Privacy Policy

1     Who are we and what do we do?

C Herbst Consulting Proprietary Limited trading as CountDeFi (“we“, “our” or “us“) is a South African company who, amongst others, provides crypto tax reporting services to its customers in various countries.

2    What is the purpose of this policy?

This Policy tells you, as our customer (“you” or “your“), how we collect, use, store and share (“process“) data which tells us who you are, from which someone can determine who you are or otherwise relates to you (collectively, “personal data“).

If you are a prospective or present customer, this policy should be read together with our terms of service (“Ts&Cs“).

3    What is our privacy vision?

Our privacy vision is to provide you with accurate tax efficient crypto tax reports in a manner that respects and protects your privacy. You should know what personal data we process, why we process it and what rights you have in relation to your personal data which we hold.

4     What information do we process and where is it collected from?

We process, amongst others, the following types of personal data:

DATA SET

TYPE OF DATA, DESCRIPTION AND SOURCE

Contact data

If you request that we contact you through our website or otherwise request that we contact you, we will process data to enable us to do so, including –

  • name and surname;
  • contact details: email and telephone number; and
  • any information that you provide in the “message” block on our website.

You are the source of this data.

Onboarding data

If you appoint us to provide services to you, we will need to process your –

  • name and surname;
  • contact details: email and telephone number; and
  • terms of services / terms and conditions with us.

You are the source of this data.

Tax report data

If you appoint us to provide services to you, we will need to process information regarding the type of crypto tax report you purchase (a Basic, Standard, Premium, Degen or other report) (a “report”) and what the factors taken into account or which comprise such report, including –

  • the number of transactions;
  • software;
  • transaction reconciliation;
  • annual tax reporting (Y/N);
  • 8949 report and schedule D (US) / local equivalent;
  • number of video calls;
  • missing data analysis (Y/N);
  • negative balance analysis (Y/N);
  • liquidity pools / mining / staking / lending / nodes / futures / margin (Y/N);
  • IDOs (Y/N);
  • NFT (Y/N);
  • tax optimisation (Y/N);
  • number of revisions (Y/N); and
  • timeframe.

You are the source of this data and some of it is automatically generated by purchasing our services, dependent on the report you purchase.

Payment and billing data

If you appoint us to provide services to you, we will need to process –

  • the price of your report, taxes and amounts levied thereon;
  • the deposit amount required;
  • if you pay by credit card – your billing information, including your credit card number, bank and billing address;
  • if you pay with crypto – your crypto wallet number and any linked information;
  • your invoices; and
  • your payment history, including date, time and information.

We process credit card payments through our credit card payment services provider, Practice Ignition Limited (“Practice Ignition”) through Stripe. We Use CountDeFi, a company within our group of companies in the United States of America as an accredited card processing agent (“CountDeFi USA”).

You, your payment services provider,  Stripe and CountDeFi USA are the sources of this data.

Crypto and financial data

If you appoint us to provide services to you, we will need to process information about your crypto assets including –

  • your cryptocurrency wallet, number and linked information;
  • types of cryptocurrency;
  • number and value of crypto assets;
  • number, type and number of crypto related transactions;
  • crypto purchases invoices and sales, at what prices and on what dates;
  • public address of crypto wallets (not private keys);
  • read only API key and secret to centralised exchanges;
  • CSV exports of with wallet data or centralised exchange data;
  • FIAT bank account data;
  • operational data on relevant business processes or trading strategies; and
  • contextual and related data.

You are the source of this data.

Tax data

If you appoint us to provide services to you, we will need to process your tax information, including –

  • the countries in which you are a tax resident;
  • your tax number; and
  • the amount of tax you are required to pay in relation to your crypto assets.

You are the source of this data.

Aggregated data

As we provide crypto tax reporting services, different data sets or points may be aggregated by us to produce your tax report.

We do not make any decisions using this data that have legal consequences for you.

Communications data

If you appoint us to provide services to you, we will process your communications with us, which includes the meta data of communications. If you call or video call us, we may transcribe or record such call to monitor our services and record your instructions.

You are the source of this data and some of this data is generated by us.

5     Why do we process your personal data?

We process your personal data for the following purposes and based on the legal bases:

5.1  Operations
We may process your personal data for the purposes of operating our website; providing our services and products in the form of tax reports to customers; generating invoices, bills and other payment-related documentation; and credit control. The legal bases for this processing are –
●       our legitimate interests, namely the proper administration of our website, services and business; and/or
●       the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

5.2  Relationships and communications
We may process your personal data for the purposes of managing our relationships and communicating with you (excluding communicating for the purposes of direct marketing) by email, Whatsapp, website chatbot, SMS and/or telephone, providing support services and complaint handling. The legal bases for this processing are –
●       our legitimate interests, namely communications with our website visitors, service users, individual customers and the maintenance of relationships, and the proper administration of our website, services and business; and/or
●       the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

5.3  Research and analysis
We may process personal data for the purposes of researching and analysing the use of our website and services, as well as researching and analysing other interactions with our business. The legal basis for this processing is our legitimate interests, namely monitoring, supporting, improving and securing our website, services and business generally.

5.4 Record keeping
We may process your personal data for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records generally. The legal bases for this processing is –
●       our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run our business in accordance with this policy; and/or
●       the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

5.5 Security
We may process your personal data for the purposes of security and preventing fraud and other criminal activity. The legal basis of this processing is our legitimate interests, namely the protection of our website, services and business and the protection of others.

5.6 Insurance and risk management
We may process your personal data where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.

5.7 Legal claims
We may process your personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.

5.8 Legal compliance and legitimate interests
We may also process your personal data where such processing is necessary for compliance with a legal obligation to which we are subject or in order to protect your legitimate interests or the legitimate interest of another person.

 

6      Who do we share your personal data with?

We may disclose your personal data to our insurers and/or professional advisors insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice.
We may disclose your personal data to CountDeFi USA [●], a company within our company group and vice versa, to process your credit card payment to us and any refunds. We ensure that CountDeFi USA protects your data in a manner that is substantially similar to us.
Financial transactions relating to our services are handled by our payment services provider, Ignition through Stripe. We will share transaction data with our payment services provider only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find information about the payment services providers’ privacy policies and practices at https://stripe.com/en-gb-us/privacy.
In addition to the specific disclosures of personal data set out in this 6, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, including a subpoena, reporting obligation or request by a regulator or tax authority in any applicable jurisdiction, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

 

7       Do we transfer your personal data to other countries?

We process your personal data in the Republic of South Africa (“RSA”), which is the country where we are situated and from which our employees work. We also transfer your personal data to CountDeFi USA to process your payments and other payment services providers. Where we transfer your data to CountDeFi USA and/or other countries, we ensure that we have a lawful basis to do so, it being necessary to do so to provide our services to you as our customer. We ensure that your personal data is protected in RSA both by contractual and other reasonably practicable measures. 

8       How do we store your personal data?

Your personal data will be stored on the services of our hosting services providers: Google Cloud Services, whose servers are located in RSA and abroad and Karbon https://karbonhq.com/en-GB/security/, whose servers are located.in the United States of America.
Your personal data may be kept in paper copy by our employees, but only to the extent necessary.
Only authorised personnel have access to your data. 

9       How do we ensure your personal data kept is kept secure?

We use administrative, technological and physical controls to protect your personal data against unauthorised loss, damage, modification, disclosure or access. Such controls includes policies, monitoring, access control, password protection, firewalls, anti-virus and encryption where possible.
Even though we take reasonable measures to protect your personal data, transmitting information over electronic platforms creates certain risks which we cannot prevent. We will not be held responsible for any loss occurred in the transmission of data.

10       How long do we store your personal data for?

We store information for as long we have a purpose to keep it, being either a business purpose or where the law requires us to keep it, whichever is longer.
We completely delete and destroy personal data two years after the completion of our mandate with you.

11       How do we make sure your personal data is accurate?

The personal data you provide us must be accurate and up to date – you are responsible for doing so. Providing us with inaccurate, false, misleading or incomplete information may affect the services we provide you and the correctness of the crypto tax report we issue you. It is therefore imperative that you provide data to us in time and which is correct.
We have processes in place for you to request that the personal data we hold about you is amended, corrected or deleted. We have the right to refuse any request where it requires disproportionate effort, threatens the privacy of others or would be impractical.
If the data we have about you is out of date or inaccurate, please contact our information officer at the details at 13.

12       What happens if your data is subject to a data breach?

If an unauthorised person has accessed your data, we will notify you to the extent we are required by law to do so. We will also notify the South African Information Regulator to the extent that we are required to. 

13       What are your rights regarding your data?

You have the rights to –
●       request access to the personal data we hold;
●       request that we correct or delete personal data;
●       object to the processing of personal data in certain instances; and/or
●       withdraw consent where consent is the basis we rely on for processing.

Should you have a question or query with regards to the processing of personal data, please contact our information officer with the following details:

Name:
Chris Herbst

Physical Address:
2nd Floor, Oude Poskantoor Building, C/O Bird and Plent Street, Stellenbosch

Email:
chris@chconsulting.co.za

Telephone No:
+27 21 205 8211 

 14       The Protection of Personal Information Act No 4 of 2013 (“POPIA”)

Given that we process data in RSA and because we are domiciled in RSA, we are required to comply with RSA’s data privacy legislation, POPIA. Should we have a complaint about the way we process your data, you can contact RSA’s Information Regulator at the following details:

Email:
complaints.IR@justice.gov.za

Physical address:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Postal address:
P.O Box 31533, Braamfontein, Johannesburg, 2017

This policy amounts to a notice of processing as is required by POPIA.

15       The General Data Protection Regulation 206/679 (“GDPR”)

Given that we do not have an establishment in the European Union (“EU”), nor do we directly market our goods and services to EU data subjects, or monitor EU data subjects, we are not required to comply with the GDPR, however, we ensure that fair information processing principles are complied with in relation to your data, as set out in this notice.

16       Will this policy change?

This policy is subject to change. We will tell you if it does.

17       Version Control

Last updated 14 February 2023.   

Ready to get you crypto tax reports sorted?