Privacy Notice

Last updated: 29 November 2024

1. Introduction

Deribit (“Deribit”, “we”, or “us”) is an online platform that facilitates the trading of cryptocurrency-related products. In order to be able to provide our services to you, we need to process certain data about you. We take your privacy seriously and will always process your personal data in accordance with this Privacy Notice, as regularly updated under the conditions set out below.

This Privacy Notice outlines the general provisions applicable to all personal data processing activities carried out by us when you visit the Deribit website (whose domain names include but are not limited to www.Deribit.com), the trading platform, and the mobile applications (collectively referred to as "Deribit platforms"). To the extent that you are a customer or user of our services, a website visitor, a job applicant, or if you otherwise interact with us, this Privacy Notice applies together with the Deribit Terms of Service and any other agreements we may have with you. 

This Privacy Notice doesn’t apply to the information practices of other companies and organisations that refer to our services.

2. Our relationship with you

The Deribit operating entity you contract with determines the means and purposes of the processing of your personal data in relation to the services provided to you (typically referred to as a “data controller”). 

For clients contracting with Deribit FZE, your data controller is Deribit FZE, a company existing and operating in the Dubai World Trade Centre in the Emirate of Dubai, United Arab Emirates registered with license number 2800 having its registered address at The Offices 4 - One Central, Floor Number 04, Premises No. TO4 FLR04-04.08, Dubai World Trade Center. 

For all other clients your data controller is DRB Panama Inc, a private company with limited liability incorporated and existing in the Republic of Panama and registered with the Mercantile Registry under No. 155684990 having its registered address at Via Espana, Delta Bank Building, 6th Floor, Suite 604D, Panama City, Republic of Panama. 

3. What personal data does Deribit collect and process?

Personal data is any information relating to an identified or identifiable individual. This includes information you provide to us, information which is collected about you automatically, and information we obtain from third parties.

Information you provide to us

To open an account and access our services, we'll ask you to provide us with some information about yourself. This information is either required by law (e.g., for KYC ‘Know Your Customer’, AML ‘Anti-Money Laundering’ and CDD ‘Customer Due Diligence’ obligations), necessary to provide the requested services, or is relevant for certain specified purposes, described below. In some cases, if we add services and features, you may be asked to provide us with additional information. If you fail to provide the required data, Deribit will not be able to offer you our services.

If you apply for a job through the career page on our website, you will also be asked to provide certain personal information, and if you communicate with us through our Support Center, our Telegram channels, join any of our events, or otherwise interact with us, you may also share your personal data with us.

We may collect the following types of information from you:

Category of personal data: Types of personal data

Biographical information and contact information: Full name, e-mail address, residential address, telephone number, date of birth, place of birth, gender, nationality, proof of residence

Sensitive and Biometric data: As part of your onboarding, we may collect biometric information to verify your identity by, for example, comparing the facial scan data extracted from your selfie or video with the photo in your government issued identity document

Sensitive and Biometric Personal Data: Deribit may also collect sensitive personal data when permitted by local law or with your consent, such as biometric information, for example to verify your identity by comparing the facial scan data extracted from your selfie or video with the photo in your government issued identity document

Government identifiers: Government issued identity documents such as passport, national identification number, national identity card details, driver's licence

Financial information: Income details and source of income, net worth and source of wealth, bank account information, credit card details

Trading information: Transaction history, account balances, order details, wallet data, travel rule data, expected trades, expected deposits

Online identifiers: Social media domains / profiles (e.g., Telegram, Slack, X)

Suitability information: Experience in trading, and trading derivatives, understanding of cryptocurrency trading and its inherent risk

Personal information regarding corporate clients:

Register of Directors including the names, residential addresses and dates of appointment of all directors, signed and dated within the past 3 months by a signatory, with the name of the signatory provided;

Register of Members/Shareholders including names, residential addresses and number of shares, signed and dated within the past 3 months by a signatory, with the name of the signatory provided;

Corporate structure chart showing the shareholders and ultimate beneficial owners (UBOs), including share percentages and countries of residence/incorporation, signed and dated within the past 3 months by a signatory, with the name of the signatory provided;

In this sense, natural persons connected to corporate clients must be identified and verified so that we know who we are engaging with. This identification process applies to UBOs, directors, traders, authorised signatories and legal representatives of the corporate client, and we will collect the following: full name, date of birth, residential address, country of residence, nationality, country of birth, ID, proof of residence.

Employment information: Employer, job title, salary/wage, CV

Communication information: Correspondence with customer support, chat logs, support tickets, responses to surveys. Communications with us including call recordings with our customer services team, or any other team.

Career application information: CV, cover letter, a photo of you, contact details

Information from Cookies: See our Cookie Notice at the bottom of the website for further information

Account, security and authentication information: Usernames, UserID, passwords, API Keys, two-factor authentication details, preferred UX settings

Marketing preferences: Opt-in or opt-out preferences for marketing communications

CCTV footage: If you visit our offices or data centres you may be captured by CCTV cameras placed facing the access doors. If you participate in any of our events, there might be recordings of these.

Information we collect about you automatically

To the extent permitted under the applicable law, we may collect certain types of information automatically, for example whenever you interact with us or use the services. This information helps us address customer support issues, improve the performance of our sites and services, maintain and/or improve your user experience, and protect your account from fraud by detecting unauthorised access.

Category of personal data: Types of personal data

Browser information: Collected automatically via analytics systems providers from your browser, such as IP address, referral site, login information, browser type and version, time zone setting, operating system and platform

Usage information: Generated by your use of our websites, applications and services, and collected normally via Cookies, web beacons, pixels or similar technologies. This includes device information such as device identifier, device operating system and model, device storage, location information, network address, system activity and information regarding the pages you visit, length of the visit, page response time, page interaction such as scrolling, clicks, and mouse overs, among others.

Marketing information:

Website activity and preferences expressed through selection, viewing, purchase of products and offered through our website and platform;

Mobile device information such as type of device, device identification number, mobile operating system.

This also includes information collected via Cookies.

Information we receive about you from other sources

We may obtain information about you from our affiliates or third party sources such as our service providers assisting with AML, fraud, and security compliance, custody solutions, and through publicly available sources. 

For example, we outsource some services and work closely with other companies to deliver our products, and therefore, we receive personal data about you from these vendors (e.g., background check providers, identity verification providers, credit reference agencies, blockchain data analysers, custody firms and onboarding platforms, among others). To comply with “travel rule” regulations, we may receive personal data about you if you are the beneficiary of a transfer. We may also read and store data that is written on a blockchain, other publicly available ledgers, or is otherwise in the public domain (Third-parties data).

When conducting a transaction with a third-party vendor or customer, this party may provide us with personal data about you such as name, contact information, and transaction information.

4. Why and on which legal grounds does Deribit process my personal data?

Our main purpose in collecting your personal data is to provide our services in a secure, compliant and efficient way. We generally use your personal data to deliver, provide and operate our services, to market our services, and for loss prevention and anti-fraud purposes. In the table below we set out the various reasons for us to process your personal data, together with the categories of personal data processed (as described in the section above) and our legal basis for doing so.

Processing purpose: To manage our contractual relationship with you

This covers onboarding you as a customer, creating and administering your account, processing your trades and trading history, your orders, withdrawals, and deposits.

Categories of personal data: Biographical information and contact information, Financial information, Trading information, Suitability information, Personal information regarding corporate clients, Account, security and authentication information, Communication information.

Legal basis: Processing is necessary for the performance of a contract to which you are a party.

Processing purpose: To perform KYC and CDD

Specific laws and regulations require us to process certain personal data about you.

Categories of personal data: Biographical information and contact information, Sensitive and Biometric data, Government identifiers, Financial information, Employment information, Suitability information, Personal information regarding corporate clients, information received by third parties.

Legal basis: Processing is necessary to comply with “know your customer”, Anti-Money Laundering and customer due diligence regulatory obligations.

When this involves the processing of special categories of personal data, our processing relies on reasons of substantial public interest, based on EU or EU Member State law.

Where no specific KYC/AML legislation applies, we process these categories of personal data relying on our legitimate interest. We firmly believe in the responsible and proactive implementation of such measures. By voluntarily engaging in thorough KYC procedures, we contribute to the prevention of financial crimes, the protection of our clientele, and our trading venue.

Processing purpose: To communicate with you on service-related matters

It involves communicating with you about the service (e.g., keeping you informed about relevant security issues or updates). You may not opt out of receiving critical service communications, such as emails or mobile notifications sent for legal or security purposes.

It also covers customer support and trouble-shooting activities such as answering your questions, complaints and disputes.

Categories of personal data: Biographical information and contact information, Trading information, Communication information, Account, security and authentication information, Browser information, Usage data

Legal basis: Processing is necessary for the performance of a contract to which you are a party.

Processing is necessary for the purpose of the legitimate interest pursued by us to improve our services and enhance our user experience.

Processing purpose: To safeguard the security, safety and integrity of our trading venue

This includes transaction monitoring, detecting suspicious trades, preventing fraud and abuse, and combating malware, credit risks, and security risks such as compromised accounts and funds loss.

We may also use scoring methods to assess and manage credit risks. Please note that we may engage in automated decision-making for purposes of risk and fraud detection. When we do, we have implemented suitable measures to safeguard your rights, including, in most cases, the review of the case by one of our officers (human-in-the-loop).

If you visit our offices or data centres, this can also include CCTV footage.

Categories of personal data: Biographical information and contact information, Trading information, Financial information, Personal information regarding corporate clients, Communication information, Account, security and authentication information, Browser information, Usage data, CCTV footage, information received by third parties.

Legal basis: Our legitimate interest in maintaining a fair trading venue, and in protecting the security of our customers, ourselves and others.

Processing is necessary for the performance of a contract to which you are a party.

Processing purpose: For internal business purposes and record keeping.

Categories of personal data: Biographical information and contact information, Trading information

Legal basis: Processing is necessary for the purpose of the legitimate interest pursued by us to keep records to ensure that you comply with your contractual obligations pursuant to the agreement governing our relationship with you, for internal business and research purposes as well as for record keeping purposes.

Processing is also necessary to comply with our legal obligations to keep certain records.

Processing purpose: To do research, improve our services and innovate.

We process personal data to improve our services and for you to have a better user experience.

We may aggregate your personal data with the personal data of our other clients on a de-identified basis (that is, with your personal identifiers removed), so that more rigorous statistical analysis of general patterns may lead us to providing better products and services.

Some of this information may be used for marketing purposes as described below.

Categories of personal data: Biographical information and contact information, Trading information, Communication information, Account, security and authentication information, Browser information, Usage data, Marketing information.

Legal basis: Processing is necessary for the purpose of our legitimate interest to improve and run our services through information obtained through your use of our services, your interaction with customer support, your responses to our surveys, and in general, your communications with us.

Processing purpose: To run some minor marketing activities

This includes sending out newsletters to registered customers, launching specific campaigns for active users, organizing give-aways, promotions and prizes, and conducting surveys.

Categories of personal data: Biographical information and contact information, Trading information, Communication information, Account, security and authentication information, Browser information, Usage information, Online identifiers, Marketing preferences, Marketing information.

Legal basis: We rely on your consent when you have indicated so. For instance, when you register for the newsletter, or to participate in a specific campaign, or you agree with us sharing a photo or short story about you.

For other activities, such as sending out surveys, we rely on our legitimate interest to gather information on how our products and services are working for our clients and how to improve our products and services. Your participation in those surveys will be on the basis of your consent.

Processing purpose: To administer and run Events

This includes rolling out invitations, hosting the events (online and offline events), and sending communications to keep you updated about any changes regarding the event.

The events may include the recording of audiovisual (AV) material, such as voice and image.

Categories of personal data: Biographical information and contact information, CCTV footage

Legal basis: Processing is necessary for the purpose of our legitimate interest to produce, organise and host events.

For some specific processing, we rely on your consent (e.g., if you voluntarily wish to appear in a photo or recording).

Processing purpose: To gather information via Cookies

This includes analysing usage of the website and the platform, drawing statistics and some minor marketing activities.

Categories of personal data: Information from Cookies

Legal basis: Where required by applicable law, we rely on your consent to place cookies and similar technologies.

Processing purpose: To process job-applicant applications

Categories of personal data: Biographical information and contact information, Career application information

Legal basis: We rely on our legitimate interest to process applicant personal data.

For specific purposes (e.g., storing your career application information for longer periods than allowed by local law) we rely on your consent.

Processing purpose: To enforce and defend our rights

This includes initiating legal claims, preparing our defence in litigation procedures, addressing legal or administrative proceedings whether before a court or a statutory body and to investigate or settle issues, enquiries and/or disputes.

Categories of personal data: Biographical information and contact information, Government identifiers, Financial information, Trading information, Suitability information, Personal information regarding corporate clients, Employment information, Communication information, Account, security and authentication information, Browser information, Usage information, Marketing information, CCTV footage.

Legal basis: It is in our legitimate interest to enforce and defend our rights and to ensure that issues, enquiries and/or disputes are investigated and resolved in a timely and efficient manner.

Processing purpose: To comply with applicable laws, subpoenas, court orders, other judicial process, or the requirements of any applicable regulatory authorities

Categories of personal data: Biographical information and contact information, Government identifiers, Financial information, Trading information, Suitability information, Personal information regarding corporate clients, Employment information, Communication information, Account, security and authentication information, Browser information, Usage information, Marketing information, CCTV footage.

Legal basis: It is our legal obligation to disclose personal data where we receive a legally binding request to disclose personal data from law enforcement or other bodies or where we have a legitimate interest in assisting law enforcement or other agencies in respect of an investigation.

5. Can children use Deribit services?

Deribit does not allow anyone under the age of 18 to use Deribit Services and we do not knowingly request or collect any information about persons under the age of 18. If you are under the age of 18, please do not provide any personal information to us.

If a customer or user submitting personal information is suspected of being younger than 18 years of age, Deribit will require the relevant customer or user to close his or her account, and will take steps to delete the individual’s information as soon as possible.

6. What Rights Do I Have?

Subject to applicable law, as outlined below, you have a number of rights in relation to your privacy and the protection of your personal data. You have the right to request access to, correct, and delete your personal data, and to ask for data portability. You may also object to our processing of your personal data or ask that we restrict the processing of your personal data in certain instances. In addition, when you consent to our processing of your personal data for a specified purpose, you may withdraw your consent at any time. 

Your rights may be limited in some situations - for example, where we can demonstrate we have a legal requirement to process your personal data, or some rights are limited to our reliance on a specific legal ground as indicated above.

  • Right to access: you have the right to obtain confirmation that your personal data are processed and to obtain a copy of it as well as certain information related to its processing

  • Right to rectify: you can request the rectification of your personal data which are inaccurate, and also add to it. You can also change your personal data in your account at any time.

  • Right to delete: you can, in some cases, have your personal data deleted;

  • Right to object: you can object, for reasons relating to your situation, to the processing of your personal data. For instance, you have the right to object where we rely on legitimate interest or where we process your data for direct marketing purposes;

  • Right to restrict processing: You have the right, in certain cases, to temporarily restrict the processing of your personal data by us, provided there are valid grounds for doing so. We may continue to process your personal data if it is necessary for the defense of legal claims, or for any other exceptions permitted by applicable law;  

  • Right to portability: in some cases, you can ask to receive your personal data which you have provided to us in a structured, commonly used and machine-readable format, or, when this is possible, that we communicate your personal data on your behalf directly to another data controller;

  • Right to withdraw your consent: for processing requiring your consent, you have the right to withdraw your consent at any time. Exercising this right does not affect the lawfulness of the processing based on the consent given before the withdrawal of the latter;

  • Right to contest a decision based solely on automated processing: You have the right to require that decisions be reconsidered if they are made solely by automated means, without human involvement;

  • Right to lodge a complaint with the relevant data protection authority: We hope that we can satisfy any queries you may have about the way in which we process your personal data. However, if you have unresolved concerns, you also have the right to complain to the data protection authority in the location in which you live, work or believe a data protection breach has occurred.

If you have any questions or objections as to how we collect and process your personal data, or if you want to exercise any of your rights, please contact us via email at dpo@deribit.com.

7. How long do you retain my personal data?

We keep your personal data to enable your continued use of our services, for as long as it is required in order to fulfil the relevant purposes described in this Privacy Notice, and as may be required by law such as for tax and accounting purposes, compliance with Anti-Money Laundering laws, or to resolve disputes and/or legal claims or as otherwise communicated to you. 

While retention requirements vary by jurisdiction, information about our typical retention periods for different aspects of your personal data are described below.

  • Personal Identifiable Data collected to comply with our legal obligations under financial or anti-money laundering laws may be retained after account closure for as long as is required under such laws.

  • Trading activity data may be retained after account closure for as long as is needed for us to maintain the integrity of our platform, as well as to maintain sufficient records for resolving disputes and legal claims.

  • Contact Information such as your name, email address and telephone number for marketing purposes is retained on an ongoing basis and until you (a) unsubscribe, or we (b) delete your account. Thereafter we will add your details to an unsubscribed list to ensure we do not inadvertently market to you.

  • Content that you post on our website such as support desk comments, photographs, videos, blog posts, and other content may be kept after you close your account for audit and crime prevention purposes.

  • Information collected via cookies is retained for the period indicated for each one in our Cookie banner accessible at the bottom of this website.

7. Will your personal data be transferred internationally?

To facilitate our global operations, Deribit may transfer your personal information outside of the European Economic Area (“EEA”), UK, United Arab Emirates and Switzerland. The EEA includes the European Union countries as well as Iceland, Liechtenstein, and Norway. Transfers outside of the EEA are sometimes referred to as “third country transfers”.

We maintain servers around the world and your information may be processed on servers located outside of the country where you live. Data protection laws vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections described in this policy. We also comply with certain legal frameworks relating to the transfer of data.

8. Who has access to your personal data?

To the extent permitted by law and taking into account your rights and the consent you have given (if any), only our authorised personnel shall have access to your personal data on a need-to-know basis. These persons have undergone background screening before they were employed and are required to treat the information as highly confidential. We may also share your personal data with a limited and defined number of recipients in other Deribit entities, or under control of Deribit (Deribit Group) as part of regular day-to-day business, and with external professional advisors such as lawyers or accountants.

We outsource some services that are essential to deliver our products and services (e.g., for blockchain monitoring, assessing credit risk, identity verification, IP address monitoring, marketing partners, or some essential infrastructure providers such as cloud service providers, emailing providers, and in general, software solutions). All third parties engaged by us undergo thorough due diligence procedures and we make sure they follow practices as protective with your data as we have. These third parties will only access personal data which is essential to provide the service to us and not more. When you use third-party services (like when you go through Jumio for your identity check, custody or onboarding solutions) or websites that are linked through our services, the providers of those services or products may receive information about you that Deribit, you, or others share with them. Please note that when you use third-party services which are not governed by this Notice, their own terms and privacy policies will govern your use of those services and products.

We may provide your personal data to competent authorities (courts, law enforcement authorities, regulators, attorneys) upon their request to the extent legally required, or to the extent necessary to defend our rights in legal proceedings or investigations, or when we believe in good faith that the disclosure of personal information is necessary to protect the rights, property or safety of our customers, Deribit, or others, including to prevent imminent physical harm or material financial loss. Finally, we may share personal data to investigate violations of our Terms of Use or other applicable policies, and to detect, investigate, prevent or address fraud or credit risk, or other illegal activity, and report it to competent authorities.

Lastly, we may choose to buy or sell assets, and may share and/or transfer customer information, including personal data, in connection with the evaluation of and entry into such transactions and based on our legitimate interests. Also, if we (or our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, personal data could be one of the assets transferred to or acquired by a third party.

9. Will your personal data be transferred internationally?

To facilitate our global operations, Deribit may transfer your personal information outside of your country of residence, or the country of residence of your contracting Deribit entity. For such transfers, we put in place suitable technical, organisational and contractual safeguards to ensure that such transfer is carried out in compliance with applicable data protection rules.  

We maintain servers around the world and your information may be processed on servers located outside of the country where you live. Data protection laws vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections described in this Notice. We also comply with applicable legal frameworks relating to the transfer of data.

10. Is your personal data secure?

We process your personal data with the greatest possible care and scrutiny. This means we will adopt appropriate technical and organisational measures to ensure that all the information is correct, current and complete and to prevent it from being accessed by unauthorised persons inside and outside our organisation. We use ‘best practices’ to secure your personal data. For instance, your personal data is encrypted with Secure Sockets Layer (SSL) technology and our directories and databases are password protected. You can also visit the Security Settings page of our Website for further information.

11. Use of Cookies

We use cookies when you visit our website and use our platform. A cookie is a small file that is saved on your computer, tablet or mobile phone when viewing a website. With the help of cookies user preferences may be saved for later use, or browsing habits can be tracked for statistical purposes. A lot of improvements in a website’s user experience and performance are possible thanks to the implementation of cookies.

We use the following cookies:

  • Necessary cookies

  • Statistics cookies

  • Marketing cookies

Go to our Privacy Preference Center or to the Cookie Notice at the bottom of the website to find additional information on our use of cookies.

12. Contact Information

Our data protection officer can be contacted via email at dpo@deribit.com and we will work to address any questions or issues that you have with respect to the collection and processing of your personal data.

If you have any concerns about privacy at Deribit, please contact us, and we will try to resolve it. You also have the right to contact your local Data Protection Authority.

13. Notices and Revisions

As our business evolves regularly, our Privacy Notice may undergo modifications as well. It is advisable to routinely review our websites for the latest updates. The "Last Updated" date at the beginning of this Privacy Notice will be adjusted accordingly. Any substantial alterations to this Privacy Notice will be communicated through our platform or via email to the address you have supplied in your account. Your ongoing use of Deribit following adjustments to this Privacy Notice indicates your comprehension and acceptance of these changes. 

Unless stated otherwise, our most recent Privacy Notice applies to all information that we have about you and your account.

14. Languages

This Privacy Notice may be published in different languages. In case of any discrepancy, this English version shall prevail.