PRIVACY POLICY

Effective Date: 21 October 2025

Simple Europe UAB, a private limited company, registered in accordance with the laws of the Republic of Lithuania under registration number 305959834, with registered address at Kauno str. 32B-48, LT-03202, Vilnius, Republic of Lithuania, together with its affiliated companies (collectively referred to as "Simple", "we", "us", or "our") is committed to protecting the privacy and security of your Personal Data.

This Privacy Policy explains how we collect, use, process, store, and share your Personal Data when you use our website (the "Website"), mobile application (the "App"), and all related services (collectively, the "Services").

We comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679 or "GDPR") and relevant Lithuanian data protection laws. This Privacy Policy forms an integral part of our Terms & Conditions ("T&C").

IMPORTANT NOTICE: APPLICABLE TERMS AND SERVICE MODULES

Please be advised that the Simple App offers access to two distinct service modules for managing digital assets, each operating under different principles:

Custodial Wallet Service ("Custodial Module") — this is the module where Simple acts as a custodian, securely managing cryptographic private keys on your behalf. Users are typically onboarded to this module by default.

Self-Custodial Wallet Service ("SCW Module") — this is an optional module utilizing Multi-Party Computation (MPC) technology. When using the SCW Module, you retain exclusive control over your cryptographic key material and digital assets.

Your use of the Simple App may involve one or both of these modules. To provide you with clear and specific information as required by GDPR, this policy is structured into three main sections:

  • General Privacy Provisions (Section 1) — Information applicable to ALL users of our Services.
  • Part A – Data Processing for Custodial Services (Section 2) — Details on data processing when you use the Custodial Module.
  • Part B – Data Processing for Self-Custodial Services (Section 3) — Details on data processing when you use the optional SCW Module.

Your interaction with the Custodial Module is governed by the Terms and Conditions for Custodial Wallet, while your use of the optional SCW Module is governed by the Terms and Conditions for Self-Custodial Wallet. By using the Simple App, you acknowledge the data processing practices described in the applicable sections of this Privacy Policy.

 

SECTION 1: GENERAL PRIVACY PROVISIONS

The terms in this Section apply to all users and all Services, both Custodial and Self-Custodial.

1.1. DEFINITIONS

For the purposes of this Privacy Policy, the following terms have the meanings ascribed to them below:

“Consent” means any freely given, specific, informed, and unambiguous indication of your wishes by which you, by a statement or by clear affirmative action, signify agreement to the Processing of Personal Data relating to you.

“Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Simple Europe UAB is the Controller for the Personal Data processed as described in this Privacy Policy.

“Data Subject” means an identified or identifiable natural person whose Personal Data is processed. You, as a user of our Services, are a Data Subject.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Third-Party Service Provider" means an independent entity providing specific services integrated within our App, including, but not limited to, KYC/identity verification, cryptocurrency swaps, fiat on-ramp/off-ramp, payment card programs, cloud hosting and content delivery networks (CDNs), analytics, customer support platforms, and BaaS services.

1.2. YOUR DATA PROTECTION RIGHTS (GDPR)

As a Data Subject under GDPR, you have specific rights regarding your Personal Data:

a) You have the right to be informed about the collection and use of your Personal Data, which is the purpose of this Privacy Policy.

b) You have the right to request access to the Personal Data we hold about you and receive a copy of it.

c) You have the right to request correction of inaccurate or incomplete Personal Data.

d) You have the right to request the deletion of your Personal Data under certain conditions, subject to our legal or regulatory retention requirements (e.g., AML/KYC retention periods).

e) You have the right to request the suspension of the Processing of your Personal Data.

f) You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format.

g) You have the right to object to the Processing of your Personal Data based on our legitimate interests and for direct marketing purposes.

h) You have the right not to be subject to a decision based solely on automated Processing which produces legal effects concerning you, with certain exceptions. Simple aims to ensure significant decisions involve human oversight where required.

1.3. HOW TO EXERCISE YOUR RIGHTS

To exercise any of your data protection rights, please submit a request by contacting our Data Protection Officer (DPO) at: [email protected]. We may need to verify your identity before proceeding. We will respond to your request without undue delay and generally within one (1) month of receipt. This period may be extended by two (2) further months where necessary. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

1.4. DATA SECURITY

1.4.1. We implement appropriate technical and organizational security measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

1.4.2. Measures include: encryption of data in transit and at rest where appropriate, firewalls, access controls, network security monitoring, secure software development practices; limiting access to Personal Data to authorized personnel on a need-to-know basis, confidentiality agreements, internal data protection policies and training, and incident response procedures. For the SCW Module, the MPC architecture itself enhances security by avoiding a single point of failure for private keys.

1.4.3. While we take security seriously, the security of your account also depends on you. You are responsible for maintaining the security of your device, your email account, your wallet PIN, and any backup credentials or files (as outlined in the T&C).

1.4.4. Please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

1.4.5. Recognizing the sensitivity of Biometric Data processed for the Face Check feature, we implement specific, heightened security measures beyond our standard practices, including strong encryption of biometric templates/vectors both in transit and at rest, strict technical and organizational access controls, secure processing environments, and thorough vetting and contractual security requirements for any third-party processor involved (e.g., KYCAID).

1.5. INTERNATIONAL DATA TRANSFERS

Your Personal Data may be transferred to, stored, and processed in countries outside the European Economic Area (EEA). When we transfer your Personal Data outside the EEA, we ensure an adequate level of protection is afforded to it by using legally recognized mechanisms such as the European Commission's Standard Contractual Clauses (SCCs) or adequacy decisions. In specific circumstances where these safeguards are not applicable, transfers may exceptionally be based on derogations permitted under GDPR, such as your explicit Consent, or where the transfer is necessary for the performance of our contract with you.

1.6. CONSENT AND HOW TO WITHDRAW IT

Where Processing is based specifically on your Consent (such as for marketing or optional features), we will obtain this Consent explicitly. You have the right to withdraw your Consent at any time. Specific methods include:

a) Marketing Communications — you can opt out by clicking the "unsubscribe" link provided in any marketing email.

b) Cookies/Similar Technologies — you can manage your preferences through our cookie consent management tool or your browser/device settings.

c) Optional App Features — you can withdraw consent for features like Face Check directly within the App's settings.

Withdrawing Consent will not affect the lawfulness of any Processing conducted prior to your withdrawal.

1.7. CHILDREN'S PRIVACY

Our Services are not intended for or directed at individuals under the age of 18 (or the applicable age of legal majority in their jurisdiction). We do not knowingly collect Personal Data from children.

1.8. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. If we make material changes, we will notify you. The "Effective Date" at the top of this Policy indicates the latest revision. Your continued use of the Services after any changes take effect constitutes your acceptance of the revised policy.

1.9. CONTACT US & LODGING A COMPLAINT

If you have any questions, please contact our Data Protection Officer (DPO):

If you are not satisfied with our response, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate:

Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija)

1.10. COOKIES AND SIMILAR TECHNOLOGIES

We may use cookies and similar technologies on our Website. These technologies help us operate the Services, conduct analytics and potentially deliver targeted information or advertising (where appropriate Consent is obtained). Please read our Cookie Policy for more details on our use of cookies on the Website. You can manage your Consent preferences for non-essential cookies and similar technologies through our cookie consent management tool or your browser/device settings.

1.11. DATA RETENTION — GENERAL PRINCIPLES

We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, to provide the Services, to satisfy any legal, regulatory, accounting, or reporting requirements, or to resolve disputes. Once Personal Data is no longer necessary for its purpose, we will securely delete or anonymize it. Module-specific retention is described in Sections 2 and 3.

1.12. BUSINESS TRANSFERS

If Simple is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your Personal Data may be transferred as part of that transaction.

 

SECTION 2: PART A – DATA PROCESSING FOR CUSTODIAL SERVICES

The terms in this Part A apply ONLY when you use our Custodial Wallet and related services. This section details the specific types of Personal Data we collect and how we process it to provide these regulated services and comply with our legal obligations.

A.1. TYPES OF PERSONAL DATA WE COLLECT (CUSTODIAL)

When you use our Custodial Services, Personal Data that we may collect, store and process includes:

a) Contact info — name (first name, surname), e-mail, phone number, address (registered and/or actual), and other data you provide in forms or correspondence.

b) KYC Data — ID documents (passport, governmental ID, driving license), date of birth, proof of address (utility bill, bank statement), information and documents on source of funds/source of wealth.

c) Biometric Data — pictures, photos, visual images, scan copies of your documents, and real-time biometric facial scans for identity verification.

d) Financial information — form of payment, payment card number, bank account number, details of transactions, and information on income and assets.

e) Correspondence — records of correspondence whether via the Website, App, email, telephone or by any other means.

f) Technical Data — details of your visits to the Website and/or mobile app, including traffic data, precise location data, activity logs, IP address, device information (model, OS, ID), and crash data.

g) Marketing Data — responses to marketing campaigns and communication preferences.

A.2. LAWFUL BASES FOR PROCESSING YOUR PERSONAL DATA (CUSTODIAL)

We will only use your information where it is necessary for us to carry out our lawful business activities. We have described the purposes and legal bases for which your information will be used in detail below:

A.2.1. Contractual Necessity — we process your information where it is necessary to enter into a contract with you for the provision of our services or to perform our obligations under that contract. This includes processing to:

a) Assess and process applications for products or services;

b) Provide and administer those products and services, including opening, setting up or closing your accounts; executing your instructions; and processing transactions.

c) Manage and maintain our relationships with you and for ongoing customer service.

d) Communicate with you about your account(s) or the products and services you receive from us.

A.2.2. Legal Obligation — we are required by law to collect and process certain personal information about you. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account. This may include processing to:

a) Confirm your identity, including using biometric information and facial recognition technology.

b) Perform checks and monitor transactions for the purpose of preventing and detecting crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions.

c) Share data with other financial institutions and third parties to help recover funds that have entered your account as a result of a misdirected payment.

d) Share data with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation.

e) Deliver mandatory communications to customers or to communicate updates to product and service terms and conditions (T&C).

f) Investigate and resolve complaints.

g) Manage contentious regulatory matters, investigations and litigation.

h) Perform assessments and analyse customer data for the purposes of managing, improving and fixing data quality.

i) Monitor dealings to prevent market abuse.

A.2.3. Legitimate Interests — we may process your information in the day-to-day running of our business, to manage our business and financial affairs and to protect our customers and property. This may include processing your information to:

a) Monitor, maintain and improve internal business processes, technology and communications solutions.

b) Ensure business continuity and disaster recovery.

c) Ensure network and information security, including monitoring to prevent cyber-attacks and unauthorized use of our systems.

d) Perform general, financial and regulatory accounting and reporting.

e) Protect our legal rights and interests.

A.3. SHARING OF PERSONAL DATA (CUSTODIAL)

We do not sell your Personal Data. We will not share your information with anyone outside of Simple except:

a) where we have your permission;

b) where required for your product or service;

c) where we are required by law and by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies around the world;

d) with other financial institutions and third parties where required by law to help recover funds that have entered your account as a result of a misdirected payment by such a third party;

e) with third parties providing services to us, such as KYC providers, payment processors, and IT service providers acting on our behalf;

f) with other financial institutions to help trace funds where you are a victim of suspected financial crime and you have agreed for us to do so, or where we suspect funds have entered your account as a result of a financial crime;

g) with blockchain analytics providers to analyze public blockchain data for App security or performance analysis;

h) with other Simple customers to display your name (or account display name) to them when they already have your contact details stored in the contact book on their device and you interact with them through the Services (e.g., to help the payer/payee correctly identify the counterparty and reduce misdirected payments). Legal basis: contractual necessity for executing your instruction and our legitimate interests in preventing errors and fraud. This visibility is limited to users who already have your contact details saved on their device; we do not enable public search or discovery. You can manage the App’s access to your contacts in your device settings.

i) where, as permitted by law, it is necessary for our legitimate interests or those of a third party; this includes sharing data with: (1) the Affiliates of Simple Europe UAB, and (2) Third-Party Service Providers such as electronic money institutions, payment service providers, KYC providers (e.g., KYCaid, Sumsub), CRM system providers, marketing agencies, and other trusted partners. The privacy policies of our current KYC providers are available at: KYCaid: https://kycaid.com/privacy-policy/; Sumsub: https://sumsub.com/privacy-notice/.

A.4. DATA STORAGE AND RETENTION (CUSTODIAL)

A.4.1. Storage Location: We store your Personal Data in secure data centres primarily within the European Economic Area (EEA).

A.4.2. Retention Period: We are required by law, particularly anti-money laundering and counter-terrorist financing regulations, to retain records of your Personal Data (including KYC data, transaction history, and correspondence) throughout the term of your Account and for 8 (eight) years after the closure of your Account. This retention is based on a legal obligation, not on your consent.

A.4.3. Face Data Storage and Retention: Biometric face data collected for KYC is an integral part of your identification record. As such, it is retained for the same period as other KYC data (up to 8 years after account closure) to comply with our legal obligations.

A.4.4. Customer Support Records: Retained for a period necessary to address inquiries, track issue resolution, and for potential legal claims.

 

SECTION 3: PART B – DATA PROCESSING FOR SELF-CUSTODIAL SERVICES

IMPORTANT NOTICE: The terms in this Part B apply ONLY when you use our Self-Custodial Wallet (SCW). This service is designed with a strong focus on privacy and data minimization. We collect only the Personal Data that is strictly necessary to provide and secure the SCW functionality.

B.1. DEFINITIONS SPECIFIC TO SELF-CUSTODIAL SERVICES

In addition to the definitions in Section 1.1, the following terms apply to this Part B:

"Biometric Data" means Personal Data resulting from specific technical processing relating to the physical characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as data derived from facial images. Under GDPR, this constitutes a special category of Personal Data. In the context of our Services, this relates solely to the optional Face Check recovery feature.

"Face Check" means the optional biometric recovery feature utilizing Biometric Data derived from your device's front camera to assist in verifying your identity for wallet recovery. It is distinct from native OS biometric authenticators.

B.2. WHAT PERSONAL DATA WE COLLECT AND WHY (SELF-CUSTODIAL)

We collect only the Personal Data necessary to provide and improve our Services.

B.2.1. Information You Provide Directly:

a) Email Address — to serve as your login identifier, for service communications, and to facilitate account recovery.

b) Customer Support Communications — to investigate and respond to your inquiries.

B.2.2. Information Collected Automatically:

a) Device Information — hardware model, operating system version, unique device identifiers (e.g., instance ID for push notifications), language settings, and crash data.

b) Usage Information — aggregated or pseudonymized data about how you interact with our App.

c) Blockchain Data — public addresses of your SCW and their public transaction history.

d) IP Address — for security, troubleshooting, and as part of standard server logging.

B.2.3. Data for Optional Features - Biometric Data for Face Check:

If you choose to enroll in the optional Face Check recovery feature, we will collect and process Biometric Data derived from images captured by your device's front camera.

Purpose — strictly for verifying your identity when you use the Face Check feature to recover your wallet.

Lawful Basis — processing of Biometric Data relies exclusively on your explicit Consent, which we will request separately before enrollment. This data typically involves mathematical representations (templates or vectors) of your facial features; raw facial images may be processed transiently but are not stored long-term.

B.2.4. Data Processed by Your Device's Operating System:

If you use biometric features like Face ID or Touch ID for App login or transaction confirmation, these are processed directly by your device's operating system (OS). Simple only receives a confirmation (pass/fail) from the OS and does not collect or store your underlying biometric data (e.g., your fingerprint or face scan).

B.2.5. Information We Do Not Collect Directly:

Direct KYC Data — for the core SCW service, Simple does not collect sensitive identification documents. When you use integrated Third-Party Services (like on-ramps), the respective provider will collect this KYC data directly from you. These providers act as independent Controllers for the data they collect directly from you under their own privacy policies.

B.3. LAWFUL BASES FOR PROCESSING (SELF-CUSTODIAL)

We process your Personal Data based on:

a) Contractual Necessity — to provide the SCW Services as outlined in our T&C.

b) Legitimate Interests — for platform security, fraud prevention, and service improvement.

c) Explicit Consent: for processing Biometric Data for the optional Face Check feature and for sending marketing communications.

B.4. SHARING OF PERSONAL DATA (SELF-CUSTODIAL)

We do not sell your Personal Data. We share it only with:

a) Infrastructure and analytics providers acting as our data processors;

b) Third-party service providers when you choose to use their integrated services;

c) Legal authorities if required by a valid legal process;

d) The Face Check provider (KYCAid) acting as our data processor under strict contractual obligations;

e) Affiliates of Simple Europe UAB for operational, administrative, security, and internal reporting purposes;

f) Blockchain analytics providers to analyze public blockchain data to help ensure App security or performance analysis;

g) Other Simple customers to display your name (or account display name) to them when they already have your contact details stored in the contact book on their device and you interact with them through the Services (e.g., to help the payer/payee correctly identify the counterparty and reduce misdirected payments). Legal basis: contractual necessity for executing your instruction and our legitimate interests in preventing errors and fraud. This visibility is limited to users who already have your contact details saved on their device; we do not enable public search or discovery. You can manage the App’s access to your contacts in your device settings.

B.5. DATA SECURITY FOR BIOMETRIC DATA (SELF-CUSTODIAL)

Recognizing the sensitivity of Biometric Data processed for the Face Check feature, we implement specific, heightened security measures. These include strong encryption of biometric templates both in transit and at rest, strict technical and organizational access controls, secure processing environments, and thorough vetting of any third-party processor involved (KYCaid). Despite these measures, risks associated with processing Biometric Data remain.

B.6. DATA RETENTION (SELF-CUSTODIAL)

We retain your Personal Data only for as long as necessary.

a) Account Information (Email Address) — retained for the duration your account is active, plus a period afterward to allow for recovery.

b) Usage and Device Information — pseudonymized or aggregated data may be retained for longer periods. Raw logs are typically retained for 6–12 months.

c) Customer Support Records — retained for a period necessary to address inquiries and for potential legal claims.

d) IP Address Logs — retained for security and diagnostic purposes for a limited time of 6–12 months.

e) Biometric Data (Face Check): (i) Enrollment Data — retained only for as long as you actively use this feature. It is securely deleted upon your withdrawal of consent or account closure; (ii) Verification Data — Biometric Data captured for a verification attempt is processed transiently and generally not stored long-term, unless necessary for investigating a specific security incident.

f) Blockchain Monitoring — public blockchain data (addresses, transaction hashes, etc.) associated with your wallet visible within the App may be retained while your account is active and for a limited period thereafter as necessary for providing the service and facilitating support.

 


 

For your reference, previous versions of this document are archived and can be accessed at the following links:

— Custodial Wallet Privacy Policy — https://simple.app/privacy-policy-custodial-old/

— Non-Custodial Wallet Legacy Privacy Policy — https://simple.app/privacy-policy-scw-old/
