Privacy Policy

Last updated: January 11, 2026

This Privacy Policy outlines the comprehensive policies and detailed procedures that govern the collection, processing, storage, use, and disclosure of Your personal information when You interact with, access, or use the Service. It also provides a clear explanation of Your privacy rights, including how these rights are protected under applicable laws such as the UK Data Protection Act 2018, the General Data Protection Regulation (GDPR), and other relevant international data protection frameworks. Our commitment to transparency ensures that You understand exactly how We handle Your data to foster trust and compliance.

We collect and process Your Personal Data primarily to deliver, maintain, and enhance the Service, tailoring experiences to meet Your needs while adhering to the highest standards of data protection. By accessing or using the Service, You explicitly consent to the collection, processing, and use of Your information as described in this Privacy Policy. If You do not agree with these terms, please refrain from using the Service. We encourage You to read this policy carefully and contact Us if You have any questions or concerns.

Interpretation and Definitions

Interpretation

The words and phrases whose initial letters are capitalized throughout this Privacy Policy have specific meanings defined under the following conditions. These definitions apply uniformly whether the terms are used in singular or plural form, ensuring consistency and clarity across the document. Where context requires, interpretations may be adjusted to align with legal standards, but the core meanings remain fixed unless explicitly amended.

Definitions

For the purposes of this Privacy Policy, the following terms and their interpretations shall apply:

Account means a unique, personalized profile or account established for You, enabling secure access to the full range of features, functionalities, and content available through Our Service or specific sections thereof. This includes login credentials, profile settings, and associated permissions.
Affiliate means any entity, organization, or corporate body that directly or indirectly controls, is controlled by, or is under common control with a party to this policy. “Control” is defined as ownership of 50% or more of the shares, equity interests, voting rights, or other securities entitled to elect directors or managing authorities, including parent companies, subsidiaries, and joint ventures.
Company (referred to interchangeably as “the Company”, “We”, “Us”, or “Our” in this Agreement) refers to Trezor group LTD, a limited liability company registered in England and Wales with its registered office at [Registered Address], London, United Kingdom.
Cookies are small text files or data packets that are stored on Your computer, mobile device, tablet, or any other connected device by a website or online service. They capture details of Your browsing history, preferences, session information, and interactions on that site, serving various purposes such as personalization, analytics, and functionality enhancement.
Country refers to: United Kingdom, where the Company is primarily established and operates its core data processing activities.
Device means any hardware apparatus capable of accessing the Service, including but not limited to desktop computers, laptops, smartphones, cell phones, digital tablets, smartwatches, or other internet-enabled devices.
Personal Data is any information—whether digital, physical, or otherwise—that relates to an identified individual or one who can be reasonably identified from such data, either directly (e.g., name and email) or indirectly (e.g., IP address combined with browsing patterns). This aligns with definitions under GDPR Article 4(1).
Service refers to the Website, including all associated web pages, applications, features, and digital content provided by the Company.
Service Provider means any natural person, legal entity, third-party vendor, contractor, or partner who processes Personal Data on behalf of the Company. This includes external companies or individuals engaged to facilitate Service operations, deliver the Service, perform ancillary tasks (e.g., hosting, analytics), or assist in usage analysis and optimization.
Usage Data refers to data collected automatically through the Service, generated either by Your interactions or from the underlying infrastructure (e.g., server logs tracking page visit duration, session length, or error rates). It provides insights into how the Service is utilized without directly identifying individuals unless combined with Personal Data.
Website refers to Trezor group, accessible from https://trezorgroup.com, encompassing all linked subdomains, resources, and integrated tools.
You means the individual user accessing or utilizing the Service, or the corporate entity, organization, or legal body on whose behalf such individual acts, including employees, agents, or representatives.

Collecting and Using Your Personal Data

We are committed to collecting only the data necessary for legitimate purposes, always with respect for Your privacy. Below, we detail the types of data We collect, how it is gathered, and the mechanisms involved.

Types of Data Collected

Personal Data

While engaging with Our Service, We may request that You voluntarily provide certain personally identifiable information to enable core functionalities, such as account creation, communication, or personalized recommendations. This information is used solely to contact or identify You as needed. Examples of such Personal Data include, but are not limited to:

Email address (for notifications, verification, and account recovery).
First name and last name (for personalization and addressing You directly in communications).
Usage Data (as detailed below, which may be linked to Your identity for enhanced analytics).
Phone number (if provided for two-factor authentication or support queries).
Billing or payment details (e.g., credit card information, processed securely via third-party gateways, not stored by Us).
Profile preferences (e.g., language settings, notification opt-ins).

We only collect this data with Your explicit consent or as necessary for contractual performance, and You can withdraw consent at any time via account settings.

Usage Data

Usage Data is gathered passively and automatically whenever You interact with the Service, without requiring active input from You. This helps Us understand user behavior, troubleshoot issues, and optimize performance. Key elements of Usage Data may include:

Your Device’s Internet Protocol address (IP address, including IPv4 and IPv6 variants, for geolocation and security).
Browser type and version (e.g., Chrome 120, Firefox 115), operating system (e.g., Windows 11, iOS 17), and screen resolution.
Pages or sections of Our Service visited, including timestamps, referral sources, and exit points.
Time and date of visits, session duration, and bounce rates.
Unique device identifiers (e.g., advertising IDs on mobile devices) and other diagnostic metrics (e.g., CPU usage indicators for performance monitoring).

When accessing the Service via mobile devices, additional automated collection may occur, such as mobile device model (e.g., iPhone 15), unique hardware IDs, mobile IP address, operating system version, mobile browser type, and app-specific telemetry. Your browser or device may also transmit header information (e.g., User-Agent strings) during each visit, which We log for operational purposes. All Usage Data is anonymized where possible to minimize privacy risks.

Tracking Technologies and Cookies

To enhance functionality, security, and user experience, We employ Cookies and a suite of similar tracking technologies. These tools monitor activity on Our Service, store preferences, and enable analytics. Our tracking arsenal includes, but is not limited to, beacons (invisible pixels), tags (HTML snippets), scripts (JavaScript code), and local storage objects. These technologies collect and transmit data to improve Service delivery, analyze trends, and prevent abuse.

The specific technologies We deploy include:

Cookies or Browser Cookies. Small data files deposited on Your Device to remember state information. You can configure Your browser (e.g., via settings in Chrome or Safari) to refuse Cookies or receive alerts on placement. Note that disabling Cookies may impair features like login persistence or shopping cart functionality. By default, Our Service places Cookies unless You opt out.
Web Beacons (also known as Clear GIFs, Pixel Tags, or Single-Pixel GIFs). Tiny, invisible image files embedded in web pages, emails, or ads. They allow Us to track metrics like page views, email open rates, click-throughs, and user engagement. For instance, beacons help verify email deliverability, measure content popularity, and ensure system integrity by detecting server errors.
Local Storage and Session Storage. Browser-based storage mechanisms that retain data longer than session Cookies, used for offline capabilities or caching user inputs.
Third-Party Analytics Tools. Integrated services like Google Analytics (with anonymized IP tracking) to aggregate usage insights across sessions.

Cookies are categorized as “Persistent” (surviving browser closure, e.g., for 30 days to recall preferences) or “Session” (temporary, deleted on browser exit). We utilize both types for the following purposes:

Necessary / Essential Cookies
Type: Session Cookies
Administered by: Us
Purpose: Fundamental to Service operation, these enable core features like user authentication, session management, and fraud detection (e.g., preventing multiple logins from suspicious IPs). Without them, requested services—such as secure transactions—cannot function, and We limit their use strictly to delivery.
Cookies Policy / Notice Acceptance Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: Record Your acceptance or rejection of Our Cookies Policy, ensuring compliance with consent requirements under ePrivacy Directive and GDPR. These persist for up to one year or until revoked.
Functionality Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: Enhance usability by storing choices like login credentials (if “remember me” is selected), language selections, or theme preferences. This reduces friction, providing a seamless, personalized experience without repeated data entry.
Analytics and Performance Cookies
Type: Persistent Cookies
Administered by: Us and Third-Party Providers (e.g., Google)
Purpose: Analyze aggregate trends, such as most-visited pages or load times, to refine Service quality. Data is pseudonymized and not used for direct marketing.
Marketing and Advertising Cookies
Type: Persistent Cookies
Administered by: Third-Party Advertisers
Purpose: Deliver tailored ads based on interests inferred from browsing (e.g., retargeting past visitors). You can opt out via Our preferences center or tools like Your Online Choices.

For comprehensive details on Cookies, including opt-out instructions, management tools, and a full inventory, please refer to Our dedicated Cookies Policy or the Cookies section herein. We respect Do Not Track (DNT) signals where supported and provide granular controls.

Use of Your Personal Data

The Company processes Personal Data in a lawful, fair, and transparent manner, relying on bases such as consent, contract necessity, legitimate interests, or legal obligations (per GDPR Article 6). We may use Your data for:

To provide and maintain our Service, including real-time monitoring of usage patterns, load balancing, and automated backups to ensure 99.9% uptime.
To manage Your Account: Handling registration, verification (e.g., email confirmation), profile updates, and access controls. This unlocks premium features like saved preferences or history tracking for registered users.
For the performance of a contract: Fulfilling obligations under user agreements, such as processing orders, delivering digital goods, or providing subscription-based access, including post-purchase support and refunds.
To contact You: Via email, phone, SMS, in-app notifications, or push alerts for essential updates (e.g., security patches), service announcements, or troubleshooting. We limit frequency and honor opt-outs promptly.
To provide You with news, special offers, newsletters, and promotional content about similar products/services (e.g., if You’ve inquired about a feature, We may suggest related upgrades). This is opt-in only; unsubscribe via links in emails.
To manage Your requests: Responding to support tickets, feedback forms, or feature suggestions, including escalation to specialized teams for complex issues.
For business transfers: Evaluating or executing corporate events like mergers, acquisitions, or asset sales, where user data may be treated as a transferred asset. We’ll notify affected users in advance.
For other purposes: Conducting advanced data analysis (e.g., machine learning for trend prediction), identifying emerging usage patterns, measuring campaign ROI, and iteratively improving Service UX/UI, product roadmaps, and marketing strategies based on anonymized aggregates.
For compliance and risk management: Auditing internal processes, detecting anomalies (e.g., via AI-driven fraud alerts), and ensuring adherence to regulatory standards.

Sharing of Your Personal Data

We do not sell Your Personal Data. Sharing occurs only in limited, controlled scenarios, always with safeguards like data processing agreements (DPAs) enforcing GDPR compliance. Situations include:

With Service Providers: Trusted vendors for tasks like cloud hosting (e.g., AWS), email delivery (e.g., SendGrid), analytics (e.g., Google Analytics), or payment processing (e.g., Stripe). They are contractually bound to use data only for specified purposes and delete it upon task completion.
For business transfers: During negotiations or execution of mergers, asset sales, financings, or acquisitions, data may be disclosed to potential buyers under strict NDAs, with continuity of this Privacy Policy unless otherwise notified.
With Affiliates: Shared internally across Our corporate family (e.g., parent or subsidiary entities) for consolidated operations, provided they adhere to equivalent privacy standards and this Policy.
With business partners: Collaborators for co-branded promotions, joint ventures, or integrated services (e.g., affiliate marketers), but only with Your prior consent and limited to relevant subsets of data.
With other users: In public forums, comments, or shared content areas, where You choose to post (e.g., reviews), making it visible Service-wide or externally via APIs/social integrations.
With Your consent: For ad-hoc purposes, such as research studies or custom integrations, explicitly approved by You.
For legal or safety reasons: As detailed in the Disclosure section below.

All recipients are vetted for security, and We minimize data shared (data minimization principle).

Retention of Your Personal Data

Your Personal Data is retained only as long as necessary to fulfill the purposes outlined herein, guided by retention schedules aligned with legal requirements. For example:

Account data: Retained while active, plus 12 months post-deletion for backup/recovery.
Transaction records: 7 years for tax/audit compliance (UK HMRC standards).
Usage Data: 26 months for analytics, shorter (90 days) for raw logs unless needed for disputes.

We securely delete or anonymize data upon expiry, except where retention is mandated (e.g., litigation holds) or justified for legitimate interests like security enhancements. Usage Data for internal reviews is kept briefly, extended only for Service improvements or legal mandates.

Transfer of Your Personal Data

Data processing occurs primarily in Our UK-based facilities, but may involve global partners. Transfers to countries outside the UK/EEA (e.g., US-based providers) comply with adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs) under UK GDPR Chapter V.

By submitting data, You consent to such transfers, acknowledging potential variances in protection levels. We implement safeguards like encryption (AES-256), access controls, and regular audits to ensure security parity with UK standards. No transfers occur to high-risk jurisdictions without equivalent protections.

Your Data Protection Rights

Under UK/EU law, You hold extensive rights over Your data:

Access: Request confirmation of processing and a copy of Your data (free once annually).
Rectification: Correct inaccurate or incomplete information.
Erasure (“Right to be Forgotten”): Delete data where no longer needed, subject to exceptions.
Restriction: Limit processing during disputes.
Portability: Receive data in structured format for transfer.
Objection: Oppose processing based on legitimate interests.
Withdraw Consent: At any time, without affecting prior lawfulness.

Exercise via account dashboard or email; responses within one month.

Delete Your Personal Data

You may request deletion of collected Personal Data at any time. Our Service includes self-service tools (e.g., “Delete Account” button) for immediate removal of visible info. For comprehensive erasure:

Log in and navigate to Account Settings > Privacy > Data Management.
Select deletion options and confirm.

Alternatively, email Us for assistance. We’ll process within 30 days, retaining minimal data for legal reasons (e.g., fraud prevention logs for 6 years). Bulk deletions may take longer for verification.

Disclosure of Your Personal Data

Business Transactions

In events like mergers or acquisitions, Your data may transfer to successors. We’ll notify You via email/Service notice at least 30 days prior, outlining any Policy changes.

Law Enforcement

We disclose data only if compelled by valid legal processes (e.g., court orders, ICO requests), minimizing scope and notifying You unless prohibited.

Other Legal Requirements

Disclosure occurs in good faith to:

Fulfill legal duties (e.g., anti-money laundering reports).
Safeguard Company rights/property (e.g., IP infringement claims).
Investigate/prevent Service-related misconduct (e.g., spam, harassment).
Protect user/public safety (e.g., imminent harm alerts).
Avoid liability (e.g., subpoena responses).

Security of Your Personal Data

Protecting Your data is paramount. We employ industry-leading measures:

Encryption: In-transit (TLS 1.3) and at-rest (AES-256).
Access: Role-based controls, multi-factor authentication (MFA), and regular audits.
Monitoring: Intrusion detection systems (IDS), DDoS protection, and SIEM tools.
Training: Annual staff privacy education.
Incident Response: 24/7 monitoring with breach notifications within 72 hours per GDPR.

Despite these, no system is infallible; We recommend strong passwords and vigilance against phishing.

Children’s Privacy

Our Service targets users 13+ and does not knowingly solicit data from children under 13 (or 16 in some jurisdictions). If We discover unverified child data, We delete it immediately and notify guardians. Parents/guardians: Contact Us to review/remove child data. For consent-based processing, parental verification (e.g., credit card check) is required. We comply with COPPA and UK Age-Appropriate Design Code.

Links to Other Websites

The Service may link to external sites for resources or integrations (e.g., social media shares). These are not under Our control; We disclaim liability for their content, policies, or practices. Review third-party privacy notices before interacting—e.g., Facebook’s for login via OAuth.

Changes to this Privacy Policy

We may revise this Policy to reflect legal, operational, or Service evolutions. Material changes (e.g., new data uses) trigger:

Email notifications to registered users.
Prominent banners/pop-ups on the Service.
Updated “Last updated” date.

Minor tweaks are effective immediately upon posting. Review periodically; continued use post-change implies acceptance. For disputes, prior version applies until notice.

Contact Us

For inquiries, complaints, or rights exercises, reach Our Data Protection Officer:

- By email: privacy-policy@trezorgroup.com (responses within 48 hours).