Effective date: 2026.04.24
Last updated date: 2026.04.24
This Privacy Policy is issued by dtcpay Luxembourg S.A. ("dtcpay", "we", "us", "our"), a company incorporated under the laws of Luxembourg, registered with the Luxembourg Trade and Companies Register under number B294535, with registered office at 53, Boulevard Royal, L-2449, Luxembourg.
dtcpay Luxembourg S.A. is authorised as an Electronic Money Institution (EMI) by the Commission de Surveillance du Secteur Financier (CSSF) under authorisation number W00000020, pursuant to the Law of 10 November 2009 on payment services, as amended.
This Privacy Policy describes how we collect, use, disclose, store and otherwise process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR") and other applicable data protection laws when you:
We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Policy and applicable data protection legislation. If you have any questions, concerns or requests relating to your personal data or this Privacy Policy, you may contact our DPO at:
dtcpay Luxembourg S.A. — Data Protection Officer
53, Boulevard Royal, L-2449, Luxembourg
Email: dpo@dtcpay.lu
You also have the right to lodge a complaint with the Luxembourg data protection supervisory authority:
Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux, Luxembourg
Website: www.cnpd.lu
Email: info@cnpd.lu
dtcpay Luxembourg S.A. is part of the Digital Treasures Center group. Where relevant, this Privacy Policy will identify where personal data may be shared with other group entities. Each entity within the group is independently responsible for its own data processing activities.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or regulatory guidance. When we make material changes, we will notify you by posting the updated policy on our website and, where required by law, by sending you prior notice. The date of the latest revision is shown at the top of this document. We encourage you to review this Privacy Policy periodically.
We collect the following categories of personal data:
Identity Data:
Full name, date of birth, place of birth, nationality, gender, government-issued identification documents (passport, national identity card, driving licence), tax identification number, and photographs.
Contact Data:
Residential address, email address, telephone number, and other contact details.
Financial Data:
Bank account details, IBAN, payment card details (where applicable), transaction history, account balances, source of funds, source of wealth, and financial statements.
Know Your Customer (KYC) and Compliance Data:
Information collected as part of our legal obligations under anti-money laundering (AML) and counter-terrorist financing (CTF) legislation, including identity verification documents, politically exposed person (PEP) status, sanctions screening results, and beneficial ownership information.
Technical Data:
Internet Protocol (IP) addresses, browser type and version, device identifiers, operating system, login data, time zone settings, and cookie data.
Usage Data:
Information about how you use our Applications, including access logs, page views, click-through data, and navigation patterns.
Communications Data:
Records of your correspondence with us, including emails, chat messages, and call recordings (where applicable).
Employment Data:
Curriculum vitae, employment history, educational qualifications, and references (for job applicants).
We do not intentionally collect special categories of personal data (including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) unless required by applicable law (for example, in the context of AML/CTF compliance).
You are responsible for ensuring that the personal data you provide to us is accurate, complete and up to date. Please notify us promptly of any changes.
Our services are not intended for persons under the age of 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data without appropriate parental consent, please contact our DPO.
We collect personal data that you provide to us directly, including when you:
When you use our Applications, we may automatically collect Technical Data and Usage Data through the use of cookies and similar tracking technologies (see Section 10 — Cookies).
We may receive personal data about you from third parties, including:
Under the GDPR, we are required to identify a valid legal basis for each processing activity. We rely on the following legal bases:
We process your personal data where it is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract. This includes processing necessary to:
We process your personal data where it is necessary to comply with our legal and regulatory obligations, including under:
We process your personal data where it is necessary for the purposes of our legitimate interests or those of a third party, provided that such interests are not overridden by your interests or fundamental rights and freedoms. Our legitimate interests include:
When we rely on legitimate interests, we carry out a balancing test to ensure that our interests do not override your rights. You may request information about this balancing test by contacting our DPO.
We may process your personal data based on your consent where no other legal basis applies, in particular for:
Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
We process your personal data for the following purposes:
Purpose | Legal Basis |
Account registration and management | Contract |
Identity verification and KYC/AML compliance | Legal obligation |
Processing electronic money and payment transactions | Contract |
Fraud prevention and financial crime detection | Legal obligation; Legitimate interests |
Customer support and complaint handling | Contract; Legitimate interests |
Regulatory reporting to CSSF and other authorities | Legal obligation |
Security monitoring and IT system integrity | Legitimate interests |
Product development and service improvement | Legitimate interests |
Marketing communications (with consent) | Consent |
Record keeping and audit | Legal obligation |
Legal proceedings and dispute resolution | Legitimate interests; Legal obligation |
Employment and recruitment | Contract; Legal obligation |
We may share your personal data with the following categories of recipients:
Group Companies: Other entities within the Digital Treasures Center group, where necessary to provide our services or comply with legal obligations, subject to appropriate data sharing agreements.
Service Providers and Data Processors: Third parties that process personal data on our behalf, including:
All processors are required to process personal data only on our documented instructions and to implement appropriate technical and organisational security measures.
Regulatory and Law Enforcement Authorities: The CSSF, the CNPD, the Luxembourg Financial Intelligence Unit (Cellule de Renseignement Financier — CRF), and other competent authorities, courts, and law enforcement agencies, where required by law or in response to lawful requests.
Banking and Financial Partners: Correspondent banks, card scheme operators (Visa, Mastercard), and other financial institutions involved in the execution of payment transactions.
Business Transfers: In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred as part of that transaction.
We do not sell your personal data to third parties.
Some of our service providers and group entities are located outside the European Economic Area (EEA). Where we transfer your personal data to countries that have not been assessed as providing an adequate level of data protection by the European Commission, we implement appropriate safeguards, including:
You may obtain a copy of the relevant safeguards by contacting our DPO.
In certain circumstances, we may be required to transfer personal data to authorities outside the EEA on the basis of legally binding requests under applicable law.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal obligations. The following retention periods apply as a minimum:
Category of Data | Retention Period |
KYC and identity verification records | 5 years from the end of the business relationship (as required by AML legislation) |
Transaction records | 5 years from the date of the transaction |
Contractual documentation | Duration of the contract + 10 years |
Regulatory correspondence | 5 years |
Customer support records | 3 years from the date of the interaction |
Marketing consent records | Until consent is withdrawn + 1 year |
Employment records | Duration of employment + applicable statutory period |
Longer retention periods may apply where required by applicable law, regulatory guidance, or where personal data is necessary for the establishment, exercise or defence of legal claims.
At the end of the applicable retention period, personal data will be securely deleted or anonymised in a manner that prevents re-identification.
As a data subject under the GDPR, you have the following rights:
You have the right to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of your personal data and supplementary information about our processing activities.
You have the right to request that we correct inaccurate or incomplete personal data held about you without undue delay.
You have the right to request that we erase your personal data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected. This right is subject to exceptions, in particular where processing is required by law (e.g. AML retention obligations).
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example, while we verify the accuracy of your data or assess an objection you have raised.
Where processing is based on your consent or on the performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.
You have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where we engage in such processing, we will inform you and provide you with the opportunity to request human review.
Where processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
To exercise any of the above rights, please submit a written request to our DPO at dpo@dtcpay.lu. We will respond to your request within one month of receipt. This period may be extended by a further two months where requests are complex or numerous, in which case we will notify you within one month of receipt of the request.
We will process requests free of charge. However, where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request.
We may require you to verify your identity before responding to your request.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the CNPD (Luxembourg's supervisory authority) or with the supervisory authority in your EU Member State of habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
Cookies are small text files stored on your device when you visit our Applications. We use cookies and similar technologies (including web beacons and tracking pixels) to operate and improve our Applications, understand how users interact with our content, and deliver relevant content and advertising.
Strictly Necessary Cookies: These cookies are essential for the operation of our Applications and cannot be disabled. They include session cookies that enable you to log in and navigate securely.
Analytical/Performance Cookies: These cookies allow us to measure and analyse how visitors use our Applications, including through tools such as Google Analytics. We use this information to improve the performance and user experience of our Applications.
Functional Cookies: These cookies enable enhanced functionality and personalisation, such as remembering your preferences.
Targeting/Advertising Cookies: These cookies may be set by our advertising partners to build a profile of your interests and display relevant advertisements. We will only deploy these cookies with your prior consent.
When you first visit our Applications, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You can change your cookie preferences at any time through our cookie settings tool.
You may also manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our Applications.
For further information about managing cookies, please visit www.aboutcookies.org.
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the CNPD without undue delay and, where required, notify affected individuals.
We cannot guarantee absolute security of data transmitted over the internet. The transmission of data to our Applications is at your own risk.
Our Applications may contain links to third-party websites. This Privacy Policy applies only to our Applications. We are not responsible for the privacy practices of third-party websites and encourage you to review their privacy policies before providing any personal data.
For any questions, concerns or requests relating to this Privacy Policy or our data processing practices, please contact:
dtcpay Luxembourg S.A.
Data Protection Officer
53, Boulevard Royal, L-2449
Luxembourg
Email: dpo@dtcpay.lu
This Privacy Policy was last updated on [DATE] and supersedes all previous versions.