Privacy Policy
This Privacy Policy describes how KEYTOM SERVICES ltd. (“Keytom”, “we”, “us” or “our”) collects, uses, discloses and safeguards personal information of natural persons (“you”) who visit www.keytom.com (the “Website”) or use any of the services, interfaces or online offerings made available through the Website (collectively, the “Services”).
KEYTOM SERVICES ltd. is incorporated in the Province of British Columbia, Canada (registration number BC1291639), with its registered office at 210 – 1715 Dickson Ave., Kelowna, BC, Canada V1Y 6G3. Keytom is the organization accountable for the personal information under its control.
This Privacy Policy is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein. It is designed to comply with British Columbia’s Personal Information Protection Act (“BC PIPA”), supplemented by the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Canada’s Anti-Spam Legislation (“CASL”) where applicable.
Consistent with British Columbia’s Personal Information Protection Act, we collect, use and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
Please read this Privacy Policy carefully before creating an account or using the Services. By using the Services you acknowledge that you have read and understood this Privacy Policy. Where the law requires consent, we will obtain it as described below.
1. ACCOUNTABILITY AND PRIVACY OFFICER
Keytom is accountable for personal information in its custody or control, including personal information transferred to third parties for processing. As required by applicable Canadian privacy law, we have designated our Head of Legal as the Privacy Officer responsible for our compliance with this Privacy Policy. You may contact the Head of Legal using the details set out in Section 14.
2. PERSONAL INFORMATION WE COLLECT
We limit the collection of personal information to what is necessary for the purposes identified in this Privacy Policy. The categories of personal information we collect depend on how you interact with the Services.
2.1 Information you provide directly
- Account information: name, email address, password, and other identity and verification information required to open and operate an account.
- Identity verification and AML/KYC information: government-issued identification (such as passport, driver’s licence or other ID), date of birth, nationality, residential address, source of funds and source of wealth information, occupation, tax-residency information, sanctions and politically-exposed-person screening results, and similar information required to comply with anti-money laundering, counter-terrorist financing and “know-your-client” obligations.
- Wallet and transaction information: information about your digital wallet address and the transactions you carry out through the Services. We never ask for, and never collect, your private keys.
- Communications: the content of messages you send to us, including support requests, survey responses and feedback.
- Interactive features: any information you submit through community channels, chat features or social-media pages we operate. Information posted in public sections of these features is not subject to the confidentiality protections of this Policy.
- Promotional activities: information you provide when you participate in surveys, contests, sweepstakes, conferences, trade shows or business-development activities.
2.2 Information collected automatically
When you use the Services we may automatically collect: IP address, device and browser identifiers, MAC address, mobile carrier, approximate location derived from IP address, user settings, the pages you visit and links you click, and the frequency and duration of your activity. We collect this information using cookies, pixel tags, web beacons, local storage and similar technologies (“Technologies”).
2.3 Information from third parties
We may receive information about you from third-party sources where you have authorized them to share it, such as identity-verification providers, anti-fraud and sanctions-screening providers, payment processors, analytics providers, and third-party login or social-networking services.
3. PURPOSES FOR WHICH WE USE PERSONAL INFORMATION
In accordance with PIPEDA’s identifying-purposes principle, we use personal information only for the following purposes:
- To provide, operate and maintain the Services and to perform our contract with you.
- To verify your identity, conduct customer due diligence and prevent fraud, deception and other unlawful activities.
- To comply with our legal and regulatory obligations, including those relating to anti-money laundering, counter-terrorist financing, sanctions, tax reporting and record-keeping.
- To secure the Website, our systems and your account, and to detect and respond to security incidents.
- To respond to your questions, complaints and support requests.
- To understand how the Services are used and to develop, improve and personalize the Services.
- To send service communications and, where you have consented (or where CASL otherwise permits), commercial electronic messages about our products and services.
- For any other purpose disclosed to you at the time of collection or for which you give your consent.
If we propose to use personal information for a new purpose that is not listed here, we will identify that purpose and, where required by law, obtain your consent before doing so.
4. LEGAL BASIS AND CONSENT
Under Canadian privacy law, your knowledge and consent are generally required for the collection, use and disclosure of your personal information. Consent may be express or implied, depending on the sensitivity of the information and the reasonable expectations of the individual. Sensitive information will only be processed with your express consent.
In certain circumstances permitted or required by the Personal Information Protection Act (British Columbia) and other applicable law, we may collect, use or disclose personal information without consent — for example, where it is necessary to comply with a legal or regulatory obligation, to investigate or prevent fraud, or where the information is publicly available as defined by law.
You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. If you withdraw consent, we may no longer be able to provide you with certain Services, and we will inform you of the consequences of withdrawal. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
5. COMMERCIAL ELECTRONIC MESSAGES (CASL)
We will only send you commercial electronic messages (such as marketing emails) where you have given express or implied consent in accordance with CASL. Every commercial electronic message we send will identify us, provide our contact information, and include a functional unsubscribe mechanism that will be honoured within 10 business days. You may also withdraw consent at any time by contacting our Privacy Officer.
6. DISCLOSURE OF PERSONAL INFORMATION
We do not sell, rent or trade your personal information. We may disclose personal information to:
- Service providers and processors that perform services on our behalf (such as cloud hosting, identity verification, fraud prevention, analytics, customer support and communications), under written contracts that require them to protect the information and use it only for the purposes we specify.
- Professional advisors, including lawyers, accountants and auditors.
- Law-enforcement agencies, regulators, courts and other public authorities, where required or permitted by law, including in response to a lawful subpoena, warrant, court order, or other legal process.
- Parties to a proposed or completed business transaction (such as a merger, acquisition, financing or sale of assets), subject to safeguards required by applicable law.
- Other parties with your consent or at your direction.
7. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
Personal information may be processed and stored in Canada or in other countries where we or our service providers operate. When personal information is transferred outside Canada, it may be subject to the laws of those jurisdictions, including lawful access requests by foreign courts, governments and law-enforcement agencies.
We ensure that personal information transferred to service providers, including those located outside Canada, is protected by contractual and organizational safeguards that provide a comparable level of protection, as required under applicable Canadian law.
8. SAFEGUARDS
We protect personal information using physical, organizational and technological safeguards appropriate to the sensitivity of the information, including access controls, encryption in transit, secure storage, employee confidentiality obligations, and ongoing monitoring. Despite these safeguards, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security.
In the event of a security incident affecting personal information under our control, we will assess the incident through our internal response procedures, take prompt action to contain and remediate it, and notify affected individuals and relevant regulators where required by applicable law. We maintain records of security incidents in accordance with applicable legal requirements.
9. RETENTION
We retain personal information only for as long as is necessary to fulfill the identified purposes and to meet our legal, regulatory and accounting obligations (including, in particular, record-keeping obligations under anti-money laundering and counter-terrorist financing legislation).
For greater clarity, we do not retain personal information longer than necessary. However, certain records, including identity-verification, AML/KYC, sanctions-screening and transaction records, may be subject to mandatory statutory retention periods even after an account is closed or the business relationship has ended. During such retention periods, we may be unable to delete or anonymize those records, even if a deletion request is made.
Where we have used personal information to make a decision that directly affects an individual, we retain that information for at least one year after the decision is made, as required under applicable law, so that the individual has a reasonable opportunity to obtain access to it. When personal information is no longer needed, we securely destroy, erase or anonymize it.
10. YOUR RIGHTS
Subject to applicable law, you have the following rights with respect to your personal information:
- Access: to be informed of the existence, use and disclosure of your personal information and to obtain access to that information.
- Correction: to challenge the accuracy and completeness of your personal information and have it amended where appropriate.
- Withdrawal of consent: to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
- Complaint: to challenge our compliance with applicable Canadian privacy laws by contacting our Head of Legal.
To exercise any of these rights, please contact our Head of Legal using the details in Section 14. We will respond to your request within 30 days, or within any extended period permitted under applicable law. We may need to verify your identity before acting on your request. If we refuse a request, we will explain the reasons in writing and inform you of your right to file a complaint with the Office of the Information and Privacy Commissioner for British Columbia or the Office of the Privacy Commissioner of Canada.
11. AUTOMATED DECISION-MAKING AND PROFILING
We may use automated tools to detect fraud, screen for sanctions and assess risk. Where required by applicable law, if we make a decision based exclusively on automated processing of personal information that significantly affects you, we will inform you of that fact and provide the information and review rights required under applicable law.
12. COOKIES AND TRACKING TECHNOLOGIES
We use the following categories of cookies and similar Technologies on the Website:
- Strictly necessary cookies — required for the operation of the Website and the Services (for example, to authenticate you, maintain your session, and enable security features). These cannot be disabled.
- Analytics and performance cookies — help us understand how visitors interact with the Website so that we can improve it. These may be provided by third-party analytics providers such as Google Analytics.
- Functionality cookies — remember your preferences (such as language or region) so that the Website behaves consistently for you.
- Targeting and advertising cookies — used by us or by third-party advertising partners to deliver content that may be relevant to you and to measure the effectiveness of advertising campaigns. These may involve sharing limited information with third parties.
Where consent is required by law, we obtain it through our cookie banner before non-essential Technologies are activated. You can block or delete cookies through your browser settings or through our cookie preference tool; however, certain features of the Services may not function correctly if you do so. We do not respond to “Do Not Track” browser signals at this time.
13. CHILDREN
The Services are not directed to minors and we do not knowingly collect personal information from them. We do not open accounts for any individual who is not entitled to use the Services under applicable law and our onboarding rules. Where relevant, we assess an individual’s capacity to provide meaningful consent in accordance with applicable law. If we learn that we have collected personal information from a minor without the appropriate consent, we will promptly delete it. Parents or guardians who believe that their child has provided personal information to us may contact our Head of Legal.
14. CONTACT AND COMPLAINTS
If you have any questions, concerns or complaints about this Privacy Policy or our handling of your personal information, please contact our Head of Legal, who acts as our Privacy Officer:
KEYTOM SERVICES ltd. — Head of Legal (Privacy Officer)
210 – 1715 Dickson Ave., Kelowna, BC, Canada V1Y 6G3
Email: [email protected]
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Information and Privacy Commissioner for British Columbia (www.oipc.bc.ca) or the Office of the Privacy Commissioner of Canada (www.priv.gc.ca).
15. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. The updated version will be posted on the Website with a revised “Last updated” date. Where the changes are material, we will provide additional notice as required by law. Your continued use of the Services after the effective date of an updated Privacy Policy constitutes your acknowledgement of the updated Policy.
16. GOVERNING LAW AND JURISDICTION
This Privacy Policy is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein. The courts of British Columbia have exclusive jurisdiction over any dispute arising out of or relating to this Privacy Policy, subject to any mandatory rights you may have under the privacy laws of your province of residence.