all Compose Finance Employees and governs the processing of personal data of our Clients.

II. DEFINITIONS

The phrases used in this Privacy Policy shall mean:

  1. Client - a natural person, legal person or organisational unit without legal personality, who intends to conclude or has concluded an agreement with COMPOSE FINANCE concerning the provision of services in the scope of:
    1. exchanges between virtual currencies and means of payment,
    2. exchanges between virtual currencies,
    3. brokering the exchange referred to in point 1 or 2,
    4. keeping in electronic form a set of identification data ensuring that authorised persons can use virtual currency units, including carrying out their exchange transactions.
  2. Personal Data - any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  3. Data Controller - the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Compose Finance Sp. z o.o. is the Data Controller.
  4. Data Processor - a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  5. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  6. Employee - a person employed by COMPOSE FINANCE on the basis of an employment contract or a civil law contract, including a B2B contract. A Member of the Management Board of COMPOSE FINANCE is also considered an Employee.
  7. Supervisory Authority - the independent public authority which is established by a Member State pursuant to Article 51 GDPR. In Poland, the supervisory authority is the President of the Office for Personal Data Protection (Urząd Ochrony Danych Osobowych).

III. DATA CONTROLLER AND CONTACT INFORMATION

  1. Compose Finance Sp. z o.o., a limited liability company incorporated in Poland (Company No. 5214081197), is the Data Controller responsible for processing your personal data, with registered office at 22B Bartycka lok. 21A, 00-716 Warsaw.
  2. Any inquiries regarding this Privacy Policy or your personal data should be directed to:
    Email address: [email protected]
    Phone number: (+27) 76 983 7809

IV. CATEGORIES OF PERSONAL DATA COLLECTED

  1. We may collect and process the following categories of personal data:
    1. Identity Data: forename and surname, citizenship, the number entered in the Universal Electronic System for Civil Registration (PESEL) or the date of birth - in the case where no PESEL number has been assigned, and the country of birth, the series and number of the person's identity-proving document
    2. Contact Data: address, email address, phone number
    3. Financial Data: bank account details, transaction history
    4. Technical Data: IP address, browser type, operating system
    5. Usage Data: Information about how you use our website or services
    6. KYC/AML Data: documents for identity verification (e.g., passport copies) as required by Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) laws.
    7. Beneficial Owner Data: forename and surname, nationality, the series and number of the person's identity-proving document, address, country of birth, PESEL and if no PESEL, date of birth and country of birth
  2. We collect personal data directly from you, as well as from publicly available sources and third-party service providers as necessary for compliance with legal and regulatory requirements.

V. LEGAL BASIS FOR PROCESSING PERSONAL DATA

  1. We process personal data based on the following legal grounds, in accordance with Article 6 GDPR:
    1. Performance of a Contract: processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR).
    2. Legal Obligations: processing is necessary for compliance with a legal obligation to which the controller is subject, including AML/CTF laws and other regulatory requirements (Article 6(1)(c) GDPR).
    3. Legitimate Interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (Article 6(1)(f) GDPR). Examples include improving our services and ensuring security.
    4. Consent: for specific purposes such as marketing communications, we will obtain your explicit consent (Article 6(1)(a) GDPR). You have the right to withdraw your consent at any time.

VI. PURPOSES OF PROCESSING PERSONAL DATA

  1. We use your personal data for the following purposes:
    1. To verify your identity and comply with AML/CTF obligations.
    2. To process transactions and provide our services.
    3. To communicate with you regarding updates or changes to our services.
    4. To detect and prevent fraud or other illegal activities.
    5. To comply with legal and regulatory obligations.
    6. For statistical analysis and to improve our services.
    7. To provide customer support.

VII. DATA SHARING AND TRANSFER

  1. We may share your data with:
    1. Regulatory authorities such as the Polish Ministry of Finance or General Inspector of Financial Information (GIIF).
    2. Third-party service providers for KYC/AML checks or technical support.
    3. Law enforcement agencies when required by law.
    4. Other obliged institutions as defined in the Act, subject to compliance with professional secrecy and data protection rules.
  2. International Transfers: if we transfer your data outside the European Economic Area (EEA), we ensure it is protected by:
    1. Standard Contractual Clauses approved by the European Commission.
    2. Other appropriate safeguards as required by GDPR.
    3. Transferring to countries deemed by the European Commission to provide an adequate level of protection.

    We will only transfer personal data outside the EEA when it is necessary for the purposes outlined in this Privacy Policy and when appropriate safeguards are in place.

VIII. DATA RETENTION

  1. We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy or as required by law (e.g., AML regulations mandate retaining certain records for at least five years).
  2. Specific retention periods include:
    1. Data related to transactions: 5 years from the date of the transaction.
    2. KYC/AML documentation: 5 years after the termination of the business relationship.
    3. Data processed based on consent: until withdrawal of consent.
  3. Before the expiry of the deadlines indicated in section VIII.1 and 2. of this policy, the GIIF may require COMPOSE FINANCE to keep the documents referred to above for a further period, not exceeding 5 years, starting from the expiry of these deadlines.

IX. CLIENT RIGHTS

  1. Under GDPR, you have the following rights:
    1. Access: request access to your personal data.
    2. Rectification: request correction of inaccurate or incomplete data.
    3. Erasure: request deletion of your data ("right to be forgotten"), subject to legal obligations.
    4. Restriction: request limitation on processing your data.
    5. Portability: receive a copy of your data in a structured format.
    6. Objection: object to processing based on legitimate interests or direct marketing.
    7. Withdraw Consent: withdraw consent at any time where processing is based on consent.
  2. To exercise these rights, contact us at the details provided in section III.2 of this policy. We will respond to your request within one month, unless otherwise required by law.

X. DATA SECURITY MEASURES

  1. We implement technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse, including:
    1. Encryption of sensitive data.
    2. Secure storage systems.
    3. Access controls and authentication mechanisms.
    4. Regular security assessments and audits.
    5. Employee training on data protection.

XI. COOKIES

  1. Our website uses cookies to enhance user experience and analyze traffic patterns.
    1. The cookies we use are classified under the category of site navigation and authentication cookies and expire after 60 minutes (unless sessions are extended due to recent user activity).
    2. The cookies do not store any Personal Data and are hardened with the HttpOnly and Secure attributes.
    3. Browser fingerprinting is used within cookies to prevent cookie theft and re-use on other devices.

XII. COMPLAINTS

  1. If you believe we have violated your privacy rights, you may file a complaint with the President of the Office for Personal Data Protection in Poland (Urząd Ochrony Danych Osobowych).
  2. You may also seek judicial remedy against a legally binding decision of the supervisory authority concerning you.

XIII. UPDATES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in legal requirements or our practices. The latest version will always be available on our website. We will notify you of any material changes to this Privacy Policy.

XIV. EMPLOYEE OBLIGATIONS

Each Compose Finance Employee shall promptly make available to the Data Protection Officer (or designated person) any information and documents that they request for the purpose of performing their duties under this Privacy Policy. The decision as to what information and documents the Data Protection Officer (or designated person) must have access to rests solely with the Data Protection Officer (or designated person).

XV. REVIEW AND UPDATING OF THE PRIVACY POLICY AND CONTROLLING

  1. Reviews of this policy shall be performed regularly by the Data Protection Officer (or designated person) at least once a year or more frequently in the event of:
    1. implementation of significant changes in the process affecting the provisions of this policy;
    2. recommendations received from the Management Board or the person(s) responsible at COMPOSE FINANCE for internal control;
    3. receipt of supervisory recommendations (addressed to COMPOSE FINANCE by the Ministry of Finance, GIIF, UODO or other supervisory authorities);
    4. changes in common law affecting the process of Personal Data Protection.

© 2025 Compose Finance. All rights reserved.
Compose Finance Sp. z o.o. is a limited liability company incorporated in Poland (Company No. 5214081197) with its registered office at 22B Bartycka lok. 21A, 00-716 Warsaw, Republic of Poland. It is registered in the Polish Register on Virtual Currencies Business Activity (Cryptocurrencies Register) under number RDWW – 1471.