Last updated: July 19, 2018

By visiting, accessing, or using Abra, you consent to the policies and practices of our privacy policy (the “Privacy Policy”) so please read them carefully. If any policies or practices described in this Privacy Policy are unacceptable to you, please do not visit, access, or use Abra. Use of the words “we,” “us,” or “our” in this Privacy Policy refers to Plutus Financial, Inc. (d/b/a Abra) and any or all of its affiliates.

PRIVACY POLICY

INTRODUCTION
At Abra, your trust is one of our most important assets. We continually work to protect the privacy of our users and continually review our privacy policy. This website will always contain the most current privacy statement. If we decide to change our privacy practices, we will post those changes to this privacy statement and other places we deem appropriate, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, disclose it. We reserve the right to modify this privacy statement at any time, so please review it frequently. If we change how we use your Personal Information (as defined below), we will notify you here, by email, or by means of a notice on our home page.

PERSONAL INFORMATION
As used herein, “Personal Information” means any information relating to an identified or identifiable natural person (each, a “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, or an online identifier or to one or more factors specific to the physical, economic, cultural or social identity of that natural person.

PERSONAL INFORMATION WE COLLECT
Section 326 of the USA PATRIOT ACT requires all financial institutions to obtain, verify, and record Personal Information that identifies each person who opens an account. This federal requirement applies to all new users. This Personal Information is used to assist the United States government in the fight against the funding of terrorism and money-laundering activities. What this means for you: when you open an account, we ask you for your name, email address, mobile phone number and other identifying Personal Information.

In addition, we are a global company and may conduct business and collect Personal Information from individuals and institutions located within the European Union (“EU”). We are required to protect Personal Information processed in the EU in accordance with the General Data Protection Regulation (“GDPR”). To understand more about how we protect the data we collect from individuals and institutions located within the EU, please see the section titled “Privacy Statement for Data Subjects Residing In The European Union,” below.

Personal Information we collect may include the following:

Individual User — Depending on your level of activity, Abra will attempt to collect, verify, and authenticate the following:

  • Email address;
  • Mobile phone number;
  • Full legal name;
  • Social Security Number (“SSN”) or any comparable government-issued identification number;
  • Date of birth;
  • Proof of identity (e.g., driver’s license, passport or government-issued ID);
  • Home address (not a mailing address or P.O. Box); and
  • Additional Personal Information or documentation at the discretion of our Operations Staff.

Legal Entities — We attempt to collect, verify, and authenticate the following:

  • Entity legal name;
  • Employer Identification Number (“EIN”) or any comparable identification number issued by a government;
  • Full legal name of all account signatories;
  • Email address of all account signatories;
  • Mobile phone number of all account signatories;
  • Principal place of business and/or other physical location;
  • Proof of legal existence (e.g., state certified articles of incorporation or certificate of formation, unexpired government-issued business license, trust instrument, or other comparable legal documents as applicable); and
  • Documentation indicating that the signatories are authorized to act on behalf of the legal entity.

Device Information – Information automatically collected about the device used to access the Abra platform (such as, but not limited to, hardware, operating system, browser, etc.).

Location Information – Information automatically collected to determine your location, including your IP address and/or domain name.

Log Information – Information that is generated by your use of Abra that is automatically collected and stored in our server logs. This may include, but is not limited to, device-specific information, location information, system activity and any information related to Abra services you utilize.

Transactional Information – Information that is generated by your activity, including, but not limited to, trading activity, order activity, deposits, withdrawals, and wallet balances.

Correspondence – Information that you provide to us in correspondence, including creating a wallet or wallets, and with respect to ongoing user support.

COOKIES
Some of our web pages may contain “cookies”, or data that is sent to your web browser and stored on your computer. The purpose of these “cookies” is to allow our server to recognize you as a returning visitor, customize our services, content, and advertising; measure promotional effectiveness; help ensure that your account security is not compromised; mitigate risk and prevent fraud; and to promote trust and safety across our sites and services. We may also use trusted third-party services that track this information on our behalf. In the event you do not wish to receive such cookies, you may configure your web browser to not accept cookies or to notify you if a cookie is sent to you. You are free to decline cookies if your web browser permits, but you may not be able to use all the features and functionalities of our website. Abra does not link the information we store in cookies to any personally identifiable information you submit while on our website.

HOW WE USE AND SHARE THE PERSONAL INFORMATION WE COLLECT
The Personal Information we collect and the practices described above are done in an effort to provide you with the best experience possible, protect you from risks related to improper use and fraud, and help us maintain and improve the Abra platform.

We may share Personal Information with third-party service providers (including those that may be located outside of the United States or your country), who help us operate our platform and systems, and detect fraud and security threats during the normal course of our business. Such third-party service providers are subject to strict confidentiality obligations. In addition, we may be compelled to share Personal Information with law enforcement, government officials, and regulators.

For example, we may use your Personal Information to:

Provide you with our services, including user support for Abra;

  • Optimize and enhance our services for all users or for you specifically;
  • Conduct anti-fraud and identity verification and authentication checks (you authorize us to share your Personal Information with our third-party service providers, who may also conduct their own searches of publicly available Personal Information about you);
  • Monitor the usage of our services, and conduct automated and manual security checks of our services; and
  • Create aggregated and anonymized reporting data about our services.

If we decide to modify the purpose for which your Personal Information is collected and used, we will amend this Privacy Policy.

If we propose to sell or buy any business or assets, we may disclose your Personal Information in an anonymized form to the prospective buyer or seller of such business or assets. In the event of a merger, acquisition, or asset sale of Abra, we will give you notice if, and before, your Personal Information is transferred in a non-anonymized form or becomes subject to a different privacy policy.

We do not sell user Personal Information to third parties for the purpose of marketing.

Be aware that Bitcoin, Litecoin, and other cryptocurrencies are not necessarily truly anonymous. Generally, anyone can see the balance and transaction history of any public cryptocurrency address. We, and any others who can match your public cryptocurrency address to other Personal Information about you, may be able to identify you from a blockchain transaction. This is because, in some circumstances, Personal Information published on a blockchain (such as your cryptocurrency address and IP address) can be correlated with Personal Information that we and others may have. This may be the case even if we, or they, were not involved in the blockchain transaction. Furthermore, by using data analysis techniques on a given blockchain, it may be possible to identify other Personal Information about you. As part of our security, anti-fraud and/or identity verification and authentication checks, we may conduct such analysis to collect and process such Personal Information about you. You agree to allow us to perform such operations and understand that we may do so.

DATA SECURITY
If Abra stores or processes Personal Information, Abra protects data by using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration. Some of the safeguards Abra uses are firewalls and data encryption, physical access controls to data centers, and information access authorization controls. Abra’s employees, contractors and agents are subject to strict contractual confidentiality obligations and may access your Personal Information only on a need-to-know basis.

ACCURACY AND RETENTION OF PERSONAL INFORMATION
We take reasonable and practicable steps to ensure that your Personal Information held by us (i) is accurate with regard to the purposes for which it is to be used, and (ii) is not kept longer than is necessary for the fulfillment of the purpose for which it is to be used, which is when your business relationship with us ends, unless the further retention of your Personal Information is otherwise permitted or required by applicable laws and regulations.

ACCESS, CORRECTION, AND DELETION OF PERSONAL INFORMATION
You have the right to ascertain whether we hold your accurate and current Personal Information, to obtain a copy of the Personal Information that you submitted as permitted by law, and to correct any of your data that is inaccurate. You may also request that we inform you of the type of Personal Information we hold with regard to you, subject to restrictions on our providing copies of certain data pursuant to our obligations under the Bank Secrecy Act (“BSA”) and Anti-Money Laundering (“AML”) regulations and/or data provided to our legal counsel in defense of a claim against us. You may also request that we delete your Personal Information, subject to restrictions under applicable laws and regulations, such as those related to the BSA and AML. For data access, correction, or deletion requests, please contact privacy@abra.com.
When handling a data access, correction, or deletion request, we check the identity of the requesting party to ensure that he or she is the person legally entitled to make such request. While we maintain a policy to respond to these requests free of charge, should your request be repetitive or unduly onerous, we reserve the right to charge you a reasonable fee for compliance with your request.

DIRECT MARKETING
Subject to applicable laws and regulations, we may from time to time send direct marketing materials promoting services, products, facilities, or activities to you using information collected from you. We will provide you with an opportunity to opt-out of such communications and will only send them to you if you consent.
We will not provide your Personal Information to third parties for direct marketing or other unrelated purposes without your written consent.

CONTACT US
If you have questions or concerns, please feel free to contact us at privacy@abra.com. Please note that whenever you send us a message, you will be providing us with Personal Information about yourself, including your email address, your name, if you choose to do so, and any information you choose to include in the text of your message. In some cases, other Personal Information may be required in order for us to be helpful and address your question or concern. Such provided Personal Information will be deemed Personal Information provided under this Privacy Policy and handled pursuant to the provisions hereof.
This Privacy Policy only pertains to our policies and practices with regard to your Personal Information. Websites linked to and/or from our website are not covered by this Privacy Policy.

PRIVACY STATEMENT FOR DATA SUBJECTS RESIDING IN THE EUROPEAN UNION
There are obvious risks that apply when data are transferred from one jurisdiction to another (e.g., an unauthorized interception of the data, misuse, etc.) and the data protection and other laws of the United States and/or other countries might not be as comprehensive as those in your country. Additionally, in certain circumstances, law enforcement or regulatory agencies, courts, or security authorities in the United States may be entitled to access your personal information. By using our Services, you acknowledge and agree that your personal information will be transferred to and processed in the United States at our facilities and those third parties with whom we share it as described in this Privacy Policy. Please be assured that we take commercially reasonable steps to ensure that your privacy is protected. For users of the Services that are residents of the European Union (“EU“) or the United Kingdom (“UK“), please see below to review Abra’s European Data Privacy Addendum, which details your rights under the EU’s General Data Protection Regulation (“GDPR“) and provides you with an explanation of how you may exercise your rights.

YOUR RIGHTS AS A EUROPEAN DATA SUBJECT
The GDPR provides “data subjects” (essentially natural persons that are the subject of personal data and are residents of the EU or UK) with a wide array of rights related to data privacy. Abra is considered a “data controller” under the GDPR with respect to its processing of your personal data. A data controller is essentially a person or organization that can determine how and why your personal data is processed and is responsible for ensuring that you are able to exercise certain privacy rights. Although Abra’s service providers will also collect and process your personal data, as described in the Privacy Policy, Abra will always be the data controller in respect to such processing. If you wish to exercise any of the rights detailed below, please send an e-mail sufficiently detailing such request to: privacy@abra.com . Please note that if we receive a request from you to exercise your rights, Abra has the right to have you take reasonable steps to confirm your identity, including your residency within the EU or UK.

RIGHT TO TRANSPARENT COMMUNICATION
You are entitled to a receive information from Abra regarding its collection and processing of your personal data. All such information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Such information has been provided by Abra in this Privacy Policy, as amended from time to time.

RIGHT TO ACCESS BASIC INFORMATION
You have the right to obtain confirmation from Abra as to how your personal data are being processed, including the following information:

  • Confirmation of whether, where, and by whom your personal data are being processed;
  • Purpose(s) for the processing;
  • Categories of personal data being processed;
  • Categories of recipients with whom the data may be shared;
  • The period for which the data will be stored (or the criteria used to determine that period); and
  • Information about the existence of, and an explanation of the logic involved in, any automated decision-making that has a significant effect on you.

You may also request to receive an electronic copy of your personal data that are processed by Abra. Abra is required to provide any requested information within one (1) month of receiving an access request. However, if Abra receives a large numbers of requests, or especially complex requests, this time limit may be extended by a maximum of two (2) further months as long as Abra provides you with an explanation for the delay within the original one (1) month timeframe. If Abra fails to meet these deadlines, you may complain to the relevant Data Protection Authority (explained below) and may be able to seek a judicial remedy in the relevant EU Member State’s court system.

RIGHT TO DATA PORTABILITY
You have the right to transfer your personal data between controllers (e.g., to move account details from one online platform to another). Specifically, you have the right to:

  • Receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
  • Transfer your personal data from one controller to another;
  • Store your personal data for further personal use on a private device; and
  • Have your personal data transmitted directly between controllers without hindrance.

Please note that any inferred or derived data (data derived through use of analytical processes) do not fall within the right to data portability, because such data are not provided by you. Additionally, Abra is not obliged to retain personal data for longer than is otherwise necessary simply to service a potential data portability request.

RIGHT TO RECTIFY INFORMATION
Abra is required to ensure that inaccurate or incomplete data are erased or corrected. You have the right to request Abra correct or erase personal data that you believe to be inaccurate or incomplete.

RIGHT TO WITHDRAW CONSENT
Your consent can provide a lawful basis for Abra to process your personal data and/or transfer your data internationally. You have the right to withdraw such consent. However, please note that other lawful bases may apply to the processing or transfer of your data.

RIGHT TO ERASURE/RIGHT TO BE FORGOTTEN
Under the GDPR, in certain circumstances, you may have the right to have Abra erase your personal data, cease further dissemination of the data, and potentially have third parties halt processing your data upon your request. This right is commonly referred to as the “right of data erasure” or “the right to be forgotten.”  You have the right to erasure of your personal data if:

  • The data are no longer needed by Abra for their original purpose (and no new lawful purpose exists);
  • The lawful basis for the processing is your consent, you withdraw that consent, and no other lawful ground exists for Abra to process the information;
  • You exercise your right to object to processing and Abra has no overriding grounds for continuing the processing;
  • The data have been processed unlawfully; or
  • Erasure is necessary for compliance with other EU laws or the national law of a relevant EU Member State.

RIGHT TO NOT BE EVALUATED SOLELY ON THE BASIS OF AUTOMATED DECISION-MAKING PROCESSES
Subject to certain exceptions detailed below, you generally have the right to not have any decisions made about you that are based solely on “automated decision-making” processes. An automated decision-making process involves using automated processing activities (activities that do not use human intervention) to make a decision about you that will materially affect you (i.e., a decision that would produce “legal effects” or otherwise have a similar “significant effect“). A legal effect is something that will affect your legal rights. The decision must have the potential to: significantly affect your circumstances, behavior, or choices; have a prolonged or permanent impact; or at its most extreme, lead to exclusion or discrimination. Please note that if a human being reviews and takes other factors into account in making a final decision, that decision is not considered to be “based solely” on automated processing.
In general, the use of automated decision-making processes are permitted where:

  • It is necessary for a data controller to enter into or perform a contract with you;
  • It is authorized by law; or
  • You have explicitly consented and appropriate safeguards are in place.

If a data controller is making decisions based on any automated decision-making processes, you are entitled to a description of what portions of the decision-making will be automated, reasons why automation is logical, and the significance and consequences behind the decision to automate the processing.
If an automated decision-making process is conducted as a result of contractual necessity or you have explicitly consented to such processing, you are allowed to request human intervention, express your point of view, and contest decisions that are arrived at as a result of the processing. To the extent automated decision-making processes also involve high risks to the privacy of your information, Abra will conduct a data privacy impact assessment (“DPIA“) prior to conducting the processing in order to ensure that appropriate safeguards are in place. A DPIA is a tool designed to enable organizations to identify and analyze the risks that are inherent in data processing activities and enables us to address and mitigate those risks.

RIGHT TO RESTRICT PROCESSING
In some circumstances, you may be entitled to limit the purposes for which Abra can process your personal data. Specifically, you have the right to restrict the processing of your personal data if:

  • The accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
  • The processing is unlawful and you request restriction (as opposed to exercising the right to erasure);
  • Abra no longer needs the data for their original purpose, but the data are still required by Abra to establish, exercise, or defend legal rights; or
  • If verification of overriding grounds is pending in the context of an erasure request.

FEES FOR REQUESTS
Abra is required to give effect to your rights of access, rectification, erasure, and the right to object free of charge. However, Abra may charge a reasonable fee for repetitive requests, unfounded or excessive requests, or further copies beyond the initial copy provided.

RIGHT TO MAKE A COMPLAINT TO THE RELEVANT DPA
Data Protection Authorities (“DPAs“) are the regulatory authorities responsible for monitoring and enforcing data protection laws at a national level and providing guidance on the interpretation of those laws. DPAs are empowered to oversee enforcement of the GDPR, investigate breaches of the GDPR, and bring legal proceedings where necessary. If you believe that your rights have been infringed by Abra, you have the right to ask Abra to remedy the situation. If you believe you have not received an adequate response from Abra, you may file a complaint with the relevant DPA (either the DPA for the EU Member State in which you live or work or the Member State in which the alleged infringement occurred). A list of DPAs may be found at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080 (current as of July 2018).

ABRA’s LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA
Under the GDPR, in order to process your personal data, Abra is required to identify a legal basis (or bases) for its processing activities. Abra’s legal bases for processing your personal data are as described below.

  • Consent: Abra is permitted to process your personal data to the extent you have given consent for Abra to perform processing activities. Please note that your consent to processing can be revoked at any time (though there may be other applicable legal bases that may justify ongoing processing of your personal data). Your consent may be revoked by sending an email to: privacy@abra.com.
  • Due Diligence Interests: It is necessary for Abra to process your personal data for the purposes of conducting due diligence. This could include, for example, monitoring official watch-lists, sanction lists and “do-not-do-business-with” lists published by governments and other official bodies globally. This could also include keyword searches of industry and reputable publications to determine if companies and individuals have been involved in or convicted of relevant offenses, such as fraud, bribery, and/or corruption.
  • Fraud Detection and Prevention Interests: Processing your personal data is necessary for Abra to help detect and prevent fraud, e.g., verifying that the registered address of the cardholder for a particular credit or debit card is the same as the cardholder’s normal place of residence or work.
  • Compliance with Laws and Regulations: Abra is subject to binding legal or regulatory obligations and needs to process your personal data in order to comply with such laws or regulations. Examples include: complying with reporting obligations; complying with screening obligations; responding to law enforcement requests; and/or responding to judicial/regulatory agency requests.
  • Reporting Potential Threats to Public Security/Safety: Abra has a legitimate interest in reporting possible criminal acts or threats to public security/safety that we identify as part of our processing activities to a competent authority.
  • Binding Legal or Regulatory Obligations: Abra is permitted to process your personal data where it has a binding legal or regulatory obligation to perform the processing to stay in compliance with applicable laws or regulations, for example, where Abra is required to respond to a court order, subpoena, or law enforcement agency request, to prevent fraud or abuse, or to protect the safety of individuals. Were Abra not able to process your personal data for such purposes, Abra could be subject to fines, penalties, and/or civil or criminal liability.

NON-DISCLOSURE OF PERSONAL INFORMATION
Our employees are prohibited, either during or after their employment, from disclosing Personal Information to any person or entity outside of our company, including family members, except under the circumstances described above. An employee is only permitted to disclose the Personal Information of a user to such other employees who needs access to such information in order to deliver our services to that user.

OUR CONTACT INFORMATION FOR PERSONS LOCATED IN THE EU
If you are located in the EU or Switzerland and have questions or concerns regarding the processing of your Personal Information, you may contact us at: privacy@abra.com or write us at:

Plutus Financial, Inc.
PO Box 390004
Mountain View, CA 94039
USA