Политика конфиденциальности

PRIVACY POLICY

Effective Date: 25/02/2026 Last Updated: 25/02/2026 Version: 1

1. WHO WE ARE AND HOW TO CONTACT US

This Privacy Policy applies to personal data processed by Veltpay OÜ, a company incorporated in Estonia under company registration number 17214840, with its registered address at Rävala tänav 2, Pärnu, Pärnu County, Estonia (referred to throughout this document as “we,” “us,” or “our”).

For any questions, concerns, or requests relating to your personal data, you may contact our Data Protection Officer at any time through the following channels. By email at [email protected], by post at Registered Office: Rävala tänav 2, Pärnu, Pärnu County, Estonia marked for the attention of the Data Protection Officer, or through the in-app support function within the Veltpay application. We aim to respond to all privacy-related enquiries within 72 hours of receipt.

2. IMPORTANT NOTICE REGARDING THIRD-PARTY SERVICES

Veltpay is a technology platform that aggregates financial services provided by third-party institutions. The financial services, payment accounts, cards, and other services made available through the Veltpay platform are provided by our third-party partners, each of whom operates under their own regulatory framework and maintains their own privacy and data processing obligations.

By using Veltpay services, you acknowledge that your data will be shared with and processed by these third-party service providers, and that you will be required to accept their respective terms, conditions, and privacy policies in addition to this one. A full list of our current third-party service providers and links to their applicable privacy policies is set out in Section 5 of this document.

 

 

 

3. WHAT PERSONAL DATA WE COLLECT AND WHY

We collect personal data about you from three primary sources: information you provide directly to us, information generated by your use of our services, and information received from our third-party service providers as part of the account creation and verification process.

Identity and Registration Data. When you create an account with us, we collect your full legal name, date of birth, nationality, country of residence, email address, mobile telephone number, and a username or display name of your choosing. This data is necessary for us to create and manage your account and to establish your identity before enabling access to our services. We process this data on the basis that it is necessary for the performance of our contract with you under Article 6(1)(b) of the GDPR.

Identity Verification and KYC Data. To comply with our obligations under applicable anti-money laundering legislation and to satisfy the identity verification requirements of our licensed third-party partners, we collect and transmit copies of government-issued identity documents such as passports, national identity cards, and residence permits, as well as photographic identity verification data including selfie images and, where required, liveness verification data. We also collect proof of address documentation. This processing is mandatory. Without successful identity verification, we are unable to provide services to you. We process this data on the basis of compliance with our legal obligations under Article 6(1)(c) of the GDPR.

Financial Account Data. Once your identity is verified and your accounts are created with our third-party partners, we receive and store account reference numbers, IBAN details, wallet addresses, and account status information. We use this data to provide you with a unified view of your accounts and to facilitate transfers between services. This processing is necessary for the performance of our contract with you under Article 6(1)(b) of the GDPR.

Transaction Data. We receive records of your financial transactions across all connected service providers, including payment instructions, amounts, currencies, merchant details, and timestamps. We use this data to display your transaction history within the application, to provide customer support, to detect fraud and suspicious activity, and to comply with our record-keeping obligations. We process transaction data on the basis of contractual necessity under Article 6(1)(b), legal obligation under Article 6(1)(c), and our legitimate interests under Article 6(1)(f) of the GDPR.

Device and Technical Data. When you access the Veltpay application or website, we automatically collect information about your device, including your IP address, device type, operating system, browser type, mobile device identifiers, and application version. We also collect information about your in-app behaviour, including pages viewed, features used, and session duration. This data is used for security monitoring, fraud prevention, platform performance optimisation, and statistical analysis. We process this data on the basis of our legitimate interests under Article 6(1)(f) of the GDPR.

Location Data. We may collect your general geographic location based on your IP address. Where you grant explicit permission, we may access your device’s more precise location data. Precise location access is optional and is not required for most of our services. You can manage location permissions through your device settings at any time. Where we rely on your consent for precise location data, the legal basis is Article 6(1)(a) of the GDPR.

Communications Data. When you contact us through in-app support, email, or other channels, we retain records of those communications including the content of your messages and any attachments. We use this data to resolve your query, to train and quality-assure our support team, and to maintain a record of our interactions with you. This processing is based on our legitimate interest under Article 6(1)(f) of the GDPR in providing quality customer service and maintaining accurate records.

Marketing and Preference Data. If you have consented to receive marketing communications from us, we maintain a record of that consent and of your communication preferences. We use this data to personalise the communications we send to you and to comply with our obligations under applicable electronic communications legislation. The legal basis for this processing is your consent under Article 6(1)(a) of the GDPR.

4. HOW LONG WE RETAIN YOUR DATA

We retain your personal data for as long as is necessary to fulfil the purposes described in this Privacy Policy, subject to the following considerations.

For as long as you maintain an active account with us, we retain all account, identity, and transaction data required to provide you with our services and to comply with applicable regulatory requirements.

Account data and transaction records are retained for a minimum of five years from the date of each transaction to satisfy our obligations under European anti-money laundering regulations, which require financial service providers and their technology partners to maintain detailed records of customer transactions.

Upon closure of your account, we retain your identity data and transaction history for a further period of six years from the end of the fiscal year in which your account was closed. This retention period reflects the standard statutory limitation periods applicable to financial and commercial disputes, as well as the record-keeping requirements of applicable AML and CFT regulations.

Identity verification data processed by [KYC PROVIDER NAME] is subject to that provider’s own retention policies in addition to the above, and may be retained by them independently of our own retention practices.

Marketing data is retained until you withdraw your consent or update your preferences. Technical and device data used for security and analytics purposes is retained for a period of up to two years.

If you exercise your right to erasure, we will delete your data where we are not required by law to retain it and will provide you with a clear explanation of any data we are required to retain along with the legal basis for doing so.

5. THE THIRD-PARTY SERVICE PROVIDERS THAT PROCESS YOUR DATA

Delivering our services to you necessarily requires us to share your personal data with a number of third-party providers. Each of these providers acts as an independent data controller for the services they deliver and maintains their own privacy policy, which you will be required to read and accept during onboarding or at the point of activating each specific service.

Delivering our services to you necessarily requires us to share your personal data with a number of third-party providers. Each of these providers acts as an independent data controller for the services they deliver and maintains their own privacy policy, which you will be required to read and accept during onboarding or at the point of activating each specific service.

Sumsub is our identity verification and Know Your Customer (KYC) partner. Sumsub processes the personal and identity documentation you submit during onboarding, including identity documents, biometric data, and proof of address, in order to verify your identity in accordance with applicable anti-money laundering and counter-terrorism financing regulations. Your data is transmitted to Sumsub securely and processed by them as an independent data controller subject to their own privacy policy. Their privacy policy is available at https://sumsub.com/privacy-notice/

Pecunia EDE provides the European virtual IBAN (vIBAN) accounts and payment processing infrastructure that forms the basis of our payment account services. When you open a payment account through our platform, you are entering into an account relationship with Pecunia EDE, a regulated Electronic Money Institution authorised to issue electronic money and provide payment services within the European Economic Area. Your account data, transaction data, payment instructions, and associated personal information will be processed by Pecunia EDE as the licensed account provider and independent data controller. You will be required to read and accept Pecunia EDE’s terms and conditions and privacy policy at the point of account creation.

Wirex provides the Visa-branded payment card programme and associated stablecoin wallet infrastructure available through our platform. The payment card issued to you is issued by Wirex, a regulated electronic money institution and licensed card issuer. Your cardholder data, spending transaction records, wallet balances, and associated personal data will be processed by Wirex as an independent data controller subject to their own regulatory obligations and privacy policy. Wirex’s privacy policy will be presented to you at the point of card issuance and is also available athttps://wirexapp.com/legal/privacy-policy

Be1B (be1b.com) provides the underlying technology platform, backend infrastructure, and software development framework upon which our platform operates. Be1B processes technical and operational data, including account management data, transaction routing information, and platform usage data, as a data processor acting strictly under our instructions and subject to a binding data processing agreement. Be1B does not use your data for their own independent purposes. Their privacy policy is available at https://be1b.com/privacy-policy.

Lunarxy Solutions SL (Paynex) provides spot trading and liquidity infrastructure for virtual asset exchange operations conducted through our platform. Lunarxy Solutions SL, operating under the Paynex brand, is registered with the Banco de España in the Registry of Providers of Virtual Currency Exchange Services for Fiat Currency and Custody of Electronic Wallets, with registration code E062, in accordance with the provisions of the Additional Second Provision of Law 10/2010 of 28 April on the prevention of money laundering and terrorist financing. This registration was granted on 22 July 2024 under expediente number CRIPTO-2024-051. Lunarxy Solutions SL processes trading instructions, account balance information, order history, and transaction records for all virtual asset trading and custody activities you carry out through the platform as an independent data controller subject to their own regulatory obligations and privacy policy. You will be required to read and accept Lunarxy Solutions SL’s terms and conditions and privacy policy at the point of activating trading or virtual asset services on our platform.

BCB Group provides fiat currency settlement and banking services, facilitating the conversion and transfer of funds between currencies and accounts in connection with our operational and treasury activities. BCB Group may process limited financial transaction data, counterparty information, and settlement instructions in connection with these operations as a regulated financial institution and independent data controller. Their privacy policy is available athttps://bcbgroup.com/privacy-policy/

You should review each provider’s privacy policy before activating the relevant service. We will provide you with links to the applicable policies at each relevant stage of your user journey within the application.

6. WHO ELSE WE SHARE YOUR DATA WITH

In addition to the third-party service providers described in Section 5 above, we may share your personal data in the following circumstances.

We share data with regulatory authorities, law enforcement agencies, tax authorities, courts, and other public bodies where we are required to do so by applicable law or where disclosure is necessary to protect our legal rights or comply with a valid legal order. We will notify you of any such disclosure to the extent we are legally permitted to do so.

We share data with our technology service providers, hosting providers, and infrastructure partners who process data on our behalf as data processors acting under our instructions and subject to binding data processing agreements. These processors do not use your data for their own purposes. Current categories of processors include cloud hosting providers, data analytics platforms, customer communications platforms, fraud detection services, and software development partners.

We may share data with professional advisors including lawyers, accountants, auditors, and insurers where necessary for the purposes of managing our business, obtaining professional advice, or managing legal claims.

In the event of a merger, acquisition, restructuring, or sale of all or part of our business, your data may be transferred to the acquiring entity or successor business, subject to appropriate confidentiality obligations and legal protections. We will notify you of any such transfer in advance wherever possible.

We do not sell your personal data to third parties for commercial purposes.

7. INTERNATIONAL DATA TRANSFERS

Some of our service providers are located outside the European Economic Area. Where we transfer data outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other legally recognised transfer mechanisms.

You may request a copy of the relevant transfer mechanism documentation by contacting our Data Protection Officer at [email protected].

8. YOUR RIGHTS AS A DATA SUBJECT

Under the General Data Protection Regulation and applicable national data protection legislation, you have the following rights in relation to your personal data processed by us as controller. For data processed independently by our third-party partners, you should exercise your rights directly with those organisations.

You have the right to access the personal data we hold about you and to receive a copy of that data in a structured, commonly used, and machine-readable format under Article 15 of the GDPR.

You have the right to request correction of any inaccurate or incomplete personal data we hold about you under Article 16 of the GDPR. Where possible, please update your information directly through the in-app account settings before making a formal request.

You have the right to request erasure of your personal data under Article 17 of the GDPR where we no longer have a legal basis to retain it, where you withdraw consent that was the only basis for processing, or where processing has been unlawful. As noted in Section 4 above, certain data must be retained to comply with regulatory obligations, and we will explain any such limitations when you make a request.

You have the right to object to processing under Article 21 of the GDPR that we carry out on the basis of our legitimate interests, or to processing for direct marketing purposes. Where you object to legitimate interest processing, we will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

You have the right to restrict our processing of your data under Article 18 of the GDPR in certain circumstances, including while we are investigating a complaint you have made about the accuracy or lawfulness of our processing.

You have the right to data portability under Article 20 of the GDPR, meaning the right to receive your data in a structured format and to transmit that data to another controller, where technically feasible and where processing is based on consent or contractual necessity.

Where we rely on your consent for any processing activity, you have the right to withdraw that consent at any time under Article 7(3) of the GDPR. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects concerning you under Article 22 of the GDPR. Where we carry out automated decision-making, you have the right to request human review of that decision, to express your point of view, and to contest the decision.

You have the right to lodge a complaint with a supervisory authority under Article 77 of the GDPR. You may do so in the member state of your habitual residence, your place of work, or the place of the alleged infringement.

To exercise any of these rights, please contact our Data Protection Officer at [DPO EMAIL ADDRESS]. We will respond to all requests within one month of receipt. Where a request is particularly complex or numerous, we may extend this period by a further two months and will notify you of any such extension within the first month.

We will not charge a fee for handling your request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request, providing you with written reasons for our decision.

9. COOKIES AND TRACKING TECHNOLOGIES

Our website and application use cookies and similar tracking technologies to enable core functionality, analyse usage patterns, and where you have consented, to support personalised features.

Essential cookies are strictly necessary for the operation of our services and cannot be disabled without affecting core functionality. These include session authentication cookies, security tokens, and cookies that store your privacy preferences.

Analytical cookies help us understand how users interact with our platform, which features are most used, and where users encounter difficulties. We use this information to improve our services. Analytical cookies are only deployed where you have provided your prior consent.

We do not use advertising cookies or third-party tracking cookies for the purpose of serving targeted advertising.

You can manage your cookie preferences through the cookie settings tool available on our website and within the application at any time. You may also control cookies through your browser settings, though disabling certain cookies may affect the functionality of our services.

10. SECURITY MEASURES

We implement technical and organisational security measures designed to protect your personal data against accidental loss, unauthorised access, alteration, disclosure, or destruction in accordance with Article 32 of the GDPR.

These measures include end-to-end encryption of data in transit using industry-standard TLS protocols, encryption of sensitive data at rest, multi-factor authentication requirements for account access, access controls limiting data access to authorised personnel on a need-to-know basis, regular security assessments and penetration testing, and incident response procedures designed to detect, contain, and remediate security incidents promptly.

Where our third-party service providers handle your data, we require them by contract to maintain security standards equivalent to those we apply ourselves and we conduct due diligence on their security practices as part of our vendor management programme.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the risk to your rights and freedoms is high, we will also notify you directly with information about the nature of the breach and the steps we are taking to address it, in accordance with Article 34 of the GDPR.

11. THIRD-PARTY TERMS YOU ARE REQUIRED TO ACCEPT

Your use of specific services within the application requires your agreement to the terms and privacy policies of the relevant third-party service providers set out in Section 5 above. These agreements are presented to you at the relevant point in your user journey and must be accepted before the corresponding service is activated.

We strongly encourage you to read each of these documents carefully before accepting them. You have the right to contact each provider directly to ask questions about their data practices before proceeding.

12. CHILDREN

Our services are intended exclusively for individuals who are at least 18 years of age. We do not knowingly collect personal data from persons under the age of 18. If we become aware that we have collected data from a minor, we will take immediate steps to delete that data and close the associated account without undue delay.

If you believe that a minor has registered for our services, please contact us immediately at [email protected].

13. CHANGES TO THIS PRIVACY POLICY

We reserve the right to update and amend this Privacy Policy from time to time to reflect changes in applicable law, changes in our business practices, or changes in the services we offer.

When we make material changes, we will notify you through the application, by email to your registered address, or by in-app notification at least 30 days before the changes take effect. For non-material changes, we may update the policy with shorter or no advance notice.

The date of the most recent update is always displayed at the top of this document. We encourage you to review this Privacy Policy periodically.

Where changes materially affect how we process your data or your rights in relation to that processing, and where we rely on your consent as the legal basis for that processing, we will seek your renewed consent before the new processing begins.

Your continued use of our services after the effective date of any changes constitutes your acknowledgement of the updated Policy.

14. GOVERNING LAW AND SUPERVISORY AUTHORITY

This Privacy Policy is governed by and construed in accordance with the laws of Estonia, without prejudice to any mandatory data protection rights you may have under the laws of your country of habitual residence. The General Data Protection Regulation applies across all processing activities conducted by us regardless of any governing law clause in this document.

Any disputes arising in connection with this Privacy Policy that cannot be resolved through our internal complaints process will be subject to the non-exclusive jurisdiction of the courts of Estonia, without prejudice to your right to bring proceedings before a supervisory authority or court in your member state of habitual residence.

CONTACT SUMMARY

Veltpay OÜ | Company Registration: 17214840 | Rävala tänav 2, Pärnu, Pärnu County, Estonia | [email protected]

Data Protection Officer: [email protected]