Privacy Statement

Effective as of 27 September 2023

This privacy statement explains how we, Crystal Blockchain B.V.; located at the Strawinskylaan 3051, 1077ZX Amsterdam, the Netherlands (“Crystal” “we”, “us” or “our”) collect, handle, disclose, store and protect information about you in the context of our services Crystal Expert, Crystal Public Explorer and/or Crystal API (“Services”). We also provide information about your rights and about how you can contact us if you have questions about how we handle your information.

What this privacy statement covers

This privacy statement only covers our Services. Our privacy notice applies to other products, services and websites made available by us.

Who we hold information about

We, through our Services, power cryptocurrency transaction analysis and monitoring on the blockchain (“Checks”), bringing best-in-class anti-money laundering compliance and risk management solutions to exchanges, banks, and financial institutions and others (“Crystal Users”).

Our Services are designed and maintained to improve the speed, accuracy and transparency of Checks which are carried out by Crystal Users on customers, vendors, business partners and other (counter)parties.

The Services are not aimed at children. In the highly unlikely circumstances where we collect and use personal information about children, we comply with industry guidelines and applicable laws.

Your information is only included on our Services through the Checks performed by Crystal Users or if Public Domain Data (as defined below) suggests that there is information about you that Crystal Users ought to be aware of for the purposes of Checks.

Crystal Users make their own decisions about how to use the results from the Checks received from our Services. If you have any questions about these decisions, please be referred to the relevant Crystal User.

Your information is included in our Services through Public Domain Data and by Crystal Users performing the Checks.

For the purpose of this privacy statement, “Public Domain Data” means personal information (1) originally available to the public and typically over the internet; (2) that Crystal has a reasonable basis to believe is lawfully made available to the general public by or from: (i) the data subject (or consumer or individual to whom the personal information relates), (ii) widely distributed media, or (iii) from a person to whom the data subject has disclosed the personal information (provided that Crystal does not have knowledge that the data subject has restricted the information to a specific audience); or (3) lawfully made available from records, databases, and/or systems of government agencies, departments, divisions or other operating units, in electronic, paper or any other format. Examples include personal information found on sanction or watch lists or law enforcement, court, regulatory or other government websites.

What personal information we process

As part of our Services, we may collect and process information (i) through Checks; and (ii) that is derived from Public Domain Data, where relevant for Checks.

The Services may hold the following types of information about you.

Information that helps identify you (e.g. your name and/or alias (if any).

Your inclusion (if any) on sanctions lists or on public lists of disqualified directors or other positions of responsibility.

Public Domain Data about actual or alleged money laundering or terrorist financing crime, or crimes that are a pre-cursor to money laundering or terrorist financing which are also known as predicate offences (e.g. financial crime, illegal trafficking, environmental offences, smuggling, membership of an organised crime group).

In some cases, the personal information on our Services includes, depending on specific jurisdictions and their applicable data protection laws, so-called ‘sensitive’ or ‘special categories’ of personal information such as information relating to any criminal offences actually or allegedly committed by you (for example, if these are money-laundering or terrorist financing offences, or pre-cursor crimes to such offences).

We have in place robust controls designed to ensure that information about you on our Services is accurate, relevant and not excessive. We comply with detailed research and screening processes for sourcing Services information and we monitor compliance with these processes.

How we use information about you

We use information to facilitate Checks by Crystal Users, to comply with regulatory requests and for other purposes connected with the proper management of our Services and protection of our rights. More information on these purposes is contained below.

If your information is included on our Services, it is processed (e.g. collected, used, shared and retained) for the purposes of:

  • facilitating Checks by Crystal Users;
  • if you contact us, dealing with your requests and enquiries;
  • complying with requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, including where they are outside your country of residence;
  • exercising our rights, and to defend ourselves from claims and to comply with laws and regulations that apply to us;
  • services we receive from our professional advisors, such as lawyers, accountants, consultants or information security professionals;
  • protecting our rights; and
  • supporting the operation of our Services.

What legal grounds do we use to process your information

Some laws require us to explain our lawful reason for processing your personal information. We process standard personal information on the basis that it is in our or others’ legitimate interests; Art. 6 (1) 1 lit. f GDPR. We generally process special category and criminal data for reasons of substantial public interest on the basis of applicable law; namely Art. 9 respective 10 GDPR.

We are required by laws in Europe to set out in this privacy statement the legal grounds on which we rely in order to process your information.

We process your standard personal information on the basis that it is in Crystal Users’ legitimate interests to carry out Checks to ensure that they can comply with their legal and regulatory obligations and protect the public from financial crime, fraud and serious misconduct or dishonesty. In addition, it is also in our legitimate interests to carry on a business to facilitate those Checks. We and the public also have a legitimate interest in ensuring that financial crime, fraud and serious misconduct or dishonesty are prevented and detected. It is reasonable for you to expect that your information may be used for the carrying out of Checks in the public interest. You may feel that your interests differ from our and Crystal Users’ interests, as inclusion of your personal information on our Services results in further Checks being carried out by Crystal Users prior to a decision being made about whether to enter into an arrangement with you. However, the legitimate interests in carrying out Checks would not be overridden by your interests, given the significant public interest in the carrying out of Checks.

We process your special category information on the basis that:

  • you have made the information manifestly public; and
  • in all other cases, the processing is necessary for reasons of substantial public interest, on the basis of applicable law (including laws designed to combat money-laundering, bribery and corruption and avoidance of sanctions).

We process information about actual or alleged criminal offenses on the basis that it is authorized by applicable law.

Who we disclose your personal information to

We make our Services information available to Crystal Users, business partners that work with us to make our Services data available for the purpose of Checks and as required by, or desirable in order to comply with, law.

If information about you is included on our Services, it is made available to the following parties:

Crystal Users. We only make our Services information available to Crystal Users that have a legitimate need and a legal ground to access information on our Services. We also require that they only use it for the purposes of carrying out Checks or to otherwise comply with law. If any Crystal User uses information on our Services beyond the limited purposes permitted by us, we may act to terminate the Crystal User’s access to our Services.

Group companies. We disclose information about you to group companies that require our Services data for products or services that they offer.

Authorities, Courts and Tribunals. We also disclose information about you to competent authorities (including any national and/or international regulatory or enforcement body or court or other form of tribunal) in connection with one or more of the purposes outlined in the “How we use information about you” above where we are required to do so or at their request.

Business Transfers. In order to participate in, or be the subject of, any sale, merger, acquisition, restructure, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings), we share information about you with prospective buyers, sellers, advisers or partners and your information may be a transferred asset in a business sale.

Audits. We may share your personal data with auditors, tax advisors, or other auditing parties, solely on a legal basis and in accordance with applicable data protection laws. Such sharing of personal data is undertaken to fulfill our legal and regulatory obligations, ensure accurate financial reporting, and maintain compliance with relevant laws. We take appropriate measures to ensure that any such third parties handling your personal data adhere to strict confidentiality and data protection standards.

As we continue to develop our business, we may sell assets that currently form part of our business. In those circumstances, we may include information collected about you, or control of that personal information, as a business asset in any such sale. Also, in the unlikely event that we, or substantially all of our assets, are acquired, information about you, or control of such information, may be one of the transferred assets.

How we secure your personal information

We take information security seriously and use a range of physical, electronic and managerial measures to keep your personal information secure, accurate and relevant. These measures and our information security policies are closely aligned with widely accepted international standards, reviewed regularly and updated as necessary to meet our business needs and changes in technology and regulatory requirements.

International Transfer of Your Data

Crystal may transfer your personal data to countries other than your country of residence (including countries outside the European Economic Area). International transferring occurs in the course of providing our Services or because our affiliates, partners, or service providers have operations in countries across the world. The laws of these countries may not afford the same level of protection to your personal data.

The European Commission has determined that certain countries outside the European Union offer an adequate level of data protection (see article 45 General Data Protection Regulation (GDPR)).

Crystal ensures that adequate safeguards are in place to comply with the requirements for the international transfer of personal data under applicable privacy laws. For transfers of personal data outside the European Economic Area, Crystal may uses European Commission-approved Standard Contractual Clauses as safeguards (see article 46 General Data Protection Regulation (GDPR)).

How long we keep your information

Your personal data will be retained for as long as required for the purposes described in this Privacy Statement and depends on the type of information we hold about you.

We calculate retention periods for your personal information in accordance with the following criteria:

  • the length of time your personal information remains relevant to Checks;
  • the length of time it is reasonable to keep records to demonstrate that we have fulfilled our duties and obligations;
  • any limitation periods within which claims might be made;
  • any retention periods prescribed by law or recommended by regulators, professional bodies or associations or inter-governmental bodies (for example, the Financial Action Task Force);
  • the existence of any relevant proceedings.

Your rights

You may contact us (please see paragraph ‘How to Contact Us’ below) to exercise any of the rights you are granted under applicable data protection laws, which includes (1) the right to access your data, (2) to rectify them, (3) to erase them, (4) to restrict the processing of your data, (5) the right to data portability and (6) the right to object to processing.

How to contact us

If you have any questions or concerns regarding this Privacy Statement, please feel free to contact us at:


[email protected]

Data Protection Officer: David Braat

Mailing Address:

Crystal Blockchain B.V.; our office is located at the Strawinskylaan 3051, 1077ZX Amsterdam, the Netherlands.

Changes to this privacy statement

We may update and/or change the terms of our Privacy Statement. If we make any material changes, we will notify you by email, through our services, or by posting a prominent notice on the website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices. The effective date of this Privacy Statement is indicated at the top of this page and replaces previous versions.