# Privacy Policy

This Privacy Policy is effective as of November 20, 2023.

# 1. INTRODUCTION

Lucid Invest Inc. (“Lucid”, “our“, “we” or “us” as applicable) provides tools that allow managing cryptocurrency holdings, including application program interface(s) (“Software”). Your privacy is important to us and therefore, it is our policy to respect your privacy and take appropriate measures to protect your personal data.

This privacy notice (“Notice”) explains how we process, including how we use, store and disclose your personal data when: (i) you visit or otherwise interact with our website at https://lucid-crypto.com/ (“Website”); (ii) you (or the legal entity you represent) wish to register or have registered a user account, including agreeing to our Terms of Use, and using the Software; (iii) you subscribe to our newsletter and/or receive other direct marketing; (iv) communicate with us through our Website, or other communication channels (e.g., by email or our official social media accounts); or (v) take any other actions on our Website, which entails us receiving and processing your personal data. The data we process may differ based on your interactions with us, so if anything here only applies to one specific use case, we’ll point this out to you.

Please note that this Notice does not describe how we process Lucid’ potential employees data.

We process your personal data as described in this Notice and in accordance with applicable legislation, including the European Union’s General Data Protection Regulation (2016/679) (“GDPR”) and other relevant laws and regulations, as applicable towards the controller stated in Section 2 of this Notice.

In case you disclose any personal data regarding any third person(s) (e.g., your employee, management board member, co-worker, etc.) to us, you are obligated to refer them to this Notice.

We do not knowingly allow children (under the age of 18) to sign up for a Lucid account, and therefore, do not knowingly process children’s personal data. Should we discover that an individual below the age of 18 has registered for a Lucid account, we will take appropriate measures to promptly remove their personal data from our database. If you believe an underage person has signed up for a user account or is in any way using the Software, please reach out to us at dpo[at]lucid-crypto.com.

# 2. CONTROLLER

For the personal data processing purposes set out in Section 4 of this Notice, the controller of your personal data is Lucid Invest, Inc. with email address dpo[at]lucid-crypto.com.

In case of personal data protection related inquiries, including questions or comments about this Notice or if you wish to exercise your data subject’s rights, please contact us by writing to dpo[at]lucid-crypto.com.

# 3. CATEGORIES AND SOURCES OF PERSONAL DATA

Personal data is any information that can be used to directly or indirectly uniquely identify you as a private individual. Anonymous data is not personal data, as it cannot be linked back to you. We may obtain and process the following categories of your personal data:

Category

Personal Data

Main Data

For concluding and managing the contractual relationship with you or the legal entity you represent, we may process the following personal data:
Name, e-mail address, the legal entity’s information you represent (e.g., name, address, registry code) (if applicable), user ID, 2FA key, data regarding account (e.g., internal and external activity IDs, results of the authentication), authentication and profile data received from third parties exchanges (e.g., ID, profile name and picture, e-mail).

Billing Data

For managing the contractual relationship and processing payments, we may process the following personal data:
Main Data, billing information, including payment method details (e.g., the service provider used, payment type, network, card’s brand, last four digits and expiration year and month, presence of a digital wallet), location (e.g., country, postal code), results of payment checks (e.g., CVC and address check, third-party checks (null or pass)). Additionally, your contact phone number, and specific preferences regarding invoice names.

Transaction Data

For managing the contractual relationship and executing transactions, we may process the following personal data:
API key and secret, exchange account data (e.g., exchange platform, account ID, deposit address, date when portfolio was generated), account status data (e.g., deleted, locked, hedge mode enabled), transaction data (e.g., transaction’s date, time, amount, currency action, order type, unique identifiers, transaction request and response).
When accessing the Lucid API: data related to any changes, manipulations, or interactions developers make with end user accounts.

Communication Data

If you communicate with us through our Website, App or other communication channels (e.g., by email or our official social media), we may process the following personal data depending on the channel you communicate with us:
Main Data, your username on the platform through which you interact with us, conversation ID, date, time and contents of your message.

Marketing Data

For marketing purposes, we may process the following personal data:
Main Data, Google Analytics client ID, information about interests, given and withdrawn consents, engagement data (e.g, actions made), responses to user surveys, data regarding sources (e.g., original source, identifiers including but not limited to Appsflyer ID, ad ID, media source, channel, campaign and Affise ID (also known as click ID)), data regarding performance of marketing campaigns and contents (e.g., UTM parameters), data regarding actions (e.g., email confirmation, subscription and bot activation, trade commencement).

Technical Data

When you visit our Website or App, or in any way use the Software, we may also collect data about the device you are using and automatically log standard data provided by your web browser or device, which may include your personal data:
IP address, data about device (e.g., device type, language, model, unique device identifiers, operating system, session key), log data (e.g., referring URL, visitor ID number, date and time of visit, location data (down to city level), browser type, version and language, internet service provider).
When accessing the Lucid API: data related to developer identification and authentication, including developer IDs and app names.

Usage Data

When you visit our Website or App or in any way use the Software, we may process the following data, which may include your personal data:
Main Data (user ID), data about actions made (e.g., user role, attributes to that action, error logs, web pages visited on Website).

Cookie Data

We use cookies to keep login information in your browser. Cookies do not collect your personal data.

# 4. PURPOSES OF PROCESSING AND LEGAL BASES

We process your personal data lawfully and in a transparent manner, including only where we have a legal basis for doing so. The legal basis for processing your personal data depends on the objective and context in which we collect personal data. The following depicts a descriptive list of processing purposes that are linked to the specific data categories and legal bases for processing.

# 5. RECIPIENTS OF PERSONAL DATA AND DATA TRANSFERS

We may disclose your personal data to separate controllers, who process your personal data for their own purposes, and processors, who process your personal data on our behalf to help us to provide the Website, App and Software. These data recipients belong to the following categories:

The personal data that we collect from you is primarily processed in United States of America (“USA”), but we may transfer your data to and store it in countries outside of the USA, which do not offer an equivalent level of protection. In such cases we use safeguards (e.g., standard contractual clauses approved by the European Commission) to ensure that a level of protection of personal data comparable to that applicable in the USA is applied to your personal data. Upon your request to the contact details specified in Section 2 of the Notice, we can make available further information, including a copy of the safeguards applied.

# 6. SECURITY OF YOUR PERSONAL DATA

We take reasonable technical and organisational security measures designed to protect your personal data against accidental or unlawful destruction, loss or alteration, unauthorised disclosure, abuse or other processing in violation of applicable law. These measures vary based on the sensitivity of the personal data we process and the current state of technology.

However, please be advised that no security measure can be 100% effective, and we cannot guarantee the security of your data, including against unauthorised acts, access, hacking or data breaches by third parties.

We also encourage you to take measures to ensure the safety of your personal data, including protecting your account. In particular, we strongly recommend you to enable two-factor authentication for your account and keep your password, API key and API secret confidential and stored in a secure location. In addition, we advise you to make sure of your device security and avoid using public unencrypted internet connection spots.

# 7. PERSONAL DATA RETENTION PERIODS

We retain your personal data for the duration necessary to fulfil the objectives outlined in Section 4 of this Notice or for as long as we have a legal obligation to do so. In deciding the appropriate retention period for personal data, we consider the quantity, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining your personal data, we take into account the viable need to resolve disputes and enforce the contract between us, or anonymise your personal data and retain this anonymised information indefinitely. The specific retention periods are the following:

Personal data category

Retention period

Main Data and Billing Data relating to transactions

7 years from the end of the financial year when the respective transaction took place, to comply with our obligations arising from applicable laws.

Other Main Data, Billing Data and Transaction Data relating to the taking and implementing the pre-contractual measures of the potential Terms of Use to be concluded between us or performing the Terms of Use concluded between us

3.5 years from the termination of the Terms of Use, including deletion of User Account, under our legitimate interests to establish, exercise, or defend against potential legal claims. In case we have reasonable doubt that a party has breached the contractual relationship between us intentionally, we may prolong such retention period for a maximum of 10 years.

Communication Data

3.5 years from the moment the respective communication-flow was closed, under our legitimate interests to establish, exercise, or defend against potential legal claims. In case we have reasonable doubt that a party has breached the contractual relationship between us intentionally, we may prolong such retention period for a maximum of 10 years.

Marketing Data

30 days after the termination of the Terms of Use, including deletion of the User Account, or upon withdrawal of consent.
In case the legal basis for processing your Personal Data is consent and you decide to withdraw the consent, we will stop processing the personal data for the previously communicated purpose, however, we will retain a note regarding your withdrawal of consent for the purposes of administering your decision and our data processing activities at least for a period of 3 years.

Technical Data and Usage Data

30 days as of the collection of such data.

Following the retention period or if we no longer need the personal data for the purposes specified in Section 4 of the Notice, we shall destroy the respective personal data within a reasonable time, unless the retention of personal data is required to perform duties or requirements arising from the applicable law or to protect against ongoing or threatened disputes, in which case we retain the personal data as long as the dispute is solved.

After the expiry of the retention period determined above or the termination of the legal basis for processing purpose, we may retain the materials containing the personal data in our backup systems, from which the respective materials will be deleted after the end of the backup cycle. We ensure that during the backup period appropriate safeguards are applied and the backed-up materials are put beyond use. Access to these backups is strictly limited to essential personnel on a need-to-know basis.

# 8. AUTOMATED DECISION MAKING

We incorporate Artificial Intelligence technologies such as the Generative Pre-training Transformer technology (“GPT”) into our services, including but not limited to, our FAQ Chatbot. While we do not actively process your personal data within these services, any personal data you input may be subject to automated decision making. This activity will not result in any legal consequences for you. We prioritise the protection of your personal data and take all necessary precautions to ensure its security. Should you believe that your personal data has been processed in this regard, you may reach out to us for further actions regarding your data protection rights at dpo[at]lucid-crypto.com. For more detailed information about this use case, please also contact us at the aforementioned email address.

# 9. YOUR RIGHTS AS A DATA SUBJECT

You may, at any time, exercise the following rights with respect to our processing of your personal data:

Right to access: you have the right to request access, including receive a copy, of your personal data. This includes the right to be informed on whether we process your personal data, what personal data categories are being processed by us, and the purpose of the data processing.
Right to rectification: you have the right to request that we correct any of your personal data if you believe that we are processing incorrect, inaccurate or incomplete personal data.
Right to object: you are entitled to object to certain processing of your personal data, for example when we process your personal data based on our legitimate interest or for direct marketing purposes;
Right to restriction: you have the right to request that we restrict the processing of your personal data, for example if you wish to dispute the accuracy of certain personal data we are processing or if we no longer need the personal data for the purposes of the processing, but you require the personal data to establish, exercise or defend legal claims;
Right to erasure: you have the right to request that we erase your personal data for example if the personal data is no longer necessary for the purposes for which it was collected or if you consider that the processing is unlawful.
undefined
Right to data portability: you have the right to receive your personal data in a structured, commonly used and machine-readable format if the processing is carried out by automated means and is based on your consent or a mutual contractual relationship. Moreover, you may request that the personal data is transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible.
Right to withdraw your consent: in cases where the processing is based on your consent, you have the right to withdraw your consent to such processing at any time.
undefined
Right not to be subject to a decision based solely on automated processing, including profiling: Our use of automated decision-making is limited, and should not result in any legal impact to you. You may read more about our use of automated decision-making in Section 8.
Complaints: If you wish to make a complaint, please contact us. We will promptly investigate your complaint and respond to you. If you are not satisfied with our response to your request in relation to personal data processing or you believe we are processing your personal data not in accordance with the applicable law, you can submit your claim to the data protection authority.

To exercise the data subject’s rights please contact us as specified in Section 2 of this Notice. Please note that you should supply us with adequate information for us to respond to your requests concerning your rights. Prior to answering your request, we may ask you to provide additional information for the purposes of authenticating you and evaluating your request (e.g., if you seek to exercise the rights on behalf of someone else as a legal representative).

We will respond to your request promptly and in any case within one month from the date we receive it. If necessary, due to the complexity and number of the requests, this period may be extended by up to two additional months. We will inform you of any such extension within one month of receiving your request, along with the reasons for the delay.

# 10. OTHER JURISDICTIONS

You may also have certain additional rights regarding the information we hold about you under other data protection and privacy laws. Please contact us at dpo[at]lucid-crypto.com about your specific situation for more information.

# 11. LINKS TO OTHER WEBSITES, APPS OR SERVICES

Our Website and App may link to external sites that are not operated by us, or offer access to apps and services not under our operation or control. Therefore, this Notice applies solely to the personal data we may collect or receive from these third-party sources, but does not apply to data processing conducted by such third parties. Please be aware that we neither endorse nor have any control over the content and policies of those sites, apps or services, and thus cannot accept responsibility or liability for their respective practices. To find out more about how such third parties process your personal data, please refer to the respective privacy notices on the other websites you visit, or apps and services you use.

# 12. CHANGES TO THIS NOTICE

We regularly review and revise this Notice as necessary to reflect the changes in the way we process personal data, and in such cases we publish any updates directly on this page.

Please check back periodically, and especially before you provide any new personal data. In case of material changes, we will send a direct notification to the email address you’ve registered with us.