Privacy policy

Last updated on March 24, 2023


1.1. We are delighted that you have chosen to use our app or visit our website. We take our data protection responsibilities with the utmost seriousness.

This privacy policy (the “Policy”) outlines how we may collect, use, store and disclose your personal data when you:

1.1.1 access or use our websites, including, or any apps, software or services we provide (collectively the Portal Services); and/or

1.1.2. provide us with your personal data, regardless of the medium through which such personal data is provided.

This Policy also applies to any individual’s personal data which is in our possession or under our control. Please take a moment to read about how we collect, use and/or disclose your personal data so that you know and understand the purposes for which we may collect, use and/or disclose your personal data.

1.2. The Portal Services are owned and operated by BMall Limited (a company incorporated in the British Virgin Islands, and operating at Floor 4, Banco Popular Building, Road Town, Tortola, VG1110, British Virgin Islands) and its related corporations, business units and affiliates (collectively referred to herein as “BMall”, “us”, “we”, or “our”). We are the controller (also known as a data controller) of, and are responsible for, your personal information. The term “you” refers to the user wishing to access and/or use the Services.

1.3. We will only use your personal data where you have given us your consent or where we have other lawful basis for doing so, and in the manner set out in this Privacy Policy.

1.4. By providing us with personal data, you acknowledge that our collection, use, disclosure and processing of personal data will be in accordance with this Policy, including, for the avoidance of doubt, the cross-jurisdictional transfer of your data. DO NOT provide any personal data to us if you do not accept this Policy.

1.5. The Portal Services may contain links to other websites which are not owned or maintained by us. This Policy only applies to the related websites of BMall and the Portal Services. These links are provided only for your convenience. When visiting these third party websites, their privacy policies apply, and you should read their privacy policies which will apply to your use of such websites. When you are in Decentraland, Decentraland Privacy Policy ( will apply.

1.6. This Policy supplements but does not supersede nor replace any other consent which you may have previously provided to us nor does it affect any rights that we may have at law in connection with the collection, use and/or disclosure of your personal data.

1.7. If you: (i) have queries about our data protection processes and practices; (ii) wish to make a request pursuant to paragraph 11 below; or (iii) or wish to withdraw your consent to our collection, use or disclosure of your personal data pursuant to paragraph 3.2 below; (iv) contact  us on any aspect of this Policy or your personal data or (v) to provide any feedback that you may have, please submit a written request (with supporting documents, (if any) to:


We shall endeavour to respond to you within 30 days of your submission. For the avoidance of doubt, this paragraphdoes not affect your statutory rights. For example, if the GDPR applies to you, you may also have a right to lodge a complaint with a European supervisory authority, in particular in the Member State in the European Union where you are habitually resident, where you work or where an alleged infringement of Data Protection law has taken place. We may also require that you submit certain forms or provide certain information, including verification of your identity, before we are able to respond.


2.1 We may from time to time, without notice to you, amend, modify and/or update this Policy to ensure that this Policy is consistent with our future developments, industry trends and/or any changes in legal or regulatory requirements. The updated Policy will supersede earlier versions and will apply to personal data provided to us previously. Subject to your rights at law, the prevailing terms of this Policy shall apply. If we make a change that significantly affects your rights or, to the extent we are permitted to do so, significantly changes how or why we use personal data, we will notify you by way of a prominent notice on our website or, if we have your email address, by email.


3.1 What is personal data. “Personal data” means data, whether true or not, about an individual who can be identified (i) from that data, or (ii) from that data and other information to which the organisation has or is likely to have access. Some examples of personal data that we may collect include:
3.1.1. personal particulars (e.g. name, email, contact details, residential address, date of birth, identity card/passport details, social media handles and other social media profile information, and/or education details);
3.1.2. financial details (e.g. income, expenses, credit history and/or credit card and bank information);
3.1.3 images and voice recordings of our conversations with you;
3.1.4. tax and insurance information;
3.1.5. information about your use of the Portal Services;
3.1.6. usernames and password, third party account credentials (such as your Decentraland login/username/digital signature, and Portal unique ID) and IP address;
3.1.7. banking information (e.g. account numbers and banking transactions);
3.1.8. private or public cryptographic key relating to addresses on distributed ledger networks and/or similar information (i.e. public wallet address); and/or
3.1.9. personal opinions made known to us (e.g. feedback or responses to surveys);
3.1.10. relevant details of your company’s legal structure for contracting purposes.

3.2. Voluntary provision of personal data.
We may collect personal data (i) that you voluntarily provide to us; or (ii) from third parties; or (iii) through your use of our (or our services provider’s) digital technologies and services (Please see Section 4 How We Collect Personal Data for further details). What personal data we collect depends on the purposes for which the personal data is collected and what you have chosen to provide.

When our collection is based on consent, you can choose not to provide us with personal data. You also have the right to withdraw your consent for us to continue collecting, using, disclosing and processing your personal data, by contacting us in accordance with paragraph 1.6. Please note that if you withdraw your consent to any or all use or disclosure of your personal data, depending on the nature of your request, we may not be in a position to continue to provide our services or products to you or administer any contractual relationship in place. Such withdrawal may also result in the termination of any agreement you may have with us. Our legal rights and remedies are expressly reserved in such event.

3.3. Accuracy and completeness of personal data.
You are responsible for ensuring that the personal data you provide to us is true, accurate, complete, and not misleading and that such personal data is kept up to date. You acknowledge that failure on your part to do so may result in our inability to provide you with the products and services you have requested. To update your personal data, please contact us (please see paragraph 1.6 above for contact details).

3.4. Minors.
The Portal Services are not intended to be accessed or used by children, minors or persons who are not of legal age. If you are a parent or guardian and you have reason to believe your child or ward has provided us with their personal data without your consent, please contact us. If we find that a child’s personal data has been collected without his/her parents’ or guardian’s prior consent, we will delete relevant data as soon as possible.


4.1 Personal data you provide.
We collect personal data that is relevant to our relationship with you. We may collect your personal data directly or indirectly through various channels, such as  when:
4.1.1. you register an account with us through the Portal Services;
4.1.2. you download or use the Portal Services;
4.1.3. you download or use any documentation, information or materials comprised within the Portal Services;
4.1.4. you authorise us to obtain your personal data from a third party;
4.1.5. you enter into agreements with us;
4.1.6. you enter into partnerships or other arrangements with us; you transact with us, contact us or request that we contact you through various communication channels, for example, through social media platforms, messenger platforms, face-to-face meetings, telephone calls, emails, fax and letters;
4.1.7. you request or agree to be included in an e-mail, marketing or other mailing list;
4.1.8. you attend, participate in or register for events, courses, research groups or functions organised by us;
4.1.9. we seek information about you and receive your personal data in connection with your relationship with us; and
4.1.10. when you submit your personal data to us for any other reason.

4.2. Personal data provided by others. Depending on your relationship with us, we may also collect your personal data from third party sources, for example, from:
4.2.1. any third parties whom you have authorised us to obtain your personal data from;
4.2.2. entities in which you (or a party connected to you) have an interest;
4.2.3. our business partners such as third parties providing services to us;
4.2.4. your family members or friends who provide your personal data to us on your behalf; and/or; and
4.2.5. public agencies or other public sources.


5.1. What we do. We collect, use, disclose, process or entrust the processing of, share and transfer your personal data where:
5.1.1. you have given us consent;
5.1.2. necessary to comply with our legal or regulatory obligations, e.g. responding to valid requests from public authorities;
5.1.3. necessary to support our legitimate business interests, provided that this does not override your interests or rights; and
5.1.4. necessary to perform a transaction you have entered into with us, or provide a service that you have requested or require from us.

5.2. General purposes. We may collect, use, disclose, process or entrust the processing of, share and transfer your personal data for purposes connected or relevant to our business, and/or to manage your relationship with us. These may include, without limitation, the following:

5.2.1. developing and providing facilities, products or services (whether made available by us or through us) to you, including but not limited to: sale of digital tokens or virtual currencies; acting as intermediaries through any network or platform developed or managed by us; recording and/or encryption on any network or platform developed or managed by us; providing various products and/or services (whether digital or not, and whether provided through an external service provider or otherwise); providing, managing or accessing digital wallets for holding digital assets; making payments to you for participation in any network or platform developed or managed by us (as applicable); various products and/or services related to digital assets; transactions and clearing or reporting on these transactions; analytics for the purposes of developing or improving our products, services, security, and service quality;

5.2.2 assessing and processing your applications, instructions, transactions, or requests with us and/or our business partners, or taking steps as may be directed by you;
5.2.3. facilitating your use of the Portal Services, including verifying and establishing your identity, and authenticating, operating and maintaining your accounts and/or transaction details;
5.2.4. facilitating business asset transactions;
5.2.5. communicating with you, and assisting you with your queries, requests, applications, complaints and feedback;
5.2.6. administrative purposes, including finance, IT and HR purposes, quality assurance and staff training, and compliance with internal policies and procedures, including audit, accounting, risk management and record keeping;
5.2.7. resolving any disputes, addressing or investigating any complaints, claims or disputes or any actual or suspected illegal or unlawful conduct;
5.2.8. maintaining legal and regulatory compliance, including (i) verifying your identity in order to comply with all applicable laws (including anti-money laundering and countering the finance of terrorism laws) for the purposes of providing facilities, products or services; and (ii) conducting credit checks, screenings or due diligence checks as may be required under applicable law, regulation or directive;
5.2.9. complying with all applicable laws, regulations, rules, directives, orders, instructions and requests from any local or foreign authorities, including regulatory, governmental, tax and law enforcement authorities or other regulatory authorities;
5.2.10. carrying out research and statistical analysis, including development of new products and services or evaluation and improvement of our existing products and services;
5.2.11. security purposes, e.g. monitoring products and services provided by or made available through us for any fraudulent activities and/or security threats, and/or protecting the Portal Services from unauthorised access and/or usage;
5.2.12. complying with obligations and requirements imposed by us from time to time by any credit bureau or credit information sharing services of which we are a member or subscriber;
5.2.13. creating and maintaining credit and risk related models;
5.2.14. financial reporting, regulatory reporting, management reporting, risk management (including monitoring credit exposures, preventing, detecting and investigating crime, including fraud and any form of financial crime), audit and record keeping purposes;
5.2.15. performing data analytics and related technologies on data, to enable us to deliver relevant content and information to you, and to improve our websites and digital platforms;
5.2.16. enabling any actual or proposed assignee or transferee, participant or sub-participant of our  rights or obligations to evaluate any proposed transaction
5.2.17. managing and engaging third parties or data processors that provide services to us,
e.g. IT services, technological services, delivery services, and other professional services;
5.2.18. seeking professional advice, including legal or tax advice;
5.2.19. carrying out our legitimate business interests (listed below);
5.2.20. such purposes that may be informed to you when your personal data is collected; and/or
5.2.21. any other reasonable purposes related to the aforesaid.

For the avoidance of doubt, we may also use personal data for purposes set out in the terms and conditions that govern our relationship with you. Where personal data is used for a new purpose and where required under applicable law, we shall obtain your consent.

5.3. Legitimate business interests.
We may also collect, use, disclose, process or entrust the processing of, share and transfer your personal data for the following purposes to support our legitimate business interests, provided that this does not override your interests or rights, which include:
5.3.1. managing our business and relationship with you, and providing services to our customers;
5.3.2. assistance of carrying out corporate restructuring plans;
5.3.3. complying with internal policies, and procedures;
5.3.4. protecting our rights and interests, and those of our customers;
5.3.5. enforcing our terms and conditions, and obligations owed to us, or protecting ourselves from legal liability; and
5.3.6. managing our investor and shareholder relations.

5.4. Marketing purposes. In order for us to market products, events and services which are of specific interest and relevance to you, we may analyse and rely on your personal data provided to us, or data collected from your interactions with us. However, no marketing, using your personal data in non-aggregated and/or identifiable form would be carried out unless you have provided us with your consent to use your personal data for such marketing purposes. If you do not want us to use your personal data for the purposes of marketing you can withdraw your consent at any time by contacting us in accordance with paragraph 1.7. above.

5.5. Use permitted under applicable laws
. We may also collect, use, disclose, process and entrust the processing of, share and transfer your personal data for other purposes, without your knowledge or consent, where this is required or permitted by law. Your personal data may be processed if it is necessary on reasonable request by a law enforcement or regulatory authority, body or agency or in the defence of a legal claim. We will not delete personal data if relevant to an investigation or a dispute. It will continue to be stored until those issues are fully resolved.

5.6. Contacting you. When we contact or send you information for the above purposes and purposes for which you have consented, we may do so by post, e-mail, SMS, telephone or such other means provided by you. If you do not wish to receive any communication or information from us, or wish to restrict the manner by which we may contact or send you information, you may contact us in accordance with paragraph 1.7. above.


6.1. Cookies.
In order to improve our products or services, we collect data by way of “cookies”. A cookie is a small text file placed on your computer or mobile device when you visit a website or use an app. Cookies collect information about users and their visit to the website or use of the app, such as their Internet protocol (IP) address, how they arrived at the website (for example, through a search engine or a link from another website) and how they navigate within the Website or app.. There are three main types of cookies:

6.1.1. Session cookies
: specific to a particular visit and limited to sending session identifiers (random numbers generated by the server) so you do not have to re-enter information when you navigate to a new page or check out. Session cookies are not permanently stored on your device and are deleted when the browser closes;

6.1.2. Persistent cookies
: record information about your preferences and are stored in your browser cache or mobile device; and

6.1.2. Third party cookies
: placed by someone other than us which may gather data across multiple websites or sessions.

6.2. How we use cookies.
We use cookies for the following purposes:

6.1.1. Strictly necessary:
These cookies are essential for you to browse the Portal Services and use its features. The information collected relates to the operation of the Portal Services (e.g. website scripting language and security tokens) and enables us to provide you with the service you have requested.

6.1.2. Functionality: These cookies remember the choices you have made, for example the country you visit the Portal Services from, your language and any changes you have made to text size and other parts of the web pages that you can customise to improve your user experience and to make your visits more tailored and enjoyable.

6.1.3. Performance/analytics: These cookies collect information on how users use the Portal Services, for example which pages you visit most often, whether you receive any error messages and how you arrived at the Portal Services. Information collected by these cookies is used only to improve your use of the Portal Services. These cookies are sometimes placed by third party providers of web traffic and analysis services. We use Google Analytics. For information on how Google processes and collects your information and how you can opt out, please refer to Section 6.5.1.

6.1.4. Social Media: These cookies allow users to share our website content on social media such as Facebook and Twitter. These cookies are not within our control. Please refer to the respective privacy policies of the social media providers for how their cookies work.We may also automatically collect and store certain information about your interaction with the Portal Services including IP address, browser type, internet service provider, referring/exit pages, operating system, date/time stamps and related data.

6.3. Cookies we use.
A list of cookies used in the Portal Services, their functionalities and expiry dates are set out in Annex A.

6.4. Refusing or deleting cookies. Most internet browsers are set up by default to accept cookies. However if you want to refuse or delete them (or similar technologies) please refer to the help and support area on your browser for instructions on how to block or delete cookies (for example: Internet Explorer, Google Chrome, Mozilla Firefox and Safari). Please note you may not be able to take advantage of all the features of the Portal Services, including certain personalised features, if you delete or refuse cookies.

6.5. Mobile Opt-out. If you access the Portal Services through mobile devices, you can enable a "do not track" feature so as to control interest-based advertising on an iOS or Android mobile device by selecting the Limit Add Tracking option in the privacy section of your Settings on iOS or via advertising preferences on Android devices (e.g. in Google Settings). This will not prevent the display of advertisements but will mean that they will no longer be personalised to your interests.

6.5.1. To opt out of Google Analytics, visit

6.5.2. For more information on managing cookies, please go to

6.6. If you are a resident in the EU. For more information on managing cookies, please visit which has further information about behavioural advertising and online privacy.

6.7. Changes to our uses of Cookies. If we change anything important about this Paragraphon cookies, we will notify you through a pop-up on the website for a reasonable length of time prior to and following the change.


7.1. Disclosure to related parties. Subject to applicable law, we may disclose or share your personal data with our related parties, in connection with use of the Portal Services, in order to provide the Portal Services and for the purposes described in this paragraph 7.

7.2. Disclosure to third parties.
We may from time to time, disclose your personal data to third parties in connection with purposes described in paragraph 5 above including without limitation the following circumstances:

7.2.1. disclosing your personal data to third parties who provide services to us (including but not limited to, data providers and technology providers (including services relating to telecommunications, information technology, payment, data processing, storage and archival), and professional services (including our accountants, auditors and lawyers).
7.2.2. disclosing your personal data with third party identity verification and transaction monitoring services to assist in the prevention of fraud and other illegal activities and to fulfill our obligations under anti-money laundering and countering the financing of terrorism laws and regulations.
7.2.3. disclosing your personal data to third parties who provide web monitoring services
7.2.4. disclosing your personal data to third parties in order to fulfil such third party products and/or services as may be requested or directed by you;
7.2.5. disclosing your personal data to third parties that we conduct marketing and cross promotions with;
7.2.6. disclosing your personal data to regulators, governments, law enforcement agencies, public agencies and/or authorities;
7.2.7. if we are discussing selling or transferring part or all of our business – the information may be transferred to prospective purchasers under suitable terms as to confidentiality;
7.2.8. if we are reorganised or sold, information may be transferred to a buyer who can continue to provide continued relationship with you; and
7.2.9. if we are defending a legal claim your information may be transferred as required in connection with defending such claim.

7.3. When disclosing personal data to third parties, please be assured that we will (where appropriate and permissible) enter into contracts with third parties to protect your personal data in accordance with applicable laws and/or ensure that they only process your personal data in accordance with our instructions.

7.4. For more information about the third parties with whom we share your personal data, you may, where appropriate, wish to refer to the agreement(s) and/or terms and conditions that govern our relationship with you or our customer. You may also contact us for more information (please see paragraph 1.6 above).


8.1. Transfer.
We may transfer, store, process and/or deal with your personal data to different jurisdictions in connection with the purposes described in paragraph 5 above:
8.1.1. from the jurisdiction where it is collected (or where you are located) to any other jurisdiction that we operate in; and
8.1.2 to third parties in other jurisdictions.

8.2. Safeguards.
Where we transfer your personal data across jurisdictions, we will ensure that your personal data is protected in accordance with this policy and applicable laws regardless of the jurisdictions they are transferred to, but in any event to a level that is no less stringent than the jurisdiction from which the personal data is transferred. When we transfer your personal data internationally and where required by applicable law we put in place appropriate safeguards including EU Model Clauses or rely on EU Commission adequacy decisions. You may obtain details of these safeguards by contacting us.


9.1. Unauthorised access.
At each stage of data collection, use and disclosure, we have in place physical, electronic, administrative and procedural safeguards to protect the personal data stored with us. While we take reasonable precautions to safeguard your personal data in our possession or under our control, you agree not to hold us liable or responsible for any loss or damage resulting from unauthorised or unintended access that is beyond our control, such as hacking or cybercrimes.

9.2. Vulnerabilities
. We do not make any warranty, guarantee, or representation that your use of our systems or applications is safe and protected from malware, and other vulnerabilities. We also do not guarantee the security of data that you choose to send us electronically. Sending such data is entirely at your own risk.

9.3. Anonymised data
. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we are entitled to retain and use such data without restriction.


Period of retention.
We will only keep your Information for as long as it is necessary for the purposes set out in this Policy, unless a longer retention period is required or permitted by law (such as tax law, accounting requirements or other legal or regulatory requirements).


11.1. Rights you may enjoy.
Depending on the jurisdiction that you are in or where we operate, you may enjoy certain rights under applicable law in relation to our collection, use, disclosure and processing of your personal data. Such rights may include:

11.1.1. Access:
you may ask us if we hold your personal data and, if we are, you can request access to your personal data. This enables you to receive a copy of and information on the personal data we hold about you.
11.1.2. Correction: you may request that any incomplete or inaccurate personal data we hold about you is corrected.
11.1.3. Erasure: you may ask us to delete or remove personal data that we hold about you in certain circumstances.
11.1.4. Restriction: you may withdraw consent for our use of your personal data, or ask us to suspend the processing of certain of your personal data about you, for example if you want us to establish its accuracy.
11.1.5. Portability: you may request the transfer of certain of your personal data to another party under certain conditions.
11.1.6. Objection: where we are processing your personal data based on a legitimate interest (or those of a third party) you may object to processing on this ground.

If you wish to exercise any of your rights, you may contact us in accordance with paragraph 1.7  above. Where permitted by law, we may charge you a fee for processing your request. Such a fee depends on the nature and complexity of your request. Information on the processing fee will be made available to you.

11.2. Limitations. We may be permitted under applicable laws to refuse a request, for example, we may refuse (a) a request for erasure where the personal data is required for in connection with claims; or (b) an objection request and continue processing your personal data based on compelling legitimate grounds for the processing.


Website: Portal Website (
Used by
Used by
Essential (reCAPTCHA)
1 year
Essential (reCAPTCHA)
2 years
Essential (reCAPTCHA)
2 years
Essential (reCAPTCHA)
2 years
Essential (reCAPTCHA)
2 years
Essential (reCAPTCHA)
2 years
2 years
2 years
7 months
1 month
1 year
1 day
6 months
2 years
2 years
1 year