Data Protection Policy
Last updated: March 2025 • GDPR & CCPA Compliant
CardFi is committed to protecting your personal data. This policy explains how we collect, process, store, and protect your information in accordance with GDPR, CCPA, and applicable international data protection laws.
1. Data Controller
CardFi Technologies Inc. is the data controller responsible for your personal data. For data protection enquiries, contact our Data Protection Officer at dpo@cardfi.online.
2. Data We Collect
- Account Data: Name, email address, phone number, date of birth, nationality
- Identity Documents: Passport, national ID, driver's licence, proof of address (for KYC)
- Financial Data: USDT wallet addresses, transaction history, card spending data, balance information
- Technical Data: IP address, device type, browser type, operating system, session data
- Usage Data: Pages visited, features used, login timestamps, navigation patterns
- Communication Data: Support ticket content, email correspondence
3. Legal Basis for Processing
- Contract performance: Processing necessary to provide CardFi services to you
- Legal obligation: KYC/AML compliance, regulatory reporting, tax obligations
- Legitimate interests: Fraud prevention, security monitoring, service improvement
- Consent: Marketing communications (you may withdraw consent at any time)
4. How We Use Your Data
- Account creation and authentication
- Processing deposits, withdrawals, and card transactions
- KYC identity verification and ongoing compliance monitoring
- Fraud detection and prevention
- Customer support and dispute resolution
- Platform improvement and analytics
- Legal and regulatory compliance
- Sending transactional emails (receipts, alerts, OTP codes)
5. Data Storage and Security
CardFi employs industry-standard security measures to protect your data:
- AES-256 encryption for sensitive data at rest
- TLS 1.3 encryption for all data in transit
- Access controls: staff access is role-based and logged
- Regular security audits and penetration testing
- KYC documents stored in isolated, access-controlled environments
- Passwords stored as salted hashes (never in plain text)
6. Data Retention
- Account data: Retained for the duration of your account + 7 years after closure
- Transaction records: 7 years minimum (regulatory requirement)
- KYC documents: 5–7 years after account closure
- Support tickets: 3 years
- Technical/log data: 12 months
7. Data Sharing
We may share your data with:
- Card issuing partners: Required to issue and manage your virtual card
- KYC verification providers: For identity document verification
- Banking partners: For transaction processing
- Regulatory authorities: When legally required to do so
- Law enforcement: In response to valid legal orders
We never sell your personal data to third parties for commercial purposes.
8. International Data Transfers
Your data may be processed in countries outside your own. When transferring data internationally, we ensure adequate protections are in place through:
- Standard Contractual Clauses (SCCs) for EU data transfers
- Adequacy decisions where applicable
- Data Processing Agreements with all third-party processors
9. Your Rights
Under GDPR and applicable laws, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Portability: Receive your data in a portable format
- Restriction: Restrict how we process your data
- Objection: Object to processing based on legitimate interests
- Withdrawal of consent: Withdraw consent for marketing at any time
To exercise your rights, email dpo@cardfi.online. We will respond within 30 days.
10. Breach Notification
In the event of a personal data breach, CardFi will notify affected users and relevant supervisory authorities within 72 hours of becoming aware of the breach, in accordance with GDPR requirements.
11. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority. In the EU, this is your national Data Protection Authority.
12. Contact
Data Protection Officer: dpo@cardfi.online
General privacy queries: privacy@cardfi.online
© 2025 CardFi Technologies Inc. All Rights Reserved.