PRIVACY POLICY (Self-Custodial Wallet)
Effective Date: 25 May 2025
Simple Europe UAB, a private limited company, registered in accordance with the laws of the Republic of Lithuania under registration number 305959834, with registered address at Kauno str. 32B-48, LT-03202, Vilnius, Republic of Lithuania, together with its affiliated companies (collectively referred to as "Simple", "we", "us", or "our") is committed to protecting the privacy and security of your Personal Data.
This Privacy Policy explains how we collect, use, process, store, and share your Personal Data when you use our self-custodial cryptocurrency wallet application (the "App"), associated websites, and related services (collectively, the "Services"). Our Services utilize Multi-Party Computation (MPC) technology, placing you in control of your digital assets.
We comply with the EU General Data Protection Regulation (Regulation EU 2016/679 or "GDPR") and relevant Lithuanian data protection laws. This Privacy Policy forms an integral part of our Terms & Conditions ("T&C"). Please read this policy carefully to understand our practices regarding your Personal Data.
1.DEFINITIONS
For the purposes of this Privacy Policy, the following terms have the meanings ascribed to them below, consistent with GDPR definitions:
1.1. "Biometric Data" means personal data resulting from specific technical processing relating to the physical characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as data derived from facial images. Under GDPR, this constitutes a special category of personal data requiring specific safeguards and explicit consent for processing. In the context of our Services, this relates solely to the optional Face Check recovery feature.
1.2. "Consent" means any freely given, specific, informed, and unambiguous indication of your wishes by which you, by a statement or by clear affirmative action, signify agreement to the Processing of Personal Data relating to you.
1.3. "Controller" means natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Simple Europe UAB is the Controller for the Personal Data processed as described in this Privacy Policy.
1.4. "Data Subject" means an identified or identifiable natural person whose Personal Data is processed. You, as a user of our Services, are a Data Subject.
1.5. "Face Check" means the optional biometric recovery feature described in the T&C, utilizing Biometric Data derived from your device's front camera to assist in verifying your identity for wallet recovery. It is distinct from native OS biometric authenticators.
1.6. "Personal Data" means any information relating to an identified or identifiable natural person (Data Subject).
1.7. "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.8. "Third-Party Service Provider" means an independent entity providing specific services integrated within our App, including, but not limited to, cryptocurrency swaps, fiat on-ramp/off-ramp, payment card, and BaaS services.
2. WHAT PERSONAL DATA WE COLLECT AND WHY
We collect only the Personal Data necessary to provide and improve our Services, ensure security, comply with legal obligations (within our capacity as a technology provider), and communicate with you. As providers of a self-custodial wallet, we minimize data collection where possible.
We collect the following categories of Personal Data:
2.1. Information You Provide Directly:
a) Email Address — We collect your email address when you sign up or create an account within the App.
Purpose: To serve as your primary login identifier, to communicate essential service information (e.g., security updates, changes to T&C or policies), to facilitate account recovery procedures, and to send marketing communications about Simple's products and features.
b) Customer Support Communications — If you contact our support team, we collect the information you provide in your communications (your email address, the content of your message, and any attachments).
Purpose: To investigate and respond to your inquiries, troubleshoot issues, provide assistance, and improve our customer support and Services.
2.2. Information Collected Automatically When You Use the Services:
a) Device Information — We collect information about the mobile device you use to access the App, such as the hardware model, operating system version, unique device identifiers (e.g., instance ID for push notifications), language settings, and crash data.
Purpose: To ensure App compatibility, deliver push notifications (if enabled), facilitate troubleshooting and bug fixing, maintain security (e.g., identifying authorized devices during recovery), and optimize App performance.
b) Usage Information — We may collect information about how you interact with our App, such as features accessed, buttons clicked, screens viewed, and general usage patterns. This data may be collected using analytics tools and may be aggregated or pseudonymized.
Purpose: To understand how users engage with the App, identify popular features, diagnose usability issues, improve user experience and app design, and for general service optimization.
c) Blockchain Data — We collect public addresses associated with your Self-Custodial Wallet created or managed through the App, along with the publicly available transaction history (transaction hashes, sending/receiving addresses, amounts, timestamps) related to those addresses.
Purpose: To display your wallet balance and transaction history within the App, to help you initiate and track transactions on the blockchain. This data is public by nature but collected and processed by us to provide core wallet functionality and maintain platform integrity.
d) IP Address — We collect the IP address used to access our Services.
Purpose: To maintain security, for troubleshooting network issues, for approximate geolocation analysis, and as part of standard server logging.
2.3. Information We Generally Do Not Collect Directly:
a) Direct KYC Data — Simple does not directly collect sensitive identification documents (like government-issued IDs, passports, driver's licenses), proof of address documents, detailed financial information (bank account numbers, full credit card numbers), source of wealth/funds documentation, or conduct biometric facial scans for the purpose of mandatory KYC verification for its core self-custodial wallet service. These types of verification are typically required for regulated financial services. When you choose to use integrated services, including, but not limited to, fiat On-Ramp/Off-Ramp, Payment Card, or BaaS within our App, the respective Third-Party Service Provider (e.g., Unlimit) will collect this KYC data directly from you according to their own regulatory obligations and privacy policies. Simple does not receive or store this sensitive KYC data from them.
2.4. If you use biometric features like Face ID or Touch ID for App login or transaction confirmation, these are processed directly by your device's operating system. Simple only receives a confirmation (pass/fail) from the OS and does not collect or store your underlying data.
2.5 Information Collected If You Use Optional Features:
a) Biometric Data (for Face Check Enrollment & Verification): If you choose to enroll in and use the optional Face Check recovery feature, we will need to collect and process Biometric Data derived from images captured by your device's front camera during the enrollment and subsequent verification processes. This data typically involves mathematical representations (templates or vectors) of your facial features, not the storage of raw facial images long-term (though images may be processed transiently).
Purpose: Strictly for verifying your identity when you choose to use the Face Check feature to recover access to your wallet. This data is not used for any other purpose (e.g., marketing, general identification).
Lawful Basis: Processing the Biometric Data relies exclusively on your explicit Consent. We will request this separate, explicit consent before you can enroll in the Face Check feature. Use of this feature, and therefore the collection of this data, is entirely optional.
3. HOW WE USE YOUR PERSONAL DATA (LAWFUL BASES)
We process your Personal Data based on the following GDPR lawful grounds:
3.1. Much of our Processing is necessary to provide the Services you requested, as outlined in our T&C. This includes using your:
a) Email Address, Device Information, IP Address — To create and maintain your account, secure access, deliver essential service communications, and enable core App functionalities like the MPC operations;
b) Blockchain Data — To display your wallet information, transaction history, and facilitate your interactions with the blockchain via the App;
c) Support Communications — To fulfill our obligation to provide assistance when you request it;
d) Recovery Information — To facilitate wallet recovery processes initiated by you.
3.2. We process certain data based on our legitimate interests, provided these are not overridden by your rights and interests. Our legitimate interests include:
a) Platform Security — Detecting and preventing fraud, unauthorized access, security incidents, and abuse of the Services (using IP Address, Device Information, Usage Information, Blockchain Data);
b) Service Improvement & Analytics — Understanding how our App is used to improve its functionality, user experience, and performance; identifying and fixing bugs;
c) Customer Support Enhancement — Analyzing support interactions to improve our support processes and identify common user issues.
3.3. We may process your Personal Data where necessary to comply with applicable laws and regulations or legally binding requests from competent law enforcement or regulatory authorities.
3.4. For certain Processing activities, we rely on your freely given, specific, informed, and unambiguous Consent. This includes:
a) Sending you direct marketing communications about Simple's products, services, and events;
b) Using non-essential cookies or similar technologies for purposes such as personalized advertising or advanced analytics;
c) Processing the Biometric Data solely for the purpose of enabling the optional Face Check recovery feature, which requires your explicit Consent.
You have the right to withdraw your Consent at any time for Processing based on Consent, without affecting the lawfulness of Processing before withdrawal.
4. HOW WE SHARE YOUR PERSONAL DATA
We do not sell your Personal Data. We only share your Personal Data with third parties under the following circumstances and for the purposes described below:
4.1. We may share information within our corporate group (parent companies, subsidiaries) as necessary for operational, administrative, security, and internal reporting purposes.
4.2. We engage third-party companies and individuals to perform services on our behalf. These include:
a) Infrastructure Providers — Cloud hosting services, database providers, content delivery networks (CDNs) that host our platform and data;
b) Analytics Providers — Services that help us understand App usage and performance;
c) Blockchain Analytics Providers — Specialized services that may analyze public blockchain data to provide insights for the App security or performance analysis;
d) Customer Support Platforms — Tools used to manage support tickets and communications.
These processors are contractually obligated to handle your data securely and only process it according to our instructions.
4.3. When you choose to use services integrated within the App that are provided by third parties we may share limited information necessary to initiate or facilitate the connection between the App and their service. We do not share the detailed KYC data collected directly by these providers. They are independent Controllers for the data they collect directly from you.
4.4. We may disclose Personal Data if required by law, regulation, or a valid legal process, but only to the extent necessary and limited to the data within our possession.
4.5. If Simple is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your Personal Data may be transferred as part of that transaction.
4.6. To provide the Face Check feature, we may securely share the necessary Biometric Data with a specialized third-party service provider, KYCaid, who acts as our data processor. This provider performs the technical facial recognition matching process on our behalf under strict contractual obligations, requiring them to maintain data security and confidentiality, and limiting their processing solely to the purpose of identity verification for your Face Check recovery attempts.
5. INTERNATIONAL DATA TRANSFERS
Your Personal Data may be transferred to, stored, and processed in countries other than the Republic of Lithuania or your country of residence, including countries outside the European Economic Area (EEA), where our affiliates or third-party service providers operate. Data protection laws in these countries may differ from those in the EEA.
When we transfer your Personal Data outside the EEA, we ensure an adequate level of protection is afforded to it. In specific circumstances where the above primary safeguards are not applicable or feasible, transfers may exceptionally be based on derogations permitted under GDPR, such as your explicit Consent, or where the transfer is necessary for the performance of our contract with you.
6. DATA SECURITY
6.1. We implement appropriate technical and organizational security measures designed to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
6.2. Measures Include:
a) Encryption of data in transit and at rest where appropriate, firewalls, access controls, network security monitoring, secure software development practices. The MPC architecture itself enhances security by avoiding a single point of failure for private keys;
b) Limiting access to Personal Data to authorized personnel on a need-to-know basis, confidentiality agreements, internal data protection policies and training, incident response procedures.
6.3. While we take security seriously, the security of your Self-Custodial Wallet also depends heavily on you. You are responsible for maintaining the security of your device, your email account, your wallet PIN, and any Backup credentials or files (as outlined in the T&C).
6.4. Please be aware that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
6.5. Recognizing the sensitivity of Biometric Data processed for the Face Check feature, we implement specific, heightened security measures beyond our standard practices. These include measures such as strong encryption of biometric templates/vectors both in transit and at rest, strict technical and organizational access controls to limit who can access this data, secure processing environments, and thorough vetting and contractual security requirements for any third-party processor involved (KYCAid). Despite these measures, no system can be guaranteed to be 100% secure, and risks associated with processing Biometric Data remain, as highlighted in the T&C.
7. DATA RETENTION
7.1. We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including providing the Services, satisfying any legal, regulatory, accounting, or reporting requirements, or resolving disputes.
7.2. Indicative Periods:
a) Account Information (Email Address) — Retained for the duration your account is considered active, plus a period oafterward following inactivity or closure to allow for potential account recovery or reactivation, unless a longer retention period is required by law;
b) Usage and Device Information — Pseudonymized or aggregated data used for analytics may be retained for longer periods. Raw or identifiable logs are typically retained for a shorter period of 6–12 months, necessary for security, troubleshooting, and service improvement;
c) Blockchain Monitoring — Public blockchain data (addresses, transaction hashes, etc.) associated with your wallet visible within the App may be retained while your account is active and for a limited period thereafter as necessary for providing the service and facilitating support.
d) Customer Support Records — Retained for a period necessary to address inquiries, track issue resolution, and for potential legal claims;
e) IP Address Logs — Retained for security and diagnostic purposes for a limited time of 6–12 months unless required for an ongoing investigation.
f) Biometric Data (Face Check) — Biometric Data used for Face Check enrollment is retained only for as long as you actively use this feature or until you withdraw your explicit consent for its processing. We aim to minimize retention; this data will typically be securely deleted upon your withdrawal of consent or account closure, whichever occurs first. Biometric Data captured solely for a verification attempt is processed transiently and generally not stored long-term unless necessary for investigating a specific security incident related to that attempt.
7.3. Once Personal Data is no longer necessary for its purpose, we will securely delete or anonymize it. Data may be retained for longer periods if legally required or for the establishment, exercise, or defense of legal claims.
8. YOUR DATA PROTECTION RIGHTS (GDPR)
As a Data Subject under GDPR, you have specific rights regarding your Personal Data. Simple is committed to facilitating the exercise of these rights:
a) You have the right to be informed about the collection and use of your Personal Data, which is the purpose of this Privacy Policy;
b) You have the right to request access to the Personal Data we hold about you and receive a copy of it;
c) You have the right to request correction of inaccurate or incomplete Personal Data we hold about you;
d) You have the right to request the deletion of your Personal Data under certain conditions (e.g., the data is no longer necessary for the purpose it was collected, you withdraw Consent and there's no other legal ground, the data was unlawfully processed), subject to legal or regulatory retention requirements Simple must adhere to;
e) You have the right to request the restriction of Processing your Personal Data under certain circumstances (e.g., while the accuracy of the data is contested, Processing is unlawful but you oppose erasure);
f) Where Processing is based on your Consent or contract necessity and carried out by automated means, you have the right to receive the Personal Data you provided to us in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance from us;
g) You have the right to object to the Processing of your Personal Data based on our legitimate interests. Simple will cease Processing unless we can demonstrate compelling legitimate grounds which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. You also have the absolute right to object to Processing for direct marketing purposes;
h) You have the right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except under certain conditions (e.g., necessary for contract, authorized by law, based on explicit Consent). Simple aims to ensure significant decisions involve human oversight where required.
9. HOW TO EXERCISE YOUR RIGHTS
9.1. To exercise any of your data protection rights listed above, please submit a request by contacting our Data Protection Officer (DPO) at: [email protected].
9.2. Please make your request clear and specific. We may need to request additional information from you to verify your identity before proceeding with your request, ensuring the security of your Personal Data.
9.3. We will respond to your request without undue delay and generally within one (1) month of receipt. This period may be extended by two (2) further months where necessary, considering the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
10. CONSENT
10.1. By registering for and using the Simple App and Services, you acknowledge that you have read and understood this Privacy Policy and agree to the Processing of your Personal Data as described herein, particularly where such Processing is necessary for the performance of the contract (T&C), based on our legitimate interests, or required by legal obligations.
10.2. Where Processing is based specifically on your Consent (as outlined in Section 3.4), such as for receiving marketing communications or using non-essential cookies/technologies, we will obtain this Consent explicitly before starting the Processing.
10.3. You have the right to withdraw your Consent at any time for Processing activities that rely on Consent. Specific methods include:
a) Marketing Communications — You can easily withdraw your Consent (opt-out) by clicking the "unsubscribe" link provided in any marketing email we send you;
b) Cookies/Similar Technologies — You can manage your Consent preferences for non-essential cookies and similar technologies through our cookie Consent management tool or your browser/device settings.
Withdrawing Consent will not affect the lawfulness of any Processing conducted prior to your withdrawal or Processing conducted under other lawful bases (like performance of contract or legitimate interest).
10.4. Using the optional Face Check recovery feature involves processing sensitive Biometric Data. Therefore, in addition to agreeing to this Privacy Policy for general Services, enabling Face Check requires your separate and explicit consent specifically for the collection and processing of your Biometric Data for the sole purpose of identity verification during recovery attempts. This explicit consent will be clearly requested within the App before you can enroll in the Face Check feature. You can withdraw this specific consent at any time, which will disable the Face Check feature for your account moving forward. Withdrawal does not affect processing performed prior to withdrawal.
11. COOKIES AND SIMILAR TECHNOLOGIES
We may use cookies and similar technologies on our Website. These technologies help us operate the Services, conduct analytics and potentially deliver targeted information or advertising (where appropriate Consent is obtained). Please read our Cookie Policy for more details on our use of cookies on the Website.
12. CHILDREN'S PRIVACY
Our Services are not intended for or directed at individuals under the age of 18 (or the applicable age of legal majority in their jurisdiction). We do not knowingly collect Personal Data from children under 18. If we become aware that we have inadvertently collected Personal Data from a child under 18 without verification of parental Consent, we will take steps to delete such information from our systems promptly. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact our DPO at [email protected] so we can take appropriate action.
13. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will notify you, which may include posting the revised policy on our website, providing notice through the App, or sending an email notification. The "Last Updated" date at the top of this Policy indicates when it was last revised. We encourage you to review this Privacy Policy periodically. Your continued use of the Services after any changes take effect constitutes your acceptance of the revised policy.
14. CONTACT US
If you have any questions, concerns, or complaints about this Privacy Policy or our data handling practices, or if you wish to exercise your data protection rights, please contact our Data Protection Officer (DPO):
- Email: [email protected]
If you are not satisfied with our response or believe we are Processing your Personal Data not in accordance with the law, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) or your local data protection supervisory authority within the EU/EEA.
- Lithuanian State Data Protection Inspectorate: L. Sapiegos str. 17 LT-10312 Vilnius Phone: +370 5 271 2804 / 279 1445; Email: [email protected]; Website: https://www.vdai.lrv.lt/
IMPORTANT NOTICE REGARDING APPLICABLE TERMS AND SERVICE MODULES
Please be advised that the Simple App offers access to two distinct service modules for managing digital assets, each operating under different principles and governed by separate legal terms:
- Custodial Wallet Service ("Custodial Module") — This is the standard module where Simple acts as a custodian, securely managing cryptographic private keys on your behalf according to the applicable terms referenced below. Users are typically onboarded to this module by default.
- Self-Custodial Wallet Service ("SCW Module") — This is an optional module utilizing Multi-Party Computation (MPC) technology. When using the SCW Module, you retain exclusive control over your cryptographic key material and the corresponding digital assets, subject to the specific terms governing this module.
Your use of the Simple App may involve one or both of these modules, depending on whether or not you activate SCW Module. It is essential to understand which set of terms and conditions applies to your activities within each module. Your interaction with the Custodial Module is governed by the Terms and Conditions for Custodial Wallet, while your use of the optional SCW Module is governed by the Terms and Conditions for Self-Custodial Wallet.
Regarding your privacy and the processing of personal data, the policy applicable to you depends on the Simple App modules you use. If you use only the Custodial Module of the App, your processing of personal data is governed by our Privacy Policy for Custodial Wallet. Should you choose to activate and use the optional SCW Module, you will be required to review and separately agree to the Privacy Policy for Self-Custodial Wallet.
By creating a Simple account, downloading or using the App, enabling or using specific modules (including the optional SCW Module), or by agreeing to the terms when presented, you acknowledge you have read, understood, and agree to be bound by the Terms and Conditions applicable to the modules you use, and you acknowledge the data processing practices described in the applicable Privacy Policy. We strongly encourage you to review all four documents carefully using the links provided herein to fully understand your rights, obligations, and data processing details relevant to your chosen method(s) of using the Simple App.
