Last updated: April 8, 2026. This Privacy Policy explains how Toro Coin collects, uses, and protects your personal data when you use our mobile application. By using the App, you agree to the practices described in this Policy.
1 Who We Are
Toro Coin ("we", "us", or "our") operates the Toro Coin mobile application (the "App"). We act as the data controller for personal data collected through the App, as defined under the EU General Data Protection Regulation (GDPR) (Regulation EU 2016/679).
If you have any questions about how we handle your data, please refer to the Contact Us section below.
2 Data We Collect
We may collect the following categories of personal data:
👤 Identity Data: Full name, username, profile photo
📧 Contact Data: Email address, phone number
🔐 Account Data: Wallet addresses, authentication credentials
💸 Transaction Data: Transfer history, balances, timestamps
📱 Device Data: Device model, OS version, unique device identifiers
📊 Usage Data: App interaction logs, feature usage, session data
📍 Location Data: Approximate location (IP-based), only if legally required
✅ KYC Data: Government ID, selfie (for regulatory compliance only)
We collect only the minimum data necessary for the purposes described below (data minimisation principle under GDPR Article 5(1)(c)).
3 How We Use Your Data
We use your personal data for the following purposes:
Account creation & authentication — to register and verify your identity securely.
Transaction processing — to execute and record cryptocurrency transfers involving Toro Coin.
Regulatory compliance (KYC/AML) — to fulfil Anti-Money Laundering and Know Your Customer obligations.
Customer support — to respond to your enquiries and resolve issues.
Security monitoring — to detect fraud, suspicious activity, and protect the integrity of the platform.
App improvement — to analyse usage patterns and enhance features and performance.
Legal obligations — to comply with applicable laws, regulations, or court orders.
Communications — to send you important notices, updates, or (with your consent) marketing messages.
4 Legal Basis for Processing
Under GDPR Article 6, we rely on the following legal bases:
Contract performance (Art. 6(1)(b)) — processing is necessary to provide the App services.
Legal obligation (Art. 6(1)(c)) — processing required to comply with KYC/AML and financial regulations.
Consent (Art. 6(1)(a)) — marketing communications or optional features that rely on your explicit consent (which you may withdraw at any time).
Where we process special categories of data (e.g. biometric data for KYC), we rely on explicit consent under GDPR Article 9(2)(a).
5 Data Sharing & Third Parties
We do not sell your personal data. We may share your data with the following categories of recipients:
KYC/Identity verification providers — third-party services that verify identity documents to meet regulatory requirements.
Blockchain infrastructure providers — node operators and smart-contract environments required to process on-chain transactions.
Cloud hosting & storage providers — to securely store application data (e.g. AWS, Google Cloud).
Analytics providers — aggregated, anonymised analytics to improve the App (e.g. Firebase Analytics).
Legal authorities — when required by law, court order, or to protect the rights of users and the company.
All third-party processors are bound by Data Processing Agreements (DPAs) and are required to handle your data only on our documented instructions.
6 International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When such transfers occur, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including:
Standard Contractual Clauses (SCCs) approved by the European Commission.
Transfers to countries covered by an adequacy decision by the European Commission.
Other legally recognised transfer mechanisms where SCCs are not applicable.
You may request a copy of the applicable transfer safeguards by contacting us (see Section 12).
7 Data Retention
We retain your personal data only as long as necessary for the purposes it was collected:
Account data — retained for the duration of your account and up to 5 years after account closure for legal and audit purposes.
Transaction records — retained for a minimum of 5 years to comply with financial regulations (AML/KYC requirements).
KYC/identity documents — retained for the period required by applicable law (typically 5–10 years).
Usage & analytics data — retained in aggregated, anonymised form; raw logs deleted within 12 months.
Marketing consent — retained until you withdraw consent.
After the retention period, data is securely deleted or anonymised.
8 Your GDPR Rights
As a data subject under the GDPR, you have the following rights:
📋 Right of Access: Obtain a copy of the personal data we hold about you (Art. 15).
✏️ Right to Rectification: Correct inaccurate or incomplete data (Art. 16).
🗑️ Right to Erasure: Request deletion of your data where no longer necessary (Art. 17).
⏸️ Right to Restriction: Restrict our processing in certain circumstances (Art. 18).
📦 Right to Portability: Receive your data in a structured, machine-readable format (Art. 20).
🚫 Right to Object: Object to processing based on legitimate interests or direct marketing (Art. 21).
↩️ Withdraw Consent: Withdraw consent at any time without affecting prior lawful processing (Art. 7(3)).
⚖️ Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority (Art. 77).
To exercise any of these rights, contact us at privacy@torocoin.io. We will respond within 30 days as required by GDPR.
9 Security Measures
We implement technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
End-to-end encryption (TLS/SSL) for all data in transit.
AES-256 encryption for data at rest.
Two-factor authentication (2FA) for user accounts.
Regular security audits and penetration testing.
Role-based access controls limiting staff access to personal data.
Incident response procedures to notify affected users and supervisory authorities within 72 hours of a data breach (as required under GDPR Art. 33–34).
Despite these measures, no method of transmission or storage is 100% secure. We encourage you to use a strong, unique password and enable 2FA on your account.
10 Children's Privacy
The Toro Coin App is intended solely for users aged 18 years and older. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided us with personal data, please contact us immediately at privacy@torocoin.io and we will delete that data promptly.
11 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you via:
An in-app notification at your next login.
An email to the address registered on your account.
The "Last updated" date at the top of this Policy will always reflect when the most recent changes were made. Continued use of the App after the effective date constitutes your acceptance of the revised Policy.
12 Contact Us
If you have any questions, concerns, or wish to exercise your data rights, please contact our Data Protection team:
📬 Postal Address: Toro Coin Ltd., [Your Registered Address]
You also have the right to lodge a complaint with your national data protection supervisory authority. In the EU, a list of authorities is available at edpb.europa.eu.