
Business Privacy Notice

Last updated: Apr 24, 2026

1. Entities of the DUE group

“Due Network”, “we”, “us” and “our” means:

• Due Ltd, registered in the United Kingdom (“UK”), with registered office at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ, and company registration number 14369984;

• Due Payments EOOD, registered in Bulgaria, with registration number 207457701 and registered office at Hubcha Street, No. 8, 2nd floor, apt. A-1, Krasno Selo, Sofia 1618, Bulgaria;

• Due Network, SL, registered in Spain, with registered office at Paseo de la Castellana 91, 4th floor, 1st office, Madrid 28046, and commercial registration number 16407272;

• Due Payments Inc., registered in Canada (registration no. 1000864948), with its registered office at 80 Birmingham Street, Unit C6, Etobicoke (Ontario) M8V 3W6, Canada;

• Due Technologies Inc., registered in the state of Delaware (USA), with registered office at 169 Madison Avenue, Suite 11441, New York, NY 10016, USA; and/or

• Due Network Argentina SRL, registered in Argentina, with registered office at Tucumán 1, 4th floor, CP1049, Autonomous City of Buenos Aires, Argentina, and commercial registration number 2024182.

We are committed to respecting your privacy.

2. About this privacy notice

For the purposes of data protection regulations, we act as the data controller of your personal data. We are responsible for ensuring that the processing of your data complies with applicable data protection legislation.

This privacy notice applies if you are a representative, director, authorised signatory, or shareholder of one of our institutional clients. It sets out the basis on which any personal data about you that you provide to us, that we generate internally, or that we obtain from third-party sources will be processed by us. Please read and understand this notice carefully.

This notice also applies, where appropriate, to authorised users, signatories, proxies, contact persons, and ultimate beneficial owners (UBOs) of the company.

This notice does not apply to job applicants or consumer end users (B2C), who are governed by specific notices (where they exist).

3. Data controller responsibilities and intragroup roles

The entity within the Due group that acts as the data controller will depend on the entity with which your company contracts and/or the entity providing the service, subject to applicable regulatory obligations.
As a general rule, the entity that signs the contract with your company will act as the data controller for processing activities related to the contractual relationship (onboarding, service delivery, support, and billing).

In certain circumstances, other entities within the group may act as independent controllers for specific processing activities (for example, due to their own regulatory obligations or for the technical provision of the service).

When two or more entities jointly determine the purposes and means of processing, they may act as joint controllers (Art. 26 GDPR). In that case, the essence of the joint controller arrangement will be made available to you and may be requested at any time from our Data Protection Officer at dpo@due.network.

4. Legal basis

We process your personal data on the following legal bases, as applicable:

• Compliance with a legal obligation: when processing is necessary to comply with applicable legal obligations (e.g., AML/CFT obligations under Law 10/2010, record keeping, reporting to authorities, and obligations imposed under Regulation (EU) 2023/1114 (MiCA)).

• Performance of a contract: when the processing is necessary to perform a contract with the customer or to take pre-contractual steps at the customer's request.

• Legitimate interests: when the processing is based on the legitimate interests of the group (for example, fraud detection and prevention, risk management, cybersecurity), provided that these interests do not override your fundamental rights. We can describe these interests and the result of the balancing assessment upon request.

• Consent: we will only process your personal data on this basis where we have expressly requested and obtained your consent for specific purposes (for example, marketing communications). You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

• Data relating to criminal convictions or offences: where we process personal data relating to criminal convictions or offences, such processing is carried out in accordance with Article 10 GDPR and Article 6(1)(c) GDPR (legal obligation). This processing is strictly necessary for compliance with applicable AML/CFT obligations under Law 10/2010 of 28 April, as amended by Royal Decree-Law 7/2021, and is limited to what is necessary for those purposes.

As a Crypto-Asset Service Provider (CASP) authorised under Regulation (EU) 2023/1114 (MiCA), we process personal data to fulfil the regulatory obligations that MiCA imposes on us, including custody and administration of crypto-assets, transaction monitoring, and prevention of market abuse. This processing does not constitute an autonomous legal basis: it falls within Article 6(1)(c) GDPR (compliance with a legal obligation), with MiCA being the sectoral regulation that gives rise to that obligation.

When processing is based on legitimate interests, you may object at any time on grounds relating to your particular situation. In particular, where processing is for direct marketing purposes, you have the right to object at any time without giving a reason, with immediate effect.

5. Personal data that we collect about you

We will collect and process the following personal data about you:

Information that you provide directly to us or to one of our affiliates when completing forms, going through the onboarding process, or communicating with us, whether in person, by phone, email, or other means. This information may include:

  • trade name of the organisation you represent and the sector in which it operates;
  • contact details, including postal address, email address and telephone number;
  • registered office address;
  • date of incorporation.

We will also collect and process the following personal data about the directors, officers, authorised signatories, and Ultimate Beneficial Owners (UBOs) of your organisation:

  • full name;
  • nationality;
  • country of residence;
  • date of birth;
  • place of birth;
  • identity document number;
  • identity document expiry date;
  • photograph (selfie or identity document image);
  • facial biometric data/attributes extracted from selfie/video for liveness verification and face matching, and for duplicate detection (biometric search), where applicable. The processing of biometric data constitutes special category data under Article 9(1) GDPR. The applicable legal basis is Article 9(2)(g) GDPR (processing necessary for reasons of substantial public interest, specifically the prevention of money laundering and terrorist financing, as laid down in applicable AML/CFT legislation including Law 10/2010), in conjunction with Article 9(2)(b) GDPR where applicable, and Article 9 of Organic Law 3/2018 (LOPDGDD) for processing carried out in Spain. Processing is strictly limited to what is necessary for identity verification, fraud prevention and AML/CFT compliance;
  • video identification: The video identification process, including reliable proof of date and time, is recorded and stored for 10 years in digital format as required by Article 25 of Law 10/2010.

The legal basis for the retention of video identification recordings is compliance with a legal obligation under Spanish AML law (Article 25, Law 10/2010).

Prior to starting the recording, you will be requested to provide technical consent through a clear affirmative action to proceed with the video identification procedure, separate from other terms and conditions. This recording is strictly necessary for AML/CFT compliance and SEPBLAC authorization requirements.

Information we obtain from other sources, including:

Information provided by third parties for KYC/KYB to carry out background checks (e.g., sanctions, etc.).

In addition, when necessary to provide the service, comply with regulatory obligations, or protect security, we may process additional categories (as applicable), such as:

– identification/verification data: type and number of identity document, issue/expiry date, nationality, proof of address, position/role, and powers of representation;

– corporate and beneficial ownership data: ownership/control structure, UBOs, and corporate documentation;

– compliance and risk data: PEP status, sanctions screening results, and, where applicable, public/adverse media sources;

– operational and security data: access logs, IP addresses, technical identifiers, and security events, necessary to prevent fraud and investigate incidents.

Mandatory/Voluntary: Certain data is mandatory to comply with AML/CFT obligations and/or to execute the contract. Failure to provide this data may prevent us from completing your company registration, providing the service, or processing transactions.

As part of our AML/CFT and sanctions checks, we may process information relating to criminal convictions or offenses. This processing is necessary for compliance with applicable law and for fulfilling our legal obligations as an AML-regulated entity. Where required by local law, we will rely on the legal grounds provided for in that law for processing this data. For more information, please contact dpo@due.network.

Safeguards (Art. 10 GDPR): We limit access to authorized personnel under a duty of confidentiality, and we apply access and registration controls and data minimization.

6. Uses of your personal data

Your personal data may be stored and processed by us in the following ways and for the following purposes:

• To communicate with you;

• To ensure that our customers are eligible to use our services, which includes:

  • verifying that the client and the UBOs (ultimate/beneficial owners), authorized users and contact persons are who they claim to be;
  • ensuring that the client has sufficient funds to complete the transaction; and
  • conducting background checks (e.g., in relation to fraud, sanctions, crimes, etc.).

We are authorised to use your personal data in these ways because:

• we have legal and regulatory obligations that we must fulfil;

• we may need it to establish, exercise or defend our legal rights or for the purposes of legal proceedings; or

• the use of your personal data as described is necessary for our legitimate business interests (or the legitimate interests of one or more of our affiliates) as set out above.

We process your personal data for the following purposes and on the following legal bases:

• Identity verification and KYC/KYB (including sanctions, beneficial ownership, and identity document checks): legal obligation (AML/CFT legislation and sanctions regulations). These checks may be carried out by specialised providers.

• Transaction monitoring, wallet analysis and fraud prevention (including automated analysis): legal obligation (AML/CFT) and, where applicable, legitimate interests (fraud detection and prevention). A Legitimate Interests Assessment has been conducted and is available upon request.

• Contract execution (registration, payment processing, customer service): contract.

• Marketing communications (if applicable): consent — we will request your consent before using your personal data for direct marketing. Where legally applicable, certain B2B communications may rely on legitimate interests, provided an opt-out mechanism is always offered.

• Legal claims and compliance with requests from regulators or authorities: legal obligation / to establish, exercise or defend legal claims.

If you would like a copy of our Legitimate Interests Assessment or more details on the specific legal basis for a particular processing activity, please contact dpo@due.network. Due Network S.L. maintains a Record of Processing Activities (RoPA) in accordance with Article 30 GDPR, which documents in detail the processing activities carried out as data controllers. You may request further information about specific processing activities by contacting the Data Protection Officer at dpo@due.network.

Brief summary of aims and bases:

– KYC/KYB/AML and sanctions: legal obligation.

– Provision of the service: contract.

– Fraud prevention/security/DORA resilience: legal obligation and/or legitimate interest (with a balancing assessment).

– Marketing (if applicable): consent (and opt-out where appropriate for legitimate interest).

– Authorities/litigation: legal obligation and/or claims.

6.1 Automated decisions and profiling (Art. 22 GDPR)

We use automated tools to support regulatory compliance, including:

  1. Sanctions/PEP screening against global watchlists using matching algorithms;
  2. Fraud detection analysing transaction patterns, geolocation, and user interaction data;
  3. Risk scoring for customer onboarding based on identity verification confidence levels.

Logic: Rule-based algorithms and machine learning models trained on historical compliance data and regulatory watchlists.

Possible consequences: Account restrictions, transaction blocking, or enhanced due diligence requirements. All automated alerts are subject to human review by qualified compliance personnel before any final decision is taken.

Solely automated decisions: Where a decision producing legal effects or similarly significant effects (e.g., automatic registration rejection) is based solely on automated processing, you have the right under Article 22(3) GDPR to:

  1. Obtain human intervention;
  2. Express your point of view; and
  3. Contest the decision.

6.2 Cryptocurrencies, wallets and blockchains

Your use of crypto assets and/or wallets may result in certain transactions being recorded on public networks (blockchains). These networks are third-party and not controlled by Due.
Consequently, certain data (e.g., public addresses, transaction hashes, and associated metadata) may be public or subject to forensic analysis by third parties, and may be immutable (cannot be modified or deleted). We recommend that you consider these implications before operating on public networks.

6.3 Security and operational resilience

We implement reasonable technical and organisational measures to protect data against loss, unauthorised access, and disclosure. As part of our regulatory obligations, we may process data for incident detection, forensic investigations, and notification to competent authorities in the event of security incidents. These activities are carried out in accordance with applicable regulations and with due regard for the protection of personal data.

As an entity subject to Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), we may also process data relating to ICT incidents, including incident logs, data concerning critical third-party ICT service providers, and information required for major incident reports under DORA (Arts. 9, 17 and 19). Such processing is carried out on the basis of Article 6(1)(c) GDPR (compliance with a legal obligation) and is subject to the security and proportionality measures set out in the DORA Regulation. We maintain comprehensive ICT risk management frameworks, incident reporting protocols to competent authorities, and resilience testing programmes.

6.4 Other compatible purposes

We may process your personal data for other purposes compatible with those set out above, applying the compatibility test set out in Article 6(4) GDPR, taking into account factors such as the link between the original and the new purpose, the context in which the data were collected, and the possible risks to your rights and freedoms. We will document the applicable legal basis (including Legitimate Interest Assessments where relevant). If the new purpose is materially different from the original purpose for which your data were collected, we will inform you proactively and, where required, obtain your consent before commencing such processing.

7. Disclosure of your information to third parties

We will take steps to ensure that personal data is only accessible to those employees who need to access it for the purposes described in this notice.

Your data may be disclosed, as appropriate, to the following categories of recipients:

• Public authorities and supervisory bodies (including FIUs, law enforcement agencies and tax authorities), when required by law or necessary for the prevention or detection of criminal activity;

• National Competent Authorities (NCAs) for crypto-asset services, the European Securities and Markets Authority (ESMA), and the European Banking Authority (EBA), when required under MiCA for authorization, supervision, or enforcement purposes;

• compliance and KYC/KYB service providers, sanctions verification providers and risk data providers (acting as data processors);

• IT service providers, hosting, cloud and data storage (acting as data processors);

• external auditors, legal advisors and forensic auditors, when necessary for audit or investigation purposes;

• buyers or potential buyers of the business in the event of a sale or corporate restructuring;

• banking partners and payment service providers (including clearing banks, acquiring banks, card processors, payment gateways and payroll/payment facilitators), for the purpose of executing, clearing and settling transactions and performing related compliance checks.

In all cases, recipients will be contractually obligated to process the data in accordance with this notice and not use it for other purposes.

Sub-processors: where applicable, we will maintain contracts containing appropriate safeguards and governance arrangements for sub-processors.

7.1 Data processors, controllers and sub-processors

We work with service providers who may act as data processors (processing personal data on our behalf, for example, payment processors, KYC/IDV providers, hosting/cloud providers) or as independent controllers (for example, banking partners processing data for their own regulatory purposes). All processors and sub-processors are bound by contracts containing appropriate safeguards (including standard contractual clauses where necessary) and security obligations. When a partner acts as an independent controller, we will inform you about the processing they carry out and the corresponding legal basis, providing contact details or a link to their privacy information where possible.

8. Transfers of personal data outside the European Economic Area (“EEA”) and the United Kingdom

The personal data we collect may be transferred to and stored outside the EEA/UK. It may also be processed by staff operating outside the EEA/UK who work for our subsidiaries or suppliers.

Personal data is primarily hosted and processed within the EEA and the UK. However, due to the group's international structure and/or the use of certain providers or operational needs (e.g., support, regulatory compliance, or resilience), personal data may be transferred to and stored outside the EEA/UK in certain cases.

When we transfer personal data outside the EEA/UK, we will ensure that it is protected in a manner consistent with the level of protection applicable in the EEA/UK, by, for example:

• the transfer to a country approved by the European Commission or the UK Government, as appropriate;

• the recipient's adherence to binding corporate rules (only for intragroup transfers); or

• the signing of contracts based on standard contractual clauses approved by the European Commission or the UK Government, as appropriate.

The safeguards applied vary by destination jurisdiction. In particular: the United Kingdom is recognised as an adequate destination by the European Commission (Adequacy Decisions 2021/1772 and 2021/1773); Argentina benefits from a European Commission adequacy decision, supplemented by standard contractual clauses as an additional measure; transfers to Due Payments Inc. (Canada) are carried out using Standard Contractual Clauses (SCCs) approved by the European Commission, given that Canada's adequacy decision is currently under review; transfers to Due Technologies Inc. (United States) are carried out on the basis of SCCs, supplemented by technical and organisational measures following a Transfer Impact Assessment (TIA).

In other cases, the law may permit transfers outside the EEA/UK. In all cases, we will ensure that any transfer complies with data protection regulations.

You can obtain further information about the safeguards applicable to such transfers (including a copy of the standard contractual clauses) by contacting us in accordance with the “11. Contact” section below.

For transfers from the EEA/UK we may use, where appropriate, the European Commission's SCCs and, for the UK, the ICO's IDTA or the UK Addendum to the SCCs, together with supplementary measures where appropriate following the risk assessment of the transfer.

For all transfers outside the EEA/UK, we conduct Transfer Impact Assessments (TIA) evaluating the data protection regime of the destination country and the specific risks to personal data. Where necessary, we implement supplementary technical measures (pseudonymisation, encryption) in addition to contractual safeguards.

9. Retention of personal data

The retention period for your personal data will depend on the purpose of the processing and applicable legal obligations. These criteria include:

• the purpose for which the data is used, keeping it only for as long as necessary for that purpose; and

• legal obligations, as laws or regulations may establish a minimum retention period.

Retention requirements may vary by jurisdiction; for example, some countries require longer retention periods in accordance with local legislation.

Indicative retention periods (subject to applicable legal requirements):

  • KYC/KYB/AML and due diligence evidence: 10 years from the termination of the business relationship or occasional transaction completion, as required by Article 25 of Law 10/2010.
  • Transactional/accounting records: 10 years from the transaction date (AML/CFT obligations under Law 10/2010, prevailing over Commercial Code requirements).
  • Video identification recordings: 10 years from the verification date, per Article 25 of Law 10/2010.
  • Security and anti-fraud logs: retained for a limited period based on proportionality and security needs (generally up to 2 years), unless required for longer periods in connection with AML investigations, suspicious activity reporting, or legal obligations.
  • Claims and litigation: retained for the duration of the applicable statute of limitations (generally 5 years under Spanish civil law, unless extended by specific regulations), and until the final resolution of the matter.

10. Your rights

You have a number of legal rights in relation to the personal data we process about you, including:

• the right to obtain information about the processing of your personal data and to access such data;

• the right to withdraw your consent at any time; this will not affect the lawfulness of processing based on consent before its withdrawal, nor will it prevent us from continuing to process data where there is another valid legal basis other than consent;

• the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, and to

  1. obtain human intervention;
  2. express your point of view; and
  3. contest the decision.

• in certain circumstances, the right to receive certain personal data in a structured, commonly used and machine-readable format and/or to request its transmission to a third party where technically feasible. Please note that this right only applies to data that you have provided to us, and only where the processing is based on consent or on a contract — it does not apply to processing based on legal obligation, which covers the majority of processing carried out in the B2B context;

• the right to request the rectification of inaccurate or incomplete data;

• the right to request the deletion of your personal data in certain circumstances, without prejudice to our legal obligation to retain it;

• the right to object to the processing and to request its limitation in certain circumstances; and

• the right to lodge a complaint with the competent data protection authority if you believe that we have violated your rights.

You can exercise your rights by contacting us in accordance with the “11. Contact” section below.

You can find out more about your rights by contacting the data protection supervisory authority in your jurisdiction. A list of national data protection authorities in the EU is available on the European Data Protection Board website (https://edpb.europa.eu).

In the UK, the supervisory authority is the Information Commissioner's Office (ICO), which can be contacted at https://ico.org.uk.

Supervisory authority in Spain: Spanish Data Protection Agency (AEPD).

How we will handle requests: we may request reasonable additional information to verify your identity and protect your data; we will respond within applicable legal timeframes.

Customer complaints and claims:

In accordance with applicable Spanish financial regulations, any complaint, incident, or claim submitted will receive an acknowledgement with a unique reference number.

For data protection rights requests, we will respond within the timeframes set out in Article 12 GDPR: within one month of receipt, extendable by a further two months where necessary given the complexity and volume of requests. For financial service complaints under applicable Spanish regulations, we will provide a reasoned resolution within two months of receipt (or within 15 business days for payment-related incidents under PSD2, where applicable).

11. Contact

If you would like more information about the collection, use, disclosure, transfer or processing of your personal data, or about exercising any of the above rights, please contact our Data Protection Officer (DPO), formally designated and registered with the Spanish Data Protection Authority (AEPD):

Email: dpo@due.network (recommended for a faster response)

Postal address:

Data Protection Officer

Due Network S.L.

Paseo de la Castellana 91, 4º 1ª

28046 Madrid, Spain

We may update this notice periodically. When changes are material, we will notify you through reasonable means (for example, by email to corporate contacts or by posting a notification on the dashboard/portal, if one exists). The date of the last update appears at the beginning of the notice.

© Due Ltd 2026
Due Ltd is registered in England and Wales (company number 14369984). Due Ltd is a technology services provider, not a bank.

Cryptocurrency-related services provided by Due Payments EOOD and its partner(s). Due Payments EOOD (UIC 207457701) is registered as a virtual assets service provider with the National Revenue Agency of Bulgaria.

Due Payments Inc. (reg. number 1000864948) is a company incorporated in Ontario, Canada. Due Payments Inc. is registered and regulated by Financial Transactions and Report Analysis Centre (FINTRAC), Canada as a Money Service Business. MSB registration number: C100000185.

Due Network, S.L. (CIF B16407272) is a company incorporated in Spain and registered as a virtual assets service provider with the Bank of Spain. Due Technologies Inc. is registered in the United States in the State of Delaware. Due Technologies Inc. partners with licensed financial institutions and is a technology services provider, not a bank.

Due Tecnologia Brasil Ltda. is a private limited liability company registered and incorporated under the Laws of Brazil.