Kraken
Legal Bases for AI
The policy does not explicitly use terms like 'AI' or 'machine learning' in a dedicated section, but it strongly implies their use through mentions of 'biometric data' for identity verification, 'inferences' for profiling, 'automated decision making,' and 'profiling in furtherance of decisions that produce legal or similarly significant effects.' It also mentions 'detecting security incidents' and 'internal research for technological development,' which are common AI applications.
"Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a facial geometry or other unique biological patterns or characteristics that are used to identify a specific individual.
Inferences: inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, behavior, and attitudes.
A prohibition against a business making decisions about a consumer based solely on automated processing.
Opt-out of personal data processing for: targeted advertising (excluding Iowa); sales; or profiling in furtherance of decisions that produce legal or similarly significant effects (excluding Iowa and Utah).
Identity verification using biometric data.
Kraken collects, uses, stores, and processes Biometric Data to verify or confirm your identity, both when you initially open or verify your Kraken account and at any point thereafter as deemed necessary by Kraken or required by law or regulation.
Detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity.
Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
Drawing inferences to create a profile reflecting user preferences, characteristics, behavior, and attitudes, and tailoring communications and promotions.
Inferences: inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, behavior, and attitudes.
Processing data for decisions that produce legal or similarly significant effects, and general automated processing.
A prohibition against a business making decisions about a consumer based solely on automated processing.
Internal research for technological development and demonstration, and improving/developing services.
Undertaking internal research for technological development and demonstration; and/or Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us.
The policy indicates a high user impact due to the collection and processing of biometric data for identity verification, the creation of user profiles through inferences, and the explicit mention of 'automated decision making' and 'profiling in furtherance of decisions that produce legal or similarly significant effects.' These activities can have significant consequences for users.
The policy states that Kraken collects information from 'KYC service providers' and lists 'Third Party Identity Verification Services' as recipients of personal data, both of which commonly employ AI. It also mentions sharing identifiers with 'third party analytics providers, advertising partners, and ad networks' for analytics and advertising, which often involve AI-driven processing.
The policy mentions 'internal research for technological development' and 'developing new products and improving our Services,' which could involve training AI models with personal data. However, it does not explicitly state that personal data is used for 'training' AI or machine learning models, making the status unclear.
Undertaking internal research for technological development and demonstration;
To assist us in developing new products and improving our Services.
The policy mentions 'internal research for technological development' and 'developing new products and improving our Services,' which could involve training AI models with user interaction data. However, it does not explicitly state that user interactions are used for 'training' AI or machine learning models, making the status unclear.
Undertaking internal research for technological development and demonstration;
To assist us in developing new products and improving our Services.
The policy does not mention the use of public content for AI training or any form of technological development or service improvement.
While Kraken shares data with service providers for 'research' and 'analytics,' it does not explicitly state that this sharing is for the purpose of AI training by either Kraken or the third parties. Therefore, it is unclear if data is shared specifically for AI training.
Any of our service providers, specialist advisors, and business partners who need access to perform their services for/with Kraken, these services may include but are not limited to administrative, financial, commercial, legal, tax, compliance, insurance, IT, debt-recovery, marketing, analytics, research, blockchain, DeFi, or other advisory services.
Kraken collects extensive personal and biometric data, which is common for financial services due to strict KYC/AML regulations. While they do not sell user data and offer clear mechanisms for exercising privacy rights, the lack of explicit GDPR support is a significant concern for users outside of CCPA jurisdictions.
Recommended Actions
Utilize Kraken's online form or email (legal@kraken.com) to exercise your privacy rights, such as data access or deletion.
Review your privacy settings within your Kraken account to understand and manage data sharing preferences where available.
Be aware of the extensive data collection required for identity verification and regulatory compliance when using the service.
Ensure you use strong, unique passwords and enable two-factor authentication (2FA) for your Kraken account.