Privacy Policy
1. Data controller
vorepo ("we") is operated by a sole proprietorship to be registered in Poland (or a Polish sp. z o.o. / Dutch BV at revenue scale). Contact: privacy@vorepo.com.
2. Data we collect
We collect the minimum data needed to operate the Platform:
- Account data: email, chosen username, authentication tokens, OAuth provider IDs (if you sign in with Google/Apple)
- Identity data (Tier 2+): name, date of birth, country, government-issued ID and selfie (processed by Sumsub under their privacy policy)
- Financial data: USDC wallet addresses (Solana), deposit/withdrawal transactions, trade history
- Tax data (DAC8 required from Jan 1 2026): tax identification number (TIN), tax residency
- Device data: IP address, user-agent, approximate geolocation (city-level from IP), device fingerprint for fraud prevention
- Interaction data: page views, API calls, feature usage (via PostHog + Microsoft Clarity once registered)
3. Purposes & legal basis
| Purpose | Legal basis |
|---|---|
| Provide trading functionality | Contract performance (Art. 6(1)(b)) |
| KYC / AML / sanctions | Legal obligation (Art. 6(1)(c)) |
| DAC8 tax reporting | Legal obligation |
| Fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Platform analytics (aggregated) | Legitimate interest |
| Marketing emails (opt-in) | Consent (Art. 6(1)(a)) |
4. Sharing with third parties
- Sumsub (KYC): identity documents, liveness selfie
- Privy (auth / embedded wallet): email, OAuth tokens
- Coinbase Onramp (fiat → USDC): card details never touch our servers
- PostHog (analytics): pseudonymised user events
- Microsoft Clarity (session replay): interaction heatmaps
- TRM / Chainalysis (sanctions screening): wallet addresses
- Law enforcement: where legally compelled by valid court order
5. Retention
We keep data only as long as necessary:
- Account data: while account is active + 5 years (AML requirement)
- Transaction data: 10 years (tax + audit)
- IP logs: 90 days
- Marketing: until opt-out
- Analytics: 2 years aggregated, 14 months identifiable
6. Security
We protect data with the following measures:
- Passwords hashed with bcrypt (rounds=12)
- JWT with 7-day expiry
- TLS 1.2+ in transit
- age-encrypted backups
- Sanctioned-only KYC provider
- fail2ban on SSH
- Firewall-restricted DB
- No password recovery via email, to protect against account takeover
7. Your rights (GDPR)
- Access — request a copy of your data (JSON export)
- Rectification — correct inaccurate data
- Erasure — delete (subject to AML 5-year retention for accounts with transactions)
- Portability — machine-readable export
- Restriction / objection — pause specific processing
- Withdraw consent — for any consent-based processing
- Complain — to your local data-protection authority (PL: UODO, NL: AP)
Exercise rights: email privacy@vorepo.com. We respond within 30 days.
8. Cookies
We use essential cookies (authentication session) and, with consent, analytics cookies (PostHog, Clarity). Cookie banner offers granular opt-in/out. No third-party advertising cookies.
9. International transfers
Primary processing in EU (Frankfurt). Sumsub operates from Estonia (EU). Coinbase and PostHog have SCCs in place. No data is transferred to jurisdictions without adequacy decisions.
10. Children
Vorepo is not for users under 18 (21 where required). We do not knowingly collect data from minors. Contact us if you believe a minor has registered.
11. Tax reporting (DAC8)
Effective January 1, 2026, we collect and report to your national tax authority: TIN, tax residency, and annual aggregate crypto-asset transactions. This is a legal obligation we cannot opt out of; neither can you.
12. Contact
Privacy inquiries: privacy@vorepo.com
DPO (when appointed): dpo@vorepo.com