Proton Wallet - Privacy Policy

Last modified: 24 July 2024

By accessing, using and making use of Proton Wallet (the “Services”), you understand that your data in relation with your use of our Services is processed according to the following privacy policy (the "Privacy Policy"). The Privacy Policy states (i) what data we collect through your access and uses of the Services; (ii) the use we make of such data; and (iii) the safeguards put in place to protect your data. The Privacy Policy is to be read and understood as being a complement to our terms and conditions.

1. Legal framework

The Services are operated by Proton Financial AG (the “Company”, “We”), domiciled at Baarermattstrasse 8F 6340 Baar, Switzerland. It is therefore governed by the laws and regulations of Switzerland. Proton Financial AG is a wholly-owned subsidiary of Proton AG, whose primary shareholder is the non-profit Proton Foundation based in Geneva, Switzerland.

2. Data that may be collected using Proton Wallet, and how they may be used

Our overriding policy is to collect as little user information (personal data included) as possible to ensure a private user experience when using the Services.

Data collection is limited to the following:

2.1 Proton Financial data processing activities

In order to provide you with the Services, the Company processes the following data:

2.1.1 Account creation: Your account is linked to an email address you provide at the creation of your account. You can provide an address from a third-party provider or create a Proton Mail address as you create your account for the Services. The legal basis for this processing activity is the execution of a contract.

2.1.2 Account Activity: Transaction metadata that are stored on the Company's servers are limited to the strictly necessary data and are stored encrypted on Proton servers. These metadata include Transaction IDs, exchange rate and optional notes written by you. The lawful basis for this data processing activity is a legitimate interest to troubleshoot possible technical issues.

If you use the Bitcoin via Email feature, Proton Wallet generates a pool of Bitcoin addresses. These addresses are stored on the Company's servers so that they can be communicated to the sender. Once an address has been used, it is deleted from Proton's servers. The lawful basis for this data processing activity is the execution of the contract to provide you with the services.

2.1.3 Payment information: If you purchase a Proton Wallet subscription, we rely on third parties to process payments. We do not retain full credit card details, only the last 4 digits of the credit card number. Anonymous cash or Bitcoin payments and donations are accepted. We may use your account data for payment-related matters, including but not limited to sending you emails, invoices, receipts, notices of delinquency, and alerts to update payment information. The legal basis of these processing activities is the necessity to the execution of the contract to provide the Services. In order to respect the principle of data minimisation, we reserve our right to remove payment information from our systems that is no longer valid, without notice.

2.1.4 Native applications: When you use our native applications, we (or the mobile app platform providers) may collect certain information. We may use mobile analytics software app statistics and crash reporting, Play Store app statistics, App Store app statistics, or self-hosted Sentry crash reporting) to send crash information to our developers in order to rapidly fix bugs. Some platforms, such as Google’s Play Store or Apple’s App Store may also collect aggregate, anonymous statistics, which may be governed by their respective privacy policies and terms and conditions. Such statistics can include most commonly used devices and operating systems, total number of installs and uninstalls, and the total number of active users.

Our applications do not access or track any location-based information from your device.

2.2 Potential applicability of Proton AG's Privacy Policy:

If you use Proton Wallet via integrations with separate services provided by Proton AG, that usage may be subject to Proton's Privacy Policy in addition to this Privacy Policy. Please carefully read both policies when using the Services as part of an offering from Proton AG.

2.3 Third-party processing activities

2.3.1 Integrated Services: You may access certain third-party services through the Services, for example on-ramp services that allow you to exchange fiat for crypto for use in the Services. Those services are subject to their own terms and applicable privacy notices and the Company does not process any personal data in relation to them.

2.3.2 Use of Blockchain and digital assets: Your use and/or transfer of digital assets may be recorded on a public blockchain. These blockchains are not controlled or operated by the Company, and we do not have the technical capacities to erase or modify data on them. These blockchains are publicly accessible and their analysis can lead to identification of individuals or revelation of personal data, on which we do not have any control or influence.

2.3.3 Social Media: We are active on Facebook, Instagram, Linkedin, Twitter, Reddit, and Mastodon. Any information, communication, or material you submit to us via social media platforms is done at your own risk without any guarantee of privacy. We cannot control the actions of other users of these platforms or the actions of the platforms themselves. Your interactions with those features and platforms are governed by the privacy policies of the companies that provide them.

2.4 Fraud and abuse detection

We may use the data mentioned above to detect abusive and fraudulent use of our services, and take appropriate measures. The legal basis of this processing is our legitimate interest to protect our service against non-compliant or fraudulent activities.

3. Data subprocessors

To provide the Services, we rely on different data subprocessors, which process different categories of data. Processors never store data outside of the scope of their specific purpose. Notably, they do not store data in relation with the general day-to-day use of your account and Services, which is exclusively processed by the Company. Subprocessors are as follow:

3.1 Third-party subprocessors

Zendesk, Inc.

Purpose: Provide services in relation with the processing of customer support data
Data processing location: United States
Guarantees for international transfer: Standard Contractual Clauses, Binding Corporate Rules, Certifications

Stripe, Inc.

Purpose: Provide services in relation with the processing of payment data
Data processing location: United States
Guarantees for international transfer: Standard Contractual Clauses, Data Processing Agreement

PayPal group

Purpose: Provide services in relation with the processing of payment data
Data processing location: United States, Singapore
Guarantees for international transfer: Standard Contractual Clauses, Data Processing Agreement

Chargebee, Inc.

Purpose: Provide services in relation with the processing of payment data
Data processing location: United States
Guarantees for international transfer: Standard Contractual Clauses, Data Processing Agreement

4. Data disclosure

We will only disclose the limited user data we possess if we are legally obligated to do so by a binding request coming from the competent Swiss authorities. We may comply with electronically delivered notices only when they are delivered in full compliance with the requirements of Swiss law. Proton Financial’s general policy is to challenge requests whenever possible and where there are doubts as to the validity of the request or if there is a public interest in doing so. In such situations, we will not comply with the request until all legal or other remedies have been exhausted. Under Swiss law, subjects of judicial procedures have to be notified of such procedures, although such notification has to come from the authorities and not from the Company.

5. Your privacy using Proton Wallet

Through your account interface, you can directly access, edit, delete, or export personal data processed by the Company in your use of the Services.

If your account has been suspended for a breach of our terms and conditions, and you would like to exercise the rights related to your personal data, you can make a request to our support team.

In case of violation of your rights, you have the right to lodge a complaint to the competent supervisory authority.

6. Modifications to Privacy Policy

Within the limits of applicable law, the Company reserves the right to review and change this Privacy Policy at any time. As long as you are using the Services, you are responsible for regularly reviewing this Privacy Policy. Continued use of the Services after such changes are performed shall constitute your consent to it.