
# Privacy Policy

*Effective Date: \[date]*

This Privacy Policy ("Policy") explains how CavaleroTech, operating as Bankly ("Bankly," "we," "us," or "our"), collects, uses, stores, shares, and protects your personal information when you access or use the Bankly mobile application, Telegram mini-app, website (bankly.cc), and related services (collectively, the "Platform"). This Policy also describes your rights regarding your personal data and how to exercise them.

This Policy applies to all users of the Platform globally. Additional jurisdiction-specific disclosures for users in the European Economic Area ("EEA"), United Kingdom, and California are set out in Sections 15, 16, and 17 respectively. Where those sections conflict with the general provisions of this Policy, the jurisdiction-specific section governs for users in that jurisdiction.

By accessing or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree, you must discontinue use of the Platform immediately.

***

### 1. KEY DEFINITIONS

As used in this Policy:

* "Biometric Data" means facial recognition data, liveness detection data, or other physiological identifiers collected during identity verification.
* "Blockchain Data" means wallet addresses, transaction hashes, and other information recorded on a public blockchain that is inherently public and immutable.
* "KYC Data" means identity documents, proof of address, selfies, Biometric Data, and other information collected for Know Your Customer and Anti-Money Laundering compliance purposes.
* "Personal Data" means any information relating to an identified or identifiable natural person, including name, email address, wallet address, IP address, KYC Data, and usage data.
* "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, transfer, or deletion.
* "Sensitive Personal Data" means data revealing racial or ethnic origin, political opinions, religious beliefs, health data, Biometric Data, or financial account details.
* "Third-Party Provider" means any external service provider, including our licensed Card Partner, KYC verification vendor (Sumsub), payment and crypto top-up processors, cloud infrastructure providers, and analytics services.

***

### 2. DATA CONTROLLER

The data controller responsible for your Personal Data is:

**CavaleroTech** \[CavaleroTech registered office — Dubai, United Arab Emirates]

Email: <privacy@bankly.cc>

Where Bankly acts as a data processor on behalf of a Third-Party Provider (for example, transmitting KYC data to the Card Partner for card issuance purposes), the relevant Third-Party Provider acts as the data controller for that processing activity. Please refer to the applicable Third-Party Provider's privacy policy for details.

***

### 3. INFORMATION WE COLLECT

#### 3.1 Information You Provide Directly

We collect the following categories of information that you provide when registering for or using the Platform:

| Category                         | Examples                                                                                                                                 | Purpose                                        |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------- |
| Identity & Registration Data     | Full legal name, date of birth, email address, username                                                                                  | Account creation, authentication               |
| KYC / Identity Verification Data | Government-issued ID (passport, national ID, driver's license), proof of address, selfie, liveness detection / Biometric Data            | AML/KYC compliance, Card Partner requirements  |
| Account & Wallet Data            | Crypto top-up wallet address(es), USD balance, transaction history, membership tier                                                      | Service delivery, compliance, fraud prevention |
| Payment & Card Data              | Card-related information processed through the Card Partner's PCI-DSS compliant infrastructure. Bankly does not store full card numbers. | Card issuance and transaction processing       |
| Communications Data              | Support requests, feedback, complaints, correspondence with Bankly                                                                       | Customer support, dispute resolution           |
| Referral & Loyalty Data          | Referral codes, XP balances, cashback records, membership status                                                                         | Loyalty program administration                 |

#### 3.2 Information Collected Automatically

When you access or use the Platform, we automatically collect:

* Device information: device type, operating system, app version, device identifiers;
* Network information: IP address (truncated or anonymized where required by applicable law), approximate geolocation derived from IP address;
* Usage data: session activity, features accessed, clicks, page views, time spent on Platform, crash logs, and error reports;
* Analytics data: aggregated and anonymized behavioral analytics;
* Cookie and tracking data: as described in Section 8 below.

#### 3.3 Blockchain and On-Chain Data

When you fund your Bankly USD balance through a crypto top-up, certain data is recorded on public blockchains and is outside Bankly's control:

* The wallet addresses you use to send a crypto top-up (in USDC, USDT, BTC, ETH, SOL, or BNB) are publicly visible on the relevant blockchain network;
* Transaction hashes, amounts, timestamps, and the deposit addresses you send funds to are permanently and immutably recorded on-chain;
* Bankly cannot delete, alter, or restrict access to Blockchain Data. Your right to erasure does not extend to information recorded on a public blockchain.

For the avoidance of doubt, Bankly holds your funded balance in US dollars. Bankly does not take custody of your crypto wallet, private keys, or on-chain assets, and does not control the public ledgers on which your top-up transactions are recorded.

#### 3.4 KYC and Biometric Data

Bankly collects Biometric Data as part of identity verification through Sumsub (Sumsub Identity Verification Service). This may include facial recognition data and liveness detection scans collected to verify your identity against government-issued identification documents.

Biometric Data is Sensitive Personal Data. It is collected solely for KYC/AML compliance purposes, processed by Sumsub under data processing agreements, and not used for any commercial, marketing, or unrelated analytical purpose. Biometric Data is retained only for the period required by applicable AML law and is then deleted or anonymized in accordance with Section 11.

Identity verification through KYC applies to all membership tiers except the Private tier, which is offered without KYC. The scope of KYC Data we collect may vary by tier and by the applicable regulatory requirements.

#### 3.5 Information We Do Not Collect

Bankly does not collect:

* Private keys or seed phrases — these remain solely in your control;
* Card numbers, CVV codes, or sensitive card authentication data beyond what is processed by the Card Partner through PCI-DSS compliant infrastructure;
* Health data, political opinions, religious beliefs, or other Sensitive Personal Data beyond Biometric Data collected for KYC purposes;
* Personal data for targeted advertising or sale to third parties.

***

### 4. HOW WE USE YOUR INFORMATION

We process your Personal Data only for the purposes described below and only to the extent necessary for each purpose:

| Purpose                                                              | Data Used                                     | Lawful Basis                                   |
| -------------------------------------------------------------------- | --------------------------------------------- | ---------------------------------------------- |
| Account creation and authentication                                  | Identity data, email, wallet address          | Contract performance                           |
| KYC / AML compliance and identity verification                       | KYC Data, Biometric Data, transaction history | Legal obligation                               |
| Delivering Platform services (USD balance, card access, top-ups, XP) | Account data, wallet data, membership data    | Contract performance                           |
| Transaction monitoring and fraud prevention                          | Transaction data, IP address, behavioral data | Legal obligation; Legitimate interests         |
| Sanctions and geographic restriction screening                       | Identity data, IP address, KYC data           | Legal obligation                               |
| Customer support and dispute resolution                              | Communications data, account data             | Contract performance; Legitimate interests     |
| Platform security and abuse prevention                               | Device data, IP address, usage data           | Legitimate interests                           |
| Analytics and Platform improvement                                   | Aggregated / anonymized usage data            | Legitimate interests                           |
| Legal compliance and regulatory reporting                            | Any data required by law or regulator         | Legal obligation                               |
| Transactional and service communications                             | Email address, account activity               | Contract performance; Consent (where required) |
| Referral program and loyalty administration                          | Referral data, XP data, cashback, membership  | Contract performance                           |

We do not use your Personal Data for targeted advertising, profiling for commercial purposes unrelated to the Platform, or sale to third parties.

***

### 5. LAWFUL BASIS FOR PROCESSING

We process your Personal Data under the following lawful bases, consistent with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL"), the EU General Data Protection Regulation ("GDPR") where applicable, and equivalent frameworks:

* **Contract Performance:** Processing necessary to provide you with the Platform services you have requested, including account management, USD balance maintenance, crypto top-up processing, and Bankly Card access.
* **Legal Obligation:** Processing required to comply with applicable law, including AML/CFT obligations, KYC requirements, sanctions screening, tax reporting, and regulatory record-keeping.
* **Legitimate Interests:** Processing necessary for our legitimate business interests, including Platform security, fraud prevention, abuse detection, and service improvement, provided those interests are not overridden by your rights and freedoms.
* **Consent:** Processing based on your freely given, specific, informed, and unambiguous consent, including for optional marketing communications where required by law. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Where we process Biometric Data or other Sensitive Personal Data, we rely on explicit consent and/or legal obligation as the lawful basis, as required by applicable law.

***

### 6. DATA SHARING AND DISCLOSURE

We do not sell, rent, or trade your Personal Data. We share your Personal Data only in the following circumstances:

#### 6.1 Card Partner

We share KYC Data, identity verification results, and transaction-related data with our licensed Card Partner (\[Card-issuing partner]) as required to: (a) issue and manage your Bankly Card; (b) conduct card authorization, clearing, and settlement; (c) comply with card network and regulatory requirements; and (d) perform fraud prevention and transaction monitoring. The Card Partner acts as an independent data controller for card-related processing and is subject to its own privacy policy and applicable financial services regulations.

#### 6.2 KYC Verification Vendor — Sumsub

We share identity documents and Biometric Data with Sumsub (Sumsub Identity Verification Service) solely for the purpose of verifying your identity against applicable AML/KYC requirements. Sumsub acts as a data processor under a data processing agreement and is prohibited from using your data for any purpose beyond identity verification. For more information on Sumsub's data practices, please refer to Sumsub's privacy policy at sumsub.com.

#### 6.3 Payment and Crypto Top-Up Processors

When you fund your Bankly USD balance, your top-up wallet address and transaction details are transmitted to and processed by the payment and crypto top-up processors that facilitate the conversion of your incoming crypto into your held USD balance. These processors receive only the data necessary to validate, settle, and credit your top-up. As on-chain transactions are public and immutable, any data recorded on the blockchain is outside Bankly's control.

#### 6.4 Infrastructure and Technology Providers

We use third-party infrastructure providers including cloud hosting services, database providers, and application performance monitoring tools. These providers process Personal Data solely as data processors under our instructions and subject to data processing agreements, including for analytics, crash reporting, performance monitoring, and authentication services.

#### 6.5 Legal and Regulatory Disclosure

We may disclose Personal Data to government authorities, regulators, law enforcement agencies, or courts where required by applicable law, regulation, court order, or legal process. This includes disclosures required by UAE financial regulators, AML/CFT supervisory authorities, sanctions authorities, and tax authorities, as well as disclosures necessary to establish, exercise, or defend legal claims, or to protect the rights, property, or safety of Bankly, our users, or the public.

#### 6.6 Corporate Transactions

If Bankly is involved in a merger, acquisition, financing, reorganization, or sale of all or part of its business or assets, Personal Data may be transferred to the relevant counterparty or successor entity, subject to this Policy and applicable law. We will take reasonable steps to ensure your Personal Data continues to be protected to the standard described in this Policy.

***

### 7. INTERNATIONAL DATA TRANSFERS

Bankly operates globally, and your Personal Data may be transferred to, stored in, or processed in countries other than the one in which you reside, including the United Arab Emirates and jurisdictions where our Third-Party Providers operate. These countries may have data protection laws that differ from those of your home jurisdiction.

Where we transfer Personal Data internationally, we implement appropriate safeguards, which may include:

* Standard Contractual Clauses approved under the GDPR or equivalent mechanisms for transfers out of the EEA or United Kingdom;
* Adequacy decisions, where the destination country is recognized as providing an adequate level of protection;
* Data processing agreements imposing contractual data protection obligations on recipients consistent with the UAE PDPL and applicable law.

By using the Platform, you acknowledge that your Personal Data may be transferred as described in this Section.

***

### 8. COOKIES AND TRACKING TECHNOLOGIES

We and our service providers use cookies and similar tracking technologies on our website and within the Platform to operate, secure, and improve the service. These technologies fall into the following categories:

* **Strictly necessary:** required to authenticate sessions, maintain security, and deliver core Platform functionality. These cannot be disabled.
* **Functional:** remember your preferences and settings to improve your experience.
* **Analytics:** help us understand how users interact with the Platform so we can improve it. Analytics data is aggregated and, where feasible, anonymized.

We do not use advertising or cross-site tracking cookies for targeted advertising. You can manage non-essential cookies through your browser settings or any in-product cookie controls we make available. For more detail, see our Cookie Policy.

***

### 9. DATA SECURITY

We implement technical and organizational measures designed to protect your Personal Data against unauthorized access, disclosure, alteration, and destruction. These measures include:

* Encryption of Personal Data in transit and at rest;
* Access controls and the principle of least privilege for personnel who handle Personal Data;
* Network security controls, monitoring, and logging;
* Reliance on PCI-DSS compliant infrastructure operated by the Card Partner for card data;
* Regular review of our security practices and those of our Third-Party Providers.

No method of transmission or storage is completely secure. While we strive to protect your Personal Data, we cannot guarantee absolute security. You are responsible for safeguarding your account credentials, device, and any private keys or seed phrases, which Bankly never collects or stores.

***

### 10. DATA BREACH NOTIFICATION

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required by applicable law, affected users without undue delay and in accordance with the timelines mandated by the UAE PDPL, GDPR, and other applicable frameworks. Our notification will describe the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address it.

***

### 11. DATA RETENTION

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including to comply with our legal, regulatory, accounting, and reporting obligations, and to resolve disputes and enforce our agreements.

* **KYC Data and Biometric Data:** retained for the period required by applicable AML/CFT law (typically at least five years after the end of the customer relationship), after which it is deleted or anonymized.
* **Transaction and account records:** retained for the period required by applicable financial, tax, and AML record-keeping obligations.
* **Communications and support data:** retained for as long as necessary to address your inquiry and for a reasonable period thereafter.
* **Usage and analytics data:** retained in aggregated or anonymized form, or for the limited period necessary for security and product improvement.

When Personal Data is no longer required, we delete or anonymize it. Blockchain Data recorded on a public ledger cannot be deleted and falls outside the scope of our retention controls.

***

### 12. YOUR PRIVACY RIGHTS

Subject to applicable law and to the verification of your identity, you may have the following rights in relation to your Personal Data:

* **Access:** request confirmation of whether we process your Personal Data and a copy of that data.
* **Rectification:** request correction of inaccurate or incomplete Personal Data.
* **Erasure:** request deletion of your Personal Data, subject to our legal retention obligations and the immutable nature of Blockchain Data.
* **Restriction:** request that we restrict the processing of your Personal Data in certain circumstances.
* **Objection:** object to processing based on our legitimate interests.
* **Portability:** request a copy of certain Personal Data in a structured, commonly used, machine-readable format.
* **Withdraw consent:** withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
* **Complaint:** lodge a complaint with a competent supervisory authority.

To exercise any of these rights, contact us at <privacy@bankly.cc>. We will respond within the timeframes required by applicable law. Certain rights may be limited where we are legally required to retain data (for example, for AML/CFT compliance) or where the data is recorded on a public blockchain.

***

### 13. CHILDREN'S PRIVACY

The Platform is not directed to, and we do not knowingly collect Personal Data from, individuals under the age of 18 (or the higher age of majority in your jurisdiction). If we become aware that we have collected Personal Data from a minor without appropriate consent, we will take steps to delete that data. If you believe a minor has provided us with Personal Data, please contact us at <privacy@bankly.cc>.

***

### 14. CHANGES TO THIS POLICY

We may update this Policy from time to time to reflect changes in our practices, the Platform, or applicable law. When we make material changes, we will notify you through the Platform, by email, or by other appropriate means, and we will update the "Effective Date" above. Your continued use of the Platform after the updated Policy takes effect constitutes your acknowledgment of the changes, except where additional consent is required by law.

***

### 15. ADDITIONAL DISCLOSURES FOR EEA USERS

If you are located in the European Economic Area, the following additional disclosures apply, and the GDPR governs the processing of your Personal Data:

* **Controller:** CavaleroTech is the controller of your Personal Data as described in Section 2.
* **Lawful bases:** as set out in Section 5.
* **International transfers:** where we transfer your Personal Data outside the EEA, we rely on the safeguards described in Section 7, including Standard Contractual Clauses.
* **Your rights:** in addition to the rights in Section 12, you have the right to lodge a complaint with your local Data Protection Authority.
* **Automated decision-making:** we may use automated processes for fraud prevention, sanctions screening, and AML monitoring. Where such processing produces legal or similarly significant effects, you have the right to request human review, subject to applicable legal exemptions for compliance purposes.

***

### 16. ADDITIONAL DISCLOSURES FOR UK USERS

If you are located in the United Kingdom, the UK GDPR and the Data Protection Act 2018 govern the processing of your Personal Data. The disclosures in Section 15 apply equally, with references to EEA authorities and mechanisms read as references to their UK equivalents. You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). Where we transfer your Personal Data outside the United Kingdom, we rely on UK-approved transfer mechanisms, including the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.

***

### 17. ADDITIONAL DISCLOSURES FOR CALIFORNIA USERS

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), provides you with the following rights, subject to certain exceptions:

* **Right to know:** the categories and specific pieces of Personal Information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
* **Right to delete:** request deletion of Personal Information we collected from you, subject to legal retention obligations.
* **Right to correct:** request correction of inaccurate Personal Information.
* **Right to opt out of sale or sharing:** we do not sell or share your Personal Information as those terms are defined under the CCPA/CPRA.
* **Right to limit use of Sensitive Personal Information:** we use Sensitive Personal Information (such as Biometric Data) only for permitted purposes, including KYC/AML compliance, and not for inferring characteristics or for advertising.
* **Right to non-discrimination:** we will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at <privacy@bankly.cc>. We will verify your request as required by law and respond within the applicable timeframes. You may use an authorized agent to submit a request on your behalf, subject to verification.

***

### 18. CONTACT US

If you have questions, concerns, or requests regarding this Policy or your Personal Data, please contact us at:

**CavaleroTech** (operating as Bankly) \[CavaleroTech registered office — Dubai, United Arab Emirates]

Email: <privacy@bankly.cc>

Support: <support@bankly.cc>

Documentation: docs.bankly.cc


