Privacy Disclosures for the European Economic Area and the United Kingdom

Last updated: December 6, 2022

 

About This Disclosure

These Privacy Disclosures for the European Economic Area (EEA) and the United Kingdom (UK) supplement the Chainalysis Privacy Policy, the latter of which describes the Personal Data that we collect, the sources from which we collect it, the purposes for which we use it, the limited circumstances under which we share Personal Data, and with whom we share it. These additional disclosures are made in accordance with European and UK law, including the European General Data Protection Regulation (GDPR) and the UK GDPR. Terms that are not defined here have, unless otherwise indicated, the meanings set forth in our Privacy Policy. If you are based elsewhere in the world this Disclosure does not apply to you.

 

Our Legal Basis for Processing Personal Data

The European GDPR and the UK GDPR require us to have a legal basis for processing Personal Data about you. Depending on the Personal Data and data processing activities at issue, the legal bases upon which we rely may include:

  • Consent. When you have given us clear consent for us to process your Personal Data for a specific purpose;
  • Contract. When processing your Personal Data is necessary to perform a contract we have with you, or when you have asked us to take specific steps before entering into a contract;
  • Legal obligation. When processing your Personal Data is necessary for us to comply with the law (not including contractual obligations);
  • Public task. When our use of your Personal Data is necessary for us to perform a task in the public interest lawfully, or the exercise of official authority vested in the controller; or
  • Legitimate interests. When our use of your Personal Data is necessary to pursue our legitimate interests or those of a third party (provided your privacy interests do not override such interests).

To the extent that we rely on your consent, we will not invoke another legal basis. Further details on when we collect Personal Data, what we collect, as well as how and why we use it, are set out in our Privacy Policy and below.

Registering Customers
When you register with us to receive our Services (such as our web-based services, the Chainalysis Academy, our forum, and our conferences and webinars), we may process your contact details; credit card information (when you make a purchase); professional information such as your role and company name; IP address and device information; and transaction information such as purchase and subscription information or courses that you follow. We ask for this data to create and manage your account with us; to communicate with you about your account; and, to provide you with the Service. We may rely on your consent, our legitimate interests, and/or the fulfillment of a contractual obligation as the lawful basis for processing your Personal Data. Our legitimate interests are to provide you with the Service you have requested and to ensure we deliver the Service with the appropriate quality.

Providing Our Services
When you use the Service, or when we provide our Service, we may process your contact details; professional information such as your role and company name; the login and connection information used to enable the Service; your educational information (when you sign up to the Chainalysis Academy or for any conferences or webinars); your IP address and device information; Chainalysis forum posts (where applicable); feedback to us; or Chainalysis customer support interactions. We process this Personal Data to operate or provide the Service; to carry out security checks; to fulfill our commitments to you; to contact you about your use of the Service; and, to generally improve the quality of the Service. We may rely on legitimate interests and/or the fulfillment of a contractual obligation as the legal basis for processing your Personal Data. Our legitimate interests are to provide you with the Service that you or your company have requested appropriately.

Providing the Service to You if You Are an Agent or an End User
Regarding your capacity as an end user of Chainalysis products or services, we may process your contact details; professional information such as your role and company name; the login and connection information used to enable the Service; your educational information (when you sign up to the Chainalysis Academy or for any conferences or webinars); your IP address and device information; and Chainalysis forum posts (where applicable). We ask for this Personal Data to create and manage your account with us; to communicate with you about your account; and, to provide you with the Service. We may rely on legitimate interests and/or the fulfillment of a contractual obligation as the legal basis for processing your Personal Data. Our legitimate interests are to provide you with the Service you or your company have requested appropriately.

Marketing Operations
We may process your contact details and your marketing preferences to provide you with marketing if we think you will be interested in our Service or if you sign up to receive marketing from us, such as signing up for webinars and conferences. We always carry out marketing activities based on your consent or opt-in if legally required. Otherwise, we may rely on legitimate interests and/or the fulfillment of a contractual obligation as the legal basis for processing your Personal Data. We may rely on implied consent or opt-in in some circumstances, such as if you previously contacted us about our products and Services, subscribed to our Services, declined to opt out of marketing, etc. See the section on “Marketing Communications” in our Privacy Policy for additional information.

Addressing Fraud and Security Threats
To prevent and detect fraud and unauthorized access to our customers’ accounts or the Services and our systems, we may process contact details; professional information such as your role and company name; the login and connection information used to enable the Service; your IP address and device information. We rely on our legitimate interests to minimize fraud and security issues and/or the fulfillment of a contractual obligation as a legal basis to use this Personal Data.

Compliance Requirements
To conduct security and identity checks, and to comply with other legal and regulatory requirements for screening individuals, we may process contact details; professional information such as your role and company name; the login and connection information used to enable the Service; your IP address and device information; and transaction information. We use this Personal Data to carry out identity and credit checks and address other Know Your Customer (KYC) and compliance obligations. We rely on our legitimate interests and our need to comply with legal obligations to process this information.

Analytics
To monitor how our customers and users use the Chainalysis website and the Service, and make improvements or modifications to them, we may process your IP address, device information and transaction information, and other user activity data. We rely on your consent when such Personal Data is collected via non-essential cookies if required by law, and also our legitimate interests to deliver and improve our products and services, as our legal bases.

 

Your Privacy Rights

Subject to applicable law, including relevant exemptions and exceptions, you may have the following rights concerning your Personal Data.

  • Right of access. The right to be provided with a copy of Personal Data about you that we process
  • Right to rectification. The right to require us to modify Personal Data that you think is inaccurate
  • Right to erasure (also known as the “right to be forgotten”). The right to require us to delete your Personal Data
  • Right to restriction of processing. The right to require us to restrict processing of your Personal Data in certain circumstances, e.g., if you contest the accuracy of the data
  • Right to data portability. The right to receive the Personal Data you provided to us in a structured, commonly used, and machine-readable format and transmit that data to a third party in certain situations
  • Right to object. The right to object to your Personal Data being processed for direct marketing (including profiling) and in certain other situations, e.g., processing pursuant to our legitimate interests.
  • Right to not be subject to profiling. The right not to be subject to a decision based solely on automated processing (including profiling) without any human intervention that produces legal effects concerning you or similarly significantly affects you

These rights do not apply to non-UK and non-EEA citizens, nor do they apply to anonymized data or data that does not otherwise constitute Personal Data. If you are an individual based in the UK or the EEA and you would like to exercise any of these rights described above, please email [email protected] with proof of your identity and address and describe what right you want to exercise and the information to which your request relates. To the extent permitted by applicable law, a charge may apply before we provide you with a copy of any of your Personal Data that we maintain.

To the extent required under applicable law, we will respond to you within 30 days to let you know that we have complied with the request, to ask for further information or an extension of time, or to explain why are not able to comply with the request. If you do not agree with our decision, then you can make a complaint as outlined below.

 

Supervisory Authority

We hope that we can resolve any concerns you may have about our use of your Personal Data. However, if we are unable to resolve your query to your satisfaction, then you may exercise your right to file a complaint with a supervisory authority.

  • United Kingdom. For UK citizens, this will be to the Information Commissioner’s Office (ICO). You can contact the ICO here.
  • European Economic Area. If you are an EEA citizen, this will be the supervisory authority in the member state where you work, normally live, or where the alleged infringement of data protection laws has occurred. A list of EEA supervisory authorities is available here.

Our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet) in Denmark. Their contact information can be found here.

 

How to Contact Us

Please contact us if you have any questions about this Policy or the Personal Data we hold about you by email at [email protected] or by postal mail at:

Chainalysis Inc.
ATTN: Head of Privacy
114 5th Avenue, 18th Floor
New York, NY 10011