Privacy Notice for Candidates

The GSR group of companies (“GSR Group”) is made up of different legal entities.

Details of which GSR Group companies this Privacy Notice is issued on behalf, their roles and location, can be found below.

GSR’s business is that of dealing in, with and across cryptocurrencies, cryptocurrency trading platforms and across cryptocurrency markets globally. It includes (a) the provision and administration of various trading services and instruments to Clients, (b) engaging with Clients, exchanges, token issuers, miners and other market participants, (c) the provision of market liquidity as a market maker, and (d) the provision of our Website and Newsletter.

This Privacy Notice is issued on behalf of the GSR Group so when we mention “GSR“, “we“, “us‘ or “our” in this Privacy Notice, we are referring to the relevant company in the GSR Group responsible for processing your data as the context admits.

GSR is a “controller”. This means that GSR is responsible for deciding how it holds and uses personal information about you.

Because you are applying for a Role or we would like to include you in our talent management programme, we are required by law to make a privacy notice available to you containing certain information to make you aware of how and why your Personal Information will be used (namely for the purposes of receiving applications and/or the active recruitment for a Role, and/or talent management) and how long it will be retained for. This Privacy Notice contains that information.

This Privacy Notice applies to Candidates applying and being considered through the recruitment process for a Role, whether you are internal or external to GSR. It also applies to those Candidates included in our talent management programme who wish to be kept informed about future opportunities within GSR.

It is important that you read and retain this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using that information and what your rights are under the relevant data protection legislation.

We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, you can contact the DPO via dpo@gsr.io or via the contact form on our Website (Contact us – GSR Markets).

In connection with your application for a Role, our recruitment of you and managing our prospective candidate pool, we will collect, store, and use the following categories of Personal Information about you:

• The information you have provided to us in your curriculum vitae / resume (together “CV”) and any covering message or letter.
• The information you have provided on our application form, including name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications, skills and/or experience, remuneration, notice period, status of right to work etc.
• Any information you provide to us during an interview. For example, and not as an exhaustive list, there may also be a restricted few roles for which we require an assessment to be completed.  Currently this is restricted to only those roles that require coding skills or being skilled in designing or building information technology processes, systems and/or environments (together “IT Skills”). We assess a Candidate’s IT Skills via a live interview using a technical assessment platform called Coderpad. This helps Candidates easily share their skills and demonstrate their work.
• References.
• Your image, for example via CCTV footage. If you are applying for a role that requires IT Skills we may record the live part of the interview for the primary purpose of helping us assess Candidates coding skills. As part of that we may also record your image or voice.
• Details about your visits to the web-portal housing the Role by using Cookies (see our Cookie Notice), including, but not limited to:
  • traffic data;
  • location data; and/or,
  • other communication data from the website that referred you to our career’s website and any information that you access.
• If you are an internal Candidate, GSR may collect data from your line manager, which in addition to the above may include, but not be limited to, performance information.
• Any other information you share with us, verbally or in written form.

We may also collect, store and use more Sensitive Categories of Data about your race or ethnicity, religious beliefs, sexual orientation, political opinions and/or data concerning health.

We collect Personal Information about Candidates from the following sources:

• You, the Candidate.
• Your recruitment agency or other representative, from which we collect the following categories of data: CV and vocational history, contact details, remuneration and notice period, and any other information they supply. We may also collect information about your visa status, if relevant.
• Other referrals, for example, from current staff.
• Third party publicly accessible sources are not used, except LinkedIn which acts to funnel candidates into Greenhouse.

We also need to process your Personal Information to decide whether to enter a contract with you.

Having received your CV and/or covering message or letter and/or application form, we will then process that information to decide whether you meet our requirements to be shortlisted for a Role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to progress further with your application, including whether to offer you a Role (where relevant).  If we decide to offer you a Role, we will take up your references, carry out criminal records checks (where legally permissible) and/or carry out any other pre-employment checks we feel prudent before confirming your appointment. We may use a third party to help co-ordinate and conduct our background checks and the taking of references.

Please note that we may process your Personal Information without your knowledge or consent, in compliance with the above, and/or where it is required or permitted by law.

Please also see our Cookie Notice for how and why we use which cookies.

If you fail to provide information when requested, which is necessary for us to consider your suitability for a Role (such as evidence of qualifications or work history), we may not be able to process your application successfully. For example, if we require a credit check or references for a Role and you fail to provide us with relevant details, we may not be able to progress with the evaluation of your suitability for a Role.

We will only use your Personal Information for the purposes for which we collected it as outlined in this Privacy Notice, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

We will use your particularly Sensitive Categories of Data in the following ways:

• We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made throughout our recruitment process.
• We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.

The lawful bases GSR relies on when processing your special category data (as defined under the GDPR in the UK and EU) are for the purposes of carrying out GSR’s obligations under employment law, other applicable law or regulation with which GSR must comply, or, for reasons of substantial public interest.

If we offer you a Role, only then will we carry out criminal records checks.  We will be informed of the results being clear or not clear.  We do not envisage that we will process information about criminal convictions at this stage.

We may then approach you for clarification of the criminal records certificate.

If you volunteer any criminal convictions, we may process that data and if so, such processing shall be within our legitimate interests, and additionally for reasons of substantial public interest, to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for a Role.

We use automated decision making only at the beginning of the recruitment process when we use a list of general questions to screen for suitable candidates.  For example, as part of our screening process we may include questions to identify those candidates that have a right to work in the jurisdiction where the role is located. It is within GSR legitimate interests to screen for candidate applications the most appropriate candidates.

Automated decision making does not currently involve the use of any model of artificial intelligence.

If your application is rejected and you would like the decision to reject your application reviewed, you can write to us and ask that an appropriate person in HR at GSR reviews the automated decision.

Except as above, you will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Who do you share my Personal Information with?

We will only share your Personal Information internally within GSR and with those members of Staff involved in recruiting for Roles you are applying for or may be suitable for or assessing your suitability for such a Role.

We may also share your Personal Information across the GSR Group.  We may share your Personal Information internally across the GSR Group where necessary to support of the recruitment process, the processing your application, assessment of you as a prospective candidate, evaluating your suitability for a Role, progressing your application, and where you are successful, up to and including extending to you an offer of a job with GSR as a member of Staff.

Members of the GSR Technology team may have incidental access to your Personal Information when providing technical support to the operation of GSR technology.

We will never rent or sell your Personal Information.

Which third-party service providers process my Personal Information?

We use a software hiring platform called ‘Greenhouse’ provided by Greenhouse Software, Inc. which GSR uses on a global basis.

Should you be successful, some of the information obtained during the recruitment process may be shared with our pre-employment screening provider, currently Jefferson Hunt (and their affiliates).

Where appropriate we may also use advisers for services such as visas / work permits or for the purposes of relocation.

All our third-party service providers and other entities in the Group are required to take appropriate security measures to protect your Personal Information in line with our policies. We do not allow our third-party service providers to use your Personal Information for their own purposes. We only permit them to process your Personal Information for specified purposes and in accordance with our instructions.

All Personal Information obtained as part of the recruitment and talent management processes will be processed in the UK and EU, as well as the country within which a Role is based, in compliance with all applicable privacy and data protection laws that GSR is subject to, including but not limited to the GDPR.

Where your Personal Information is transferred outside of the UK / EU or the country where a Role you are applying for is based, GSR complies with all obligations imposed on it regarding international transfers.  For the avoidance of doubt, if a Role is based in one of our international offices, your Personal Information will be processed by GSR employees based in that location as well as within the UK / EU. Additionally, GSR may share your Personal Information with any of the GSR Group companies globally for purposes connected with the Role you are applying for and / or other potential opportunities you may be suitable for.

GSR complies with all obligations imposed on it regarding international transfers.  Where such sharing involves a transfer to any party in a jurisdiction which is regarded as not having an adequate level of protection for your Personal Information to a standard at least equivalent to GDPR, or that required by the privacy and data protection laws applicable within the country where a Role is based (if a higher standard), GSR will nevertheless ensure that your Personal Information receives an adequate level of protection by putting in place appropriate measures to ensure that your Personal Information is treated by those third parties in a way that is consistent with, and which respects the applicable law, including GDPR. For example, transfers from:

• the UK, shall be made subject to the ICO’s International Data Transfer Agreement;
• the EU, shall be made subject to the specific contractual clauses approved by the European Commission (the “EU Standard Contractual Clauses”); and,
• in the case of a transfer of Personal Information from both the UK and EU, the EU Standard Contractual Clauses together with the ICO’s International Data Transfer Addendum.

We have put in place appropriate security measures to prevent your Personal Information from being accidentally or unlawfully destroyed, lost, altered or the authorised disclosure of, or access to, Personal Information transmitted, stored or otherwise processed.

We limit access to your Personal Information to those Staff and other third parties who have a business need-to-know. They will only process your Personal Information on our instructions, and contractually have agreed to treat the information confidentially and to keep it secure.

We have put in place procedures to deal with any suspected or actual data security breach and will notify you and any applicable regulator of a suspected or actual breach where we are legally obligated to do so.

We may retain your Personal Information after we have communicated to you our decision about whether to appoint you to a Role.

We will only retain your Personal Information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying or complying with any applicable legal, regulatory, compliance, or internal policy requirements (which comply with the minimum requirements of applicable law and regulation) and/or risk management purposes.

We retain your Personal Information so that we can show, in the event of a legal claim, that we have not discriminated against Candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way.

After this period, we will securely destroy your Personal Information in accordance with our Data Retention Policy.

If we wish to retain and process your Personal Information as part of our talent management programme on the basis that a further opportunity may arise in future and we may wish to consider you for that, our practice is to separately seek your consent to retain your Personal Information.  We may also seek your consent at the same time you submit any application to us online.

Where you consent, we will keep your Personal Information as part of our talent management programme for a maximum of two (2) years from last meaningful contact.

After the expiry of the two (2) years we will securely destroy your Personal Information in accordance with our Data Retention Policy.

Under certain circumstances, by law you have the right to:

• Request access to your Personal Information (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Information we hold about you and to check that we are lawfully processing it.
• Request correction of the Personal Information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your Personal Information. This enables you to ask us to delete or remove Personal Information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Information where you have exercised your right to object to processing (see below).
• Object to processing of your Personal Information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
• Request the restriction of processing of your Personal Information. This enables you to ask us to suspend the processing of Personal Information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your Personal Information to another party.

If you want to exercise any of your rights in relation to your Personal Information please contact the Privacy Team via hr@gsr.io

No fee usually required

You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that Personal Information is not disclosed to any person who has no right to receive it.

You have the right to withdraw your consent or to opt out of the processing for the purposes of recruitment or talent management at any time where and to the extent that consent is the legal basis for the processing of some or all of your Personal Information, including in jurisdictions where that consent is deemed or implied.

To withdraw your consent or to opt out, please contact hr@gsr.io

Once we have received notification that you have withdrawn your consent / opted out, we will no longer process your application or include you in our talent management programme (as applicable) and, subject to our Data Retention Policy, we will dispose of your Personal Information securely.

We have appointed a DPO to oversee compliance with this Privacy Notice.

If you have any questions about this Privacy Notice or how we handle your Personal Information, please contact the Privacy Team via dpo@gsr.io.  You can also write to:

• For the UK: FAO The Privacy Team, GSR Resources UK Limited, 3rd Floor, 65 Curzon Street, London W1J 8PE
• For any EU country: FAO The Privacy Team (London), Edificio Eurocomsur, Oficina 6, C / Mauricio Moro Pareto, 2. Malaga 29006
• For all other countries: FAO The Privacy Team (London), at the office address in the country where the Role is based

You have the right to make a complaint at any time if you feel the processing of your Personal Information infringes the applicable privacy and data protection laws:

• For UK Candidates: to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk)
• For EU Candidates: to the Agencia Española de Protección de Datos, the Spanish regulator for data protection issues, and GSR’s lead supervisory authority within the EU (www.aepd.es)
• For all other Candidates:  As per the applicable Annex

We would, however, appreciate the chance to deal with your concerns before you approach a supervisory authority so please contact us in the first instance.

We reserve the right to update this Privacy Notice at any time, and we will make a new Privacy Notice available to you when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your Personal Information.

Additional terms applicable to Candidates in the Cayman Islands

1. “Personal Information” in the Privacy Notice shall include the definition of personal data under the Cayman Islands Data Protection Act (2021 revision) (“Cayman DPA”).
2. Your Personal Information is transferred to the UK and may be processed by any member of the GSR Group for purposes connected with the recruitment and talent management processes.  Cayman Island data protection law deems UK GDPR to provide an adequate level of protection, and no additional transfer mechanism is required.
3. GSR may, where not prohibited under the Cayman DPA, charge an individual a fee to recover the costs of responding to an access request.

The data protection supervisory authority for the Cayman Islands is the Office of the Ombudsman of the Cayman Islands (www.ombudsman.ky)

Additional terms applicable to Candidates in Singapore

1. “Personal Information” in the Privacy Notice shall include the definition of personal data under the Personal Data Protection Act of 2012 (No. 26 of 2012) of Singapore (“PDPA”).
2. For the purposes of interpreting ‘consent’ under the PDPA in the context of this Privacy Notice, your consent can either be:
   1. Deemed consent by notification arising after being provided with the information in this Privacy Notice;
   2. Deemed consent by conduct arising where you voluntarily provide Personal Information in connection with the purposes as outlined in this Privacy Notice; or,
   3. Deemed consent by contractual necessity where the disclosure of Personal Information is necessary for the performance or conclusion of a transaction.
3. Your Personal Information is transferred to the UK and may be processed by any member of the GSR Group for purposes connected with the recruitment and talent management processes.
4. GSR may, where not prohibited under the PDPA, charge an individual a fee to recover the costs of responding to an access request. Before doing so, GSR shall provide you with a written estimate of the fee.
5. Although not currently available under Singaporean law, GSR will endeavour to service a data portability request.
6. There is no general right to object to direct marketing. However, you can withdraw consent to the collection, use and disclosure of your Personal Information at any time.

The data protection supervisory authority for Singapore is The Personal Data Protection Commission, (www.pdpc.gov.sg).

Terms applicable in Spain 

Si necesita traducir la Política de Privacidad, por favor, envíe un correo electrónico a privacy@gsr.io

In addition to the terms of the Privacy Notice if you are in Spain, the following additional terms apply:

1.1 To the extent Spanish privacy and data protection law over and above GDPR applies directly to GSR, GSR will comply with Spanish law in all material respects.

1.2 Your subject access rights are not unqualified under Spanish law.  Because GSR is a financial entity that is subject to anti-money laundering regulations, GSR has an obligation to both block data (i.e., not comply with a request for rectification or erasure) and adopt technical and organisational measures to prevent the processing of blocked data (unless otherwise directed by a competent authority with jurisdiction).  This obligation to block only applies once any retention period applicable to the Personal Information has expired, and such block must remain in place for no less than a further three (3) years.

1.3 We may transfer your Personal Information outside of Spain. When transferring your Personal Information outside of Spain, we will, where required by applicable law, implement at least one of the safeguards set out below which give your Personal Information the same protection it has in Spain.

1.4 Please contact us if you would like further information on the specific mechanisms used by us when transferring your Personal Information outside of Spain.

1.5 If you have any questions about this Privacy Notice, about the use of your Personal Information or you want to exercise your privacy rights, please contact the Data Protection Officer and their team in the following ways:

1.5.1 Email address: dpo@gsr.io

1.5.2 Postal address: FAO The Privacy Team (London), Edificio Eurocomsur, Oficina 6, C / Mauricio Moro Pareto, 2. Malaga 29006

You can complain at any time if you feel the processing of your Personal Information infringes GDPR and/or the local implementing Spanish law (‘LOPDGDD’ – Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales) by contacting the Agencia Española de Protección de Datos, the Spanish regulator for data protection issues (www.aepd.es), which is also GSR’s lead supervisory authority within the EU.  We would appreciate the chance to deal with your concerns before you approach an appropriate authority and ask that you contact us in the first instance.

1. Under the Federal Act on Data Protection of 25 September 2020 and its ordinances, (i.e., the Ordinance on Data Protection and the Ordinance on Data Protection Certification 2023) (“FADP”) there is no requirement for a legal basis to be shared prior to processing, so the legal bases outlined in the Privacy Notice are provided for information only.
2. In responding to an access request there are a limited set of circumstances where GSR is not obliged to disclose Personal Information, including to the extent that:
   1. You already have the information;
   2. The processing is required under Swiss law (which includes collecting Personal Information for employment purposes not requiring any notice under Swiss law);
   3. There is an overriding third party interest (which may include interests of other employees), and no data is shared with third party controllers (except for companies in the Group);
   4. Providing the Personal Information defeats the purpose of the processing;
   5. The access request is evidently of a frivolous nature or evidently unfounded, or contrary to data protection law; and/or,
   6. As otherwise provided for under Swiss law (for example: a professional secrecy obligation).
3. In addition to your rights as provided for in the main part of the Privacy Notice, where you have requested your Personal Information be corrected or rectified, you also have the right for the relevant Personal Information to be marked as disputed.
4. Reviews by a GSR member of Staff of automated decisions made about individuals do not need to be conducted where the decision:
   1. is taken with your explicit consent; or
   2. occurs directly in connection with the conclusion or performance of an agreement with you, where the outcome of the automated decision-making process is in your favour or approving that which you request.
5. GSR may, where not prohibited under the FADP, charge a fee of up to CHF 300 if the fulfillment of the request would involve a disproportionate effort. GSR will notify you of the amount of contribution required (if applicable) before fulfilling the request and you will have ten (10) days to accept our offer.
6. Your Personal Information may be transferred to the UK and be processed by any member of the Group for purposes connected with the recruitment and talent management processes.  Under the FADP, the United Kingdom and Spain are deemed to provide an adequate level of protection, and no additional transfer mechanism is required, as are any transfers to the United States of America under the CH-US Data Privacy Framework.  In addition to the UK and EEA countries, the Federal Council maintains a list of countries it regards as providing an adequate level of protection. Transfers to other third countries shall be subject to standard contractual clauses approved, recognised or issued by the Federal Data Protection and Information Commissioner.
7. The data protection supervisory authority for Switzerland is Federal Data Protection and Information Commissioner (www.edoeb.admin.ch)

Additional terms applicable to Candidates in the United States of America

1. For the purposes of this Annex 4, the following amended definitions shall apply:
   1. a ‘business’ is defined as the entity that determines which Personal Information is collected and what it is to be used for, and any reference to ‘controller’ in this Privacy Notice shall also include reference to a business; and,
   2. a ‘service provider’ (which under the California Consumer Privacy Act 2018 (“CCPA”) shall include references to a ‘contractor’) is defined as an entity that processes Personal Information at the direction of a ‘business’, and any reference to ‘processor’ in this Privacy Notice shall also include reference to a service provider (and under the CCPA a contractor).
2. In the United States of America (“US”):
   1. Most state general privacy laws do not cover Personal Information processed in the context of considering an application by a Candidate for a Role;
   2. Most state laws generally allow processing of Personal Information by default, without a requirement to state the legal basis for processing Personal Information, so the legal bases outlined in this Privacy Notice are provided for information purposes only;
   3. Collecting Personal Information about prospective staff is generally seen as a legitimate activity, provided that it is carried out for non-discriminatory and legitimate business purposes. (However, general restrictions to Personal Information processing under the CCPA apply in the employment context); and,
   4. We do not need your consent to de-identify your Personal Information for our further use.
3. The CCPA only applies where and to the extent that “Personal Information” is collected by GSR about you:
   1. in the course of you applying for a job with, being an employee of, owner of, director of, officer of, or independent contractor of, GSR (a “workforce” member), then to the extent that your Personal Information is collected and used by the business solely within that workforce context;
   2. that is emergency contact information of a workforce member, to the extent that such Personal Information is collected and used solely within that “emergency contact” context; and / or,
   3. that is necessary for the business to retain to administer benefits for another person relating to the workforce member, to the extent that the Personal Information is collected and used solely within the context of administering those benefits.
4. Your Personal Information is transferred to the UK and EU and may be processed by any member of the GSR Group for purposes connected with the recruitment and talent management processes.
5. Under CCPA we limit our collection, use, retention, and sharing of Personal Information to what is reasonably necessary and proportionate to achieve the purposes for which the Personal Information was collected or processed, or for another disclosed purpose that is compatible with the context in which the Personal Information was collected, and not further processed in a manner that is incompatible with those purposes. In the past 12 months GSR may have collected the categories of Personal Information as outlined in ‘What kind of Personal Information do we hold about you?’ (paragraph 3) in above for our business purposes (as defined by Cal. Civ. Code 1798.140(e)).
6. We do not:
   1. Use:
      1. Automation software or tools to screen or assess applicants or employees for “honesty”, “integrity”, or similar characteristics; or,
      2. Artificial intelligence,

      in deciding whether or not to offer you a Role at GSR;

   2. Sell, rent out, release, disclose, disseminate, make available, transfer, or otherwise communicate your Personal Information to another business or a third party for monetary or other valuable consideration. We only share your Personal Information with our GSR Group, and third parties as required to process your application.
7. We will not share your non-public information with any third party, otherwise than:
   1. To comply with any rule, regulation, law, or otherwise any direction of a competent authority with jurisdiction;
   2. To perform a contract between us or to enter into a contract between us;
   3. Where within our legitimate interests (having regards to your rights and freedoms); or,
   4. With your consent.
8. Depending on which US state you reside in, you may have various qualified rights relating to Personal Information that GSR collects and processes about you – please see Your legal rights in connection with your Personal Information (paragraph 15). In addition, you have the right to opt out of commercial electronic mail messages (e.g., such as direct marketing emails and text messages). For the avoidance of doubt, we currently do not send you marketing emails where you have not consented to receive them.  We will not text or call your mobile number to market to you. We do not use fax. We do not engage in targeted advertising;
9. Direct GSR to stop selling or sharing your Personal Information. For the avoidance of doubt, we do not sell, rent out, release, disclose, disseminate, make available, transfer, or otherwise communicate your Personal Information to another business or a third party for monetary or other valuable consideration. We only share your Personal Information with our GSR Group and third parties to the extent where necessary to process, review, consider, evaluate, and where relevant progress an application for a Role (see also Data sharing (paragraph 11).
10. If you are in California, then you may have the right:
    1. To direct GSR to stop sharing your Personal Information. Please see also ‘If you fail to provide Personal Information’ (paragraph 6);
    2. To limit our use and disclosure of your Sensitive Personal Information.  Please see also ‘If you fail to provide Personal Information’ (paragraph 6); and,
    3. To avoid discrimination upon exercising the rights granted by the California Privacy Rights Act 2020.
11. If you exercise your privacy rights (“Privacy Rights Request”):
    1. We will endeavour to respond to a request from you within the timeframes required by the law of the relevant US state.
    2. If we need more time or an extension, we will inform you in writing of the reason and extended time period.  Where a US state law prescribes a maximum response time period, any extra time or extended period we require, will comply with any relevant US state’s prescribed maximum response time period.
    3. Via:
       1. Email or other electronic means, we will deliver our written response to a verified email address associated with the request; or,
       2. Telephone, you will need to provide us with either your preferred (and verifiable) physical or email address, which we will then use to provide a written response to you.
12. GSR may, but is not obligated to, charge an individual a fee in order to recover the costs of responding to a Privacy Rights Request. If we determine that the request warrants a fee (for example where it is excessive, repetitive, or manifestly unfounded), we will tell you why we made that decision and provide you with a cost estimate before completing your request.
13. Depending on which US state you reside in (for example only, Connecticut), you may have the right to appeal where we decline your Privacy Rights Request. You must appeal within a reasonable time after your receipt of our decision. Following receipt of your appeal, then within any time period prescribed under the relevant states law, GSR will write to you clarifying what action it has taken or not taken, and an explanation of the reasons for the decision. If an appeal is denied, where required by state law, you can contact the relevant state attorney general to complain if you wish to.
14. Your Personal Information may be transferred to any other GSR Group company or any third party we engage to enable us to progress with your application for a Role. Please see also ‘Where we process your Personal Information in paragraph 12. Your Personal Information may be transferred to any other company in the Group, including to the UK and EU, and may be processed for purposes connected with your application or enquiry about a Role with GSR. If GSR were to transfer your Personal Information to a recipient in a country whose laws provide a lower level of protection (both from a privacy and security perspective) as compared to the relevant US state(s) law(s), we require such recipient to comply with a standard no less than as is provided by the applicable US state(s) law(s).
15. We will comply with all federal and state law breach notification requirements including but not limited to the requirement to notify, the contents of any notification, the parties to be notified and any required remedial steps.
16. Some Privacy regulations in US states (for example only, California and Delaware), require GSR to indicate whether it honours your browser’s “Do Not Track” settings. GSR adheres to the standards set out in this Privacy Notice and does not respond to Do Not Track browser requests. To find out more about “Do Not Track,” please visit www.allaboutdnt.com. Our Third-Party Suppliers, such as web analytics companies and third-party networks may collect information about you and your online activities over time and across our Website. These third parties may not change their tracking practices in response to do not track settings in your web browser and we do not obligate these parties to honour do not track settings.  We utilise Google Analytics for our web analytics, and you can opt out of your usage data being included in our Google Analytics reports by visiting https://tools.google.com/dlpage/gaoptout. As stated, GSR does not engage in targeted advertising.  For more information on any third parties that process any Personal Information about you on our Website.
17. If we update this Privacy Notice, except to the extent that the processing is for a lawful reason, we will give you notice of the changes and the opportunity to opt out.
18. If you have a question about this Privacy Notice, about the use of your Personal Information or want to exercise your privacy rights, please contact the Data Protection Officer and their team by:
    1. Email to: dpo@gsr.io
    2. Post to: FAO The Privacy Team (London), GSR Markets, 347 5th Avenue, Suite 1402-700, New York, NY 10016
    3. Toll free telephone by calling: 888-560-8266.
19. We would appreciate the chance to deal with your concerns before you approach an appropriate authority and ask that you contact us in the first instance.
20. If you want to make a complaint or if you feel your rights have been infringed, you can contact:
    1. The relevant attorney generals of the states who have authority to enforce their state’s privacy laws (if any). In particular:
       1. Wyoming, Wyoming’s Attorney General can be contacted via www.ag.wyo.gov/home. Wyoming does not currently have a law in place that specifically regulates data protection and consumer privacy. However, the Consumer Protection Unit of Wyoming’s Attorney General has the authority to examine, among other things, consumer privacy invasions.
       2. The California Attorney General (www.oag.ca.gov) and the California Privacy Protection Agency (www.cppa.ca.gov) share authority to enforce the CCPA.
    2. Otherwise for the following states the relevant State Attorneys (or district attorneys where empowered by their state to enforce the law, e.g., Colorado) for each of Colorado, Connecticut, Delaware (from 1 January 2025), Florida, Indiana (from 1 July 2026), Iowa (from 1 January 2025), Kentucky (from 1 January 2026), Maryland (from 1 October 2025), Minnesota (from 31 July 2025), Montana, Nebraska (from 1 January 2025), Nevada, New Hampshire (1 January 2025), New Jersey, Oregon, Rhode Island (from 1 January 2026), Tennessee (from 1 July 2025), Texas, Utah and Virginia have authority to enforce their state’s privacy laws.
    3. the United States Federal Trade Commission (www.ftc.gov) in certain circumstances.