Virginia Consumer Data Protection Notice
This Virginia Privacy Notice (“Virginia Notice”) section supplements the Kraken Global Privacy Notice and the U.S. Privacy Notice and applies to the personal data of Virginia residents in order to comply with the Virginia Consumer Data Protection Act (“VCDPA”). This Virgina Notice applies to natural persons who are residents of Virginia acting only in an individual or household context. It does not apply to natural persons acting in a commercial or employment context. Kraken Financial endeavors to protect the privacy and confidentiality of the personal data with which we are entrusted This Virginia Notice outlines the personal data we collect or process about Virginia residents in connection with the services we provide or offer specifically to you as a consumer, including through any site, application, or product that links to this Virginia Notice (the “Service”), how we use, share, and protect that personal data, and what your rights are with respect to your personal data that we gather and process. The VCDPA has several exemptions which are outlined below in the section entitled “exceptions.”
"Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.
"Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.
"De-identified data" means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such a person.
"Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" does not include de-identified data or publicly available information.
"Precise geolocation data" means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet.
"Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
"Publicly available information" means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.
"Sale of personal data'' means the exchange of personal data for monetary consideration by the controller to a third party. "
Categories Of Personal Data Kraken Financial May Collect About You:
- Identifiers: identifiers such as a real name, postal address, unique personal identifier (such as a device identifier; cookies, beacons, pixel tags, mobile ad identifiers and similar technology; customer number, unique pseudonym, or user alias; telephone number and other forms of persistent or probabilistic identifiers), online identifier, internet protocol address, email address, account name, Social Security number, driver’s license number, passport number, and other similar identifiers;
- Signature, physical characteristics or description, state identification card number, education, bank account number, credit card number, debit card number, and other financial information;
- Protected Classifications: characteristics of protected classifications under Virginia or federal law, such as race, color, national origin, age, sex, gender, marital status, citizenship status, and military and veteran status;
- Commercial Information: commercial information, including records of personal property, products or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies;
- Biometric Information;
- Online Activity: Internet and other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with websites, applications, or advertisements;
- Geolocation Data;
- Sensory Information: audio, electronic, visual, and similar information;
- Employment Information: professional or employment-related information; and/or
- Inferences: inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Purposes For Processing Personal Data
- Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytics services, or providing similar services;
- Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance;
- Short-term, transient use, including, but not limited to, the contextual customization of ads shown as part of the same interaction;
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
- Debugging to identify and repair errors that impair existing intended functionality;
- Undertaking internal research for technological development and demonstration; and/or
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us.
We may also, from time-to-time, use personal information provided by you through your use of the services and/or through client surveys to help us improve our products and services. It is our legitimate interest to use your personal information in this way to try to ensure the highest standards when providing you with our products and services and to continue to be a market leader within the cryptocurrency financial service industry.
This may include:
- To tailor specific promotions according to your preferences;
- To provide you with access to the services;
- To serve the functions of the sites;
- To manage everyday business needs, such as administering and improving the sites;
- To analyze the performance and functioning of the sites;
- To analyze how you use the sites and to perform other market research;
- For internal operations, including troubleshooting, testing, and analytics; and
- To assist us in developing new products and improving our services.
Purpose for Collection and Disclosure of Personal Information.
Kraken Financial may also use or share de-identified information that is not reasonably likely to identify you for commercially legitimate business purposes. When we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connections with an investigation or suspected or actual illegal activity;
- If necessary to protect the vital interests of a person;
- If there is a duty to disclose;
- If our legitimate business interests require disclosure;
- To protect our property, services, and legal rights;
- To enforce our Terms of Service;
- To prevent fraud against Kraken Financial, our affiliates, business partners, or authorized users;
- To support auditing, compliance, and corporate governance functions; or
- At your request or with your consent or to those described in the Virginia Notice.
Sharing Of Personal Data With Third Parties
Kraken Financial will make such disclosures on a “need-to-know” basis, unless otherwise instructed by a regulatory authority. Under such circumstances, Kraken Financial will notify the third party regarding the confidential nature of any such information. Kraken Financial will not disclose your confidential information to a third party, except:
- We are required to do so by law or legal process;
- To the extent that it is required to do so pursuant to any applicable laws, rules, or regulations;
- To law enforcement authorities or other government officials, as necessary;
Categories Of Third Parties With Which Data Is Shared
As part of using your personal information for the purposes set out above, Kraken Financial may disclose your personal information to the following:
- Any member of Kraken Financial, which means that any of our affiliates and subsidiaries may receive such information;
- Any of our service providers and business partners, for business purposes, such as specialist advisors who have been contracted to provide us with administrative, financial, legal, tax, compliance, insurance, IT, debt-recovery, analytics, research, or other services.
- If Kraken Financial discloses your personal information to service providers and business partners, in order to perform the services requested by clients, such providers and partners may store your personal information within their own systems in order to comply with their legal and other obligations. These third parties are not authorized by us to use or disclose the information, except as necessary to perform services on our behalf or comply with legal requirements. These third parties have no independent rights to the data.
Kraken Financial requires that service providers and business partners who process personal information to acknowledge the confidentiality of this information, undertake to respect any client’s right to privacy and comply with all relevant privacy and data protection laws and the Virginia Notice.
Selling Or Sharing Of Personal Information.
Kraken Financial does not sell personal data to any third parties for monetary consideration and has not done so in the preceding 12 months. We do not sell personal information.
Your Right to Know.
Under the VCDPA, you have the ability to confirm whether we are processing personal information about you.
Your Right to Access and Portability.
Under the VCDPA, you have the ability to obtain a copy of the personal information we maintain and process about you in a portable and, to the extent technically feasible, readily-usable format.
Your Right to Delete.
Under the VCDPA, you have the right to request that we delete the personal information we maintain or process about you.
Your Right to Correct.
Under the VCDPA, you have the right to request that we correct inaccuracies in the personal information we maintain or process about you, taking into consideration the nature and purpose of such processing.
Your Rights to Opt-Out.
Under the VCDPA, you have the right to opt-out of certain types of processing of personal information, including:
- Opt-Out of the “sale” of personal information;
- Opt-Out of targeted advertising by us;
- Opt-Out of any processing of personal information for the purposes of making decisions that produce legal or similarly significant effects.
Right to Opt-In for Sensitive Data Processing
The right for a consumer to opt in before a business can process their sensitive data.
Your Right to Non-Discrimination.
You may exercise your rights under the VCDPA without discrimination. Unless the VCDPA provides an exception or permits us to do so, we will not: Deny you goods or services; Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; or Provide you a different level or quality of goods or services.
Pursuant to Virginia law, some Virginia residents may have specific rights regarding their personal data. These rights are subject to certain exceptions. When legally required, we will respond to requests without undue delay, within 45 days of receipt of a verified request, unless it is reasonably necessary for us to extend our response time.
To exercise your rights described above, please submit a Request to us by:
By email, at [email protected]
By phone, at +1 (888) 871-2573
You may only make two requests within a 12-month period. Each request must: Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. We will make every effort to verify your identity using your email address, but we may request additional information. Describe your request with sufficient detail that allows us to properly evaluate and respond to it.
To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your personal information or complying with your request. We may require you to provide any of the following information: your name, date of birth, the last four digits of your Social Security number, the email and physical addresses associated with your Kraken Financial account, one or more recent transactions, and the last four digits of one or more of the cards associated with your account. If you have never had an account with us and you request access to or deletion of your personal information, there is no reasonable method by which we can verify your identity. The reason for this is that Kraken Financial does not maintain information about non-account holders in a way that is linked to named actual persons (and historically has not linked IP addresses, device identifiers or other information collected by automated means to named actual persons). In addition, if you ask us to provide you with specific pieces of personal information, we may require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.
Response Timing And Format.
We will respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Kraken Financial will not charge a fee to process or respond to your verifiable consumer request, but reserves the right to request a fee if the request is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Other Rights That May Be Available.
Right to Appeal
If we deny your request in whole or in part, you may have the right to appeal the decision. In such circumstances, we will provide you with information regarding the appeals process. If we refuse to act on your request, you have the right to appeal our decision within a reasonable period of time after receipt of our initial decision. We will inform you in writing, within 60 days of receipt of an appeal, of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.
If your appeal is denied, you may contact the Attorney General to submit a complaint by visiting the Office of the Attorney General’s website to complete an Online Consumer Complaint Form or by calling the Consumer Protection Hotline at 1-800-552-9963 (within Virginia) or 1-804-786-2042 (outside Virginia).
Right Against Automated Decision Making.
A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
Situations where businesses are exempt from complying with consumer rights requests include:
- When personal information has already been pseudonymized (and safeguards are in place), and
- Compiling would be "unreasonably burdensome."
VCDPA cannot limit a controller or processor's ability to:
- Comply with state or federal law
- Cooperate with law enforcement
- Defend legal claims
- Provide a service or product, which a consumer requests
- Perform a contract with the consumer
- Detect or prevent security incidents
Specific datasets exempted from the VCDPA include:
- Specific personal data regulated by the Family Educational Rights and Privacy Act (FERPA)
- Particular kinds of data regulated by the Fair Credit Reporting Act (FCRA)
- HIPAA personal health data
- Data related to employment
The law also will not forbid controllers and processors from conducting: Internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.