1. Introduction
This is the General Privacy Notice on the privacy and protection of personal data (hereinafter referred to as “Privacy Notice”), adopted by Rondo Services SP ZOO (hereinafter referred to as "Rondo Services SP ZOO" or "Konto.com Exchange").
Rondo Services SP ZOO respects your privacy and is committed to protecting the personal data you have provided to us. We undertake to collect and use personal data in accordance with the General Data Protection Regulation (GDPR). This Privacy Notice will inform you of how we handle your personal data and will detail your rights in relation to your personal data and how the law (including the GDPR) protects you.
This Privacy Notice covers personal data of our customers, business partners, other persons contacting us, contracting our services and visiting us and their representatives and employees, potential employees or interns and applies to data collected via our showcase website (https://www.konto.com), our crypto exchange platform/app, as well as at our events, personal data collected in order to meet AML/KYC legal requirements in the area of financial transactions that are incumbent on us, and personal data collected via email, ad networks or other offline means.
The purpose of this Privacy Notice is to inform you about how Rondo Services SP ZOO collects and uses personal data as a result of using our website, our crypto exchange platform/application, as a result of our compliance with the AML/KYC legal requirements in the field of financial transactions incumbent upon us, as a result of registering for any Events or courses organized by Rondo Services SP ZOO, publications or newsletters, or as a result of collaborating in any way, actual or potential, with Rondo Services SP ZOO, including by contracting the services we make available to you.
This website, as well as our crypto exchange platform/application, is not intended for minors and we do not knowingly collect personal data from minors.
It is important that you read this Privacy Notice and the protection of your personal data together with any other information notice about personal data or any processing notice that we may provide on certain occasions when we collect or process personal data about you, so that you are fully informed of the manner and purpose of the use of this data. This Privacy Notice complements the other notifications and is not intended to replace them.
2. Definitions
EVENTS
Event(s) means any event organized by us, including virtual events, in collaboration with our customers or partners, regardless of how it is organized, online (virtual), offline or in any combination of the two variants, namely: conference, seminar, congress, webinar, workshop, presentation, conference with speaker in the hall and participants who connect online, etc.
LEGAL BASIS
Legitimate interest means our interest in running and managing our business to enable us to offer you the best services and/or products, as well as the best and safest experience. We make sure that we consider and balance any potential impact on you (both positive and negative), and on your rights, before processing your personal data for our legitimate interests. We do not use your personal data for activities in which our interests are overridden by the impact on you (unless we have your consent or if the applicable law does not provide otherwise). You can obtain additional information about how we evaluate our legitimate interests against any potential impact on you regarding certain activities by contacting us.
Execution of the Contract means the processing of your data if it is necessary for the execution of a contract to which you are a party or to which an association or company to which you are affiliated is a party or to take action at your request before concluding such a contract.
Compliance with a legal or regulatory obligation means the processing of your personal data if it is necessary to comply with a legal or regulatory obligation to which we are subject.
THIRD PARTIES
Internal third parties are, as the case may be, other entities that act as operators or processors and that have their headquarters in Poland, Romania, or other EEA countries, associates, employees or collaborators of Rondo Services SP ZOO.
External third parties (listing not exhaustive):
- Service providers that provide IT systems administration and management services.
- Professional consultants including lawyers, accountants, bankers, auditors and insurers providing consulting, banking, legal, insurance and accounting services.
- Public regulatory authorities and institutions and other public authorities in Poland, Romania or the European Union.
- Collaborators or business partners with whom RONDO SERVICES SP ZOO works in order to carry out its activity.
3. Data Processor
The data processor responsible for your personal data is:
Konto.com Exchange
RONDO SERVICES SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (hereinafter referred to as “RONDO SERVICES SP ZOO”)
Address: Hoża 86 / 210, 00-682 Warsaw, Poland
Email: dpo@konto.com
If you have any questions about this Privacy Notice or our data practices, you can contact us at the above email.
4. Legal basis for Processing Personal Data
Personal data are processed on the basis of the data subject's consent, legitimate interest or legal requirements as provided for:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) - GDPR;
- Polish Act of 10 May 2018 on Personal Data Protection (Dz.U. 2018 poz. 1000, as amended);
- Romanian Law no. 190/2018 on measures implementing Regulation (EU) 2016/679;
- Polish AML Act of 1 March 2018 on Counteracting Money Laundering and Terrorism Financing (Dz.U. 2018 poz. 723, as amended);
- Romanian Law no. 129/2019 on counteracting money laundering and terrorism financing (as amended by Law no. 315/2022);
- Polish Act of 14 June 2024 on the Protection of Whistleblowers (Dz.U. 2024 poz. 928);
- Romanian Law no. 361/2022 on the protection of whistleblowers in the public interest;
- MiCA (Reg. 2023/1114);
- DORA (Reg. 2022/2554).
We only process your personal data when we have a legal basis to do so, including:
Consent (Art. 6(1)(a)) GDPR:
When you voluntarily provide information or opt-in for newsletters and marketing.
Contract (Art. 6(1)(b)) GDPR:
To provide our services, process transactions, manage your account, or respond to your inquiries.
Legal Obligation (Art. 6(1)(c)) GDPR:
For compliance with legal or regulatory requirements (e.g., Anti-Money Laundering (AML), Counter Terrorism Financing (CTF), anti-fraud laws).
Legitimate Interests (Art. 6(1)(f)) GDPR:
To improve Website functionality, secure our services, prevent fraud, and conduct analytics — provided these interests are not overridden by your rights.
Explicit consent (Art. 9(2)(a)) GDPR:
The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject.
5. Principles of personal data processing that Konto.com Exchange adheres to
Rondo Services SP ZOO adheres to the principles of Personal data protection as envisaged in the EU GDPR, and other applicable laws. Under these principles, Rondo Services SP ZOO assists Controllers in ensuring that Users’ Personal data is:
- Processed fairly and lawfully and in a transparent manner in relation to the Data Subject;
- Processed for specified, explicit, and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- Kept accurate and up to date;
- Retained in a form permitting identification of Data Subjects for no longer than is necessary for the purposes for which they are processed;
- Processed in a manner that ensures their appropriate security;
- Not transferred outside the European Economic Area (EEA) without adequate protection.
6. Types of personal data processed
General personal data
User name or similar identifier, full name, nationality, country of residence, country of birth, place of birth, personal number code, professional status, place of work (if provided), date of birth, amount of income, planned value to invest (monthly), proof of domicile/residence in a particular place (i.e. utility bill not older than 2 months or bank statement)
Identity document data
National identity card/passport number and series, as well as data on the validity of these documents, issuing country
Contact details
Address, e-mail address, and phone number
Banking details
Bank account and payment card details, as well as proof of domicile/residence in a particular place (i.e. utility bill not older than 2 months or bank statement), i.e. amounts being transacted, amount of income, wallet address
Transaction data
Full name of the sender and the recipient, the address of the sender and the recipient
Technical data
Information regarding the date, time, and activity in the Services; IP address, your login details, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technologies on the devices on which you use the Site
Geolocation data
IP address, general geographic location (e.g., city, country) from User’s device
Profile data
Username and password, purchases or orders made by you, interests, preferences, feedback and survey responses, including user data for registration on our website and/or crypto exchange platform/app, session language
Marketing and communication data
Your preferences in receiving communications from us and our third parties and your communication preferences, consent and interactions
Media data
Audio recordings, video recordings and photos/pictures.
Relevant publicly available data
Information regarding a person’s status as a Politically Exposed Person (PEP) or presence on sanctions lists
Employment data
HR records, payroll, training
Whistleblowing data
Confidential reports under Polish Act of 14 June 2024 on the Protection of Whistleblowers and Romanian Law no. 361/2022
Special categories of personal data
We do not intentionally collect special categories of personal data (such as health information or religious beliefs) unless legally required or you voluntarily provide such information with your explicit consent. However, please note that our identity verification provider may process special categories of personal data on our behalf as part of their verification procedures including biometrics.
7. Sharing and Disclosure of Data
We may share your personal data with the parties listed below for the purposes set out in point 4 above.
- Internal third parties, as defined in the Definitions.
- External third parties, as defined in the Definitions.
- Third parties to whom we may choose to transfer or merge parts of our business or assets. Alternatively, we may seek to acquire or merge with other businesses. If there is a change in our business, then the new owners may use your personal data in the same way as described in this Policy.
We ask all our collaborators and partners to respect the security of your personal data and to treat them in accordance with the applicable legislation in force. We do not allow employees to use your personal data for their own purposes. They may use your personal data only if we give them permission to process it and only for the purposes mentioned by us.
We do not sell your data. We may share your personal data only with:
a. Third-Party Service Providers
- Cloud hosting (e.g., AWS, Google Cloud)
- Email and marketing tools (e.g., Mailchimp, SendGrid)
- Payment processors (e.g., OpenPayd, Checkout.com, PayPal)
- Customer support platforms
These providers process data on our behalf and under strict contractual obligations (Data Processing Agreements).
b. Legal and Regulatory Authorities
When required by law or to protect our rights or the safety of users.
c. Business Transfers
If Konto.com Exchange is involved in a merger, acquisition, or asset sale, your personal data may be transferred under appropriate confidentiality safeguards.
8. Our Data Processors and Third-Party Recipients
In accordance with Articles 13 and 14 of the GDPR, we inform you below of all third-party organisations that process your personal data on our behalf as data processors (bound by a Data Processing Agreement), or that receive your personal data as independent controllers under a legal obligation. We have concluded Data Processing Agreements (DPAs) with all processors, and where data is transferred outside the European Economic Area (EEA), we apply Standard Contractual Clauses (SCCs) approved by the European Commission or rely on an EU adequacy decision.
The table below lists all processors and recipients by category. This list is reviewed and updated at least annually. If you have any questions, please contact our Data Protection Officer at dpo@konto.com.
a. Identity Verification and Customer Due Diligence (KYC)

b. Payments and Digital Asset Custody

c. AML Transaction Monitoring, Sanctions Screening, and Regulatory Reporting
Note: Polish and Romanian public authorities listed below receive your data as independent controllers, not as our processors. Disclosure to these authorities is mandatory under Polish, Romanian, and EU law. In certain cases (e.g., Suspicious Transaction Reports), we are legally prohibited from informing you of a specific disclosure (tipping-off prohibition, Polish AML Act of 1 March 2018, Art. 53; Romanian Law no. 129/2019, Art. 56).

d. Cloud Infrastructure and Storage

e. Customer Communications, Support, and Notifications

f. Website Analytics, Cookies, and Consent Management

g. Security, Fraud Detection, and Application Monitoring

h. Address Validation

i. Whistleblowing System
Our whistleblowing channel (operated in compliance with the Polish Act of 14 June 2024 on the Protection of Whistleblowers and Romanian Law no. 361/2022) does not use any external processors. The system is hosted exclusively on segregated, EU-based infrastructure under Rondo Services SP ZOO's direct control. No personal data submitted through the whistleblowing channel is shared with any external processor or transferred outside the EU/EEA.
We do not sell your personal data to any third party. All processors listed above are bound by Data Processing Agreements requiring them to process your data only on our documented instructions, to implement appropriate technical and organisational security measures, and to assist us in meeting our obligations under the GDPR. For any queries regarding the processors listed above or to exercise your data subject rights, please contact: dpo@konto.com.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to improve functionality and personalize your experience. These may include:
- Necessary Cookies: Essential for site operation
- Analytics Cookies: To analyze Website performance (e.g., Google Analytics)
- Marketing Cookies: For advertising and retargeting (only with your consent)
You can manage your cookie preferences through our Cookie Banner and browser settings. For more, see our Cookie Policy.
10. Data Transfers Outside the EEA
Whenever a transfer of Personal data outside the EEA is carried out, Konto.com Exchange implements appropriate safeguards as set out in Chapter V of the EU GDPR by transferring based on an EU Adequacy Decision or by concluding Standard Contractual Clauses. Third-Party Processors likewise rely on appropriate safeguards, which include Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), or other lawful bases.
11. Personal Data Retention
How long we keep personal data
We will retain your personal data for as long as is necessary to fulfill the purposes for which we have collected it, including for the purpose of fulfilling any legal, accounting or reporting requirements. For complying with Anti-Money Laundering (AML) and Counter Terrorism Financing (CTF) legislation, your personal data is retained for a period of five (5) years from the moment the business relationship is closed. However, the term might be extended if required by competent authorities.
All data related to whistleblowing reports shall be retained for five years from the completion of the last investigative act or measure, after which it shall be deleted, in order to protect the public interest reporter and to enable subsequent verification of the measures taken in his or her interest, in accordance with the Polish Act of 14 June 2024 on the Protection of Whistleblowers (Art. 28) and Romanian Law no. 361/2022 (Art. 25).
In order to properly determine the retention period for personal data, we consider the value, nature and sensitivity of personal data, the potential risk of harm caused by unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these goals by other means.
12. Disposal and Destruction Policy
Any Personal data is deleted only after (a) obtaining an applicant's data deletion request in line with corresponding procedures by a Client or the Data Subject or (b) the satisfaction of the purpose for data processing, including expiration of retention period prescribed by applicable law.
To delete data from the files located in the removable media, we use the settings and tools designated for the relevant sanitisation method - clearing or purging. If the purging method is not secure enough considering the sensitivity of the information and such information may be recovered again, the removable media containing such information must be destroyed completely (e.g. shredded, crushed, disintegrated, pulverised, or incinerated by burning the device in a licensed incinerator, etc.).
To delete data from mobile devices, we use the means of a particular device. If a certain mobile device is intended to be reused/recycled/donated or is no longer to be used by the Konto.com Exchange staff, this staff member must reset the device to the original settings. As a general rule, the procedure for Apple iPhone and iPad OS: Select the ‘Settings > General > Reset > Erase All Content and Settings’ menu. For Android OS devices: Select ‘Settings > Backup & Reset > Factory Data Reset > Reset Phone’.
It is forbidden to handle any sensitive data in any equipment, removable media or mobile devices.
Any request to delete all or any Personal data related to a User is fulfilled within 30 days.
We may also have to store some records that have been confirmed as relating to fraudulent applications or accounts, or that we must obtain and maintain to prove our compliance with legal obligations in and outside the EU.
When the purpose refers to the establishment, exercise or defence of legal claims (so-called ‘litigation hold’), the retention period is limited to the duration of such proceedings in a specific case or circumstance.
In any case, we do not keep your data longer than we have a lawful basis for doing so.
13. Your Data Protection Rights
In certain circumstances, you have rights under applicable data protection law in respect of your personal data. Such rights are:
- The right to access your personal data: provides that you have the right to a copy of personal data held by us and to verify that they are legally processed.
- The right to rectify your personal data: by which you can request the correction of personal data we hold about you. This allows you to request the correction of any incomplete or inaccurate data we hold about you. Please note that it may be necessary to verify the accuracy of the new data you provide to us.
- The right to request the deletion of your personal data: (“the right to be forgotten”). This allows you to ask us to delete or remove your data if there are no longer good reasons to continue processing. Please note, however, that we may not always be able to comply with your request of deletion, for specific legal reasons, which will be notified to you, if applicable, at the time of your specific request.
- The right to object to the processing of your personal data: when we process data based on legitimate interest (ours or a third party's) and when in your particular situation you consider that your fundamental rights and freedoms are violated. You may also object to the processing of your data for marketing purposes. In some cases we may demonstrate legitimate and compelling reasons justifying the processing and prevailing over personal interests, rights and freedoms.
- The right to request the restriction of the processing of your personal data: This right allows you to request that we suspend the processing of your personal data in the following cases: (a) if you wish to establish the accuracy and correctness of the data; (b) if our processing of the data is illegal, but you object to the deletion; (c) if you need to keep the data, even if we no longer process it, because you need it to establish, exercise or defend rights in court; or (d) you objected to the processing of your data, but we must verify that we have mandatory legal reasons to process it.
- The right to request the transfer of your personal data (portability): We will provide you or a third party of your choice with your personal data in a structured, commonly used format that can be read automatically. Please note that this right applies to automatic data processing for which you have given us your consent or where we have used the data to execute a contract with you.
- The right to withdraw consent: when we base our processing on your consent. However, this right shall not affect the lawfulness of the processing carried out before the withdrawal of the consent in question.
- The right not to be the subject of any individual decision or automated individual decision-making process (including, but not limited to, automated profiling that produces legal effects that concern or affect you in a similar way).
- Right to Lodge a Complaint with the Supervisory Authority. You have the right to lodge a complaint with the competent data protection supervisory authority. As Rondo Services SP ZOO is established in Poland and also operates in Romania, the relevant supervisory authorities are: (a) in Poland: the President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych – UODO), ul. Stawki 2, 00-193 Warsaw; website: https://uodo.gov.pl; and (b) in Romania: the National Supervisory Authority for Personal Data Processing (Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal – ANSPDCP), B-dul G-ral Gheorghe Magheru 28-30, Bucharest; website: https://www.dataprotection.ro. You may also have the right to lodge a complaint with the supervisory authority of the EU Member State of your habitual residence or place of work.
No fees
You will not have to pay any fees to access your personal data (or to exercise any of the rights granted to you in connection with them). However, we may charge a reasonable fee if your request is manifestly unfounded, repeated or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we can ask of you
We may request specific information from you to help us confirm your identity and secure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who is not entitled to receive it.
We try to respond to all legitimate requests within thirty (30) days. Occasionally, it may take more than 30 days, but no longer than two (2) months if your request is particularly complex or if you have made several requests. In this case, within a maximum of thirty (30) days of receipt of your request, we will notify you and keep you informed of the status of the request.
To exercise your rights, contact us at dpo@konto.com. We will respond within 30 days.
14. Security Measures
We have implemented appropriate security measures to prevent accidental loss of your personal data, unauthorized use or access, modification or disclosure of your personal data. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who strictly need such data. They will only process your personal data in accordance with our instructions and will be subject to confidentiality obligations in this regard.
The technical and organizational measures implemented by Konto.com Exchange to ensure Personal data protection, include, but are not limited to, the following:
- SSL/TLS encryption
- Access controls and authentication
- Regular security audits
- Staff training and confidentiality agreements
However, no online system is 100% secure. We encourage you to take precautions when sharing data online.
15. Data Breaches
Where a Personal data breach occurs or is suspected, it is reported immediately to the Data Protection Officer (DPO) or a director and, where applicable, to the data protection authority, the respective Client and, if applicable, to the individual affected by the breach. The report includes full and accurate details of the incident (including its reasons and magnitude) and outlines the planned measures to eliminate the breach.
The report is provided directly to the concerned Client, and further breach mitigation is supported.
16. Third-Party Links
Our Website may link to third-party sites. We are not responsible for their privacy practices. Please review their privacy policies before sharing data.
17. Changes to This Privacy Policy
We may update this policy to reflect legal, technical, or business changes. When we do, we will revise the “Last Updated” date. Material changes will be notified via email or prominent notice on the site.
18. Contact Us
For questions, concerns, or to exercise your rights, contact:
Konto.com Data Protection Officer
Email: dpo@konto.com
Website: www.konto.com
19. Timeline for Procedure Updates after Legal Changes
Konto.com is committed to updating its Privacy Policy promptly and proactively upon the issuance of legal or regulatory changes. If dependencies (e.g., external vendor updates) delay implementation, temporary risk mitigation controls are applied.
