Privacy Policy
- Introduction
- How We Collect Your Information
- How We Use Your Information
- How We Share Your Information
- Location of Processing
- How We Protect Your Information
- How Long We Retain Your Information
- Children’s Information
- Your Rights
- Changes To This Privacy Policy
- Third-Party Services, Applications, and Websites
- Contacting Us
- Appendix A: California Consumer Privacy Act Addendum
- Appendix B: General Data Protection Regulation Addendum
- Appendix C: Ripple Sub-Processors
Effective Date: August 15, 2024
Ripple Labs Inc. (“Ripple”, “we”, “our”, “us”) understands and respects our users’ need for privacy. This Ripple Privacy Policy (“Privacy Policy”) explains how Ripple collects, uses, and shares information we collect about you when you use our websites (including our company website www.ripple.com, our RippleNet service website, and our developer website developers.ripple.com, collectively, the “Site”), and when you interact with our RippleNet services (including Ripple’s OnDemand Liquidity service, collectively, the “RippleNet Service”).
Introduction
This Privacy Policy also does not apply to the XRP ledger software, which is open source, or the distributed open-source global network accessed through that software (collectively, “XRP Ledger”). However, if you access XRP Ledger-related content from a hyperlink on our Site, we may collect the information identified in the “Information We Collect Automatically” sections below in connection with your use of the Site.
How We Collect Your Information
Information We Collect From Our Websites and Events:
Information You Provide to Us: We collect information you provide directly to us when you browse our Site, create an online account, post messages to our forums or wikis, provide feedback through surveys, participate in any interactive features, contests, promotions, sweepstakes, activities, or events. The types of information we may collect include: your name, email address, username, password, location and any other information you choose to provide.
Information We Collect Automatically Through the Use of Cookies and Other Tracking Technology: When you visit the Company’s website, we obtain certain information by automated means, such as cookies, web beacons, web server logs, and other technologies. A “cookie” is a text file that websites send to a visitor’s computer or other Internet-connected device to identify the visitor’s browser or to store information or settings in the browser. A “web beacon”, also known as an Internet tag, pixel tag or clear GIF, links web pages to web servers and their cookies and may be used to transmit information collected through cookies back to a web server.
We may use these automated technologies to collect information about your equipment, browsing actions, and usage patterns. The information we obtain in this manner may include: your device IP address, identifiers associated with your devices, types of devices connected to our services, web browser characteristics, device characteristics, language preferences, referring/exit pages, clickstream data and dates and times of visits to our Site.
The information we collect through cookies and similar technologies helps us (1) remember your information so you will not have to re-enter it; (2) understand how you use and interact with our website; (3) measure the usability of our website and the effectiveness of our communications; (4) otherwise manage and enhance our website; and (5) help ensure it is working properly.
Your browser may tell you how to be notified when you receive certain types of cookies or how to restrict or disable certain types of cookies. Please note, however, that without cookies you may not be able to use all the features of our website.
Information We Collect Relating to the RippleNet Service:
Financial institutions and other organizations around the world, together referred to as “RippleNet Customers”, use the RippleNet Service to exchange data relating to financial transactions and, in the case of OnDemand Liquidity, settle those financial transactions.
The RippleNet Service processes personal information in the two following contexts:
- Ripple’s Provision of the RippleNet Service: Personal information that Ripple collects for its own purposes relating to the provision of the RippleNet Service (for example, contact details of employees of RippleNet Customers)
- Customer Use of the Services: Personal information that RippleNet Customers collect and supply to the RippleNet Service as part of their use of the Services (for example, personal information contained in messages or files that RippleNet Customers send)
Ripple’s Provision of the RippleNet Service:
Information You Provide to Us: Ripple collects personal information relating to employees, officers, and/or directors of RippleNet Customers that is directly provided to us. Personal information typically includes: name, title, work address, work email address, and work telephone number.
Information from Other Sources: Ripple collects information publicly available on a RippleNet Customer’s website, or through publicly available resources relating to employees, officers, or directors of RippleNet Customers and potential customers. This information typically includes publicly available information such as: name, title, work address, work email address, and work telephone number.
Information We Collect Automatically: Ripple may collect: RippleNet usernames, user passwords, user’s Internet Protocol (“IP”) addresses, and computer and connection information such as browser type, version, and operating system during the course of managing the RippleNet Service.
Customer’s Use of the RippleNet Services:
The OnDemand Liquidity product enables RippleNet Customers to connect to their digital asset exchange accounts in order to check balances, receive payment estimates, submit instructions for payment initiation, and check the status of payments in progress.
The RippleNet Cloud product enables RippleNet Customers to connect to multiple banks and other financial institutions through one API, in order to initiate payments, purchase FX, and view and manage balances and transaction listings.
Information You Provide to Us: Through use of the RippleNet Services, RippleNet may collect and process personal information of individuals collected by RippleNet Customers for purposes of processing payments in accordance with the Terms and Conditions we have entered into with you.
Personal information used for facilitating payments typically includes: sender and beneficiary account name and account number (which could be the account holder’s name), description of the transaction, payment amounts and instructions, and sender and beneficiary addresses and phone numbers.
How We Use Your Information
Ripple Websites and Events:
Ripple collects this data for various purposes, including to:
- Respond to your comments, questions and requests and provide customer service;
- Monitor and analyze trends, usage, and activities in order to operate and improve our Site;
- Manage your online account(s) and send you technical notices, updates, security alerts and support and administrative messages;
- Organize regional or local events, and the registration and management of customer representatives that are active in RippleNet advisory and working groups;
- Link or combine with information we get from others to help understand your needs and provide you with better service; and
- Carry out any other purpose for which the information was collected.
Ripple’s Provision of the RippleNet Service
Ripple collects this data for purposes relating to the provision of the Services, which include the following:
- The administration, monitoring, and ongoing management of the services and products;
- The development, deployment, management, support, and invoicing of the services and products; and
- The organization of regional or local events, and the registration and management of customer representatives that are active in RippleNet advisory and working groups.
Customer Use of the RippleNet Service
Ripple collects this data for various purposes, including to:
- Respond to your comments, questions and requests and provide customer service;
- Monitor and analyze trends, usage, and activities in order to operate and improve our products and services;
- Manage your online account(s) and send you technical notices, updates, security alerts and support and administrative messages; and
- Carry out any other purpose for which the information was collected.
Location of Processing
Ripple’s headquarters are in the United States, and it has offices around the world. In providing its services, Ripple may process your personal information on servers outside the country where you live, including to countries that do not have the same data protection laws as your country. Although the data protection laws of various countries may differ from those in your own country, we take appropriate steps to ensure that your personal information is processed as described in this Privacy Policy and under the law.
If you are located in the European Union (“EU”), the United Kingdom (“UK”), or Switzerland, please see the “Transfer of Personal Information to Other Countries” section in Appendix B for more information.
How We Protect Your Information
We are committed to protecting your information. We maintain appropriate administrative, technical, and physical safeguards designed to protect the personal information you provide against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use.
How Long We Retain Your Information
We will retain your personal information on file for as long as necessary for our legitimate business purposes. Please note that in certain cases, legal or regulatory obligations require us to retain specific records for a longer period of time.
Children’s Information
Our Services are not directed to children under the age of 16. If you learn that a child under the age of 16 has provided us with personal information without consent, please contact us.
Your Rights
You have the right to request a copy of your information, to object to our use of your personal information (including for marketing purposes), where applicable, to correct your personal information, to request the deletion or restriction of your personal information, or to request your personal information in a structured, electronic format.
Depending on where you are located, you may have certain rights in connection with your personal information that we obtain. These rights vary depending on your jurisdiction. To learn more about your rights, see:
- Appendix A for CCPA rights if you are a California resident.
- Appendix B for GDPR rights if you are located in the EU, UK, or Switzerland.
Changes To This Privacy Policy
We periodically review and update this Privacy Policy to describe new services or changes to our practices. You can determine when this Privacy Policy was last revised by referring to the “Updated” date at the top of this document. We encourage you to review the Privacy Policy whenever you interact with us to stay informed about our privacy practices and the ways that you can help protect your privacy.
If we make significant changes to this Privacy Policy, we may provide additional notice through a prominent notice on the RippleNet Service or via the email address associated with your account.
Third-Party Services, Applications, and Websites
Certain third-party services, websites, or applications you use or navigate to from our Services may have separate user terms and privacy policies that are independent of this Policy. This includes, for example, websites owned and operated by our customers or partners. We are not responsible for the privacy practices of these third-party services or applications. We recommend carefully reviewing the user terms and privacy statement of each third-party service, website, and/or application prior to use.
Contacting Us
Attention: General Counsel
600 Battery Street
San Francisco, CA 94111
U.S.A.
Appendix A: California Consumer Privacy Act Addendum
Additional provisions applicable to processing personal information of California residents.
Scope and Applicability
This Appendix A to the Privacy Policy (“Appendix A”) applies to California residents and outlines individuals’ rights and choices with respect to the processing of your personal information under the California Consumer Privacy Act (“CCPA”). This Appendix A controls to the extent it conflicts with any provision in the main body of the Privacy Policy.
Data Collection, Use and Sharing
The CCPA requires that we inform individuals whether we collect any categories of personal information as classified under the CCPA, and whether we share this information with selected recipients for specific purposes.
Categories of Information
We collect the following categories of information as classified under CCPA:
- Personal identifiers - We collect name, IP address, email address, and username.
- Commercial information - From RippleNet Customers, we collect payment information such as sender/beneficiary account names and numbers; descriptions of transactions; payment amounts and instructions; and sender/beneficiary addresses and phone numbers. We also collect information about the products requested and records of services purchased.
- Internet or other network activity information - We collect IP address, device information, clickstream data, and dates and times of visits to our Site.
- Geolocation - We collect geolocation information directly from RippleNet Customers and Site visitors and, on a less granular level, automatically on the Ripple platform through the use of cookies and related technologies.
Please see the “How We Collect Your Information” section in our Privacy Policy to see the full description of the information that we collect.
Publicly Available Information: Personal information does not include publicly available information. For purposes of this paragraph, “publicly available” means information that is lawfully made available from federal, state, or local government records.
Sharing Information
Using Information
We collect and use personal information to:
- Interact with RippleNet Customers;
- Facilitate transactions;
- Provide the RippleNet Service;
- Conduct internal research and development;
- Improve the quality and safety of our products and services; and
- Detect security incidents and prevent fraud.
Please see the “How We Use Your Information” section in the Privacy Policy for a full description of how we use personal information.
Your CCPA Rights
The CCPA grants California consumers certain rights in connection with the personal information we collect, as described below.
- Right to Know: You have the right to know the categories and specific pieces of your personal information we have collected in the previous 12 months.
- Right to Deletion: You have the right to request that we delete any of your personal information we have collected.
- Right to Request Information: You have the right to request information about the collection, sale, and disclosure of your personal information from the previous 12 months.
- Right to Opt-out of the Sale of Information: You have the right to opt-out of the sale of personal information we have collected about you.
- Right to Non-Discrimination: You have the right to not receive discriminatory treatment for exercising any of your CCPA rights. We do not treat individuals differently for exercising any of the rights described above.
Exercising Your Rights
If you wish to exercise any of the above rights, see the “Contact Us” section in this Appendix A. You may also authorize an individual to submit a verifiable consumer request relating to your personal information.
We verify your request using your email address. Government identification may be required. We cannot respond to your request if we cannot verify your identity and/or authority to make the request on behalf of another and confirm the personal information related to you.
If you wish to use an authorized agent to submit a request to opt-out on your behalf, you must provide the authorized agent written permission signed by you, the consumer. We may deny a request from an authorized agent if the agent cannot provide Ripple with your signed permission demonstrating that the agent is authorized to act on your behalf.
We fulfill requests within 45 days of receiving your request. Please note that your request may be limited in certain cases, for example if complying with your request would conflict with:
- Federal, state, or local law;
- Regulatory inquiries;
- Subpoenas; or
- Exercising or defending legal claims.
Contact Us
Attention: General Counsel
600 Battery Street
San Francisco, CA 94111
U.S.A.
Appendix B: General Data Protection Regulation Addendum
Additional provisions applicable to the processing of personal information of individuals based in the European Union (“EU”), the United Kingdom (“UK”), or Switzerland.
Scope and Applicability
This Appendix B to the Privacy Policy (“Appendix B”) applies to individuals based in the EU, UK, and Switzerland, and outlines their rights and choices regarding the processing of their personal information under the General Data Protection Regulation or related regulations (collectively, the “GDPR”). Capitalized terms not defined in this Appendix B are defined in the Privacy Policy above.
Data Collection, Use, and Sharing
Ripple acts as a data controller for personal information that we collect about individuals while using the RippleNet Service as described in the Privacy Policy.
Ripple acts as a data processor on behalf of our RippleNet Customers for most of the personal information we process through the RippleNet Services. Our RippleNet Customers primarily control what personal information we collect and process through the Service and how we use it, and we only process information in accordance with their instructions.
Ripple acts as a data controller for certain limited personal information collected from individuals working with RippleNet Customers as required to provide the RippleNet Service as described in the Privacy Policy.
This Appendix B does not apply to any personal information that we process as a processor, as we only process that information on behalf of the RippleNet Customer and in accordance with our agreement with them. A RippleNet Customer that has entered into an agreement to use the RippleNet Services controls its instance of the Service and any associated data.
We collect and process personal information about you only where we have a legal basis for doing so under applicable data protection laws. Our legal bases include processing personal information under:
- Your consent: Where appropriate or legally required, we collect and use information about you subject to your consent. For example, we collect your email address when you sign up for emails and updates on the RippleNet Services.
- Performance of contract: We collect and use information about you to contract with you or to perform a contract that you have with us. For example, we collect your name, email, and billing addresses when you purchase the RippleNet Services and process transactions.
- Legitimate interests: We collect and use information about you for our legitimate interests to improve the RippleNet Services, deliver content, optimize your experience, and market the RippleNet Services. For example, we collect your IP address and device information when you use the RippleNet Services to prevent malicious activity and fraudulent transactions.
- Compliance with laws: We may also collect and use information about you:
  - As required by law, such as to comply with a subpoena or similar legal process;
  - When we believe in good faith that disclosure is necessary to protect our rights or property, protect your health and safety or the health and safety of others, investigate fraud, or respond to a government request; or
  - If we participate in a merger, acquisition, or sale of all or a portion of our assets.
Transfer of Personal Information to Other Countries
We transfer your personal information to countries outside the EU, UK, or Switzerland, including, but not limited to the United States, where Ripple Labs Inc. Corporate Headquarters is located, and where our IT systems (including email) are located. When required for the provision of the RippleNet Service, we may transfer and store personal information to locations in or outside the EU, UK, or Switzerland.
If we transfer your personal information out of the EU, UK, or Switzerland and are required to apply additional safeguards to your personal information under European data protection legislation, we will do so. Such safeguards may include applying the European Commission-approved standard contractual data protection clauses or other appropriate legal mechanisms.
Our Commitment to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and to the rights of EU and UK individuals and Swiss individuals.
In cases of onward transfer to third parties of personal information received pursuant to the DPF Principles, Ripple shall remain potentially liable.
Data Subject Rights
You have certain rights related to your personal information when you use the RippleNet Services. Some of these rights only apply in certain circumstances, as set out below. We also describe how to exercise these rights in the “Exercising your Rights” section of this Appendix B.
If you are an end user of the RippleNet Services seeking to access, correct, amend, or delete personal information, please contact the RippleNet Customer (the data controller) that has transferred such data to us for processing. If the RippleNet Customer receives a data subject request and sends the request to us, we will respond to the RippleNet Customer’s request within the agreed timeframe outlined in our Customer agreement. The RippleNet Customer is responsible for responding to its end user data subject requests as determined under the applicable local data protection law.
The GDPR provides data subjects with the following rights:
- Right of Access: Data subjects have the right to request access and receive certain information about how we use their personal information and who we share it with.
- Right to Rectification: Data subjects have the right to request correction of personal information we hold about them where it is inaccurate or incomplete.
- Right to Data Portability: Data subjects have the right to request a copy of data we hold about them in a structured, machine-readable format, and to ask us to share this information with another entity.
- Right to Erasure: Data subjects have the right to request deletion of the personal information we hold about them:
  - Where one believes that it is no longer necessary for us to hold their personal information;
  - Where we are processing personal information based on legitimate interests and a data subject objects to such processing, and we cannot demonstrate an overriding legitimate ground for the processing;
  - Where a data subject has provided their personal information to us with consent, and they wish to withdraw their consent and there is no other ground under which we can process their personal information; or
  - Where a data subject believes their personal information is being unlawfully processed by us.
- Right to Restriction of Processing: Data subjects have the right to ask us to restrict (stop any active) processing of their personal information:
  - Where they believe their personal information is inaccurate and while we verify accuracy;
  - Where we want to erase their personal information as the processing is unlawful, but they want us to continue to store it;
  - Where we no longer need their personal information for our processing, but they require us to retain the data for the establishment, exercise, or defense of legal claims; or
  - Where they have objected to us processing their personal information based on our legitimate interests and we are considering their objection.
- Right to Object: Data subjects can object to our processing of their personal information based on our legitimate interests. We will no longer process their personal information unless we can demonstrate an overriding legitimate purpose.
- Objection to Marketing, Automated Decision Making, and Profiling: Data subjects have the right to object to our processing of personal information for marketing communications, automated decision making and profiling. We will stop processing the data for that purpose.
- Withdrawal of Consent: Where a data subject has provided consent for us to process their personal information, they can withdraw their consent by emailing [email protected].
Please note that before we respond to requests for information, we will require verification of the requester’s identity, or the identity of any data subject for whom one is requesting information. Our verification methods may include requesting that the data subject log into their Ripple account, confirm their contact information or email address, and/or provide documents for identity verification.
Attention: General Counsel
600 Battery Street
San Francisco, CA 94111
U.S.A.
Exercising Your Rights
To exercise any of the rights above, please contact us as noted in the “Contact Us” section in this Appendix B. If you are a Customer end user, contact the applicable Customer acting as the data controller directly to fulfill any requests.
We will fulfill your request within 30 days of receipt. Please note that the above rights may be limited in the following situations:
- Where fulfilling your request would adversely affect other individuals, company trade secrets or intellectual property;
- Where there are overriding public interest reasons; or
- Where we are required by law to retain your personal information.
If you have unresolved concerns, we encourage you to come to us in the first instance, but you are entitled to address any grievance directly to the relevant supervisory authority. If you are a Customer end user, we encourage you to reach out to the relevant Customer first to address any complaints.
Contacting Us
To submit questions about Appendix B or to update or request changes to personal information, please contact us as outlined in the Privacy Policy or contact our European representative as outlined below.
Our European representative is DataRep (Data Protection Representative Limited). Data subjects may contact DataRep by:
- Sending an email to DataRep at [email protected],
- Contacting DataRep on its online webform at www.datarep.com/data-request, or
- Mailing the inquiry to DataRep at any of the following addresses:
Country | Address |
---|---|
Austria | DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria |
Belgium | DataRep, Rue des Colonies 11, Brussels, 1000 |
Bulgaria | DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria |
Croatia | DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia |
Cyprus | DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus |
Czech Republic | DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic |
Denmark | DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark |
Estonia | DataRep, 2nd Floor, Tornimae 5, Tallinn, 10145, Estonia |
Finland | DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland |
France | DataRep, 72 rue de Lessard, Rouen, 76100, France |
Germany | DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany |
Greece | DataRep, 24 Lagoumitzi str, Athens, 17671, Greece |
Hungary | DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary |
Iceland | DataRep, Kalkofnsvegur 2, 101 Reykjavík, Iceland |
Ireland | DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland |
Italy | DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy |
Latvia | DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia |
Lithuania | DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania |
Luxembourg | DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg |
Malta | DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta |
Netherlands | DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands |
Norway | DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway |
Poland | DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland |
Portugal | DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal |
Romania | DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania |
Slovakia | DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia |
Slovenia | DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia |
Spain | DataRep, Calle de Manzanares 4, Madrid, 28005, Spain |
Sweden | DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE - 211 46, Sweden |
Switzerland | DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland |
In compliance with the DPF Principles, Ripple commits to resolve complaints about our collection or use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our privacy policy should first contact Ripple as outlined above.
Appendix C: Ripple Sub-Processors
We use the following sub-processors to operate our services:
Third-Party Service or Vendor | Type of Service | Location |
---|---|---|
Salesforce | Sales Data Host Platform | United States |
Zendesk | Cloud-based Customer Support Services | United States |
Atlassian | Cloud-based Customer Support Services | United States |
Amazon Web Services | Cloud Service Provider | United States, United Kingdom |
Google Cloud | Cloud Service Provider | United States |
IBM Softlayer | Cloud Service Provider | United States |
Netscope | Cloud Service Provider | United States |
Auth0 | Cloud-based Customer Support Services | United States |
Chekk | Digital Identity, Know Your Customer, and Case Management Services | United States |