Privacy Policy

Last Updated: June 17, 2019

1. INTRODUCTION

We are OST.com Limited of Hong Kong and our company registration number is 2570554 (“OST.com Limited”, “we” or “us”). Your privacy is important to us. We are committed to protecting the privacy, confidentiality, and security of information relating to individuals (“Personal Data”) that we hold by complying with the requirements under applicable laws and regulations.

We are equally committed to ensuring that all our employees, service providers, and agents uphold these obligations. This policy explains how we manage Personal Data within our organization and your rights and choices regarding our processing of your Personal Data.

Contact details of data controller (Art. 4 GDPR):
OST.com Limited, 13/F Gloucester Tower, The Landmark, 15 Queen's Road, Central Hong Kong. E-mail: support@ost.com

Data Protection Contact: privacy@ost.com

2. INFORMATION WE COLLECT IN OUR PRODUCTS AND/OR SERVICES

The following are the types of Personal Data that we collect / process and hold about you, the reasons for collecting it, and the period for which we retain it:

2.1 OST’s Website OST.COM and its Subdomains

You can visit our websites without telling us who you are. For technical reasons, however, we collect data that your browser transmits to our server (log files). This comprises the following data:

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request originates
  • Browser
  • Operating system and its interface
  • Language and version of the browser software

The legal basis for the processing of this data is Art. 6 Para. 1 S. 1 lit. f GDPR. Our legitimate interest in data processing lies in the fact that we need this data in order to display our website to you and to be able to guarantee the stability and security of the operation of our website.

If you contact us on our website, we collect the following data:

| Data Subject | Personal Data Collected | Reason / Legal Basis | Retention |
| --- | --- | --- | --- |
| Prospects & clients | Full name; Email; Records of our communications including messages sent by new or existing clients | Communication & Marketing / Art. 6 Para. 1 S. 1 lit. f GDPR | Until the user opts out from updates |

2.2 OST Platform

OST Platform provides everything you need to test and deploy your brand currency. Enable your customers to transact within your mobile app, without any cryptocurrency knowledge.

If you use OST Platform, we process the following data:

| Data Subject | Personal Data Collected | Reason | Retention |
| --- | --- | --- | --- |
| OST Platform Admins | IP address | To enable control on security features in the system / Data Processing Agreement (We act as data processor for OST Platform Clients) | 15 days |
| | Full name; Email & Passwords | For granting access to OST Platform / Data Processing Agreement (We act as data processor for OST Platform Clients) | As long as clients have business terms with us |
| | Credit Card details (in case of a personal card) | Payment method / Data Processing Agreement (We act as data processor for OST Platform Clients) | |
| OST Platform Admins - Whitelisting Request | Full name; Email | To whitelist the company so they can test OST Platform / Data Processing Agreement (We act as data processor for OST Platform Clients) | |
| OST Platform Admins - Move to Production Request | Full name; Email | For KYC check to allow moving from test account to production / Data Processing Agreement (We act as data processor for OST Platform Clients) | |
| OST Platform Clients' end users | Email address | In order to provide redemption options / Data Processing Agreement (We act as data processor for OST Platform Clients) | |
| | Unique id; Wallet’s public address | To manage end users in OST Platform / Data Processing Agreement (We act as data processor for OST Platform Clients) | |

OST Platform is a blockchain-technology based service. OST makes its best efforts to collect as little personal data from its clients and their users as possible. Regarding our clients’ end users, there are only two personal data parameters that are saved on OST Platform:

1. The end user email address for redemption options, as explained in the above table.
2. The end user’s unique id:

The unique id is created on OST Platform to allow our clients to map their own users with the information existing on the clients’ side. The user id is not publicly available and only shared between OST and the client. OST does not know the identity behind the unique id; only the client which this user belongs to can associate this unique id with the user.

Being a blockchain-technology based service, transactions executed on the blockchain are public and cannot be deleted. However, in order to comply with the user’s right to be forgotten, we take measures when a user wants his/her personal data to be removed from OST Platform by deleting all blockchain identifiers associated with the user id.

OST VIEW is an open source block explorer provided by OST for viewing Brand Token transactions and contracts on the OST sidechains. OST Platform’s clients and their end users should be aware that the transactions signed by them are visible publicly through OST VIEW. Using OST VIEW is only one of the ways to visualize these transactions on the blockchains, as the sidechains can be accessed and read by anyone.

2.3 OST KYC

OST KYC is a plug-and-play KYC/AML management solution for your KYC needs. OST KYC can process thousands of applicants smoothly and securely.

In order to complete the KYC/AML process, we may process all or part of the following personal information from the admins using the KYC service as well as from our clients’ users that need to go through the KYC process.

| Data Subject | Personal Data Collected | Reason | Retention |
| --- | --- | --- | --- |
| OST KYC Admins | Full name; Email address & Password | For granting access to OST KYC / Data Processing Agreement (We act as data processor for OST KYC Clients) | As long as we have business terms. |
| | IP address | To enable more control on security features in the system / Data Processing Agreement (We act as data processor for OST KYC Clients) | 15 days |
| OST KYC - Clients’ users | Email address & Password | When clients’ end users need to open an account for KYC submission / Data Processing Agreement (We act as data processor for OST KYC Clients) | Depends on our clients’ contract length or when a user asks to be deleted. |
| | Full name; Date of birth; ID document image; ID document number; Image of the user with the submitted ID document; Country; Full address | For the KYC/AML check / Data Processing Agreement (We act as data processor for OST KYC Clients) | |

2.4 OST Wallet

OST Wallet is a mobile app and it is a part of the OST Platform experience. It allows our clients to test the wallet experience for sending and receiving tokens. We use Fabric in order to analyze crashes and optimize the user experience. To do so, we need to collect the personal data found in the table below. If you wish to opt out from the collection of this data, please contact us at privacy@ost.com.

| Data Subject | Personal Data Collected | Reason / Legal Basis | Retention |
| --- | --- | --- | --- |
| Prospects & clients, clients’ end users | Installation UUID; Crash traces | Optimize the app’s functionality by resolving crashes (Art. 6 Para. 1 S. 1 lit. f GDPR) | 90 days |

2.5 We collect / process Personal Data about you in the following ways:
  • When you register for an account or to receive emails from us
  • When you order products or services from us
  • When you submit a query or request to us
  • When you respond to a survey that we run or fill in forms on one of our websites
  • By tracking your use of our websites and mobile applications

3. USE OF PERSONAL INFORMATION AND LEGAL BASIS

We use Personal Data that we collect about you for the following purposes and on the following legal basis:

  • When you provide us with consent to the processing of your Personal Data for one or more specific purposes, to provide you with the best service/product and the best and most secure experience. Example:
    • To keep you informed about our activities, including by sending out newsletters when you opt-in by subscribing to our newsletter updates from the dedicated sign up boxes. Upon submission of your request, you will receive at the specified email address a double opt-in request to confirm the consent to receive updates from us.

(Legal basis: Art. 6 Para. 1 S. 1 lit. a GDPR)

You can revoke your consent at any time in the following ways:

  • By clicking the “Unsubscribe” button in the emails you receive from us
  • By sending an e-mail to privacy@ost.com
  • By sending a message to the contact details given in our Impressum

  • When there is a legitimate interest, meaning the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted by law). Examples:
    • Handling contact and user support requests.
    • To improve our website based on your information and feedback
    • To carry out market analysis and research
    • To monitor the use of our products and services
    • To assess, maintain, upgrade and improve our products and services
    • To carry out education and training programs for our staff
    • To manage and resolve any legal or commercial complaints or issues
    • To carry out planning and forecasting activities and other internal business processes

(Legal basis: Art. 6 Para. 1 S. 1 lit. f GDPR)

You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us through the information outlined in the “Contact Us” section below.

  • In the performance of a contract with us. This means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract. Examples:
    • To determine your eligibility for any of our products or services and to determine your compliance with the terms and conditions that apply to any of our products or services and applicable law
    • To verify your identity when you are dealing with us
    • Your email address and company information when you submit a request to be contacted about possible partnerships with us through the contact us form on the dedicated "Partners" page.
    • Your email address, company information, and token sale information when you submit a request to be contacted about OST KYC product details for a business relationship with us through the ‘contact us’ form on the dedicated "OST KYC" page.
    • Your email address and password that you used to register for the Simple Token Token Sale during the months of November and December 2017 through the dedicated portal on https://sale.simpletoken.org, now accessible only with previously existing login credentials.

(Legal basis: Art. 6 Para. 1 S. 1 lit. b GDPR or Art. 6 Para. 1 S. 1 lit. f GDPR, if you are an employee of our client)

  • To comply with a legal or regulatory obligation. This means processing your Personal Data where it is necessary for compliance with a legal or regulatory obligation to which we are subject. Example: managing user registrations. (Legal basis: Art. 6 Para. 1 S. 1 lit. c GDPR)
  • In case you approved (opted-in) receiving marketing materials from us, we may from time to time use your Personal Data in order to send you marketing materials about products or services that we think you may be interested in (including in some cases products and services that are provided by a third party). We may use your following Personal Data for the purpose of direct marketing:
    • identifying information, such as your name and date of birth
    • contact information, such as your postal address, email address and telephone number
    • products and services portfolio information and demographic data held by us from time to time

(Legal basis: Art. 6 Para. 1 S. 1 lit. a GDPR)

You can revoke your consent at any time in the following ways:

  • By clicking the “Unsubscribe” button in the emails you receive from us
  • By sending an e-mail to privacy@ost.com
  • By sending a message to the contact details given in our Impressum

4. SHARING OF PERSONAL INFORMATION

4.1 What information we share:

We may share Personal Data about you only if it is necessary for the purposes described above and only on a legal basis. We might share your Personal Data with:

  • Your representatives, advisers, and others you have authorized to interact with us on your behalf
  • Our staff who need the information to discharge their duties
  • Related entities within our corporate group in order to fulfill the services
  • Our agents and service providers in order to fulfill the services
  • Payment system operators and financial institutions in order to fulfill the services
  • Government authorities who ask us to disclose that information, or to other people as required by law

4.2 We may share your Personal Data with the additional following recipients:

External Service Providers

Also, we use external service providers (e.g. support, hosting or analysis service providers) for the above data processing. Within the framework of a contract for data processing (Art. 28 GDPR), these service providers have committed themselves, among other things, to observing appropriate technical and organizational measures for data security and act in accordance with instructions on our behalf. Our main service providers are listed below but are subject to change.

Amazon Web Services, INC. (AWS), Ireland

We use AWS to handle our infrastructure, hosted on AWS virtual servers.

Google LLC, USA

We are using the following services offered by Google:

  • GSuite (Google Apps), for all email, documents, forms, and spreadsheet creation.
  • Google Analytics for our analysis and tracking needs.
  • Google Tag Manager (GTM), which processes data from Google Analytics and Google Adwords.
  • Google reCAPTCHA for security measures.
  • Google Analytics
    • We use Google Analytics to analyze the use of our website. Our analytics service provider generates statistical and other information about website use by means of cookies. Google Analytics is present on the website and software by means of Google Tag Manager, whose code snippet delivers the Google Analytics cookie.
    • The information generated relating to our website is used to create reports about the use of our website. Google Analytics privacy policies are available at http://www.google.com/policies/privacy/
    • The information generated by the cookie about your use of our website (including your anonymized IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google.
    • You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use the full functionality of our website.
    • By using our website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.
    • You can also prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout
    • Legal basis for the use of Google Analytics is Art. 6 para. 1 sentence 1 lit. f GDPR.

Freshworks, Inc, USA

Freshworks is used to maintain our support center help.ost.com. It collects the information of the query or tickets submitted and the conversation details that derive from those.

Acuris Risk Intelligence, UK

Acuris is our compliance partner. We use Acuris to conduct AML checks for our clients and for our OST KYC clients’ end users.

5. RETENTION OF YOUR PERSONAL DATA

We may retain your Personal Data for a period of time consistent with the original purpose of collection. We determine the appropriate retention period for Personal Data on the basis of the amount, nature, and sensitivity of your Personal Data, the potential risk of harm from unauthorized use or disclosure, and whether we can achieve the purposes of the processing through other means, as well as the applicable legal requirements (such as applicable statutes of limitation).

After the expiry of the retention periods, your Personal Data will be deleted. If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of the data.

6. WHAT DEVICE AND STORAGE DATA WE PROCESS

6.1 Cookies

We use cookies to monitor and observe your use of our websites, compile aggregate data about that use, and provide you with a more effective service (which may include customizing parts of our websites based on your preferences and past activities on those websites). "Cookies" are small text files created and stored on your hard drive by your internet browser software, in order to hold relevant information about the web page you are currently viewing.

You may choose to allow us the use of cookies or deny it by choosing the desired option from our cookies banner on our websites.

The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR.

Opt-out - Remove cookies

Most internet browsers have a facility that will allow you to disable cookies altogether – please refer to your browser’s help menu to find out how to do this. Also, you may always go to your browser history settings and clean your cookies.

You typically have the ability to accept or decline cookies by modifying the settings in your browser. If you choose to disable cookies, you may still use our site; however, you may have limited access to some areas within our website.

We also include web beacons in the emails we deliver for you. We use the data from those web beacons to create the reports about how your email campaign performed and what actions your Subscribers took. Reports are also available to us when we send email to you, so we may collect and review that information.

6.2 Name and Description of Cookies

We currently use specifically the following cookies in order to ensure an easy experience on our website, products, and services:

| Cookie Name | Cookie Description | Cookie Type | Expiration Time | Product/Services Using this Cookie |
| --- | --- | --- | --- | --- |
| _ost_kit_session_id | Being used to store the session details. | Necessary | Remains as long as the browser is open. | OST Platform |
| ost_platform_ca | Login cookie for our clients’ admins. | Necessary | Max 1 hour | |
| ost_platform_luse | Storing the last sub-environment the admin was using. | Necessary | 1 year | |
| UTM | Identify the Universal Tracking Parameters that are used in the URLs to identify the origin of where the user came from. | OST cookie (for analytics only) | 30 days | OST KYC |
| TM | For security-related features, we collect this cookie from Admins. The cookie stores the session token along with the IP address. | Necessary | | |
| TU | Login cookie for the end users of our clients. | Necessary | 30 minutes | |
| TA | Login cookie for our clients’ admins. | Necessary | Max 3 hours | |
| _ost_kyc_session_id | Being used to store the session details. | Necessary | Remains as long as the browser is open. | |
| _ga | Google Analytics - Used to distinguish users. | Third party | 2 years | OST Website and subdomains |
| _gid | Google Analytics - Used to distinguish users. | Third party | 24 hours | |
| _gat | Google Analytics - Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>. | Third party | 1 minute | |
| _ost_web_session_id | Used for application security. | Necessary | 30 minutes | |
| gdpr_decline | User did not accept the cookie banner. | Necessary | 6 months | |
| gdpe_accept | User accepted the cookie banner. | Necessary | 1 year | |

If you have any specific questions on the Cookies we are using please do not hesitate to contact us.

After the expiry of the retention periods, your Personal Data will be deleted. If there is any information that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of the data.

7. INTERNATIONAL TRANSFER OF INFORMATION COLLECTED

Your Personal Data may be collected, transferred to and stored by us in the United States and by our affiliates in other countries where we operate.

Therefore, your Personal Data may be processed outside the EEA, and in countries which are not subject to an adequacy decision by the European Commission and which may not provide for the same level of data protection as in the EEA. In this event, we will ensure that such recipient offers an adequate level of protection, for instance by entering into standard contractual clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR), or we will ask you for your consent prior to such international data transfers.

8. YOUR RIGHTS RELATING TO YOUR PERSONAL DATA

If you want to access any of the Personal Data that we hold about you or to correct some aspect of it (e.g. because you think it is incomplete or incorrect), please contact our privacy compliance team using the contact details set out below. To protect the integrity and security of the information we hold, we may ask that you follow a defined access procedure, which may include steps to verify your identity. In certain cases, we may charge you an administration fee for providing you with access to the information you have asked for, but we will inform you of this before proceeding.

There may be cases where we are unable to provide the information you request, such as where it would interfere with the privacy of others or result in a breach of confidentiality. In these cases, we will let you know why we cannot comply with your request.

Even if you do not request access to and/or correct your Personal Data held by us, if we are satisfied that, having regard to the reasons for which we hold your Personal Data, that Personal Data is inaccurate, incomplete, out-of-date, irrelevant or misleading, we may take reasonable steps to correct that information.

8.1 Your rights:

You have certain rights regarding your Personal Data, subject to local data protection laws. These may include the following rights:

  • To request access to Personal Data that we may process about you (right to access);
  • To require us to correct any inaccuracies in your data, free of charge. If you wish to exercise this right, you should (right to rectification);
  • To erase/delete your Personal Data to the extent permitted by other legal obligations (right to erasure; the right to be forgotten);
  • To restrict our processing of your Personal Data (right to a restriction of processing);
  • To transfer your Personal Data to another controller to the extent possible (right to data portability);
  • To object to any processing of your Personal Data carried out on the basis of our legitimate interests (right to object). Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
  • Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making"); Automated Decision-Making currently does not take place on our websites;
  • To the extent we base the collection, processing, and sharing of your Personal Data on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.

8.2 How to exercise your rights

To exercise your rights, please contact us in accordance with the “Contact Us” section below. We will respond to all legitimate requests within 30 days and will contact you if we need additional information from you in order to honor your request.

Occasionally it may take us longer than this, taking into account the complexity and number of requests we receive. If you are an employee of an ost.com customer, we recommend you contact your company’s system administrator for assistance in correcting or updating your information.

8.3 Your preferences for marketing communications:

You also have the right to ask us to stop processing your Personal Data for direct marketing purposes. You can do this from the Unsubscribe link present in every email or directly via email to us.

If you wish to exercise this right via email, you should put your request in writing (an email with a header that says 'Unsubscribe' is acceptable); provide us with enough information to identify you (e.g. email address); and if your objection is not to direct marketing in general, but to direct marketing by a particular channel (e.g., email or telephone), please specify the channel you are objecting to.

9. CHANGES TO THE POLICY IN THE FUTURE

Changes to this policy: We may make changes to this policy from time to time, to take into account changes to our standard practices and procedures or where necessary to comply with new laws and regulations. The latest version of this policy will always be available on our website and we will update the “effective date” at the top of this Privacy Policy. We encourage you to periodically review this Privacy Statement to stay informed about our collection, processing, and sharing of your Personal Data.

10. STORAGE AND SECURITY OF PERSONAL DATA

We generally store the Personal Data that we collect in electronic databases, some of which may be held on our behalf by third party data storage providers. Sometimes we also keep hard copy records of this Personal Data in physical storage facilities.

We use a range of physical and technical security processes and procedures to protect the confidentiality and security of the information that we hold, and we update these from time to time to address new and emerging security threats that we become aware of.

We also take steps to monitor access to and modification of your information by our staff, and ensure that our staff is aware of and properly trained in their obligations for managing your privacy.

11. CHILDREN

Our websites are not directed at children. We do not knowingly collect Personal Data from children under the age of 16. If you are a parent or guardian and believe your child has provided us with Personal Data without your consent, please contact us as described in the “Contacting Us” section below and we will take steps to delete such Personal Data from our systems.

12. COMPLAINTS

We try to meet the highest standards in order to protect your privacy. However, if you are concerned about the way in which we are managing your Personal Data and think we may have breached any applicable privacy laws or any other relevant obligation, please contact our privacy compliance team using the contact details set out below.

We will make a record of your complaint and refer it to our internal complaint resolution department for further investigation. We will deal with the matter as soon as we can, and keep you informed of the progress of our investigation.

If we have not responded to you within a reasonable time or if you feel that your complaint has not been resolved to your satisfaction, you are entitled to make a complaint to the Hong Kong Privacy Commissioner for Personal Data.

13. CONTACTING US

If you require any further information from us on privacy matters, please contact our privacy compliance team via email at privacy@ost.com

Or write to us at:
OST.com LTD of Hong Kong
13/F Gloucester Tower, The Landmark, 15 Queen's Road, Central Hong Kong

For GDPR matters, OST.com LTD of Hong Kong has its German European entity OST.COM GmbH that acts as OST global entities’ representative for GDPR in the EU.

If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA, you have the right to lodge a complaint with the competent supervisory authority.

Copyright © 2019 OST.com Inc. All Rights Reserved.