Privacy policy

This Policy applies to the processing of personal data carried out by the company GOin SAS as a data controller. GOin is incorporated at 29 rue Marbeuf, 75008 Paris (France) under number 839 009 669 RCS Paris and registered as a Crypto-Asset Service Provider (in French « PSAN ») by the AMF under number E2022-053.

Hereinafter « GOin » or the « Company.

GOin complies with European Regulation n°2016/679 on the protection of personal data (« Personal Data ») of natural persons, known as the GDPR Regulation, as well as to the law n°78-17 of January 6th, 178 relating to data processing, files and freedoms. This Policy presents the information collected by GOin, the way it is collected, processed, and protected, the purpose of its processing as well as your rights regarding this data.

1. Scope of Application

This Policy applies to data:

• Collected directly or indirectly by GOin as part of its missions and the services provided to its Clients
• Collected via the website, www.goin-invest.com (hereinafter « GOin Website »)
• Collected via its Client portal, https://access.investor.goin-invest.com (hereinafter « Client Portal »)

2. Data Controller

GOin is the data controller for the processing referred to in this Policy.

Furthermore, GOin has appointed a Data Protection Officer (hereinafter “DPO”) with the French Data Protection Authority, the CNIL (“Commission Nationale Informatique et Libertés”). Any question or request related to the processing of your data can be addressed to them, according to the procedure detailed in the “Rights of the Data Subjects” section.

3. Personal Data Collected

3.1. Personal Data of Prospective Clients and Clients

The Personal Data listed below relate to prospective Clients and Clients of GOin as defined in section 3.3:

• Identity-related data
• Contact information
• Personal life details
• Economic and financial information
• Banking, financial, and transactional data
• Login data
• Data revealing political opinions
• Data related to criminal convictions or offenses

3.2. Indirect collection

• Identity-related data
• Contact information
• Economic and financial information

3.3. Concerned Individuals

GOin collects and processes the Personal Data of its prospective Clients and Clients, their representatives where applicable, and the legal representatives, agents, or ultimate beneficiaries of its corporate Clients ("Clients").

GOin may also collect Personal Data from natural persons who are not its Clients. Data collection may include:

• Contacts from its partners
• Prospects and business contacts
• Individuals subscribed to its newsletters and updates
• Any representative of natural and/or legal persons with whom GOin may interact in the course of its activities
• Individuals covered by this section are entitled to the rights regarding their Personal Data as outlined in the “Rights of the Data Subjects” section of this Policy.

3.4. Means of Personal Data Collection

3.4.1. Direct Collection

In the course of its activities, GOin may collect Personal Data directly from its Clients, both natural persons and legal entities (including legal representatives, ultimate beneficiaries, points of contact, etc.). Personal Data is provided by the Client to GOin via the dedicated relationship entry form and subsequently via email for ongoing communication.

Similarly, GOin may collect Personal Data, particularly contact details, directly from anyone wishing to engage with its teams or receive information. This collection can be done through oral or written means. It is possible, for instance, to subscribe free of charge to GOin’s information emails via the form available directly on our website. Subscription will only be effective after double validation via email.

3.4.2. Indirect Collection

To verify and supplement its databases in accordance with regulatory obligations, GOin may also collect Personal Data from external sources, such as:

• Databases published by official authorities (Commercial Court, etc.)
• Information that you have made public yourself, notably through websites or social networks
• Data provided by third-party organizations, including commercial intelligence agencies, fraud prevention agencies, or any other organization providing data in compliance with GDPR
• Connection and activity data on the Client Area

If data collection concerns natural persons other than Clients, those natural persons may refer to the “Rights of the Data Subjects” section if they have questions and wish to contact GOin.

3.5. Use of Cookies

GOin’s Client Portal uses a tracker solely for authenticating the Client with this service, in accordance with paragraph 49 of the CNIL Guidelines on Cookies and Trackers. Data from this tracker is encrypted and inaccessible to third-party sites. This tracker is necessary for system security and exempt from user consent requests.

GOin’s website also uses a tracker for statistical purposes. It requires user consent.

4. Purposes and Legal Bases of Processing Activities

4.1. Processing Purposes

i. GOin implements a personal data processing activity aimed at complying with its obligations regarding Client due diligence and transaction monitoring, within the framework of Anti-Money Laundering and Counter-Terrorist Financing (hereinafter “AML/CFT”). In this context, prior to any relationship with a Client, throughout the duration of the relationship with a Client, GOin collects, processes, and retains the Personal Data necessary to comply with, among others, the following legal obligations:

• a. AML/CFT, notably in accordance with Article L. 54-10-3 of the French Code Monétaire et Financier (“CMF”) as a Digital Asset Service Provider (DASP).
• b. Fraud prevention, including tax fraud, compliance with regulatory obligations regarding tax reporting and monitoring.
• c. Responding to official requests from public and/or judicial authorities within appropriate procedures.
• d. Implementing appropriate measures in case of suspicions regarding the intentions of Clients, including asset freezing procedures and reporting to competent authorities.

ii. As part of its services, GOin collects and processes the Personal Data of its Clients, from the beginning of the relationship, in order to:

• a. Be able to communicate with them and provide them with necessary legal information and documentation.
• b. Assist them during their application, during each transaction, or more broadly throughout the duration of the relationship.
• c. Assess their knowledge and/or experience in investment matters and financial literacy, as well as in the crypto-asset sector.
• d. Understand their investment objectives in order to offer them products and services tailored to their needs.
• e. Provide them with the most comprehensive information possible about the status of their portfolio.

iii. GOin also implements processing purposes for Personal Data with objectives such as:

• a. Sharing news and explanatory content related to crypto-assets and blockchain technology, for information and educational purposes.
• b. Exchanging information with third-party service providers and subcontractors of GOin (e.g., service providers including software providers, advisors, and accounting service providers of GOin).
• c. Developing its products and services: automation of various procedures necessary for effective risk management and improvement of its offerings, anonymized analyses for research and development purposes, etc.
• d. Managing IT risks: data protection, infrastructure protection, and/or personnel protection.
• e. Defending its interests in court.

4.2. Legal Bases

The processing purposes presented in Section 4.1. i. of the Policy rely on:

• A legal obligation of GOin. As specified in Article L54-10-3 (4°) of the CMF, GOin must be “able to comply with [its] obligations regarding combating money laundering and terrorist financing, asset freezing and prohibition of provision by setting up an organization and procedures to ensure compliance with the obligations provided for in Articles L. 561-4-1 to L. 561-5-1, L. 561-10-2 and L. 561-15 and by the regulations issued for their implementation, as well as in Chapter II of Title VI of this Book and the European regulations adopting restrictive measures pursuant to Articles 75 or 215 of the Treaty on the Functioning of the European Union.”
• The legitimate interest of GOin. GOin must indeed be able to defend its interests, particularly in the event of disputes or potential investigations.

The processing purposes presented in Section 4.1. ii. of the Policy rely on:

• Contract performance or pre-contractual measures. The Personal Data collected in the context of this processing is necessary for the provision of services offered by GOin.
• A legal obligation. As a DASP, GOin is required to implement certain procedures and provide information (including on transactions carried out) to its Clients.
• The legitimate interest of GOin. GOin must indeed be able to justify all operations carried out and decisions made in the context of the client relationship, particularly in the event of complaints.

The processing purposes presented in Section 4.1. iii. are based on:

• 4.1. iii.a – depending on the situation, the legitimate interest of GOin or your consent.
• 4.1. iii.b – contract performance.
• 4.1. iii.c, 4.1. iii.d, and 4.1. iii.e – the legitimate interest of GOin.

5. Data Retention Periods

GOin retains Personal Data for the maximum duration necessary in light of the purposes for which they are processed.

Personal Data collected and processed for the purposes outlined in sections 4.1. (i) and 4.1. (ii) are retained for a period of 5 years after the end of the business relationship with the Client, even if no transactions have been conducted.

In any case, Personal Data collected and processed for the purposes outlined in section 4.1. are retained:

• For the strictly necessary duration for the use of GOin’s website and the Client Portal, or for GOin’s needs, and for a maximum period of 5 years from their collection in the absence of a contract concluded with GOin.
• In the event of a contract being concluded, for the entire duration of the contractual relationship, and then retained in intermediate archives for a duration corresponding to any potential warranty period plus the applicable statutory limitation period (usually 5 years in most cases).
• In the event of GOin fulfilling a legal obligation, your data is processed for the duration necessary for the performance of this obligation as provided by law.
• In the context of commercial prospecting operations, for 3 years from your last contact with GOin.
• Until the withdrawal of your consent, in cases where the processing is based on your prior consent.
• For a period of 25 months from their implantation/creation regarding cookies.

6. Recipient of Personal Data

In the context of processing purposes, your Personal Data may be accessed and processed internally only by natural persons who need them for their duties. GOin may also disclose your Personal Data to the following recipients:

• Financial, judicial, state agencies, or public authorities, upon request and within the framework of applicable legal and regulatory procedures.
• Certain regulated professions partners, including its accountants, statutory auditors, lawyers or notaries, and banking partners.
• Other companies within its group for specific processing purposes.
• Third-party service providers and subcontractors, including for example: service providers including software providers, advisors, and accounting service providers of GOin.

7. Data Transfers outside the European Economic Area (EEA)

Your Personal Data may be transferred to service providers acting on their behalf who are located in France and/or within the European Economic Area (EEA).

Some of your data may be collected, accessed, or stored outside of France and/or the European Economic Area (EEA). Nevertheless, GOin has taken measures to ensure an adequate level of protection for your data, regardless of their location, for example by using standard data transfer clauses, or any other method approved by the European Commission (where data protection legislation is considered the most effective in the world) and/or national data protection authorities.

We also require our third-party partners to comply with applicable data transfer obligations, for example through contractual clauses, regarding the Personal Data they receive on our behalf.

8. Data Protection

GOin implements technical and organizational measures to prevent:

• Any accidental or unlawful loss, destruction, or alteration of Personal Data.
• Any unauthorized access, theft, or disclosure, whether accidental or unlawful.

Furthermore, GOin requires service providers or any third-party organization processing on its behalf or receiving Personal Data from it to take necessary and appropriate security measures.

Any employee of GOin who, in the course of their duties, may have access to your Personal Data, undertakes to hold them strictly confidential.

9. Rights of Data Subjects

Depending on the circumstances, you have the right of access, rectification, erasure, restriction, portability, and objection to the processing of your data as well as the right to withdraw your consent at any time.

You also have the option to provide us with instructions regarding the fate of your data (retention, deletion, communication to a third party, etc.) in the event of your death.

Considering the legal and regulatory obligations to which GOin is subject, the exercise of certain rights will be limited in certain situations. Furthermore, in case of refusal to provide certain Personal Data requested by GOin or following the exercise of certain rights (notably the right to restriction and objection), GOin might have to terminate the business relationship and suspend your access to GOin’s website and/or the Client Area.

For any request for information, exercise of your rights, or recourse regarding the collection, processing, and storage of your personal data, you can contact GOin’s DPO. To do so, please send an email to dpo@goin-invest.com stating the subject of your request.

Furthermore, in accordance with applicable regulations, you may at any time lodge a complaint with the CNIL.