Bullish (GI) Limited and its affiliates (collectively, “Bullish”, “we”, “us” or “our”) are committed to protecting the privacy of your personal information. This Privacy Notice explains how we demonstrate this commitment, including:
(a) the types of information we collect through your use of our products and services including our exchange software and mobile applications, and your navigation of our websites;
(b) the manner in which we use and share the information, and why;
(c) the circumstances in which your information may be transferred to another country;
(d) the rights you may have under relevant privacy or data protection laws;
(e) cookies that we use or used by our service providers; and
(f) whom you can reach out to regarding this Privacy Notice.
Where a law or regulation in the applicable jurisdiction, for example, the EU General Data Protection Regulation (GDPR), requires us to provide you with a notice or other explanation of the information about you that we collect and process or similar, this Privacy Notice is intended to fulfil this obligation.
This Privacy Notice applies to your use of, access to, or participation in any of the following sources (collectively, our “Data Sources”):
(ii )any Bullish website (URL: www.bullish.com) or subdomain regardless of the medium in which the Websites are accessed by a user (e.g., via a web or mobile browser) (the “Websites”);
(iii) any Bullish mobile application, regardless of which medium or operating system on which an App is accessed by a user (the “Apps”);
(iv) any events hosted by us, whether such events are open to the public or by invitation (collectively the “Events”); and
(v) subsections of social media platforms controlled by us.
Personal Data We Process
We process the Personal Data we collect about you when you use, gain access to, or participate in our Data Sources. For example, we may collect Personal Data from you when you sign up for a marketing newsletter, when we onboard you as a client, or when you apply for a job with us. In this Privacy Notice, “Personal Data” means any information relating to an identified or identifiable natural person as may be collected or processed by us in connection with the Data Sources and includes “Personal Data” as defined in the EU General Data Protection Regulation 2016/679 (“GDPR”) or other applicable laws. As set out in the section below, we may process the following categories of Personal Data:
- Contact Information, including your first and last name, mailing address, email address, telephone number, mailing preference and other contact information you may provide when communicating with us through our Data Sources.
- Communication Information, which means the contents of the communications and correspondence between us, whether by email, an EOSIO blockchain, social media, or otherwise through one of our Services, through your submission of an online form, or when you otherwise contact us, as well as your communications preferences, such as for marketing purposes.
- Account Information, which means your Contact Information provided to us when creating an account as well as your username, user identification number, and account number.
- Other Identifying Information, which means things like your IP address, cookie information, device name and device ID, MAC address, GUID, coarse location, and fine location.
- Application Security Information, which means your passwords, two-factor authentication software or key pairs, security questions (including the answers to the said questions), and security device identification number.
- Service Use Information, which means the information that you provide to us when you use our Services, such as information you may upload or generate when using our Services or communicating with us about our Services.
We collect Personal Data through:
- Your use of or participation in our Data Sources.
- A third party’s use of our Data Sources relating to you, for example where a third party may manage a Service or Event on our behalf.
- Direct or unsolicited interactions, such as when you voluntarily provide your information to us by contacting us, submitting requests and comments, subscribing to our newsletters, submitting job applications, or otherwise engaging with us through our Data Sources.
- Indirectly, such as through public or media websites or government websites when conducting user identity verifications and reviews.
We also collect other types of statistical information in aggregate form (either on an anonymized or pseudonymized basis depending on the use) when you use our Data Sources.
How We Use Your Personal Data
The following table outlines how and why we use your Personal Data:
|Activity||Categories of Personal Data||Purpose of Processing||Lawful Basis|
|Providing Services||Account Information, Application Security Information, Communications Information, Contact Information, Other Identifying Information, Service Use Information||Enable you to use our Services, manage your preferences, manage our Services including in accordance with your instructions, administer and troubleshoot our platforms, develop new and improve existing Services, detect abuse, fraud, and illegal activity on our platforms, enforce our Service terms and conditions||Performance of a Contract|
Legitimate Interest: Providing our Services and improving our Services and user experience
|Providing support for our Services||Account Information, Communications Information, Contact Information||Answer your queries, resolve matters with accounts, and otherwise provide general support related to our Services||Legitimate Interest:|
Respond, investigate, and resolve user queries
|Downloading Apps||Other Identifying, Information||Enabling the download of Apps to access our Services||Performance of a contract|
|User application and account creation process||Account Information, Contact Information, Other Identifying Information, Application Security Information||Enabling users to create accounts required to access and participate in our Services||Performance of a contract Legitimate Interest:|
Verify and screen individuals in order to protect against fraud and comply with our legal and regulatory obligations
|Compliance with laws and regulations and protection of company interests||Account Information, Application Security Information, Other Identifying Information, Service Use Information||Verify accounts and activity, including processing personal data for identity verification purposes (where required, such as for the distribution of prizes), protect the business from fraud, money laundering, breach of confidence, theft of proprietary materials and other financial or business crimes||Legal Obligation Legitimate Interest:|
Complying with laws in the jurisdictions where we are subject to them, protecting the Services, protection of our business interests, and protection of data
|Obtain professional advice and manage business risk||Account Information, Contact Information, Communication Information, Other Identifying Information||Work with tax, legal, audit, and other professional firms to obtain advice||Legitimate Interest:|
obtain professional advice from consulting, tax, legal audit or other professional firms for the proper protection or functioning of our business
|Security and investigations||Account Information, Application Security Information, Other Identifying Information, Service Use Information||Operate, administer, secure, and improve the safety and security operations of our Services, detect spam, prevent harmful or illegal conduct, investigate suspicious activity in breach of terms of Service, administer policies and rules applicable to the Service||Legitimate Interest:|
Security of the Services, protection of our business interests, and protection of data
|Events and webinars||Contact Information, Communications Information||Facilitate Event registration, plan and execute Events, and share pre- and post-Event information with registrants and interested individuals||Performance of a Contract Legitimate Interest:|
Planning and executing Events, administering Event attendance, and distributing Event information
|Marketing and surveys||Contact Information, Communications Information, Service Use Information||Provide you with relevant information about our Services and Events, send surveys, and send information that may be of interest to you based on your preferences||Consent|
|Website traffic||Other Identifying||Understand how||Legitimate|
|Analysis and usage analytics||Information, Service Use Information||users interact with our Websites, analyze Website traffic and usage, to improve our Websites and our offerings||Interest: |
Understanding user behavior and preferences on our Websites to improve our Websites and user experience
|Engaging with you on social media||Contact Information, Communications Information, Other Identifying Information||Engaging with you on social media, including on subsections of social media platforms controlled by us||Legitimate Interest: |
Understanding how you engage with us on social media, engaging users through social media platforms, and improving our social media activities and users’ social media experience
|Sharing with law enforcement/legal requests||Information that is the subject of a lawful request||Comply with valid legal requests from authorities, and to comply with our legal and regulatory obligations||Legal Obligation Legitimate Interest: |
Complying with laws in the jurisdictions where we are subject to them
|Protection of the vital interests of an individual||Information required to protect the vital interest of an individual||Protect the life or physical safety of individuals, to combat harmful conduct, to promote safety and security||Vital Interests|
In the above table, “consent” refers to Article 6(1)(a) or the manner of consent
required in your jurisdiction, “performance of a contract” or “steps we must take
prior to entering into a contract” to Article 6(1)(b), and “legitimate interest” to
Article 6(1)(f) of the GDPR.
In addition to the processing activities outlined on the above table, we may also process your Personal Data to comply with our obligations under applicable law, or where the processing is necessary to protect a person’s vital interests.
How We Share Your Personal Data
We may share your Personal Data with the following categories of third parties:
- Third-party service providers who need access to Personal Data to assist us in delivering Services or the operation of our business. For example, such third parties include payment processors; information technology service providers; providers of identity verification services; website hosting providers; insurance, marketing, accounting, shipping, and delivery vendors; other business process outsourcing providers; and partners who assist us with administering programs we offer to you, such as our bug bounty program.
- Third-party service providers who need access to Personal Data to provide advertising and analytics services. For example, we use a third-party service for the collection and management of your Personal Data that enables us to deliver marketing communications about our Services and Events to you.
- Our corporate affiliates in the Bullish Group, when necessary to complete the processing activities described above.
- Other third parties, as reasonably necessary:
- In relation to a merger, sale, acquisition, divestiture, restructuring, reorganization, dissolution, bankruptcy, or other change of ownership or control (whether in whole or in part); or
We always endeavor to only share the minimum amount of Personal Data that these third parties need to perform their tasks.
Third Party Applications and Websites
Our Data Sources may contain links to third-party applications not affiliated with us. Your use of an external application or any informational content found on external applications is subject to and governed by the privacy policies, terms, and conditions of that application. We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on external applications are framed within our Data Sources.
While we do review the privacy practices of our Service Providers prior to engaging them to ensure that they meet Bullish Service Provider privacy standards, we ultimately do not control the privacy practices of any external applications or websites. The Websites may contain links to websites not affiliated with us. Your use of external websites or any informational content found on external websites is subject to and governed by the privacy policies, terms, and conditions of those websites. We do not endorse or make any representations or warranties concerning, and will not in any way be liable for, any informational content, products, services, software, or other materials available on external websites even if one or more pages of the external websites are framed within a page of our Websites.
Advertising and Analytics Services Provided by Third PartiesIntellectual Property and Use of the Websites
The third-party service providers we use for advertising and analytics include:
When you first land on the Websites, you will be asked for your consent to the placement of Cookies. No Cookies are placed on your browser until you give your consent. You also have the option to manage your consent on an ongoing basis by opting out of any Cookies category except Strictly Necessary Cookies by changing your Cookies Settings by clicking on the shield icon in the bottom left corner of the website. Please note that if you reject cookies, the functionality of some areas of the Websites may be limited.
Automated Decision-Making and Profiling
Automated decision-making is a process by which your Personal Data is used to make a decision about you that creates legal or other significant effects in an automated fashion using an algorithm alone, without any human intervention in the process. Profiling is where Personal Data is evaluated in an effort to predict things like interests or preferences about what types of information an individual might light to receive. Although profiling is a type of automated processing, it does not produce legal (or other significant) effects and in that way is different from automated decision-making. We may use profiling as part of our analytics to deliver the most relevant content and best experience to you.
You have rights relating to automated decision-making that produces legal or other significant effects on you. Please see the section on “Your Rights” for more information on how to exercise your rights relating to the use of your Personal Data in automated decision-making. For example, to withdraw your consent to an automated decision-making process where the legal basis for that processing is your consent.
Applicable privacy legislation may entitle you to some or all of the following rights with respect to your Personal Data:
- To access the Personal Data we maintain about you. We will provide you with one copy of your Personal Data free of charge, but we may charge you a reasonable fee to cover our administrative costs if you request further copies of the same information.
- To be provided with information about how we process your Personal Data. This will include information on the categories of data, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, the recipients of your Personal Data, and the safeguards regarding data transfers to other jurisdictions, subject to the limitations set out in applicable laws and regulations.
- To correct your Personal Data. You have the right to ask us to rectify Personal Data you think is inaccurate or incomplete. In some cases, you will need to make these changes yourself by using the tools we provide in the Data Sources.
- To have your Personal Data erased. You have the right to ask us to delete your Personal Data. In some cases, you will need to do the deletion yourself using the tools we provide in the Data Sources. If we have shared your Personal Data with a third party in the manner described above, we will require the third party to delete the Personal Data that we have shared with them (consistent with their legal obligations to do so). We will decline your request for deletion if processing your Personal Data is necessary: (i) to comply with our legal obligations such as fraud detection and monitoring, (ii) or being required to perform a task in the public interest; (iii) in pursuit of a legal action; (iv) for exercising the right of freedom of expression and information; and (v) for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
- To object to how we process your Personal Data. Where we process your Personal Data based on our legitimate interest (or that of a third party), you have the right to object to this processing on grounds relating to your particular situation if you feel it impacts on your fundamental rights and freedoms. We will decline your request where we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defense of legal claims.
- To be informed about direct marketing. You have the right to request us to tell you how your Personal Data has been shared, if at all, with third parties for the third parties’ direct marketing purposes.
- To stop your Personal Data from being used for direct marketing purposes. At your request, we will stop using your Personal Data for the purpose of direct marketing. Our marketing communications include an unsubscribe facility, which we encourage you to use. If you want to stop us from contacting you in connection with marketing communications, please email us at the email address specified below.
- you dispute the accuracy of your Personal Data;
- your Personal Data was processed unlawfully and you request a limitation on processing, rather than the deletion of your Personal Data;
- we no longer need to process your Personal Data, but you require your Personal Data in connection with a legal claim; or
- you object to the processing and no overriding legitimate interest for the processing exists.
We may continue to store your Personal Data to the extent processing is required or based on one of the following bases: with your consent; for the establishment, exercise or defense of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest; or where an overriding legitimate interest for the processing exists.
- The right to data portability. You have the right to receive your Personal Data in a structured, commonly used and machine-readable format, if:
- the processing of your Personal Data is based on your consent or required for the performance of a contract; or
- the processing is carried out by automated means.
Please note information may already be available to you via the Data Sources.
- To withdraw any consent that you gave us to process your Personal Data. You have the right to withdraw any consent you may have previously given us at any time. Your consent withdrawal will not affect the lawfulness of the processing done before the withdrawal.
- To complain to a supervisory authority. If you are not satisfied with our response, you have the right to complain to or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction.
To exercise the above rights, please contract Bullish Customer Service or contact us at the email address specified below. We will consider and process your request within the required period of time. Please be aware that under certain circumstances, or in relation to certain types of data, including pseudonymous data, the applicable legislation may limit your exercise of these rights.
International Data Transfers
We may transfer your Personal Data to any of our offices in countries outside of your jurisdiction for processing in accordance with this Privacy Notice and as permitted by the applicable laws. These locations include the EU, United States, and Asia-Pacific region. Transfers are based on approved mechanisms, such as standard contractual clauses.
Where we rely on our service providers located outside of your jurisdiction and acting as data processors, we ensure that they are subject to laws ensuring an adequate level of data protection as set out in an applicable adequacy decision of the relevant regulatory authority, or will ensure that an adequate level of data protection will be available on the basis of standard contractual clauses (or other contractual clauses or legal transfer bases appropriate to your jurisdiction) that will allow you to directly enforce your rights as a third-party beneficiary.
Retention of Personal Data
We retain Personal Data for the period of time necessary to fulfil the purposes outlined in this Privacy Notice and our record retention policies, unless a longer retention period is permitted or required by law. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
The security of your information is important to us. We have implemented appropriate technical, physical, and organizational security measures intended to protect your Personal Data from unauthorized access, disclosure, alteration or destruction.
To opt-out of receiving marketing communications from us, please click the unsubscribe link at the bottom of a marketing email or let us know by reaching us at the email address specified below. Please note that even if we stop all marketing communications, you may still receive administrative, legal, and other important Service-related communications from us.
We do not market to and do not knowingly collect any Personal Data from or about a child under the age of 16 without the consent of the child’s parent or legal guardian. Bullish Services are not intended for children under the age of 16.Children under the age of 16 are not eligible to use our Services and must not use other Data Sources for any purpose without first obtaining legally valid parental/guardian consent to this Privacy Notice (both for themselves and on your behalf). If you believe we have any Personal Data from any children under the age of 16 without such parental/guardian consent, please contact us at the email address specified below.
Do Not Track
Certain web browsers and other devices you may use to access the Websites may permit you to submit your preference that you do not wish to be “tracked” online. We do not currently commit to responding to these submissions, in part, because no common industry standard for “do not track” has been adopted by industry groups, technology companies, or regulators. We will make efforts to monitor developments around “do not track” browser technology and the implementation of a standard.
Updates to the Privacy Notice
We reserve the right to amend this Privacy Notice at any time. You will know if the Privacy Notice has changed since the last time you reviewed it by checking the “Date of Last Update” section below. We therefore encourage you to review this Privacy Notice from time to time. To the extent permitted by law, by continuing to use our Data Sources after changes have been posted, you are confirming that you have read and understood the latest version of this Privacy Notice.
Our Role and How to Contact Us
Bullish acts as the as data controller for your Personal Data unless a different affiliate is named in a separate privacy notice, or we have identified a different data controller for a particular processing operation.
If you have any questions, comments or complaints, or would like to exercise your rights concerning your Personal Data and privacy preferences, you may use self-service options if they are available to you, or contact us in the following ways:
If you are in the EEA, you may also contact our EU representative, designated for the purposes of Article 27 of the EU GDPR:
- Achieved Compliance Advocacy, Ltd., Attn: Ms. S. Ali re Block.one, Singel250; 1016 AB, Amsterdam, Netherlands
- [email protected]
If you are in the UK, you may also contact our designated UK representative, designated for the purposes of Article 27 of the UK GDPR:
- Achieved Compliance Advocacy, Ltd., Attn: Ms. S. Ali re Block.one,Princess House, Princess Way, Swansea, UK SA1 3LW
- [email protected]
Alternatively, you may contact our appointed global Data Protection Officer(DPO):
- HewardMills Ltd., 77 Farringdon Road, London, UK EC1M 3 JU
- [email protected]
Date of Last Update: July 27, 2021