Privacy Policy
Last updated: June 1, 2026
1. DUE group entities
“Due Network”, “we”, “us” and “our” mean:
• Due Ltd, registered in the United Kingdom (“UK”), with registered office at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, and company registration number 14369984;
• Due Network, SL, registered in Spain, with registered office at Paseo de la Castellana 91, 4th, 1st, Madrid 28046, and company registration number 16407272;
• Due Payments Inc., registered in Canada (registration number 1000864948), with registered office at 80 Birmingham Street, Unit C6, Etobicoke (Ontario) M8V 3W6, Canada; and/or
• Due Technologies Inc., registered in the state of Delaware (USA), with registered office at 169 Madison Avenue, Suite 11441, New York, NY 10016, USA;
• Due Tecnologia Brasil LTDA., registered and incorporated under the Laws of Brasil, enrolled with the Corporate Tax ID of the Ministry of Economy under CNPJ/ME No. 58.138.976/0001-05 and whose registered office is Avenida Paulista 1636, sala 1504, 01310-200, São Paulo - SP, Brasil.
• Due Network Argentina SRL, registered in Argentina, with registered office at Tucumán 1, 4th floor, CP1049, Autonomous City of Buenos Aires, Argentina, and commercial registration number 2024182.
We are committed to respecting your privacy.
2. About this privacy notice
For the purposes of data protection regulations, we act as the controller of your personal data. We are responsible for ensuring that we use your personal data in accordance with data protection law.
This privacy notice is a single, unified document that applies, as the case may be, to two categories of data subjects: (i) individuals who are end users of our products and services (B2C); and (ii) representatives, directors, authorised signatories, attorneys, contact persons, shareholders and ultimate beneficial owners (UBOs) of our institutional clients (B2B). It sets out the basis on which we will process the personal data that you provide to us, that we generate internally or that we obtain from other sources. Please read and make sure you understand this privacy notice.
This notice also applies, where relevant, to prospective clients (before onboarding), users who contact customer support and website visitors (for data processing related to website use and security). The processing of personal data through cookies and similar tracking technologies is governed by our Cookie Policy, available at https://www.opendue.com/es/legal/cookie-policy.
Certain sections or paragraphs apply only to one of the two categories above; in such cases this is expressly indicated by means of a highlighted note such as «Applicable to individuals (B2C)» or «Applicable to representatives and ultimate beneficial owners of institutional clients (B2B)». The remainder of the notice applies to both categories.
Applicable framework according to the data subject's jurisdiction. Without prejudice to the general regime of this notice—the GDPR and, in Spain, the LOPDGDD—applicable to data subjects in the European Economic Area (including entities in Spain and Bulgaria), the following local specificities apply depending on the data controller or your location:
United Kingdom. If the data controller is Due Ltd or you are located in the United Kingdom, your processing is governed by the UK GDPR and the Data Protection Act 2018, which take precedence over any reference in this notice to the EU GDPR or Spanish law; the competent supervisory authority is the Information Commissioner’s Office (ICO).
Canada. If the data controller is Due Payments Inc. or you are located in Canada, your processing is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and, with respect to residents of Quebec, by Act 25 of that province, which take precedence over any reference in this notice to the GDPR or Spanish law. The competent supervisory authority is the Office of the Privacy Commissioner of Canada (OPC).
United States. If the data controller is Due Technologies Inc. or you reside in the United States, your processing is governed by applicable federal and state privacy laws, including, where applicable, state consumer privacy laws (e.g., the California Consumer Privacy Act, as amended by the CPRA, and equivalent laws of other states), which supersede any reference in this notice to the GDPR or Spanish law.
Brazil. If the data controller is Due Tecnologia Brasil LTDA or you are located in Brazil, your processing is governed by Law No. 13.709/2018 (LGPD), which supersedes any reference in this notice to the GDPR or Spanish law; the competent supervisory authority is the National Data Protection Authority (ANPD).
Argentina. If the data controller is Due Network Argentina SRL or you are located in Argentina, your processing is governed by Law 25.326 on the Protection of Personal Data and its regulatory Decree 1558/2001, which prevail over any reference in this notice to the GDPR or Spanish regulations; the competent supervisory authority is the Agency for Access to Public Information (AAIP).
3. Your controller and its roles within the group
Products and services are provided through the group's local operating entities. The entity with which you contract (in accordance with the applicable Terms and Conditions) is the controller of your data within the contractual relationship.
Other group entities may act as independent controllers for specific processing activities (for example, due to their own legal obligations or for the technical provision of the service).
Where two or more entities jointly determine the purposes and means of processing, they may act as joint controllers (art. 26 GDPR). In that case, we will provide you with the essential information about the joint controllership arrangement, which you may request at any time from our Data Protection Officer at dpo@due.network. We will also inform you of the main point of contact for exercising your rights vis-à-vis the group.
4. Legal basis
We process your personal data on the following legal bases, as applicable:
• Compliance with a legal obligation: where processing is necessary to comply with applicable legal obligations (for example, anti-money laundering and counter-terrorist financing obligations, record-keeping, reporting to authorities and obligations imposed under Regulation (EU) 2023/1114 (MiCA)).
• Performance of the contract: where processing is necessary to perform a contract with the client or to take pre-contractual steps at the client's request.
• Legitimate interests: where processing is based on the group's legitimate interests (for example, fraud detection and prevention, risk management, cybersecurity), provided that such interests are not overridden by your fundamental rights and freedoms. We can describe these interests and the outcome of the balancing test to you upon request.
• Consent: We will only process your personal data on this basis where we have expressly requested and obtained your consent for specific purposes (for example, marketing communications). You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Compliance with MiCA obligations (Art. 6(1)(c) GDPR): As a crypto-asset service provider (CASP) authorised under Regulation (EU) 2023/1114 (MiCA), we process personal data to comply with the regulatory obligations that MiCA imposes on us, including customer onboarding documentation, transaction records, wallet verification data and transparency requirements. This processing does not constitute a standalone legal basis but falls within Article 6(1)(c) GDPR (compliance with a legal obligation), with MiCA being the sectoral regulation that gives rise to that obligation, in the same way as Law 10/2010 in the context of the fight against money laundering and terrorist financing. The processing is necessary for regulatory compliance, risk management and investor protection.
Where we process personal data relating to criminal convictions and offences, such processing is carried out in accordance with Article 10 GDPR and on the basis of Article 6(1)(c) GDPR (legal obligation).
This processing is strictly necessary to comply with the applicable anti-money laundering and counter-terrorist financing (AML/CFT) obligations under Law 10/2010 of 28 April, as amended by Royal Decree-Law 7/2021.
Such processing is limited to what is strictly necessary for these purposes and includes the retention of identification documentation and transaction records for a period of 10 years, in accordance with Article 25 of Organic Law 10/2010. Where processing is based on legitimate interests, you may object at any time on grounds relating to your particular situation. In particular, you have the right to object at any time, with immediate effect, to the processing of your personal data for direct marketing purposes.
5. Personal data we collect about you
We will collect and process the following personal data about you:
Information that you provide directly to us or to one of our affiliates when completing forms, going through the onboarding process or communicating with us, whether in person, by telephone, email or in any other way. This information may include:
- Contact details, including postal/shipping address, billing address, email address and telephone number;
- country of residence;
- nationality;
- tax residence;
- date of birth;
- Place of birth (used to cross-check the client's profile against possible matches on sanctions lists, politically exposed persons (PEP) registers and adverse media searches, and as required by the Travel Rule in jurisdictions that impose it in accordance with Regulation (EU) 2023/1113 and applicable equivalent legislation);
- full name;
- identity document number;
- identity document expiry date;
- on-chain wallet address (wallet address);
- open banking credentials (account details for payment initiation); and
- photograph (selfie or image of identity document).
Applicable to representatives and ultimate beneficial owners of institutional clients (B2B). If you belong to this category, we will also collect and process:
• commercial name of the organisation you represent and the sector in which it operates;
• contact details, including postal address, email address and telephone number;
• registered office;
• date of incorporation.
We will also collect and process the following personal data about the directors, officers, authorised signatories and ultimate beneficial owners (UBOs) of your organisation: full name; nationality; country of residence; date of birth; place of birth; identity document number and expiry date; and photograph (selfie or image of identity document).
Where necessary to provide the service, comply with regulatory obligations or protect security, we may process additional categories in respect of institutional clients, such as: identification/verification data (document type and number, date of issue/expiry, nationality, proof of address, position/role and powers of representation); corporate and beneficial ownership data (ownership/control structure, UBOs and corporate documentation); compliance and risk data (PEP status, sanctions screening results and, where applicable, public/adverse media sources); and operational and security data (access logs, IP addresses, technical identifiers and security events).
5.1 Information we collect or generate internally about you (not provided directly by you). This includes:
- Contact details, including postal/shipping address, billing address, email address and telephone number;
- country of residence;
- date of birth;
- full name;
- identity document data;
- blockchain wallet address;
- open banking credentials (account details for payment initiation);
- photograph; and
- Transaction data, including:
  - transaction date(s);
  - transaction amount;
  - transaction currency;
  - counterparty (i.e. client/merchant);
  - payment method; and
  - payment type (POS, online, etc.).
- Facial biometric data/attributes extracted from selfies/videos for liveness verification and face matching, and for duplicate detection (biometric search), where applicable. The processing of biometric data constitutes a special category of data under Article 9 GDPR. The applicable legal basis for this processing is Article 9(2)(g) GDPR (processing necessary for reasons of substantial public interest, specifically the prevention of money laundering and terrorist financing, as established in the applicable anti-money laundering and counter-terrorist financing legislation, including Organic Law 10/2010 of 28 April), in conjunction with Article 9(2)(b) GDPR where applicable (processing necessary for carrying out obligations and exercising rights in the field of employment and social security law), and, where applicable, Article 9 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights (LOPDGDD) for processing carried out in Spain. The processing is strictly limited to what is necessary for identity verification, fraud prevention and compliance with anti-money laundering and counter-terrorist financing regulations, and is subject to the safeguards required by applicable law.
- Video identification: The recording of the video identification process, with reliable evidence of its date and time, will be stored in digital format in accordance with Article 25 of Law 10/2010 for a period of ten (10) years from the termination of the business relationship or execution of the transaction.
The legal basis for retaining the video recordings is compliance with a legal obligation under Spanish anti-money laundering legislation (Article 25 of Law 10/2010). The «consent» referred to here relates to your acknowledgement of the recording process and its retention period, not to the legal basis for the processing. You may not object to this retention where it is required by anti-money laundering regulations; however, access to these recordings is strictly limited to authorised compliance personnel, SEPBLAC and the competent judicial authorities.
This section on video identification applies exclusively to clients who complete their onboarding process with Due Network SL. Clients who register through other group entities will be subject to the specific procedures and policies of the relevant entity.
5.2 Information we obtain from other sources.
• information provided by third-party KYC/KYB providers to carry out background checks (for example, for sanctions, etc.); and
• Information provided by transaction monitoring and wallet verification providers to check that the wallet used is secure and that the funds used are not linked to fraudulent or criminal activity.
• Technical and security data (when you use the website or the app): We may process online identifiers (for example, IP), access logs, device identifiers and security events to prevent fraud, protect the account and maintain operational resilience.
• Mandatory/Voluntary: Certain data (e.g. identification/KYC) is mandatory to comply with AML/CFT regulations and to provide the service. If you do not provide this data, we may be unable to open or maintain your account or carry out transactions.
• Transfer of Funds Regulation (TFR) data: In accordance with Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (TFR), we are required to collect, verify and retain specific information relating to crypto-asset transfers, which includes:
- Originator information (such as name, address, wallet address and other identifiers, where applicable).
- Beneficiary information (such as name and wallet address).
- Transaction details, including identifiers and timestamps.
- Beneficiary address in the case of Due Payments Inc. (Canada).
This data is processed to ensure the traceability of crypto-asset transfers and to comply with applicable anti-money laundering and counter-terrorist financing obligations. It may be made available to the competent authorities upon request.
The processing is carried out on the basis of Article 6(1)(c) GDPR (legal obligation), in accordance with the requirements established in the TFR.
As part of our anti-money laundering and counter-terrorist financing (AML/CFT) and sanctions controls, we may process information relating to criminal convictions or offences. This processing is necessary to comply with applicable law and with our legal obligations as an obliged entity under AML/CFT legislation. Where required by local law, we rely on the specific legal bases it establishes to process such data. For more information, please contact dpo@due.network.
Safeguards (Article 10 GDPR): We limit access to authorised personnel, apply access and logging controls, minimise data and ensure confidentiality.
6. Uses of your personal data
Your personal data may be stored and processed by us in the following ways and for the following purposes to ensure that you meet the requirements to use our services:
• to verify that you are who you say you are (i.e. identity verification);
• to confirm that you have sufficient funds to complete the purchase; and
• to ensure that you are a "good user" and are not associated with fraud, sanctions, crime, etc.
We are entitled to use your personal data in these ways because:
• We have legal and regulatory obligations that we must comply with;
• We may need it to establish, exercise or defend our legal rights or for the purposes of legal proceedings; or
• The use of your personal data as described is necessary for our legitimate business interests (or the legitimate interests of one or more of our affiliates) set out above.
We process your personal data for the following purposes and on the following legal bases:
If you would like a copy of our Legitimate Interests Assessment or further details about the specific legal basis for a particular processing activity, please contact dpo@due.network. Due Network SL maintains a Record of Processing Activities (RoPA) in accordance with Article 30 GDPR, detailing the processing activities carried out as controller. You may request further information about the specific processing activities that concern you by contacting the Data Protection Officer at dpo@due.network.
Brief summary of purposes and bases:
– KYC/AML and sanctions: legal obligation.
– Provision of services: contract.
– Fraud/security and resilience: legal obligation and/or legitimate interest (with balancing test).
– Marketing (where applicable): consent (with withdrawal/opt-out option).
– Authorities/litigation: legal obligation and/or claims.
We may use automated tools to detect fraud, manage risk and comply with anti-money laundering and counter-terrorist financing regulations (for example, risk scoring, rules/alerts and automated analysis). Unless otherwise indicated, these tools are used for support purposes and are subject to human review.
If, in any case, a decision is taken based solely on automated processing that produces legal effects or significantly affects you (for example, automatic rejection of registration), you will be informed, including meaningful information about the logic applied, the significance and the envisaged consequences, and you may request human intervention, express your point of view and contest the decision (art. 22 GDPR), in accordance with applicable law.
6.1 Profiling and automated decision-making (Article 22 GDPR)
We use automated tools to support regulatory compliance, including:
- Sanctions/politically exposed persons (PEP) screening against global watchlists using matching algorithms;
- Fraud detection through the analysis of transaction patterns, geolocation and user interaction data;
- Risk assessment for client onboarding based on identity verification confidence levels.
Logic: Rule-based algorithms and machine learning models trained on historical compliance data and regulatory watchlists.
Possible consequences: Account restrictions, transaction blocking or enhanced due diligence requirements. All automated alerts are subject to human review by qualified compliance personnel before any final decision is taken.
Solely automated decisions: Where a decision that produces legal effects or similarly significant effects (for example, automatic rejection of registration) is based solely on automated processing, you have the right, under Article 22(3) GDPR, to:
- Obtain human intervention;
- Express your point of view; and
- Contest the decision.
6.2 Cryptocurrencies, wallets and blockchains
The use of crypto-assets or wallets may involve the recording of certain transactions on public networks (blockchains). These networks are third-party networks and are not controlled by Due.
Consequently, certain data (such as public addresses, transaction hashes and associated metadata) may be public or subject to forensic analysis by third parties, and may be immutable (cannot be modified or deleted). We recommend that you bear these implications in mind before operating on public networks.
6.3 Security and operational resilience
We implement reasonable technical and organisational measures to protect data against loss, unauthorised access and disclosure. As part of our regulatory obligations, we may process data for incident detection, forensic investigation and notification to the relevant authorities in the event of security incidents. These activities are carried out in accordance with applicable regulations and with due regard to the protection of personal data. As an entity subject to Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), we may also process data relating to information and communication technology (ICT) incidents, including incident logs, data relating to critical third-party ICT service providers and information required for major incident reports under DORA (Articles 9, 17 and 19 of the DORA Regulation). Such processing is carried out on the basis of Article 6(1)(c) GDPR (compliance with a legal obligation) and is subject to the security and proportionality measures set out in the DORA Regulation itself.
6.4 Other compatible purposes
We may process your personal data for other purposes compatible with those mentioned above, applying the compatibility test established in Article 6(4) GDPR, taking into account factors such as the relationship between the original purpose and the new one, the context in which the data was collected and the possible risks to your rights and freedoms. We will document the applicable legal basis (including legitimate interest assessments, where applicable). If the new purpose is incompatible with the original purpose for which your data was collected, we will inform you proactively and, where necessary, obtain your consent before initiating such processing.
7. Age restrictions
Our services are not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If you believe we have collected a minor's data by mistake, please contact dpo@due.network immediately and we will delete that information.
8. Disclosure of your information to third parties
We will take the necessary steps to ensure that only those of our employees who need access to personal data for the purposes described in this notice have such access.
Your data may be disclosed, as applicable, to the following categories of recipients:
• Public authorities and supervisory bodies (including FIUs, law enforcement authorities and tax authorities) where required by law or necessary for the prevention or detection of criminal activity.
• The National Competent Authorities (NCAs) for crypto-asset services, the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA), where required by the MiCA Regulation for the purposes of authorisation, supervision or enforcement;
• Compliance and KYC/KYB service providers, sanctions screening providers and risk data providers (acting as processors).
• Banking partners, payment partners and other financial service providers acting as processors or joint controllers.
• IT, web hosting, cloud and data storage service providers (acting as processors).
• External auditors, legal advisers and forensic auditors where necessary for audit or investigation purposes.
• Buyers or prospective buyers of the business in the event of a sale or corporate restructuring.
• In all cases, recipients will be contractually obliged to process the data in accordance with this notice and not to use it for any other purpose.
Clarification of roles: Some recipients (for example, certain banking/payment partners) may act as independent controllers for their own regulatory purposes.
Processors and sub-processors
We work with service providers that act as processors (for example, KYC/IDV providers, banking partners, web hosting services, cloud services and verification providers). All processors are subject to contracts that include appropriate safeguards (including standard contractual clauses) and security obligations.
9. Transfers of personal data outside the European Economic Area ("EEA") and the United Kingdom.
The personal data we collect may be transferred to and stored at a destination outside the EEA/UK. It may also be processed by staff operating outside the EEA/UK who work for our affiliates or for one of our suppliers.
Personal data is mainly stored and processed within the European Economic Area (EEA) and the United Kingdom. However, due to the group's international structure and/or specific operational or supplier needs (for example, support, regulatory compliance or resilience), transfers outside the EEA/UK may take place in specific cases.
When we transfer your personal data outside the EEA/UK, we will ensure that it is protected in a manner consistent with the way we protect it within the EEA/UK. The safeguards applied vary depending on the destination jurisdiction:
• United Kingdom: recognised as an adequate destination by the European Commission (Adequacy Decisions 2021/1772 and 2021/1773). For onward transfers originating in the United Kingdom, we apply the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs, as applicable;
• Argentina: recognised as an adequate country by the European Commission. In addition, we apply standard contractual clauses as a complementary measure;
• Canada: benefits from a partial adequacy decision by the European Commission (private sector under PIPEDA), currently under review. For transfers to Due Payments Inc. we use standard contractual clauses (SCCs) approved by the European Commission;
• United States (Due Technologies Inc.): there is no general adequacy decision. Transfers are carried out on the basis of standard contractual clauses (SCCs) approved by the European Commission, supplemented by technical and organisational measures following a transfer impact assessment (TIA);
• Intra-group transfers: may be based on binding corporate rules (BCRs) where applicable.
• Other jurisdictions: the recipient has signed a contract based on standard contractual clauses approved by the European Commission or the UK Government (as applicable), supplemented by such additional measures as are necessary following a transfer risk assessment.
In other circumstances, the law may permit us to transfer your personal data outside the EEA/UK. However, in all cases, we will ensure that any transfer of your personal data complies with data protection law.
For more information about the protection afforded to your personal data when it is transferred outside the EEA/UK (including a copy of the standard data protection clauses we have entered into with the recipients of your personal data), please contact us in accordance with the "Contact us" section below.
For transfers from the EEA/UK, we may use, where appropriate, the European Commission's Standard Contractual Clauses (SCCs) and, for the UK, the ICO's IDTA or the UK Addendum to the SCCs, together with supplementary measures where appropriate following the transfer risk assessment.
10. Retention of personal data
The length of time we retain your personal data will vary. The retention period will be determined according to several criteria, including:
• the purpose for which we are using it: we will need to retain the data for as long as is necessary for that purpose; and
• Legal obligations: laws or regulations may set a minimum period during which we must retain your personal data.
• Retention requirements may vary by jurisdiction; for example, some countries require personal data to be retained for longer periods under local law.
Indicative retention periods (subject to applicable legal and regulatory requirements):
- KYC/AML records and due diligence evidence: 10 years from the end of the business relationship or the execution of an occasional transaction, in accordance with Article 25 of Law 10/2010 on the Prevention of Money Laundering and Terrorist Financing. This includes identification documents, video identification recordings, beneficial ownership information, risk assessments and due diligence documentation.
- Transactional and accounting records: retained in accordance with applicable legal obligations, including anti-money laundering and counter-terrorist financing requirements (10 years under Organic Law 10/2010) and commercial and accounting obligations (generally 6 years under the Spanish Commercial Code). Data will be retained for the period required by the applicable regulations in each case. This may include transaction details, amounts, currencies, counterparties, payment methods, blockchain transaction hashes and TFR-related data.
- Security and anti-fraud records: retained for a limited period based on proportionality and security needs (generally up to 2 years), unless they are required for longer periods in connection with money laundering investigations, suspicious activity reports or legal obligations.
- Claims and litigation: retained for the applicable limitation period (generally 5 years under Spanish civil law, unless extended by specific regulations) and until the final resolution of the matter.
Once the applicable retention periods have elapsed, personal data will be securely deleted or irreversibly anonymised in accordance with our data retention and destruction procedures. Anonymised data may be retained for statistical or research purposes, provided that it is not possible to re-identify users.
11. Your rights
You have a number of legal rights in relation to the personal data we hold about you. These rights include:
• the right to obtain information about the processing of your personal data and to access the personal data we hold about you;
• the right to withdraw your consent at any time; this will not affect the lawfulness of processing based on consent before its withdrawal, nor will it prevent us from continuing to process data where another valid legal basis other than consent exists.
• the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, and to obtain human intervention, express your point of view and contest the decision;
• In certain circumstances, you have the right to receive certain personal data in a structured, commonly used and machine-readable format, and/or to request that we transmit that data to a third party where technically feasible. Please note that this right only applies to the personal data you have provided to us and, in addition, only where the processing is based on consent or a contract; it does not apply to processing based on a legal obligation, which covers most of the processing carried out in the B2B context;
• the right to request that we rectify your personal data if it is inaccurate or incomplete;
• You have the right to request that we delete your personal data in certain circumstances. Please note that there may be cases in which you request the deletion of your personal data but we have the legal right to retain it.
• the right to object and the right to request that we restrict the processing of your personal data in certain circumstances. Again, there may be circumstances in which you object or request that we restrict the processing of your personal data, but we have the legal right to continue processing your personal data and/or to refuse such a request; and
• The right to lodge a complaint with the data protection authority (whose details are provided below) if you consider that we have infringed any of your rights.
You may exercise your data protection rights by contacting our Data Protection Officer (DPO), formally appointed and registered with the Spanish Data Protection Agency (AEPD), through the following channels:
Email: dpo@due.network (recommended for a faster response)
Postal address:
Data Protection Officer
Due Network SL
Paseo de la Castellana 257, torre Sur, 1ª
28046 Madrid, Spain
To help us process your request efficiently, please include your name, contact details, the right you wish to exercise and any information that may help us identify your data.
We may ask you for additional information to verify your identity where necessary, in accordance with Article 12(6) GDPR.
We will respond to your request without undue delay and, in any event, within one month of receipt. This period may be extended by up to two further months if necessary, taking into account the complexity and number of requests.
As a general rule, the exercise of your rights is free of charge. However, in accordance with Article 12(5) GDPR, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.
If you consider that your rights have not been adequately addressed, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) (www.aepd.es), C/ Jorge Juan, 6, 28001 Madrid.
Customer complaints and claims (applicable to institutional clients B2B). In accordance with applicable Spanish financial regulations, any complaint, incident or claim submitted will receive an acknowledgement of receipt with a unique reference number. For data protection rights requests we will respond within the time limits of Article 12 GDPR; for financial services complaints under applicable Spanish regulations we will provide a reasoned resolution within two months of receipt (or within 15 business days for payment-related incidents under PSD2, where applicable).
You can consult the list of EU national data protection authorities on the website of the European Data Protection Board (https://edpb.europa.eu).
You may exercise your rights by contacting us using the contact details in the "Contact us" section below.
For more information about your rights, you may contact the data protection supervisory authority in your jurisdiction:
In the United Kingdom, the data protection supervisory authority is the Information Commissioner's Office ("ICO").
Supervisory authority in Spain: Spanish Data Protection Agency (AEPD).
How we handle requests: We may request reasonable additional information to verify your identity and protect your data; we will respond within the applicable legal time limits.
12. Contact us
If you would like more information about the collection, use, disclosure, transfer or processing of your personal data, or about exercising any of the rights mentioned above, please direct your questions, comments and requests to dpo@due.network.
We may update this notice periodically. Where changes are substantial, we will notify you by appropriate means (for example, by email or by a notification in the dashboard/portal, if any). The date of the last update appears at the beginning of the notice.