Privacy Policy

Effective date: 1 April 2026 Last updated: March 2026 Applies to: onoff.finance

1. Who we are

Trend IT OÜ (“we”, “us”, “our”) operates the onoff.finance platform. We are a company registered in Estonia (registry code 12637197, VAT EE101824907).

This Privacy Policy explains what data we collect, why we collect it, and your rights under the General Data Protection Regulation (GDPR) and applicable Estonian and EU law.

For any privacy-related questions, contact us at: [email protected]

2. What data we collect — and what we do not

      onoff.finance is designed to collect as little data as possible. The application itself does not collect or store your name, email address, identity documents, payment details, or wallet addresses. These are collected exclusively by our payment and identity provider.
    

Data we collect directly:

Transaction intent data: The direction (buy or sell) and amount you enter in the application before the widget loads. This is passed to the widget and is not stored on our servers.
Cookies: We use essential cookies required for the application to function. The widget embedded in our application may set its own cookies. See section 5 for details.
Technical data: Standard server logs (IP address, browser type, pages visited) for security monitoring and performance purposes. These are retained for 30 days and then deleted.

Data we do not collect: name, email address, identity documents, selfies or biometric data, payment card details, bank account details, wallet addresses, or transaction history. All of this is handled exclusively by XXX.

3. xxx — our payment and identity provider

When you use onoff.finance to buy or sell cryptocurrency, you interact with a widget provided by Inc., a globally licensed and regulated payment service provider. XXX operates as an independent data controller for the personal data you provide within their widget, including your email address, identity documents, and payment information.

XXX’s processing of your data is governed by XXX’s Privacy Policy. We encourage you to read it before completing a transaction.

We share no personal data with XXX beyond the transaction amount and direction you select in our application interface, which is used solely to pre-fill the widget for your convenience.

4. Legal basis for processing

Processing activity	Legal basis
Technical logs (IP, browser, access times)	Legitimate interests (Article 6(1)(f) GDPR) — security and performance monitoring
Essential cookies	Legitimate interests — required for the application to function
XXX widget cookies	Consent (Article 6(1)(a) GDPR) — obtained via cookie consent banner before the widget loads

5. Cookies

Essential cookies are set by onoff.finance for basic application functionality. These do not require consent and cannot be disabled.

Third-party cookies are set by the XXX widget (operated by XXX Inc.) when you interact with it. These are used by XXX for authentication, fraud prevention, and transaction security. We obtain your consent for these cookies via our cookie consent banner before the widget loads.

You can withdraw consent for third-party cookies at any time via the cookie settings link in the footer. Note that withdrawing consent will prevent the XXX widget from loading and means you will not be able to use the platform’s core functionality.

6. Data retention

Data type	Retention period
Server access logs	30 days, then automatically deleted
Cookie consent records	3 years from the date of consent
Identity and payment data	Not held by us — held by XXX per their retention policy

7. Data transfers outside the EEA

Our application is hosted on infrastructure with EU-region availability (Vercel). Server logs are processed within the EEA.

XXX Inc. is a US-registered company with global operations. Your data processed by XXX may be transferred outside the EEA. These transfers are governed by XXX’s Privacy Policy and conducted under appropriate safeguards including Standard Contractual Clauses. For details, refer to XXX’s Privacy Policy.

8. Your rights under GDPR

As a data subject under GDPR, you have the following rights in relation to data held by us:

Right of access: Request a copy of the data we hold about you.
Right to rectification: Request correction of inaccurate data.
Right to erasure: Request deletion of your data where we have no legal obligation to retain it.
Right to restriction: Request that we restrict processing of your data in certain circumstances.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Withdraw consent for cookie-based processing at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

For rights in relation to data held by XXX (identity documents, email, payment data), you must contact XXX directly via their privacy policy page.

You also have the right to lodge a complaint with your national data protection authority. In Estonia, this is the Estonian Data Protection Inspectorate (AKI). If you are located in another EU country, you may contact your local supervisory authority.

9. Security

We implement appropriate technical and organisational measures to protect the limited data we process against unauthorised access, disclosure, or loss. Our application is served over HTTPS and we do not store any personal or financial data on our own infrastructure.

10. Children

onoff.finance is not intended for use by individuals under the age of 18. We do not knowingly collect data from children. If you believe a minor has used our platform, please contact us immediately at [email protected].

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For material changes, we will provide notice via the platform. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

12. Contact

Trend IT OÜ
Registry code 12637197
VAT EE101824907
Estonia, European Union

Privacy enquiries: