Privacy Policy


Last updated: August 23, 2023


Introduction

Paella Inc., d/b/a Crossmint (“Crossmint,” “we,” “us” or “our”) provides a platform that enables users to maintain a digital custodial wallet that manages access to digital assets on the blockchain and integrates with decentralized applications provided by third parties. 

This Privacy Policy discloses our privacy practices for personal information we collect and use when you access our products, services, features, or content, without limitation, through our website at www.crossmint.com (the “Site”), our services to facilitate the purchase, storage, and transfer of certain non-fungible tokens (“NFT(s)”), and software provided on or in connection with those services (collectively, the “Service(s)”), or when you apply or express interest in employment with Crossmint.

By accessing, browsing and/or otherwise using the Site and/or our Service, we collect the personal data of each user (the "User" or, indistinctly, the "Users") in accordance with this privacy policy ("Privacy Policy") and any other policy that may replace it in the future.

  1. Adherence to EU-US Data Privacy Framework (DPF)

Paella, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Paella, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  Paella, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

  1. Acceptance of this Privacy Policy

By accessing, browsing and/or otherwise using the Site and/or our Services, you accept the terms of this Privacy Policy. If you do not agree with or you are not comfortable with any aspect of this Privacy Policy, you should discontinue access or use of our Site and Service.

  1. Data Controller

The data controller responsible for the collection and processing of your personal data is Paella Inc, domiciled at 1317 Edgewater Dr #4296, Orlando, FL 32804 (United States of America).

For residents of the European Economic Area (“EEA”), UK and Switzerland, as well as for the purposes of Act 34/2002 of 11 July, on Information Society and Electronic Commerce Services (LSSICE), the data controller will be Paella Europe, S.L., a Spanish entity, with tax identification number (CIF) B10806719, domiciled at C/Villalar 7, BJ IZQ, 28001 Madrid (Spain). Standard Contractual Clauses (SCCs) for the required international transfers between Paella Europe, S.L. and Paella, Inc. have been implemented.

  1. How We Collect Your Personal Information

Crossmint collects and processes various information from Users. This information may, in many cases, constitute Users' personal data. This information will be considered "personal data" when it can directly identify or allow us to identify a natural person.

The categories of personal information we collect depend on how you interact with our Service and the requirements of applicable law. This personal data may have been directly provided by the User, when interacting on the Site or completing any of the available forms, or which may have been inferred from the relationship we have with you. Specifically: 

A. Information you provide to us. To sell or purchase an NFT, establish an account with a wallet, and access our Service, we will request that you provide us with important information about yourself. If you choose not to share certain information with us, we may not be able to serve you effectively or offer you our Service. Any information you provide to us that is not required is voluntary.

We may collect the following types of information from you:

  1. User Data:
  • Contact data, such as first and last name, email address, mailing address, and phone number.
  • Personal identification information, such as date of birth, nationality, gender, signature, and photographs.
  • Formal Identification Information, Government issued identity documents such as Passport, Driver's License, National Identity Card, State ID Card, Tax ID number, and/or any other information deemed necessary to comply with our legal obligations under financial or anti-money laundering laws.
  • Communications that we exchange with you, including when you contact us through the Service, social media, or otherwise regarding the Service.
  • Transaction data relating to or needed to complete your transactions through the Service, such as the wallet addresses, your name, the transaction amount, NFT, and/or timestamp.

  1. Potential users and clients
  • Marketing data such as your preference for receiving our marketing communications and details about your engagement with them. 
  • Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

  1. Prospective employees
  • Employment data, such as information submitted in resumes, cover letters, and/or applications.

B. Information we may collect automatically about you

(i) Service Data. To the extent permitted under the applicable law, we, our service providers, and our business partners may automatically collect information about you, your computer, mobile device, and your interaction over time with the Service, our communications and other online services. Information collected automatically includes:

  • Wallet data, in order to provide the Service, we will create an account with a custodial wallet address and will collect data about your wallet such as the NFT related attributes on the blockchain and details about transactions that you executed.
  • Device data, such as your computer’s or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state or geographic area.
  • Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Service, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.

(ii) Cookies and similar technologies. We, as well as third parties that provide content, or other functionality on the Service, may use cookies, local storage, and other technologies to automatically collect information through the Service.

  • Cookies, which are small text files that websites store on user devices and that allow web servers to record users’ web browsing activities and remember their submissions, preferences, and login status as they navigate a site. Cookies used on our sites include both “session cookies” that are deleted when a session ends, “persistent cookies” that remain longer, “first party” cookies that we place and “third party” cookies that our third-party business partners and service providers place. 
  • Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data on your device outside of your browser in connection with specific applications. 
  • Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email address was accessed or opened, or that certain content was viewed or clicked.

(iii) Analytics. We use website analytics software to help us understand user activity on the Service, including which pages are most and least visited and how visitors move around the Service, as well as user interactions with our emails. For example, we use Fathom Analytics for this purpose. 

(iv) Social Sign In. Our Service allows you to sign in with Google or Discord third party social sign services. These features may collect your IP address and which page you are visiting on our Service, and may set a cookie to enable the feature to function properly. Your interactions with these platforms are governed by the privacy policy of the company providing it.

If required by applicable law, in (i) to (iv) above we will obtain the necessary consents or treat this information always under an appropriate legal basis.

C. Information we receive from third parties: We receive personal data about you from third parties: 

  • Due to mergers or acquisitions, when we obtain your data from another company.
  • Public sources, such as government agencies, public records, social media platforms, identification verification partners, credit bureaus, and other publicly available sources.
  • Data providers, such as information services and data licensors that provide demographic and other information. 
  • Public blockchain data, such as public addresses and public transaction data.

Third-party services, such as Google and Discord’s social media services, that you use to log into, or otherwise link to, your Service account. This data may include your username, profile picture and other information associated with your account on that third-party service that is made available to us based on your account settings on that service. These features may collect your IP address and which page you are visiting on our Service, and may set a cookie to enable the feature to function properly. Your interactions with these platforms are governed by the privacy policy of the company providing it.

  1. What We Use Your Personal Information For.

Our primary purpose in collecting personal information is to provide, develop and, ultimately, improve the provision of the Service, and to provide you with a secure and customized experience. We may use your personal information for the following purposes - or as otherwise described at the time of collection –:

A. Delivering our service. When you create your Crossmint account and use our Service, you accept our Terms of Service and thus enter into a contract. In order for us to fulfill our obligations under that agreement, we need to access and process your personal information. We will not be able to service you do not include your details in your account registration or if, when you make a purchase or proceed to payment, you do not provide your personal details.

Within the framework of this purpose of treatment, we may use your personal information to: 

  • fulfill our contract with you and provide the Service.
  • enforce our terms in our user agreement (Terms of Service) and other agreements.
  • provide Service communications.
  • provide customer service in responding to questions, comments, and other requests.
  • enhance your experience, improve Service, and develop new services.
  • ensure quality control.

Third parties such as identity verification services may also access and/or collect your personal information when providing identity verification and/or fraud prevention services on our behalf.

B. Research and development. We may use your personal information to better understand the way you use and interact with our Service,, including to analyze and improve the Service and our business and to develop new services.

C. Direct marketing. Based on your communication preferences, we may send you direct marketing communications. You may opt-out of our marketing communications in every such communication we send you or as described in the Opt-out of marketing section below. Our marketing will be conducted in accordance with your advertising marketing preferences and as permitted by applicable law.

D. To manage our recruiting and process employment applications. We may use personal information, such as information submitted to us in a job application, to facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity, and monitoring recruitment statistics.

E. Compliance and protection. We may use your personal information to:

  • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities
  • comply with anti-money laundering regulations and help detect, prevent, and mitigate fraud and abuse of our Service;
  • protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); 

audit our internal processes for compliance with legal and contractual requirements or our internal policies; and

  • enhance security, monitor and verify identity or service access, combat spam or other malware or security risks and to prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

F. With your consent. We will not use your personal information for purposes other than those purposes we have disclosed to you, without your permission. In some cases, we may specifically ask for your consent to collect, use or share your personal information, such as when required by law.

G. To create anonymous, aggregated or de-identified data.  We may create anonymous, aggregated or de-identified data from your personal information and other individuals whose personal information we collect.  We make personal information into anonymous, aggregated or de-identified data by removing information that makes the data identifiable to you.  

We may use anonymized or aggregate customer data for any business purpose, including to better understand customer needs and behaviors, improve our Service, conduct business intelligence and marketing, and detect security threats. We may perform our own analytics on anonymized data or enable analytics provided by third parties.

Types of data we may anonymize include, transaction data, click-stream data, performance metrics, and fraud indicators.

  1. Legal bases for processing your information

For individuals who, at the time when we collect your personal data, are located in the European Economic Area, the United Kingdom or Switzerland (jointly, “EEA Residents''), our legal bases for processing your personal information pursuant to the EU General Data Protection Regulation (“GDPR”) will depend on the personal information at issue, the specific background where the personal information is collected and the purpose for which such information is used. 

We usually only process your data where we are legally required to, where processing is necessary to perform our services and/or any agreements we entered with you, where processing is in our legitimate interests to operate our business and not overridden by your data protection interests or rights, or where we have obtained your consent to do so. 

Below is a list of how we use your personal information with the corresponding legal bases for processing:

Purpose of Processing

Legal Basis for Processing

(i) to enforce our terms in our user agreement and other agreements; (ii) to provide the Service (including any content provided by the NFT project creator/seller, when applicable); (iii) to provide Service communications (iv) to provide customer service; and (v) to ensure quality control

Based on our agreement with you, or to take steps at your request prior to entering into an agreement, or based on your agreement with one of our clients.

(i) for research and development purposes; (ii) to enhance your experience; and (iii) to engage in direct marketing activities

Based on our legitimate interests. When we process your personal data for our legitimate interests, we ensure that we balance any potential impact on you and your rights under applicable laws.

(i) to maintain legal and regulatory compliance, including but not limited to anti-money laundering regulations; (ii) to detect and prevent fraud, funds loss, spam or other malware or security risks, as well as any other illegal activitu (iii) to ensure network and information security; (iv) to audit our internal systems; and (v) protect our, your or others’ rights, privacy, safety or property.

Based on our legal obligations or the public interest.

(i) to enhance your experience; (ii) to engage in third party marketing activities; (iii) to manage our recruiting and process employment applications; and (iv) for any purpose to which you consent.

Based on your consent.

  1. How We Share Your Personal Information

The holdings and transactions associated with a wallet address are publicly available on the blockchain. Therefore, information about your holdings and transactions will be accessible to third parties due to the nature of the blockchain. We may share your personal information with the following categories of third parties and as otherwise described in this Privacy Policy or at the time of collection:

Affiliates.  Our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Policy.


Project Creators. We may share your Contact data with the project creator(s) of any NFTs you purchase through the Service, strictly to the extent necessary to provide the Service and execute the intended transaction initiated by you.

Service providers. We may share your personal information with our third-party service providers that provide services on our behalf or help us operate the Service or our business. This includes service providers that provide us with technology support, hosting, payment processing (including financial institutions with which we partner to process payments you have authorized), transaction monitoring, customer service, auditing, analytics, maintenance, security or other related business purposes. We may use third-party Application Program Interfaces (“APIs”) and Software Development Kits (“SDKs”) as part of the functionality of our Service.

Additionally, we may share your personal information with third party identity verification services in order to prevent fraud. This allows us to confirm your identity by comparing the information you provide us to public records and other third-party databases. These service providers may create derivative data based on your personal information that can be used in connection with the provision of identity verification and fraud prevention services.

Authorities and others. We may release your information to law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above (including an investigatory or enforcement action by the Federal Trade Commission (FTC) or any other U.S. authorized statutory body related to the DPF). 

Business Transferees. We may release your information to a third party if we are involved in a merger, acquisition, or sale of all or a portion of our stock or assets. If this occurs, you will be notified of any change to this Privacy Policy, as well as any choices you may have regarding your personal information.

Linked third-party services. If you log into the Service with, or otherwise link your Service account to, a social media or other third-party service, we may share your personal information with that third-party service. The third party’s use of the shared information will be governed by its privacy policy and the settings associated with your account with the third-party service.

Professional advisors.  Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.

Crossmint recognizes the importance of maintaining accountability for personal data transferred to third parties. When transferring personal information to a third party, we comply with the Notice and Choice Principles and enter into contracts that ensure such data is processed only for limited and specified purposes consistent with your consent. These contracts require the third-party controller to provide the same level of protection as the DPF Principles and to notify us if they can no longer meet this obligation.

Our commitment to these principles ensures that your data remains protected, even when handled by third parties. A summary of the relevant privacy provisions of our contracts with third-party processors is available upon request.

  1. International Data Transfers

We are headquartered in the United States and may use service providers that operate in other countries. To facilitate our global operations, we may transfer, store, and process your personal information within our affiliates, third-party partners, and service providers based throughout the world (specifically, outside of the EEA, UK and Switzerland, in what is defined as “third country transfers” under GDPR). 

In cases where we intend to transfer personal data to third countries or international organizations outside of the EEA, we put in place suitable technical, organizational and contractual safeguards (including Standard Contractual Clauses as approved by the European Commission), to ensure that such transfer is carried out in compliance with applicable data protection rules, except where the country to which the personal information is transferred has already been determined by the European Commission to provide an adequate level of protection.

We also rely on decisions from the European Commission where they recognize that certain countries and territories outside of the European Economic Area ensure an adequate level of protection for personal information (“adequacy decisions”), and we have adhered to the DPF Program Principles.

  1. Your Privacy Choices

Access or update your information. If you have registered for an account with us through the Service, you may review and update certain account information by contacting us. 

Opt-out of marketing communications.  You will receive transaction-related emails regarding the Service you have requested. We may also send you certain non-promotional communications regarding us and our Service and you will not be able to opt out of those communications (e.g., communications regarding the Service or updates to our Terms of Service or this Privacy Policy). 

You may opt-out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us. Please note that if you choose to opt-out of marketing-related emails, you may continue to receive service-related and other non-marketing emails pursuant to your use of the Service.

Cookies and similar technologies. You may stop or restrict the placement of cookies and web beacons on your device or remove them by adjusting your preferences as your browser or device permits.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Linked third-party platforms. If you choose to connect to the Service through your social media account or other third-party platform, you may be able to use your settings in your account with that platform to limit the information we receive from it. If you revoke our ability to access information from a third-party platform, that choice will not apply to information that we have already received from that third party.

  1. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which we collected it to provide the Service, including for the purposes of satisfying any legal, accounting, or reporting obligations or to resolve disputes, or as otherwise communicated to you.

Moreover, our adherence to the DPF Principles will continue for as long as we retain any personal data that was collected or processed under the DPF. Should we ever decide to leave the DPF program, we will continue to apply the Principles to such data or provide adequate protection by other means recognized by applicable law. If we engage in an onward transfer of personal data to third parties, we will remain liable under the DPF Principles if the third party processes such data in a manner inconsistent with the Principles, unless we prove that we were not responsible for the event giving rise to the damage.

  1. Information Security

We take steps to secure your information in accordance with this Privacy Policy. We have technical and administrative safeguards to protect the security and confidentiality of your personal information. Unfortunately, no system is 100% secure when transmitting and storing data, and we cannot ensure or warrant the security of any information you provide to us. 

By using the Service or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Service. If we learn of a breach, we may attempt to notify you electronically by posting a notice on the Site or by sending you an email.

  1.  Third Party Websites or Applications

The Service may contain links to other websites/applications and other websites/applications may reference or link to our Service. In addition, our content may be integrated into websites or other online services that are not associated with us. We encourage our users to read the privacy policies of each website and application with which they interact. These third- party service are not controlled by us. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal information to third-party websites or applications is at your own risk.

  1.  Children’s Personal Information

The Service is not intended for use by anyone under the age of 18 and we do not knowingly request to collect personal information from any person under the age of 18. If a user submitting personal information is suspected of being younger than 18 years of age, we will require the user to close his or her account and will not allow the user to continue using our Service. We will also comply with applicable legal requirements and take steps to delete the information as soon as possible. Please notify us if you know of any individuals under the age of 18 using our Service so we can take action to prevent access to our Service.

  1.  Changes to our Privacy Policy

We may, in our sole discretion, change this Privacy Policy from time to time by posting a revised version at www.crossmint.com/privacy-policy. If we make any material change to this Privacy Policy, we will notify you by posting a notice on www.crossmint.com/privacy prior to the change becoming effective and may also elect to send you an email notifying you of the policy modifications. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Service after the effective date of any modified Privacy Policy indicates your acceptance of the modified Privacy Policy.

  1.  Your privacy rights

Depending on applicable law where you reside, you may be able to assert certain rights related to your personal information, as disclosed below. If any of these rights are not provided under law for the jurisdiction we you reside, we reserve our right to provide you with those rights.

  1. Access: you have the right to obtain the confirmation that your personal information is being processed as well as the right to obtain a copy of such information. 
  2. Rectification: you may request the rectification of any personal information held by us which that you deem inaccurate. You can also change your personal information directly in your account at any time.
  3. Deletion: you can, in some cases, have your personal information deleted. However, please note that even after closing your account we may keep certain account information in our database pursuant to applicable law and to assist law enforcement.
  4. Objection: you can object, for reasons relating to your particular situation, to the processing of your personal information. Additionally, in some jurisdictions, you may have the right not to be subject to a decision based solely on automated processing of your personal information.
  5. Restriction of processing: You have the right, in certain cases, to temporarily restrict the processing of your personal information by us. However, please note we may continue to process your personal information if it is necessary pursuant to applicable law.
  6. Portability: in some cases, you can ask to receive your personal information which you have provided to us in a structured, commonly used and machine-readable format, or, when this is possible, that we communicate your personal information on your behalf directly to another data controller.
  7. Withdraw consent: to the extent we are processing your information based on your consent, you have the right to withdraw your consent at any time. This withdrawal does not affect the lawfulness of the processing based on the consent given before the withdrawal.

Note these rights may be limited where we can demonstrate we have a legal requirement to process your personal data.

  1.  Contact Us

If you have any questions about our privacy practices or this Privacy Policy or would like to file a complaint, please log a support ticket here or contact us at:

Company Name:

Paella, Inc.

Mailing Address:

Paella, Inc.

1317 Edgewater Dr #4296 Orlando, FL 32804

Email:

[email protected] 

  1. Dispute Resolution

At Crossmint, we prioritize your concerns and are committed to resolving any complaints or disputes in a timely and fair manner. If you have a complaint, you may bring it directly to our attention by contacting us at [email protected] or logging a support ticket here.

Furthermore, depending on your place of residence, in compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Paella, Inc. commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

In accordance with DPF Principles, individuals also have the right, under certain conditions, to invoke binding arbitration for complaints regarding our compliance with the DPF that have not been resolved by any of the other DPF mechanisms. If you believe your rights under the DPF Principles have been violated and wish to invoke binding arbitration, you must deliver notice to Paella, Inc. and follow the procedures and conditions set forth in Annex I of the DPF Principles. Please note that Paella Inc. is obligated to arbitrate claims and adhere to the terms as detailed in Annex I of the DPF Principles.

  1. Applicable Law and Jurisdiction

For users located in the European Union, United Kingdom, and Switzerland, Spanish legislation shall apply to the resolution of all disputes or questions related to the Site or the activities carried out therein. The parties expressly submit themselves to the Courts of Madrid, Spain, for the resolution of all disputes arising from or related to its use.

For users located outside the European Union, United Kingdom, and Switzerland, the laws of the State of New York, United States, shall govern all matters related to the Site or the activities carried out therein. The parties expressly submit themselves to the Courts of New York City, New York, United States, for the resolution of all disputes arising from or related to its use.