LAST UPDATED – 30 Nov 2022
1.2 Amber is committed to protecting the privacy of your personal data and to the security of your data. We respect privacy as a human right and uphold the rights of our customers to determine for themselves when, how, and to what extent their personal data is provided, shared with or communicated to others. We are trusted by our customers to maintain the confidentiality of personal data that is provided to us. We maintain robust cybersecurity safeguards to protect your personal data from loss, theft, unauthorised access and misuse.
2. Collection of Personal Data
2.1 When you supply personal data to us through the Amber App, we have legal obligations towards you in the way that we use your data. We must protect the data in a secure manner and we must explain to you how we use it. We must limit collection and use of your personal data to only the specific data that is reasonably necessary for us to provide our services to you.
2.2 By law, we are obligated to perform customer identification procedures before providing our exchange services. We are obligated to collect personal data and verify identification documents, so as to comply with ‘Know Your Customer’ (KYC) standards. KYC standards are adopted widely around the world to help counter fraud, corruption, money laundering and terrorist financing.
2.3 ‘Personal data’ means any data about you, from which your identity is apparent or can be uncovered. The personal data we collect about you may include but is not limited to: legal name, date of birth, email address, postcode, mobile phone number, device data, bitcoin address for external BTC withdrawals, Amber App settings and preferences as well as any additional personal data that you voluntarily provide to us.
2.4 We collect your personal data directly from you, through the Amber App. When you sign up for an account with us, you are asked to provide your full legal name, date of birth, postcode, email address and mobile phone number. When you are ready to use our exchange services, the Amber App will ask you to provide identification documents to enable verification of your identity. You are redirected inside the App to our third party service provider Persona, who confirms validation of your identity for us before redirecting you back to the Amber exchange.
2.5 When you install the Amber App, we may automatically log the standard data provided by your device. The specific data we collect can depend on the individual settings of your device and the access permissions you grant when you install and use the app. Data may include your device type and version, your activity within the app, internet protocol address, time, date, and other details about your usage.
2.6 When you encounter certain errors while using the app, we may automatically collect data about the error and the circumstances surrounding its occurrence. This data may include technical details about your device, what you were trying to do when the error happened, and other technical information relating to the problem.
2.7 Please be aware that while this information may not be personally identifying by itself, it may be possible to combine it with other data to personally identify individual persons. Access to such information is restricted to authorised Amber personnel and only for the purposes of troubleshooting an error.
3. Sensitive Personal Data
3.1 Sensitive personal data includes data about your race, ethnicity, political opinions, religious beliefs, criminal record, sexual preferences, health or biological data.
3.2 By design, we never seek or solicit sensitive personal data about you, as we have no business requirement or regulatory obligation to collect such information.
3.3 The exception applies in circumstances where:
3.4 your identity documents require additional supporting evidence in order to validate your identity, such as proof of gender change or proof of name change; or
3.5 You are a shortlisted candidate for a position at Amber that requires a criminal history check; or
3.6 You, your friend or family opt to volunteer sensitive personal data that is unsolicited by us e.g. through customer support channels.
4. Purposes for which we use your Personal Data
4.1 The main purpose for which we collect, store, use and disclose personal data is for regulatory compliance. Amber is registered as a digital currency exchange provider DCE100575713-002 under the Australian Transaction Reports and Analysis Centre (AUSTRAC). Amber is a reporting entity under the Anti‑Money Laundering and Counter‑Terrorism Financing regime which carries obligations on us, including but not limited to, the collection and verification of personal identity data for KYC compliance.
4.2 Other purposes for which we may use your personal data include to:
4.3 Perform internal business functions such as account administration, accounting and information technology systems maintenance;
4.4 Help us improve our services and develop our products to better meet customer needs;
4.5 Protect the Amber App against fraud and prevent it; and
4.6 Resolve transaction disputes, refunds or repatriation of funds back to the rightful owner.
5. Privacy Matters
5.1 Amber is a privacy and security conscious, bitcoin only software company that is committed to keeping the personal data you provide to us secure from loss, theft, unauthorised access and misuse.
5.2 Amber’s values go above and beyond instilling a culture of data protection by design and by default. As a bitcoin only company, we believe that everyone should strive to use bitcoin in a more private manner and this is reflected in every element of our product design and service.
5.3 Privacy is the right to have informed expressed consent about the collection, usage and handling of your personal data. Privacy is the right to not have your personal data monetised and/or misused by others, by default. Privacy is not secrecy. Choosing to remain private does not imply that one has secrets or has something to hide. Privacy is the right to selectively reveal oneself to the world as required.
5.4 How much money or bitcoin you have and where you spend it is not necessarily a secret matter. It should, however, be a private one. Most would agree that your boss, your landlord or even your spouse should not need to know the details of how you choose to spend your salary (Matt Odell and Gigi, 2021).
5.5 We at Amber value your privacy and security and work tirelessly to balance these values with seemingly conflicting KYC obligations under anti-money laundering regulations. At Amber, we actively seek innovative solutions to ‘age old problems’ using open-source architecture, decentralised, secure, scalable, reliable, interoperable and purpose built solutions that are globally available. Our privacy and security values are reflected throughout our culture, products, systems, policies and processes.
6. Protection of Personal Data
6.1 We make use of modern robust security techniques to protect your personal data including but not limited to secure servers, firewalls, access control restrictions, limiting PII data collected, use of data tokens, aggregated anonymised data, two factor authentication, captchas, password managers, monitoring of activity logs, employee cybersecurity awareness and industry standard encryption for data both in transit and at rest.
6.2 Part of the service we provide to Amber App users behind the scenes is fraud detection, which relies on both automatic flagging of suspected fraudulent activity and trained human observation, investigation, management and technical oversight.
6.3 The Amber website uses SSL/TLS encryption for security and to prevent data that you send to us being intercepted by third parties. You can recognize an authentic encrypted connection by the address line of your browser changing from “http://” to “https://” and by the lock symbol 🔒 in your browser line.
6.4 We do our best to provide multiple layers of protection around the personal data you provide us, however no method of electronic transmission or storage is 100% secure, and no one can guarantee absolute data security.
6.5 For privacy and security reasons, Amber would prefer to not collect your personal identification data in the first instance. However, we are obligated by law to collect personal data about you in order to maintain our registration, continue to offer you exchange services and to continue to assist law enforcement and regulators with fighting financial crime.
6.6 We have in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where it is appropriate to do so.
6.8 We protect the personal data and privacy of our customers by meeting the standards set by the General Data Protection Regulation (GDPR) of the European Union (“EU”). Although Amber does not currently operate an establishment within the EU, the Amber App does offer our services to citizens within some EU nations and Amber has an EU representative based in Portugal.
7. Data Transfers
7.1 To facilitate our global operations, Amber may securely transfer your personal data outside of the EU to our third-party partners and service providers based throughout the world.
7.2 In cases where we transfer personal data outside of the EU, Amber puts in place suitable technical, organisational and contractual safeguards to ensure that the data transfer is carried out in compliance with data protection rules. This ensures that your personal data is transferred and held securely and that your rights as a data subject are upheld. Transfers of personal data are either made:
7.3 to a Country that has had a determination by the European Commission as providing an adequate level of protection; or
7.4 to a Country which does not have an EU adequacy decision but where data transfer has been governed by standard contractual clauses approved by the European Commission or by implementing other appropriate cross-border transfer solutions to ensure adequate protection.
8. Compliance with Privacy Laws and Regulations
8.1 Under the GDPR, Amber is the “data controller” of personal data that is provided to us. We comply with the high standards of personal data handling as laid out in the GDPR. By default, many of the rights and protections afforded to EU citizens by the GDPR standards are also afforded to customers outside of our EU customer base.
8.2 In addition to the GDPR, Amber also manages personal data in accordance with the California Consumer Privacy Act (2018) and the Australian Privacy Principles which are part of the Privacy Act (Cth) (1988).
8.3 Amber acknowledges that laws and regulations pertaining to the operation of a bitcoin brokerage mobile application are presently in their infancy across jurisdictions worldwide.
8.4 It is anticipated that new laws and regulations will emerge that may impose additional obligations or restrictions on our ability to continue to provide you with our services. Amber is operationally poised to comply with relevant laws and regulations, once passed and once specific obligations on exchange services have been prescribed by regulators.
8.5 Future laws and regulations may become enacted and enforced in your residential jurisdiction that may consequently require the Amber App to cease providing our services in your Country of residence. If such a situation arises, Amber undertakes to assist you with account withdrawal services and/or support with self custody or transfer to alternative service providers.
9. Disclosure of Personal Data to Third Parties
9.1 Amber contracts other companies as third parties, to perform functions on our behalf. We share restricted access personal data with our third party contractors where they have a legitimate interest for specific personal data, in order to perform functions on our behalf. Examples of third party service providers include data storage and IT hosting, communication services, payment service providers, banks and financial institutions and data analytics services.
9.2 Our third party contractors will only process your personal data on our instructions and they are subject to a duty of confidentiality. Under the GDPR, all third parties act as “data processors” for Amber. Third-party service providers must process the personal data in accordance with our contractual agreements which include sufficient guarantees that appropriate technical and organisational measures are in place to protect and secure your data in the form of intercompany agreements based on the Standard Contractual Clauses.
10. Storage, Processing and Use of Personal Data
10.1 By design, Amber collects the minimum amount of personal data that we are obligated to collect in order to provide our services to you. Our third party service providers assist us in delivering services to you and they perform a variety of functions including payment processing, administrative, statistical and technical services.
10.2 Data that we collect about you may be encrypted and stored or processed by third party service providers with data centres located outside of Australia and/or the EU such as Google Analytics, Microsoft Azure, Amazon Web Services. This does not materially impact your fundamental rights, freedom or interests.
10.3 We are committed to maintaining the confidentiality and privacy of the personal data that you provide to us. There are no circumstances in which Amber would sell, trade, rent or profit from disclosing your identifying personal data to others.
10.4 Where it is necessary for our legitimate interests of providing you with exchange services and your fundamental rights do not override those interests, we may disclose specific personal data to third party organisations. Examples of where we may disclose elements of your personal data, include to:
10.5 Government approved identity verification service providers, who help us verify your identity (eg. Persona, Rapid ID and Pepchecker.com);
10.6 Regulated payment gateway service providers (eg. sendwyre.io and checkout.com) who help us provide you with payment gateways to our exchange service, to and from your bank account or credit/debit card;
10.7 Regulated banks and financial institutions (ie. to assist with resolving any customer transaction disputes);
10.8 Law enforcement agencies who ask us to provide specific personal data to assist them with criminal investigations;
10.9 Third party service providers to assist us with detection, prevention and management of fraud and security issues; or
10.10 A relevant entity, in the event of a corporate acquisition, merger, re-organisation, dissolution or similar event.
10.11 With your consent and right to opt out at any time, Amber may also disclose elements of your personal data to our third party service providers for marketing purposes. Examples include:
10.12 Marketing contractors who provide you with updates and information about our products or services;
10.13 Service providers whom we consider may provide services or products you may find useful and complementary to the Amber app.
11. Aggregated Anonymised Personal Data
11.1 To the greatest extent possible, we make use of aggregated data that is anonymised. Aggregated anonymised data does not contain any personally identifiable information that could be linked back to identify you. An example of where we may use anonymised aggregated personal data is in business analytics, market research and customer surveys.
11.2 We may use, sell, redistribute and disclose de-identified aggregated information to third parties to assist us in delivering products and services. An example of where we may disclose anonymised aggregated personal data to a third party is in presentations to current and future investors where we may share overall data on composition of our customer base as well as trends and preferences.
12. Google Analytics
13.1 When you browse our www.amber.app website, we collect anonymous data about your interaction with the website. Logs capture data such as your server internet protocol address, date and time of your visit, pages and links visited, type of browser and type of device used.
13.2 Cookies are small pieces of digital information which are sent to your browser and stored on your computer’s hard drive. This is purely to increase the functionality of the site. Cookies do not damage your computer and you can set your browser to notify you when you receive a cookie so that you can decide if you want to accept it.
13.3 Since a cookie is an anonymous individual identifier, it does not contain or send any personal data to the website that stored it on your computer, but only enables faster and more efficient activation of information, data and settings previously communicated during access and use of the website.
14. If You Don’t Provide Some Personal Data to Us?
14.1 At Amber, we respect that personal data is your personal property and you have rights to determine who gets access to what personal data and how it is to be used. If you do not wish to provide us with some or all of the personal data that we ask for, we may not be able to provide you with our exchange services.
16. How Long Do We Keep Your Personal Data?
16.1 We keep your personal data only for as long as is reasonably necessary for the purpose for which it was collected, which is generally only as long as you are a customer of ours. In some jurisdictions we are required to adhere to data retention time periods after you cease to be a customer. We keep de-identified and aggregated information, which cannot be linked back to identify you, for as long as we may need it.
16.2 As a data subject you have a number of rights in relation to your personal data. Below, we have described the various rights that you have as well as how you can exercise them.
17. Your Right of Access
17.1 You may request access to the personal data that we hold which relates to you. Please note that this right entitles you to receive a copy of personal data that we hold about you in order to enable you to check that it is correct and to ensure that we are processing that personal data lawfully. It is not a right that allows you to request personal data about other people, or a right to request specific documents from us that do not relate to your personal data.
17.2 You can exercise this right at any time by emailing a request to us at [email protected] or making a request through our secure in-app customer support channel. You do not have to fill in a specific form to make this kind of request. In some cases we may request information to confirm your identity so as to ensure that the personal data is delivered to the rightful owner.
18. Your Right to Rectification and Right to be Forgotten
18.1 You may exercise your right to rectification of your personal data by asking that we amend the personal data that we hold about you, which you consider is incorrect. Please note that we may ask you to verify any new data that you provide to us and may take our own steps to check that the new data you have supplied us with is correct.
18.2 You may exercise your right to rectification at any time by emailing a request to us at [email protected] or making a request through our secure in-app customer support channel. You do not have to fill in a specific form to make this kind of request, however you will need to tell us what data is incorrect and what new data should be used as its replacement.
18.3 If you believe that we no longer need to continue retaining your personal data, you can exercise your right to be forgotten, at any time, by asking us to erase your personal data that we have under our control. You can email a request to us at [email protected] or make a request through our secure in-app customer support channel. You do not have to complete a specific form to make this kind of request.
18.4 In most situations, erasure of your personal data is a simple process and will result in account deactivation. Please note that you will no longer be able to use exchange functions of the Amber App once your personal data is erased.
18.5 In some circumstances, depending on your residential jurisdiction, it may not always be possible to erase all of your data as there may be legal requirements upon us, to retain certain personal data or there may be technical limitations to the scope of data we can delete. We will do everything to respect your request for erasure of your personal data. If we are unable to completely erase all your data due to technical limitations, we will tell you this and our reasoning at the time we respond to your request.
19. Your Right to Restrict or Object to Processing
19.1 We process your personal data on the basis of legitimate interest in providing you with our exchange services. You can exercise your right to object to processing by asking us to stop processing your personal data. To exercise your right you must establish that you feel processing your personal data impacts on your fundamental rights and freedoms or you feel that our legitimate interests are no longer valid.
19.2 You may also object and ask us to stop processing your personal data (a) if you dispute the accuracy of that personal data and want us to verify that data’s accuracy; (b) where it has been established that our use of the data is unlawful but you do not want us to erase it; (c) where we no longer need to process your personal data (and would otherwise dispose of it) but you wish for us to continue storing it in order to enable you to maintain evidence for the exercise or defence of legal claims.
19.3 In most situations, ceasing processing of your personal data is a simple process for us to carry out. We will respectfully comply with your request unless we have a compelling overriding legitimate interest for processing or we need to continue processing your personal data to establish, exercise or defend a legal claim. If for any reason we have a good legal reason to continue processing personal data that you ask us to stop processing, we will tell you what that reason is, after we have had the opportunity to consider and investigate the circumstances of your case.
19.4 You can exercise your right to restrict processing at any time by emailing a request to us at [email protected] or making a request through our secure in-app customer support channel. You do not have to fill in a specific form to make this kind of request. Please note that if we cease to process your personal data, we will not be able to provide you with exchange, deposit or withdrawal functions. It is recommended that you withdraw the balance of your account before making a request to stop processing your personal data.
20. Your Right to Data Portability
20.1 Where you wish to transfer certain personal data that we hold about you, which is processed by automated means, to a third party, you may write to us and ask us to provide it to you.
20.2 Owing to the kind of service that we offer and the systems that we use, we do not envisage this right being relevant to the majority of our customers. However, if you wish to transfer your data from us to a third party we are happy to consider such requests. Personal data that you wish to be transferred to a third party is provided by us in a commonly used machine-readable format.
20.3 You can exercise your right to data portability at any time by emailing a request to us at [email protected] or making a request through our secure in-app customer support channel. You do not have to fill in a specific form to make this kind of request. Export of your data to a third party does not impact on your ability to continue to use our services, unless you also request for us to erase or stop processing your personal data.
21. Your Right to Stop Receiving Communications
21.1 You have the right to stop receiving marketing communications at any time if that is your preference. To unsubscribe from marketing communications at any time, please click on the manage preference link at the bottom of any marketing email from Amber. You will be sent to a secure link where you can update your preferences on what types of notification you wish to receive.
21.2 If you wish to unsubscribe from all marketing communications you can select “unsubscribe from all email communications” at the bottom of the page. Don’t forget to click the blue button “update email preferences” to activate your preferences. You can re-subscribe to any of our marketing communications at any time by emailing a request to us at [email protected] or making a request through our secure in-app customer support channel.
21.3 Please note that operational emails regarding specific transactions, for example emails confirming your withdrawal requests, are not available for opt out for security reasons.
22. Your Right to Object to Automated Decision Making and Profiling
22.1 You have the right to be informed about the existence of any automated decision making and profiling of your personal data.
22.2 Amber does not undertake automated profiling or automated decision making about matters that impact your human rights. We at Amber believe that everybody should have the right to access the bitcoin network and we work tirelessly to design a product that is as inclusive as possible whilst still complying with rules of the legacy financial system as well as our obligations to help counter fraud, corruption, money laundering and terrorist financing.
22.3 Whilst we do use automation to assist in delivering our services to you, we do not delegate decision making to automation. Any decision making which may impact on the exercise of your rights (eg. your rights to continue to use our service) is considered on a case by case basis with management oversight that considers facts, context, fairness and ethics as well as our Terms and Conditions of service.
22.4 If however you feel that you have experienced decision making from Amber that consequently impacted on your rights and you believe the decision was based on automated profiling that is erroneous, you may seek a review of your case by contacting us at [email protected] or making a request through our secure in-app customer support channel.
23. Withdrawal of Consent
23.1 Where we are relying on consent to process your personal data, you may withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we will not be able to continue to provide you with our services.
24. Exercising your Rights
24.1 When you email us with a request to exercise your rights, we are entitled to ask you to prove that you are who you say you are. We may ask you to provide copies of relevant ID documents or undertake enhanced customer due diligence in order to help us to verify your identity.
24.2 It will help us to process your request if you clearly state which right you wish to exercise and, where relevant, why it is that you are exercising it. The clearer and more specific you can be, the faster and more efficiently we can deal with your request. If you do not provide us with sufficient information, then we may delay actioning your request until you have provided us with additional information that we request from you.
25. Minimum Age Requirements
25.1 Customers from the United States of America (USA) must be at least 18 years of age to use the Amber App.
25.2 Customers from the EU must be at least 16 years of age to use the Amber App. If you are between the ages of 13 and 16 you may use the Amber App once we receive parental permission. Exemptions to parental permission apply for EU residents where their member state specifies a lower minimum age requirement than 16 years of age but not greater than 13 years of age.
25.3 If you are a customer outside of the USA and the EU you must meet the following criteria for using the Amber App.
25.3.1 At least 13 years of age (exceptions apply if your local jurisdiction has a higher minimum age limit for consent to handling of personal data); and
25.3.2 Ability to provide valid identification documents; and
25.3.3 Ability to provide a valid payment method.
25.4 Please note that the Amber App does not knowingly collect data relating to children. If you believe we have collected personal data about your child, you may contact us at [email protected] and request that we remove information about him/her.
26. Request Access to a Copy of Your Personal Data?
26.1 You have the right to request access to your personal data and to ask us to correct it if you believe there is an error in the data we are holding. If you wish to access, amend or delete any of your personal data, please reach out to us via email at [email protected] or via customer support in the Amber App. Upon receipt of your written request we may request additional information to allow us to validate your identity. Upon validation of your identity we will promptly correct, amend or delete any personal data that we agree is incorrect. We do not charge fees for this service.
27. How to Make a Complaint?
27.1 Should you have any complaints about the protection of your personal data with the Amber App, please reach out to us via email at [email protected] or via our secure in-app customer support feature.
27.2 If your complaint reasonably requires us to consult with a third party (eg. payment gateway provider), we may need to disclose information contained in your complaint to that third party. If your complaint is still not resolved to your satisfaction, you may refer it to the Office of the Australian Information Commissioner via Lodge a privacy complaint with OAIC.
27.3 If you are a resident of the EU you have the right to lodge a complaint under the GDPR. This can be lodged via email to [email protected] to Amber’s EU representative based in Portugal. If your complaint is still not resolved to your satisfaction you may contact our EU Supervisory Authority in Portugal via email [email protected].
28. Your consent
29. Contact Us
This policy is:
Effective as of 17 November 2022
Last updated as of 30 November 2022