Document 2: Rekashpay Privacy Policy (Phase 1 Edition)

Effective Date: [Date]

1. INTRODUCTION

This Privacy Policy governs the collection and use of personal data for Rekashpay's Services, which are offered to both individual consumers ("Personal Users") and corporate entities ("Business Users"). If you use our Services on behalf of a Business User (e.g., as an administrator or authorized user), please also note that your personal data is processed in that capacity and shared with the Business User.

2. DATA COLLECTION SPECIFIC TO OUR BUSINESS

To provide On/Off-Ramp and Card services, we must collect:

2.1. For All Users (Personal & Business)

Identity Data (Necessary for KYC/AML compliance and contract performance)

For Personal Users: Name, Address, Date of Birth, Government ID, Selfie.

For Business Users: This extends to data of representatives, Beneficial Owners, and Authorized Users as required.

Financial Data (Necessary for the performance of our contract with you, to process your ramp transactions)

• Bank Account Number / IBAN (for Off-Ramp payouts).

• Credit/Debit Card partial numbers (for On-Ramp purchases).

• Wallet Addresses and Transaction Hashes.

Transactional Data (Necessary for the performance of our contract, to settle transactions and maintain your balance, and for our legitimate interests in preventing fraud and ensuring network security)

Merchant Name, Location, Amount, and Currency for every card transaction.

2.2. Specific to Business Users & Their Accounts:

Business Entity Data (Necessary for KYB/AML and contract performance with the entity)

Company registration number, legal name, registered address, Tax ID. Constitutional documents, proof of good standing.

Authorized User Management Data (Processed on instructions of the Business User)

Names, email addresses, and roles of Authorized Users designated by the Business User.

Note: We use this data to calculate your remaining crypto balance and detect fraud.

3. HOW WE SHARE YOUR DATA

We function as a bridge between Crypto and Traditional Finance. Data sharing is strictly limited to:

  • 3.1. The Card Issuer: We share necessary KYB/KYC data (including data of representatives, UBOs, and Authorized Users) for card issuance and compliance.
  • 3.2. Payment Processors & Card Networks: To process your On-Ramp fiat payments and settle transactions.
  • 3.3. Card Networks (Visa/Mastercard): To settle transactions globally.
  • 3.4. AML Screening Partners: To check your name against sanctions lists (e.g., OFAC) before onboarding.
  • 3.5. The Business User (For Authorized Users): Administrators of a Business Account will have access to transaction data and activity logs of their Authorized Users.

We DO NOT share your data with advertisers.

4. DATA RETENTION

4.1. We retain personal data only for as long as necessary to fulfill the purposes we collected it for, including for satisfying any legal, accounting, or reporting requirements. Upon expiry of the applicable retention period, we will securely delete or anonymize your personal data in a manner consistent with our data retention schedule.

4.2. KYC/Identity Records: For Personal Users: Retained for 5 years after the closure of your Account or the last transaction, as required by anti-money laundering regulations. For Business Users: We retain the company's KYB (Know Your Business) documentation, including identification data of Beneficial Owners (UBOs), controlling persons, and authorized representatives (Business Users), for 5 years after the closure of the Business Account or the last transaction. This period may be extended if required by specific regulations in the jurisdiction of the corporate entity.

4.3. Transaction Records: Retained for 7 years after account closure for financial auditing, tax, and compliance purposes (standard financial regulation). This applies uniformly to transactions conducted through both Personal and Business Accounts.

4.4. Business Account Metadata: Non-transactional data related to Business Account administration (e.g., corporate registration documents, list of Authorized Users and their assigned permissions, internal approval logs) is retained for 5 years after account closure to comply with potential regulatory inquiries and for internal audit purposes.

4.5. Authorized User Data: Personal data of Authorized Users (name, contact details) provided by the Business User is retained for the duration of their active association with the Business Account plus 2 years after disassociation or account closure, whichever is later, unless a longer period is required for compliance with Applicable Law.

4.6. Card Data: Stored securely in compliance with PCI-DSS standards and retained as required by Card Network rules (typically for dispute resolution periods, which can be up to 13 months for standard disputes or longer for specific investigations).

5. INTERNATIONAL TRANSFERS

As our services are global, your data may be transferred to and processed in countries outside your country of residence. Your card transaction data may be processed globally (e.g., if you travel and use the card abroad). We ensure all transfers comply with applicable data protection laws by implementing appropriate safeguards, such as the European Commission's Standard Contractual Clauses. You may contact us to obtain a copy of these safeguards.

6. YOUR RIGHTS

Depending on your jurisdiction and the nature of our data processing, you may have certain rights regarding your personal data. This section explains these rights and how you may exercise them.

6.1. You may have the right to:

  • Access and obtain a copy of your personal data we process.
  • Rectification of inaccurate or incomplete personal data.
  • Erasure ("right to be forgotten") of your personal data under certain conditions (e.g., where the data is no longer necessary for the purposes collected).
  • Restriction of processing of your personal data in specific circumstances.
  • Object to our processing of your personal data, particularly where we rely on legitimate interests as the legal basis.
  • Data Portability, where applicable, to receive your data in a structured, machine-readable format.
  • Withdraw Consent, where processing is based on your consent, without affecting the lawfulness of processing before the withdrawal.

6.2. How to Exercise Your Rights (Distinct Paths)

For Personal Account Holders (Individual Consumers): If you hold a Personal Account with us, you are the direct data subject. You may exercise your rights directly against Rekashpay by submitting a verifiable request through the designated channels in our App or by contacting our Data Protection Officer at the details provided at the end of this Policy. We will respond to your request in accordance with Applicable Law.

For Individuals Associated with a Business Account: If your personal data is processed in connection with a Rekashpay Business Account (e.g., as an administrator, Beneficial Owner, or Authorized User), please note the following important distinction:

Primary Relationship: In this context, Rekashpay primarily processes your personal data on behalf of and under the instructions of the Business User (your employer or the entity you represent). For such data, the Business User is the data controller, and Rekashpay acts as a data processor or service provider.

Initial Point of Contact: Therefore, you should first direct your privacy requests (e.g., to access, correct, or delete the data provided to us by your organization) to the administrator of the relevant Business Account. We are contractually obligated to assist the Business User in fulfilling such requests.

Direct Requests to Rekashpay: You may also contact us directly. However, if we determine that your request relates to data we process as a processor for a Business User, we will typically forward your request to that Business User for action, unless prohibited by law. We will notify you of this action.

For All Individuals: Regardless of your account type, you always have the right to lodge a complaint with a competent supervisory authority in your country of residence.

6.3. Our Response to Your Requests

We will make good-faith efforts to respond to verifiable requests within 1 month. If we require more time, we will inform you of the reason and extension period. We may need to verify your identity before processing your request. In certain cases, we may charge a reasonable fee if a request is manifestly unfounded or excessive.

6.4. Exceptions and Limitations

Your rights are not absolute. We may be required or entitled by Applicable Law to retain or continue processing your personal data, even in the face of a request, for purposes including but not limited to:

  • Complying with a legal obligation (e.g., AML record-keeping for 5-7 years).
  • Exercising or defending legal claims.
  • Detecting, preventing, or investigating security incidents, fraud, or illegal activity.
  • Protecting the rights, property, or safety of Rekashpay, our users, or the public.

7. LIABILITY LIMITATION

  • 7.1. To the extent permitted by Applicable Law, Rekashpay shall not be liable for any indirect, incidental, or consequential damages arising from the use of our services or this Privacy Policy.
  • 7.2. This limitation does not apply to damages arising from our gross negligence, wilful misconduct, or material breach of our data protection obligations under Applicable Law.

8. GOVERNING LAW AND DISPUTE RESOLUTION

  • 8.1. This Agreement shall be governed by and construed in accordance with the laws of Seychelles.
  • 8.2. Any dispute arising out of or in connection with this Agreement shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre (SIAC) in accordance with its rules. The seat of arbitration shall be Singapore. The language of the arbitration shall be English. The number of arbitrators shall be one.

© SparkFire Group Limited. All Rights Reserved.