Changes to This Policy
The Personal Information
Personal Information Collected
We collect personal information to provide you with our services. When we require certain personal information from users it is because we are required by law to collect this information or it is relevant for specified purposes. Any information you provide to us that is not required is voluntary. You are free to choose whether to provide us with the types of personal information requested, but we may not be able to serve you as effectively or offer you all of our services when you do choose not to share certain information with us. For example, we collect personal information which is required under the law to open an account or execute a transaction. We also collect personal information when you use or request information about our services. We collect the following types of information:
- Personal Identification Information: Full name, date of birth, age, nationality, gender, signature, utility bills, photographs, phone number, home address, and/or email.
- Formal Identification Information: Tax ID number, passport number, driver’s license details, national identity card details, and/or photograph identification cards.
- Financial Information: Bank account information, and/or tax identification.
- Employment Information: Office location, job title, and/or description of role.
How Your Personal Information is Used
Our primary purpose in collecting personal information is to provide you with a secure, smooth, efficient experience. In general, we use personal information to create, develop, operate, deliver, and improve our services, and for loss prevention and anti-fraud purposes. We may use this information in the following ways:
To maintain legal and regulatory compliance
Some of our core services are subject to laws and regulations requiring us to collect and use your personal identification information, formal identification information, financial information, transaction information and employment information. For example, GSR must identify and verify customers using our services in order to comply with anti-money laundering and terrorist financing laws across jurisdictions. The consequences of not processing your personal information for such purposes is the termination of your account as we cannot perform the services in accordance with legal and regulatory requirements. EEA Residents: For individuals who reside in the European Economic Area (including the United Kingdom) or Switzerland (collectively “EEA Residents”), pursuant to Article 6 of the EU General Data Protection Regulation (GDPR) or any equivalent legislation (collectively “EEA Data Protection Law”), we process this personal information to comply with our legal obligations. To enforce our terms in our user agreement and other agreements. GSR handles very sensitive information, such as your identification and financial data, so it is very important for us and our customers that we are actively monitoring, investigating, preventing and mitigating any potentially prohibited or illegal activities, and/or violations of our posted user agreement or agreement for other services. The consequences of not processing your personal information for such purposes is the termination of your account as we cannot perform our services in accordance with our terms.
To provide service communications
We send administrative or account-related information to you to keep you updated about our services, inform you of relevant security issues or updates, or provide other transaction-related information. Without such communications, you may not be aware of important developments relating to your account that may affect how you can use our services.
To ensure quality control
We process your personal information for quality control and staff training to make sure we continue to provide you with accurate information. If we do not process personal information for quality control purposes, you may experience issues on the services such as inaccurate transaction records or other interruptions. Our basis for such processing is based on the necessity of performing our contractual obligations with you. We will not use your personal information for purposes other than those purposes we have disclosed to you, without your permission.
Information From Third Party Resources
From time to time, we may obtain information about you from third party sources as required or permitted by applicable law, such as public databases and ID verification partners. Public Databases & ID Verification Partners: We obtain information about you from public databases and ID verification partners for purposes of verifying your identity. ID verification partners use a combination of government records and publicly available information about you to verify your identity. Such information includes your name, address, job role, public employment profile, status on any sanctions lists maintained by public authorities, and other relevant data. We obtain such information to comply with our legal obligations, such as anti-money laundering laws. Pursuant to EEA Data Protection Law, our lawful basis for processing such data is compliance with legal obligations. In some cases, we may process additional data about you to ensure our services are not used fraudulently or for other illicit activities. In such instances, processing is necessary for us to continue to perform our contract with you and others.
How We Protect and Store Personal Information
We understand how important your privacy is, which is why GSR maintains (and requires its service providers to maintain) appropriate physical, technical and administrative safeguards to protect the security and confidentiality of the personal information you entrust to us. We may store and process all or part of your personal information in Hong Kong and elsewhere in the world where our facilities or our service providers are located. We protect your personal information by maintaining physical, electronic, and procedural safeguards in compliance with the applicable laws and regulations. For example, we use computer safeguards such as firewalls and data encryption, we enforce physical access controls to our buildings and files, and we authorise access to personal information only for those employees who require it to fulfil their job responsibilities. However, we cannot guarantee that loss, misuse, unauthorised acquisition, or alteration of your data will not occur. Furthermore, we cannot ensure or warrant the security or confidentiality of information you transmit to us or receive from us by Internet or wireless connection, including email, phone, or SMS, since we have no way of protecting that information once it leaves and until it reaches us.
How You Can Access Or Change
Rights in Relation to the Use of Your personal Information
Rights of access, correction and deletion
You have a right of access to the personal information that we hold about you under European data protection legislation, and to some related information. You can also require any inaccurate personal information to be corrected or deleted.
Retention of Personal Information
We store your personal information securely throughout the life of your GSR Account. We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting obligations or to resolve disputes. While retention requirements vary by jurisdiction, typical retention periods is for six (6) years.
International Transfers of Personal Information
While GSR is based in Hong Kong, our service providers may store, transfer, and otherwise process your personal information in countries outside of the country of your residence, including the United States, the Philippines, and possibly other countries.
EEA Users & Data
If you are a resident of the EEA, GSR is a controller with respect to your personal information. As a controller, we determine the means and purposes of processing data.
Legal bases for processing personal information
Our legal bases for processing under EEA Data Protection Law are described above in the sections entitled “How Your Information Is Used”. We may process your personal information if you consent to the processing, to satisfy our legal obligations, if it is necessary to carry out our obligations arising from any contracts we entered with you, or to take steps at your request prior to entering into a contract with you, or for our legitimate interests to protect our property, rights or safety of GSR, our customers or others.
Our Privacy Rights Dashboard allows you to set your communication preferences and make individual rights requests relating to your personal information. When we receive an individual rights request via email we may take steps to verify your identity before complying with the request to protect your privacy and security.
- Right to withdraw consent. You have the right to withdraw your consent to the processing of your personal information collected on the basis of your consent at any time. Your withdrawal will not affect the lawfulness of GSR’s processing based on consent before your withdrawal.
- Right of access to and rectification of your personal information. You have a right to request that we provide you a copy of your personal information held by us. This information will be provided without undue delay subject to some fee associated with gathering of the information (as permitted by law), unless such provision adversely affects the rights and freedoms of others. You may also request us to rectify or update any of your personal information held by GSR that is inaccurate. Your right to access and rectification shall only be limited where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated.
- Right to erasure. You have the right to request erasure of your personal information that: (a) is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (b) was collected in relation to processing that you previously consented, but later withdraw such consent; or (c) was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing. If we have made your personal information public and are obliged to erase the personal information, we will, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other parties that are processing your personal information that you have requested the erasure of any links to, or copy or replication of your personal information. The above is subject to limitations by relevant data protection laws.
- Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly used and machine-readable format, and to have us transfer your personal information directly to another “controller”, where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others. A “controller” is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of your personal information.
- Right to restriction of or processing. You have the right to restrict or object to us processing your personal information where one of the following applies:
- You contest the accuracy of your personal information that we processed. In such instances, we will restrict processing during the period necessary for us to verify the accuracy of your personal information.
- The processing is unlawful and you oppose the erasure of your personal information and request the restriction of its use instead.
- We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise or defense of legal claims.
- You have objected to processing, pending the verification whether the legitimate grounds of GSR’s processing override your rights.
Restricted personal information shall only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if the restriction is lifted.
- Notification of erasure, rectification and restriction. We will communicate any rectification or erasure of your personal information or restriction of processing to each recipient to whom your personal information have been disclosed, unless this proves impossible or involves disproportionate effort. We will inform you about those recipients if you request this information.
- Right to object to processing. Where the processing of your personal information is based on consent, contract or legitimate interests you may restrict or object, at any time, to the processing of your personal information as permitted by applicable law. We can continue to process your personal information if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law.
- Right to lodge a complaint. If you believe that we have infringed your rights, we encourage you to contact us first at firstname.lastname@example.org so that we can try to resolve the issue or dispute informally. You can also complain about our processing of your personal information to the relevant data protection authority. You can complain in the EU member state where you live or work, or in the place where the alleged breach of data protection law has taken place. In Hong Kong, the relevant data protection authority is the Privacy Commissioner for Personal Data.Privacy Commissioner for Personal Data’s office is located at 12/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong.
- Storage of your personal information. GSR will try to limit the storage of your personal information to the extent that storage is necessary to serve the purpose(s) for which the personal information was processed, to resolve disputes, enforce our agreements, and as required or permitted by law.
- Your rights to personal information are not absolute. Access may be denied when:
- Denial of access is required or authorized by law;
- Granting access would have a negative impact on other’s privacy;
- Granting access would have a negative impact on other’s privacy;
- To protect our rights and properties; and
- Where the request is frivolous or vexatious.
How to Contact Us