PRIVACY POLICY

This Privacy Policy (hereinafter “Policy”) explains how Brick and Mortar Digital Assets OÜ (hereinafter “we”) processes (e.g. collects, uses, stores, shares) and protects the Personal Data of the natural persons, who have registered as Users of our services through our website (https://www.brickfy.com) (hereinafter “Users”) or by any other means of communication if such option has been made available.

We have the right to update or amend this Policy at any time. Should there be any amendments to the data processing purposes or any other material changes to this Policy, we will let you know via our website or using the contact details you have provided us.

1. DEFINITIONS

  1. The following definitions (if capitalized) have been given the following meaning:

    1. “Data Subject” means a natural person whose Personal Data is being collected, held or processed.

    2. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

    3. “Personal Data” means any information relating to an identified or identifiable natural person User.

    4. “Personal Data Processing” means any operation or set of operations which is performed on the Personal Data of a Data Subject.

    5. “Platform” means the online Platform operated by us through the website (https://www.brickfy.com) in order to provide our Services.

    6. “Principles” means the principles relating to processing of Personal Data as set out in GDPR and applied to all Personal Data Processing made by us.

    7. “Services” means any or all of the services provided by us to the Users via Platform.

    8. “Terms of Service” means the terms of service applied to the Users of Services.

    9. “Third party” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Platform.

    10. “User” means any legal or natural person who opens the User Account and uses the Services.

2. INFORMATION ON DATA CONTROLLER

  1. While registering your User Account, using the Services or communicating with us via our Website or any other means, if such possibilities are available, the controller of your Personal Data is:

Brick and Mortar Digital Assets OÜ
register code: 14756307
legal address: Männimäe/1, Kuusalu vald, 74626, Harju Maakond, Estonia
Contact email: [email protected]

3. PRINCIPLES

  1. We shall always take into account the interests, rights and freedoms of Data Subjects.

  2. All the processes, guidelines, operations and activities of the Platform that are related to Personal Data Processing are based on the following principles:

    1. Lawfulness. There is always a legal basis for the Personal Data Processing.

    2. Fairness. Personal Data Processing shall be fair, while providing a Data Subject with sufficient information and communication on how the Personal Data are Processed;

    3. Transparency. Personal Data Processing shall be transparent for the Data Subject;

    4. Purposefulness. Personal Data shall be collected for legitimate purposes that have been established precisely and clearly and shall not later be processed in any manner which is in conflict with these purposes. A Data Subject will always be able to examine the established purpose of Processing for a specific purpose;

    5. Minimisation. Personal Data shall be adequate, relevant and limited to what is necessary for the purpose of Processing the given Personal Data. The Platform shall be guided by the principle of minimum Processing in Personal Data Processing, and as soon as the Personal Data are no longer necessary or are no longer needed for the purposes for which they were collected, the Personal Data shall be deleted or archived;

    6. Accuracy. Personal Data shall be correct and shall be updated as necessary, and all reasonable measures shall be taken to ensure that Personal Data which are incorrect in the light of the purpose of Personal Data Processing shall be deleted or corrected without delay;

    7. Limit of storage. Personal Data shall be stored in the format enabling the identification of Data Subjects only as long as it is necessary to achieve the purpose for which the Personal Data are processed. It means that in case the Platform wishes to store the Personal Data for a longer period of time than necessary for the purpose of collecting the data it shall anonymise the data in such manner that the Data Subject shall no longer be identifiable. The Platform shall store the data that have been received from a User in accordance with the law. The data processed under the basis of consent will generally be retained by the Platform until consent is withdrawn;

    8. Reliability and confidentiality. Personal Data Processing shall be carried out in the manner ensuring the adequate security of Personal Data, including their protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, by taking reasonable technical or organisational measures. The Platform has internal guidelines, rules for the employees, and separate agreements with every processor, stipulating the best practices, on-going risk assessment and adequate technical and organisational measures for Personal Data Processing;

    9. Data protection by design and by default. The Platform shall ensure that all the systems used shall meet the required technical criteria. The suitable data protection measures have been planned upon the renewal or design of every information or data system (e.g. the information systems and business processes are constructed using pseudonymisation and encryption).

4. PERSONAL DATA PROCESSING

  1. Personal Data Processing is, above all, the collection, recording, storage, organisation, usage, amendment, transmission, disclosure and deletion of Personal Data, but also other Personal Data processing activities set out by law.

  2. The Personal Data we require from you is relevant for specified purposes. We process your Personal Data in order to enable your registration to our Platform and to provide you with Services.

  3. During the provision of Services, we process the following Personal Data:

    1. Personal identification information: name, age, date of birth, nationality, gender, signature, utility bills, visual images, phone number, home address, and/or email; preferred language of communication;

    2. Formal identification information: copy and details of your personal identification document (national identity card, passport, driver’s licence, visa information).

    3. Transaction information: information about the transaction you make using our Services (name of the recipient, the amount, timestamp).

    4. Online identifiers: Geo location/tracking details, browser fingerprint, OS, browser name and version, and/or personal IP addresses.

    5. Usage data: Survey responses, information provided to our support team, public social networking posts, authentication data, security questions, User ID, click-stream data and other data collected via cookies and similar technologies.

  4. If the User is a legal person, then we process the data about the physical person representing the User, as well as data about its owners and/or management board members (data which makes personal identification possible, as described above).

  5. We collect your Personal Data mainly in the following ways:

    1. Personal Data you provide in the registration form;

    2. Data generated by you when using Services;

    3. Information we receive from third parties (KYC providers, onboarding providers, etc.);

    4. Automatically collected data (cookies, browser data, etc.)

5. LEGAL BASES FOR USE OF YOUR PERSONAL DATA

  1. We use the collected information to create, develop, provide, maintain, protect, and improve our Services, content and advertising, and for loss prevention and anti-fraud purposes.

  2. Any Personal Data Processing must be justified. We may use this information in the following ways under the applicable legal basis:

    1. Performance of contract - we process your Personal Data where it is necessary to enter into a contract with you for the provision of our Services or to perform our obligations under that contract. Processing of your Personal Data for the performance of a contract is necessary to assess and process applications for Services and to provide and administer Services throughout your relationship with us, including opening, setting up or closing your accounts; collecting and issuing all necessary documentation; executing your instructions; processing transactions, including transferring money between accounts; making payments to third parties; resolving any queries or discrepancies and administering any changes. We also process your Personal Data to provide you with customer service and communicate with you regarding the provision of Services.

    2. Legitimate Interest - we may process your information where it is in our legitimate interests to do so as an organisation and without prejudicing your interests or fundamental rights and freedoms. We may process your information in the day-to-day running of our business, to manage our business and financial affairs and to protect our customers, employees and property. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. We also process your personal information to better understand the way you use our Services and to provide a personalised experience. We use such information to customise, measure, and improve our Services and the content and layout of our website and applications, and to develop new services.

    3. Legal obligations - in some cases the requirement for the processing of Personal Data derives from the law, for example when applying the due diligence measures for the prevention of money laundering and terrorism financing. In addition, we may use third parties to verify your identity by comparing the personal information you provided against third-party databases and public records. We may require you to provide additional information which we may use in collaboration with service providers acting on our behalf to verify your identity or address, and/or to manage risk as required under applicable law.

    4. User’s consent - we will require your consent allowing us to communicate to you our products and marketing materials or notices related thereto, also the products and related marketing materials or notices from our affiliates or from our other third-party partners. We may also request your consent to perform other Personal Data Processing operations that have not been mentioned before. The User always has the right to refuse to give his/her consent. The consent given by the User for the Personal Data processing can be revoked at any time. This, however, will not affect the lawfulness of processing based on the User’s consent before its withdrawal.

6. THIRD PERSONS WE SHARE YOUR DATA WITH

  1. Your Personal Data is only accessible to authorised persons, who are obliged not to disclose your Personal Data to anyone. While providing services to you it may be necessary for us to share your personal information with third parties.

  2. We share your Personal Data only in accordance with the Principles as have been outlined in this Policy.

  3. We do not share your Personal Data with third parties unless it is necessary to provide services to you or is required by law.

  4. We may transmit User’s Personal Data:

    1. to another group undertaking, if this is necessary for the performance of the Services;

    2. to enterprises, who will help us to identify you and with whom we cooperate with respect to the application of the KYC measures to the Users;

    3. to an accountant or an auditor, if such service is outsourced;

    4. to credit institutions where we hold the funds transmitted by the Users for the performance of Services, in order to identify the User;

    5. to other persons, institutions and organisations (including bailiff, notary and to the persons and organisations dealing with the resolution of disputes arising from the usage of the Services or the transactions made via Platform);

    6. We may share and disclose your Personal Data in limited circumstances to other service providers whose services are necessary for our everyday operations, for example IT services, technology or security services. Our agreements with such service providers require these service providers to only use your data in connection with the services they perform for us and prohibit them from selling your data to anyone else. We provide them only with the data necessary for them to provide us their quality services.

    7. We may share and disclose your Personal Data if the sharing of Personal Data is required to fulfil obligations deriving from legislation. We may share your Personal Data with law enforcement agencies, officials or other third parties when we are compelled to do so by a subpoena, court order, or similar legal procedure or when we are the victim of a fraud or other crime (in the latter case, for example, data associated with the perpetrators may be shared with law enforcement).

    8. We may share and disclose your Personal Data with other third parties with your consent or direction to do so.

    9. Transmission of your Personal Data to third parties will only be conducted following the principles relating to Personal Data Processing and obligations arising from the EU and Estonian data protection laws. We share your Personal Data to third parties only to the necessary extent.

    10. Third parties to whom we will transmit Personal Data can be in the European Economic Area and outside of it in countries where the European Commission has assessed the level of data protection or considered the respective country to be sufficient by way of its adequacy decision. The list of countries recognized by European Commission as providing adequate Personal Data protection is available here. Personal Data is transferred outside the European Economic Area only if it is in compliance with EU data protection laws and only if appropriate safeguards can be applied.

    11. We make sure that all third persons to whom the User’s Personal Data will be transferred have implemented appropriate technical and organisational measures in such a manner that processing will meet the requirements stipulated in EU data protection laws.

7. DATA STORING

  1. We store the data connected to your use of our services (log files, transaction history, identification details, contact information, etc.) for the duration of your use of our services, and it will be deleted within 2 years as of the termination of our relationship, unless otherwise requested by you or unless we have any reason or obligation to store the data for a longer period of time.

  2. We are not always in the position to delete or destroy your personal data, as we would then be breaching our legal obligations. For example, transaction data and certain other documents must be stored for at least 7 years as of the relevant transaction or from the termination of our contractual relationship for accounting purposes. All data related to the due diligence measures applied under the money laundering and terrorism financing prevention requirements must be stored for at least 5 years as of the termination of our contractual relationship.

  3. Information we have stored for the purpose of fulfilling our contractual obligations will be stored for 3 years or, in case there is a risk of any potential claims towards us, for as long as all opportunities to submit such claims have been exhausted and all claims have expired. This is necessary for us to be able to protect ourselves.

8. RIGHTS OF DATA SUBJECT

  1. Right to request access to own data. The User has the right at any time to access his or her Personal Data held by the Platform. The Platform usually makes the User’s data that it holds available to the User through the portal. Nevertheless, the User has the right to request that the Platform transmit any Personal Data collected about the User that the User is unable to access via the portal.

  2. Right to request correction of data, where the data at the disposal of the Platform is not correct.

  3. Right to request deletion of data stored by Platform, first of all, where the data is processed based on a legitimate interest or User’s consent. The deletion of Personal Data is not possible where data processing or storage is necessary to perform an obligation arising from law, or where the data is necessary for the performance of the objective for which it has been collected (first of all for the performance of the agreements concluded via the portal). If the Platform is unable to delete the data, the Platform justifies this to the User requesting the deletion.

  4. Right to submit an objection to an action of Personal Data Processing, where the processing of Personal Data is performed on legitimate interest grounds (see above).

  5. Right to restrict processing of Personal Data, if:

    1. the User has challenged the correctness of the Personal Data, until the Platform has verified the correctness of the data;

    2. the processing of Personal Data is illegal, but the User does not wish the data to be deleted;

    3. the User requires the data to compose a legal claim, to present or to defend such claim;

    4. the User has objected to the data processing, until the Platform verifies whether the Platform’s legitimate justifications outweigh the User’s reasons.

  6. Right to lodge a complaint. To exercise any of the rights listed above the User can send a request to the Platform through customer service or to the e-mail address [email protected]. The exercise of a right must be clearly designated in the request provided to the Platform. A copy of all personal details relative to the User, which are not available via the portal, must be transmitted to the User within 30 days from the submission of the request. To protect his or her rights, the User may lodge a complaint with the relevant public authority in the EU Member State of his or her residence. Contact details of such authorities can be found here: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.