1. The Scope of this Privacy Notice
Carabaas is a business-to-business product. Our customers are companies, partnerships, institutions and other legal entities, not individuals acting in a personal or consumer capacity.
This Privacy Notice explains how CEX.IO Ltd. trading as Carabaas processes personal data as controller in connection with the Carabaas website, business development activities, demo and onboarding processes, customer relationship management, account administration, billing, support coordination, service security, legal compliance and other controller-side business activities. It applies to individuals who act for, are employed by, represent, administer, use or communicate with us on behalf of customers, prospective customers, partners, suppliers or other business counterparties.
Where Carabaas processes personal data through the Services solely on behalf of a business customer and in accordance with that customer’s documented instructions, Carabaas acts as processor. That processing is governed by the applicable customer agreement and Carabaas data processing addendum. The relevant customer is responsible for providing any required privacy notice to its own personnel, representatives, clients and other individuals. This Privacy Notice does not replace any privacy notice that the relevant customer is required to provide.
2. Definitions
In this Privacy Notice:
Authorised User means an individual authorised by a Customer to access or use the Services on that Customer’s behalf, including administrators, approvers, operators, security officers, viewers, API users and other platform users.
Business Contact means an individual who acts for, represents, is employed by, administers, uses or communicates with us on behalf of a Customer, prospective customer, partner, supplier, adviser or other business counterparty.
Customer means a company, partnership, institution or other legal entity that enters into, evaluates, uses or receives access to the Services. Carabaas does not provide the Services to individuals acting in a personal or consumer capacity.
Customer Personal Data means personal data that Carabaas processes as processor on behalf of a Customer through the Services.
Customer Representative means a Business Contact who acts for or on behalf of a Customer or prospective customer, including an Authorised User, administrator, approver, operator, security officer, signatory, billing contact, technical contact, support contact or other representative.
Data Processing Addendum or DPA means the Carabaas data processing addendum that governs Carabaas’s processing of Customer Personal Data as processor on behalf of a Customer.
Personal data means any information relating to an identified or identifiable natural person. Information relating only to a legal entity, such as a company name, company registration number, registered office address or general corporate billing information, is not personal data unless it is linked to an identified or identifiable natural person.
Services means the Carabaas self-custody SaaS platform and related blockchain connectivity, infrastructure, web interface, API, webhook, reporting, support, maintenance, security and service-administration functionality provided to business customers.
The terms controller, processor, data subject, processing and special category data have the meanings given to them under applicable data protection law.
Information relating only to a legal entity, such as a company name, company registration number, registered office, corporate billing details or general business information, is not personal data unless it also relates to an identified or identifiable natural person.
3. Who We Are
3.1 Controller. CEX.IO Ltd., a company incorporated and registered in England and Wales with company number 08757996 and registered office at 78-79 Pall Mall, London, England, SW1Y 5ES, trading as Carabaas, is the controller of personal data processed for the controller-side purposes described in this Privacy Notice.
3.2 Contact. You may contact us about this Privacy Notice or about the exercise of data protection rights using the following details:
Email: [email protected]
Postal address: CEX.IO Ltd., 78-79 Pall Mall, London, England, SW1Y 5ES
4. International Scope and Applicable Privacy Laws
4.1 CEX.IO Ltd. is established in the United Kingdom. We process personal data covered by this Privacy Notice in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018.
4.2 This Privacy Notice may apply to Customer Representatives, Business Contacts, website visitors and other individuals located in different jurisdictions. Where you are located outside the United Kingdom, additional privacy or data protection laws may also apply to our processing, including the EU General Data Protection Regulation, Swiss data protection law or other local privacy laws. We will comply with such laws to the extent they apply to our processing.
4.3 Nothing in this Privacy Notice is intended to limit any mandatory privacy rights you may have under applicable law. Where local privacy law gives you additional rights, those rights apply in addition to the rights described in this Privacy Notice.
5. Personal data we collect
5.1 The personal data we process depends on your role, the organisation you represent and how you interact with Carabaas. Carabaas is a business-to-business product. We process personal data relating to individuals who act for, represent, administer, use or communicate with us on behalf of corporate customers, prospective customers, partners, suppliers or other business counterparties.
5.2 We group the personal data covered by this Privacy Notice into the following categories:
| Category | Examples of data | How we collect it |
|---|---|---|
| Commercial Relationship Data | Name, business email address, business telephone number, employer or organisation, department, role, job title, business location, demo or onboarding enquiry details, meeting records, CRM notes, support communications, contract correspondence, signatory details, marketing preferences, compliance-screening outputs where applicable, dispute records and legal correspondence. | Directly from you; from the organisation you represent; from other representatives of that organisation; from public business sources such as company websites, public registers and professional profiles; and from third-party business sources such as event organisers, referral partners, CRM or sales-enablement providers, advisers, regulators, courts or law-enforcement authorities. |
| Payment and Billing Data | Billing contact details, billing address, invoice communications, purchase order information, payment-administration records, subscription plan information, billing history, tax-related correspondence, accounting records, payer details, VAT/GST or other tax details, payment processor identifiers, transaction references, payment status, failed payment records, refund or credit records, and chargeback or payment dispute records. We do not intentionally collect full payment card details where these are collected directly by payment processors. | Directly from you; from the organisation you represent; from billing, payment, subscription-management or invoicing providers; from payment processors; from banks or financial institutions involved in payment processing; and from internal finance, subscription-administration and reconciliation records. |
| Device Data | IP address, approximate location derived from IP address, device identifiers, browser type and version, operating system, language settings, time zone, referral URLs, page interaction data, cookie identifiers, consent preferences, analytics identifiers, campaign identifiers, authentication data, session records, login events, access logs, API logs, audit logs, security logs, telemetry, error reports and diagnostic data. | Automatically when you visit the website, interact with our online materials or communications, access an account, use Customer-authorised access to the Services, or where logs, cookies, analytics, authentication records, audit records, security records or service-event records are generated. |
| Blockchain Data | Blockchain addresses, wallet addresses, public keys, transaction hashes, network identifiers, transaction amounts, timestamps, fee data, token or network metadata, transaction status, address-book entries, whitelisting records, transaction references, approval metadata, signature metadata, transaction workflow metadata and audit-trail data. | From Customer-authorised use of the Services, transaction workflows, Customer configurations, Authorised User activity, support interactions and public blockchain networks. Public blockchain networks are not owned or controlled by Carabaas. |
5.3 Information relating only to a legal entity, such as a company name, company registration number, registered office address or general corporate billing information, is not personal data unless it is linked to an identified or identifiable natural person.
5.4 Where we collect personal data directly from you, we provide privacy information at or before the point of collection, including through this Privacy Notice, website notices, forms, cookie notices, onboarding materials or direct communications.
5.5 Where we obtain personal data from another source, including the organisation you represent, public business sources or third-party business sources, we provide privacy information within the period required by applicable law, including by making this Privacy Notice available and, where appropriate, by referring to it in our first communication with you.
5.6 Providing personal data is generally not a statutory requirement. However, some information may be necessary for us to respond to an enquiry, assess or administer a business relationship, provide account access, manage billing, provide support, protect the Services, comply with law, or maintain security and audit records. If relevant information is not provided, we may be unable to proceed with the relevant enquiry, relationship, account access, support request or other interaction.
5.7 Public blockchain networks are decentralised, public and potentially immutable systems. Once data is recorded on a public blockchain, it may be difficult or impossible to delete, modify or restrict at the protocol level. Where Blockchain Data is processed through the Services on behalf of a Customer, that Customer is responsible for determining the lawful basis for that processing, providing any required privacy notices and responding to data subject requests relating to that processing.
6. Cookies and similar technologies
We use cookies, local storage and similar technologies on our website and relevant web-based interfaces. These technologies may collect Device Data, such as cookie identifiers, consent preferences, IP address, browser and device information, page interaction data and analytics information. Information collected through cookies and similar technologies is described further in the Carabaas Cookie Policy.
7. How we use personal data and our lawful bases
We process personal data only where we have a lawful basis under applicable data protection law. The lawful basis will depend on the category of personal data, the purpose of processing and the context in which the personal data is used.
| Purpose | Category of personal data | Examples of data used | Lawful basis |
|---|---|---|---|
| Responding to demo requests, sales enquiries, sandbox requests, onboarding enquiries, meeting requests and other business communications. | Commercial Relationship Data; Device Data where relevant | Identity and business contact details, enquiry data, use-case information, meeting records and communications, referral URLs, campaign identifiers and website interaction data where relevant. | Legitimate interests in responding to business enquiries and developing B2B customer relationships; consent where required for a specific communication channel; contract-related processing where relevant to pre-contractual or customer-relationship administration. |
| Managing relationships with Customers, prospective customers, partners, suppliers, advisers and other business counterparties. | Commercial Relationship Data | Business contact details, role/job title, employer or organisation, CRM notes, communication history and meeting notes. | Legitimate interests in managing B2B relationships, administering commercial communications and operating our business. |
| Negotiating, entering into and administering customer agreements, order forms and commercial arrangements. | Commercial Relationship Data; Payment and Billing Data where relevant | Contract correspondence, signatory details, business contact details, employer or organisation name, role, purchase order details and commercial communications. | Legitimate interests in negotiating and administering business contracts; legal obligation where records are required by law. |
| Creating and administering Customer accounts and representative access. | Commercial Relationship Data; Device Data | Authorised User details, role and permission data, account identifiers, authentication metadata, access records, account activity logs and API access logs. | Legitimate interest in creating and administering Customer accounts, managing authorised representative access, maintaining access controls and providing secure B2B services; contract, where processing is necessary to provide account access or related administration; legal obligation, where access records or security records are required to be retained by law. |
| Providing support, service communications and incident communications. | Commercial Relationship Data; Device Data; Blockchain Data where relevant to the support request | Contact details, support tickets, troubleshooting data, incident communications, service-administration records, logs, transaction references and technical evidence voluntarily provided for support. | Legitimate interest in providing support, resolving technical issues, maintaining service reliability and communicating with Customers about the Services; contract, where processing is necessary to provide support or related communications under a contract; legal obligation where providing support or communication is required by law. |
| Billing, invoicing, payment administration, subscription administration, finance, accounting and tax. | Commercial Relationship Data; Payment and Billing Data | Billing contact details, billing address, invoice communications, purchase order information, payment-administration records, subscription plan information, billing history, tax-related correspondence, accounting records, payer details, VAT/GST or other tax details, payment processor identifiers, transaction references, payment status, failed payment records, refund or credit records and chargeback or payment dispute records. | Legitimate interest in managing billing, subscription administration, finance operations and customer administration; legal obligation, where processing is necessary for accounting, tax or statutory record-keeping requirements. |
| Operating, maintaining and improving the website and Services. | Device Data; Commercial Relationship Data where relevant | IP address, approximate location derived from IP address, device identifiers, browser type and version, operating system, language settings, time zone, referral URLs, page interaction data, analytics identifiers, telemetry, error reports, diagnostic data, access logs and service-event records. | Legitimate interests in operating, maintaining, improving and securing the website and Services, monitoring performance, resolving technical issues and improving reliability; consent, where required for non-essential cookies, analytics or similar technologies. |
| Authenticating access and administering sessions. | Device Data; Commercial Relationship Data | User identifiers, account identifiers, authentication data, session records, login events, IP address, device information, access logs, API logs, audit logs and security logs. | Legitimate interests in authenticating users, maintaining secure sessions, preventing unauthorised access and protecting the website and Services; legal obligation, where authentication, access or security records are required to be retained by law. |
| Detecting, preventing and investigating fraud, abuse, misuse, unauthorised access, security incidents and technical issues. | Device Data; Commercial Relationship Data; Payment and Billing Data where relevant; Blockchain Data where relevant. | IP address, approximate location derived from IP address, device and browser metadata, authentication records, failed login attempts, access logs, audit logs, security logs, configuration changes, incident records, support communications, payment status, chargeback or payment dispute records, transaction references, blockchain addresses and transaction hashes. | Legitimate interests in protecting the website, Services, systems, Customers and users against fraud, abuse, misuse, unauthorised access, technical issues and security threats; legal obligation, where processing is necessary to comply with applicable security, fraud-prevention, sanctions, regulatory or law-enforcement obligations. |
| Managing cookies, analytics, campaign measurement and website functionality. | Device Data; Commercial Relationship Data where relevant. | Cookie identifiers, consent preferences, analytics identifiers, campaign identifiers, IP address, device and browser information, page interaction data, referral URLs, campaign source data and analytics events. | Consent, where required for non-essential cookies, analytics or similar technologies; legitimate interests in operating strictly necessary technologies, recording cookie choices, maintaining website security and providing requested website functionality. |
| B2B marketing, event participation and relationship development. | Commercial Relationship Data; Device Data where relevant. | Name, business email address, business telephone number, employer or organisation name, department, role, job title, business location, event registration details, marketing preferences, CRM notes, communication history, campaign identifiers and engagement records. | Legitimate interests in sending relevant B2B communications, developing business relationships and promoting Carabaas to business contacts; consent, where required for a particular communication channel or recipient type; legal obligation or legitimate interests in maintaining suppression and opt-out records. |
| Supporting Customer-authorised blockchain transaction workflows and related service functionality. | Blockchain Data; Device Data; Commercial Relationship Data where relevant. | Blockchain addresses, wallet addresses, public keys, transaction hashes, network identifiers, transaction amounts, timestamps, fee data, token or network metadata, transaction status, transaction references, approval metadata, signature metadata, transaction workflow metadata, audit-trail data, authorised user identifiers and access logs. | Legitimate interests in supporting, securing and administering Customer-authorised blockchain workflows and related service functionality. |
| Administering transaction requests, approval workflows, approval rules, access permissions, and audit trails. | Blockchain Data; Device Data; Commercial Relationship Data where relevant. | Authorised user identifiers, roles and permissions, approval metadata, signature metadata, policy settings, public keys, transaction references, transaction hashes, timestamps, audit logs, API logs, security logs and configuration records. | Legitimate interests in administering, securing and evidencing transaction workflows, approvals, access permissions, transaction-control settings and audit trails. |
| Legal, regulatory, sanctions, compliance, audit and dispute-management activities. | Commercial Relationship Data; Payment and Billing Data; Device Data; Blockchain Data where relevant. | Business contact details, signatory details, contract records, compliance-screening outputs where applicable, sanctions or risk-screening results, audit records, billing records, dispute records, legal correspondence, incident records, access logs, API logs, security logs, transaction references and blockchain transaction data where relevant. | Legal obligation, where processing is necessary to comply with applicable laws, regulatory requirements, tax or accounting obligations, sanctions obligations, court orders or lawful requests; legitimate interests in managing legal risk, conducting audits, preventing fraud, resolving disputes, enforcing rights and protecting the business. |
| Corporate transactions and business administration. | Commercial Relationship Data; Payment and Billing Data; Device Data where relevant. | Customer and supplier contact details, contract records, billing records, account records, support history, corporate transaction due diligence records, corporate correspondence, audit records and legal documentation. | Legitimate interests in administering our business and evaluating, preparing for, carrying out and completing a corporate transaction, reorganisation, financing, investment, merger, acquisition, sale of assets or similar event; legal obligation, where disclosure, assessment or retention is required by law. |
8. Controller and processor roles
Carabaas acts as controller for the personal data covered by this Privacy Notice.
Carabaas acts as a processor where it processes personal data through the Services on behalf of a business customer in accordance with that customer’s documented instructions. In those circumstances:
(a) the relevant business customer is responsible for the lawful basis for processing and for any required privacy notices;
(b) the relevant business customer is generally responsible for responding to data subject requests relating to personal data processed through the Services on its behalf; and
(c) our processing is governed by the Carabaas Data Processing Addendum and the relevant customer agreement.
9. Disclosure of personal data
9.1 We may disclose personal data, where appropriate and lawful, to the following categories of recipients:
(a) our personnel and contractors who need access for their roles;
(b) group companies and affiliated entities where necessary for internal administration or service delivery;
(c) hosting, cloud infrastructure, communications, email delivery, CRM, payment processing, billing, invoicing, customer support, security, fraud prevention, cookie-consent management and other service providers acting on our behalf;
(d) professional advisers, auditors and insurers;
(e) competent regulators, courts, law-enforcement bodies and public authorities; and
(f) any person to whom disclosure is required or permitted by law, or is reasonably necessary in connection with a corporate transaction, reorganisation, financing, merger, sale of assets or similar event.
9.2 Our service providers are authorised to process personal data only as necessary to provide services to us, comply with law or perform their contractual obligations.
9.3 Where Carabaas processes personal data as a processor on behalf of a Customer, disclosures to sub-processors are governed by the applicable customer agreement and data processing addendum.
10. Children
The website and Services are intended for business use only and are not directed to children.
If you believe that a child has provided personal data to us, please contact us and we will take appropriate steps to investigate and, where applicable, delete that information.
11. International transfers
We are established in the United Kingdom and may process personal data in the United Kingdom, the European Economic Area, Switzerland, the United States and other countries where we, our group companies or our service providers operate.
We may transfer personal data outside the United Kingdom, the EEA or Switzerland where this is necessary for the activities described in this Privacy Notice, including website operation, account administration, billing, support, security and related business operations.
Where we make a restricted transfer of personal data in our capacity as controller, we will do so only where a valid transfer mechanism is available under applicable data protection law. Depending on the circumstances, this may include:
(a) an adequacy decision or, in the case of UK restricted transfers, adequacy regulations; or
(b) the European Commission’s Standard Contractual Clauses, together with the UK Addendum or Swiss-specific amendments, or the UK International Data Transfer Agreement, where applicable; or
(c) another lawful safeguard or transfer mechanism recognised under applicable data protection law; or
(d) in limited cases, a derogation or other exception permitted under applicable data protection law.
Where we process personal data through the Services on behalf of a business customer, any international transfers are governed by the applicable customer agreement and the Carabaas Data Processing Addendum.
12. Data retention
We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Notice, including for contractual, legal, accounting, security and operational purposes.
Retention periods may vary depending on the type of personal data and the reason for processing. By way of example:
(a) account, billing, support and business records may be retained for the duration of the customer relationship and for a reasonable period afterwards;
(b) security, audit and operational records may be retained for at least five (5) years, or longer where necessary for legal compliance, fraud prevention, dispute resolution, security or evidential purposes; and
(c) where we process Customer Personal Data on behalf of a customer through the Services, deletion or return is governed by the applicable customer agreement and the Carabaas Data Processing Addendum, subject to backup cycles and legal retention obligations.
13. Security
We implement technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.
Our security measures are designed to maintain the confidentiality, integrity and availability of personal data. Depending on the relevant system and use case, these measures may include access controls, logging and monitoring, encryption in transit, service hardening, denial-of-service protections, webhook signature verification, customer-configurable security controls, and hardened or hardware-isolated execution environments where applicable to the relevant deployment model.
No method of transmission or storage is completely secure. We therefore cannot guarantee absolute security, but we maintain measures appropriate to the nature of the Services and the risks involved.
Carabaas provides self-custody infrastructure based on multi-party computation. By design, Carabaas does not hold or reconstruct complete private cryptographic keys and does not have unilateral ability to access, freeze or move customer digital assets.
14. Your rights
Where applicable under data protection law, you may have the right to:
(a) request access to personal data we hold about you;
(b) request rectification of inaccurate or incomplete personal data;
(c) request erasure of personal data;
(d) request restriction of processing;
(e) object to processing carried out on the basis of legitimate interests;
(f) request portability of personal data you have provided to us, where applicable; and
(g) withdraw consent where processing is based on consent.
These rights may be subject to conditions, exceptions or limitations under applicable law. We may need to verify your identity and your authority to act before responding to a request.
If we process personal data through the Services on behalf of a business customer, you should usually direct your request to the relevant customer first. We will assist our customers in accordance with our contractual obligations.
Please note that public blockchain networks may be immutable and may make it difficult or, in some cases, impossible to modify or delete data once it has been recorded on-chain. Where personal data is recorded on a public blockchain, requests relating to rectification, erasure or restriction may not be capable of being fully implemented in respect of the on-chain record itself, although they may still be addressed in relation to off-chain data or other related processing where applicable.
15. Your right to complain
If you have a concern about how we handle your personal data, you may contact us using the contact details provided in section 3.2 of this Privacy Notice, so that we can review and address your concern.
If you are not satisfied with our response, you may lodge a complaint with the Information Commissioner’s Office in the United Kingdom or, where applicable, with your local supervisory authority in the EEA or Switzerland.
16. Automated decision-making
Carabaas does not use personal data covered by this Privacy Notice to make decisions based solely on automated processing, including profiling, that produce legal effects concerning an individual or similarly significantly affect an individual.
We may use automated tools and technical controls to support the operation, security and administration of our website and Services, including authentication, session management, fraud and abuse prevention, service monitoring, analytics, logging, alerting and customer-configured transaction workflows. These tools are used to support service operation and security, and do not involve Carabaas making solely automated decisions about individuals with legal or similarly significant effects.
17. Marketing communications
Where permitted by applicable law, we may send marketing or promotional communications to business contacts, including representatives of customers, prospective customers, partners and other business counterparties. Where we send you marketing or promotional communications, you may opt out at any time by using the unsubscribe link included in the communication or by contacting us using the details set out in section 3.2 of this Privacy Notice. We will respect your marketing preferences and may maintain suppression records where necessary to ensure that we do not send further marketing communications after you have opted out.
If you opt out of marketing communications, we may still send you service-related, transactional, legal, security or administrative communications where necessary.
18. Third-party websites and services
Our website or Services may link to, integrate with, or make available third-party websites, applications, products or services that are not owned or controlled by us. We are not responsible for the privacy practices, content or security of those third-party services. You should review the relevant privacy notices of those third parties before providing personal data to them.
19. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. Where we make material changes, we will post the updated version on our website and update the “Last Updated” date above. Where required by law, we will also take additional steps to notify you.