Privacy Notice

Effective date: 11 December 2024

This Privacy Notice ("Privacy Notice") describes the types of data that Push Virtual Assets Ireland Limited ("Push") and its affiliates collect about customers accessing our services, and users ("you", "your") of this website (https://www.push.co/) (the "Site") and our Push mobile application (collectively, the "Platform"). It also sets out how Push uses, shares, and protects such personal data. Please read this Privacy Notice carefully to understand Push's data practices.

Company Details

Entity name: Push Virtual Assets Ireland Limited
Status: Controller
Registered Address: Fourth Floor, One Molesworth Street, Dublin 2, Ireland
E-mail: [email protected]

Who Is in Scope of This Privacy Notice?

This Privacy Notice applies to the following categories of individuals:

  • Customers: Individuals who access or use Push's services through our Platform, including those who have registered accounts.
  • Prospective Customers: Individuals who express an interest in our services, engage with us during the onboarding process, or otherwise interact with us as potential users of the Platform.
  • Website Users: Visitors to our website (https://www.push.co/) or users of the Push mobile application who engage with the Platform without necessarily being registered customers.

This Privacy Notice does not apply to:

  • Employees and Other Staff: Personal data of employees, contractors, consultants, and other staff members is governed by a separate privacy notice, which is available to relevant individuals as part of their employment or contractual relationship with Push.
  • Other Third Parties: Any data provided in the context of business-to-business engagements or supplier relationships is not covered under this Privacy Notice.

If you are uncertain whether this Privacy Notice applies to you, please contact us at [email protected].

What Data Do We Collect About You?

Information You Give Us

The personal data we collect directly from you includes the following:

  • Name
  • Address
  • Phone number
  • Email address
  • Date of birth
  • Login credentials
  • Linked wallet address(es)
  • Linked bank account number(s) and sort code(s)
  • Photographic identification (which may include first name, last name, address, document number, date of birth, nationality, type of document, issuing country, expiration date, information embedded in barcodes, QR codes, security chips and features, and image metadata)
  • Likeness records including facial image (which may include image metadata and biometric data, extracted from such recorded videos or images provided by you to enable us to verify your identity)
  • Personal data included in any documentary evidence provided to us
  • Transaction records (including amounts, assets, dates and times)
  • Any information you voluntarily provide to us e.g., within communications sent to our Support team

Information Automatically Collected

We may automatically record certain information about how you use the Platform such as the data points listed below in order to administer and improve the Platform:

  • Your Internet Protocol ("IP") address
  • Device and browser type
  • Operating system
  • The URL of the website you visited prior to visiting the Platform
  • Information about your use of the Platform
  • Diagnostics and performance related information including website performance and error messages

Information Collected via Third Parties

We may collect information from third parties to enable us to maintain the Platform, meet our legal and regulatory obligations, and to help keep the Platform safe:

  • Information collected from public sources and databases
  • Blockchain data
  • Site usage
  • Customer experience and satisfaction survey data

No Collection of Personal Data of Minors

The Platform is not intended for minors and we do not knowingly collect personal information from individuals under the age of 18. If you believe that a minor under the age of 18 has provided us with personal data, please contact us with sufficient detail to enable us to delete that information.

How Do We Use Your Personal Data?

We use your personal data for the following purposes:

  • To administer, improve and optimise the Platform
  • To understand your needs and your eligibility for products and services
  • To provide the products and services to you
  • To develop, enhance, market and deliver products and services to you
  • To promote the security of the Platform
  • To conduct surveys and obtain feedback from you
  • To provide you with news and other matters of general interest to you as a Push customer
  • To provide you with information about developments and new products, including changes and enhancements to the Platform
  • To respond to your requests submitted via the Platform's contact forms or our email address noted above
  • To comply with applicable laws, regulations, regulators and authorities
  • Any other purposes that may arise from time to time and for which we will obtain your specific consent

Please note that we may use artificial intelligence ("AI") to assist us in the customer onboarding process (if permitted by applicable law), including to help us to authenticate your identity. However, it is important to note that we do not consider there to be any "automated decision making" in this regard for the purposes of the European Union General Data Protection Regulation ("EU GDPR") on the basis that any such decision should not create an outcome which produces legal or similarly significant effects which impact you.

Special Categories of Personal Data

Push processes special categories of personal data, including biometric data, for the purpose of identity verification. We rely on the legal basis that such processing is necessary for reasons of substantial public interest on the basis of the laws of the EU or its Member States. Push has assessed that this processing is proportionate to the aim pursued, respects the essence of the right to data protection, and includes suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

Legal Bases for Processing

For other types of personal data, Push relies on the following legal bases for processing:

  • Processing is necessary to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which Push is subject under the EU GDPR.

Third-Party Identity Verification

Push engages SumSub as its identity verification partner, which processes personal data, including special categories of personal data, as a processor to enable Push to perform identity verification. SumSub may also use personal data, including special categories of personal data, to train its proprietary algorithms, including those based on AI and machine learning. For more information on SumSub's data processing practices and legal bases, please refer to SumSub's Privacy Policy. Additionally, please ensure you review Annex A - Consent to Processing of Personal and Biometric Data for Identity Verification Purposes at the end of this Privacy Policy, which provides detailed information about how your data is processed and retained.

We are committed to processing your personal data in accordance with the purposes outlined above, but only where there is a lawful basis for such processing, and to the extent required by applicable laws. We engage in these processing activities as necessary to achieve the specified purposes, which may include fulfilling our contractual obligations to you, pursuing our legitimate interests, addressing legal claims or obligations, or complying with relevant legal requirements.

When we rely on our legitimate interests as a basis for processing your personal data, we do not use your personal data for activities if we determine that our interests are outweighed by any adverse impact on you, unless we obtain your explicit consent or are otherwise compelled or permitted to do so by applicable laws. Where we rely on your consent, you have the right to withdraw it at any time by contacting us at [email protected]. Please note that this will not affect the lawfulness of any processing undertaken before you withdraw such consent.

Our commitment to safeguarding your personal data and respecting your rights underpins our approach to data processing activities. Under no circumstances do we sell your personal data.

To Whom Do We Disclose Personal Data?

We do not disclose the personal data that you provide to us to other organisations without your express consent, except under the following circumstances:

  • Compliance with laws, regulators, authorities and related to legal proceedings: We may share personal data with regulators, courts and other authorities (e.g., law enforcement or tax authorities), for legal, protection, and safety purposes, including compliance with applicable laws and regulations, requests from regulators or other authorities, and court orders, as well as to prepare for and participate in legal or regulatory proceedings and investigations.
  • Professional advisors, business partners and service providers: We may share personal data with third parties who need such information to (i) assist us in providing our products and services via the Platform to you; or (ii) perform their work or services for us or on our behalf.
  • For business transfers: We may share or transfer your personal data in connection with, or during negotiations of any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
  • With affiliates: We may share your information with our affiliates, in which case we will require those affiliates to honour this Privacy Notice. Affiliates may include other companies that we control or that are under common control with us.
  • Other: You may permit us from time to time to share your personal data with other companies or entities of your choosing.

Push engages SumSub as its identity verification partner, which processes personal data, including special categories of personal data, as a processor to enable Push to perform identity verification. SumSub may also use personal data, including special categories of personal data, to train its proprietary algorithms, including those based on AI and machine learning. For more information on SumSub's data processing practices and legal bases, please refer to SumSub's Privacy Policy.

Do We Transfer Your Personal Data Internationally?

Push may transfer your personal data to jurisdictions outside of Ireland. These transfers are necessary to provide our services, comply with legal obligations, or for other purposes outlined in this Privacy Notice. When transferring personal data outside of Ireland, Push relies on one or more of the following legal mechanisms:

  • Adequacy Decisions: Where the European Commission has determined that a third country provides an adequate level of data protection equivalent to that of the EU.
  • Appropriate Safeguards: In the absence of an adequacy decision, Push ensures that data transfers are subject to appropriate safeguards, such as the Standard Contractual Clauses ("SCCs") approved by the European Commission.
  • Mutual Legal Assistance Treaties ("MLATs") or Exemptions: For transfers involving requests from law enforcement authorities in third countries, Push will only share personal data if the third country has an MLAT (in case of the EU), or an equivalent legal arrangement or exemption that ensures adequate protection of your data.

Push takes reasonable steps to ensure that your personal data is treated securely and in accordance with this Privacy Notice, regardless of the location of the data. If you have any questions about international transfers or require further information about the safeguards we apply, please contact us at [email protected].

What Security is Provided for Your Personal Data?

We understand the importance of safeguarding and ensuring the security of your data. We employ appropriate administrative, technical and operational safeguards designed to protect the security of personal data submitted through the Platform. These measures are aimed at providing ongoing security, integrity and confidentiality of personal data.

The following measures are employed to protect and store your data:

  • Encryption: All customer data is encrypted using industry-standard encryption protocols to ensure that your information remains confidential and cannot be intercepted by unauthorised parties.
  • Access Controls: Access to customer data is restricted to authorised personnel only. Our team members are trained on data protection and privacy best practices, and access to customer data is limited to those who require it to perform their job responsibilities.
  • Firewalls and Intrusion Detection: We employ robust firewall systems and intrusion detection mechanisms to protect against unauthorised access, malware, and other cyber threats. These security measures help us maintain the integrity and availability of your data.
  • Regular Security Audits: We conduct regular security audits and assessments of our systems and infrastructure to identify and address vulnerabilities promptly. This proactive approach helps us stay ahead of potential threats.
  • User Authentication: We implement secure customer authentication mechanisms to enhance the security of customer accounts.
  • Security Training: Our team members receive ongoing training and awareness programs to stay informed about emerging threats and best practices for data security and privacy.
  • Incident Response Plan: In the unlikely event of a data breach or security incident, we have a defined incident response plan in place. This allows us to respond promptly, mitigate potential harm, and notify affected parties as required by law.

By implementing these robust security measures and adhering to industry best practices, Push strives to provide a safe and secure environment for our customers.

How Long Is Your Personal Data Retained?

We retain your personal data only for as long as is necessary to provide services to you, to comply with our legal and regulatory obligations, and for the other purposes set out in this Privacy Notice to the extent permitted by applicable legal requirements.

As a general rule, personal data is retained for a period of seven (7) years after the end of your relationship with Push, in accordance with our recordkeeping policy. However, there may be circumstances where personal data is retained for a different period if required by applicable laws or regulatory obligations.

Records and internal policies are maintained in relation to the length of time each category of data is required to be kept. Any data that is no longer needed for any of the above purposes is deleted after the account is closed, or when you request deletion of your personal data.

Push may take steps to anonymise personal information collected from customers and users. In these circumstances, Push is permitted to use the data as it is no longer considered personally identifiable information.

What Are Your Rights?

The EU GDPR gives individuals the following specific rights over their personal data:

  • The right to access personal data held about you (the right of subject access)
  • The right to be informed about how and why your data is used
  • The right to have your data rectified, erased, or restricted
  • The right to object to or to restrict processing
  • The right to portability of your data
  • The right not to be subject to a decision based solely on automated processing

If you would like to exercise any rights afforded to you, please contact us at: [email protected].

There are exemptions and restrictions that can, in some circumstances, be legitimately applied to exempt or qualify the right of individuals to exercise their rights, but these shall only be leveraged in exceptional situations.

Requirement to Provide Personal Data

Please note that the provision of certain personal data is necessary for Push to comply with its legal and regulatory obligations, including identity verification and anti-fraud measures. Without this data, Push is unable to onboard you as a customer or continue providing services. Failure to provide the requested personal data may result in:

  • Inability to create or maintain your account
  • Suspension or termination of services

Complaints

In the event you find it necessary to submit a complaint about our use of your personal data or in respect of our response to your request regarding your personal data, you may submit a complaint via the following email address: [email protected].

Should you wish to escalate your complaint in connection with this Privacy Notice to the Ireland data protection authorities, you can contact them as follows:

Contact: Ireland Data Protection Commission
Telephone: (01) 765 01 00

Changes To This Notice

We will update this Privacy Notice when necessary, including to reflect customer feedback and changes to the Platform. When we post changes to this Privacy Notice, we will revise the "last updated" date at the top of the Privacy Notice.

We encourage you to periodically review this Privacy Notice to understand our data practices and the choices available to you.

Annex A - Consent to Processing of Personal and Biometric Data for Identity Verification Purposes

I hereby agree and express my voluntary, unequivocal and informed consent that personally identifiable information ("PII") including biometric information will be processed for the purposes specified in this consent of the organisation for which I pass the identity verification process (hereinafter - the "Company") that uses Sumsub Group of Companies (hereinafter - the "Service Provider" or "Sumsub") through which the Company collects and processes my PII and the biometric information. Please refer to the Privacy Notice here: https://sumsub.com/privacy-notice-service for details about the identity and contact details of Sumsub.

Categories of biometric data

My biometric information, to the processing of which by the Company and by the Service Provider I hereby agree and express my voluntary, unequivocal and informed consent, includes facial features or facial scans.

I hereby acknowledge and agree that facial images of myself are processed to confirm the liveness of my face and/or to confirm that a given identity document is presented by me, its legitimate owner.

Purposes of processing of biometric data

I hereby acknowledge and agree that processing shall be done for the purposes of the Company and may include matters of compliance with applicable AML/CFT, anti-fraud laws and regulations, age restrictions acts and/or other laws and regulations and/or the Company customer due diligence procedures in accordance with the laws governing the intended business relationship.

The processing of biometric data will also be carried out for other compatible purposes of the Service Provider acting as a separate business including service development, fraud and criminal activity prevention, as well as 'litigation hold' and statutory obligations of the Service Provider (for details please see the Privacy Notice available here: https://sumsub.com/privacy-notice-service).

How will the biometric data be processed

I hereby acknowledge and agree that Company and Service Provider shall process my biometric information by means of automated reading, verification of the authenticity and other automated processing as stated in the Privacy Notice available at https://sumsub.com/privacy-notice-service/, which includes the processing of facial scan while passing liveness, video-selfie or video identification process, biometric authorisation, face comparison from the photo of an identity document and the facial image, searching of multiple identity creation, work and development of fraud control network to detect and prevent fraud and criminal activity. The PII including biometric data may be disclosed to entities associated with Service Provider to achieve the purpose of the processing under this Consent. The Service Provider stores biometric information in AWS Amazon or Google Cloud (depending on the requirements of the Company on the place of data storage).

Retention of biometric data

I hereby represent that I have been informed that my PII will be retained and stored by Company and Service Provider and will be permanently destroyed based on the Company’s instructions when the Company’s initial purpose and/or retention period prescribed by applicable law expires. Where Service Provider independently defines the compatible purposes or under the legal obligation, the personal data, including biometric information, will be destroyed after Service Provider’s purposes for collecting the biometric information have been satisfied (and one (1) year of the date the purpose for collecting the data expires for residents of Texas) or after five (5) years from the provision of data to the Service Provider system, whichever occurs first. For the residents of Illinois, the retention period of personal data, including biometric information, will be three (3) years from the date of data provision to the Service Provider system. Please check how your PII will be deleted and destroyed in Service Provider’s Data Disposal and Destruction Policy at https://sumsub.com/privacy-notice-service/?id=#8.

I hereby represent that I have carefully read all of the above provisions and do voluntarily and unequivocally agree with them.