Introduction
This is the Policy on the privacy and protection of personal data (hereinafter referred to as “Policy”), adopted by RONDO SERVICES SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (hereinafter referred to as “RONDO SERVICES SP Z O O”).
RONDO SERVICES SP Z O O respects your privacy and is committed to protecting the personal data you have provided to us. We undertake to collect and use personal data in accordance with the General Data Protection Regulation (GDPR). This Policy will inform you of how we handle your personal data and will detail your rights in relation to your personal data and how the law (including the GDPR) protects you.
This Policy covers personal data of our customers, business partners, other persons contacting us, contracting our services and visiting us and their representatives and employees, potential employees or interns and applies to data collected via our showcase website (https://www.konto.com), our crypto exchange platform/app (app.konto.com), as well as at our events, personal data collected in order to meet AML/KYC legal requirements in the area of financial transactions that are incumbent on us, and personal data collected via email, ad networks or other offline means.
1. Important information and details about RONDO SERVICES SP Z O O
Purpose of this Privacy Policy and the protection of personal data
The purpose of this Policy is to inform you about how RONDO SERVICES SP Z O O collects and uses personal data as a result of using our website, our crypto exchange platform/application, as a result of our compliance with the AML/KYC legal requirements in the field of financial transactions incumbent upon us, as a result of registering for any Events or courses organized by RONDO SERVICES SP Z O O, as a result of subscribing to any RONDO SERVICES SP Z O O publications or newsletters or as a result of collaborating in any way, actual or potential, with RONDO SERVICES SP Z O O, including by contracting the services we make available to you.
This website, as well as our crypto exchange platform/ application, is not intended for minors and we do not knowingly collect personal data from minors.
It is important that you read this Privacy Policy and the protection of your personal data together with any other information notice about personal data or any processing notice that we may provide on certain occasions when we collect or process personal data about you, so that you are fully informed of the manner and purpose of the use of this data. This Policy complements the other notifications and is not intended to replace them.
2. Definitions
EVENTS
Event(s) means any event organized by us, including virtual events, in collaboration with our customers or partners, regardless of how it is organized: online (virtual), offline or any combination of the two, such as a conference, seminar, congress, webinar, workshop, presentation, or conference with a speaker in the hall and participants who connect online.
LEGAL ISSUE
Legitimate interest means our interest in running and managing our business to enable us to offer you the best services and/or products, as well as the best and safest experience. We make sure that we consider and balance any potential impact on you (both positive and negative), and on your rights, before processing your personal data for our legitimate interests. We do not use your personal data for activities in which our interests are overridden by the impact on you (unless we have your consent or if the applicable law does not provide otherwise). You can obtain additional information about how we evaluate our legitimate interests against any potential impact on you regarding certain activities by contacting us.
Execution of the Contract means the processing of your data if it is necessary for the execution of a contract to which you are a party or to which an association or company to which you are affiliated is a party or to take action at your request before concluding such a contract.
Compliance with a legal or regulatory obligation means the processing of your personal data if it is necessary to comply with a legal or regulatory obligation to which we are subject.
THIRD PARTIES
Internal third parties are, as the case may be, other branches / subsidiaries of RONDO SERVICES SP Z O O and / or other entities that act as operators or processors and that have their headquarters in Romania, associates, employees or collaborators of RONDO SERVICES SP Z O O.
External third parties (listing not exhaustive):
- Service providers that provide IT systems administration and management services.
- Professional consultants including lawyers, accountants, bankers, auditors and insurers providing consulting, banking, legal, insurance and accounting services.
- Public regulatory authorities and institutions and other public authorities in Romania or the European Union.
- Collaborators or business partners with whom RONDO SERVICES SP Z O O works in order to carry out its activity.
3. Data Processor
The data processor responsible for your personal data is:
Konto.com Exchange
RONDO SERVICES SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ (hereinafter referred to as “RONDO SERVICES SP Z O O”)
Hoża 86 / 210, 00-682 Warsaw, Poland
Email: dpo@konto.com
If you have any questions about this policy or our data practices, you can contact us at the above email.
4. Legal basis for Processing Personal Data
Personal data are processed on the basis of the data subject's consent, legitimate interest or legal requirements as provided for:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) - GDPR;
- Law No 190/2018 on measures implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
- Law No 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector;
- Law No 129/2019 on preventing and combating money laundering and terrorist financing, and amending and supplementing certain regulatory acts.
We only process your personal data when we have a legal basis to do so, including:

5. Principles of personal data processing that Konto.com Exchange adheres to
Konto.com Exchange adheres to the principles of Personal data protection as envisaged in the EU GDPR, and other applicable laws. Under these principles, Konto.com Exchange assists Controllers in ensuring that Users’ Personal data is:
- Processed fairly and lawfully and in a transparent manner in relation to the Data Subject;
- Processed for specified, explicit, and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- Kept accurate and up to date;
- Retained in a form permitting identification of Data Subjects for no longer than is necessary for the purposes for which they are processed;
- Processed in a manner that ensures their appropriate security;
- Not transferred outside the European Economic Area (EEA) without adequate protection.
6. Types of personal data processed
Examples:

Special categories of personal data
We do not intentionally collect special categories of personal data (such as health information or religious beliefs) unless legally required or you voluntarily provide such information with your explicit consent. However, please note that our identity verification provider may process special categories of personal data on our behalf as part of their verification procedures including biometrics.
7. Sharing and Disclosure of Data
We may share your personal data with the parties listed below for the purposes set out in the table in point 4 above.
- Internal third parties, as defined in the Definitions.
- External third parties, as defined in the Definitions.
- Third parties to whom we may choose to transfer or merge parts of our business or assets. Alternatively, we may seek to acquire or merge with other businesses. If there is a change in our business, then the new owners may use your personal data in the same way as described in this Policy.
We ask all our collaborators and partners to respect the security of your personal data and to treat them in accordance with the applicable legislation in force. We do not allow employees to use your personal data for their own purposes. They may use your personal data only if we give them permission to process it and only for the purposes mentioned by us.
We do not sell your data. We may share your personal data only with:
a. Third-Party Service Providers
- Cloud hosting (e.g., AWS, Google Cloud)
- Email and marketing tools (e.g., Mailchimp, SendGrid)
- Payment processors (e.g., OpenPayd, PayPal)
- Customer support platforms
These providers process data on our behalf and under strict contractual obligations (Data Processing Agreements).
b. Legal and Regulatory Authorities
When required by law or to protect our rights or the safety of users.
c. Business Transfers
If Konto.com Exchange is involved in a merger, acquisition, or asset sale, your personal data may be transferred under appropriate confidentiality safeguards.
8. Cookies and Tracking Technologies
We use cookies and similar technologies to improve functionality and personalize your experience. These may include:
- Necessary Cookies: Essential for site operation
- Analytics Cookies: To analyze Website performance (e.g., Google Analytics)
- Marketing Cookies: For advertising and retargeting (only with your consent)
You can manage your cookie preferences through our Cookie Banner and browser settings. For more, see our Cookie Policy.
9. Data Transfers Outside the EEA
Whenever a transfer of Personal data outside the EEA is carried out, Konto.com Exchange implements appropriate safeguards as set out in Chapter V of the EU GDPR by transferring based on an EU Adequacy Decision or by concluding Standard Contractual Clauses. Third-Party Processors likewise rely on appropriate safeguards, which include Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), or other lawful bases.
10. Personal Data Retention
How long we keep personal data
We will retain your personal data for as long as is necessary to fulfill the purposes for which we have collected it, including for the purpose of fulfilling any legal, accounting or reporting requirements. For complying with Anti-Money Laundering (AML) and Counter Terrorism Financing (CTF) legislation, your personal data is retained for a period of five (5) years from the moment the business relationship is closed. However, the term might be extended if required by competent authorities.
In order to properly determine the retention period for personal data, we consider the value, nature and sensitivity of personal data, the potential risk of harm caused by unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve these goals by other means.
11. Disposal and Destruction Policy
Any Personal data is deleted only after (a) obtaining an applicant's data deletion request in line with corresponding procedures by a Client or the Data Subject or (b) the satisfaction of the purpose for data processing, including expiration of retention period prescribed by applicable law.
To delete data from files located on removable media, we use the settings and tools designated for the relevant sanitisation method: clearing or purging. If the purging method is not secure enough considering the sensitivity of the information and such information may be recovered again, the removable media containing such information must be destroyed completely (e.g. shredded, crushed, disintegrated, pulverised, or incinerated by burning the device in a licensed incinerator, etc.).
To delete data from mobile devices, we use the means of a particular device. If a certain mobile device is intended to be reused/recycled/donated or is no longer to be used by the Konto.com Exchange staff, this staff member must reset the device to the original settings. As a general rule, the procedure for Apple iPhone and iPad OS is: Select the ‘Settings > General > Reset > Erase All Content and Settings’ menu. For Android OS devices: Select ‘Settings > Backup & Reset > Factory Data Reset > Reset Phone’.
It is forbidden to handle any sensitive data in any equipment, removable media or mobile devices.
Any request to delete all or any Personal data related to a User is fulfilled within 30 days.
We may also have to store some records that have been confirmed as relating to fraudulent applications or accounts or obtaining and maintaining records to prove our compliance with legal obligations in and outside the EU.
When the purpose refers to the establishment, exercise or defence of legal claims (so-called ‘litigation hold’), the retention period is limited to the duration of such proceedings in a specific case or circumstance.
In any case, we do not keep your data longer than we have a lawful basis for doing so.
12. Your Data Protection Rights
In certain circumstances, you have rights under applicable data protection law in respect of your personal data. Such rights are:
- The right to access your personal data: provides that you have the right to a copy of personal data held by us and to verify that they are legally processed.
- The right to rectify your personal data: by which you can request the correction of personal data we hold about you. This allows you to request the correction of any incomplete or inaccurate data we hold about you. Please note that it may be necessary to verify the accuracy of the new data you provide to us.
- The right to request the deletion of your personal data: (“the right to be forgotten”). This allows you to ask us to delete or remove your data if there are no longer good reasons to continue processing. Please note, however, that we may not always be able to comply with your request of deletion, for specific legal reasons, which will be notified to you, if applicable, at the time of your specific request.
- The right to object to the processing of your personal data: when we process data based on legitimate interest (ours or a third party's) and when in your particular situation you consider that your fundamental rights and freedoms are violated. You may also object to the processing of your data for marketing purposes. In some cases we may demonstrate legitimate and compelling reasons justifying the processing and prevailing over personal interests, rights and freedoms.
- The right to request the restriction of the processing of your personal data: This right allows you to request that we suspend the processing of your personal data in the following cases: (a) if you wish to establish the accuracy and correctness of the data; (b) if our processing of the data is illegal, but you object to the deletion; (c) if you need to keep the data, even if we no longer process it, because you need it to establish, exercise or defend rights in court; or (d) if you objected to the processing of your data, but we must verify that we have mandatory legal reasons to process it.
- The right to request the transfer of your personal data (portability): We will provide you or a third party of your choice with your personal data in a structured, commonly used format that can be read automatically. Please note that this right applies to automatic data processing for which you have given us your consent or, if we have used the data, to execute a contract with you.
- The right to withdraw consent: when we base our processing on your consent. However, this right shall not affect the lawfulness of the processing carried out before the withdrawal of the consent in question.
- The right not to be the subject of any individual decision or automated individual decision-making process (including, but not limited to, automated profiling that produces legal effects that concern or affect you in a similar way).
No fees
You will not have to pay any fees to access your personal data (or to exercise any of the rights granted to you in connection with them). However, we may charge a reasonable fee if your request is manifestly unfounded, repeated or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we can ask of you
We may request specific information from you to help us confirm your identity and secure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who is not entitled to receive it.
We try to respond to all legitimate requests within thirty (30) days. Occasionally, it may take more than 30 days, but no longer than two (2) months if your request is particularly complex or if you have made several requests. In this case, within a maximum of thirty (30) days of receipt of your request, we will notify you and keep you informed of the status of the request.
To exercise your rights, contact us at dpo@konto.com. We will respond within 30 days.
13. Security Measures
We have implemented appropriate security measures to prevent accidental loss of your personal data, unauthorized use or access, modification or disclosure of your personal data. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who need such data. They will only process your personal data in accordance with our instructions and will be subject to confidentiality obligations in this regard.
The technical and organizational measures implemented by Konto.com Exchange to ensure Personal data protection, include, but are not limited to, the following:
- SSL/TLS encryption
- Access controls and authentication
- Regular security audits
- Staff training and confidentiality agreements
However, no online system is 100% secure. We encourage you to take precautions when sharing data online.
14. Data Breaches
Where a Personal data breach occurs or is suspected, it is reported immediately to the Data Protection Officer (DPO) or a director and, where applicable, to the data protection authority, the respective Client and, if applicable, to the individual affected by the breach. The report includes full and accurate details of the incident (including its reasons and magnitude) and outlines the planned measures to eliminate the breach.
The report is provided directly to the concerned Client, and further breach mitigation is supported.
15. Third-Party Links
Our Website may link to third-party sites. We are not responsible for their privacy practices. Please review their privacy policies before sharing data.
16. Changes to This Privacy Policy
We may update this policy to reflect legal, technical, or business changes. When we do, we will revise the “Last Updated” date. Material changes will be notified via email or prominent notice on the site.
17. Contact Us
For questions, concerns, or to exercise your rights, contact:
Konto.com Data Protection Officer
Email: dpo@konto.com
Website: www.konto.com
18. Timeline for Procedure Updates after Legal Changes
Konto.com is committed to updating its Privacy Policy promptly and proactively upon the issuance of legal or regulatory changes. If dependencies (e.g., external vendor updates) delay implementation, temporary risk mitigation controls are applied.