Privacy Policy
Last updated: 28/03/2025
Cometh, a French simplified joint stock company, registered with the Registry of Trade and Companies of Paris under the number 892 021 577 R.C.S. Paris and whose head office is located at 61-63, 61 rue des belles feuilles, 75016 Paris, is referred to as “Cometh”, “us” or “we”.
This Privacy Policy describes how Cometh collects, uses, shares, and protects the personal information of users ("you" or "users") of our platform Louis.Finance accessible via the following link https://louis.finance/fr/ and web application (together the “Platform”).
Cometh provides its users with the Platform enabling direct interaction with decentralized finance (DeFi). The services offered include, but are not limited to, investment operations on lending and staking protocols (such as AAVE and Morpho) as well as exchanges (swaps) on decentralized platforms (Cowswap, AAVE, Paraswap, Uniswap).
The purpose of this policy is to inform you about how we process your personal data, when you use the Platform, in compliance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (hereinafter the "GDPR").
What are the purposes of processing your personal data?
We collect the following types of personal information when you use our Platform.
| Processing purposes | Collected data | Legal basis | Retention period |
| --- | --- | --- | --- |
| Client account verification (KYB and KYC) | KYC (First Name; Last Name; Birth date; Birth place; Birth Country; Email; Effective beneficiary; Role; Address; Phone number; Ownership percentage; Proof of address; Bank details; Identity documents) / KYB (Company Name; Registration number; Country of registration; Address; Commercial Name; Registration date; Banking information; Tax identification number; Classifications) | Legal obligation | Five years from the closure of accounts or the termination of the business relationship |
| Early access | Company name; First name; Last name; Phone number; Email | Legitimate Interest | Three years from request |
| Account monitoring | Data recorded on the blockchain | Legal obligation | Duration of the verification |
| Provision of services: wallet assignment, displaying user balance, staking rewards, enabling operations | User activity data on the Platform; Transaction orders; Wallet address; Communications with Cometh | Contract performance | Five years from the closure of accounts or the termination of the business relationship |
| Account monitoring | Data necessary to comply with the law or a legal/judicial request | Legal obligation | For the duration provided by applicable law or the relevant judicial or administrative decision |
In any event, we undertake to delete your personal data from our databases at the end of these various periods, subject to the retention of certain information for a period to meet our legal, accounting and tax obligations, including those we have as a digital asset provider.
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law.
Sharing your information
Cometh employees
Authorized Cometh employees have access to your data to ensure the proper functioning of the Platform and to respond to your requests.
Service providers
Your personal data is transmitted to third-party processors involved in the provision of the Platform and services.
These service providers include the following:
Authentication management: Amazon Web Services (AWS) Cognito
Data hosting: MongoDB
AML/KYC verification: Dotfile
Customer relationship management: Pipedrive
Cookie providers
Your personal data are transmitted to third parties depositing cookies or similar tracking technologies on the Platform, according to the choices made via the cookies banner and subject to your consent.
Communication for legal reasons
Personal data may be disclosed to a third party if Cometh is required to do so by law, regulation or court order, or if such disclosure is necessary for the purposes of an investigation, injunction or legal process, whether domestically or abroad.
Business partners
Cometh collaborates with third-party service providers to facilitate on-ramp and off-ramp transactions, enabling you to convert between digital assets and fiat currency. To complete these transactions, we may share certain personal data—such as your Cometh wallet address and transaction details—with these providers to ensure the proper execution of their services. Your information will only be shared to the extent necessary for you to interact with these partners and complete your transactions securely.
Is your personal data transferred outside the European Union?
Your information is transferred outside the European Economic Area, in particular because of the use of service providers.
In this case, these transfers are carried out with appropriate guarantees to ensure a sufficient level of protection for privacy and fundamental rights, including the signing of standard contractual clauses adopted by the European Commission.
Your rights
For any exercise of the below-mentioned rights, you can contact us at the following e-mail address: dpo@cometh.io
Subject to applicable law, you have the following rights:
Right of access to your personal data, including the right to obtain from Cometh some information such as the purposes of the processing and the categories of personal data concerned.
Right to rectification: You can ask us at any time to rectify your personal data that are inaccurate or incomplete.
Right to erasure/right to be forgotten: You can request the deletion of your personal data, in particular when it’s no longer needed by Cometh, when you have withdrawn your consent or when you have objected to the processing.
Right to restriction of processing: You can request the restriction of the processing of your personal data if (i) you have contested the accuracy of the personal data, (ii) the processing is unlawful, (iii) Cometh no longer needs your personal data, but the data are still necessary for you to defend legal claims; or (iv) you have objected to the processing during the verification as to whether the legitimate grounds pursued by Cometh override yours.
Right to data portability: when your personal data is automatically processed and the processing is based on your consent or a contract, it’s possible to request the reception and the transmission of your personal data to a third party.
Right to object: You can object to the processing of your personal data if the processing is based on your legitimate interest, for reasons relating to your particular situation.
Right to determine what happens to your personal data after your death, or to choose a trusted third party to whom Cometh can entrust your personal data.
Before we can respond to a request to exercise one or more of your rights, we may ask you to provide additional information in order to verify your identity.
Cometh undertakes to respond to your requests concerning the Privacy Policy or the exercise of your rights, as soon as possible and within one calendar month of receipt of the request as provided by the GDPR.
If your request is complex, or if you made several requests, the response time can be up to three calendar months from the date of receipt.
If you believe that the processing of your personal data is unlawful, you also have the right to file a complaint with:
Cometh’s main data protection authority: the Commission Nationale de l'Informatique et des Libertés, or the "CNIL", or
Your local supervisory authority.
Security
We implement appropriate technical and organizational measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction.
These measures are designed in accordance with recognized industry standards, including ISO/IEC 27001, and include:
Access controls and authentication mechanisms;
Data encryption in transit and at rest;
Regular security audits and risk assessments;
Incident response procedures;
Staff training in information security and data protection.
Our security framework is continually reviewed and improved to address evolving threats and ensure the confidentiality, integrity, and availability of your data.
Contact us
If you have any questions, concerns, or requests regarding your personal information or this Privacy Policy, please contact us at dpo@cometh.io.
California privacy notice
We provide this California Privacy Notice to comply with applicable privacy laws in the State of California, including the California Consumer Privacy Act of 2018, and its amendment, the California Privacy Rights Act of 2020 (together, the “CCPA”). Any capitalized term used and not otherwise defined below has the meaning assigned to it in our Privacy Policy.
This California Privacy Notice supplements information included in this Privacy Policy and applies to any California residents about whom we have collected Personal Data from any source, including offline, and through your use of our Platform.
The CCPA provides California residents with rights to receive certain disclosures regarding the collection, use, and sharing of Personal Data, as well as rights to access, delete, correct, limit, and opt-out of the sales of certain Personal Data we collect about them, as well as to opt-out of the sharing of certain Personal Data for purposes of cross-context behavioral advertising (called “sharing” under California law). California residents also have the right not to receive discriminatory treatment by us for the exercise of their privacy rights under the CCPA. If you are a California resident, you may submit a request to exercise these rights by emailing us using the information provided in the Your Privacy Rights section below.
For the purposes of this California Privacy Notice, except where a different definition is noted, “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. Personal Data does not include publicly available information; lawfully obtained, truthful information that is a matter of public concern; information that has been de-identified; or information that has been aggregated. For purposes of this section, “Publicly available Information” includes: information that is made available from federal, state, or local government records; information that a business has a reasonable basis to believe is lawfully available to the general public, either through widely distributed media, or by the consumer; and information that is made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.
The Personal Data we may collect or have collected from California Residents within the last twelve months are listed in Section 1 of this Privacy Policy.
Please note that because of the overlapping nature of certain of the categories of Personal Data identified above, which are required by state law, some of the Personal Data we collect may be reasonably classified under multiple categories.
Uses of Personal Data
Cometh may collect, use, or disclose Personal Data about California residents for purposes described in this Privacy Policy.
Sources of Personal Data
We obtain the categories of Personal Data listed above from the following categories of sources:
From you, including from when you register for a Cometh account, or as automatically collected when using the Platform.
Through our service providers, which are third party companies who help us provide our Platform to you consistent with the purposes detailed in this Privacy Policy.
From our business partners and others, including those that may promote and/or offer products and services that may be of interest to you.
We may supplement the Personal Data collected from the categories of sources described above with Personal Data we obtain from other sources.
Disclosure of Personal Data
We may disclose your Personal Data to service providers and third parties as described in Section 3 of this Privacy Policy.
This includes disclosure of your Personal Data to service providers for a business purpose. “Business purposes” means the reasonably necessary and proportionate use of personal information for our operational purposes, other purposes described in this Privacy Policy, for the operational purposes of our service providers and contractors, as well as other purposes compatible with the context in which the Personal Data was collected.
When we disclose Personal Data for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Data confidential and not to use it for any purpose except performing the contract.
Your privacy rights
The CCPA provides California residents with specific privacy rights regarding their Personal Data. This section describes your CCPA rights and explains how to exercise those rights.
If you are a California resident, you have the right to make the following requests under applicable California law in relation to your Personal Data, subject to certain exceptions:
Right to Know (or Access). You have the right to, up to twice in a 12-month period, request what Personal Data we collect, use, disclose, and/or sell, and to whom, as applicable. You may request either a report disclosing the general categories of the Personal Data we collect, or a report disclosing the specific pieces of personal information we collect.
Right to Delete. You have the right to request, under certain circumstances and subject to exceptions, the deletion of your Personal Data that we collect.
Right to Opt-Out of Sale and/or Sharing. You have the right to opt-out of the “sale” or “sharing” of your Personal Data, as those terms are defined under the CCPA. As noted in Section 10(a)(iv) above, however, Cometh is not currently engaged in such activity.
Right to Limit Use and Disclosure. You have the right to limit the use or disclosure of your sensitive personal information to only the uses that are necessary for us to provide the Platform reasonably expected by the average user, including as may be consistent with your consent and expressed preferences, or for certain other authorized purposes. We will not use or disclose your sensitive personal information after you have exercised your right unless you subsequently provide consent for the use of your sensitive personal information.
Right to Correct. You have the right to request the correction of any inaccurate Personal Data that we may maintain about you, subject to our ability to reasonably verify the accuracy and/or inaccuracy of the Personal Data that is the subject of your request.
Right to Non-Discrimination. You have the right not to receive discriminatory treatment for the exercise of the above privacy rights.
How to submit a request: To submit a request to exercise any of the rights described above, please submit a verifiable consumer request to us in any of the following ways:
By mail to the following address:
Cometh
61-63 rue des Belles Feuilles 75016 Paris, France
By e-mail to: dpo@cometh.io