Make a request

• See data they hold about you

  You can ask to see what data Coinbase UK has about you. They usually can’t charge for this, and they must respond to your request within a month.

  Why you might make this request

  You might want a copy of the data about you to understand what data the organisation has collected about you.

  By email

  Email privacy@coinbase.com using this template

  Dear {{name}}, Could you please send me a copy of the personal data you hold about me? Please send the data in a commonly-used electronic format. This is as a subject access request.

  Copy template to clipboard

• Change data they hold about you

  You can ask Coinbase UK to change inaccurate or incomplete data about you. They must respond to your request within a month. Sometimes your request can be refused.

  Why you might make this request

  If an organisation is using information about you which is incorrect, you can ask them to correct it.

  By email

  Email privacy@coinbase.com using this template

  Dear {{name}}, Some of the data you are holding about me is inaccurate. [Give details of the inaccurate information.] Please rectify this inaccurate information. This is the correct information. [Give details of the correct information.]

  Copy template to clipboard

• Delete data they hold about you

  You can ask that Coinbase UK delete information about you. They must respond to your request within a month. Sometimes your request can be refused.

  Why you might make this request

  You might want to delete data about you if, for example, you have stopped using an organisation’s services.

  By email

  Email privacy@coinbase.com using this template

  Dear {{name}}, Could you please erase the following data about me that you are holding? [Give details of the data you would like to be erased. This may be all the data they are holding about you.]

  Copy template to clipboard

• Limit how they use data about you

  You can ask that Coinbase UK only store data about you and not use it. They must respond to your request within a month.

  Why you might make this request

  You might want the accuracy of the data to be verified or you might want the organisation to hold on to data so you can make a legal claim against them.

  By email

  Email privacy@coinbase.com using this template

  Dear {{name}}, Could you please only store the following data about me? I want you not use it. [Give details about the data you would like not to be used]

  Copy template to clipboard

• Stop their use of data about you

  You can ask Coinbase UK to stop using your data for particular reasons. They must respond to your request within a month.

  Why you might make this request

  You might want to stop the organisation using your data to for direct marketing.

  By email

  Email privacy@coinbase.com using this template

  Dear {{name}}, Please stop using my data for direct marketing purposes.

  Copy template to clipboard

• Export data they hold about you

  You can ask Coinbase UK to move data about you to another service or provide it in a format that can be used by another service.

  Why you might make this request

  You might want to move your data to another organisation to get a better deal.

  By email

  Email privacy@coinbase.com using this template

  Dear {{name}}, Please provide me with a copy of my personal data that you holding about me in a structured, commonly-used, interoperable, and machine-readable format. [You can also ask for your personal data to be transferred to another organisation.]

  Copy template to clipboard

• Challenge an automated decision

  You can ask Coinbase UK to give you information about how they use automated decision making, or ask for a person to review an automated decision.

  Why you might make this request

  You might want to find out about an automated decision if, for example, you were rejected for a bank loan or account.

  By email

  Email privacy@coinbase.com using this template

  Dear {{name}}, I would like to ask for a review about a decision which was recently made about me by automated means. [Give details about the decision which was made about you]

  Copy template to clipboard

Organisation information

Registration country

United Kingdom

Registration number

09083955

Data Protection Officer

Organisations that use special categories of data, are public bodies, or do large scale processing must appoint a Data Protection Officer.

Email address

dpo@coinbase.com

Data categories collected

Organisations must give details about what categories of data are stored and processed.

• Bank account details

• Bank transactions

• Date of birth

• Device information

• Email address

• Employment

• Gender

• Identity documents

• Names

• Online activity

• Postal address

• Telephone number

Unusual processing purposes

Organisations must provide information about what they do with data. This section highlights less common uses of data.

This privacy notice does not appear to mention any unusual processing purposes.

Third parties

Organisations must give details about other parties that personal data is shared with.

List of third parties

• Identity verification services

• Service providers like bill collection, marketing, and technology services

• Financial institutions with which we partner to process payments you have authorised

• Companies or other entities that we plan to merge with or be acquired by

• Companies that purchase Coinbase assets under bankruptcy/insolvency law

• Law enforcement

How specific is this information?

Third parties are listed as groups

Observations

States that "CB will never sell or rent your personal information".

Retention rules

Organisations must give details about how long data is kept.

Summary

Basic contact information is kept until user unsubscribes.

Content like support desk comments, photographs, videos, blog posts may be kept indefinitely for audit and crime prevention purposes.

Phone call recordings are kept for up to 6 years.

Cookies, webpage counters, analytics tools are kept for up to one year from expiry of a cookie.

Observations

Coinbase use an email suppression list.

How specific is this information?

• Retention rules are given for specific categories of data

• Specific times are given for how long data is kept

Lawful bases

Organisations must justify collection and use of data under six lawful bases and provide information about their decisions

• Contract

  CB handles very sensitive information, such as your identification and financial data, so it is very important for us and our customers that we are actively monitoring, investigating, preventing and mitigating any potentially prohibited or illegal activities, enforcing our agreements with third parties, and/or violations of our posted user agreement or agreement for other Services. In addition, we may need to collect fees based on your use of our Services. We collect information about your account usage and closely monitor your interactions with our Services. We may use any of your personal information collected on our Services for these purposes. The consequences of not processing your personal information for such purposes is the termination of your account as we cannot perform our Services in accordance with our terms.

• Legal obligation

  Some of our core Services are subject to laws and regulations requiring us to collect and use your personal identification information, formal identification information, financial information, transaction information, employment information, online identifiers, and/or usage data in certain ways. For example, Coinbase must identify and verify customers using our Services in order to comply with anti-money laundering and terrorist financing laws across jurisdictions. In addition, we use third parties to verify your identity by comparing the personal information you provided against third-party databases and public records. When you seek permissions to raise Digital Currency buy and sell limits associated with your CB Account, we may require you to provide additional information which we may use in collaboration with service providers acting on our behalf to verify your identity or address, and/or to manage risk as required under applicable law. The consequences of not processing your personal information for such purposes is the termination of your account as we cannot perform the Services in accordance with legal and regulatory requirements.
  
  EEA Residents: For individuals who reside in the European Economic Area (including the United Kingdom) or Switzerland (collectively “EEA Residents”), pursuant to Article 6 of the EU General Data Protection Regulation (GDPR) or any equivalent legislation (collectively “EEA Data Protection Law”), we process this personal information to comply with our legal obligations.

Observations

Legitimate interests aren't clearly labelled, but these could include:

* To provide Coinbase’s Services
* To provide Service communications
* To provide customer service
* To ensure quality control
* To ensure network and information security
* For research and development purposes
* To enhance your website experience
* To facilitate corporate acquisitions, mergers, or transactions
* To engage in marketing activities

Security standards

Organisations must ensure that data is stored and processed securely.

Observations

Mentions "appropriate safeguards" but doesn't go into any detail beyond using Payment Card Industry Data Security Standards (PCI DSS).

How specific is this information?

This organisation provides specific details about how they secure data

Data processing addendum

Some organisations offer a data processing addendum that gives data adequate protections when it leaves the EEA.

Type

Adequate protections are provided by this organisations Terms of Service

Observations

Uses model contract clauses and EU-US Privacy Shield with international partners

Automated decision making

Organisations must give details about how data is used to make decisions without human involvement.

Complaint information

Organisations must give details about how to make a complaint with a data protection authority.

Summary

This privacy notice contains information about to make a complaint to a data protection regulator

Observations

Provides a clickable email address to casework@ico.org.uk.

How specific is this information?

This privacy notice contains specific contact details for a data protection regulator

Design recommendations

Organisations are required to provide privacy information in a transparent way. The Article 29 Working Party has provided recommendations on how to do this.

Assessment

This privacy notice:

• Has language that is easy to understand

• Is designed in a way that makes it easy to find information

• Can be easily found on the organisation's website