Cipago Data Protection Policy

Effective Date: 31st August, 2025

Cipago is committed to protecting personal data and privacy. This policy explains how we collect, process, share, protect, retain, and respond to requests concerning personal data in accordance with applicable laws (including NDPR, GDPR where applicable, and other local regulations).

1. Scope & Applicability

This policy applies to all personal data controlled or processed by Cipago Financial Technologies Ltd (“Cipago”, “we”, “us”, “our”), across all products and services including wallet services, fiat on/off ramps, virtual cards, merchant onboarding, KYC, analytics, and customer support. It applies to all employees, contractors, and third-party processors acting on our behalf.

2. Key Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data (collecting, storing, using, sharing).
  • Data Controller: Cipago (decides why and how personal data is processed).
  • Data Processor: Third party acting on Cipago’s behalf under contract (e.g., cloud provider).
  • Special Category Data: Sensitive personal data requiring extra protection (e.g., biometric data).

3. Legal Basis for Processing

We process personal data only where we have a lawful basis, which may include:

  • Performance of a contract (to provide Cipago services).
  • Compliance with legal obligations (AML/KYC, tax, reporting to regulators).
  • Legitimate interests (fraud prevention, service improvements) balanced against data subject rights.
  • Consent, where required (marketing communications, cookies).

4. Data We Collect

4.1 Personal Information

  • Full name, date of birth, national ID/passport, email, phone number, address.
  • Biometric data (only when explicitly collected for identity verification).

4.2 Financial & Transactional Data

  • Bank account numbers, card details (tokenized/stored by partners where applicable).
  • Crypto wallet addresses and on-chain transaction history required to provide services.
  • Transaction amounts, dates, merchant metadata, receipts.

4.3 Technical & Behavioural Data

  • IP addresses, device fingerprints, browser characteristics, log files.
  • Security logs, error reports, and analytics used to secure and improve our services.

4.4 Third-Party & Derived Data

  • Screening results (sanctions/PEP/negative media) from third-party providers.
  • Credit or identity verification data provided by partners under contract.

5. Purposes of Processing

  • Verify customer identity and perform KYC/AML checks.
  • Process and reconcile payments (fiat and crypto) and issue virtual cards.
  • Detect and prevent fraud, money laundering, and other financial crimes.
  • Provide, secure and improve Cipago services and user experience.
  • Communicate important account or regulatory information.
  • Perform analytics and reporting (in aggregate/anonymized form where possible).

6. Data Sharing & Disclosures

We will not sell personal data. We may share personal data in the following limited scenarios:

  • Regulatory & Law Enforcement: Disclosures to FIUs, tax authorities, regulators when required by law.
  • Service Providers: Cloud hosting, KYC/AML vendors, payment processors, card networks (under contracts that enforce confidentiality and security).
  • Banking & Card Partners: For fiat settlement, card issuance and reconciliation.
  • Blockchain Analytics: To support investigations and compliance (e.g., Chainalysis) where necessary.
  • Merger / Acquisition: In the event of a corporate reorganization, data may be transferred subject to confidentiality and legal safeguards.

All third-party processors are selected after due diligence and bound by written contracts that require appropriate safeguards, confidentiality, and processing only for specified purposes.

7. Security Measures

  • AES-256 encryption at rest and TLS 1.2/1.3 for data in transit.
  • Role-based access control (RBAC), least-privilege policies and multi-factor authentication for staff.
  • Secure key management and multi-signature custody for crypto assets where Cipago holds custody.
  • Network segmentation, vulnerability management and quarterly penetration testing.
  • Logging, monitoring, and incident response procedures; regular backups and disaster recovery plans.
  • Employee background checks and mandatory security & privacy training.

8. Data Retention

  • KYC records: retained for a minimum of 7 years after account closure (or longer if required by law).
  • Transaction records: retained for a minimum of 10 years for tax, audit and regulatory compliance.
  • Technical logs: retained for at least 2 years for security and fraud investigations.
  • Marketing data: retained until consent is withdrawn or as permitted by law.

Where possible, data is archived and pseudonymized to reduce privacy risk. Immutable on-chain records cannot be deleted, and we will limit linking on-chain data to personal identifiers except where necessary for compliance.

9. Data Subject Rights

Subject to applicable law and exemptions (e.g., AML/legal obligations), data subjects may exercise rights including:

  • Access personal data (Subject Access Request).
  • Rectify inaccurate or incomplete information.
  • Request erasure of non-essential data (Right to be forgotten), where lawful and feasible.
  • Request portability of personal data in a structured, machine-readable format.
  • Withdraw consent for marketing processing at any time.
  • Object to or restrict processing where applicable.

Requests may be submitted via [email protected]. We will authenticate requests and respond within statutory timeframes.

10. International Data Transfers

Personal data may be transferred to countries where Cipago or its processors operate. Such transfers are protected by appropriate safeguards (e.g., contractual clauses, adequacy decisions, and/or encryption). Transfers to providers in non-adequate jurisdictions require additional contractual safeguards and internal approvals.

11. Cookies & Tracking

We use cookies and similar technologies for essential functionality, security, analytics and (with consent) marketing. Users can manage cookie preferences through our consent banner or browser settings. Types used include:

  • Essential cookies (authentication, session management).
  • Analytics cookies (service usage and improvements).
  • Security cookies (CSRF tokens, fraud detection).

12. Special Category & Biometric Data

We minimize collection of special category data. Biometric data (e.g., facial recognition) is collected only with explicit consent and processed under stricter protections, retention limits, and additional security controls.

13. Third-Party Processors & Vendors

Third-party processors are selected using risk-based due diligence. Contracts require:

  • Processing only on our documented instructions.
  • Appropriate technical and organizational security measures.
  • Confidentiality obligations and subprocessor restrictions.
  • Data breach notification obligations and audit rights.

14. Monitoring, Audits & Reporting

Regular internal audits and periodic third-party assessments (security, privacy) are performed. We maintain records of processing activities and DPIAs for high-risk processing. Material privacy incidents are reported to regulators where required.

15. Incident Response & Breach Notification

Cipago maintains an incident response plan. On confirming a personal data breach, we:

  • Contain and mitigate the breach.
  • Assess the severity and impacted data.
  • Notify affected individuals and regulators as required by law and within statutory timeframes.
  • Document actions taken and remedial measures to prevent recurrence.

16. Training & Awareness

All relevant staff receive mandatory privacy and security training upon hiring and periodic refresher training. Training records are maintained and updated annually or when processes change.

17. Children & Age-Restricted Services

Cipago’s services are intended for users who meet the minimum legal age in their jurisdiction. We do not knowingly collect personal data from children under applicable age limits. If we become aware of such collection, we will take steps to remove the data.

18. Automated Decision Making

We use automated tools (e.g., fraud scoring, transaction monitoring) to support decisions. Where decisions have legal or similarly significant effects, we provide human review and the right to challenge or seek explanation in line with applicable law.

19. Policy Changes

Material changes to this policy will be communicated at least 30 days in advance via email, in-app notifications, and website notices. Non-material updates may be posted directly to the website with an updated effective date.

20. Contact & Data Protection Officer

Data Protection Officer:
[email protected]
Billpago Digital Integrated Limited.
For privacy inquiries, subject access requests, or complaints, contact the Legal Team. We aim to respond to verified requests in accordance with legal timeframes.