Privacy Policy
Last Updated: April 29, 2026 | Version: 2.0
Your money, your life — that principle shapes how we handle your personal data.
Questions? privacy@cardsflow.net
We collect as little as possible. We store only what we need. We never sell your data. Ever.
1. DATA CONTROLLER
The organisation responsible for your personal data is:
- Name: CardsFlow
- Address: [Full Registered Address]
- Email: privacy@cardsflow.net
2. DATA PROTECTION OFFICER
Contact our DPO directly for any data protection concern relating to your personal data.
- DPO Email: dpo@cardsflow.net
3. DATA WE COLLECT
We apply data minimisation throughout. The table below lists every category of personal data we collect, where it comes from, and why we need it.
| Category | What It Includes | Source |
|---|---|---|
| Identity data | Name, date of birth, nationality | You provide at signup |
| Contact data | Email, postal address, phone number | You provide at signup |
| Eligibility token | A ZK cryptographic proof of eligibility. No documents. No biometrics. No raw data. | Generated by verification partner |
| Financial data | E-Money balance, transaction history, tokenised card references. We never store raw card numbers. | Generated through use of Service |
| Technical data | IP address, browser type, device type, operating system, session data | Automatically collected |
| Usage data | Pages visited, session duration. Aggregate counts only. Not linked to you. | Simple Analytics (cookieless) |
| Communications data | Emails and support messages sent to us | You send to us |
4. PURPOSES AND LEGAL BASES
We process your data only for the purposes listed below. We have a legal basis for every activity.
| Purpose | Legal Basis |
|---|---|
| Create and manage your Account | Contract (Art. 6(1)(b) UK GDPR) |
| Verify eligibility via ZK proofs | Legal obligation (Art. 6(1)(c) UK GDPR) |
| Issue and manage Cards | Contract (Art. 6(1)(b) UK GDPR) |
| Process Transactions via NowPayments | Contract (Art. 6(1)(b) UK GDPR) |
| Detect and prevent fraud | Legitimate interests (Art. 6(1)(f) UK GDPR) |
| AML compliance via NowPayments | Legal obligation (Art. 6(1)(c) UK GDPR) |
| Platform analytics — Simple Analytics (aggregate, anonymous only) | Legitimate interests (Art. 6(1)(f)). No personal data processed. |
| Respond to support queries | Contract and legitimate interests |
| Send transactional emails | Contract (Art. 6(1)(b) UK GDPR) |
| Send marketing emails | Consent (Art. 6(1)(a)) — withdraw anytime |
We will never sell your personal data, share it for third-party advertising, or use it for purposes beyond those listed above without telling you first.
5. THIRD-PARTY PROCESSORS
We share data only where necessary, with processors bound by data processing agreements under UK GDPR.
| Processor | Purpose | Location |
|---|---|---|
| NowPayments (nowpayments.io) | Payment processing and transaction AML monitoring. Their AML programme applies. | EU / Global (SCCs in place) |
| Amazon Web Services (AWS) (aws.amazon.com) | Platform hosting and encrypted data storage | EU region |
| SendGrid (sendgrid.com) | Transactional email delivery | USA (SCCs in place) |
| Simple Analytics (simpleanalytics.com) | Privacy-first website analytics. No cookies. No personal data. Aggregate counts only. | EU (Netherlands). GDPR compliant by design. |
| Privacy-Preserving Verification Partner | ZK eligibility proofing. Returns only a cryptographic proof of eligibility. No raw identity data is shared. | N/A |
We do not use Google Analytics, Meta Pixel, Hotjar, Intercom, or any advertising network. No other third-party tools are used on cardsflow.net.
6. INTERNATIONAL DATA TRANSFERS
Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place including Standard Contractual Clauses (SCCs) approved by the UK ICO or European Commission, and adequacy decisions where applicable.
NowPayments processes transactions globally. Their international transfer safeguards are documented at nowpayments.io/privacy-policy. For details on safeguards for any specific transfer, email privacy@cardsflow.net.
7. RETENTION PERIODS
We hold your data only as long as legally required or operationally necessary.
| Data Category | Retention Period |
|---|---|
| Account and identity data | Duration of account + 6 years |
| Eligibility tokens (ZK proofs) | Duration of account + 5 years (ML Regulations 2017, Reg. 40) |
| Transaction records | Duration of account + 6 years (HMRC / Companies Act) |
| Support communications | 3 years from last interaction |
| Technical and log data | 13 months rolling |
| Marketing preferences | Until consent withdrawn or account closed |
| Analytics data | Not applicable — Simple Analytics stores no personal data |
After each retention period, data is securely deleted or irreversibly anonymised. We do not hold data longer than required.
8. YOUR RIGHTS
| Right | What It Means |
|---|---|
| Access | Request a copy of all personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete data. Update basic details in your Dashboard. |
| Erasure | Request deletion of your data where it is no longer necessary or where you withdraw consent. Note: we may retain legally required data (e.g., transaction records under AML law). |
| Restriction | Request that we pause processing of your data in certain circumstances. |
| Portability | Receive your data in a structured, machine-readable format (CSV or JSON) to transfer to another provider. |
| Objection | Object to processing based on legitimate interests. Absolute right to object to direct marketing at any time. |
| Withdraw Consent | Withdraw consent for marketing at any time via unsubscribe link or privacy@cardsflow.net. |
| Human Review | Request human review of any automated decision with significant legal effect on you. |
9. HOW TO EXERCISE YOUR RIGHTS
- Email: privacy@cardsflow.net
- Response time: Within 30 calendar days of receipt
- Fee: None in normal circumstances. We may ask you to confirm your identity before processing.
10. RIGHT TO LODGE A COMPLAINT
If you believe we have handled your personal data unlawfully, you have the right to contact the UK Information Commissioner's Office (ICO). We would appreciate the opportunity to address your concern first — please email privacy@cardsflow.net before contacting the ICO.
- ICO Website: ico.org.uk
- ICO Helpline: 0303 123 1113
- ICO Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
11. CHANGES TO THIS POLICY
We will update this Policy when our data practices change. Material changes will be notified by email at least 30 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision.