Privacy Policy

UPDATED ON DECEMBER 31, 2019

Scope and Consent

This policy describes the ways BitPay, Inc. and its subsidiaries (BitPay B.V. and Stichting Client Funds BMSE, hereinafter, “BitPay”, “we”, “our” or “us”) collect, store, use and protect Personal Data. The purpose of this policy is to ensure that BitPay complies with applicable United States (US) federal and state regulations, and European Union (hereinafter, “EU”) data protection laws such as the General Data Protection Regulation (hereinafter, “GDPR”). BitPay’s Services include merchant processing services, products, or any other features, technologies or functionalities (hereinafter: “Services”) offered by BitPay, Inc.

This policy describes the ways BitPay, Inc. and its subsidiaries (hereinafter, “BitPay”, “we”, “our” or “us”) collect, store, use and protect Personal Data. The purpose of this policy is to ensure that BitPay complies with applicable United States (US) federal and state regulations, and European Union (hereinafter, “EU”) data protection laws such as the General Data Protection Regulation (hereinafter, “GDPR”). BitPay’s Services include merchant processing services, products, or any other features, technologies or functionalities (hereinafter: “Services”) offered by BitPay, Inc. Users accept this Policy by visiting our website and/or by using our Services.

There are six types of data subjects whose personal data we may process:

  1. Visitors of our websites (bitpay.com, bitcore.io, copay.io);
  2. Merchants that sign up for our Services;
  3. Shoppers who indirectly interface with BitPay when paying a merchant’s invoice that is forwarded by BitPay to merchants during checkout (refer to Section III.3 for more details);
  4. BitPay cardholders that have signed up for a BitPay Prepaid Visa® Debit Card;
  5. BitPay wallet users that have downloaded and installed either the BitPay or Copay app on their mobile device;
  6. Shoppers who indirectly interface with BitPay when requesting a cryptocurrency withdrawal via a Merchant that is using BitPay’s Services.

What is “personally identifiable information?”

“Personally Identifiable Information” (hereinafter: “Personal Data”) is any information that can be directly associated with a specific person and can be used to identify that person. A prime example of identifiable information is a person’s name.

What kind of personal data do we collect?

The Personal Data we collect depends on the type of user:

  1. Visitors: We may collect the following Personal Data for visitors of our websites (https://www.bitpay.com, https://www.bitcore.io, https://www.copay.io):
    • IP address
    • Email address (e.g. when you subscribe to our blog or opt in to receive other marketing materials)
    • Phone number (e.g. when you contact our sales team or media team or opt in to our media list)
    • Name (e.g. when you submit a support request)

    We may collect information about a visitor’s computer or other access devices for fraud prevention purposes.

  2. Merchants: When opening an account, we may collect the following types of Personal Data of the beneficial owner or any user that is added to the account:
    • Name
    • Email address
    • Date of birth
    • Identification documents (such as a passport or driver’s license)

    We may use this Personal Data for risk-management purposes (i.e. to verify merchant’s identity or address). We may also obtain information about our merchants from third parties such as credit bureaus and identity verification services. We ensure that such third parties adhere to the same data protection principles as BitPay.

  3. Shoppers of merchants: When a shopper is paying a BitPay invoice, the following Personal Data is captured:
    • Email address
    • IP addresses used to view the BitPay invoice

    The email address is either automatically provided by the merchant or manually entered by the shopper. This enables our system to send an email to Shoppers directly to obtain a cryptocurrency refund address in case of a payment exception (e.g. overpayments, underpayments, etc.). This creates a more seamless payment experience for both the merchant and the shopper.

    Additionally, only upon the merchant’s explicit request, we will collect and store Personal Data for the merchant’s benefit only and as a service through our invoicing service. Personal Data that merchants may request from the shoppers are:

    • Name
    • Address
    • Phone number

    Additionally, for donations that are made through BitPay’s processing platform, the merchant might opt for BitPay to collect the following Personal Data as required by the US Federal Election Commission (FEC) or other applicable local regulations:

    • Donor’s name
    • Donor’s email address
    • Donor’s address
    • Donor’s phone number
    • Donor’s employer
    • Donor’s job title
    • Donor’s city of employment

    In all cases mentioned above, Shoppers’ or Donors' information is processed and stored according to the same principles as we process / store our merchant’s Personal Data.

  4. Cardholders: When a user signs up for a BitPay Visa® Prepaid Card, the following information is collected as part of the onboarding program:
    • Name
    • Address
    • Date of birth
    • IP address
    • Phone number
    • Email address
    • Social Security Number

    Please note that our Card Program is currently only available to US residents. BitPay only stores date of birth and social security number until the time the card application is accepted or archived.

    The BitPay Visa® Prepaid Card is issued by Metropolitan Commercial Bank, member FDIC, pursuant to a license from Visa, U.S.A. Inc. “Metropolitan” and “Metropolitan Commercial Bank” are registered trademarks of Metropolitan Commercial Bank © 2014. Use of the Card is subject to the terms and conditions of the applicable Cardholder Agreement and fee schedule, if any.

  5. Wallet holders: For wallet holders, BitPay collects the following Personal Data:
    • Email address

    The email address collection is optional in case the user would like to receive email notifications and (if selected) BitPay news and product updates and can be removed at any point in time.

  6. Shoppers that use BitPay’s cryptocurrency withdrawal service: The following Personal Data is collected for shoppers that would like to process more than 3000 USD per day:
    • Name
    • Email address
    • Identification documents (such as a passport or a driver’s license)
    • Proof of address document (such as a bank statement or a utility bill)

Sensitive or special categories of personal data

BitPay does not process any sensitive personal information, such as religion, race, ethnicity and/or political views.

Why we collect personal information

Our primary purpose for collecting Personal Data is to provide you with a secure, smooth, efficient, and customized experience. We may use your Personal Data to:

  • comply with applicable laws and regulations;
  • provide the BitPay Services and customer support you request;
  • process transactions and send notices about your transactions;
  • resolve disputes, collect fees, and troubleshoot problems;
  • prevent potentially prohibited or illegal activities, and enforce our Terms of Use;
  • customize, measure, and improve the BitPay Services and the content and layout of our website and applications;
  • deliver targeted marketing, service update notices, and promotional offers based on your communication preferences;
  • compare information for accuracy and verify it with third parties.

How we protect and store personal information

We take security of data very seriously. We use computer safeguards such as firewalls and data encryption, we enforce physical access controls to our buildings and files, and we authorize access to Personal Data only for those employees who require it to fulfill their job responsibilities.

In addition to this Privacy Policy, we have several other (internal) policies and procedures in place that deal with data security:

  • IT Security Policy: This policy describes how we store and process your Personal Data on our servers in the United States and elsewhere in the world where BitPay facilities are located. It also describes how we protect it by maintaining physical, electronic and procedural safeguards in compliance with applicable US federal and state regulations, and EU data protection laws.
  • Incident Response Policy: This policy describes our response to an information security incident.
  • Data Breach Policy: This policy specifically describes what steps will be taken by us in case of a data breach. This includes notifying the supervisory authorities and the affected data subjects when required.
  • Business Continuity and Disaster Recovery Policy: This policy describes how we recover from a disaster and what steps will be taken to continue or resume routine business operations.
  • Cookie Policy: This policy describes how BitPay uses cookies to customize the BitPay Services, content and advertising; measure promotional effectiveness, and promote trust and safety.

Data retention

We are a regulated Financial Institution in the United States and per the applicable Bank Secrecy Act provisions, we will retain Personal Data that has been obtained as a part of our Customer Identification Program for a period of 5 years after an account has been closed or became dormant.

How we share personal data with third parties

We may share your Personal Data with:

  • Other BitPay entities, in order to help detect and prevent potentially illegal acts and violations of our policies, and to guide decisions about our products, services and communications;
  • Service providers under contract who help with our business operations. We will make sure that these third parties have appropriate internal controls in place to protect any Personal Data that might be transferred;
  • Law enforcement, government officials, or other third parties pursuant to a subpoena, court order, or other legal process or requirement applicable to BitPay; or when we believe, in our sole discretion, that the disclosure of Personal Data is necessary to report suspected illegal activity or to investigate violations of our Terms of Use.
  • In cases of suspected fraud or in connection with an ongoing investigation, we may share certain shopper information with our merchants.

Please note that these third parties may be in other countries where the laws on processing Personal Data may be less stringent than in your country. We deploy the following safeguards if we transfer Personal Data originating from the European Union or Switzerland to other countries not deemed adequate under applicable data protection law:

E.U.-U.S. Privacy Shield

BitPay Inc complies with the EU-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the transfer of personal data from the EEA to the US (“Personal Data”). BitPay Inc has self-certified to the US Department of Commerce declared its commitment to adhere to the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability (the “Principles”). For more information about the Privacy Shield Program, please visit www.privacyshield.gov/welcome.

BitPay Inc’s self-certification to the Privacy Shield is subject to the investigatory and enforcement authority of the Federal Trade Commission.

Disclosure and Accountability for Onward Transfers

Consistent with the Principles, BitPay will only disclose an individual’s nonpublic personal information to third parties under one or more of the following conditions:

  • The disclosure is to a third party providing services to BitPay Inc, or to the individual, in connection with the operation of our business, and as consistent with the purpose for which the personal information was collected. We maintain written contracts with these third parties and require that these third parties provide at least the same level of privacy protection and security as required by the Privacy Shield Principles. To the extent provided by the Principles, BitPay Inc remains responsible and liable under the Privacy Shield Principles if a third-party that it engages to process personal information on its behalf does so in a manner inconsistent with the Privacy Shield Principles, unless BitPay Inc proves that it is not responsible for the matter giving rise to the damage;
  • With the individual’s permission to make the disclosure;
  • Where required to the extent necessary to meet a legal obligation to which BitPay Inc is subject, including a lawful request by public authorities and national security or law enforcement obligations and applicable law, rule, order, or regulation.
  • Where reasonably necessary for compliance or regulatory purposes, or for the establishment of legal claims.

Recourse, Enforcement, Liability

Under certain circumstances detailed in the Privacy Shield, Data Subjects may be able to invoke binding arbitration before the Privacy Shield Panel, when other dispute resolution procedures have been exhausted. For additional information, please visit www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.

EU Model Clauses

BitPay offers EU Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our merchants or third parties that operate in the European Union. Please contact BitPay (dpo@bitpay.com) if you wish to use this option.

BitPay shall be liable for the acts and omissions of any third parties with whom we share Personal Data unless BitPay proves that it is not responsible for the event giving rise to the damage.

How data subjects can access or change their personal data

Individuals located in the European Union have statutory rights in relation to their Personal Data. Subject to any exemptions provided by law, you may have the right to request access to Information, as well as to seek to update, delete, correct, or restrict the processing of this Personal Data. If you are located in the European Union and would like to exercise a data subject right under the GDPR, you can submit a request here.

Merchants can review and edit their information by logging in to their account and reviewing their Personal Data under the Settings tab on the Dashboard. If you wish to change information relating to your industry or company website, or if you wish to terminate your account, you can send an email to compliance@bitpay.com. If you choose to terminate your BitPay account, we will mark your account in our database as "Closed". We will retain the information on the account in line with the data retention principles as outlined in Section VII.

Marketing

We do not sell your Personal Data to third parties for their marketing purposes without your explicit consent. We may combine your information with information we collect from other companies and use it to improve and personalize the BitPay Services, content and advertising. If you do not wish to receive marketing communications from us or participate in our ad-customization programs, you can simply click the “unsubscribe” link at the bottom of the e-mail or you can send an email to marketing@bitpay.com.

Contact

To communicate with our Data Protection Officer, please email dpo@bitpay.com. Subject to applicable law, you also have the right to lodge a complaint with your local Data Protection Authority or the Dutch Data Protection Commissioner, which is BitPay’s lead supervisory authority in the EU. If you are residing within the European Union and believe we maintain your Personal Data within the scope of the GDPR, you may direct questions or complaints to our lead supervisory authority:

Autoriteit PersoonsgegevensPostbus 93374

2509 AJ Den Haag

Netherlands

Phone (+31) - (0)70 - 888 85 00

Fax: (+31) - (0)70 - 888 85 01

In the United States, BitPay is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Complaints may be submitted by completing the form that can be found here: www.ftccomplaintassistant.gov.

How we use cookies

What are cookies?

A cookie is a small piece of data that a website asks your browser to store on your computer or mobile device. The cookie allows the website to “remember” your actions or preferences over time. Most browsers support cookies, but you can set your browser to decline them and can delete them whenever you like.

What type of cookies do we use?

When you access our website, we, or companies we hire to track how our website is used, may place small data files called “cookies” on your computer. We and our service providers also use cookies to customize the BitPay Services, content and advertising; measure promotional effectiveness, and promote trust and safety.

We send a “session cookie” to your computer when you log in to your account or otherwise use the BitPay Services. This type of cookie helps us to recognize you if you visit multiple pages on our site during the same session, so that we do not need to ask you for your password on each page. Once you logout or close your browser, this cookie expires and no longer has any effect.

We also use longer-lasting cookies for other purposes such as to display your email address on our login page, so that you don't need to retype the email address each time you login to your account.

We encode our cookies so that only we can interpret the information stored in them. You are free to decline our cookies if your browser permits, but doing so may interfere with your use of our website. We may also collect information about your computer or other access device to mitigate risk and for fraud prevention purposes.

You may encounter cookies from third parties when using the BitPay Services on websites that we do not control (for example, if you view a web page created by a third party or use an application developed by a third party, there may be a cookie placed by that web page or application.)

Managing your cookie settings

You can manage cookies through the settings of your Internet browser. You can have the browser notify you when you receive a new cookie, delete individual cookies or delete all cookies. Please note that, if you choose to delete BitPay cookies, your access to some functionalities and areas of our website may be degraded or restricted.

For more information on cookies and how to opt-out of them, please manage your cookies.

PRIVACY NOTICE – CALIFORNIA-SPECIFIC ADDENDUM

At BitPay, Inc, (“BitPay”, “we”, “us”, “our”) we take our responsibilities under the California Consumer Privacy Act (“CCPA”) seriously. If you are a California resident, the following provisions apply to our processing of information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household subject to the CCPA. For such residents, the provisions of this California Addendum prevail over any conflicting provisions in our Privacy the Privacy Notice.

California Personal Information We Collect

We have collected the following categories of California Personal Information within the last 12 months:

CategoryExamples
A. IdentifiersIdentifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
B. Information under the California Customer Records statute.Personal information described in subdivision (e) of Section 1798.80 (California Customer Records statute). This means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, social security number, address, telephone number, passport number, driver’s license or state identification card number, bank account number, credit card number, debit card number, or any other financial information.
C. Commercial informationCommercial information, including records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies on our site.
D. Internet or other similar network activityInternet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
E. Geolocation dataGeolocation data.
F. Professional or employment-related informationCurrent or past job history or performance evaluations.
G. Inferences drawn from other personal informationInferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

For each of these categories, we obtain California Personal Information from a variety of sources. These sources include: yourself, with respect to both online and offline interactions you may have with us or our service providers; other entities with whom you transact; others with whom you maintain relationships who may deal with us on your behalf; the devices you use to access our websites, mobile applications, and online services; credit bureaus; identify verification and fraud prevention services; marketing and analytics providers; public databases; social media platforms; and others consistent with this Privacy Notice. For more information, please see the “Why We Collect Personal Information” section of our Privacy Policy at bitpay.com/about/privacy.

For each of these categories, we share personal information with a variety of third-parties. These third-parties include: other BitPay entities; service providers; marketing and advertising providers; analytics providers; law enforcement, government officials, or other third parties pursuant to a subpoena, court order, or other applicable legal process or requirement; and merchants in cases of suspected fraud or in connection with an ongoing investigation.

Sale and Disclosure of California Personal Information

Within the last 12 months, within the meaning of the California Consumer Privacy Act, we have sold California Personal Information identified in the above categories (A-G). This includes the use of cookies on our website, including those placed by third parties. You can configure your browser to prevent the placement of cookies when using our site. To learn more about cookies, please see our Cookie Policy or your browser help documentation for more information.

Within the last 12 months, we have disclosed California Personal Information identified in the above categories (A)-(G) for our business purposes. To learn more about the categories of third parties with whom we share such information, please see the “How We Share Personal Data with Third Parties” section of our Privacy Policy at bitpay.com/about/privacy.

We do not disclose personal information of individuals we know to be under the age of 16 to business or third parties for monetary or other valuable consideration as a “sale” under California law, without affirmative authorization.

Use of California Personal Information

For each of the above categories, we use the California Personal Information we collect for the business purposes disclosed within this Privacy Notice. Please note that the business purposes for which we may use your information include:

  • Audits and reporting relating to particular transactions and interactions, including online interactions, you may have with us or others on our behalf;
  • Detecting and protecting against security incidents, and malicious, deceptive, fraudulent or illegal activity, and prosecuting the same;
  • Debugging to identify and repair errors in our systems;
  • Short-term, transient use including contextual customization of ads or website;
  • Providing services on our behalf or on behalf of another, including maintaining or servicing accounts, providing customer service, fulfilling transactions, verifying identity information, processing payments, and other services;
  • Conducting internal research to develop and demonstrate technology; and
  • Conducting activity to verify, enhance, and maintain the quality or safety of services or devices which we may own, control, or provide.

We may also use the information we collect for our own or our service providers’ other operational purposes, purposes for which we provide you additional notice, or for purposes compatible with the context in which the California Personal Information was collected.

Your California Rights

If you are a California resident, you have certain rights related to your California Personal Information. You may exercise these rights free of charge except as otherwise permitted under applicable law. Submit a request under the CCPA or call us toll-free at +1 (888) 914-9661 (PIN: 910 593).

Right to Access/Know. You may request that we disclose to you:

  • the categories of California Personal Information we have collected about you;
  • the categories of sources from which the California Personal Information is collected;
  • our business or commercial purpose for collecting or selling California Personal Information;
  • the categories of third parties with whom we share California Personal Information; and
  • the specific pieces of information we have collected about you.
  • To the extent that we sell your California Personal Information within the meaning of the California Consumer Privacy Act or disclose such information for a business purpose, you may request that we disclose to you:
  • the categories of California Personal Information that we have collected about you;
  • the categories of California Personal Information about you that we have sold within the meaning of the California Consumer Privacy Act and the categories of third parties to whom the California Personal Information was sold, by category or categories of personal information for each third party to whom the California personal information was sold; and
  • the categories of California Personal Information about you that we disclosed for a business purpose.

Right to Delete. You have the right to request that we delete California Personal Information about you which we have collected from you.

Right to Opt-Out and Right to Opt-In. You have the right to direct us to not sell your personal information at any time (the “right to opt-out”).

Verification

As required under applicable law, please note that we may take steps to verify your identity before granting you access to information or acting on your request to exercise your rights. We may require you to provide information to verify your identity in response to exercising requests of the above type, including name and account information. We may limit our response to your exercise of the above rights as permitted under applicable law.

Nondiscrimination

Subject to applicable law, we may not discriminate against you because of your exercise of any of the above rights, or any other rights under the California Consumer Privacy Act, including by:

  • Denying you goods or services;
  • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • Providing you a different level or quality of goods or services; or
  • Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Contact Information

You may contact us with questions or concerns about our privacy policies or practices at dpo@bitpay.com.

Submit a request under the CCPA or call us toll-free at +1 (888) 914-9661 (PIN: 910 593).

Changes to this policy

We may amend this policy at any time by posting a revised version on our website. The revised version will be effective at the time we post it. In addition, if the revised version includes any substantial changes to the manner in which your Personal Data will be processed, we will provide you with 30 days prior notice by posting notification of the change on the “Privacy Policy” area of our website.