Privacy Policy
Revision dated 06.10.2025
Introduction, Contact and Complaints
Introduction
PaYard s.r.o. (“PaYard”, “we”, “us”, or “our”) is committed to protecting your privacy and handling your personal data in compliance with all applicable laws. This Privacy Policy explains how we collect, use, share, and protect personal data when you use the PaYard.cz website and related services (the “Platform”). We operate as a Crypto-Asset Service Provider (“CASP”) under Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA) and comply with the EU General Data Protection Regulation (GDPR) and Czech Act No. 110/2019 Coll. on Personal Data Processing. By using our Platform or services, you acknowledge that you have read and understood this Privacy Policy (which is referenced by our Terms & Conditions) and agree to its terms. If you do not agree, please refrain from using PaYard services.
We process personal data lawfully, fairly, and transparently, only for the specific purposes outlined in this Policy and within the limits permitted by GDPR and applicable national law. PaYard seeks to protect its legal interests and those of its clients, but will not process personal data in ways that overreach what is allowed under data protection laws. Our services are offered globally where lawful, with a focus on the Czech Republic and the EU. Please note that our Platform is intended for users who are at least 18 years old (or the age of majority in your jurisdiction), and we do not knowingly collect data from minors.
Contact and Complaints
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please do not hesitate to contact us:
Email: support@payard.cz
Postal Mail: PaYard s.r.o., Vlkova 532/8, Žižkov, CZ-13000 Praha, Czech Republic.
We will endeavor to respond promptly and address your inquiry or issue in a satisfactory manner.
If you are not satisfied with our response or believe we are processing your personal data unlawfully or in violation of your rights, you have the right to file a complaint with a supervisory authority. Our lead supervisory authority in the Czech Republic is:
Office for Personal Data Protection (Úřad pro ochranu osobních údajů – ÚOOÚ)
Pplk. Sochora 27
170 00 Praha 7
Czech Republic
Website: https://www.uoou.cz/en/ (contains contact forms and further contact details)
Telephone: +420 234 665 111
The ÚOOÚ is the Czech data protection authority competent to handle complaints regarding personal data. You have the right to approach this authority directly about any data protection issue. Additionally, if you reside in another country (especially within the EU/EEA), you may contact your local data protection authority. Under GDPR, you can choose to lodge a complaint with ÚOOÚ or with your home country’s supervisory authority.
We do sincerely hope to resolve any privacy concerns directly and encourage you to contact us first. Your privacy is of utmost importance to us, and we continuously work to uphold the trust you place in us by using PaYard.
Thank you for reading our Privacy Policy. We value your trust and are dedicated to keeping your personal data safe and respecting your privacy rights while using our services.
Data Controller and Contact Information
The data controller responsible for your personal data is PaYard s.r.o., the operator of PaYard.cz. Our contact details are:
Company Name: PaYard s.r.o.
Registered Address: Vlkova 532/8, Žižkov, CZ-13000 Praha, Czech Republic
Company ID (IČO): 19555792
E-mail: support@payard.cz
Website: https://payard.cz
If you have any questions or requests regarding your personal data, you may contact us at the above email. We take data protection seriously and users are entitled to have their personal data protected in accordance with GDPR and Czech data protection law.
Personal Data We Collect
We collect various categories of personal data in order to provide our non-custodial crypto-asset exchange services and comply with legal requirements. This includes:
Identity Information: Full name, date of birth, nationality, and government-issued identification details (e.g. ID card or passport number, expiration date, country of issue). We may also collect copies of identification documents and, where required for verification, photographs or videos (for example, a selfie or live image for KYC/AML purposes).
Contact Information: Residential address, email address, telephone number, and any other contact details you provide during account registration or correspondence.
Know-Your-Customer (KYC) and Due Diligence Data: Additional information collected for identity verification and Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) compliance. This may include government identification numbers (e.g. national ID or tax ID), proof of address (such as utility bills), information about your occupation or source of funds, and information about any beneficial owners or representatives if you are using the service on behalf of a legal entity. We process personal data not only of Clients but also of relevant third parties related to the Client (such as authorized persons or beneficial owners) when required – if you provide us personal data of third parties, you must have the authority or their consent to do so.
Financial and Transaction Data: Information about the transactions you perform on the Platform. This includes crypto-asset wallet addresses you provide for sending or receiving crypto-assets, transaction amounts, timestamps, order details, exchange rates, and transaction hashes. If our services involve fiat currency conversions, we will collect necessary financial details such as your bank account number (IBAN), bank name, or payment transaction references. We do not hold or store your crypto-assets or private keys, as our exchange is non-custodial – you retain control of your funds at all times. However, we may record the public blockchain addresses and transaction details associated with your exchanges for compliance and record-keeping. (Please note that blockchain transactions are public by nature; while we associate your addresses with your account internally, the transactions themselves are on public ledgers outside of our control.)
Usage and Technical Data: Data generated through your use of our website and services. This includes IP address, device type, operating system, browser type, referral URLs, language preferences, and other technical information we receive when your browser or device interacts with our Platform. We may also log actions you take on the Platform (e.g. login dates, features used, error reports) for security and troubleshooting. This information helps us secure the Platform and optimize user experience.
Cookies and Tracking Data: We use cookies and similar technologies (explained in detail below) to collect data about your interactions with our website. This may include pages visited, clicks, and other behavior analytics. Some cookies are essential for site functionality, while others (like analytics or advertising cookies) are used with your consent.
Communications: If you contact us (for example, via support email or chat), we will collect and retain the content of your communication, your contact details, and our responses. This may include any information you choose to provide about your issue or inquiry. Telephone calls with customer support (if any) may also be logged or recorded, in accordance with applicable law, for quality and evidence purposes.
Marketing Preferences: If you opt-in to receive marketing communications (such as newsletters or promotional offers), we will record your preferences and any data necessary to send you such communications (e.g. your email address and preferred language). We will also note if you opt out of marketing to ensure we respect your choices.
We collect most of this information directly from you (e.g. through registration forms, the KYC verification process, or when you use the Platform). In some cases, we may obtain data from third parties: for instance, identity verification providers may supply us with verification results or fraud risk scores; payment processors or banks may confirm whether a transaction was successful; and we may receive sanctions or watchlist information from compliance databases. We only collect data that is relevant and necessary for the purposes described in this Policy, and we do not collect special categories of personal data (such as health, religion, or political beliefs) unless it is absolutely required and permitted by law.
Biometric Data: The only context in which biometric data might be processed is for identity verification (for example, facial recognition to match your live image with your ID photo). In jurisdictions where required, we will seek your explicit consent for using biometric identification, and such data will be protected with heightened security and deleted when no longer needed for the verification purpose.
Purposes and Legal Bases for Processing
We process personal data for the following purposes, and rely on specific legal grounds under Article 6(1) of the GDPR for each:
Providing Our Services (Performance of Contract): We use personal data to create and manage your account, allow you to access the Platform, and facilitate the crypto-asset exchange transactions you request. This includes using your identity and contact information to register you as a user, enabling you to initiate exchanges, and using transaction data to execute your trades and provide confirmations/receipts. It also includes handling customer support requests and communications. The legal basis for these processing activities is performance of a contract – these uses of data are necessary to deliver the services that you have requested and agreed to under our Terms & Conditions.
Compliance with Legal Obligations: We collect and use personal data to meet various legal and regulatory obligations that apply to PaYard as a regulated CASP and as an obliged entity under AML laws. Specifically:
Identity Verification and KYC: We process identity documents and personal details to verify your identity, perform due diligence, and screen customers as required by AML/CFT regulations (such as Czech Act No. 253/2008 Coll. on anti-money laundering) and by MiCA. For example, we may verify your identity before allowing certain transactions or above certain value thresholds, and we may require renewal of KYC information periodically.
Transaction Monitoring and Reporting: We monitor transaction activity for signs of fraud, money laundering, or other illegal activities. If transactions appear suspicious or fall under mandatory reporting criteria, we will report them to the competent authorities such as the Czech Financial Analytical Office (FAÚ). We also cooperate with regulators and law enforcement: PaYard may disclose user data or specific transaction details to the Czech National Bank (ČNB), the FAÚ, or other supervisory and enforcement agencies when we are legally required to do so (for example, in response to a subpoena, court order, or regulatory inquiry).
Record-Keeping: We retain records of customer identities, transactions, and communications as mandated by law. Under AML laws, we must keep certain data for minimum periods (see Data Retention below).
Other Legal Obligations: We may process and share data as needed to comply with tax law, accounting requirements, consumer protection laws, or other regulatory mandates in jurisdictions where we operate. For example, MiCA requires us to maintain robust data protection measures consistent with GDPR and to be able to demonstrate compliance to authorities.
In all these cases, the legal basis is compliance with a legal obligation (GDPR Art. 6(1)(c)). Providing your personal data for these purposes is mandatory; if you do not provide information required by law (for instance, failing to complete required KYC steps), we will not be able to provide or continue services to you.
Security and Fraud Prevention (Legitimate Interests/Legal Obligation): We process personal data to ensure the security of our Platform, our users, and our company. This includes using technical information (like IP address, device information, and usage logs) to detect and prevent fraudulent or unauthorized activities, combat malware or hacking attempts, and maintain the integrity of our systems. We also may use identity and transaction data to enforce our Terms & Conditions and prevent abuse of our services (for example, ensuring Users are not from prohibited jurisdictions or engaged in prohibited activities). Some of these security measures are required by law or regulatory guidance (e.g., implementing appropriate technical and organizational measures under GDPR, or risk management procedures under MiCA), which we treat as legal obligations. In other cases, our legitimate interest (GDPR Art. 6(1)(f)) in protecting our business, preventing fraud, and ensuring network and information security is the basis for processing. We balance these interests with your rights and freedoms, and typically such processing either does not negatively affect you or is necessary to protect all parties. For example, monitoring login attempts or wallet addresses for suspicious patterns protects both us and legitimate users from harm.
Service Improvements and Analytics (Legitimate Interests or Consent): We want to improve and optimize our Platform and services. To do so, we may analyze how users navigate the site, which features are used, and where issues occur. This may involve processing aggregated usage data or conducting surveys. Where possible, we use anonymized or aggregated data that does not identify individuals. If any personal data is used for analytical purposes (such as evaluating an individual user’s experience or customizing the interface), we will either rely on our legitimate interest in improving our services (ensuring this has minimal privacy impact and never intrudes on your fundamental rights), or we will obtain your consent via cookie controls or similar mechanisms. For instance, non-essential cookies (like Google Analytics cookies) that track your website usage will only be activated with your consent (see “Cookies and Tracking” below). Our analytics help us understand user preferences and troubleshoot technical problems, which ultimately enhances the functionality and security of the Platform.
Marketing and Communications (Consent or Legitimate Interest): If you explicitly consent, we will use your contact information (such as email) to send you marketing communications about PaYard updates, newsletters, promotions or new services. The legal basis for sending these direct marketing messages is your consent (GDPR Art. 6(1)(a)), and you have the right to withdraw that consent at any time. We will not spam you, and you can opt out of marketing emails by using the unsubscribe link provided in each message or by contacting us. We may still send you transactional or service emails that are not marketing (e.g., emails about your account status, security alerts, or updates to our terms or this policy) as those are necessary for performing our contract with you or fulfilling legal obligations. In certain cases, if you are an existing customer, we may inform you about products or services similar to those you’ve already used, based on our legitimate interest in developing our business, but you will always have a clear opportunity to opt out, and any such communication will comply with applicable e-privacy laws.
Protecting Legal Rights and Interests (Legitimate Interests): We may process personal data when necessary to establish, exercise, or defend legal claims, to investigate violations of our Terms, or to resolve disputes. For example, if a user violates the Terms or attempts fraud, we may use and preserve evidence from their account (identity details, transaction records, logs, etc.) to take action (such as suspending the account) or to cooperate with law enforcement. Likewise, if we face any legal dispute or regulatory enforcement, we will use relevant personal data to respond appropriately. The legal basis for this is our legitimate interest in safeguarding our legal rights, preventing liability, and ensuring compliance with laws. We will not use your data in litigation against you unless such use is lawful and necessary to protect our rights.
Special Note on Consent: In cases where we rely on your consent as the legal basis (for example, for certain marketing or cookie usage), you have the right to refuse or withdraw consent without detriment. We will make clear what you are consenting to at the time we ask for it. If you decline to provide consent for optional processing (like analytics cookies or marketing emails), you can still use our services – we will simply omit those optional activities. If you grant consent and later withdraw it, we will cease the related processing going forward. Withdrawal of consent does not affect the legality of processing already carried out based on that consent before its withdrawal.
We will not process personal data for purposes that are incompatible with those described above. If we intend to use your data for a new purpose, we will update this Privacy Policy and, if required, seek your consent or provide notice as appropriate.
Disclosure of Personal Data to Third Parties
PaYard respects the confidentiality of your personal data and will only share it with third parties under certain circumstances and in accordance with GDPR. Below are the categories of recipients with whom we may share data, along with the reasons for such sharing:
Service Providers and Processors: We employ trusted third-party companies to perform functions on our behalf, under our instructions. These include:
Identity Verification Partners: We use specialized KYC/AML service providers (for example, SumSub or similar verification platforms) to help verify customer identities and documents. These partners receive the personal data you provide for verification (such as your ID documents, selfie, and basic identity info) and process it solely for verifying your identity or conducting AML checks on our behalf. They may return to us verification results, risk assessments (e.g., document authenticity, sanctions or politically exposed person screening outcomes), or enriched data (like validated identity information). Such partners are bound by contract to protect your data and to use it only in line with our instructions and applicable privacy laws.
Cloud Hosting and IT Infrastructure: We host our Platform and databases with reputable cloud service providers (for example, Amazon Web Services (AWS) or similar). Personal data (including your account information and transaction records) is stored on secure servers that may be operated by these providers. We ensure that our hosting providers implement appropriate security measures and, if they are located outside the EU, that adequate data transfer safeguards are in place (see “International Data Transfers” below). These providers act as our data processors, meaning they cannot use your data for their own purposes and must handle it according to our agreements and data protection law.
Analytics and Performance Tools: We may share certain technical and usage information with analytics providers to help us improve our services. For instance, we use Google Analytics (provided by Google) to understand how users interact with our website. Google may process usage data (e.g., pages visited, IP addresses (with IP anonymization enabled), device info) on our behalf to compile reports. We only employ such analytics tools with your consent via cookies. Any analytics provider is contractually bound to process data only for our analytical purposes and not for other uses. (Note: Google Analytics is a tool based in the United States; we address transfers to non-EU countries below, and Google has certified compliance with EU-U.S. data transfer frameworks.)
Customer Support Platforms: If we utilize third-party software or services to manage support tickets, live chat, or email communications (for example, a cloud-based helpdesk or CRM system), your contact information and communications with us may be processed through those platforms. These providers assist us in organizing and responding to support requests efficiently. They are bound by confidentiality and data protection obligations.
Payment and Banking Partners: In cases where our services involve fiat currency transactions, we rely on regulated banking or payment institutions to process deposits or withdrawals. For example, if you convert crypto to EUR or CZK, we might involve a payment gateway or bank to send/receive money. Those institutions will receive information such as your name, bank account number, payment amount, and reference details, as needed to execute the transaction. They may also require certain personal data to comply with their own legal obligations (e.g., anti-fraud checks). Such partners will typically be separate controllers of that financial data (since they have independent obligations to process your data for completing the payment and complying with law). We only share what is necessary for the transaction and require that our partners secure the information.
Within Our Corporate Group: If we have affiliates, parent, or subsidiary companies that need access to personal data for business operations (for example, a branch in another country handling local support or compliance), we may share data within our corporate group on a need-to-know basis. Any such intra-group sharing would follow an internal data protection agreement ensuring equivalent security and confidentiality. (If this occurs across borders, it will be subject to the same transfer safeguards described below.)
Legal and Regulatory Authorities: We may disclose personal data to government authorities, regulators, law enforcement agencies, courts, or public bodies as required by law or strictly necessary to fulfill our regulatory obligations. This includes:
Regulators/Supervisory Bodies: As a CASP in the Czech Republic, our activities are subject to oversight by bodies such as the Czech National Bank (ČNB) for compliance with MiCA and financial regulations, and the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ) for data protection matters. If any of these authorities, or equivalent regulators in the EU, request information (for example, during an inspection or inquiry), we will provide the required personal data if we are legally compelled to do so. We will ensure any request is valid and within the authority’s power before disclosing data.
Financial Intelligence and Law Enforcement: Under AML/CFT laws, we have a duty to report certain information. If we detect suspicious activities or transactions that might indicate money laundering, terrorist financing, fraud, or other crimes, we will report relevant personal and transaction data to the Financial Analytical Office (FAÚ) or other designated financial intelligence units, as required by law. We may also share information with police, prosecutors, or courts if we receive a lawful order (such as a subpoena or search warrant), or to assist in an investigation. In such cases, we typically will not inform the user about the disclosure if prohibited by law (for instance, tipping off is illegal under AML laws).
Dispute Resolution and Enforcement: If a user raises a formal dispute, files a complaint with a supervisory authority, or if we need to enforce our Terms in court or collect a debt, we may share relevant data with our legal advisors, the courts, or dispute resolution bodies. For example, we might provide a court with evidence of transactions or communications with a user if needed to resolve a legal case. We will limit the data shared to what is necessary for the matter at hand.
Third-Party Business Partners: We do not sell or rent your personal data to third parties for their own marketing. However, we might have partnerships in which we offer joint promotions or integrate services. If you choose to participate in such offerings (for example, a joint promotion with a blockchain project or a referral arrangement), we will tell you at the time what data might be shared and obtain your consent if required. By default, any sharing for these purposes will be either with your consent or in a way that the data is anonymized. We will be transparent about any new category of recipient not covered by this Policy.
Merger or Acquisition: In the event that PaYard s.r.o. is involved in a merger, acquisition, sale of assets, or other business transaction, personal data may be transferred to the successor or new owner as part of the transaction. If so, we will ensure that the new entity honors the protections outlined in this Privacy Policy or provide notice and possibly request your consent if required by law. Any such transfer would only occur under appropriate confidentiality agreements. We would inform users (via website notice or email) of any change in data controllership resulting from such a corporate change.
Every third party that acts as our data processor (performing tasks on our behalf) is bound by a contract that includes data protection clauses as required by GDPR Article 28. This means they must only process your data for our purposes, keep it secure, and return or delete it when our engagement ends. Some of our key subprocessors (like our KYC provider, hosting provider, etc.) are listed above; we can provide a full list of current subprocessors upon request.
We strive to minimize the personal data we share and always evaluate the necessity and proportionality of any disclosure. Unless prohibited by law or impractical (e.g., an emergency or security incident requiring immediate action), we may notify you if your data has been disclosed to a third party outside of the uses you have consented to or that are outlined here.
International Data Transfers
PaYard primarily processes personal data within the European Union (EU)/European Economic Area (EEA). Our company is based in the Czech Republic, and whenever feasible we choose service providers and data storage locations within the EEA to ensure your data remains under the robust protection of EU law. However, some of the third parties we work with may be located in, or may access personal data from, countries outside the EEA (so-called “third countries”). For example:
Our cloud hosting or IT providers might have data centers or support teams in non-EU countries.
Our analytics provider (Google Analytics) and possibly certain customer support tools involve companies based in the United States or other jurisdictions.
If you are using our services from outside the EU, your data will naturally travel across borders (since, for example, your device connects to our EU servers).
When we transfer personal data outside the EU/EEA, we take steps to ensure that an adequate level of protection travels with your data, as required by GDPR. These measures include:
Adequacy Decisions: Where we transfer data to a country that the European Commission has recognized as providing an adequate level of data protection (for instance, the United Kingdom, Switzerland, or others if applicable), we rely on that decision. For example, if our identity verification provider is based in the UK, the EU has an adequacy decision for the UK, which means your data is protected comparably to EU standards.
Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision (such as the United States, unless the recipient is certified under a relevant framework), we use the European Commission’s approved Standard Contractual Clauses in our contracts with the data importer. These are legal commitments that bind the overseas recipient to protect your data to EU privacy standards. We also assess, on a case-by-case basis, whether additional technical or organizational measures are needed to ensure data safety (for example, encryption in transit and at rest, or commitments to handle European data via EU-based infrastructure when possible).
Data Privacy Framework (DPF) Certification: In July 2023, the EU Commission approved the EU-U.S. Data Privacy Framework as a new mechanism for compliant data transfer to certified U.S. companies. Where applicable, we will preferentially work with U.S. service providers that have certified their compliance under the DPF. For example, Google LLC is certified under the EU-U.S. Data Privacy Framework, which means transfers of personal data to Google for analytics can rely on this approved safeguard. We will treat such certified transfers as covered by an adequacy decision.
Binding Corporate Rules or Other Mechanisms: In the unlikely event we transfer data within a corporate group across borders, we may implement Binding Corporate Rules approved by EU authorities. Currently, this is not applicable to PaYard (as we do not have an international corporate family handling personal data), but we mention it for completeness. Similarly, if any provider offers another GDPR-compliant transfer mechanism (such as codes of conduct or certification schemes), we may rely on those if appropriate.
In all cases, we ensure that your rights and protections travel with your data. We will not transfer personal data to a third country or international organization unless appropriate safeguards (as outlined above) are in place, or a specific derogation under GDPR Article 49 applies (e.g., you have explicitly consented to the transfer after being informed of possible risks, or the transfer is necessary for the performance of a contract like an international payment you initiated).
If you have questions about our international data transfers or want to obtain a copy of the relevant contractual safeguards (such as the SCCs) in place, you may contact us via the details provided. We will be as transparent as possible within the bounds of commercial confidentiality.
Data Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to satisfy legal, accounting, or regulatory requirements. Retention periods vary depending on the type of data and the purpose of processing. Below is a summary of our key retention practices:
Account Information: If you have an account with PaYard, we will retain your personal information for the duration of your active account. This allows us to provide services to you. If you decide to close your account or if it has been inactive for an extended period, we will initiate deletion or anonymization of your personal data, except where retention is required for legal reasons (see below). “Inactive” in this context means you have not logged in or used our services for a substantial period (which we currently set at 2 years), and you have no pending transactions.
KYC/Identity Verification Data: Personal data collected for AML/KYC purposes (such as copies of ID documents, verification information, and due diligence records) is subject to strict retention rules under law. In accordance with Czech AML legislation and EU regulations, we are required to retain customer identification and due diligence records for at least 10 years after the end of the customer relationship or the date of an occasional transaction. This means that if you close your account or we cease our business relationship, we will archive your KYC data for the legally mandated period (often 10 years) counted from the start of the year following the termination of the relationship, as required by Act No. 253/2008 Coll. (AML Act). Similarly, records of any transaction that was subject to customer identification must be kept for a minimum of 10 years from the transaction date. These retention periods may be extended if required by applicable law or directives. We securely store this data and restrict access to it, using it only if needed for compliance audits, investigations, or as required by authorities.
Transaction Records: We retain details of crypto-asset exchange transactions, payments, and transfers as part of our business records. Even if you delete your account, we will retain transaction data as needed for compliance (e.g., financial reporting, AML monitoring) and to maintain evidence of transactions (which can be important for fraud detection or legal defense). Typically, transaction data will be kept for a period aligning with the AML retention (10 years) or other financial record-keeping obligations. Some transaction information (like invoice records or accounting data) may be required to be kept for a certain number of years under tax or accounting laws (often 5-10 years). We apply whichever period is longer if data falls under multiple requirements.
Communications and Support Tickets: Correspondence with users (emails, support chats) is generally retained for as long as you have an active relationship with us and for a certain period after, in order to have a history of interactions (this helps in resolving ongoing issues or for reference if you contact us again). Typically, we retain support communications for 2-3 years after resolution of the inquiry, unless a longer period is justified (e.g., if the communication must be retained as evidence in a dispute or regulatory matter). Recorded phone calls (if any) would similarly be retained for a limited time unless needed longer for legal reasons.
Analytics Data: Data used for analytics purposes is often aggregated or anonymized. Raw analytics logs (especially those tied to identifiable users or IP addresses) are either not stored at all on our end (e.g., only processed by Google Analytics with shortened IP addresses) or are stored for a short period. Google Analytics data, for instance, is retained for the duration we set in our Google Analytics settings (commonly 14 months for user-level data, though aggregated reports may persist). We periodically review and delete older analytics data that is no longer needed.
Cookies: Cookie data retention varies by cookie type. Session cookies (for login sessions etc.) are temporary and end when you close your browser. Persistent cookies (like preferences or analytics) remain for a set duration unless cleared – we provide details in our Cookies section below, but generally these can last from a few days up to 12 months or more, depending on their function. You can clear cookies at any time in your browser settings.
Marketing Data: If you have consented to receive marketing communications, we will retain the necessary contact info and preference data until you unsubscribe or withdraw consent. Once you opt out, we will stop sending you marketing, and we may either delete your contact from our marketing list or suppress it (to ensure we don’t accidentally send you emails). We may keep a record of your opt-out request indefinitely to honor your no-contact request.
Legal Hold: Notwithstanding the stated retention periods, if we are involved in ongoing litigation, investigation, or audit, we may need to retain relevant data beyond the normal period until the issue is resolved. We also may retain data for longer if necessary to establish, exercise, or defend legal claims.
Deletion and Anonymization: When personal data is no longer needed for any of the purposes described and we have no legal obligation to retain it, we will either securely delete it or irreversibly anonymize it so that it can no longer be associated with you. Anonymized data (which is not personal data) may be retained for research or statistical purposes without further notice.
We maintain an internal data retention schedule and periodically review the data we hold. Our aim is not to keep personal data indefinitely, but rather to retain it for only as long as it is truly needed. After the retention period expires, we ensure data is properly erased or anonymized in a secure manner.
Your Rights as a Data Subject
As a user of PaYard services and a data subject under GDPR (and Czech data protection law), you have certain rights regarding your personal data. We are committed to respecting your rights and have processes in place for you to exercise them. These rights include:
Right of Access: You have the right to obtain confirmation from us as to whether or not we are processing personal data about you, and if so, to request a copy of that personal data, along with information about how we process it. This is commonly known as a “data subject access request.” Upon request, we will provide you with a summary of the personal data we have about you, the purposes of processing, the categories of data, the recipients to whom the data has been disclosed, and other required information (unless an exception applies). The first copy of your data will be provided free of charge, but we may charge a reasonable fee for additional copies or repetitive requests, as permitted by law.
Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it. We encourage you to keep your account information up-to-date. For example, you can correct basic profile details by logging into your account. For changes that you cannot make yourself (such as correcting KYC information), you can contact us with proof of the correct data, and we will make the correction if appropriate. We may need to verify the accuracy of the new data you provide before updating our records.
Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data in certain circumstances, for example if the data is no longer necessary for the purposes it was collected, you withdraw consent (for data that was processed based on consent and we have no other legal ground), or you object to processing and we have no overriding legitimate grounds to continue. We will assess such requests on a case-by-case basis. Please note that this right is not absolute – sometimes we must retain certain data despite a deletion request, due to legal obligations or other exemptions. For instance, we cannot delete data that we are required to keep under AML laws or other regulations immediately upon request, even if you close your account, because we must comply with mandatory retention periods. Likewise, if you request erasure, we might retain minimal information to record that you asked for deletion or to prevent further contact (e.g., maintaining your email in a suppression list). If we must deny a deletion request, we will explain our reasoning (unless we are legally prevented from doing so).
Right to Restrict Processing: In certain situations, you have the right to request that we limit the processing of your data (basically to store it but not use it). You can exercise this right if: (a) you contest the accuracy of the data (for a period allowing us to verify it); (b) the processing is unlawful and you oppose erasure and prefer restriction instead; (c) we no longer need the data but you need it for the establishment, exercise or defense of legal claims; or (d) you have objected to processing (see below) and we are verifying whether our legitimate grounds override yours. When processing is restricted, we will flag the data and only process it for specific reasons (like with your consent, for legal claims, to protect others’ rights, or important public interest) as per GDPR. We will inform you before lifting any restriction.
Right to Data Portability: For personal data that you have provided to us and that we process by automated means on the legal basis of your consent or for performance of a contract, you have the right to receive that data from us in a structured, commonly used and machine-readable format, and you have the right to transmit that data to another controller (or have us transfer it, where technically feasible) directly. This right enables you to take your data to other services easily. It applies to things like account data you provided in signup, or perhaps transaction data you initiated, if processed automatically. We will provide the data in a reasonable format (likely CSV or JSON files) that should be interoperable with other services. Note that this right does not apply to data we generate internally (like risk scores) or data collected on a legal obligation basis, and it should not adversely affect others’ rights.
Right to Object: You have the right to object, on grounds relating to your particular situation, to any processing of your personal data that we conduct based on legitimate interests (Art. 6(1)(f) GDPR). If you lodge an objection, we must stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless we need to continue processing for the establishment, exercise, or defense of legal claims. In practice, this means if you object to something like our use of your data for analytics or security monitoring under legitimate interest, we will consider your objection and either cease the contested processing or provide a justification as to why our need to process outweighs your privacy concern. In any event, if your objection is to direct marketing, we will honor it absolutely – you can object at any time to processing of your personal data for direct marketing (including any profiling related to marketing) and we will stop using your data for that purpose immediately. (E.g., if you receive marketing emails and object or unsubscribe, we will cease marketing to you.)
Right to Withdraw Consent: Where we rely on your consent to process personal data (for example, for sending promotional emails or for using certain cookies), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing that took place before the withdrawal. If you withdraw consent, we will stop the processing that was based on consent. For instance, if you withdraw consent to marketing, we will remove you from our marketing list. To withdraw consent, you can use the specific method provided (such as clicking “unsubscribe” in an email, or toggling off a cookie in our preference center) or contact us directly. There is no penalty for withdrawing consent; however, note that if consent was necessary to provide a service (e.g., if we required consent to process certain optional data), we might not be able to continue that aspect of service after withdrawal.
Right not to be Subject to Automated Decisions: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless it is (i) necessary for entering into or performing a contract between you and us, (ii) authorized by law, or (iii) based on your explicit consent. In clear terms, this means if we ever were to make a completely automated decision about you with a substantial impact (for example, an automated refusal of service or an automated risk scoring that blocks your account without human intervention), you would have the right to request human intervention, to express your point of view, and to contest the decision. Currently, PaYard does not make any such purely automated decisions without human review that would have profound effects on individuals. Certain processes may be automated (like initial fraud detection flags), but final decisions involving denial of service or reporting to authorities involve human evaluation for fairness and accuracy. If you believe you have been subject to an unfair automated decision, please contact us to review the matter.
To exercise any of your rights, you can contact us at support@payard.cz with your specific request. To protect your privacy, we may need to verify your identity before fulfilling your request (for example, by asking you to write to us from the email associated with your account, or by providing information that matches our records). This is to ensure we don’t disclose data to someone impersonating you. We will respond to your request as soon as possible and at the latest within one month, as required by GDPR. If your request is complex or we have received many requests, we may extend the response time by up to two further months, but we will inform you of the extension and the reasons for it.
We will notify you of the actions we take on your request, or if we cannot comply, we will explain the reason (e.g., certain data cannot be erased due to legal obligations). In some cases, we may refuse requests that are manifestly unfounded or excessive (for instance, repetitive requests), in which case we will justify our decision or charge a reasonable fee as allowed by law.
Importantly, you also have the right to lodge a complaint with a supervisory data protection authority if you believe that we have infringed your data protection rights (see below for details on the Czech authority). However, we kindly ask that you contact us first so we can try to resolve your concern directly – we take privacy matters seriously and will do our best to address any issues.
Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to provide, personalize, and improve the user experience, as well as to ensure security and marketing functionality. This section explains what cookies are, which types we use, and how you can manage your preferences.
What are cookies? Cookies are small text files that are placed on your device (computer, smartphone, etc.) when you visit a website. They allow the website to recognize your device and store certain information about your preferences or past actions. Similar technologies include web beacons (pixel tags), local storage, and scripts that track your activity. Cookies can be “first-party” (served by our domain) or “third-party” (served by another domain through our site, such as analytics or advertising providers).
Categories of Cookies We Use:
Essential/Necessary Cookies: These cookies are crucial for the basic functioning of our website. They enable core features such as user login, account navigation, and transaction processing. For example, when you log into your PaYard account, a session cookie keeps you logged in as you navigate between pages. Without these cookies, our services would not work properly. Because they are necessary for providing the service you requested, these cookies are used without requiring consent. (However, you still have the ability to block them via browser settings if you choose, but doing so may break certain functionalities.)
Preference Cookies: These cookies allow our site to remember your choices and preferences, such as your chosen language or region, or whether you’ve seen a particular notice already. While not strictly essential, they enhance your experience (for example, by not asking you to select language every time). These might be first-party cookies set by us. We may treat these as requiring consent if they are not strictly necessary, or we may rely on implied consent (through site use) for trivial preferences, depending on local legal requirements.
Analytics and Performance Cookies: We use these to understand how visitors engage with our Platform. For instance, we use Google Analytics to collect information about site usage – such as which pages are visited, how long users stay, how they navigate the site, and any errors encountered. This helps us improve site design, features, and performance. The information collected is typically aggregated and not used to identify you directly. However, since analytics cookies do process some personal data (like IP address and device ID) and could potentially track your activities, we will only use them with your consent. When you first visit our site (or if required by law, on each visit until you consent), you will be presented with a cookie banner or settings that allow you to accept or reject analytics cookies. If you decline, we will not set these cookies, and your site usage will not be tracked by our analytics tools. We have configured Google Analytics, where used, to anonymize IP addresses (masking the last octet of IPv4 addresses) to enhance your privacy. Data collected by Google Analytics may be transmitted to and stored on Google’s servers (which could be in the USA or other countries), but as noted in the international transfers section, Google is certified under the EU-US Data Privacy Framework, and we have appropriate safeguards in place.
Advertising and Marketing Cookies: As of the latest update, PaYard does not host third-party advertisements on our site, and we do not heavily profile users for advertising purposes. However, if we run campaigns or partner with advertising platforms in the future (for example, Google Ads or social media pixels for retargeting), such cookies may be used to track the effectiveness of our ads or to show you relevant PaYard promotions on other websites. These cookies could collect data about your browsing habits and interactions with our site and other sites to infer your interests. We will only use advertising cookies if you have given consent. If we ever implement these, we will update our cookie notice and allow you to opt in or out.
Security Cookies: We may use certain cookies or similar mechanisms for security purposes, such as to detect repeated failed login attempts or to deploy anti-fraud checks. For example, a cookie might help distinguish legitimate users from bots. These might be considered essential, as they protect the security of the service.
Managing Cookies: When you first visit PaYard.cz, you will see a notice or banner about our use of cookies, with a link to this Privacy Policy or a Cookie Policy. We will ask for your consent for any non-essential cookies (like analytics or marketing). You can choose to accept all, reject all, or customize your preferences (depending on the interface we provide). If you accept, cookies will be placed as described. If you decline, we will not serve the optional cookies. You can change your cookie preferences at any time by accessing the cookie settings on our website (if available) or by clearing cookies in your browser.
Regardless of the banner, you can also control cookies through your browser settings. Most web browsers allow you to: (a) view what cookies are stored and delete them on an individual basis, (b) block third-party cookies or cookies from specific sites, or (c) block all cookies globally. You can usually find these options in the “Privacy” or “Security” section of your browser’s settings or preferences. Keep in mind that if you disable cookies entirely, our website may not function properly (for example, you won’t be able to log in).
For more information on how to manage cookies in popular browsers, you can visit the browsers’ support pages (e.g., Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge). Additionally, there are online resources and tools (such as YourOnlineChoices.eu) that allow you to opt-out of many advertising cookies from participating networks.
Other Tracking Technologies: In emails we send, we may use tracking pixels to know if you opened the email or clicked on links (this helps us gauge engagement and refine our communications). You can disable remote image loading in your email client to avoid this, if desired. If we ever use mobile app tracking or other cross-device tracking, we will disclose that in a separate notice (currently our service is web-based, with any mobile apps being subject to their own privacy controls).
We do not use cookies to collect sensitive personal data, and we do not use any tracking that would profile you in a discriminatory or invasive manner. Any data collected via cookies is used in accordance with this Privacy Policy and for the purposes stated. By using our site with cookies enabled, you are deemed to agree to our use of cookies, subject to the choices you make through the consent tools provided.
Data Security Measures
PaYard takes the security of personal data very seriously. We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures are designed to provide a level of security appropriate to the risks of processing personal data. Some of the key security practices we follow include:
Encryption: We use encryption to protect data in transit and at rest. Our website is accessible only over HTTPS, meaning that data transmitted between your browser and our servers is encrypted using industry-standard protocols (TLS). Sensitive information (such as passwords or identification documents) is further protected, and we employ encryption or hashing for stored passwords (so that even we cannot see your plaintext password). When we store personal data in our databases, we use encryption at rest to add another layer of defense against potential breaches.
Access Controls: We limit access to personal data strictly to those employees, contractors, and service providers who need to know that information to perform their job duties or services. PaYard staff are bound by confidentiality obligations. We implement role-based access controls in our systems, ensuring that, for example, support staff can only see information necessary to assist you, while compliance staff can see KYC details, etc. Administrator access to systems that contain personal data is logged and reviewed. Two-factor authentication is used for access to critical systems wherever possible.
Secure Infrastructure: Our Platform is built with security in mind. We rely on reputable hosting providers (e.g., AWS) that offer robust physical and network security. We keep our software and servers updated with the latest security patches. Firewalls and intrusion detection systems are in place to guard against unauthorized network access. We segment our network and databases to contain any potential incidents. Regular backups are performed, and backup data is secured to prevent data loss.
Monitoring and Testing: We monitor our systems for suspicious activity, unauthorized access attempts, or anomalies. Logging mechanisms are in place to record access and actions in systems handling personal data, which aids in both real-time monitoring and post-incident investigations. We conduct periodic security assessments and penetration testing (using internal or external experts) to identify and fix vulnerabilities. Our security team stays updated on emerging threats and best practices.
Organizational Policies: We have internal policies and procedures to ensure data is handled safely. Staff are trained on data protection principles and security practices. We have an incident response plan for handling any suspected data breaches, which includes notifying affected parties and authorities as required by law. Regular audits and compliance checks are conducted to ensure we adhere to GDPR, MiCA, and other regulatory security requirements.
Third-Party Risk Management: When we engage third-party processors (as described earlier), we thoroughly vet their security measures. We choose industry-leading providers known for strong security. In contracts, we require them to implement suitable security controls and to notify us in case of any data breaches involving our data. We also attempt to minimize the data shared with third parties to only what is necessary.
Despite our best efforts, no system can be guaranteed 100% secure. The internet by its nature carries inherent risks. Therefore, while we strive to protect your personal data, we cannot warrant absolute security. Users also play a role in security: protect your account credentials – use a strong, unique password for PaYard and do not share it. Enable any available security features on your account (e.g., two-factor authentication if we offer it). Be cautious of phishing attempts – PaYard will never ask for your password via email, and any communication from us will come from official channels. If you suspect any unauthorized access or security issue related to your personal data or account, please notify us immediately so we can investigate and assist.
In the unfortunate event of a data breach that poses significant risks to your rights (such as identity theft or fraud), we will promptly inform both you and the appropriate supervisory authority (ÚOOÚ in the Czech Republic, or other relevant EU authorities), as required by GDPR. We will also take all possible steps to mitigate any harm.
Our commitment to security is continuous: we keep improving our safeguards as new technologies and threats emerge. For more details on our security practices, you may contact us, though we may not disclose certain specifics to ensure our measures remain effective (security through obscurity is not our policy, but some details must remain confidential to prevent giving attackers an advantage).
Updates to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. If we make changes, we will notify users by updating the “Last Updated” date at the top of this Policy, and, if the changes are significant or required by law, we may provide a more prominent notice (such as by email notification or a pop-up notice on the Platform).
Any changes will be effective when posted on this page, unless stated otherwise. Material changes that affect your rights or the way we use personal data will generally be communicated to you in advance, where required. For example, if we plan to use your personal data for a new purpose not covered by this Policy, and that purpose relies on your consent, we will obtain your consent for that new use.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of the Platform after any modifications to the Privacy Policy indicates your acknowledgement of the changes. If you do not agree with the revised terms, you should stop using our services and may request deletion of your account and data as per your rights.
In case of any discrepancy between earlier versions of the Privacy Policy and this updated version, the terms of the latest version will prevail. We maintain past versions of our Privacy Policy (with effective dates) which can be provided upon request for reference.
Your Choices and Additional Information
Providing Data: You can choose not to provide certain personal data to us, but please be aware that this may limit your ability to use some or all of our services. For example, if you do not complete required identity verification, we will not be able to offer you services beyond certain thresholds, or potentially any services at all if verification is mandatory by law.
Third-Party Websites: Our website may contain links to third-party websites or services (for example, links to blockchain explorers, or partner sites). This Privacy Policy does not apply to those external services, and we are not responsible for the privacy practices of any third party outside our organization. We encourage you to read the privacy policies of any third-party sites you visit.
Social Media: If PaYard maintains an official presence on social media platforms (like a Twitter or Facebook page), any information you post or provide through those platforms is subject to that platform’s privacy policy. We might receive aggregate information from social media (like overall engagement statistics), but we don’t import personal details of our followers from those platforms except as provided by you.
No Sale of Personal Data: We do not sell personal information to third parties. We also do not share personal data with third parties for their direct marketing purposes unless you have given consent.
Compliance and Accountability: PaYard s.r.o. is the entity accountable for processing personal data in line with this Policy. We adhere to the principles of GDPR (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability) in all our processing activities. We maintain records of processing and conduct Data Protection Impact Assessments (DPIAs) for high-risk processing as needed. Our team stays updated on data protection rules, including guidance from the Czech ÚOOÚ and the European Data Protection Board, to ensure ongoing compliance.
Office Address
Vlkova 532/8, Prague 3, 130 00.
Czech Republic
Disclaimer:
PaYard operates as a non-custodial crypto-asset exchange service provider (CASP) in accordance with Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA) and relevant Czech legislation.
PaYard provides crypto-to-crypto and crypto-to-fiat exchange services only, without holding or managing clients’ crypto-assets or private keys.
PaYard does not provide any services involving custody, lending, staking, investment advice, portfolio management, brokerage, or other regulated financial or payment activities.
The Platform’s services are intended solely for users who are legally eligible to use crypto-asset exchange services under applicable EU and Czech laws, and are not available in jurisdictions where such services are restricted or prohibited.
PaYard acts transparently and independently, and does not guarantee returns, profits, or investment performance of any crypto-assets exchanged through the Platform.