Global — GDPR, NDPR, POPIA, CNDP Compliant
Version
1.0
Effective date
1 January 2025
Last updated
1 January 2025
This Privacy Policy explains how $PeerMarkt("Company," "we," "us") collects, uses, stores, and shares personal data when you use our Platform. This Policy applies globally and is designed to comply with the EU General Data Protection Regulation (GDPR), UK GDPR, Nigeria Data Protection Regulation (NDPR 2019 / NDPA 2023), South Africa Protection of Personal Information Act (POPIA), Morocco Law 09-08 (CNDP), Kenya Data Protection Act 2019, and the California Consumer Privacy Act (CCPA/CPRA).
Data Controller: $PeerMarkt Operating Entity | DPO Contact:privacy@peermarkt.com | EU Representative: [EU Entity] | UK Representative: [UK Entity]
| Data | Purpose | Legal Basis |
|---|---|---|
| Full legal name | Account creation, KYC | Contract (GDPR Art. 6(1)(b)) |
| Email address | Account management | Contract (GDPR Art. 6(1)(b)) |
| Phone number | Security, 2FA, trade alerts | Legitimate interests |
| Date of birth | Age verification, KYC | Legal obligation (Art. 6(1)(c)) |
| Country of residence | Sanctions screening | Legal obligation |
| Password (hashed, bcrypt) | Authentication | Contract |
| Data | Purpose | Basis |
|---|---|---|
| Government-issued ID | Identity verification (AML law) | Legal obligation |
| NIN (Nigeria) | AML/KYC per SEC/CBN requirements | Legal obligation |
| Ghana Card | AML/KYC per BoG requirements | Legal obligation |
| CNI (Morocco/Ivory Coast) | AML/KYC per local law | Legal obligation |
| Selfie / liveness check | Liveness verification (biometric) | Legal obligation + consent |
| Source of funds | AML risk assessment | Legal obligation |
| Proof of address | Address verification | Legal obligation |
Biometric data (facial recognition) constitutes Special Category Data under GDPR Article 9, processed under Article 9(2)(g) (substantial public interest for AML compliance). Where technically feasible, we store a cryptographic hash of identity documents rather than raw images to minimize data exposure.
| Data | Purpose | Basis |
|---|---|---|
| Trade history | Platform operation, dispute resolution | Contract |
| Cryptocurrency wallet addresses | Transaction execution, Travel Rule | Legal obligation |
| Payment proof documents | Dispute resolution | Contract + Legitimate interests |
| Transaction amounts | Fee calculation, tax reporting | Legal obligation |
| Blockchain transaction data | Compliance analytics | Legal obligation |
| Data | Purpose | Basis |
|---|---|---|
| IP address | Fraud prevention, geo-restriction | Legitimate interests |
| Device fingerprint | Fraud detection, SIM-swap prevention | Legitimate interests |
| Browser / OS | Platform compatibility | Legitimate interests |
| Access logs | Security monitoring, audit trail | Legal obligation |
We process your personal data under the following legal bases:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 5 years post-closure | AML record-keeping |
| KYC documents | 5 years from account closure or last trade | FATF Rec. 11; local AML law |
| Transaction records | 5 years from transaction date | AML / Tax law |
| Biometric data | 90 days post-verification (result kept 5 yrs) | Proportionality; AML |
| IP / access logs | 12 months | Security; proportionality |
| Support communications | 3 years | Legitimate interests |
| Deleted account data | 5 years in archived/anonymized form | Legal obligation |
After applicable retention periods, data is securely deleted using NIST 800-88 guidelines or irreversibly anonymized. Anonymized data may be retained indefinitely for analytical purposes.
For transfers of personal data outside the originating jurisdiction:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Receive a copy of your personal data | privacy@peermarkt.com |
| Rectification | Correct inaccurate data | Account settings or request |
| Erasure | Delete data where no legal obligation to retain | privacy@peermarkt.com |
| Restriction | Restrict processing while dispute is pending | privacy@peermarkt.com |
| Portability | Receive data in machine-readable format | privacy@peermarkt.com |
| Object | Object to processing based on legitimate interests | privacy@peermarkt.com |
| Automated decisions | Request human review of automated KYC decisions | compliance@peermarkt.com |
We cannot delete data we are legally required to retain for AML, sanctions, or tax compliance. In such cases we will inform you of the limitation and restrict processing to the minimum required by law.
Response timeframe: 30 days from receipt of request (extendable by 60 days for complex requests). Supervisory authority complaints: EU (national DPA), UK (ICO ico.org.uk), Nigeria (NDPC), South Africa (Information Regulator), Morocco (CNDP), Kenya (ODPC).
We comply with the Nigeria Data Protection Act 2023 and NDPR 2019. We are registered as a Data Controller with the Nigeria Data Protection Commission (NDPC) where required. Nigerian users have all rights under NDPA Section 34, including the right to lodge a complaint with the NDPC at ndpc.gov.ng.
We comply with the Protection of Personal Information Act 4 of 2013 (POPIA). Our Information Officer is responsible for ensuring POPIA compliance. South African users may lodge complaints with the Information Regulator at inforeg.org.za. We do not process Special Personal Information without the explicit consent of the data subject unless otherwise permitted by POPIA.
We are registered with the Commission Nationale de contrôle de la Protection des Données à caractère personnel (CNDP) under registration number [Number]. Moroccan users have rights of access, rectification, and deletion under Law 09-08. KYC data of Moroccan residents is stored in the EU or Morocco in accordance with CNDP transfer requirements. Cross-border transfers require CNDP authorization or adequacy determination.
We comply with the Data Protection Act 2019 and Data Protection (General) Regulations 2021. Kenyan users may lodge complaints with the Office of the Data Protection Commissioner (ODPC).
WE DO NOT SELL YOUR PERSONAL INFORMATION. WE DO NOT SHARE YOUR PERSONAL INFORMATION FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.
California residents have additional rights under CCPA/CPRA:
To exercise California rights, contact privacy@peermarkt.com. We verify identity before processing requests. Response within 45 days (extendable by 45 days).
The Platform is not directed to children under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact privacy@peermarkt.com and we will promptly delete it.
We notify you of material changes via email 30 days before the effective date. For minor changes, we update the "Last Updated" date and post notice on the Platform. Continued use after the effective date constitutes acceptance of the revised Policy.
On this page