Privacy Policy

MBI.COM Sp. z o.o.

Effective Date: February 2026

I. About This Policy

This Privacy Policy explains how MBI.COM Sp. z o.o. ("Bitprime", "Company", "we", "us", or "our") collects, uses, processes, and protects personal data in connection with:

  • the Bitprime platform (bitprime.io)
  • fiat-to-crypto transaction services
  • interactions via website, support channels, or business relationships

This Policy outlines:

  • the categories of personal data we process
  • the purposes and legal bases for processing
  • recipients of personal data
  • data retention periods
  • your rights under applicable data protection laws

We act as the data controller in accordance with:

  • Regulation (EU) 2016/679 (GDPR)
  • Polish Act on Personal Data Protection (10 May 2018)
  • Polish AML Act (1 March 2018)
  • applicable electronic communications laws
  • and other relevant legislation

II. Key Terms and Business Model

Controller
MBI.COM Sp. z o.o., Osiedle Przy Arce 10/42, 31-845 Kraków, Poland
KRS: 0001117984 | NIP: 6783218579

Platform
https://bitprime.io

Services
Execution-only fiat-to-crypto transactions. No crypto-to-fiat or crypto-to-crypto services are provided.

Operational Model
Bitprime operates under an execution-only (transit) model:

  • no client accounts or balances are maintained
  • no custodial services are provided
  • assets are not stored or held beyond transaction execution

Digital Assets are transferred directly to user-controlled external wallets.

Bitprime does not:

  • control user wallets
  • retain funds after execution
  • engage in proprietary trading

III. Contact Details

Email: main@bitprime.io
Address: Osiedle Przy Arce 10/42, 31-845 Kraków, Poland

IV. Sources of Personal Data

We collect personal data through:

1. Data provided by you

When you:

  • initiate transactions
  • complete KYC/KYB verification
  • contact support
  • submit forms

2. Data from third parties

Including:

  • payment service providers
  • financial institutions
  • identity verification providers (e.g., Sumsub)
  • public registers (e.g., beneficial ownership registers)
  • blockchain analytics providers
  • fraud prevention databases

3. Automatically collected data

Including:

  • IP address
  • device and browser data
  • session activity
  • website interaction logs

V. Categories of Personal Data

We process only data necessary for defined purposes.

1. Identity & KYC Data

  • full name
  • date of birth
  • nationality
  • identification numbers (e.g., PESEL)

2. Document Data

  • ID/passport details
  • issuing authority
  • expiry date

3. Verification Data

  • facial images
  • video verification
  • biometric checks (where applicable)

4. Contact & Address Data

  • email
  • phone number
  • residential address

5. Financial & Risk Data

  • source of funds
  • occupation/business activity
  • AML screening results

6. Transaction Data

  • transaction history
  • wallet addresses
  • order data
  • device/session authentication data

7. Business Data (KYB)

  • company details
  • directors and beneficial owners

8. Website & Support Data

  • cookies and session data
  • support communications

VI. Legal Basis for Processing

We process personal data based on:

Contract (Art. 6(1)(b) GDPR)
To execute transactions and provide services.

Legal Obligation (Art. 6(1)(c))
To comply with AML/CFT, tax, and regulatory requirements.

Legitimate Interests (Art. 6(1)(f))
To:

  • prevent fraud
  • ensure security
  • improve services
  • protect legal rights

Consent (Art. 6(1)(a))
For marketing communications. Consent may be withdrawn at any time.

VII. Data Sharing

We may share data with:

Service Providers (Processors)

  • KYC providers (e.g., Sumsub)
  • cloud infrastructure
  • analytics tools
  • support platforms

All processors operate under Data Processing Agreements (DPAs).

Liquidity Providers
Limited data required for transaction execution.

Authorities (Independent Controllers)

  • regulators (e.g., UODO, financial authorities)
  • law enforcement
  • tax authorities

VIII. Profiling and Automated Decision-Making

To comply with strict AML/CFT requirements, the Company operates a hybrid AML framework combining automated tools and internal compliance oversight:

  • Automated screening: via third-party providers (e.g., Sumsub) for identity verification and fraud detection.
  • Transaction Monitoring (TM): for risk scoring and pattern analysis.
  • Manual Review & MLRO: escalated cases are reviewed manually by our compliance team and the Money Laundering Reporting Officer.

These automated systems may result in:

  • transaction rejection
  • account restriction
  • KYC denial

All decisions are subject to human review upon request via: main@bitprime.io

IX. Data Retention

We retain data only as necessary:

  • AML/KYC: up to 10 years
  • Tax/accounting: 5 years
  • Marketing: until consent withdrawn
  • Support data: up to 6 months
  • Legal claims: per statutory limitation periods

X. International Transfers

Where data is transferred outside the EEA, we apply safeguards such as:

  • EU adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • EU-U.S. Data Privacy Framework (where applicable)

XI. Cookies

We use cookies for:

  • essential functionality
  • analytics
  • performance
  • marketing (with consent)

See our Cookie Policy for details.

XII. Security Measures

We implement:

  • encryption
  • pseudonymisation
  • access controls
  • monitoring systems
  • regular audits

XIII. Personal Data Breaches

In case of a data breach:

  • supervisory authority notified within 72 hours (where required)
  • users informed if risk is high

XIV. Blockchain Transparency Notice

Due to the nature of blockchain technology:

  • transactions are recorded on public ledgers
  • wallet addresses and transaction details may be publicly visible

Bitprime does not control blockchain networks and cannot anonymise such data.

XV. Legal Disclosures

We may disclose personal data where required by:

  • law
  • court orders
  • regulatory requests

XVI. Your Rights

Under GDPR, you have the right to:

  • access your data
  • rectify inaccuracies
  • request erasure
  • restrict processing
  • object to processing
  • data portability
  • withdraw consent

You may also lodge a complaint with:
UODO (Poland) – ul. Stawki 2, Warsaw

XVII. Age Restriction

Services are limited to individuals aged 18+.

XVIII. Data Protection Officer

Where required, a Data Protection Officer (DPO) will be appointed and published on the Website.

XIX. Governing Law

This Policy is governed by Polish law and applicable EU legislation.

XX. Updates

We may update this Policy periodically. Updates take effect upon publication, unless otherwise required by law.