CEDEX Limited – Privacy Policy

Last Updated: NOV 2018

Cedex Trading UK Limited (together with other members of its group, “Cedex”/“we”/“us”/“ours”) is committed to protecting the privacy of its users (“you”/“your”) of the website (the “Site”) which operates an online trading platform for financial products linked to diamonds which allows, inter alia, the offering, publishing, sale, purchase and trading of certified diamonds (the “Platform”).
This Privacy Policy (“Policy”) sets out what Personal Data we collect, how we process it and how long we retain it. This Policy applies to all of our Processing activities where we act as a Data Controller. Further notices highlighting certain uses we wish to make of your Personal Data together with the ability to opt in or out of selected uses may also be provided when we collect Personal Data from you.
We ask that you please read this Policy before providing us with any Personal Data about you or any other person.
Additional defined terms are set out in the glossary at Appendix 1 of this Policy.
Our Site, App and Platform may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or Processing of your Personal Data. Please check these policies before you submit any personal information to such third party websites.
Certain aspects of this Policy only apply to users residing in the European Economic Area (“EEA”) – these are noted where relevant in this Policy.

IMPORTANT: Your Personal Data and blockchain

Blockchain technology, also known as distributed ledger technology (or simply “DLT”), is at the core of our business and the Platform. Blockchains are decentralized and made up of digitally recorded data in a chain of packages called “blocks”.

Immutable nature of blockchains:
The manner in which these blocks are linked is chronological, meaning that the data in the blocks is very difficult to alter once the blocks are added to the blockchain.

This “immutability” is one of the key features and benefits of using blockchain technology in connection with the Platform, as we are able to keep an unalterable record of all the diamond trading that takes place on it. However, this feature does also make it very difficult to amend inaccurate data on, or delete data from, the blockchain.

We do not hold any information on the blockchain which in isolation people accessing the Platform can identify you from. However, when you register with the Platform and for each subsequent transaction that you are party to and that is recorded on the Platform, we will allocate to you a randomly generated user ID, which we use in order to comply with our contractual obligations owed to you, including among other things to record transactions and to credit and debit your off-chain wallet in connection with the transaction.

Because of how broadly personal data is defined under European data protection law, this user ID may constitute “Personal Data” and the immutable nature of the blockchain may affect your ability to exercise your rights under applicable data protection law in relation to such data (see section titled “Your data protection rights” below). These rights include your right to have your Personal Data erased or to have inaccuracies corrected.

IMPORTANT: BY USING THE PLATFORM, YOU ACKNOWLEDGE AND AGREE THAT WE MAY BE UNABLE TO FULLY COMPLY WITH YOUR REQUESTS TO EXERCISE YOUR RIGHTS UNDER APPLICABLE DATA PROTECTION LAW, BUT THAT WE WILL TAKE SUCH STEPS AS ARE REASONABLE AND PRACTICABLE. IF YOU DO NOT AGREE TO THIS, YOU SHOULD NOT REGISTER TO USE, OR USE, THE PLATFORM.

Distributed nature of blockchains:
Since the ledger may be distributed all over the world (across several “nodes” which usually replicate the ledger) this means there is no single person making decisions or otherwise administering the system (such as an operator of a cloud computing system), and that there is no centralized place where it is located either.

IMPORTANT: BY USING THE PLATFORM, YOU ACKNOWLEDGE THAT DATA ON THE BLOCKCHAIN IS AVAILABLE TO THE PUBLIC AND ANY PERSONAL DATA SHARED ON THE BLOCKCHAIN WILL BECOME PUBLICLY AVAILABLE. IF YOU DO NOT AGREE TO THIS, YOU SHOULD NOT TRANSACT ON THE BLOCKCHAIN.

How we collect Personal Data from you

We collect Personal Data about you (either directly or from third parties, such as your employing organization (with respect to Personal Data Processed off the blockchain) where you are acting on behalf of such organization) when you:
• visit and use our Site;
• register for, and use our Platform;
• provide us with certain information including as part of the registration process;
• contact and communicate with us either through our website or through other channels;
• enter into a contract with us or other participants on the Platform (such as to invest in Diamonds/sell Diamonds); and
• enter into any other relationship with us or interact with us or our services.

What type of Personal Data we may collect about you

The Personal Data we collect and Process about you includes the following.
Off the blockchain:
• information provided to us through registration/resulting from registration: such as your name; address (personal/work); email address (personal/work); telephone number (personal/work); date of birth; nationality; details of your employer (where you are acting on behalf of such employer); wallet number(s); and Platform user ID;
• credit, identity and anti-fraud information: information relating to your financial situation, your creditworthiness or any criminal or fraudulent activities provided to us by you (including via the CEDEX Compliance Form) or third parties, including information which establishes your identity, such as driving licenses, passports and utility bills; information about transactions, credit ratings from credit reference agencies; fraud, offences, suspicious transactions, politically exposed person and sanctions lists where your details are included;
• our correspondence: if you contact us, we will typically keep a record of that correspondence;
• Survey information: we may also ask you to complete surveys that we use for research purposes. In such circumstances we shall collect the information provided in the completed survey;
• your transactions: details of transactions you carry out through our Platform or through other channels and of the fulfilment of the services we provide; and
• website and communication usage: details of your visits to the Site, App and Platform and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access.
• your user ID and the transactions it relates to (including your wallet address and the amount of cryptocurrency tokens which you will send or have been sent to you (depending on whether you are a seller or an investor)).

How we use your personal information

In this section, we set out the purposes for which we use your Personal Data that we collect via our Site, App and Platform.
Where you are a user resident in the EEA, we also identify the “legal bases” on which we rely to Process the Personal Data in compliance with our obligations under European law. An explanation of the “legal bases” can be found at Appendix 2 of this Policy.
Please note that in addition to the disclosures we have identified below, we may disclose Personal Data for the purposes we explain in this Policy to service providers, contractors, agents, advisors (e.g. legal, financial, business or other advisors), law enforcement/regulatory bodies and affiliates of Cedex that perform activities on our behalf, as well as other members of the CEDEX group:
• user registration: to register you as a user of our Platform, to communicate with you and respond to queries, or to carry out our obligations arising from any agreements entered into between you and us. This may include passing your details to counterparties of transactions, service providers (including diamond transportation), diamond laboratories and banks associated with the transaction for invoicing purposes;
legal bases: contract performance, legitimate interests (to enable us to perform our obligations and provide our services to you);
• to process and record transactions: to conduct our business and to record the transactions you have entered into on the Platform including to connect diamond owners and traders to enable the trading of diamonds. This may include passing your details to counterparties of transactions, service providers and banks associated with the transaction for invoicing purposes.
legal bases: contract performance, legitimate interests (to enable us to perform our obligations and provide our services to you);
• diamond validation: to validate diamond ownership. This may include passing your details to counterparties of transactions, service providers (including diamond transportation) and diamond laboratories.
legal bases: contract performance, legitimate interests (to enable us to perform our obligations, ensure quality and standards, and provide our services to you);
• diamond delivery: to arrange delivery of diamonds where requested by you, following a transaction. This may include passing your details to counterparties of transactions, service providers (including diamond transportation) and diamond laboratories.
legal bases: contract performance, legitimate interests (to enable us to perform our obligations and provide our services to you by delivering the diamond);
• in relation to fraud prevention: we and other organizations may also access and use certain information to investigate and prevent fraud as may be required by applicable law and regulation and best practice at any given time. If false or inaccurate information is provided and fraud is identified or suspected, details may be passed to fraud prevention agencies and may be recorded by us or by them.
legal bases: legal obligations, legitimate interests (to ensure that you fall within our acceptable risk profile and to assist with the prevention of crime and fraud). Where this includes Special Categories of Personal Data, we rely on substantial public interest (prevention or detection of crime), legal claims, or very rarely where necessary, explicit consent;
• to provide you with marketing materials: to provide you with updates and offers, where you have chosen to receive these. We may also use your information for marketing our own and our selected business partners’ products and services to you by email, SMS and phone and, where required by law, we will ask for your consent at the time we collect your data to conduct any of these types of marketing. We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us as set out in the “Contacting Us” section below.
legal bases: consent, legitimate interest (to keep you updated with news in relation to our products and services);

• in connection with legal or regulatory obligations: we may process your Personal Data to comply with our regulatory requirements which may include disclosing your Personal Data to third parties, the court service and/or regulators or law enforcement agencies in connection with enquiries, proceedings or investigations by such parties anywhere in the world or where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime;
legal bases: legal obligations, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities). Where this includes Special Categories of Personal Data we may also rely on substantial public interest (prevention or detection of crime), legal claims, or very rarely where necessary, explicit consent;

• business change: in the event that we: (i) are subject to negotiations for the sale of our business or part thereof to a third party; (ii) are sold to a third party; or (iii) undergo a re-organization, we may need to transfer some or all of your Personal Data to the relevant third party (or its advisors) as part of any due diligence process for the purpose of analyzing any proposed sale or re-organization. We may also need to transfer your Personal Data to that re-organized entity or third party after the sale or re-organization for them to use for the same purposes as set out in this Policy;
legal bases: legitimate interests (in order to allow us to change our business);

• for research and development purposes: to analyze your Personal Data in order to better understand your and our other clients’ services and marketing requirements, to better understand our business and develop our products and services;
legal bases: legitimate interests (to allow us to improve our services);

• to ensure Site/App/Platform content is secure and relevant: to ensure that content from our websites is presented in the most effective manner for you and for your device, which may include passing your data to business partners, suppliers and/or service providers;
legal bases: legitimate interests (to allow us to provide you with the content and services on the Site/App/Platform in a relevant and secure manner)

How long we keep Personal Data

Off the blockchain
We retain your Personal Data only for as long as is necessary for the Processing purpose(s) for which the Personal Data was collected (as set out in this Policy) and for any other permissible, linked purpose(s) in accordance with our internal Retention and Deletion Policy. Records can be held on a variety of media (physical or electronic) and formats.
Retention periods are determined based on the type of record, the nature of the record, business need and activity and the legal or regulatory requirements that apply to those records. Typically, Personal Data which is collected pursuant to our legal obligations (such as AML) are retained for 5 years. Where Personal Data is collected pursuant to a contract or prior to the creation of a contract, these are retained for 6 years after the termination of the contract pursuant to our legitimate interests in establishing or defending any related legal claims.
However, we may retain your Personal Data for a longer period of time where such retention is necessary for compliance with a legal obligation to which we are subject.
On the blockchain (including within the smart contract)

DATA ON THE BLOCKCHAIN CANNOT GENERALLY BE ERASED OR CHANGED, ALTHOUGH SOME SMART CONTRACTS MAY BE ABLE TO REVOKE CERTAIN ACCESS RIGHTS, AND SOME CONTENT MAY BE MADE INVISIBLE TO OTHERS, HOWEVER IT IS NOT DELETED.

Data Security

We have put in place commercially reasonable security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other service providers who have a business need to know. They will only Process your Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. You are responsible for keeping your password and private key confidential and for complying with any other security procedures that we notify you of. We ask you not to share a password/private key with anyone.

Transferring your information outside of the EEA (relevant to users who are EEA residents only)

We may share your Personal Data with employees, agents, contractors and other third parties (including companies which are related to CEDEX) located outside the EEA where data protection laws may be of a lower standard than the EEA.
Off the blockchain
We only do this where we have a legal basis for doing so. This may also require us to take certain additional steps to ensure that appropriate safeguards are in place if that third country is not deemed by the European Commission to offer an adequate level of protection for your privacy rights, which may include use of contractual safeguards to allow you to be able to enforce your rights and ensure these are preserved. In certain circumstances, we may need to ask you for your explicit consent to such third country transfers, and will always do so in writing and giving you full information about why we need your consent and your right to withdraw that consent at any time (together with the consequences of withdrawal). Please contact us as per the “Contacting us” section below if you would like to see a copy of these safeguards.
On the blockchain (including within the smart contract)

AS EXPLAINED ABOVE IN THIS POLICY, THE BLOCKCHAIN IS A GLOBAL DECENTRALIZED PUBLIC NETWORK AND ACCORDINGLY ANY PERSONAL DATA WRITTEN ONTO THE BLOCKCHAIN MAY BE TRANSFERRED AND STORED ACROSS THE GLOBE. YOU CONSENT TO SUCH EXPORT OF DATA ON THE BLOCKCHAIN.

Your data protection rights

You have certain rights under applicable legislation (and in particular, where you are a user that is an EU resident, under the General Data Protection Regulation).
Below is a summary of these rights. Please note that these rights may vary depending on where you are located and the exercise of such rights may be subject to certain exemptions.
In order to exercise such rights, you should contact us as per the contact details in the “Contacting us” section below. We will check your entitlement and respond in most cases within a month. The rights likely available are the:
• right of information: you have a right to be informed about the Processing of your Personal Data (and if you did not give it to us, information as to the source) and this Policy intends to provide the information;
• right to rectification: you have the right to have any inaccurate Personal Data about you rectified and to have any incomplete Personal Data about you completed. The accuracy of your Personal Data is important to us. If you need to advise us of any changes to Personal Data please contact us as per the contact details in the “Contacting us” section below;
• right to erasure (right to be ‘forgotten’): you have the general right to request the erasure of your Personal Data in certain circumstances;
• right to restrict processing and right to object to processing: you have a right to restrict processing of your Personal Data in certain circumstances such as whilst a complaint is being investigated.
• right to data portability: in certain circumstances, you have a right to receive the Personal Data you provided to us in a structured, commonly used and machine-readable format, or ask us to send it to another person;
• right to object to direct marketing: you have a choice about whether or not you wish to receive marketing communications from us. You can change your marketing preferences at any time by contacting us as per the “Contacting Us” section below. On each and every marketing communication, we will always provide the option for you to opt-out of further marketing by clicking on the ‘unsubscribe’ button on our marketing emails or choosing a similar opt-out option on any forms we use to collect your Personal Data. Please note that any administrative or service-related communications (to notify you of an update to this Privacy Policy or applicable terms of business, etc.) are not marketing communications. Therefore, please be aware that your ability to opt-out from receiving marketing and promotional materials does not change our right to contact you regarding your use of our website or as part of a contractual relationship we may have with you;
• right to request access/ receive information: you have a right to be provided with a copy of the Personal Data we hold about you. To protect your Personal Data, we follow set storage and disclosure procedures, which mean that we may require proof of identity from you prior to disclosing such Personal Data; and
• right to withdraw consent: where the legal basis for processing your Personal Data is your consent, you have the right to withdraw that consent.

IMPORTANT: WHEN INTERACTING WITH THE BLOCKCHAIN WE MAY NOT BE ABLE TO ENSURE THAT YOUR PERSONAL DATA IS DELETED. THIS IS BECAUSE THE BLOCKCHAIN IS A PUBLIC DECENTRALIZED NETWORK AND BLOCKCHAIN TECHNOLOGY DOES NOT GENERALLY ALLOW FOR DATA TO BE DELETED AND YOUR RIGHT TO ERASURE MAY NOT BE ABLE TO BE FULLY ENFORCED. IN THESE CIRCUMSTANCES WE WILL ONLY BE ABLE TO ENSURE THAT (WHERE APPLICABLE) PERSONAL DATA THAT IS HELD BY US OFF THE BLOCKCHAIN IS DELETED. THIS WILL RESULT IN ANY INFORMATION WE RETAIN LINKING YOU TO A USER ID BEING DELETED.

If you wish to raise a complaint on how we have handled your Personal Data, you can contact us as set out in the “Contacting us” section below and we will then investigate the matter.
Where you are a user resident in the EEA, if we have not responded to you within a reasonable time or if you feel that your complaint has not been resolved to your satisfaction, you are entitled to make a complaint to the relevant data protection authority in the EEA country in which you are based. A list of the EEA data protection regulators can be found at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.

Review of this Policy

We may make changes to this Policy from time to time. Where we do so, we will notify those who have a business relationship with us or who are subscribed to our emailing lists directly of the changes, and change the ‘Last updated’ date above. We encourage you to review the Policy whenever you access or use our website to stay informed about our information practices and the choices available to you. If you do not agree to the revised Policy, you should discontinue your use of the Site, App and Platform.

Contacting Us

Cedex Trading UK Limited, a company incorporated in the UK with its registered address at 64, New Cavendish Street London, W1G 8TB, United Kingdom and incorporation number 11579095, is the Data Controller under this Policy.
Any questions regarding our Policy or your rights should be sent to:
Privacy Manager
Questions can be sent by email to: support@cedex.com

Appendix 1: Glossary

“Data Controller” means the organisation which alone or jointly with others determines the purpose and means of the processing of Personal Data. Cedex Trading UK Limited is the Data Controller under this Policy.
“Data Processor” means the organisation which processes Personal Data on behalf of the Data Controller (not including employees of the Data Controller). Service providers that handle Personal Data on the Data Controller’s behalf will be Data Processors.
“Personal Data” means any information relating to you as an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Special Categories of Personal Data” means types of data that are subject to more stringent processing conditions than other Personal Data, and in the EU includes Personal Data which reveals racial or ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data in order to uniquely identify a person or data concerning health, sex life and sexual orientation. Data concerning health covers Personal Data relating to the physical or mental health of an individual which reveals information about the individual’s health status. In the EU, Personal Data relating to criminal convictions or offences or related security measures may only be processed when authorized by Member State or EU law.

Appendix 2: Legal bases (only relevant to users resident in the EEA)

Legal bases for Personal Data:
• Contract performance: where your information is necessary to enter into or perform our contract with you.
• Legal obligations: where Cedex is required to process your Personal Data to comply with a legal requirement; and
• Legitimate interests: where Cedex collects and uses personal information in reliance on its legitimate interests (or those of any third party) and these outweigh any prejudices to your data protection rights.
Special Categories of Personal Data
• Legal claims: where Cedex is required to process your personal information for Cedex to establish, defend, prosecute or make a claim against you, Cedex or a third party;
• In the substantial public interest: the processing is necessary for reasons of substantial public interest, on the basis of EU or local law; and
• Explicit consent: where you have given explicit consent to the processing of those personal data for one or more specified purposes (this will rarely be relied on). You are free to withdraw your consent by contacting us using the details set out in the “Contacting us” section above. If you do so, we may be unable to provide a benefit or service that requires the use of such data.