Privacy Policy

Privacy Notice
dtcpay Luxembourg S.A.

Effective date: 2026.04.24

Last updated date: 2026.04.24


1. ABOUT THIS POLICY AND DATA CONTROLLER

1.1 Identity of the Data Controller

This Privacy Policy is issued by dtcpay Luxembourg S.A. ("dtcpay", "we", "us", "our"), a company incorporated under the laws of Luxembourg, registered with the Luxembourg Trade and Companies Register under number B294535, with registered office at 53, Boulevard Royal, L-2449, Luxembourg.

dtcpay Luxembourg S.A. is authorised as an Electronic Money Institution (EMI) by the Commission de Surveillance du Secteur Financier (CSSF) under authorisation number W00000020, pursuant to the Law of 10 November 2009 on payment services, as amended.

1.2 Scope

This Privacy Policy describes how we collect, use, disclose, store and otherwise process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR") and other applicable data protection laws when you:

  • access or use our websites, mobile applications and web-based platforms (collectively, "Applications");
  • use our electronic money, payment services or related services; and/or
  • interact with us in any other way.

    1.3 Data Protection Officer

    We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Policy and applicable data protection legislation. If you have any questions, concerns or requests relating to your personal data or this Privacy Policy, you may contact our DPO at:

    dtcpay Luxembourg S.A. — Data Protection Officer

    53, Boulevard Royal, L-2449, Luxembourg

    Email: dpo@dtcpay.lu

    You also have the right to lodge a complaint with the Luxembourg data protection supervisory authority:

    Commission Nationale pour la Protection des Données (CNPD)

    15, Boulevard du Jazz

    L-4370 Belvaux, Luxembourg

    Website: www.cnpd.lu

    Email: info@cnpd.lu

    1.4 Relationship to Group Entities

    dtcpay Luxembourg S.A. is part of the Digital Treasures Center group. Where relevant, this Privacy Policy will identify where personal data may be shared with other group entities. Each entity within the group is independently responsible for its own data processing activities.

    1.5 Amendments

    We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or regulatory guidance. When we make material changes, we will notify you by posting the updated policy on our website and, where required by law, by sending you prior notice. The date of the latest revision is shown at the top of this document. We encourage you to review this Privacy Policy periodically.


    2. PERSONAL DATA WE COLLECT

    2.1 Categories of Personal Data

    We collect the following categories of personal data:

    Identity Data:

    Full name, date of birth, place of birth, nationality, gender, government-issued identification documents (passport, national identity card, driving licence), tax identification number, and photographs.

    Contact Data:

    Residential address, email address, telephone number, and other contact details.

    Financial Data:

    Bank account details, IBAN, payment card details (where applicable), transaction history, account balances, source of funds, source of wealth, and financial statements.

    Know Your Customer (KYC) and Compliance Data:

    Information collected as part of our legal obligations under anti-money laundering (AML) and counter-terrorist financing (CTF) legislation, including identity verification documents, politically exposed person (PEP) status, sanctions screening results, and beneficial ownership information.

    Technical Data:

    Internet Protocol (IP) addresses, browser type and version, device identifiers, operating system, login data, time zone settings, and cookie data.

    Usage Data:

    Information about how you use our Applications, including access logs, page views, click-through data, and navigation patterns.

    Communications Data:

    Records of your correspondence with us, including emails, chat messages, and call recordings (where applicable).

    Employment Data:

    Curriculum vitae, employment history, educational qualifications, and references (for job applicants).

    2.2 Special Categories of Personal Data

    We do not intentionally collect special categories of personal data (including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) unless required by applicable law (for example, in the context of AML/CTF compliance).

    2.3 Accuracy

    You are responsible for ensuring that the personal data you provide to us is accurate, complete and up to date. Please notify us promptly of any changes.

    2.4 Minors

    Our services are not intended for persons under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data without appropriate parental consent, please contact our DPO.


    3. HOW WE COLLECT PERSONAL DATA

    3.1 Data You Provide Directly

    We collect personal data that you provide to us directly, including when you:

    • register for an account on our Applications;
    • apply for or use our electronic money or payment services;
    • complete identity verification or KYC procedures;
    • contact us by email, telephone, post or through our Applications;
    • respond to surveys or participate in promotions;
    • attend events organised by us; or
    • apply for employment with us.

      3.2 Data Collected Automatically

      When you use our Applications, we may automatically collect Technical Data and Usage Data through the use of cookies and similar tracking technologies (see Section 10 — Cookies).

      3.3 Data from Third Parties

      We may receive personal data about you from third parties, including:

      • identity verification and KYC service providers;
      • sanctions screening and fraud prevention databases;
      • credit reference agencies;
      • public registers and databases;
      • our business partners and agents; and
      • competent authorities and law enforcement agencies, to the extent permitted by applicable law.


        4. LEGAL BASES FOR PROCESSING

        Under the GDPR, we are required to identify a valid legal basis for each processing activity. We rely on the following legal bases:

        4.1 Performance of a Contract (Article 6(1)(b) GDPR)

        We process your personal data where it is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract. This includes processing necessary to:

        • open and manage your electronic money account;
        • execute payment transactions and related services;
        • process your identity verification during onboarding; and
        • provide customer support.

          4.2 Compliance with a Legal Obligation (Article 6(1)(c) GDPR)

          We process your personal data where it is necessary to comply with our legal and regulatory obligations, including under:

          • the Law of 10 November 2009 on payment services (as amended);
          • the Law of 12 November 2004 on the fight against money laundering and terrorist financing (as amended);
          • Regulation (EU) 2015/847 on information accompanying transfers of funds;
          • Directive (EU) 2015/849 (Fourth Anti-Money Laundering Directive) and its implementing measures;
          • CSSF regulations and circulars, including Circular CSSF 26/906;
          • GDPR and applicable data protection legislation; and
          • tax and accounting obligations.

            4.3 Legitimate Interests (Article 6(1)(f) GDPR)

            We process your personal data where it is necessary for the purposes of our legitimate interests or those of a third party, provided that such interests are not overridden by your interests or fundamental rights and freedoms. Our legitimate interests include:

            • preventing fraud, financial crime and misuse of our services;
            • improving and developing our products and services;
            • maintaining the security and integrity of our Applications and systems;
            • managing our business operations effectively; and
            • communicating with you about matters relevant to your account or our services.

              When we rely on legitimate interests, we carry out a balancing test to ensure that our interests do not override your rights. You may request information about this balancing test by contacting our DPO.

              4.4 Consent (Article 6(1)(a) GDPR)

              We may process your personal data based on your consent where no other legal basis applies, in particular for:

              • direct marketing communications (where consent is required); and
              • the use of non-essential cookies and similar technologies.

                Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.


                5. PURPOSES OF PROCESSING

                We process your personal data for the following purposes:

                Purpose

                Legal Basis

                Account registration and management

                Contract

                Identity verification and KYC/AML compliance

                Legal obligation

                Processing electronic money and payment transactions

                Contract

                Fraud prevention and financial crime detection

                Legal obligation; Legitimate interests

                Customer support and complaint handling

                Contract; Legitimate interests

                Regulatory reporting to CSSF and other authorities

                Legal obligation

                Security monitoring and IT system integrity

                Legitimate interests

                Product development and service improvement

                Legitimate interests

                Marketing communications (with consent)

                Consent

                Record keeping and audit

                Legal obligation

                Legal proceedings and dispute resolution

                Legitimate interests; Legal obligation

                Employment and recruitment

                Contract; Legal obligation


                6. DISCLOSURE OF PERSONAL DATA

                6.1 Recipients

                We may share your personal data with the following categories of recipients:

                Group Companies: Other entities within the Digital Treasures Center group, where necessary to provide our services or comply with legal obligations, subject to appropriate data sharing agreements.

                Service Providers and Data Processors: Third parties that process personal data on our behalf, including:

                • identity verification and KYC providers;
                • cloud hosting and IT infrastructure providers;
                • payment processing partners;
                • fraud detection and sanctions screening providers;
                • professional advisors (lawyers, auditors, accountants); and
                • customer support platform providers.

                  All processors are required to process personal data only on our documented instructions and to implement appropriate technical and organisational security measures.

                  Regulatory and Law Enforcement Authorities: The CSSF, the CNPD, the Luxembourg Financial Intelligence Unit (Cellule de Renseignement Financier — CRF), and other competent authorities, courts, and law enforcement agencies, where required by law or in response to lawful requests.

                  Banking and Financial Partners: Correspondent banks, card scheme operators (Visa, Mastercard), and other financial institutions involved in the execution of payment transactions.

                  Business Transfers: In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred as part of that transaction.

                  6.2 No Sale of Personal Data

                  We do not sell your personal data to third parties.


                  7. INTERNATIONAL TRANSFERS OF PERSONAL DATA

                  7.1 Transfers Outside the European Economic Area

                  Some of our service providers and group entities are located outside the European Economic Area (EEA). Where we transfer your personal data to countries that have not been assessed as providing an adequate level of data protection by the European Commission, we implement appropriate safeguards, including:

                  • Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2)(c) GDPR;
                  • Binding Corporate Rules (BCRs) where applicable; or
                  • Other appropriate safeguards as permitted under Article 46 GDPR.

                    You may obtain a copy of the relevant safeguards by contacting our DPO.

                    7.2 Transfers Required by Law

                    In certain circumstances, we may be required to transfer personal data to authorities outside the EEA on the basis of legally binding requests under applicable law.


                    8. RETENTION OF PERSONAL DATA

                    8.1 Retention Periods

                    We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal obligations. The following retention periods apply as a minimum:

                    Category of Data

                    Retention Period

                    KYC and identity verification records

                    5 years from the end of the business relationship (as required by AML legislation)

                    Transaction records

                    5 years from the date of the transaction

                    Contractual documentation

                    Duration of the contract + 10 years

                    Regulatory correspondence

                    5 years

                    Customer support records

                    3 years from the date of the interaction

                    Marketing consent records

                    Until consent is withdrawn + 1 year

                    Employment records

                    Duration of employment + applicable statutory period

                    Longer retention periods may apply where required by applicable law, regulatory guidance, or where personal data is necessary for the establishment, exercise or defence of legal claims.

                    8.2 Anonymisation

                    At the end of the applicable retention period, personal data will be securely deleted or anonymised in a manner that prevents re-identification.


                    9. YOUR RIGHTS UNDER GDPR

                    As a data subject under the GDPR, you have the following rights:

                    9.1 Right of Access (Article 15 GDPR)

                    You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of your personal data and supplementary information about our processing activities.

                    9.2 Right to Rectification (Article 16 GDPR)

                    You have the right to request that we correct inaccurate or incomplete personal data held about you without undue delay.

                    9.3 Right to Erasure / Right to be Forgotten (Article 17 GDPR)

                    You have the right to request that we erase your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected. This right is subject to exceptions, in particular where processing is required by law (e.g. AML retention obligations).

                    9.4 Right to Restriction of Processing (Article 18 GDPR)

                    You have the right to request that we restrict the processing of your personal data in certain circumstances, for example, while we verify the accuracy of your data or assess an objection you have raised.

                    9.5 Right to Data Portability (Article 20 GDPR)

                    Where processing is based on your consent or on the performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.

                    9.6 Right to Object (Article 21 GDPR)

                    You have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

                    9.7 Rights in Relation to Automated Decision-Making (Article 22 GDPR)

                    You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where we engage in such processing, we will inform you and provide you with the opportunity to request human review.

                    9.8 Right to Withdraw Consent (Article 7(3) GDPR)

                    Where processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

                    9.9 How to Exercise Your Rights

                    To exercise any of the above rights, please submit a written request to our DPO at dpo@dtcpay.lu. We will respond to your request within one month of receipt. This period may be extended by a further two months where requests are complex or numerous, in which case we will notify you within one month of receipt of the request.

                    We will process requests free of charge. However, where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request.

                    We may require you to verify your identity before responding to your request.

                    9.10 Right to Lodge a Complaint

                    Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the CNPD (Luxembourg's supervisory authority) or with the supervisory authority in your EU Member State of habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.


                    10. COOKIES AND SIMILAR TECHNOLOGIES

                    10.1 What Are Cookies

                    Cookies are small text files stored on your device when you visit our Applications. We use cookies and similar technologies (including web beacons and tracking pixels) to operate and improve our Applications, understand how users interact with our content, and deliver relevant content and advertising.

                    10.2 Categories of Cookies

                    Strictly Necessary Cookies: These cookies are essential for the operation of our Applications and cannot be disabled. They include session cookies that enable you to log in and navigate securely.

                    Analytical/Performance Cookies: These cookies allow us to measure and analyse how visitors use our Applications, including through tools such as Google Analytics. We use this information to improve the performance and user experience of our Applications.

                    Functional Cookies: These cookies enable enhanced functionality and personalisation, such as remembering your preferences.

                    Targeting/Advertising Cookies: These cookies may be set by our advertising partners to build a profile of your interests and display relevant advertisements. We will only deploy these cookies with your prior consent.

                    10.3 Your Cookie Choices

                    When you first visit our Applications, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You can change your cookie preferences at any time through our cookie settings tool.

                    You may also manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our Applications.

                    For further information about managing cookies, please visit www.aboutcookies.org.


                    11. SECURITY

                    We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:

                    • encryption of data in transit and at rest;
                    • access controls and authentication mechanisms;
                    • regular security assessments and penetration testing;
                    • staff training on data protection and information security; and
                    • incident response and breach notification procedures.

                      In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNPD without undue delay and, where required, notify affected individuals.

                      We cannot guarantee absolute security of data transmitted over the internet. The transmission of data to our Applications is at your own risk.


                      12. LINKS TO THIRD-PARTY WEBSITES

                      Our Applications may contain links to third-party websites. This Privacy Policy applies only to our Applications. We are not responsible for the privacy practices of third-party websites and encourage you to review their privacy policies before providing any personal data.


                      13. CONTACT US

                      For any questions, concerns or requests relating to this Privacy Policy or our data processing practices, please contact:

                      dtcpay Luxembourg S.A.

                      Data Protection Officer

                      53, Boulevard Royal, L-2449

                      Luxembourg

                      Email: dpo@dtcpay.lu


                      This Privacy Policy was last updated on [DATE] and supersedes all previous versions.