# Reclaimify Privacy & Data Protection Policy


**Effective Date**: July 9, 2021


Reclaimify GmbH, a Germany-based scam recovery service specializing in cryptocurrency fraud, is fully committed to protecting your personal data and privacy rights. This Privacy & Data Protection Policy ("Policy") details how we collect, use, process, store, share, and protect your personal information in strict compliance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679), the German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG), the EU ePrivacy Directive, the German Telecommunications Act (Telekommunikationsgesetz - TKG), Anti-Money Laundering laws (GwG), and other applicable EU and German data protection laws, including international standards like the California Consumer Privacy Act (CCPA) for applicable global clients. By using our website (www.reclaimify.com), engaging in our services, or providing us with your data, you acknowledge and consent to the practices described herein. This Policy applies to all individuals interacting with Reclaimify, including clients, website visitors, job applicants, business contacts, and prospective users. As a data controller, we integrate privacy-by-design into all operations, with a focus on transparency, accountability, and ethical handling to build trust. We encourage you to read this Policy carefully and contact us with any questions. For related policies, see our [Terms of Service & Client Agreement](www.reclaimify.com/terms) and [Code of Ethics](www.reclaimify.com/ethics).


## 1. Scope
This Policy covers all activities involving personal data across Reclaimify's ecosystem, including client interactions (e.g., onboarding, case investigations, support), internal operations (e.g., employee data, vendor relationships), digital platforms (e.g., website, client portals, email systems), and third-party engagements (e.g., with blockchain analytics providers, legal firms, or authorities like Europol or Interpol). Personal data is defined as any information relating to an identified or identifiable natural person (e.g., names, contact details, transaction records, IP addresses). It does not cover anonymized or aggregated data that cannot be linked back to individuals. Special categories of data (e.g., sensitive personal data under GDPR Art. 9) are handled with heightened safeguards if collected (e.g., only with explicit consent and for essential purposes). We conduct Data Protection Impact Assessments (DPIAs) for high-risk activities (e.g., blockchain analysis of sensitive financial data) and maintain Records of Processing Activities (ROPAs) as required by GDPR Art. 30.


## 2. Data We Collect
To deliver our scam recovery services effectively and securely, we collect only the necessary personal data. The types of data we may collect include:


- **Personal Information**: Identifiers such as your full name, email address, phone number, postal address, and payment details (e.g., credit card or bank account information) that you voluntarily provide during initial consultations, subscription sign-ups, or account creation. This data is essential for verifying your identity, processing payments, and communicating with you.
- **Case-Related Data**: Information specific to your scam recovery case, including details of the fraudulent incident (e.g., descriptions of the scam, transaction records, blockchain wallet addresses, timestamps, amounts lost, and copies of communications with scammers). Supporting documents, such as screenshots, emails, or transaction receipts, may also be collected to build a comprehensive case file.
- **Technical Data**: Automatically collected information about your interactions with our website or services, including IP address, browser type and version, operating system, device identifiers, referral sources, pages viewed, time spent on pages, and clickstream data. This is gathered via cookies, web beacons, or similar technologies, with your consent where required.
- **Other Data**: Any additional information you choose to provide, such as feedback, survey responses, or preferences for scam prevention resources. We may also collect data from public sources (e.g., blockchain explorers) as part of lawful open-source intelligence (OSINT) for case analysis, but only in anonymized or aggregated forms unless directly related to your case.


We do not collect sensitive personal data unless it is voluntarily provided and directly relevant to your case, in which case we apply enhanced protections. Data is collected via direct provision (e.g., forms, emails), automated means (e.g., website logs), or third-party sources (e.g., public blockchain data), with clear notices at collection points explaining purposes, bases, and rights.


## 3. How We Use Your Data and Legal Basis for Processing
Your data is processed solely for legitimate purposes tied to our services and operations, adhering to GDPR principles like lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. We use it in the following ways:


- **Service Delivery**: To investigate and analyze scam incidents, trace blockchain transactions, prepare case documentation, connect you with legal professionals, manage your subscription, and provide personalized case updates. For example, transaction records help us generate forensic reports for authorities.
- **Communication**: To send you service-related notifications, such as case progress reports, subscription confirmations, payment reminders, or responses to your inquiries. We may also use your contact details to deliver educational resources on scam prevention, tailored to your expressed interests.
- **Compliance and Legal Obligations**: To conduct Know Your Customer (KYC) and Anti-Money Laundering (AML)/Countering the Financing of Terrorism (CFT) checks, as required by BaFin and EU AML Directives. This includes verifying your identity and screening against sanctions lists to prevent fraud.
- **Website Improvement and Analytics**: To analyze anonymized usage patterns (e.g., via Google Analytics or equivalent tools) for enhancing our website's functionality, user experience, and security. This helps us identify trends, fix bugs, and optimize content delivery.
- **Marketing and Promotions**: With your explicit consent (opt-in), to send promotional materials about our services, webinars, or updates on scam trends. You can withdraw consent at any time without affecting service delivery.
- **Internal Operations**: For administrative purposes, such as auditing, fraud detection, and staff training, ensuring all processing aligns with our ethical standards.


Our data processing activities are grounded in one or more of the following legal bases under GDPR Article 6:


- **Contractual Necessity**: To perform our obligations under the Terms of Service & Client Agreement, such as managing your case or processing subscriptions (GDPR Art. 6(1)(b)).
- **Consent**: For non-essential activities, like marketing emails or the use of non-essential cookies, where we obtain your freely given, specific, informed, and unambiguous consent (GDPR Art. 6(1)(a)). Consent can be withdrawn at any time via dpo@reclaimify.com.
- **Legal Obligation**: To comply with regulatory requirements, such as AML/CFT reporting to the German Financial Intelligence Unit (FIU) or cooperation with law enforcement (GDPR Art. 6(1)(c)).
- **Legitimate Interests**: For activities that benefit our business without overriding your rights, such as fraud prevention, cybersecurity measures (e.g., monitoring for threats), or improving services through aggregated analytics (GDPR Art. 6(1)(f)). We conduct Legitimate Interest Assessments (LIAs) to balance these interests.


If processing involves sensitive data, we rely on explicit consent or other applicable bases under GDPR Art. 9. Processing is limited to specified, explicit, and legitimate purposes, with pseudonymization applied where feasible.


## 4. Data Sharing and International Transfers
We share your data only when necessary and with appropriate safeguards, minimizing sharing and conducting it with stringent controls:


- **Internal Sharing**: Limited to employees with a legitimate need (e.g., case managers accessing client files), governed by internal policies and NDAs.
- **Trusted Partners and Service Providers**: With vetted third parties who assist in service delivery, such as blockchain analytics providers (e.g., Chainalysis), law firms for legal guidance, payment processors (e.g., Stripe), or authorities (e.g., FIU, Europol) for case investigations or AML reporting. Sharing occurs only with your consent or as legally required, and partners are bound by Data Processing Agreements (DPAs) under GDPR Art. 28, ensuring they act on our instructions.
- **Legal and Regulatory Requirements**: In response to lawful requests from authorities, courts, or regulators, such as subpoenas or audits. We may also share data proactively if it aids in scam recovery (e.g., with international agencies like the FBI or DHS), but only with your consent where possible and using secure channels.
- **No Third-Party Marketing**: We never sell, rent, or share your data for marketing purposes by unrelated third parties. All sharing is limited, secure, and documented.


International transfers are restricted to EU/EEA or adequate jurisdictions. For others, safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are used, with transfer impact assessments. No data is sold or shared for unrelated marketing.


## 5. Data Security, Storage, and Retention
Protecting your data is a core priority, with security paramount to prevent unauthorized access, loss, or breaches:


- **Security Measures**: We implement robust technical and organizational measures, including AES-256 encryption for data at rest and TLS 1.3 for transmission, role-based access controls (RBAC) with multi-factor authentication (MFA), logging, firewalls, intrusion detection systems (IDS), and pseudonymization where feasible. We align with ISO 27001 standards, conducting quarterly internal audits, annual external penetration testing, vulnerability scans, and security incident logging via tools like SIEM. Least privilege principles are enforced, with regular access reviews.
- **Storage Location**: All data resides on GDPR-compliant servers in EU data centers (e.g., AWS Frankfurt region), with redundant backups and physical security in access-controlled facilities.
- **Retention Periods**: Personal data is retained for up to 6 years after case closure, subscription end, or last interaction, aligning with AML requirements (GwG) and limitation periods under BGB. Exceptions include longer retention for legal holds (e.g., ongoing disputes) or shorter for transient data (e.g., logs deleted after 30 days). Post-retention, data is securely erased using methods like overwriting or degaussing, with confirmation logs. Clients can request earlier deletion via erasure rights, subject to overrides.
- **Breach Response**: We maintain a robust incident response plan for data breaches, with detection via monitoring tools and immediate containment. Supervisory authorities are notified within 72 hours if required (GDPR Art. 33), and affected individuals informed without undue delay if high risk (Art. 34), including mitigation steps. Annual breach simulations test the plan, with root cause analysis and corrective actions to prevent recurrence.


## 6. Your Rights
As a data subject under GDPR, you have extensive rights to control your personal data, which we facilitate promptly and without undue barriers. Requests are handled free of charge (unless manifestly unfounded or excessive) within 30 days (extendable to 60 days), via dpo@reclaimify.com. We verify requester identity to prevent unauthorized access. These include:


- **Right to Access (Art. 15)**: Obtain confirmation of processing and a copy of personal data, including purposes, recipients, and retention periods.
- **Right to Rectification (Art. 16)**: Correct inaccurate or incomplete data.
- **Right to Erasure ("Right to be Forgotten" - Art. 17)**: Request deletion when data is no longer needed, consent is withdrawn, or processing is unlawful, subject to exceptions (e.g., legal obligations).
- **Right to Restriction (Art. 18)**: Limit processing during verification or disputes.
- **Right to Object (Art. 21)**: Oppose processing based on legitimate interests or for direct marketing.
- **Right to Data Portability (Art. 20)**: Receive data in a structured, machine-readable format (e.g., CSV, JSON) for transfer to another controller.
- **Right to Withdraw Consent (Art. 7)**: Revoke consent at any time for consent-based processing, without affecting prior lawfulness.
- **Automated Decisions (Art. 22)**: Not be subject to solely automated decisions with legal effects, with rights to human intervention and contest.
- **Right to Lodge a Complaint**: File a complaint with a supervisory authority, such as the Berlin Commissioner for Data Protection and Freedom of Information (www.datenschutz-berlin.de), if you believe your rights have been violated.


## 7. Cookies
Our website uses cookies and similar tracking technologies to enhance functionality and user experience:


- **Essential Cookies**: Necessary for core site operations, such as session management and security, which do not require consent.
- **Analytics Cookies**: For anonymized performance tracking (e.g., via Matomo or equivalent), activated only with your consent.
- **Marketing Cookies**: For personalized content, if applicable, also consent-based.


You can manage cookie preferences through our website's cookie banner or browser settings. For more details, refer to our Cookie Policy linked on the site.


## 8. Internal Governance
Compliance is overseen by our Data Protection Officer (DPO), who monitors adherence, advises on DPIAs, handles data subject requests, trains staff, audits processes, and acts as the contact for supervisory authorities (e.g., Berlin Commissioner for Data Protection). The DPO reports directly to senior management, operates independently without conflicts of interest, and conducts privacy impact assessments for new services or tools. All employees and contractors undergo mandatory annual training on GDPR principles, handling procedures, breach reporting, and role-specific topics (e.g., secure data sharing for case managers), with effectiveness measured through assessments, quizzes, and phishing simulations. Violations may result in disciplinary action, up to termination or legal consequences. We engage external legal counsel for complex issues and align with global best practices.


## 9. Updates and Contact
We may revise this Policy periodically to reflect changes in our practices, legal requirements, or technologies. Updates will be posted on our website with the new effective date highlighted. Material changes (e.g., affecting your rights) will be notified via email or prominent website notice at least 30 days in advance. Continued use of our services after updates constitutes acceptance.