Privacy Policy

This Privacy Policy (the Policy) describes how Copper collects, uses and shares the information you provide to us and the information we collect in the course of operating our business and our websites. We comply with the applicable data protection laws of Switzerland, namely the Swiss Federal Act of 19 June 1992 on Data Protection (FADP), where any reference to the FADP shall always also include a reference to the Ordinance of the FADP (the OFADP), and of the European Union, in particular the General Data Protection Regulation (GDPR).

We may revise this Policy at any time by amending this page. We therefore recommend that you check this page on a regular basis to take notice of any changes we make. This Privacy Policy was last updated on 20 February 2023.

General Information

In this Policy, when we refer to Copper or “we”/“us”/“our” we mean Copper Markets (Switzerland) AG, registered in the Commercial Register of the Canton of Zug under No. CHE-477.629.838. Our registered office is at Gubelstrasse 24, 6300 Zug, Switzerland. You can find contact details in the Contact us section of our website.

Who we are

Copper is a FinTech scale-up and go-to provider of safeguarding and trading infrastructure for digital assets. We create and maintain the systems that enable vast sums of crypto-assets to move quickly and securely between exchanges and hedge funds, private banks and family offices. Your interest in our Crypto Asset Services is highly appreciated.

Purpose of this Policy

Copper takes your data protection very seriously and is committed to protecting your personal data and client confidentiality. In order to ensure that Copper complies with data protection laws and regulations, this Policy sets out the way in which personal data you provide to us is processed and kept secure by Copper, and your rights under data protection laws and regulations. It applies whenever we handle your personal data (including when you use our website or other digital platforms or register for our service), so please read it carefully. Which specific data are processed and how they are used depends largely on the services requested or agreed in each case. Before registering for or using Copper services, and in particular before entering any personal data, you need to understand our practices regarding your personal data, how we will treat your personal data and the basis on which it could be disclosed to third parties. We process personal data in compliance with the provisions of the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).

Outsourcing

When we collect and process your personal information, Copper is the controller of data. Copper can transfer personal data to affiliated companies outside Switzerland, in particular to Copper Technologies (UK) Limited in London. Copper warrants adequate protection for personal data in situations in which the data is transferred to another country for the purpose of processing such data on behalf of Copper.

What is personal data / client registration

“Personal data” is anything which enables us to identify you in some way, such as a name, email address, or an online identifier such as an IP address that we can link to you. You may be asked to provide personal data through our digital channels such as the website. In order to register as a new client, e.g. a corporate client, we might collect the following data:

  • Company name / Company address

  • First and Last name / copy of passport

  • E-Mail Address / Phone Number / Residential Address

  • Your wallet ID

  • Some additional information, e.g. what kind of service is desired, to ensure compliance with KYC/AML requirements (Art. 6 para. 1 Anti-Money Laundering Act, AMLA).

We collect these data to fulfil our pre-contractual and contractual legal obligations within the meaning of Art. 13 para. 2 FADP and of Art. 6 para. 1 lit. b GDPR. The processing of personal data is not limited to the personal data of our clients; it also includes suppliers, prospects, website users, employees, job applicants, vendors and third parties. Our aim is to limit the processing of these data to a necessary minimum and in accordance with the applicable laws and regulations.

Updating your personal information

If you need to change or amend your personal information, including your contact details, please notify Copper as soon as possible in writing; details can be found below.

Third party links

Please note that our website may contain links to third party websites / digital platforms which are provided for your convenience. We recommend that you check the privacy and security policies and procedures of each and every other website / digital platform that you visit.

Origin of personal data that we collect

We collect personal data to the extent that is legally permitted and in particular from the following sources:

Personal data that is given to us by the data subject

  1. We will process personal data that you give to us including when you email us or contact us through various channels as follows:

  2. Signing up for services on our website: when you sign up for newsletters, webinars, participating in discussion boards or other social media functions, events or digital asset acquisition or storage services from us or when you contact us with queries or respond to our communications.

  3. In connection with our provision of digital asset acquisition and storage services: namely for the account opening you will provide us with personal data when you or the company you represent becomes a client of Copper. If you are not a client we may collect or receive your personal information because you are involved in one of our client’s matters.

  4. Recruitment application: when you apply for a role with us you may provide us with your personal data submitted directly by you as well as third party agencies and recruiters on your behalf. We only process the personal data we need in order to assess your suitability for the position you apply for.

Personal data we obtain from other sources

  • If you apply for a position with us we may collect personal data relating to past employment, qualifications and education, opinions from third parties about you, past employment history and other details about you, which will be provided to us by a third party that provides background screening services to us. We may also ask for information from official registers such as criminal records checks or credit history.

  • Personal data that is necessary for the facilitation of products and services that we offer on the Copper Platform and that is transmitted to us via the technical infrastructure (e.g. login information for Copper Unlimited, payment and trading transactions or collaborations with financial or IT service providers).

  • Personal data from third parties, such as authorities, sanction lists (e.g. SECO, UNO/EU), Worldcheck or search information providers.

  • Personal data that is publicly accessible (e.g. public register information, public social media platforms).

Purpose and usage of data

We may process personal data as described below to the extent legally permitted:

  1. Digital asset acquisition and storage services, improving and managing our products and services as well as to update the data of individuals with whom we maintain a business relationship;

  2. Market research, marketing and business development activity in relation to our services. This may include sending you newsletters, marketing communications and other information that may be of interest to you, events for clients, prospects, etc.;

  3. Reviewing and processing job applications;

  4. Compliance, legal and/or regulatory disclosure, notification and reporting obligations to authorities, including but not limited to money laundering and terrorist financing;

  5. Exercise or defend our legal rights or for the purpose of legal proceedings against us or our employees and clients;

  6. Managing, controlling and monitoring business related decisions and risk, processing business in appropriate time e.g. investment profiles, limits, operational and fraud risk.

Grounds for processing your personal data

We rely on the following legal grounds to process your personal information:

On the basis of your consent

Art. 13 para. 1 FADP; Art. 6 para. 1 lit. a GDPR Consent – insofar as you have agreed to the processing of your personal data for specific purposes. You can withdraw your consent at any time by contacting us (see below).

For fulfilment of contractual obligation

Art. 13 para. 2 lit. a FADP; Art. 6 para. 1 lit. b GDPR Performance of a contract in order to provide you with crypto services or to perform pre-contractual measures in order to proceed with a request – the purposes of data processing are mainly in compliance with the specific products and services and may include needs assessments, support as well as carrying out transactions.

For compliance with a legal obligation

Art. 13 para. 1 FADP; Art. 6 para. 1 lit. c GDPR or in the public interest Art. 6 para. 1 lit. e GDPR Compliance with law or regulation – we are subject to various legal obligations, in particular statutory requirements such as the Anti-Money Laundering Act, financial supervisory ordinances and circulars, and tax law. The purposes of processing include assessment of identity, anti-fraud and anti-money laundering measures, the fulfilment of tax law and reporting obligations and the assessment of risk.

For the purpose of protecting legitimate interest

Art. 13 para. 1 FADP; Art. 6 para. 1 lit. f GDPR Legitimate interest – we may process your personal data where necessary to safeguard our legitimate interests or those of a third party, some examples of which are given above, e.g. guarantee of IT security, prevention and clarification of crimes, asserting legal claims and marketing.

For all data processing in the points 3.1.2. – 3.1.4 the legal basis is given by the necessity of fulfilling a legal obligation. For those cases there is no need for your prior consent to process this data.

How we share personal data with third parties

In addition we contract with third party service providers and suppliers to deliver certain services. Copper adheres to the requirement to have Data Flow Agreements in place with each of its providers so that they process your personal data in accordance with this Policy. This may include:

  1. Third party suppliers or contractors, bound by obligations of confidentiality, in connection with the processing of your personal data for the purposes described in this Policy. This may include, but is not limited to, IT and communications service providers or website hosting companies. Our website is hosted on servers based in the UK and operated by AWS.

  2. Third parties relevant to the digital asset acquisition and storage services that we provide. This may include, but is not limited to, counterparties to transactions and other professional service providers.

The following third parties may also have access to your personal information:

  1. any other person who is authorised to act on your behalf;

  2. regulators, government departments, law enforcement authorities, tax authorities and insurance companies;

  3. any relevant dispute resolution body or the courts; and

  4. persons or businesses in connection with any sale, merger, acquisition, disposal, reorganisation or similar change in our business.

If we transfer your personal information outside Switzerland and the EU or the EEA (so called third countries), service providers are obligated to comply with the data protection levels in Switzerland and Europe in addition to written instructions by agreement to the standard contractual clauses. In all cases, however, any transfer of your personal information will be compliant with applicable rules and regulations.

Storage of data and data security

How long we hold your personal data for will vary and will depend principally on:

  1. the purpose for which we are using your personal data – we will need to keep the information for as long as is necessary for the relevant purpose, and

  2. legal obligations – laws or regulation have set a minimum period for which we have to keep your personal data.

According to Swiss regulations, business communication, contracts, account opening forms, accounting documents and reports must be stored for up to 10 years. We will not hold your personal data for any longer than is necessary, unless we are required to keep your personal data longer to comply with the statutory retention period. We will ensure that your stored data is subject to appropriate security measures, which are continually improved by new technological developments.

Data subject rights

You have a number of legal rights in relation to the personal information that we hold about you and you can exercise your rights by contacting us using the details set out below.

Your rights include:

  1. The right to access the personal information held about you (Art. 8 FADP; Art. 15 GDPR);

  2. The right to have your personal information rectified if it is inaccurate or incomplete (Art. 5 FADP; Art. 16 GDPR);

  3. The right to erasure as long as there is no legal basis that allows us to further process such data (Art. 5 FADP; Art. 17 GDPR);

  4. The right to restrict the processing of your personal information under certain conditions (Art. 12, 13, 15 FADP; Art. 18 GDPR);

  5. The right to object to certain processing of personal data (Art. 4 FADP; Art. 21 GDPR);

  6. If applicable, the data portability rights - under some circumstances, receiving some personal data that you have provided to us in a readable format (Art. 20 GDPR);

  7. If applicable, the right to lodge a complaint with a supervisory authority for an EU or EEA member country (Art. 77 GDPR); and

  8. Where you have provided consent to the processing of personal data, the right to request to withdraw such consent at any time. Please note that the revocation will only take effect in the future.

Please note that if you choose to exercise your rights to have personal data restricted or deleted, then we may not be able to provide you with a full service.

The provisions of money laundering law require that we verify your identity before establishing the authority / authorization, e.g. by means of your passport and that we record your name, date of birth, address etc. In order to complete this statutory obligation, you must provide us with the necessary information and documents and notify us without delay of any change that may arise during our business relationship. Without necessary information and documents, we will not be allowed to enter or continue the business relationship.

We do not make decisions based solely on automated processing, including profiling, as defined in Art. 22 GDPR, to establish or implement the business relationship.

How to contact us

You may contact us in writing to the DPO email address or via regular mail to the address indicated below.

Email: dpo@copper.co

Post: Data Protection Officer, Copper Markets (Switzerland) AG, Gubelstrasse 24, 6300 Zug, Switzerland.

If you are not satisfied with the response you receive from us or how we handle your personal information, then please let us know. We will examine your issue and improve, where necessary. We understand how crucial the protection of personal data is, especially in an online environment.

CPRA Notice to Applicants, Employees, Principals and Consumers

Last updated: 20 February 2023

This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS supplements the information contained in the Privacy Policy of Copper Markets (Switzerland) AG and its subsidiaries (collectively, “Copper,” “we,” “us,” or “our”), including Copper Technologies (US) Inc., and applies solely to visitors, applicants, employees, persons who manage and administer Copper but are not employees such as board members (“principals”), and others who reside in the State of California (“consumers” or “you”). Any terms defined in the CCPA as amended by the California Privacy Rights Act (“CPRA”) have the same meaning when used in this notice. This information should be read together with the rest of our Privacy Policy.

Information We Collect

We collect personal information to operate and manage our business. In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

| Category | Potential Examples |
| --- | --- |
| 1. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. |
| 2. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. |
| 3. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). |
| 4. Commercial information. | Information you provide when you interact with us and our website, including intranet, browsing history, passwords, travel information and reimbursement requests, and information about the products or services we offer to you. |
| 5. Geolocation data. | The geographic location of your mobile device and laptop. |
| 6. Professional or employment-related information. | Current or past job history or performance evaluations. |
| 7. Other information collected electronically. | Biometric, audio, electronic and visual data collected in relation to access to Copper’s systems, IT hardware or secured access points. |

Personal information does not include:

  • Publicly available information sourced from government records.

  • De-identified or aggregated consumer information.

  • Information excluded from the CPRA’s scope, like:

    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; or

    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Use of Personal Information

We may use each of the categories of personal information described above for one or more of the following purposes:

  • To fulfill or meet the reasons for which the information is provided, including hiring, retention and employment purposes.

  • To provide you with information, products or services that you request from us.

  • To provide you with email alerts and other notices concerning our products or services, or events or news, that may be of interest to you.

  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.

  • To improve our website and accurately provide you with the information you are seeking.

  • For testing, research, data analysis and product development.

  • As necessary or appropriate to protect the rights, property or safety of us, our applicants, employees, principals, customers or others, including conducting risk and security controls, monitoring, implementing quality and safety assurance measures and performing other internal functions such as accounting, audit and internal investigations.

  • To respond to law enforcement requests and as required by applicable law, court order, governmental regulations and internal policies.

  • As described to you when collecting your personal information or as otherwise set forth in the CPRA.

  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.

  • Any other purposes authorized by the California Privacy Protection Agency, California or Federal law.

We use or disclose sensitive personal data for the following purposes only: providing the products and services you request, as well as improving those offerings; operating and overseeing our business; protecting rights and interests; and for purposes that do not infer characteristics about consumers.

Retention

We retain the categories of information described above for so long as reasonably necessary and proportionate to fulfill the business purposes set out above. The criteria that inform our retention practices include legal requirements, contractual requirements, where retention is advisable in light of the company's legal position (including but not limited to with respect to litigation or regulatory investigations) and business needs. For example, we will retain your information during ongoing interactions with you, including pending inquiries about services, events and training registrations, and other matters, and for a reasonable period thereafter to enable any follow up of our correspondence and contact if needed.

Disclosure of Personal Information

In the preceding twelve (12) months, we have not sold or shared for cross-context behavioral advertising any personal information. We also have not knowingly sold or shared for cross-context behavioral advertising personal information for minors less than sixteen (16) years of age.

We may disclose your personal information for a business purpose. In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:

Category 1: Identifiers.

Category 2: California Customer Records personal information categories.

Category 3: Protected classification characteristics under California or federal law.

Category 5: Geolocation data.

Category 6: Professional or employment-related information.

Category 7: Other information collected electronically.

We disclose your personal data as follows:

  • To, for example, improve our offerings, our Affiliates may receive the information we collect directly from our employees, principals, customers or their agents; indirectly from our employees, principals, customers or their agents; directly and indirectly from activity on our website; and from third parties that interact with us in connection with the services we perform.

  • To provide certain services, our vendors and business partners may receive the information we collect directly from our employees, principals, customers or their agents; indirectly from our employees, principals, customers or their agents; directly and indirectly from activity on our website; and from third parties that interact with us in connection with the services we perform.

  • Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you.

Categories of Sources

We obtain the categories of personal information listed above from the following categories of sources:

  • Directly from our employees, principals, customers or their agents, including references, recruiters or job-related social media platforms. For example, from documents that our employees provide to us related to their employment applications.

  • Indirectly from our employees, principals, customers or their agents, including references, recruiters or job-related social media platforms. For example, through information we collect from our employees in the course of processing their employment applications.

  • Directly and indirectly from activity on our website. For example, from submissions through our website portal or website usage details collected automatically.

  • From third parties that interact with us in connection with the services we perform. For example, from background check companies, drug testing facilities, claim administrators and investigators.

We may or may not collect all of the information identified about you.

Your Rights and Choices

The CPRA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CPRA rights and explains how to exercise those rights.

Consistent with applicable law, you may request notice of and access to certain information about our collection and use of your personal information. Once we receive and confirm your verifiable consumer request, we may disclose to you:

  • The categories of personal information we collected about you.

  • The categories of sources for the personal information we collected about you.

  • Our business or commercial purpose for collecting or selling that personal information.

  • The categories of third parties with whom we share that personal information.

  • The specific pieces of personal information we collected about you (also called a data portability request). As we do not sell personal information, if we disclosed your personal information for a business purpose, we would provide a list identifying the personal information categories that each category of recipient obtained.

You may request that we correct personal information about you that is inaccurate. You may request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete or de-identify (and direct our vendors to delete or de-identify) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our vendors to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.

  • Help to ensure security and integrity to the extent the use of the personal information is reasonably necessary and proportionate for those purposes.

  • Debug products to identify and repair errors that impair existing intended functionality.

  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.

  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).

  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.

  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us and compatible with the context in which you provided the information.

  • Comply with a legal obligation.

Exercising Your Rights

To exercise the access, data portability, deletion, and correction rights described above, please submit a verifiable consumer request to us by either:

  • Emailing us at DPO@copper.co

  • Writing to us at: Copper Technologies (US) Inc., Suite 9A, 817 Broadway, New York, NY 10003 USA

Only you or an authorized agent may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.

  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Non-Discrimination

We will not discriminate or retaliate against you for exercising any of your CPRA rights, although some of the functionality and features available on the service may change or no longer be available to you. Any difference in the services is related to the value provided.

Changes to Our Privacy Notice

We reserve the right to amend this privacy notice at our discretion at any time. Any changes will become effective at the “Last Updated” date. If we make a material change to this privacy notice, we will update the “Last Updated” date on this privacy notice.

Contact Information

If you have any questions or comments about this notice, our Privacy Policy, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Email: DPO@copper.co

Postal Address: Copper Technologies (US) Inc., Attn: Data Protection Manager, Suite 9A, 817 Broadway, New York, NY 10003 USA

Cookies

In common with many other website operators, we use standard technology called 'cookies' on our website. Cookies are small pieces of information that are stored by your browser on your computer's hard drive and they are used to record how you navigate this website on each visit.

We will also collect information when you use our services or when we otherwise interact or correspond with you. We use various technologies to collect and store information when you visit our websites, such as Google Analytics. We may, for example, collect information about the type of device you use to access the websites, your IP address and your geographic location, the operating system and version, your browser type, the content you view and features you access on our websites, the web pages and the search terms you enter on our websites. For information about how we use Cookies and the choices you may have, please see our Cookies Policy.