Cookies policy

We respect your operative system’s privacy settings. When in line with them, we will use first-party and third-party cookies for analytical purposes and to show you advertising related to your preferences, based on your browsing habits and profile. For more information, please consult our Cookies policy in Privacy Notice.

Essential cookies
Required
Marketing cookies
Personalization cookies
Analytics cookies
Thank you!
Thank you! Your submission has been received!
Something went wrong while submitting the form. Please check your input data and try again.

Stobox 4 Privacy Notice

Last revised: 21.05.2025

Stobox Polska Sp. z o. o. (hereinafter – "Company", "Stobox", "we', "us", "our") is the data controller for the purpose of the General Data Protection Regulation (EU) 2016/679 (hereinafter – "GDPR")  and the Polish Personal Data Protection Act of 10 May 2018 (Ustawa o ochronie danych osobowych). This Privacy Notice together with our Terms of Use [www.stobox.io/terms-of-use-stobox4] sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us for the purposes of provision of our services to you through our website and/or other applicable software, including but not limited to: the Blockchain-based application (hereinafter – the " Stobox 4"). The website can be accessed via the following link: https://www.stobox4.io/ (hereinafter – the "Website").

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting our Website, you are accepting and consenting to the practices described in this Privacy Notice. 

We take the protection of our users ("user/you/your") personal data very seriously and strictly comply with applicable data protection laws and regulations. In this Privacy Notice below we provide you with an overview of what data we collect for what purpose and how we ensure the protection of such data.

1. Purpose and Legal Basis of Processing Data; Legitimate Interests

1.1. The legal basis for the collection and processing of your personal data is provided by the applicable legal provisions, particularly those of Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016, repealing the directive 95/46/EC, on the protection of individuals with regard to the processing of Personal Data, on the free movement of such data ("General Data Protection Regulation", GDPR), as well as the Polish Personal Data Protection Act of 10 May 2018 (Ustawa o ochronie danych osobowych) . We will only collect, use and/or pass on Personal Data if this is permitted by law or if the user consents to the data processing. We process your personal data in accordance with the principles of lawfulness, purpose limitation, and data minimization as set out in Article 5 of GDPR.

1.2. Your data will be used for the following purposes:

1.2.1. to implement this Privacy Notice and carry out the contractual relationships between you and us regarding our services available via the Website and/or our other software, including the Stobox 4 (Art. 6(1)(b) of GDPR);

1.2.2. to provide our services on the Website, to contact you in any matters regarding our services (also by means of emails and messaging) and to ensure the technical functionality of our services fulfillment of contractual or pre-contractual obligations (Art. 6(1)(b) of GDPR);

1.2.3. to prevent fraudulent behavior by any of our users (Art. 6(1)(f) of GDPR) and to comply with anti-money laundering (AML) and know-your-customer (KYC) requirements (Art. 6(1)(c) and (b) of GDPR);

1.2.4. to analyze your use of our services and improve our services (Art. 6(1)(f) of GDPR);

1.2.5. with your express consent or instruction to carry out our business activities or send you newsletters and other advertising materials (Art. 6(1)(a) of GDPR);

1.2.6. to follow our internal policies and protect our legitimate interests (Art. 6(1)(f) of GDPR) and to comply with Polish, EU, and other regulations governing our activities as a VASP (Art. 6(1)(c) of GDPR or Art. 9 (2) (a) of GDPR);

1.2.7. to save your blockchain data (e.g. your blockchain wallet address) on the distributed ledger (on Art. 6(1)(f) of GDPR);

1.2.8. to comply with our legal obligations before third parties involved in the process of performance of our services (Art. 6(1)(c) GDPR);

1.2.9. to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about (Art. 6(1)(f) of GDPR);

1.2.10. to provide you, or permit selected third parties to provide you, with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (e-mail) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you (Art. 6(1)(f) of GDPR). If you are a new customer, and where we permit selected third parties to use your data, we (or they) will contact you by electronic means only if you have consented to this (Art. 6(1)(a) of GDPR).

1.2.11. to notify you about changes to our services (Art. 6(1)(b) of GDPR);

1.2.12. to ensure that content from our Website is presented in the most effective manner for you and for your device (Art. 6(1)(f) of GDPR).

1.2.13. for other purposes otherwise explained in this Privacy Notice or by any further communication from us, in accordance with the provisions of the General Data Protection Regulation (GDPR) and applicable Polish data protection laws, provided such purposes are supported by an appropriate legal basis under Article 6 of GDPR.

2. Your Consent

We may collect and process your personal data only with your explicit consent, as required by applicable laws, including the General Data Protection Regulation (GDPR). Consent must be freely given, specific, informed, and unambiguous, and we ensure this through a clear and separate affirmative action.

• Consent at the Start of Service: When you register or begin using our services, we will present a pop-up notification clearly explaining the purposes of collecting and processing your personal data, as outlined in this Privacy Notice. The notification will include a link to the full text of the Privacy Notice and require you to perform a separate affirmative action, such as checking a checkbox, to confirm your consent. Consent will not be bundled with the acceptance of other terms, and no checkboxes will be pre-selected.

• Updates to this Privacy Notice: We may periodically update this Privacy Notice. We commit to notifying you of any changes in advance via email and/or through a pop-up notification upon logging into the system. The notification will include a clear description of the changes and a link to the full text of the updated Privacy Notice to ensure you are fully informed.

   ◦ Material Changes: If the changes materially affect the processing of your personal data (e.g., new purposes of processing or data sharing), we will request your explicit consent through a pop-up notification. To provide consent, you will be required to perform a separate affirmative action, such as checking a checkbox with a clear explanation of what you are agreeing to. Consent will not be bundled with the acceptance of other terms. Such changes will take effect only after your confirmation or at least 14 days after the notification.

   ◦ Minor Changes: If the changes do not affect the processing of your personal data (e.g., error corrections or clarifications of wording), they will take effect upon posting the updated Privacy Notice on our website. We will still notify you to ensure transparency.

• Your Responsibility: We recommend regularly reviewing the Privacy Notice to stay informed of any updates. By continuing to use our services after being notified of the updated Privacy Notice and, where required, providing consent, you confirm your agreement to it.

We engage third-party providers, including SumSub, Fireblocks, and others, to support our services. Their processing of your personal data includes:

• SumSub: Processes your name, ID documents, contact details, and transaction data (e.g., amounts, wallet addresses), and biometric data (e.g., facial images and selfies) for KYC (Know Your Customer), KYB (Know Your Business), and KYT (Know Your Transaction) purposes. This includes identity verification and real-time transaction monitoring for fraud, money laundering, and regulatory compliance using AI-driven risk analysis. Biometric data is processed to verify your identity and may be used in the future for enhanced security measures, such as ensuring that verified accounts are not transferred to third parties.

• Fireblocks: Processes wallet addresses and transaction details for secure storage, management, and transfer of digital assets in Stobox 4.

• Other Providers: May process data for services like customer support or analytics, as needed, with details provided during consent or in Privacy Notice updates.

Details of our interactions with SumSub, Fireblocks, and other external service providers are outlined in our Terms of Use, available at www.stobox.io/terms-of-use-stobox4.

3. Recipient(s) of Your Data

We, as well as our external service providers, including SumSub and Fireblocks, receive your data for the purpose of provision of our services. We may need to share your information with our external service providers, affiliates and/or agents. We require that third party organizations who handle or obtain personal information as service providers acknowledge its confidentiality and undertake to respect an individual's right to privacy and comply with data protection principles including this Privacy Notice.

4. Information We May Collect From You

4.1. We may collect and process the following data about you:

4.1.1. your name (including first name, last name);

4.1.2. physical address;

4.1.3. e-mail address and phone number;

4.1.4. credit card information, blockchain wallet address, other financial information applicable for provision of our services;

4.1.5. date of birth;

4.1.6. gender and nationality.In order to obtain the above-mentioned information we may either ask it from you during your filling of any forms (e.g. registration forms) to access our services, including, during the KYC, KYB process conducted via our third-party provider SumSub. Or, we may ask you to provide us with copies of respective documents by phone, e-mail or otherwise. Such documents include but not limited to:

- passport;
- driver license;
- transaction history;
- certificates.

4.1.7. Consent for Processing and Display of Name: Before collecting or processing your name (first name, last name), including for potential display (e.g., in user profiles or service interfaces), we will request your explicit consent through a pop-up notification. This notification will clearly explain the purpose of processing and display, include a link to this Privacy Notice, and require a separate affirmative action, such as checking a checkbox. Consent will be freely given, specific, informed, unambiguous, and not bundled with other terms.

4.1.8. By undergoing the KYC (Know Your Customer) or KYB (Know Your Business) verification process through our service interface, you consent to the transfer of your personal data and documents to our third-party provider, SumSub, for the purposes of identity verification and compliance with applicable regulatory requirements, including anti-money laundering (AML) obligations. Further details are provided in our Terms of Use, available at www.stobox.io/terms-of-use-stobox4.

4.1.9. Biometric Data Collection and Processing: During the KYC (Know Your Customer) or KYB (Know Your Business) verification process, our third-party provider, SumSub, may collect biometric data, such as facial recognition data or other biometric identifiers, to verify your identity and comply with anti-money laundering (AML) and other regulatory requirements. The purpose of collecting biometric data is to ensure secure and accurate identity verification for the provision of our services. Stobox does not collect, store, or transmit your biometric data; all biometric data processing is handled directly by SumSub on its platform. By providing your consent through a checkbox or other affirmative action when approving this Privacy Notice, you agree to SumSub’s collection and processing of your biometric data for the purposes of identity verification. SumSub processes and stores biometric data in compliance with applicable laws. If you are a resident of a jurisdiction with specific biometric data protection laws (e.g., Illinois Biometric Information Privacy Act (BIPA)), you may have additional rights. For further details on SumSub’s biometric data practices, please refer to SumSub’s Privacy Notice at https://sumsub.com/privacy-notice/. For questions about our verification process, contact us at info@stobox.io.4.2. Stobox reserves the right to change the Fees at any time, and will provide you with a notice of any such fee changes before they become effective.

4.2. Stobox may also gather data about you:

- When you engage with us on social media;
- When you enter prize draws or competitions organized by Stobox;
- When you book any kind of appointment with us or book to attend an event;
- When you choose to complete any surveys we send you;
- When you comment on or review our products and services;
- When you've given a third party permission to share with us the information they hold about you;
- When Stobox suppliers and partners share information with us.

4.3. We may collect your data from publicly-available sources when you have given your consent to share information or where the information is made public as a matter of law in relation towards KYC and AML regulation.

4.4. We may collect notes from our conversations with you, details of any complaints or comments you make, details of investments you made and how and when you contact us.

4.5. With regard to each of your visits to our Website we may automatically collect the following information:

4.5.1. technical information, including the internet protocol (IP) address used to connect your computer to the internet;

4.5.2. browser type and version;

4.5.3. time zone setting;

4.5.4. browser plug-in types and versions;

4.5.5. operating system and platform.

4.5.6. information about your visit, including the full uniform resource locators (URL) clickstream to, through and from our Website (including date and time);

4.5.7. products you viewed or searched for;

4.5.8. page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs);

4.5.9. methods used to browse away from the page and any phone number used to call our customer service number;4.5.10. dates and timestamps associated with your IP address usage;

4.5.11. geographical data linked to your IP address;

4.5.12. device indicators, including hardware and software information;

4.5.13. virtual assets wallet addresses associated with your transactions;

4.5.14. transaction hashes related to any activities conducted through the Website.

4.6. Information we receive from other sources.

We may receive information about you if you use any of the other websites we operate or the other services we provide. We also work closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.

5. Your Rights

5.1. You have the right to:

5.1.1. withdraw your consent relating to the use of your data any time with effect for the future when such data processing is based on your consent**;

5.1.2. object to the processing of your personal data, if your personal data is processed on the basis of legitimate interests (based on Art. 6 (1) f. GDPR);

5.1.3. access the scope of data stored by us;

5.1.4. amend or rectify your data if such data is incorrect or outdated;

5.1.5. request the restriction of processing of your personal data;

5.1.6. request the erasure of your data***;

5.1.7. receive your personal data in a structured, commonly used, and machine-readable format and to transmit those data to another controller;

5.1.8. lodge a complaint with the President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych) in Poland if you believe that the processing of your personal data violates GDPR.

5.1.9. The rights listed in this section apply primarily to residents of the European Union under GDPR. If you are located in another jurisdiction, such as the United States, you may have similar or additional rights under local laws, as described in Section 14. To learn more, please contact us at info@stobox.io.

** Please note that if you become our user as described in the Stobox 4 Terms of Use [www.stobox.io/terms-of-use-stobox4] and at any point will decide not to use our services and/or products we are legally obliged to nevertheless store your data related to you as our user for the purposes of maintenance of shareholder list. 

*** Please note, that your blockchain data stored on a distributed ledger is pseudonymized and in any case cannot be deleted by us due to the consequences for the integrity of the entire chain, specifically, due to deletion of such chain containing transactions validation history of other users.

5.2. To enforce your above mentioned rights, you may reach us through email put at the end of this document.

6. Period for Storing Your Data; Deletion of Your Data

The data that we collect from you will be stored and processed for the period of time necessary to provide you our services and will be deleted after there will be no need in its storage and processing, unless required to be retained under AML regulations or other applicable laws. Please note that when using our Website and/or any of our available services certain information and data about the user will be stored on the blockchain in pseudonymized form and may not be deleted.

7. Disclosure of Your Data

7.1. We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries as well as the above-mentioned third party services providers. We provide only the information they need to perform their specific services. They may only use your data for the exact purposes we specify in our contract with them. We work closely with them to ensure that your privacy is respected and protected at all times. If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.

7.2. We may share your data with selected third parties including:

- business partners, suppliers and subcontractors for the performance of any contract we enter into with them to render you our services;- advertisers and advertising networks that require the data to select and serve relevant adverts to you;

- analytics and search engine providers that assist us in the improvement and optimization of our Website;

- credit reference agencies for the purpose of assessing your credit score where this is a condition for us entering into any agreement with you regarding our services;

- in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;

- if we or substantially all of its assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets;

- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any agreements between you and us, or to protect our or our customer's rights, property, or safety. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

- we may, from time to time, expand, reduce or sell the Company and this may involve the transfer of divisions or the whole business to new owners. If this happens, your personal data will, where relevant, be transferred to the new owner or controlling party, under the terms of this Privacy Notice.

8. Use of the Blockchain

When using our services, including Stobox 4, certain information and data about the user will be stored on the blockchain in pseudonymized form and may not be deleted because it is not possible without deleting the entire chain. Such data stored on the blockchain will only be in pseudonymized form, including address (public key) of the user of the relevant services, a flag that the user is verified, a flag stating that the user is a sophisticated investor, a flag that the user has verified their bank account. In this event and if such data is considered to be a Personal Data, the data processing by us is subject to Art. 6 (1) f. of GDPR based on our legitimate interest in using and providing this technology for our services in a functioning way.

This limitation on deletion applies globally, including under GDPR, U.S. state privacy laws (e.g., the California Consumer Privacy Act), and other applicable privacy regulations, as further described in Section 14.

9. Sharing Your Data With Authorities

9.1. We will only do this in very specific circumstances, for example:

- for fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies, such as the Polish Financial Supervision Authority (KNF) or the General Inspector of Financial Information (GIIF) for AML compliance;

- we may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.

9.2. The specifics of access to personal data, the timelines for processing requests, and the grounds for refusal of access are governed by the provisions of GDPR and the Polish Personal Data Protection Act of 10 May 2018.

10. Cookies

10.1. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your device if you agree to accept them. Cookies contain information that is transferred to your device's hard drive. Our Website uses cookies to distinguish you from other users of our Website. This helps us to provide you with a good experience when you browse our Website and also allows us to improve our Website. By continuing to browse the Website.

10.2. We use the following cookies:

- strictly necessary cookies – which are required for the operation of our Website, including, cookies that enable you to log into secure areas of our Website;

- analytical/performance cookies – which allow us to recognize and count the number of visitors and to see how visitors move around our Website when they are using it. This helps us to improve the way our Website works, for example, by ensuring that users are finding what they are looking for in the possible easiest way;

- functionality cookies – which are used to recognize you when you return to our Website, enabling us to personalize our content for you, greet you by name and remember your preferences (for example, your choice of language or region);

- targeting cookies – which record your visit to our Website, the pages you have visited and the links you have followed. We use this information to make our Website more relevant to your interests. We may also share this information with third parties for this purpose.

10.3. Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

10.4. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

11. Access to Information on Your Data

GDPR and the Polish Personal Data Protection Act of 10 May 2018 gives you the right to information held about you and information can be accessed in accordance with GDPR by emailing info@stobox.io

12. Changes to Our Privacy Notice

Any changes we may make to our Privacy Notice in the future will be posted on this page. Please check back frequently to see any updates or changes to our Privacy Notice.

13. Contacts

Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to info@stobox.io

14. Region-Specific Privacy Information

14.1. United States

If you are a resident of the United States, you may have additional rights under applicable state privacy laws, such as the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), or other similar regulations. These rights may include:

The right to know what personal data we collect, use, disclose, or share about you, including the categories of data, sources, and purposes of processing.

The right to request the deletion of your personal data, subject to certain exceptions, such as our obligations to retain data under anti-money laundering (AML) regulations or the technical immutability of blockchain data, as described in Section 8.

Disclosure of your personal data to third-party advertising and analytics providers may be considered a sale under certain state laws. In California, this may also be considered “data sharing” (a term used to describe the exchange of information for advertising purposes). Stobox does not sell or share personal data for targeted advertising purposes as defined under the CCPA but may transfer data to third-party service providers (e.g., SumSub, Fireblocks), which are located in the European Union (EU) or European Economic Area (EEA) and comply with GDPR requirements, for the operational purposes outlined in this Privacy Notice, which does not constitute a sale or sharing. If the use of your personal data involves a sale or sharing for targeted advertising, you have the right to opt-out by (a) enabling a Global Privacy Control (GPC) signal in your browser, (b) adjusting cookie settings on our Website, or (c) submitting an opt-out request to info@stobox.io.

The right to non-discrimination for exercising your privacy rights.

The right to correct inaccurate personal data we hold about you, subject to verification of your identity and applicable legal restrictions.

The right to data portability, allowing you to receive a copy of your personal data in a structured, commonly used, and machine-readable format, where technically feasible.

The right to limit the use and disclosure of sensitive personal data (e.g., financial information, precise geolocation), subject to exceptions for providing our services, as outlined in this Privacy Notice or as required by law.

The right to opt-out of automated decision-making or profiling that produces legal or similarly significant effects, where applicable. You may appeal such decisions by contacting us at info@stobox.io, and your appeal will be reviewed manually by our team. 

The right to appeal decisions regarding your privacy requests, where applicable (e.g., in Virginia, Colorado, Connecticut). If your request is denied, you may appeal by contacting us at info@stobox.io.

To exercise these rights, please contact us at info@stobox.io. We will respond to your request within the timelines prescribed by applicable laws (e.g., within 45 days under the CCPA, with a possible extension of an additional 45 days if necessary). To process your request, we may require sufficient information to verify your identity or authority to make the request and confirm that the personal data relates to you. Please note that certain data, such as blockchain data stored in pseudonymized form, cannot be deleted due to technical constraints, as explained in Section 8. For further details on our data practices or to learn more about your state-specific rights, please contact us.

We do not knowingly collect personal data from individuals under 18 years of age. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at info@stobox.io to request its deletion.If you enable the Do Not Track (DNT) feature in your browser, certain features of our Website may function less effectively, as DNT may limit personalization or tracking for analytics purposes.

14.2. Other Jurisdictions

If you are located outside the European Union or the United States, you may have additional privacy rights under applicable local laws. We process your personal data in accordance with the principles outlined in this Privacy Notice and comply with local legal requirements to the extent applicable. To exercise your rights or learn more about how your data is processed in your jurisdiction, please contact us at info@stobox.io.