Last Updated: March 26, 2024.
We at Coinbase (the Coinbase entities listed in Section 11 below, referred to here as “we”, “us” or “our”) respect and protect the privacy of those who explore our Services (“Users”) and Users who sign up for and access our Services (“Customers”) (together referred to throughout this policy as “you” and “your”).
This Privacy Policy describes how we collect, use, and share personal information when you explore, sign up for or access our “Services”, which include the services offered on our websites, including coinbase.com, coinbase.com/exchange, coinbase.com/prime, coinbase.com/futures, coinbase.com/cloud (each a “Site” and collectively the “Sites”) or when you use the Coinbase mobile app, the Coinbase Card App, Coinbase Exchange, Coinbase Prime, Dapp Wallet, or Coinbase Custody application programming interface (“API”) or third party applications relying on such APIs (together, our “Apps”) and related services.
If you reside outside of the UK and the European Economic Area (the “EEA”), accessing and using our Services means that you accept this Privacy Policy and its terms.
It is important that you understand how we use your information. You should read this page in full, but below are the key highlights and some helpful links:
Our goal is to simplify your crypto experience. If you do not wish for your personal information to be collected, used, or disclosed as described in this Privacy Policy, or you are under 18 years of age, you should stop accessing our Services.
We collect and use your information in order to provide and improve our Services and your experience, protect the security and integrity of our platform, and meet our legal obligations.
To learn more, explore Section 1. What Information We Collect and Section 2. How We Use Your Information.
We share your information with other Coinbase companies, as well as trusted third parties and service providers, in order to offer our Services and fulfill legal requirements.
To learn more, explore Section 3. How And Why We Share Your Information.
We offer privacy tools for you to request access to or deletion of information we hold about you. You can use these tools by visiting your Privacy Rights Dashboard. Depending on where you live, you may also have other privacy rights under law.
If you have any questions, please contact us on our Support Portal or at dpo@coinbase.com. See Section 9. How to Contact Us With Questions for more information.
We collect the following personal information and documentation:
Information You Provide to Us
Information Collected Automatically
Information we obtain from Affiliates and third parties
We use your personal information to deliver, personalize, operate, improve, create, and develop our Services, to provide you with a secure, smooth, efficient and customized experience as you use them, and for legal compliance, loss prevention, and anti-fraud purposes. Learn more about how we use your personal information and our legal basis for each such data use:
Data use necessary to perform our contract with you
Data use to comply with our legal obligations
Data use for our Legitimate Interests
Data use based on your consent
Data use to protect your or others’ vital interests
We work with service providers, partners and other third parties to help us provide our Services, and as a result we need to share certain information with these third parties. Here’s how:
Affiliates
Linked Third Party Websites
TRUST
Professional advisors, industry partners, authorities and regulators
Asset Transfer or Company Acquisition
Third-Party Service Providers
We retain your information as needed to provide our Services, comply with legal obligations, or protect our or others’ interests. While retention requirements vary by country, we maintain internal retention policies on the basis of how information needs to be used. This includes considerations such as when the information was collected or created, whether it is necessary in order to continue offering you our Services, whether we are required to hold the information to comply with our legal obligations, including AML/KYC compliance or other financial regulatory obligations, or information preservation requirements. We also keep certain information where necessary to protect the safety, security and integrity of our Services, Customers, and Users. Our third-party electronic identity verification providers collect and retain biometric information for the period required for financial regulatory compliance or otherwise as required by applicable law. They retain this information for as long as set out in their applicable notices/policies. In line with these considerations, we delete information that is no longer needed for the above purposes when you close your account, or when you request deletion of your information (which you can initiate through your Privacy Rights Dashboard).
The Sites and Services are not directed to persons under the age of 18, and we do not knowingly request or collect any information about persons under the age of 18. If you are under the age of 18, please do not provide any personal information through the Sites or Services. If a User or Customer submitting personal information is suspected of being younger than 18 years of age, Coinbase will require the relevant Customer or User to close his or her account, and will take steps to delete the individual’s information as soon as possible.
To facilitate our global operations, Coinbase, its Affiliates, third-party partners, and service providers may transfer, store, and process your personal information throughout the world, including Ireland, Germany, Singapore, the UK, the US, and the Philippines. See here for more information.
If you reside in the EEA, Switzerland, or the United Kingdom, we rely upon a variety of legal mechanisms to facilitate these transfers of your personal information (collectively, “European Personal Data”).
We rely primarily on the European Commission’s Standard Contractual Clauses to facilitate the international and onward transfer of European Personal Data to third countries, including from our EU operating entities to Coinbase, Inc. in the United States. For a copy of the Standard Contractual Clauses, please contact dpo@coinbase.com.
In addition, we may rely on certain exemptions provided for under data protection law for our international transfers. We also rely on adequacy decisions from the European Commission where available and exemptions provided for under data protection law. For example, because Coinbase operates and provides its Services globally, we need to share information with our Affiliates and to data centers outside the EEA in order to develop, offer, and improve our Services (Article 49(1)(b) GDPR). In addition, we may rely on certain exemptions for sharing personal information with law enforcement outside of the EEA in emergency situations (Article 49(1)(f) GDPR).
EU-US, UK-US, and Swiss-US Data Privacy Framework
Coinbase complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (together referred to as the “Data Privacy Frameworks”) and the DPF Principles as set forth by the U.S. Department of Commerce. Coinbase has certified to the U.S. Department of Commerce that it adheres to:
the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF;
the UK-U.S. Data Privacy Framework Principles (EU-UK DPF Principles) with regard to the processing of personal data received from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF; and
the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
In the context of an onward transfer, Coinbase has responsibility for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as a service provider, partner and/or other third party to help us provide our Services on our behalf (as described in Section 4 of this policy). Coinbase remains liable under the DPF if any such third party processes personal data in a manner inconsistent with the DPF, unless Coinbase can prove that we are not responsible for the event giving rise to the damage. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, visit https://www.dataprivacyframework.gov.
In compliance with the Data Privacy Frameworks, Coinbase commits to resolve all DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the relevant Data Privacy Frameworks should first contact Coinbase at: dpo@coinbase.com.
For unresolved complaints concerning our handling of personal information in reliance on the Data Privacy Frameworks, Coinbase is a member of and relies upon the ICDR-AAA services for the Data Privacy Framework Program (see https://go.adr.org/dpf_irm.html), which may involve, under certain conditions, binding arbitration.
The Federal Trade Commission has jurisdiction over Coinbase’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
Depending on where you live, you may be able to exercise certain privacy rights related to your personal information. For any of your privacy rights and choices referenced below, requests relating to your personal information can be made by logging into your account and going to your Privacy Rights Dashboard or by submitting a request via our Support Portal or at dpo@coinbase.com. If any of the rights listed below are not provided under law for your operating entity or jurisdiction, Coinbase has absolute discretion in providing you with these rights.
Right to access and portability:
You may request that we provide you a copy of your personal information held by us through your Privacy Rights Dashboard, or by submitting a request via our Support Portal.
Right to rectification:
You may request us to rectify or update any of your personal information held by Coinbase that is incomplete or inaccurate by logging in to your account and clicking the Profile or My Account tab.
Right to deletion/erasure:
You may request to erase your personal information, subject to applicable law. If you close your Coinbase Account, we will retain or delete information associated with your account as described in Section 4. How Long We Keep Your Personal Information.
Right to withdraw your consent:
To the extent the processing of your personal information is based on your consent, you may withdraw your consent at any time. The lawfulness of Coinbase’s processing before you withdraw your consent will not be affected by such withdrawal.
Right to object to or restrict processing:
You may have the right to restrict or object to us using or transferring your personal information based on our legitimate interests, in the public interest, or for direct marketing. We may continue to process your personal information where permitted or required by applicable law. You can opt out of receiving marketing communications from Coinbase through your account settings or by submitting a request via our Support Portal.
Right to non-discrimination: We will not discriminate against you for exercising any of your rights provided to you under law.
Right to lodge a complaint:
If you reside in the EEA, Switzerland, or the UK, you have the right to lodge a complaint about our practices with respect to your personal information with the supervisory authority of your country or state. In the UK, the relevant data protection authority is the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, +44 (0303) 123 1113, email: casework@ico.org.uk. In Ireland, the relevant data protection authority is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, +353 017650100 / + 353 1800437737, email: info@dataprotection.ie or by using the following online form: Forms for Data Protection.
If you reside in Australia or the Philippines, you may lodge a complaint about our practices with respect to your personal information with the supervisory authority of your country. In Australia, the relevant data protection authority is the Office of the Australian Information Commissioner, and complaints may be made through their website at www.oaic.gov.au. In the Philippines, the relevant data protection authority is the National Privacy Commission, email: complaints@privacy.gov.ph.
To protect your privacy and security, we may take steps to verify your identity before complying with your request and we may decline your request if we are unable to verify your identity.
Under certain US data privacy laws, as well as in Brazil, you may also designate an authorized agent to make these requests on your behalf.
These rights are not absolute, and may be denied: (a) when granting access or assisting portability would adversely affect the rights and freedoms of others; (b) to protect our rights and properties; (c) where the request is frivolous or vexatious; or (d) as otherwise permitted by law.
If you are a United States Resident, you can learn more about how we use your information and your privacy rights by reviewing our United States Privacy Notice. Any terms defined in the California Consumer Privacy Act (as amended) (“CCPA”) have the same meaning when used in the US Privacy Notice.
If you have questions or concerns regarding this Privacy Policy, or if you have a complaint, please contact us on our Support Portal, at dpo@coinbase.com, or by writing to us at the address of your Coinbase service provider (provided in Section 11. Our Relationship With You below).
We’re constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time as well. We post any changes we make to our Privacy Policy on this page and, where appropriate, we will provide you with reasonable notice of any material changes before they take effect or as otherwise required by law. The date the Privacy Policy was last updated is identified at the top of this page.
We may provide additional "just-in-time" disclosures or information about how we collect or use your information in the context of specific Services; these in-product notices may supplement or clarify our privacy practices or may provide you with additional choices about how we use your information.
If you reside in the EEA or Switzerland, Coinbase Ireland Limited, Coinbase Europe Limited and Coinbase Germany GmbH act as joint controllers in respect of your personal information. Coinbase Ireland Limited is the joint controller with primary responsibility for your personal information, including with respect to providing you with information and responding to any requests you may make under the GDPR. Please see more about how you can exercise your rights under the GDPR through our Privacy Rights Dashboard.
CONSUMER/INSTITUTIONAL SERVICES
DEVELOPER SERVICES