SMARTATLAS LTD. S.R.O. – PRIVACY POLICY
Effective Date: October 27, 2025
Last Updated: October 27, 2025
Introduction and Scope
SmartAtlas Ltd. s.r.o. ("SmartAtlas", "we", "our", "us") is committed to protecting your privacy and handling your personal data responsibly.
This Privacy Policy explains how we collect, process, transfer, store, and protect your personal data in connection with our services and interactions with you, whether you are a prospective, current, or former client.
If your country of residence is within the European Economic Area (EEA), your data controller is:
SmartAtlas Ltd. s.r.o.
Na strži 1702/65, 140 00 Praha - Nusle, Czech Republic
IČO: 21766401
Email: privacy@smartatlas.io
SmartAtlas acts as an independent data controller in relation to the processing of your personal data when you use our website, applications, and services related to crypto-asset exchange, transfer, order execution, and fiat gateways.
We process your personal data in accordance with:
- Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR);
- Regulation (EU) 2023/1114 (MiCA);
- Regulation (EU) 2022/2554 (DORA);
- Czech Act No. 110/2019 Coll. on the Processing of Personal Data;
- Other applicable EU and Czech financial and AML/CTF regulations.
By using our services, you acknowledge that you have read and understood this Privacy Policy.
1. Information We Collect
We collect personal data directly from you, automatically when you use our services, and from third-party sources. The categories of personal data include:
1.1. Identification and Verification Data (KYC)
- Full name, date of birth, nationality, personal identification number, address;
- Government-issued identification documents (passport, ID card, residence permit);
- Proof of address documents;
- Video or image data for verification or authentication (facial recognition for KYC).
1.2. Contact Data
- Email address, phone number, and other contact information you provide.
1.3. Financial and Transaction Data
- Bank account details, crypto wallet addresses, fiat payment information;
- Transaction amounts, timestamps, counterparties, exchange operations;
- Source of Funds (SoF) and Source of Wealth (SoW) information;
- Deposit and withdrawal records, order execution details, and trading activity.
1.4. Technical and Usage Data
- Device identifiers (IP address, browser type, operating system, device type);
- Log data (time and date of access, API usage, platform actions);
- Security logs and 2FA data for authentication;
- Geolocation data when enabled by you.
1.5. Compliance and Risk Data
- Screening results (sanctions, politically exposed persons "PEPs", adverse media checks);
- Risk ratings and transaction-monitoring data;
- Results of AML and sanctions screening.
1.6. Support and Communication Data
- Records of correspondence and inquiries with support or compliance departments;
- Complaint-handling data and communication transcripts.
1.7. Optional Data
- Information voluntarily provided, such as marketing preferences, surveys, or service feedback.
2. Data Collected from Third Parties
We may obtain your personal data from external sources, including:
- Verification providers for identity confirmation and document validation;
- Financial institutions and payment partners for transaction records;
- Blockchain analytics and Travel Rule providers for AML/CTF screening;
- Business partners for shared compliance purposes;
- Public databases for sanctions or politically exposed person checks;
- Regulatory or law enforcement authorities, where required by law.
All third-party data processing is conducted under contractual agreements ensuring GDPR compliance and equivalent data protection standards.
3. Purpose and Legal Basis for Processing
We process your personal data for specific, legitimate purposes as outlined below. The lawful bases are performance of a contract, legal obligation, legitimate interest, or your consent, where applicable.
| Purpose of Processing | Examples of Processing Activities | Legal Basis |
|---|---|---|
| Account registration and service provision | Opening, managing, and maintaining your SmartAtlas account | Contractual necessity |
| Transaction processing and execution | Processing crypto and fiat trades, order execution, and transfers | Contractual necessity |
| KYC/AML/CTF compliance | Identity verification, risk assessment, sanctions screening | Legal obligation |
| Security and fraud prevention | Monitoring accounts, preventing unauthorized access, incident response | Legal obligation / Legitimate interests |
| Regulatory reporting | Submitting information to competent authorities | Legal obligation |
| Customer communication | Responding to support requests and client inquiries | Legitimate interests |
| Service improvement | Analysing usage data to enhance system performance | Legitimate interests |
| Marketing (if opted-in) | Sending updates, newsletters, or promotional material | Consent |
| Data analytics and reporting | Aggregating anonymised statistics for internal reporting | Legitimate interests |
| Legal defence and claims | Managing disputes, audits, and investigations | Legal obligation / Legitimate interests |
We will not use your personal data for purposes that are incompatible with the purposes for which it was originally collected.
4. Automated Processing and Artificial Intelligence
SmartAtlas may use automated systems and machine learning models to detect suspicious transactions, assess risk levels, and monitor for fraud or sanctions breaches.
Such processes may result in decisions affecting your ability to execute certain transactions.
Where required by law, you have the right to request human intervention and contest such automated decisions.
5. Sharing and Disclosure of Data
We share personal data only when necessary, under strict legal and security conditions.
5.1. Internal Recipients
SmartAtlas employees, compliance officers, and authorised contractors with role-based access.
5.2. External Recipients
We may share your personal data with:
- Regulatory authorities (Czech National Bank, FIU, or other EU regulators);
- Payment and banking partners for fiat operations;
- Blockchain analytics and Travel Rule providers (e.g., Notabene);
- Third-party IT, cloud, and data-processing providers (under GDPR-compliant data-processing agreements);
- Legal, accounting, or auditing service providers;
- Law enforcement agencies, when legally required.
We do not sell your personal data to third parties.
6. International Data Transfers
6.1. Personal data may be transferred outside the European Economic Area only when adequate protection mechanisms are in place, such as:
- EU Standard Contractual Clauses (SCCs);
- Adequacy decisions issued by the European Commission;
- Legally binding corporate rules or other mechanisms ensuring equivalent data protection.
6.2. SmartAtlas ensures that all transfers are properly documented and subject to appropriate safeguards and supervision.
7. Data Retention
7.1. We retain personal data only as long as necessary to fulfil the purposes described in this Policy or to comply with legal obligations. Typical retention periods include:
- AML/CTF records: 5 to 10 years after termination of the client relationship;
- Transaction and financial records: 7 years (or longer if required by law);
- Support correspondence: 2 years after case closure;
- Marketing and consent data: until withdrawal of consent.
7.2. After the applicable retention period, personal data will be securely deleted or anonymised.
8. Data Security
8.1. SmartAtlas applies robust technical and organisational measures to ensure data security, confidentiality, integrity, and availability, including:
- Encryption of data at rest and in transit;
- Multi-factor authentication (MFA) for account access;
- Network segmentation and firewalls;
- Incident detection and response procedures;
- Regular audits and penetration testing.
8.2. Under DORA, SmartAtlas maintains business continuity and digital operational resilience plans, ensuring minimal disruption in case of IT incidents.
8.3. If a personal data breach occurs, SmartAtlas will notify the Czech Data Protection Authority (ÚOOÚ) and affected clients within legally required timeframes.
9. Your Data Protection Rights
Under GDPR, you have the right to:
- Access your personal data;
- Request correction or erasure of inaccurate data;
- Restrict or object to processing;
- Withdraw consent (where applicable);
- Request data portability;
- Lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů) or your local supervisory authority.
You may exercise your rights by contacting us at privacy@smartatlas.io.
10. Data Protection Officer (DPO)
SmartAtlas has appointed a Data Protection Officer to oversee GDPR compliance:
Data Protection Officer
Email: privacy@smartatlas.io
Address: SmartAtlas Ltd. s.r.o., Na strži 1702/65, 140 00 Praha - Nusle, Czech Republic
11. Cookies and Tracking
We use cookies and similar technologies to:
- Enable functionality (e.g., login sessions).
- Improve performance and analytics.
- Provide personalized content.
You may manage your cookie preferences via our Cookie Banner. Non-essential cookies require your prior consent.
Used cookies:
| Name | Description | Duration |
|---|---|---|
| _hjClosedSurveyInvites | Hotjar cookie. This cookie is set once a visitor interacts with a Survey invitation modal popup. It is used to ensure that the same invite does not re-appear if it has already been shown. | 365 days |
| _hjDonePolls | Hotjar cookie. This cookie is set once a visitor completes a poll using the Feedback Poll widget. It is used to ensure that the same poll does not re-appear if it has already been filled in. | 365 days |
| _hjMinimizedPolls | Hotjar cookie. This cookie is set once a visitor minimizes a Feedback Poll widget. It is used to ensure that the widget stays minimized when the visitor navigates through your site. | 365 days |
| _hjDoneTestersWidgets | Hotjar cookie. This cookie is set once a visitor submits their information in the Recruit User Testers widget. It is used to ensure that the same form does not re-appear if it has already been filled in. | 365 days |
| _hjIncludedInSample | Hotjar cookie. This session cookie is set to let Hotjar know whether that visitor is included in the sample which is used to generate funnels. | 365 days |
| _hjShownFeedbackMessage | This cookie is set when a visitor minimizes or completes Incoming Feedback. This is done so that the Incoming Feedback will load as minimized immediately if they navigate to another page where it is set to show. | 365 days |
| _hjid | Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. | 365 days |
| _hjRecordingLastActivity | This should be found in sessionStorage (as opposed to cookies). This gets updated when a visitor recording starts and when data is sent through the WebSocket (the visitor performs an action that Hotjar records). | Session |
| _hjTLDTest | When the Hotjar script executes we try to determine the most generic cookie path we should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed. | Session |
| _hjUserAttributesHash | User Attributes sent through the Hotjar Identify API are cached for the duration of the session in order to know when an attribute has changed and needs to be updated. | Session |
| _hjCachedUserAttributes | This cookie stores User Attributes which are sent through the Hotjar Identify API, whenever the user is not in the sample. These attributes will only be saved if the user interacts with a Hotjar Feedback tool. | Session |
| _hjLocalStorageTest | This cookie is used to check if the Hotjar Tracking Script can use local storage. If it can, a value of 1 is set in this cookie. The data stored in _hjLocalStorageTest has no expiration time, but it is deleted immediately after creating it so the expected storage time is under 100ms. | N/A |
| _hjptid | This cookie is set for logged in users of Hotjar, who have Admin Team Member permissions. It is used during pricing experiments to show the Admin consistent pricing across the site. | Session |
| _hjAbsoluteSessionInProgress | The cookie is set so Hotjar can track the beginning of the user's journey for a total session count. It does not contain any identifiable information. | 30 minutes |
12. Children's Data
SmartAtlas services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If such data is identified, it will be deleted immediately.
13. Updates to This Policy
We may update this Privacy Policy to reflect legal, technical, or business developments.
Material updates will be communicated via the Platform or email.
The current version will always be available at www.smartatlas.io/privacy-policy.
14. Governing Law
This Privacy Policy and all related matters are governed by the laws of the Czech Republic and applicable European Union regulations.