Privacy Policy

Last updated: 1 January 2025 · Version 1.0

This Privacy Policy applies to Arcap Partners Limited ("Arcap", "we", "us", "our") and describes how we process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection legislation.

Who We Are
What Data We Collect
How We Collect Data
Why We Use Your Data
Legal Basis for Processing
Who We Share Data With
International Transfers
Retention Periods
Security Measures
Your Rights
Cookies
Changes to This Policy
Contact Us

1. Who We Are

Arcap Partners Limited is the data controller in respect of personal data processed through the Platform and in connection with our services. We are responsible for deciding how and why personal data is processed.

Our registered address and contact details for data protection matters are set out in Section 13 below. We are registered with the Information Commissioner's Office (ICO) in the United Kingdom.

2. What Data We Collect

2.1 Business Representatives and Authorised Users

We collect personal data about individuals who are directors, officers, beneficial owners, authorised signatories, and day-to-day users of our Platform on behalf of corporate clients. This may include:

Full legal name and date of birth
Nationality and country of residence
Government-issued identity documents (passport, national ID card)
Proof of address documentation
Email address and telephone number
Role and relationship to the corporate entity
Source of funds and wealth information (where required for compliance)
PEP (Politically Exposed Person) and sanctions screening results
Login credentials (stored in hashed form) and access logs
IP address, device information, and browser type
Communication records including emails and support interactions

2.2 Corporate Client Data

We also process data relating to corporate entities, including:

Company name, registration number, and registered address
Corporate structure and ownership information
Trade and transaction data, including payment amounts, counterparties, and timestamps
Bank account details and wallet addresses
Financial statements and business information provided for KYB purposes

3. How We Collect Data

We collect personal data through the following means:

Directly from you: when you complete our onboarding application, submit documentation, use the Platform, or contact our team
From your employer or corporate client: when a company nominates you as an authorised user or beneficial owner
From third-party verification providers: including identity verification services, credit reference agencies, and sanctions screening databases
Automatically: through cookies and tracking technologies when you use our website or Platform
From public sources: such as company registries, regulatory databases, and publicly available records

4. Why We Use Your Data

We process personal data for the following purposes:

To onboard and verify clients and authorised users in compliance with KYB and AML obligations
To provide, operate, and improve the Platform and our services
To execute and settle transactions
To conduct ongoing monitoring of transactions and detect suspicious activity
To comply with legal and regulatory obligations, including reporting to authorities
To manage our relationship with clients, including support and communications
To investigate and resolve disputes or complaints
To protect the security and integrity of the Platform
To send service-related notices and updates
To analyse and improve our services (using anonymised or aggregated data where possible)

5. Legal Basis for Processing

We rely on the following legal bases under UK GDPR:

Contract (Article 6(1)(b)): processing necessary to perform our contract with the corporate client and to enable authorised users to use the Platform
Legal obligation (Article 6(1)(c)): processing required to comply with AML, KYB, sanctions, tax reporting, and other legal obligations
Legitimate interests (Article 6(1)(f)): processing for fraud prevention, security monitoring, business analytics, and improvement of our services, where your interests do not override ours
Consent (Article 6(1)(a)): where we rely on consent (e.g. for marketing communications), you may withdraw it at any time without affecting the lawfulness of prior processing

Where we process special category data (such as data revealing political opinions in the context of PEP screening), we rely on Article 9(2)(g) (substantial public interest) in conjunction with the Data Protection Act 2018, Schedule 1.

We share personal data with the following categories of recipients:

Licensed Partners: banks and payment service providers through whom services are delivered, as required to open accounts and process transactions
Identity verification providers: third-party KYB and AML screening services
Regulatory authorities: including financial intelligence units, tax authorities, and law enforcement agencies, where required by law
Technology service providers: cloud hosting, cybersecurity, and software providers acting as data processors under written agreements
Professional advisers: legal, compliance, and audit professionals under obligations of confidentiality
Business successors: in the event of a merger, acquisition, or sale of Arcap's business

We do not sell personal data to third parties for commercial purposes.

7. International Data Transfers

Given the nature of our operations across Latin America and Africa, personal data may be transferred to and processed in countries outside the UK and European Economic Area. Where such transfers occur, we ensure appropriate safeguards are in place, including:

UK International Data Transfer Agreements (IDTAs) or addenda
Standard Contractual Clauses approved by the relevant supervisory authority
Adequacy decisions by the UK Secretary of State or the European Commission
Binding Corporate Rules where applicable

You may request a copy of the relevant safeguards by contacting us at the address in Section 13.

8. Retention Periods

We retain personal data for as long as necessary to fulfil the purposes described in this Policy, subject to the following minimum retention periods:

KYB and identity documentation: 5 years from the end of the client relationship (or longer if required by applicable AML legislation)
Transaction records: 5 years from the date of the transaction
Communications and support records: 3 years from the date of the communication
Access and audit logs: 2 years
Legal claims: for the duration of any applicable limitation period

After the applicable retention period, data is securely deleted or anonymised.

9. Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

End-to-end encryption for data in transit and at rest
Multi-factor authentication for all Platform access
Role-based access controls limiting data access to authorised personnel only
Regular security assessments and penetration testing
Staff training on data protection and information security
Incident response procedures for data breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR.

10. Your Rights

Subject to applicable law and our compliance obligations, you have the following rights in respect of your personal data:

Access

Request a copy of the personal data we hold about you (Subject Access Request)

Rectification

Request correction of inaccurate or incomplete personal data

Erasure

Request deletion of your data where we no longer have a legal basis to process it

Restriction

Request that we restrict processing of your data in certain circumstances

Portability

Receive your data in a structured, machine-readable format where technically feasible

Objection

Object to processing based on legitimate interests or for direct marketing

Withdraw Consent

Withdraw consent at any time where processing is consent-based

Complain

Lodge a complaint with the ICO at ico.org.uk if you believe we have violated your rights

Please note that some rights are subject to limitations — for example, we may be required to retain certain data for AML compliance purposes even if you request erasure. To exercise any of your rights, please contact us using the details in Section 13.

11. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to improve your experience, analyse traffic, and ensure platform security. We use the following categories of cookies:

Strictly necessary: essential for the Platform to function. These cannot be disabled.
Functional: remember your preferences and settings.
Analytical: help us understand how visitors use the Platform, used in anonymised or aggregated form only.
Security: used for fraud prevention and access monitoring.

We do not use advertising or behavioural tracking cookies. You can manage cookie preferences through your browser settings. Please note that disabling certain cookies may affect Platform functionality.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the services we provide. Material changes will be notified to Clients by email and will be effective 14 days after notification unless you object. Your continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

13. Contact Us

For data protection enquiries, to exercise your rights, or to contact our Data Protection Officer, please write to:

Data Protection Officer
Arcap Partners Limited
Email: [email protected]

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113

Contents