Book a demo

Privacy Policy

The last update was published on: 10 September 2025

The last update will come into force: 10 September 2025

1.PURPOSE AND SCOPE

Deverium, UAB (also referred to as we, us or the Company), company registration number 305215038, having its registered office at K.Donelaičio str. 62, Kaunas, Lithuania, is committed to protecting and respecting your privacy.

Therefore, in this privacy policy (the Policy) we explain what kind of personal data we collect and for what purposes, when providing you with our products and/or services (the Services), when you visit our website, and/or when you otherwise make contact with us.

In any case, all personal data collected by us are processed in accordance with the EU General Data Protection Regulation No. 2016/679 (the GDPR), Law on the Legal Protection of Personal Data of the Republic of Lithuania and other applicable legal acts.

For any questions regarding this Policy or any requests regarding the processing of your personal data, please contact us at dpo@deverium.com.

2.WHAT INFORMATION ABOUT YOU WE COLLECT, FOR WHAT PURPOSES AND ON WHAT LEGAL BASES

We have set out below, in a table format, a description of how and why we use your personal data – i.e. we listed the personal data or categories of personal data used for specific purposes and indicated which legal basis we rely on to do so.

Purpose Legal basis Personal data Why I am obligated to provide information
To enter into and fulfill a contract with you, including pre-contractual steps and providing our services. Terms of Use, and Article 6b(1)b of the GPDR. Name; Surname; Email Address; Decentralized Identifier. We collect your personal data to fulfill our contract with you, enabling your use of the App and its wallet service. This information is essential for providing our services and meeting legal obligations.
To enable push notifications. Legitimate interest (Art. 6(1)(f) GDPR) Decentralized Identifier; Notification Delivery Status; Consent log information. To allow the app to send you important alerts and notifications, even when the app is not actively open to establish the communication channel with your device and link it to your account. This is done with your explicit consent, which you provide when enabling notifications.
To respond to your inquiries and provide customer support. Your consent (Art. 6(1)(a) of GDPR) Email, address, name, and surname of the inquirer; subject, content, and attachments of the inquiry; and any information provided in the inquiry and its reply. To address your inquiries and provide efficient customer support.
To secure and improve our applications. For the purpose of ensuring the security and enhancing the performance of our application, we process data based on legitimate interest, in accordance with Article 6 (1) (f) of the GDPR. Decentralized Identifier, IP address of your device; Device fingerprint; Session information, Model and manufacturer of your mobile device; Operating system used by your mobile device (iOS, Android, etc.) firmware version. This data is used for security purposes, especially the prevention of cyberattacks such as data scraping, denial of service and distributed denial of service attacks, and for preventing multiple impermissible applications or extensions that could be used for malicious activity.
To conduct marketing activities and manage social media engagement. Data processed via consent (GDPR 6(1)(a), Electronic Communication. Law of Republic Lithuania and Article 81(1) and legitimate interest (GDPR 6(1)(f)) Name, surname, company represented, position, email, telephone number, social media profile, and interactions on social media with our social media profiles, any information exchanged. To provide you with marketing communications more suited to user preferences.
To carry out selection of potential employees. Consent (Article 6(1)(a) and (b) of GDPR) and legitimate interest (Article 6(1)(f) of GDPR) to contact you. Voluntarily provided applicant data, including name, phone number, CV, Cover letter, professional background, and other relevant information. To determine your fit for the position by reviewing your qualifications and relevant attributes.
Compliance with legal requirements and defence of our interest Legitimate interest (Article 6(1)(f) of GDPR) and Legal Obligation (Article 6(1)(c) GDPR) Name, surname, date of birth, legal documents, pleading annexes, court documents, investigative information, logs, possible breaches/incidents, other information To adherence to statutory obligations.
To comply with legal requirements and defend our interests, including enforcing IP blocks and sanctions. Legitimate interest IP address (used for review of the country and geo-blocking purposes. To adherence to statutory obligations.
To temporarily suspend the wallet To restore your account and prevent abuse, fulfilling our legitimate interests and legal obligations (GDPR Art. 6(1)(f) and 6(1)(c)). Decentralized identifier; Security and Activity Data, Device information;Transaction history. This information helps us confirm you own the wallet, allowing us to reverse the suspension.
To improve your experience when using the App Your consent(Art. 6(1)(a) of GDPR) App activity; Device information; Preferences and Setting. For a seamless user experience and optimal product performance.
To enable you to share your credentials Your consent(Art. 6(1)(a) of GDPR) Decentralized Identifier, Credential data; one time link; location data; usage data, history log, email, history log. To share your stored credentials with a third party.
To confirm the legitimacy of wallet activity when unauthorized or suspicious patterns are identified. To restore your account and prevent abuse, fulfilling our legitimate interests and legal obligations (GDPR Art. 6(1)(f) and 6(1)(c)). Decentralized Identifier, Behavioral/Contextual Data; IP Addresses/Device Information, history. To safeguard against fraud, abuse, and criminal activity, ensuring legitimate us.
3. HOW WE COLLECT YOUR PERSONAL DATA

We collect information you provide directly to us when you:

  1. fill out any forms on our website, and/or mobile application;
  2. communicate with our customer support team;
  3. contact us via our website or by using other means of communication (e.g., via our social network accounts);
  4. use our Services (for example adding credentials).

We may also receive your personal data from third parties. In particular:

  1. we may receive personal data from a third party which is connected to you or is dealing with us, for example, credentials issuers, business partners, sub–contractors, service providers,  etc.;
  2. we may collect personal data from banks or other financial institutions in case the personal data is received while executing payment operations;
  3. we may receive personal data from other entities that we collaborate with.
4. DIRECT MARKETING

In case you are our existing client (i.e. you already use our Services), we may use your e-mail address for direct marketing purposes, but only with regard to products and/or services that are similar or related to the Services, and only if you do not object to such use of your e-mail address. You are also granted with a clear, free of charge and easily realisable possibility to object or withdraw from such use of your contact details.

In other cases, we may use your personal data for the purposes of direct marketing, only if you give us your prior consent regarding such use of the data.

We provide a clear, free of charge and easily realisable possibility not to give your consent or, at any time, to withdraw your consent to receive our marketing communications. We shall state in each communication sent by e-mail that you are entitled to object to such processing of your personal data, and to refuse receiving communications from us. You shall be able to refuse receiving our marketing communications by clicking on the respective link in each marketing e-mail received from us.

5. HOW WE SHARE YOUR PERSONAL DATA

We may disclose your personal data to the recipients of the following categories:

  1. public authorities, institutions, organisations, courts and other third parties, but only upon request and only when required by applicable laws, or in cases and under procedures provided for by applicable laws, e.g. for the purposes to secure and/or defend Company’s legitimate interests;
  2. third parties providing services to the Company including providers of legal, financial, auditing, tax, business management, personnel administration, accounting, advertising (including online advertising), direct marketing, communications, data centers, hosting, cloud and/or other services. In each case, we provide such third parties with only as much data as necessary to provide their services. Service providers engaged by us may process your personal data only in accordance with our instructions and may not use them for other purposes;
  3. third parties for the purpose of performance of the contract concluded with you which provided in the Annex No. 1;
  4. third parties, when the Company intends to enter into a business sale transaction and/or to perform legal and/or financial due diligence of the Company prior to such transaction;
  5. other persons with your consent.
6. INTERNATIONAL DATA TRANSFERS

In case your personal data is transferred outside the European Economic Area (EEA), we will take necessary steps to ensure that your data is treated securely and in accordance with this Policy and we will ensure that it is protected and transferred in a manner consistent with the legal requirements applicable to the personal data. This can be done in a number of different ways, for example:

  1. the third country to which we send the personal data, a territory or one or more specified sectors within that third country, or the international organisation is approved by the European Commission as having an adequate level of protection;
  2. the recipient has signed or contains in its terms of service (service agreement) the standard contractual clauses (SCC) adopted by the European Commission (for more information please see here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en);
  3. special permission has been obtained from a supervisory authority.

We may transfer personal data to a third country by taking other measures if it ensures appropriate safeguards as indicated in the GDPR or on the basis of derogations.

7. HOW LONG WE KEEP YOUR PERSONAL DATA

We will keep your personal data for as long as it is needed for the purposes for which your data was collected and processed, but not longer than it is required by the applicable laws and regulations, including for the purposes to comply with any legal, regulatory, tax, accounting or reporting obligations. If the legislation of the Republic of Lithuania does not provide any applicable data retention period, it shall be determined by us, taking into account the legitimate purpose of the data retention, the legal basis and the principles of lawful processing of personal data. Personal data that is important for the contractual relationship between you and Company is normally stored for as long as the contractual relationship lasts and thereafter for a maximum period of 10 (ten) years after the relationship.

If you do not enter into a contract with us, the personal data is normally stored for a maximum of 3 years. We may retain your personal data for a longer period when:

  1. it is necessary for the Company to be able to defend itself against existing or threatened claims or to exercise its rights, or for the proper resolution of dispute, complaint or claim;
  2. there is a suspicion of illegal activity;
  3. it is required by applicable laws.

Upon expiration of the retention period, we will delete and/or reliably and irrevocably depersonalize your data as soon as possible, within a reasonable time required to perform such action.

8. YOUR RIGHTS
  1. The right to be informed. You have the right to be provided with a clear, transparent and easily understandable information about how we process your personal data.
  2. The right to access. You have the right to request from us the copy of your personal data. Where your requests are excessive, in particular if they are a repetitive, we may refuse to act on the request, or charge a reasonable fee taking into account the administrative costs for providing the information.
  3. The right to rectification. You have the right to request us to correct or update your personal data at any time, in particular if your personal data is incomplete or incorrect.
  4. The right to data portability. When a legal basis for data processing is consent or contract, you have the right to request that we transfer your data that we have collected to another organisation, or directly to you, under certain conditions.
  5. The right to be forgotten. When there is no good reason for us to process your personal data anymore, you can ask us to delete your data. We will take reasonable steps to respond to your request.
  6. The right to restrict processing. You have the right to restrict the processing of your personal data in certain situations (e.g., when you want us to investigate whether that data is accurate; we no longer need your personal data, but you want us to continue holding it for you in connection with a legal claim).
  7. The right to object to processing. Under certain circumstances you have the right to object to certain types of processing (e.g., to receive our marketing communications).
  8. The right to lodge a complaint with a supervisory authority. You have the right to lodge a complaint with a competent supervisory authority, if you believe that your personal data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation. Our data processing is supervised by the State Data Protection Inspectorate of the Republic of Lithuania (address: L. Sapiegos st. 17, LT-10312 Vilnius, phone No.: +370 5 271 2804 / 279 1445, e-mail address: ada@ada.lt, for more information, visit https://vdai.lrv.lt/en/).
  9. Right to withdraw your consent. If personal data is processed on the basis of your consent, you can withdraw it at any time. Withdrawal will not affect the lawfulness of processing of your data before the withdrawal.

If you would like to exercise any of these rights, please contact us via e-mail: dpo@deverium.com.

Your request shall be fulfilled, or fulfilment of your requests shall be refused by specifying the reasons for such refusal, within 30 (thirty) calendar days from the date of submission of the request that complies with our internal rules and the GDPR. The aforementioned term may be extended by 60 (sixty) calendar days taking into account the complexity and number of the requests. The Company will inform you of any such extension within 30 (thirty) calendar days of receipt of the request, together with the reasons for the delay.

We may refuse to satisfy your request if the exceptions and/or limitations to the exercise of data subjects’ rights set out in the GDPR apply, and/or if your request is found to be manifestly unfounded or disproportionate. If we refuse to satisfy your request, we will give you our reasons for such refusal in writing.

9. HOW WE PROTECT YOUR PERSONAL DATA

Please note that, although no system of technology is completely secure, we have implemented security measures to minimize the risk of unauthorised access to or improper use of your personal information.

We and our third-party service providers that may be engaged in the processing of personal data on our behalf (for the purposes indicated above) are contractually obligated to respect the confidentiality of the personal data.

10. COOKIE POLICY

If you access our information or Services through our website, you should be aware that we use cookies. For more information on how to control your cookie settings and related browser settings, or how to delete Cookie from your device.

Cookie Name Category Purpose Retention Period
_ga Functional/Analytics Collects information about how visitors use the website, which website the user came from, the number of each user’s visits, and how long a user stays on the website. Used by Google Analytics to distinguish users. 2 years
_gat Functional/ Analytics Used by Google Analytics to throttle the request rate (limit the amount of data sent). 1 minute
_gid Functional/ Analytics Collects information about how visitors use the website. Used by Google Analytics to distinguish users. 24 hours (1 day)
hubspotuk Functional Keeps track of a visitor’s identity while using chat functionality. Passed to HubSpot on form submission and used for deduplicating contacts. Contains an opaque GUID. 13 months
PHPSESSID Strictly Necessary / Functional This is a generic session cookie often used in PHP-based websites. It stores a unique session ID to link a user’s activities during a single Browse session (e.g., keeping you logged in, maintaining a shopping cart). Session (deleted when browser closes)
cookieconsent_status Strictly Necessary / Functional Remembers a user’s cookie consent preferences (e.g., whether they accepted or declined cookies). Typically 1 year or longer (to remember consent)
11. LINKS TO OTHER WEBSITES

Our website may contain links to other websites which are not operated by the Company. When you decide to click on these links and be led to such websites, we recommend familiarising yourself with their privacy policies or notices, cookie policies and/or other documents. The Company assumes no responsibility for the content, policies or practices of such third-party websites or services.

12. CHANGES TO THIS POLICY

We regularly review this Policy and reserve the right to modify it at any time in accordance with applicable laws and regulations. Any changes will take effect immediately upon their publication on our website.

Please review this Policy from time to time to stay updated regarding any changes.

13. CONTACT US

You may contact us by writing an e-mail to dpo@deverium.com or post by address K.Donelaičio str. 62, Kaunas, Lithuania.

14. OUR DATA PROTECTION OFFICER (DPO)

You may contact our DPO regarding all issues relating to the Company’s processing of your personal data and the exercise of your data protection rights by sending an e-mail to the address: K.Donelaičio str. 62, Kaunas, Lithuania.

ANNEX NO. 1. LIST OF SUB-PROCESSORS AND OTHER DATA RECIPIENTS
Company Name Country Registered Office Address Categories of Data Recipients Status Links to Documents Measures for Data Transfers
Atlassian Corporation Plc United Kingdom Level 6, 341 George Street, Sydney NSW 2000, Australia Project management software Processor Atlassian Data Processing Addendum DPA incorporating SCCs
Aware, Inc. USA 76 Blanchard Road, Burlington, Massachusetts 01803, United States Identity verification software Processor (primarily) / Controller (certain data) Aware DPA, Aware Security & Privacy DPA incorporating SCCs, adherence to GDPR, CCPA, LGPD, security measures
AWS (Amazon Web Services) USA 410 Terry Ave North, Seattle, WA 98109-5210, USA Cloud services Processor AWS DPA DPA incorporating SCCs, robust security (ISO 27001, SOC 1, 2, 3), customer controls
GBG Plc United Kingdom The Foundation, Chester Business Park, Wrexham Road, Chester, CH4 9GB, UK Identity verification software Controller / Processor GBG DPA Global DPA (incorporating EU Decision 2010/87/EU SCCs), access/transmission/separation/availability controls
Google LLC USA 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Cloud Technology, Communication Services, and Language Modeling Controller / Processor Google Cloud DPA, Google Cloud & GDPR CDPA incorporating SCCs, HIPAA BAA (for relevant services), strong security
Miro USA 202 Spear Street, Suite 1100, San Francisco, CA 94105, USA Project management software Processor Miro DPA DPA incorporating SCCs, Security measures in Privacy Policy
Notion Labs, Inc. USA 2300 Harrison Street, San Francisco, CA 94110, United States Project management software Processor Notion Privacy Practices, Notion GDPR Page DPA incorporating EU and UK SCCs, technical/organizational measures
Slack Technologies, LLC USA 415 Mission St, 3rd Floor, San Francisco, CA 94105, USA Communications services provider Processor Salesforce DPA, Slack DPAs DPA
Figma, Inc. USA 760 Market Street, San Francisco, USA Design software service Processor Figma DPA DPA
Postman, Inc USA 1 Market Plaza, Ste 0800, Steuart Tower, San Francisco, CA 94105, USA AI Tool Builder service Processor Postman Privacy Policy DPA
Alchemy Insights, Inc. USA 542 Brannan Street, San Francisco, California, United States Blockchain network software service Processor Alchemy Legal DPA
GitLab Inc. USA 268 Bush Street #350, San Francisco, CA 94104-3503, USA Git repositories and DevOps workflows service Processor GitLab DPA DPA
Functional Software, Inc. USA 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA Product design software Processor Sentry DPA DPA
Regula Poland Sp. z o.o. Poland 00-801 Chmielna str. 73, Warsaw, Poland Identity Verification provider Processor Regula Privacy Privacy policy
JetBrains s.r.o. Czech Republic Na Hřebenech II 1718/8, 140 00 Prague, Czech Republic Coding agent service Processor JetBrains DPA DPA
Microsoft Corporation USA One Microsoft Way, Redmond, Washington, 98052-6399, USA Cloud Services, various Processor Microsoft DPA DPA
ANNEX NO. 2 TECHNICAL AND ORGANISATIONAL DATA SECURITY MEASURES

The Data Controller ensures that Data Processors that Company uses shall ensure an adequate level of security of Data provided for in the Applicable Laws. The Data Processor shall protect Data on destruction, alteration, unauthorised disclosure or unauthorised access. The Data shall also be protected against any other unauthorised methods of Processing Data.

With regards to the level of development of technical capabilities, implementation costs and the nature, coverage, context and objectives of the processing of Data, as well as the risks to the rights and freedoms of natural persons arising on the processing of Data, the Data Processor shall implement adequate technical and organisation means to ensure the security level consistent with risks, including, where appropriate: 

  • pseudonymisation of Data and their encryption;
  • the ability to ensure the continuing confidentiality, integrity, availability and resilience of systems and services of Data processing;
  • the possibility to restore conditions and access to Data in a timely manner in the case of a physical or technical incident; and
  • regular assessment of the efficiency of technical and organisational measures to ensure the security, verification, evaluation and performance of the processing of Data.

The Data Processor shall apply at least the following technical and organisational Data security measures:

  • protection of physical access. The unattended premises of the Data Processor, with computer equipment and personal information, must be locked in order to protect the Data against unauthorised use, exposure or theft;
  • data recovery process aimed at the retrieval of Data recovered on backups;
  • control of permits allowing access to Data through the technical authorisation control system. The permit must be limited to those persons for whom Data is required for direct work functions. User names and passwords must be confidential and not transferable to other entities. Procedures for the allocation and withdrawal of permits must also be in place;
  • possibility to register logins to Data. It must be possible to retrospectively view such logins in databases. The Data Processor has to check the databases and upon request to provide reports to the Data Controller;
  • secure communication, where external data transmission communications are protected by the use of
  • technical features that enable logging access, as well as content encryption in transit data
  • transmission channels outside the systems controlled by the Data Processor;
  • processes to ensure the safe destruction of Data when the media of Data are no longer used for the intended purpose;
  • agreements on confidentiality with service providers that provide service and uptime of equipment used for the storage of Data;
  • supervision of service providers on the premises of the Data Processor. Media containing Data must be removed on the premises if uptime is not possible.

The above list of technical and organizational, Data security measures shall not be construed as comprehensive or exhaustive. It is up to the Data Processor to decide and apply the necessary technical and organizational measures