As used herein, “Digital Asset” means a digital asset (also called a “cryptocurrency,” “virtual currency,” “digital currency,” or “digital commodity”), such as bitcoin or ether, which is based on the cryptographic protocol of a computer network that may be (i) centralized or decentralized, (ii) closed or open-source, and (iii) used as a medium of exchange and/or store of value.
As used herein, “Personal Information” means any information relating to an identified or identifiable natural person (each, a “Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier or to one or more factors specific to the physical, economic, cultural or social identity of that natural person.
Personal Information We Collect
Section 326 of the USA PATRIOT ACT requires all financial institutions to obtain, verify, and record Personal Information that identifies each person who opens an account. This federal requirement applies to all new customers. This Personal Information is used to assist the United States government in the fight against the funding of terrorism and money-laundering activities. What this means for you: when you open an account, we ask you for your name, address, date of birth, and other identifying Personal Information.
In addition, we are a global company and thus may conduct business and collect Personal Information from individuals and institutions located within the European Economic Area (“EEA”). We are required to protect Personal Information processed in the EEA in accordance with the General Data Protection Regulation (“GDPR”). To understand more about how we protect the data we collect from individuals and institutions located within the EEA, please see the “Privacy Statement for Data Subjects Whose Personal Information May Be Collected in or from the EEA” section below.
Personal Information we collect may include the following:
Individual Customer — We attempt to collect, verify, and authenticate the following:
- Email address;
- Mobile phone number;
- Full legal name;
- Social Security Number (“SSN”) or any comparable identification number issued by a government;
- Date of birth (“DOB”);
- Proof of identity (e.g., driver’s license, passport or government-issued ID);
- Home address (not a mailing address or P.O. Box); and
- Additional Personal Information or documentation at the discretion of our Compliance Team.
Institutional Customer — We attempt to collect, verify, and authenticate the following:
- Institution legal name;
- Employer Identification Number (“EIN”) or any comparable identification number issued by a government;
- Full legal name (of all account signatories and beneficial owners);
- Email address (of all account signatories);
- Mobile phone number (of all account signatories);
- Address (principal place of business and/or other physical location);
- Proof of legal existence (e.g., state certified articles of incorporation or certificate of formation, unexpired government-issued business license, trust instrument, or other comparable legal documents as applicable);
- Contract information of owners, principals, and executive management (as applicable);
- Proof of identity (e.g., driver’s license, passport or government-issued ID) for each individual beneficial owner that owns 10% or more of the institutional customer entity, as well as all account signatories; and
- Personal Information for each entity beneficial owner that owns 10% or more of the institutional customer entity (see the “Individual Customer” section above for details on what Personal Information we collect for individuals).
Device Information – Information that is automatically collected about your device (such as, but not limited to, hardware, operating system, browser, etc.).
Location Information – Information that is automatically collected via analytics systems providers to determine your location, including your IP address and/or domain name and any external page that referred you to us.
Log Information – Information that is generated by your use of Gemini that is automatically collected and stored in our server logs. This may include, but is not limited to, device-specific information, location information, system activity and any internal and external information related to Gemini pages that you visit.
Account Information – Information that is generated by your account activity including, but not limited to, trading activity, order activity, deposits, withdrawals, and account balances.
Correspondence – Information that you provide to us in correspondence, including opening an account, and with respect to ongoing customer support.
You will be allowed to access, review, correct, and ensure the accuracy of the Personal Information you have provided from time to time. We will also do our part to ensure the accuracy of your Personal Information.
Personal Information you provide during the registration process may be retained, even if your registration is left incomplete or abandoned. If you are located within the EEA, your Personal Information will not be retained without your consent.
How We Use and Share Personal Information We Collect
The Personal Information we collect and the practices described above are done in an effort to provide you with the best experience possible, protect you from risks related to improper use and fraud, and help us maintain and improve Gemini.
We may share Personal Information with third-party service providers (including those that may be located outside of the United States or your country), who help us operate our platform and systems, and detect fraud and security threats throughout the normal course of our business. Such third-party service providers are subject to strict confidentiality obligations. In addition, we may be compelled to share Personal Information with law enforcement, government officials, and regulators.
For example, we may use your Personal Information to:
- Provide you with our services, including customer support for Gemini;
- Optimize and enhance our services for all customers or for you specifically;
- Conduct anti-fraud and identity verification and authentication checks (you authorize us to share your Personal Information with our third-party service providers, who may also conduct their own searches of publicly available Personal Information about you);
- Monitor the usage of our services, and conduct automated and manual security checks of our services; and
- Create aggregated and anonymized reporting data about our services.
We do not sell customer Personal Information to third parties for the purposes of marketing.
Be aware that bitcoin, ether, and other Digital Assets are not necessarily truly anonymous. Generally, anyone can see the balance and transaction history of any public Digital Asset address. We, and any others who can match your public Digital Asset address to other Personal Information about you, may be able to identify you from a blockchain transaction. This is because, in some circumstances, Personal Information published on a blockchain (such as your Digital Asset address and IP address) can be correlated with Personal Information that we and others may have. This may be the case even if we, or they, were not involved in the blockchain transaction. Furthermore, by using data analysis techniques on a given blockchain, it may be possible to identify other Personal Information about you. As part of our security, anti-fraud and/or identity verification and authentication checks, we may conduct such analysis to collect and process such Personal Information about you. You agree to allow us to perform such practices and understand that we do so.
No security is foolproof, and the Internet is an insecure medium. We cannot guarantee absolute security, but we work hard to protect Gemini and you from unauthorized access to or unauthorized alteration, disclosure, or destruction of Personal Information we collect and store. Measures we take include encryption of the Gemini website communications with SSL; required two-factor authentication for all sessions; periodic review of our Personal Information collection, storage, and processing practices; and restricted access to your Personal Information on a need-to-know bases for our employees, contractors and agents who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
Accuracy and Retention of Personal Information
We take reasonable and practicable steps to ensure that your Personal Information held by us (i) is accurate with regard to the purposes for which it is to be used, and (ii) is not kept longer than is necessary for the fulfillment of the purpose for which it is to be used, which is when your business relationship with us ends, unless the further retention of your Personal Information is otherwise permitted or required by applicable laws and regulations.
Access, Correction, and Deletion of Personal Information
You have the right to ascertain whether we hold your accurate and current Personal Information, to obtain a copy of your Personal Information that you submitted as permitted by law, and to correct any of your data that is inaccurate. You may also request that we inform you of the type of Personal Information we hold with regard to you, subject to restrictions on our providing copies of certain data pursuant to our obligations under BSA and AML regulations and/or data provided to our legal counsel in defense of a claim against us. You may also request that we delete your Personal Information, subject to the restrictions on data deletion pursuant to relevant data retention and destruction restrictions under applicable laws and regulations, such as those related to the BSA and AML. For data access, correction, or deletion requests, please contact email@example.com.
When handling a data access, correction, or deletion request, we check the identity of the requesting party to ensure that he or she is the person legally entitled to make such request. While we maintain a policy to respond to these requests free of charge, should your request be repetitive or unduly onerous, we reserve the right to charge you a reasonable fee for compliance with your request.
Subject to applicable laws and regulations, we may from time to time send direct marketing materials promoting services, products, facilities, or activities to you using information collected from you. We will provide you with an opportunity to opt-in to such communications and will only send them to you if you consent.
We will not provide your Personal Information to third parties for direct marketing or other unrelated purposes without your written consent.
We cannot agree to obligations of confidentiality or nondisclosure with regard to any unsolicited information you submit to us, regardless of the method or medium chosen. By submitting unsolicited information or materials to us, you or anyone acting on your behalf, agree and understand that any such information or materials will not be considered confidential or proprietary.
We do not provide any facility for sending or receiving private or confidential electronic communications. You should not use Gemini to transmit any communication for which you intend only you and the intended recipient(s) to read. Notice is hereby given that all messages and other content entered using Gemini can and may be read by us, regardless of whether we are the intended recipients of such messages.
Privacy Statement for Data Subjects Whose Personal Information May Be Collected in or from the EEA
While customers who are located in the EEA are customers of our US entity, we recognize and, to the extent applicable to us, adhere to relevant EEA data protection laws.
Collection and Transfer of Data Outside the EEA
As outlined above, we may collect Personal Information from Data Subjects located in the EEA. To facilitate the services we provide to customers located in the EEA, we request explicit consent for the transfer of Personal Information from the EEA to the US. If you are an individual located in the EEA and you decline to consent to such transfer, you will no longer be able to use Gemini and our services. You will have the ability to withdraw Digital Assets and fiat currency; however, all other functionality will be disabled.
Lawful Grounds to Process and Obtain Consent
We process the Personal Information of Data Subjects who are located in the EEA for one or more of several lawful purposes, including:
- With your explicit consent:
- To provide you with Gemini and our services, including customer service support;
- To optimize and enhance Gemini for all customers or for you specifically;
- To comply with legal obligations:
- To conduct anti-fraud and identity verification and authentication checks (you authorize us to share your Personal Information with our third-party service providers, who may also conduct their own searches of publicly available Personal Information about you);
- For our legitimate business purposes:
- To monitor the usage of Gemini, conduct automated and manual security checks of our service, to protect our rights and perform our lawful obligations.
Data Subjects in the EEA may withdraw consent at any time where consent is the lawful basis for processing their Personal Information. Should a Data Subject withdraw consent for processing or otherwise object to processing that impedes our ability to comply with applicable laws and regulations, a Data Subject may be unable to avail him or herself of the services we provide.
We do not engage in automated decision-making.
Non-Disclosure of Personal Information
Our employees are prohibited, either during or after their employment, from disclosing Personal Information to any person or entity outside of our company, including family members, except under the circumstances described above. An employee is only permitted to disclose the Personal Information of a customer to such other employees who need access to such information in order to deliver our services to that customer.
Our Contact Information for Persons Located within the EEA
If you are located in the EEA or Switzerland and have questions or concerns regarding the processing of your Personal Information, you may contact us at: firstname.lastname@example.org; or write to us at: Gemini Trust Company, LLC, 600 Third Avenue, 2nd Floor, New York, NY 10016.
If, as an EEA Citizen, you believe that we have not adequately resolved any such issues, you have the right contact the EU supervisory authority.