Individuals Privacy Notice

Due Network”, “we”, “us” and “our” means:

  • Due Ltd, registered in the United Kingdom (“UK”) with registered address at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, and company registration number of 14369984;
  • Due Payments EOOD, registered in Bulgaria with registered address at Hubcha Str. No. 8, Floor 2, A-1, Krasno Selo, Sofia 1618, and company registration number of 207457701;
  • Due Network, S.L., registered in Spain with registered address at Paseo de la Castellana 91, 4ª, 1ª, Madrid 28046, and company registration number of 16407272;
  • Due Payments Inc., registered in Canada with registered address at 80 Birmingham Street, Unit C6, Etobicoke, Ontario M8V3W6, and Ontario Corporation Number of 1000864948; and/or
  • Due Technologies Inc., registered in the State of Delaware in the United States, with registered address at 169 Madison Avenue, STE 11441 New York 10016, NY,
  • Due Network Argentina S.R.L. registered in Argentina with registered address at Tucuman 1, piso 4, CP1049, Ciudad Autónoma de Buenos Aires, Argentina and company registration number 2024182.

and we are committed to respecting your privacy. 

About this privacy notice

For the purposes of data protection law, we are a data controller in respect of your personal data. We are responsible for ensuring that it uses your personal data in compliance with data protection law.

This privacy notice applies if you are an end user of our products and services. The privacy notice sets out the basis on which any personal data about you that you provide to us, that we create, or that we obtain about you from other sources, will be processed by us. Please take the time to read and understand this privacy notice. 

We process your personal data on the following legal basis, as applicable:

Compliance with a legal obligation: when processing is necessary to comply with applicable legal obligations (e.g. AML/CFT obligations, record-keeping, reporting to authorities, and obligations imposed under MiCA).

Performance of a contract: when processing is necessary to perform a contract with the client or to take pre-contractual measures at the client’s request.

Legitimate interests: when processing is based on the legitimate interests of the group (e.g. fraud detection and prevention, risk management, cybersecurity), provided that such interests are not overridden by your fundamental rights. We can describe these interests and the outcome of the balancing test upon request.

Consent: only when we expressly request it for specific purposes (e.g. marketing communications), you will be informed and may withdraw your consent at any time.

Data relating to convictions or offences: when we process data relating to criminal convictions or offences, we will do so only when necessary and permitted by law (e.g. under AML obligations), in accordance with the applicable regulations.

Personal data that we collect about you

We will collect and process the following personal data about you:

Information that you provide to us or one of our affiliates. This includes information about you that you give us by filling in forms or by communicating with us, whether face-to-face, by phone, e-mail or otherwise. This information may include:

  • contact details, including postal /shipping address, billing address, email address and phone number;
  • country of residence;
  • date of birth;
  • full name;
  • ID;
  • on-chain wallet address;
  • open banking details: bank credentials; and
  • photograph.

Information we collect or generate about you. This includes:

  • contact details, including postal /shipping address, billing address, email address and phone number;
  • country of residence;
  • date of birth;
  • full name;
  • ID;
  • on-chain wallet address;
  • open banking details: bank credentials; 
  • photograph; and
  • transaction data, including:
  • date of transaction(s);
  • transaction amount;
  • transaction currency;
  • counterparty (i.e. client/merchant);
  • payment method; and
  • payment type (POS, online, etc.).

Information we obtain from other sources.

  • information provided by KYC/KYB third parties to carry out background screening checks (e.g. for sanctions etc); and
  • information provided by wallet screening and transaction monitoring providers to check that the wallet being used is safe and that the funds being used are not connected to fraudulent/criminal activity.

As part of our AML/CFT and sanctions checks we may process information relating to criminal convictions or offences. Such processing is necessary for compliance with applicable law and for the exercise of our legal obligations as an obliged entity under AML legislation. Where required by local law, we rely on the specific legal grounds provided by that law to process such data. If you require further detail, contact legal@due.network.

Uses of your personal data

Your personal data may be stored and processed by us in the following ways and for the following purposes to ensure that you are eligible to use our services:

  • to verify that the you are who you say you are (i.e. identity verification); 
  • to confirm that you have the sufficient funds to be able to make the purchase; and 
  • to ensure that you are a "good user" and are not associated with fraud, sanctions, crime, etc. 

We are entitled to use your personal data in these ways because:

  • we have legal and regulatory obligations that we have to discharge; 
  • we may need to in order to establish, exercise or defend our legal rights or for the purpose of legal proceedings; or
  • the use of your personal data as described is necessary for our legitimate business interests (or the legitimate interests of one or more of our affiliates) set out above.

We process your personal data for the following purposes and on the following legal bases:

  • Identity verification and KYC/KYB, including sanctions screening, beneficial ownership checks, and ID document verification.
  • Legal basis: We are legally required to process this data to comply with applicable anti-money laundering (AML), counter-terrorism financing (CFT), and sanctions laws.
  • Monitoring transactions, screening wallets, and preventing fraud, including through automated analytics.
  • Legal basis: This processing is necessary to comply with legal obligations under AML/CFT legislation and, where applicable, for our legitimate interests in detecting and preventing fraud. We have conducted a Legitimate Interests Assessment to document this.
  • Performing the contract with you, including on-boarding, payment execution, and customer service.
  • Legal basis: Processing is necessary for the performance of the contract with you.
  • Marketing communications (if any).
  • Legal basis: We will process your personal data for marketing only with your explicit consent. You may withdraw this consent at any time.
  • Handling legal claims and complying with regulators or law enforcement requests.
  • Legal basis: Processing is necessary to comply with legal obligations and to establish, exercise, or defend our legal rights.

If you would like a copy of our Legitimate Interests Assessment or further details about the specific legal basis for a particular processing, please contact legal@due.network.

Security and operational resilience

We implement reasonable, technical and organizational measures to protect data against loss, unauthorized access, and disclosure. As part of our regulatory obligations, we may process data for incident detection, forensic investigation, and notification to competent authorities in the event of security incidents. These activities are carried out in accordance with applicable regulations and with due respect for the protection of personal data.

Other compatible purposes

We may process your personal data for other purposes compatible with those set out above. Where required by law or good practice we will document the legal basis (including Legitimate Interests Assessments) and inform you if the processing is materially different or requires your consent.

Disclosure of your information to third parties

We will take steps to ensure that the personal data is accessed only by our employees that have a need to do so for the purposes described in this notice.

Your data may be disclosed, as applicable, to the following categories of recipients:

  • Public authorities and supervisory bodies (including FIUs, law enforcement, and tax authorities) when required by law or necessary for the prevention or detection of criminal activity.
  • Compliance and KYC/KYB service providers, sanctions screening providers, and risk data suppliers (acting as processors).
  • Banking partners, payment partners, and other financial service providers acting as data processors or joint controllers.
  • IT, hosting, cloud, and data storage service providers (acting as processors).
  • External auditors, legal advisers, and forensic auditors when necessary for audit or investigation purposes.
  • Purchasers or potential purchasers of the business in the event of a sale or corporate restructuring.
  • In all cases, recipients will be contractually required to process the data in accordance with this notice and not use it for any other purposes.

Processors and subcontractors

We work with service providers acting as data processors (for example, KYC/IDV providers, banking partners, hosting services, cloud services, and screening providers). All processors are bound by contracts containing appropriate safeguards (including standard contractual clauses) and security obligations.

Transfers of personal data outside the European Economic Area (“EEA”) and UK

The personal data that we collect from you may be transferred to, and stored at, a destination outside the EEA/UK. It may also be processed by staff operating outside of the EEA/UK who work for our affiliates or for one of our suppliers. 

Where we transfer your personal data outside the EEA/UK, we will ensure that it is protected in a manner that is consistent with how your personal data will be protected by us in the EEA/UK. This can be done in a number of ways, for instance:

  • the country to which we send the data is approved by the European Commission/UK Government (as applicable); 
  • the recipient may have adhered to binding corporate rules (only for intragroup transfers); or
  • the recipient has signed a contract based on “model contractual clauses” approved by the UK Government / European Commission (as applicable), obliging them to protect your personal data.

In other circumstances the law may permit us to otherwise transfer your personal data outside the EEA/UK. In all cases, however, we will ensure that any transfer of your personal data is compliant with data protection law. 

You can obtain more details of the protection given to your personal data when it is transferred outside the EEA/UK (including a copy of the standard data protection clauses which we have entered into with recipients of your personal data) by contacting us in accordance with the “Contacting us” section below.

Retention of personal data

How long we hold your personal data for will vary. The retention period will be determined by various criteria including:

  • the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and
  • legal obligations – laws or regulation may set a minimum period for which we have to keep your personal data.
  • retention requirements may vary by jurisdiction, for example, certain countries require personal data to be retained for longer periods under local law.

Your rights

You have a number of legal rights in relation to the personal data that we hold about you. These rights include:

  • the right to obtain information regarding the processing of your personal data and access to the personal data which we hold about you;
  • the right to withdraw your consent to our processing of your personal data at any time. Please note, however, that we may still be entitled to process your personal data if we have another legitimate reason (other than consent) for doing so; 
  • in some circumstances, the right to receive some personal data in a structured, commonly used and machine-readable format and/or request that we transmit those data to a third party where this is technically feasible. Please note that this right only applies to personal data which you have provided to us;
  • the right to request that we rectify your personal data if it is inaccurate or incomplete;
  • the right to request that we erase your personal data in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal data, but we are legally entitled to retain it;
  • the right to object to, and the right to request that we restrict, our processing of your personal data in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal data but we are legally entitled to continue processing your personal data and / or to refuse that request; and
  • the right to lodge a complaint with the data protection regulator (details of which are provided below) if you think that any of your rights have been infringed by us.

You can exercise your rights by contacting us using the details set out in the “Contacting us” section below.

Further information about your rights may be obtained by contacting the supervisory data protection authority located in your jurisdiction: 

  • In the UK, the supervisory data protection authority is the Information Commissioner’s Office (“ICO”) - https://ico.org.uk/

A list of National Data Protection Authorities in the EU can be found here.

Contacting us

If you would like further information on the collection, use, disclosure, transfer or processing of your personal data or the exercise of any of the rights listed above, please address questions, comments and requests to legal@due.network.