Privacy Policy

1. Personal Information We Collect Directly from You

We collect Personal Information from you when you use our Services and interact with us (such as speaking with Bakkt representatives). The information we collect may include your name, state or country of residence, date of birth, address, phone number, social security number, account number, job title, company, email address, marketing and communications preferences, and other information you choose to provide us, including information provided when you register with us, such as citizenship or citizenship status. In some circumstances, we may collect information such as a government-issued ID, proof of address, or photograph(s) (if you elect to provide them to us). We may also collect information relating to:

• Records and copies of your correspondence (including email addresses), if you contact us.
• Your responses to surveys, such as those that we might ask you to complete for research purposes.
• Details of transactions you carry out using our Services. You may be required to provide financial information before using our Services.

We do not knowingly collect information about your race or ethnicity, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation. We do not knowingly collect Personal Information from consumers under the age of 13. If you learn that a child has provided us with Personal Information in violation of this Privacy Policy, please alert us at privacy@bakkt.com with Subject Line: Children’s Privacy.

2. Personal Information We Collect Automatically

We collect certain information automatically when you interact with our Services. For example, we may use cookies, web beacons, and other similar technologies to collect information about you as you use our Services. Examples of this type of information include the dates and times of your use of the Services, your IP (Internet Protocol) address, your browser type, your operating system, device identifiers, and the webpages or content to or from which you navigate.

Third parties may use cookies or similar technologies on our Services. For example, these technologies may be used to provide content and advertisements. Other parties may collect Personal Information about your online activities over time and across different websites when you use our Services.

3. Personal Information We Collect From Third Parties

We also collect information about you from third parties, such as money laundering and fraud prevention information providers, marketing agencies, identity and creditworthiness verification services, and analytics and information providers. We may combine information we collect about you with information from third parties.

We use the information we gather to provide services to you and to respond to your inquiries. This includes:

• Providing Services, including to:
• Register, create, and maintain your account;
• Authenticate your identity and/or your access to an account;
• Initiate, facilitate, process, and/or execute transactions;
• Communicate with you regarding your account or any Services you use;
• Perform creditworthiness, fraud prevention or other similar reviews;
• Evaluate applications; or
• Compare information for accuracy and verification purposes.

• Managing our business and protecting ourselves, you, other persons, and the Services.
• Providing a personalized experience and implementing your preferences.
• Better understanding our customers and how they use and interact with the Services.
• Personalizing our Services and providing offers and promotions for our Services via our websites and third-party websites.
• Providing you with location-specific options, functionalities, and offers.
• Complying with our policies and obligations, including but not limited to, disclosures made in response to any requests from law enforcement authorities and/or regulators in accordance with any applicable law, rule, regulation, judicial or governmental order, regulatory authority of competent jurisdiction, discovery request, advice of counsel or similar legal process.
• Resolving disputes, collecting fees, or troubleshooting problems.
• Providing customer service to you or otherwise communicating with you.

We may also process your Personal Information to fulfill the purposes for which you provide it, or with your consent.

We may disclose the information we gather to our affiliates and to third parties. For example, we may share information with:

• Service providers and/or data processors: We may share Personal Information with third party service providers that perform services and functions at our direction and on our behalf. These third-party service providers may, for example, provide you with services, verify your identity, assist us to comply with law or combat fraud, assist in processing transactions, store your Personal Information on our behalf, or provide customer support.
• Other parties to transactions, or which work with us in relation to transactions: We may share Personal Information with the other parties to your transactions, including brokerage firms/retailers with whom we have partnered to provide the Services. We also share Personal Information with liquidity providers, and Apex Clearing Corporation, which holds your brokerage account and facilitates transfers of funds.
• Any Authorized Users you may allow to access and use your account.
• Financial Institutions and Credit Bureaus: We may share information with financial institutions and credit bureaus involved in supporting transactions in which you engage or assessing creditworthiness. For example, we may share information with your bank when you link your bank account to our Services.
• Financial Institutions and Credit Bureaus: We may share information with financial institutions and credit bureaus involved in supporting transactions in which you engage or assessing creditworthiness. For example, we may share information with your bank when you link your bank account to our Services.
• Other third parties: We may share information with other third parties for our business purposes or as permitted or required by law, including:
• To comply with any legal, regulatory or contractual obligation, or with any legal or regulatory process (such as a valid court order or subpoena) or with the advice of counsel;
• To market our or their products or services to you;
• To establish, exercise, or defend legal claims or our policies;
• If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of ourselves, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud prevention and credit risk reduction; or
• In connection with the purchase, sale, merger, consolidation or transfer of all or part of Bakkt’s business.

We may also disclose data to fulfill the purposes for which you provide it, or with your consent.

CHANGES TO THIS PRIVACY NOTICE

We will notify you of changes to this Notice by revising this Notice and updating the Effective Date above. If you have an account with us, we may notify you of material changes to this notice by e-mail.

If you wish to stop receiving marketing communications, you can opt out by emailing us at help@bakkt.com or privacy@bakkt.com. We may continue to send you non-marketing messages, such as messages relating to your transactions with us.

As of the Effective Date listed above, we participate in a service called Global Privacy Control (GPC) that lets you set a “Do Not Sell or Share” preference at the browser level.  

First, you’ll need a GPC-enabled browser or browser extension. Next, you’ll activate or turn on the GPC setting in the browser. When you visit a website, your browser will automatically send the site a “Do Not Sell or Share” signal and participating websites, like ours, will honor your preference.

Note: Not all browsers and extensions offer a GPC setting. To download a GPC-enabled browser, go to the Global Privacy Control website.

If you are a registered user of the Services, you may access your personal account information online and make changes by logging into your account.

You may control how your browser accepts cookies. If you reject cookies, you may still use our website, but your ability to use some features or areas of our website may be limited. Please see our cookie policy for more information.

SECURITY

Bakkt has implemented administrative, physical and technical safeguards designed to protect your Personal Information. Still, Bakkt cannot guarantee the security or confidentiality of information you transmit to us or receive from us.

For Vermont Customers.

• We will not disclose information about your creditworthiness to our affiliates and will not disclose your Personal Information, financial information, credit report, or health information to nonaffiliated third parties to market to you, other than as permitted by Vermont law, unless you authorize us to make those disclosures.
• Additional information concerning our privacy policies can be found at https://www.bakkt.com/privacy-policy.

State consumer privacy laws may provide their residents with the following additional rights regarding our use of their Personal Information. If you are a California resident, see the Bakkt California Privacy Rights Addendum below for more information about our privacy practices and your rights under California law.

The right to confirm whether we process Personal Information about you and request access to such Personal Information (including, if applicable, in a portable and readily usable format).  

• The right to correct inaccuracies in certain Personal Information we may hold about you; and
• The right to request that we delete Personal Information collected about you.
• The right to opt out of the processing of Personal Information for the purposes of (i) targeted advertising, (ii) the sale of Personal Information, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
• Although we may process your information for targeted advertising, we do not process Personal Information for purposes that, under applicable law, require us to support the right to opt out of the sale of Personal Information or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
• The right to appeal our decision regarding your rights request.
• The right to not be discriminated against for the exercise of your state privacy rights.

You may exercise these rights by:

• Logging in to your account (if you have an account) and submitting a request;
• Emailing us at privacy@bakkt.com;
• Calling our toll-free number 1-800-322-1719; or
• Completing our Privacy requests form.

Verification

As required under applicable law, please note that we may take steps to verify your identity before granting you access to information or acting on your request to exercise your rights. We may require you to provide additional Personal Information including name, physical address, email address, contact information, account login credentials, and other information about your previous transactions with us to verify your identity in response to exercising requests of the above type. We may limit our response to your exercise of rights as permitted under applicable law.

Agent Authorization

Under applicable state law, you may designate an authorized agent to make a request on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf. Your agent will need to complete the Authorized Agent Designation Form by clicking here. Please upload the completed Authorized Agent Designation Form to the completed Bakkt privacy request form.As permitted by law, we may require verification of the agent’s authorization to act on your behalf, require you to confirm you have authorized the agent to act on your behalf, or require you to verify your own identity. We may deny a request by an agent if they fail to submit proof that they act on your behalf.

The following provisions apply to individuals who are residents of California and whose Personal Information we collect (such as website visitors). For such residents, the provisions of this California Privacy Rights Addendum (“California Addendum”) prevail over any conflicting provisions of this Notice. If you use one of our financial products or services for personal or household use, our collection of your Personal Information in connection with such product or service is subject to a separate privacy notice that we are required by federal law to provide, and is not subject to this Notice or this California Addendum.

Personal Information We Collect

Within the last 12 months, we may have collected the following categories of Personal Information about you:

1. Identifiers.

Real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

2. Information under the California Customer Records statute.

Personal Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to their name, signature, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, bank account number, credit card number, debit card number, or any other financial information.

3. Characteristics of protected classifications under California or federal law

Characteristics of protected classifications under California or federal law (such as race, gender, age, disability status).

4. Commercial information.

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

5. Biometric information

Images, including facial data. We may also require you to provide fingerprint data (e.g., through your device to verify your identity).

6. Internet or other similar network activity.

Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application or advertisement.

7. Geolocation information.

Geolocation data.

8. Sensory data.

Audio, electronic, visual, or similar information.

9. Inferences drawn from other Personal Information.

Inferences drawn from any of the Personal Information we collect to create a profile about you reflecting your preferences, characteristics, behavior, and attitudes.

10. Sensitive Personal Information

We collect Sensitive Information (which includes social security, driver’s license, state identification card, passport number, or precise geolocation), to the extent noted above.

We obtain Personal Information from a variety of sources. These sources include: yourself with respect to both online and offline interactions you may have with us or our service providers; other entities with whom you transact business; others with whom you maintain relationships who may deal with us on your behalf; the devices you use to access our websites, mobile applications, and online services; credit bureaus; identity verification and fraud prevention services; marketing and analytics providers; public databases; social media platforms; and others consistent with this Notice and California Addendum. For more information, please see the PERSONAL INFORMATION WE COLLECT section of this Privacy Notice.

Disclosures of Personal Information for Monetary or Other Valuable Consideration, for Behavioral Advertising, or for Business Purposes

Bakkt does not sell or disclose Personal Information for money or other valuable consideration. However, as is common practice among businesses that operate Internet websites and mobile apps, within the last 12 months, we may have disclosed through cookies or similar technologies certain identifiers such as email addresses, pseudonymized identifiers and internet activity, information about the use of our websites and apps, and inferences drawn about you to our social media, analytics, and advertising partners for targeted marketing purposes.

Within the last 12 months, we have disclosed Personal Information identified in the above categories (A)-(J) and/or PERSONAL INFORMATION WE COLLECT for our business purposes. To learn more about the categories of third parties with whom we share such information, please see HOW WE SHARE INFORMATION section of this Notice.

Sales or Sharing of Minors’ Personal Information

We do not sell Personal Information of individuals we know to be under the age of 16, or share such Personal Information with third parties for cross-context behavioral advertising.

Use of Personal Information

For each of the above categories, we use the Personal Information we collect for the business purposes disclosed in HOW WE USE YOUR INFORMATION section of this Notice. Please note that the business purposes for which we use your information may include:

• Audits and reporting relating to particular transactions and interactions, including online interactions, you may have with us or others on our behalf;
• Detecting and protecting against security incidents and malicious, deceptive, fraudulent or illegal activity, and prosecuting the same;
• Debugging to identify and repair errors in our systems;
• Short-term, transient use including contextual customization of ads;
• Providing services on our behalf or on behalf of another, including maintaining or servicing accounts, providing customer service, fulfilling transactions, verifying identity information, processing payments, and other services;
• Conducting internal research to develop and demonstrate technology; and
• Conducting activity to verify, enhance, and maintain the quality or safety of services or devices which we may own, control, or provide.

We may also use the information we collect for our own or our service providers’ other operational purposes, purposes for which we provide you additional notice, or for purposes compatible with the context in which the Personal Information was collected.

How Long We Keep Personal Information

The amount of time we retain a particular category of Personal Information will vary depending on the purpose for which it was collected, our business need for it, and our legal obligations to retain it. We retain your Personal Information for the time needed to fulfill the purpose for which that information was collected and as required pursuant to our data retention policies, which reflect applicable statute of limitation periods and legal requirements. In determining the retention period for Personal Information, we consider the nature and sensitivity of your Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we collect, use and maintain your Personal Information and our legal requirements to retain such information.

Your California Rights

If you are a California resident, you have certain rights related to your Personal Information, including:

• Right to Access and Right to Know. You have the right to request that we disclose the following to you:
• Specific pieces of Personal Information we have collected;
• Categories of Personal Information we have collected about you;
• Categories of sources from which the Personal Information is collected;
• Our business or commercial purpose for collecting ,selling, or sharing Personal Information; and
• Categories of third parties to whom we disclose Personal Information;
• Right to Deletion. You have the right to request that we delete Personal Information about you that we have collected from you.
• Right to Correction. You have the right to request that we correct inaccurate Personal Information we may have about you.
• The Right to Opt-Out of Sales or Sharing. The CCPA gives you the right to opt-out of the disclosure of Personal Information about you for monetary or other valuable consideration (“sale”) and/or the disclosure of personal information for purposes of behavioral advertising (“sharing”). Our use of tracking technologies may be considered a “sale” or “sharing” under California law. To opt-out, select the Bakkt Privacy Request form, then complete the form by selecting the option Do Not Sell or Share My Personal Information, or by broadcasting an Opt-Out Preference Signal, such as the Global Privacy Control (GPC) (on the browsers and/or browser extensions that support such a signal).

We collect certain sensitive Personal Information (as discussed above in the “Personal Information We Collect” section). However, we do not use or disclose sensitive information in a manner that requires us to offer a right to limit such use under the CCPA.

You may exercise these rights by:

• Logging in to your account (if you have an account) and submitting a request;
• Emailing us at privacy@bakkt.com;
• Calling our toll-free number 1-800-322-1719; or
• Completing our Privacy requests form.

Verification

As required under applicable law, please note that we may take steps to verify your identity before granting you access to information or acting on your request to exercise your rights. We may require you to provide additional Personal Information including name, physical address, email address, contact information, account login credentials, and other information about your previous transactions with us to verify your identity in response to exercising requests of the above type. We may limit our response to your exercise of rights as permitted under applicable law.

Nondiscrimination

Subject to applicable law, we may not discriminate against you because of your exercise of any of the above rights, or any other rights under the California Consumer Privacy Act, including by:

• Denying you goods or services;
• Charging different prices or rates for goods or services, including through the use of discounts or other benefits or by imposing penalties;
• Providing you a different level or quality of goods or services; or
• Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference is reasonably related to the value of the Personal Information provided to us and to the extent permitted by law.

Agent Authorization

Under California law, you may designate an authorized agent to make a request on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf. Your agent will need to complete the Authorized Agent Designation Form by clicking here. Please upload the completed Authorized Agent Designation Form to the completed Bakkt privacy request form. As permitted by law, we may require verification of the agent’s authorization to act on your behalf, require you to confirm you have authorized the agent to act on your behalf, or require you to verify your own identity. We may deny a request by an agent if they fail to submit proof that they act on your behalf.

HOW TO CONTACT US

You may contact us with questions and concerns about the California Addendum or about the above practices by contacting us at privacy@bakkt.com or at 1-800-322-1719.

This UK and EU Privacy Policy Addendum (“UK and EU Addendum”) applies where your Personal Information is protected by either the UK General Data Protection Regulation or the EU General Data Protection Regulation (jointly referred to as “Data Protection Laws”). Typically, this will be the case where you use services that Bakkt specifically makes available to UK or EU customers (the “UK and EU Services”), including where you are a customer or an authorized user of such services. Where your Personal Information is protected by Data Protection Laws, this UK and EU Addendum prevails over any conflicting descriptions set out elsewhere in the Notice.

For the purposes of this UK and EU Addendum, Bakkt Crypto Solutions, LLC is the controller responsible for the processing of your Personal Information. In connection with some services, we have partnered with Apex Clearing Corporation, and retailers/brokers with whom you may already have a relationship. Apex Clearing Corporation and such retailers/brokers act as separate controllers acting independently to us, and we encourage you to refer to their respective privacy policies for further information about how they collect, use, and disclose information about you.

Personal Information We Process

We may process the following information about you:

• Contact Details, such as first name, middle name, last name, mailing street address, city, county, country, postcode, email address and telephone number.
• Account Opening, Anti-Money Laundering and KYC Information, date of birth, tax identification number, national identification number, occupation / position, annual net income, source of funds, browser type, IP address, risk profile; screenings against government sanctions lists, politically exposed persons, and enforcement lists; screening against global watchlists for individuals and entities; government-issued photo ID; information about suspicious activities or transactions; annual income range, total net worth range, investment experience, liquidity net worth range, source of funds, investment experiences, investment objective, risk tolerance; citizenship, visa type, occupation, employer name, employment status, employer job position, years employed at employer; transaction information and bank information (account number and routing number), login, password.
• Trade Request Information, including account number, trade type (i.e., buy, sell), trading pair, cryptocurrency asset type (i.e. BTC, ETH, etc.), order type (i.e. market, limit, stop limit), amount of cryptocurrency to trade (by number of shares or currency amount) and time in force, price information, fees, order ID.
• Creditworthiness Information, including credit reference and credit score information.
• Service Improvement Information, including information about your usage of our Services, and survey response information.
• Other Transaction, Transfer, Receipt, and Account Information, including wallet information, such as addresses/keys, balances, beneficiaries; transaction information, such as senders and recipients, amounts transferred, currency, payment methods, timestamps, transaction IDs, transaction limits; bank account number and other payment information; available cash, aggregated daily transactions, bounce-backs and other failures of delivery.
• Support and Complaint Information, information relating to complaints and support requests.
• Tax Information, including taxpayer identification numbers and certifications, provided by you on tax forms and similar.
• Statements of accounts, notices of error and accompanying information, and other books and records.
• Information about your activities in connection with the Service, your correspondence, and other information about whether your account may be eligible for escheatment.

Sources of Personal Information

We also collect information about you from third parties, such as your brokerage firm/retailer, money laundering and fraud prevention information providers, identity and creditworthiness verification services, and analytics and information providers. Personal Information about you may be obtained from publicly available government sanctions or watch lists, such as the Office of Foreign Assets Control list.

Further information about the sources from which we collect Personal Information is available on request, by contacting us using the details in the “How To Contact Us” section below.

Your decision to provide Personal Information to Bakkt is typically voluntary, except where it is, for example:

• collected to meet a legal requirement; or
• necessary in connection with a contract we have with you.

If you do not provide certain Personal Information to us, we may not be able to achieve some of the purposes outlined in this UK and EU Addendum – and may therefore not be able to provide you with UK and EU Services.

How We Use Personal Information

For each of the above categories, we use the Personal Information we collect for the purposes disclosed in the above section titled "HOW WE USE YOUR INFORMATION".

We may also use the Personal Information we collect for our own or our service providers’ other operational purposes, purposes for which we provide you additional notice before processing your Personal Information, or for purposes compatible with the context in which the Personal Information was collected and in accordance with Data Protection Laws.

How We Justify Processing Personal Information

We process your Personal Information where we have a justification for doing so. In particular, this will be the case where:

• You have given consent to the processing of your Personal Information for one or more specific purposes;
• Processing is necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering into a contract;
• We must process your Personal Information to comply with our legal obligations; or
• Processing is necessary for the purposes of our legitimate (commercial) interests, or the legitimate interests of a third party. In particular, we rely on our legitimate commercial interests in (i) providing, improving, and promoting our services; (ii) protecting our business and exercising our rights; and (iii) complying with certain laws in jurisdictions outside the UK or EU that protect us, customers, partners, and others.

We do not generally process special categories of Personal Information. However, where we do process such Personal Information, we will do so in accordance with the law. For example, we may process such special category Personal Information where:

• You have given your explicit consent to the processing;
• The processing is necessary for the purpose of establishing, exercising or defending legal claims;
• The processing is necessary to protect the vital interests of you or another person, where you or that person is incapable of giving consent;
• You have manifestly made the information public;
• The processing is necessary for reasons of substantial public interest, on the basis of relevant laws which are proportionate and provide appropriate safeguards;
• Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with law.

Where we process Personal Information relating to criminal convictions or offences, we have an appropriate basis in law to justify it.

If you would like further information about our justifications for processing your Personal Information, including our legitimate interests, please contact us using the details set out in the “How To Contact Us” section below.

How Long We Keep Personal Information

The amount of time we retain a particular category of Personal Information will vary depending on the purpose for which it was collected. In general, we will keep Personal Information only as long as is needed to achieve the relevant purpose.

To determine how long we retain Personal Information for, we also consider the nature and sensitivity of your Personal Information, the potential risk of harm from unauthorised use or disclosure of your Personal Information, applicable statute of limitation periods, and any other business need or legal obligation to retain it.

Further information about our retention periods is available on request, by contacting us using the details set out in the “How To Contact Us” section below.

How We Share Personal Information

We may disclose the Personal Information we gather to our affiliates and to third parties, as further described in the section above titled "HOW WE SHARE INFORMATION".

You can obtain further information by contacting us using the details in the “How To Contact Us” section below.

When we share Personal Information, as specified above, with any service provider, processor, or any other third party, we will take appropriate measures to protect your Personal Information.

How We Secure Personal Information

We maintain technical, organisational, and physical safeguards designed to protect the Personal Information we have concerning you, against accidental loss, misuse or unauthorised access, alteration, or destruction.

Your Rights Under Data Protection Laws

You can request to exercise certain rights, subject to applicable exclusions, limitations, and conditions in accordance with Data Protection Laws.

One key right is the right to object. When we process your Personal Information for purposes of pursuing our legitimate interests, you have the right to object to such processing. If you exercise this right, we will stop the processing unless we have strong and legitimate reasons to continue using your Personal Information. You also have an absolute right to object to our processing of your Personal Information for direct marketing purposes.

You also have the following rights:

• The right of access: You may request confirmation as to whether we process your Personal Information and request access to the Personal Information we process about you. You also have the right to ask us for information about our processing of your Personal Information.
• The right of rectification: You have the right to ask us to correct any Personal Information we process about you that is inaccurate or incomplete (such as your Login Credentials).
• The right to erasure or to be forgotten: You have in some cases the right to request that we delete the Personal Information we have concerning you. Please note that exercising this right may affect our ability to provide you certain UK and EU Services that require us to process Personal Information about you.
• The right to restriction of processing: You have the right to request that we restrict the processing of your Personal Information, for example if your Personal Information is inaccurate, or if the processing is unlawful. Please note that exercising this right may affect our ability to provide you with certain UK and EU Services that require us to process Personal Information about you.
• The right to data portability: You have the right to request that we transmit your Personal Information to another controller or to you in a commonly used and machine-readable format.
• The right to withdraw consent: If you have given (explicit) consent to us to process your Personal Information, you may withdraw it at any time.

To exercise your rights as listed above, and to otherwise change your preferences, you can:

• Access our UK and EU GDPR data subject rights portal, by clicking [HERE].
• Unsubscribe from newsletters, marketing, announcements, and other promotional communications received from us by following the unsubscribe link included at the bottom of each email. Please note that you may continue to receive non-promotional communications to the extent permitted by Data Protection Laws;
• Contact us as set out in the “How To Contact Us” section below.

We will handle your requests in accordance with Data Protection Laws. Please note that we may take reasonable steps to verify your identity before responding to or complying with your request.

If you have questions or concerns about the information provided in this UK and EU Addendum, or about the way we process your Personal Information, we encourage you to contact us in the first instance. You also have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work or place of an alleged infringement of Data Protection Laws. For the UK, the competent supervisory authority is the UK Information Commissioner’s Office (the ICO). The ICO can be reached at https://ico.org.uk/.

You can lodge a complaint or seek a judicial remedy if you believe we have not properly acted upon your request to exercise a right.

Direct Marketing (Personalised Advertising)

In some cases, and as permitted by Data Protection Laws, we may use your Personal Information to provide you with marketing messages you may be interested in, including by sending you direct marketing, and/or by delivering targeted and interest-based marketing.

Cross-Border Transfers of Personal Information

We may collect Personal Information in, or transfer Personal Information to countries with laws that offer different levels of data protection compared to Data Protection Laws. In particular, Bakkt and its affiliates and service providers are based in the U.S..

Where we transfer your Personal Information outside of your country (which for UK GDPR purposes is the UK, and for EU GDPR purposes is the European Economic Area), we put appropriate measures in place to protect it in accordance with Data Protection Laws, including by entering into EU Standard Contractual Clauses (and the equivalent clauses available under the UK GDPR), or by relying on the EU-U.S. Data Privacy Framework (and the UK Extension).

You can obtain further information by contacting us using the details in the “How To Contact Us” section below.

Children’s Personal Information

We do not offer our UK and EU Services to customers under the age of 18 and in particular, do not directly offer them to children under the age of 13, and do not knowingly collect their Personal Information. If you learn that a child has provided us with Personal Information in violation of this UK Addendum, please alert using the details in the “How To Contact Us” section below.

How To Contact Us

If you have any questions about this UK and EU Addendum or our practices with respect to Personal Information, please send your request to privacy@bakkt.com.

This Australian Privacy Policy Addendum (“Australian Addendum”) applies where your Personal Information is protected by the Australian Privacy Principles (APPs) within the Privacy Act 1988 (“Privacy Act”). Typically, this will be the case where you use services that BakktAustralia specifically makes available to Australian customers, including where you are a customer or an authorized user of such Services. Where your Personal Information is protected by the Privacy Act, this Australian Addendum prevails over any conflicting descriptions set out elsewhere in the Notice.

For the purposes of this Australian Addendum, Bakkt Australia is the controller responsible for the processing of your Personal Information. In some cases, we partnered with a retailer/broker with whom you already have a relationship. Such retailers/brokers act as separate controllers acting independently to us, and we encourage you to refer to their privacy policies for further information about how your retailer/broker collects, uses, and discloses information about you.

Your Privacy

Your privacy is important to us, and we want you to understand our practices with respect to gathering personal information and with respect to the uses we make of Personal Information.

Privacy deals with Personal Information, that is, “information that is linked or reasonably linkable to an identified or identifiable natural person.” This policy describes how we collect, store, and use Personal Information in connection with our business. In the event we do collect Personal Information from you, the following describes the standards we apply in handling that information.

Australian Privacy Principles

This privacy policy is compliance with the Privacy Act and its Australian Privacy Principles. In applying the Australian Privacy Principles, we seek to protect an individual’s privacy by ensuring that the handling of Personal Information by us is fair.

Personal information We Collect

1. Personal Information We Collect Directly from You

We collect Personal Information from you when you use our Services and interact with us (such as speaking with BakktAustralia representatives). The information we collect includes your name, country of residence, date of birth, address, phone number, tax file number / social security number, account number, job title, company, email address, marketing and communications preferences, and other information you choose to provide us, including information provided when you register with us. In some circumstances, we will collect information such as a government-issued ID, proof of address, or photograph(s) (if you elect to provide them to us).

We do not generally collect sensitive information and would only do so with your consent and where it is necessary for our business. Sensitive information means details about your racial/ethnic origin, political, religious, or philosophical beliefs, membership of a professional or trade association or union, sexual orientation/preference, or health.

2. Personal Information We Collect Automatically

We collect certain information automatically when you interact with our Services. For example, we use cookies, web beacons, and other similar technologies to collect information about you as you use our Services. Examples of this type of information include the dates and times of your use of the Services, your IP (Internet Protocol) address, your browser type, your operating system, device identifiers, and the webpages or content to or from which you navigate.

3. Personal Information We Collect from Third Parties

We also collect information about you from other sources and sometimes combine that information with other information collected from you or from third parties, such as money laundering and fraud prevention information providers, marketing agencies, identity and creditworthiness verification services, and analytics and information providers.

How We Use Your Personal Information

We use the information we gather to provide services to you and to respond to your inquiries. This includes:

• Providing Services, including to:
• Register, create, and maintain your account;
• Authenticate your identity and/or your access to an account;
• Initiate, facilitate, process, and/or execute transactions;
• Communicate with you regarding your account or any Services you use;
• Perform creditworthiness, fraud prevention or other similar reviews;
• Evaluate applications; or
• Compare information for accuracy and verification purposes.
• Managing our business and protecting ourselves, you, other people, and the Services.
• Providing a personalized experience and implementing your preferences.
• Better understanding our customers and how they use and interact with the Services.
• Personalizing our Services and providing offers and promotions for our Services via our websites and third-party websites.
• Providing you with location-specific options, functionalities, and offers.
• Complying with our policies and obligations, including but not limited to, disclosures made in response to any requests from law enforcement authorities and/or regulators in accordance with any applicable law, rule, regulation, judicial or governmental order, regulatory authority of competent jurisdiction, discovery request, advice of counsel or similar legal process.
• Resolving disputes, collecting fees, or troubleshooting problems.
• Providing customer service to you or otherwise communicating with you.

You do not have to provide us with your Personal Information

If you choose not to, we may not be able to process your application for a product or service, assist with your enquiries, provide all of the features available for a product or service, or respond to any complaint to us.

How We Secure Your Personal Information

We maintain technical, organisational, and physical safeguards designed to protect the Personal Information we have concerning you, against accidental loss, misuse or unauthorised access, alteration, or destruction.

We hold Personal Information either on internal physical servers that we control or through cloud-based storage offered by third-party service providers. We control Personal Information held on these servers at all times and Personal Information is not accessible by third parties in the ordinary course of business when using such storage methods. When personal information is no longer required by us and if permitted by law, we will take reasonable steps to de-identify and/or destroy the information in accordance with our internal records retention policy.

All our employees and contractors, who have access to, and are associated with the processing of Personal Information, are obliged to respect the confidentiality of our records. We have procedures in place to destroy information that we no longer need.

Your Rights Under the Privacy Act

You can request to exercise certain rights, subject to applicable exclusions, limitations, and conditions in accordance with the Privacy Act. Your rights include the following:

• The right of access: You can request confirmation as to whether we process your Personal Information and request access to the Personal Information we process about you. You also have the right to ask us for information about our processing of your Personal Information.
• The right of rectification: We take all reasonable precautions to ensure that the personal information we collect, use, and disclose is accurate, complete, up-to-date, and relevant. However, if you believe that this is not the case, you have the right to ask us to correct any Personal Information we process about you that is inaccurate or incomplete.
• The right to lodge a complaint: You have the right to lodge a complaint or seek a judicial remedy if you believe we have breached the Privacy Act and/or not properly acted upon your request to exercise a right. If you have questions or concerns about the information provided in the Australian Addendum, or about the way we process your Personal Information, we encourage you to contact us in the first instance.

To exercise your rights as listed above, and to otherwise change your preferences, you can:

• Access the Bakkt data subject rights portal, by clicking [HERE].
• Unsubscribe from newsletters, marketing, announcements, and other promotional communications received from us by following the unsubscribe link included at the bottom of each email.
• Contact us as set out in the “How To Contact Us” section below.

We will handle your requests in accordance with the Privacy Act. Please note that we will take reasonable steps to verify your identity before responding to or complying with your request.

Retention of Personal Information

We will not keep your Personal Information for longer than its intended use. In most cases, this means that we will only retain your Personal Information for the duration of your relationship with us unless we are required to retain your Personal Information to comply with applicable laws, for example record-keeping obligations.

International Disclosure of Personal Information

We operate our business in Australia and overseas. We reserve the right to share some of your information with organisations outside Australia. When we transfer your Personal Information outside of your country, we put appropriate measures in place to protect it in accordance with the Privacy Act. We reserve the right to disclose your personal information to overseas recipients, including but not limited to recipients in the United States of America.

You can obtain further information by contacting us using the details in the “How To Contact Us” section below.

How To Contact Us

If you have any questions about this Australian Addendum or our practices with respect to Personal Information, please send your request to privacy@bakkt.com.

Changes to the Australian Addendum

This addendum is published and effective as of 1 June 2024. We reserve the right to change this addendum, as necessary. Any changes to this addendum will be updated on this web site, so please visit the web site periodically to ensure that you have our most current Australian Addendum.

To the extent Mexican privacy laws or regulations apply, the following additional Mexico-specific provisions apply and shall prevail over conflicting provisions in the Privacy Notice.

Collected Data

We may collect and process the following information about you:

• Contact Details, such as first name, middle name, last name, mailing street address, city, county, country, post code, email address and telephone number.
• Account Opening, Anti-Money Laundering and Know Your Customer Information, date of birth, tax identification number, national identification number, occupation / position, annual net income, source of funds, browser type, IP address, risk profile; screenings against government sanctions lists, politically exposed persons, and enforcement lists; screening against global watchlists for individuals and entities; government-issued photo ID; information about suspicious activities or transactions; annual income range, total net worth range, investment experience, liquidity net worth range, source of funds, investment experiences, investment objective, risk tolerance; citizenship, visa type, occupation, employer name, employment status, employer job position, years employed at employer; transaction information and bank information (account number and routing number), login, password.
• Trade Request Information, including account number, trade type (i.e., buy, sell), trading pair, cryptocurrency asset type (i.e. BTC, ETH, etc.), order type (i.e. market, limit, stop limit), amount of cryptocurrency to trade (by number of shares or currency amount) and time in force, price information, fees, order ID.
• Creditworthiness Information, including credit reference and credit score information.
• Service Improvement Information, including information about your usage of our Services, and survey response information.
• Other Transaction, Transfer, Receipt, and Account Information, including wallet information, such as addresses/keys, balances, beneficiaries; transaction information, such as senders and recipients, amounts transferred, currency, payment methods, timestamps, transaction IDs, transaction limits; bank account number and other payment information; available cash, aggregated daily transactions, bounce-backs and other failures of delivery.
• Support and Complaint Information, information relating to complaints and support requests.
• Tax Information, including taxpayer identification numbers and certifications, provided by you on tax forms and similar.
• Statements of accounts, notices of error and accompanying information, and other books and records.
• Information about your activities in connection with the Service, your correspondence, and other information about whether your account may be eligible for escheatment.

Purpose of Data Processing

Your personal data is collected and processed for the following purposes:

• Service Provision: To create and manage your account, process transactions, and provide customer support.
• Security: To protect against fraud, unauthorized transactions, and other liabilities.
• Compliance: To comply with legal and regulatory requirements, including anti-money laundering (AML) and know your customer (KYC) obligations.
• Improvement: To enhance our services, analyze usage trends, and develop new features.

Data Transfer

We may transfer your personal data to:

• Service Providers: For transaction processing, data storage, and customer support.
• Regulatory Authorities: To comply with legal obligations and requests from government bodies.
• Partners: For joint marketing activities, subject to obtaining your consent.

ARCO Rights

You have the right to Access, Rectify, Cancel, or Oppose (ARCO) the use of your personal data. To exercise these rights, please completed the Bakkt Online Privacy Request form or contact us at Privacy@Bakkt.com. Your request should include your full name, home mailing address, account information, and a detailed description of your request. Please note that we may take steps to verify your identity before granting you access to information or acting on your request to exercise your rights.

Revoking Consent

You can revoke your consent for the processing of your personal data at any time by contacting us at Privacy@Bakkt.com. Please note that revoking consent may impact our ability to provide certain services.

Limiting Use or Disclosure

To limit the use or disclosure of your personal data, please contact us at Privacy@Bakkt.com. We will address your request promptly in accordance with applicable laws.

Use of Tracking Technologies

We use cookies and similar technologies to collect data about your interaction with our services. These technologies help us improve user experience and monitor the performance of our services. You can manage or disable these technologies through your browser settings.

Changes to the Privacy Notice

We may update this Privacy Notice from time to time. Any changes will be communicated to you through our website. Please review this notice periodically to stay informed about how we collect, process, transfer, manage and protect your data.

Identity and Address of the Data Controller

Bakkt Holdings, INC

10000 Avalon Boulevard, Suite 1000

Alpharetta, Georgia 30009

Contact: Privacy@Bakkt.com

Contact Information

If you have any questions or concerns about this Privacy Notice or our data practices, please contact us at:

Email: Privacy@Bakkt.com

Phone: 1-800-322-1719

Address: 10000 Avalon Boulevard, Suite 1000; Alpharetta, Georgia 30009

Addenda al Aviso de Privacidad de México

Al punto que se apliquen las leyes o regulaciones de privacidad mexicanas, se aplican las siguientes disposiciones adicionales específicas de México y prevalecerán sobre las disposiciones en conflicto en el Aviso de Privacidad.

Data Colectada

Podemos colectar y procesar la siguiente información sobre usted:

• Información de Contacto, por ejemplo su nombre, su segundo nombre, apellidos, dirección de casa, ciudad, condado, código postal, correo electrónico y numero de teléfono.
• Apertura de cuenta, información contra el lavado de dinero y conozca a su cliente, fecha de nacimiento, número de identificación para los impuestos, número de identificación nacional, ocupación/posición, saldo neto anual, fuente de fondos, tipo de buscador, dirección IP, perfil de riesgo; exámenes de las listas de sanciones gubernamentales, personas políticamente expuestas, y listas de aplicación de la ley; revisión de listas de vigilancia globales para individuos y entidades, identificación oficial con foto proveída por el gobierno; información sobre actividades y transacciones sospechosas; rango de ingresos anuales, valor neto total, experiencia en inversión, rango de ingresos anuales en liquidez, recurso de fondos, experiencia en inversiones, objetivo de inversiones, tolerancia en riesgo; ciudadanía, tipo de visa, ocupación, nombre del empleador, estatus de empleo, posición de trabajo del empleador, años trabajados con el empleador; información de transacción y banco (número de cuenta y numero de ruta), usuario, contraseña.
• Solicitud de información de canjeo, incluye numero de cuenta, tipo de canjeo (ej., comprar, vender), par de canjeo, tipo de criptomonedas (ej., BTC, ETH, etc.), tipo de orden (ej., mercado, limite, punto de limite), cantidad de criptomoneda para canjear (por número de acciones o moneda total) y tiempo en la fuerza, costo de la información, tarifa, orden de identificación.
• Crédito de solvencia, incluye referencia de crédito e información de puntaje de crédito.
• Información de mejoramiento de servicio, incluyendo el uso de nuestros Servicios, e información de encuestas resueltas.
• Otra transacción, Transferencia, Recibo, e Información de Cuenta, incluyendo información de cartera, como direcciones/llaves, balances, beneficiarios; información de transacción, como el remitente y el destinatario, cantidades transferidas, moneda, método de pago, marcas de tiempo, identificación de transacciones, limite de transacciones; numero de cuenta bancaria e información de pago; efectivo disponible, transacciones diarias agregadas, envíos fallidos y rebotados.
• Soporte y Reclamo de Información, información relacionada a reclamos y peticiones de soporte.
• Información de Impuestos, incluye números y certificaciones del contribuyente, proporcionado por usted en formularios de impuestos y similares.
• Declaraciones de cuentas, avisos de error e información adjunta, y otros libros y registros.
• Información sobre sus actividades en conexiones a el Servicio, su correspondencia, y otra información sobre si su cuenta es elegible para ser proclamada.

Propósito de Procesamiento de Datos

Sus datos personales son colectados y procesados para el siguiente motivo:

• Disposición de Servicio: Crear y manejar la cuenta, procesamiento de transacciones, y aporta atención al cliente.
• Seguridad: Protección contra fraude, transacciones sin autorización, y otros pasivos.
• Cumplimiento: Cumplir con los requisitos legales y reglamentarios, incluyendo lavado de dinero y conocer las obligaciones de tu cliente.
• Mejoramiento: Mejorar nuestro servicio, analizar tendencias de uso, y desarrollar nuevas características.

Transferencia de Datos

Nosotros podremos transferir datos personales a:

• Proveedores de Servicios: Para procesamiento de transacciones, almacenamiento de datos, y atención al cliente.
• Autoridades Regulatorias: Para seguir con las obligaciones legales y solicitudes de organismos gubernamentales.
• Socios: Para actividades de marketing conjuntas, sujeto a obtener tu consentimiento.

Derechos ARCO

Tienes el derecho de Acceder, Rectificar, Cancelar, o Oponer (ARCO) el uso de su información personal. Para ejercer estos derechos, por favor completar el Formulario de solicitud de privacidad en línea de Bakkt o contactarnos a Privacy@Bakkt.com. Su solicitud debe incluir su nombre completo, dirección de casa, información de la cuenta, y una descripción detallada de su solicitud. Por favor tenga en cuenta que podremos tomar pasos para verificar su identidad antes de concederle acceso a información o actuando sobre su solicitud para ejercer sus derechos.

Consentimiento Revocado

Usted puede revocar su consentimiento a sus datos personales en cualquier momento al contacta Privacy@Bakkt.com. Tenga en cuenta que revocar el consentimiento puede afectar nuestra capacidad para proporcionar ciertos servicios.

Limitar el uso o la divulgación

Para limitar el uso o divulgación de sus datos personales, por favor contacta a Privacy@Bakkt.com. Atenderemos su solicitud con rapidez de acuerdo con las leyes aplicables.

Uso de Tecnología de Localización

Utilizamos cookies y tecnologías similares para colectar datos sobre su interacción con nuestros servicios. Estas tecnologías no ayudan a improvisar la experiencia del usuario y monitorear el desempeño de nuestros servicios. Usted puede manejar o deshabilitar esta tecnología a través de los ajustes de nuestro navegador.

Cambios al Aviso de Privacidad

Podemos actualizar este Aviso de Privacidad de vez en cuando. Cualquier cambio le será comunicado a través de nuestro sitio web. Revise este aviso periódicamente para mantenerse informado sobre cómo colectamos, procesamos, transferimos, administramos y protegemos sus datos.

Identidad y Dirección del controlador de Datos

Bakkt Holdings, INC

10000 Avalon Boulevard, Suite 1000

Alpharetta, Georgia 30009

Contacto: Privacy@Bakkt.com

Información del contacto

Si tiene alguna pregunta o inquietud sobre este Aviso de Privacidad o nuestras prácticas de datos, comuníquese con nosotros a:

Correo electrónico: Privacy@Bakkt.com

Teléfono: 1-800-322-1719

DIRECCIÓN: 10000 Avalon Boulevard, Suite 1000; Alpharetta, Georgia 30009

This Biometric Information Privacy Policy Addendum governs the collection, use, retention, and protection of biometric information by Bakkt (also referred to as “Bakkt,” “we,” “us,” or “our). We define Biometric Information as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual“. Biometric identifier “means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”.

The Biometric Information Privacy Policy Addendum outlines how we handle biometric information, specifically customer facial scans used for identity verification and fraud prevention purposes, in compliance with applicable laws, including the Illinois Biometric Information Privacy Act (BIPA) and other relevant data privacy regulations.

Scope

This policy applies to all biometric information collected by Bakkt from customers, users, employees, contractors, and others who interact with our company and services.

Collection of Biometric Information

Bakkt collects biometric information solely for identity verification purposes as part of our Know Your Customer (KYC) and Customer Identification Program (CIP) protocols. This process ensures compliance with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations. Biometric information is collected in the following scenarios:

• When a customer creates an account on our platform and completes identity verification via facial scan technology.
• When periodic identity verification is required due to security reviews or regulatory needs.

Notice and Consent

Before collecting biometric information, Bakkt will:

• Inform individuals that their biometric information is being collected.
• Explain the specific purpose for which the biometric information will be used.
• Obtain explicit consent from the individual before collecting or using their biometric information.

Use of Biometric Information

Biometric information collected by Bakkt is used exclusively for the following purposes:

• Identity Verification: To verify customer identities during account creation and KYC/CIP processes.
• Fraud Prevention: To protect customers and Bakkt from fraudulent activity.
• Compliance: To comply with applicable legal and regulatory requirements, including AML and CTF laws.

Bakkt does not sell, lease, trade, or otherwise profit from biometric data.

Retention of Biometric Information

Bakkt will retain biometric information only until, and shall request that its third-party service providers and their subcontractors destroy such data when, the first of the following occurs:

• The initial purpose for collecting or obtaining such biometric information has been satisfied, such as the termination of the relationship between you and Bakkt; or
• Within three (3) years of your last interaction with Bakkt.

If legal obligations require us to retain biometric information for longer than the above, we will destroy such information not later than the first anniversary of the date the information is no longer required to be maintained by law.

Security Measures

We maintain technical, organizational, and physical safeguards designed to protect the biometric information we have concerning you, against accidental loss, misuse or unauthorized access, alteration, or destruction. All our employees and contractors who have access to, and are associated with the processing of biometric information, are obliged to respect the confidentiality of our records.

Policy Updates

We reserve the right to change this addendum, as necessary. Any changes to this addendum will be updated on this web site, so please visit the web site periodically to ensure that you have our most current Biometric Information Privacy Policy Addendum.