Privacy Policy

This Privacy Policy explains how Codego Group ("Codego", "we", "us"), the operator of the Banqa brand, collects, uses, shares and protects personal data when you use the Banqa platform, website or card ("Service"). It is written to satisfy the GDPR, UK GDPR and the UAE PDPL.

1. Data controller

Codego Group is the data controller for personal data processed through theBanqa Service. Contact our Data Protection Officer at [email protected].

2. Categories of personal data we collect

• Identification: full name, date of birth, nationality, national ID / passport number, photograph, signature, address.
• Contact: email address, phone number.
• Account & security: hashed password, login timestamps, IP addresses, user-agent, device fingerprints, session metadata.
• KYC artefacts: ID document images, liveness/selfie video, proof of address (utility bill, bank statement).
• Financial & transactional: wallet address, deposit and withdrawal records, card transactions (amount, merchant, MCC, currency, time, location).
• Compliance: sanctions / PEP / adverse-media screening results, risk score, internal case notes.
• Communications: support tickets, in-app messages, emails.
• Cookies & analytics: see our Cookie Policy.

3. Why we use your data (lawful bases)

• Performance of contract — to create your account, issue your card, process transactions and provide support.
• Legal obligation — KYC, AML, sanctions screening, transaction monitoring, tax and regulatory reporting.
• Legitimate interests — fraud prevention, security, product improvement, business operations.
• Consent — optional marketing emails (you can opt out anytime).

4. Who we share your data with

• Card-issuing partner (regulated EMI / card processor): for card issuance, transaction processing and dispute handling.
• KYC providers (e.g. AWS Textract, Sumsub, internal face-match): for identity verification.
• Cloud & infrastructure: AWS, Cloudflare, Proxmox-hosted internal infrastructure.
• Email delivery: SMTP via codegogroup.com mail servers.
• Regulators & law enforcement: where legally required.
• Professional advisors: auditors, accountants, lawyers under confidentiality.

We do not sell your personal data.

5. International transfers

Some of our processors are located outside the EEA / UK / UAE. Transfers are protected by Standard Contractual Clauses, adequacy decisions, or equivalent safeguards required by the relevant data-protection law.

6. Retention

We retain personal data for as long as necessary to provide the Service and meet legal obligations:

• Account & transaction records: 5 years after account closure (AML retention).
• KYC artefacts: 5 years after the business relationship ends.
• Marketing consent: until you withdraw it.
• Web logs: 90 days.

7. Your rights

Subject to applicable law you have the right to:

• access the personal data we hold about you;
• request rectification of inaccurate data;
• request erasure (where not overridden by legal retention duties);
• restrict or object to processing;
• data portability;
• withdraw consent at any time for consent-based processing;
• lodge a complaint with your data-protection authority.

To exercise these rights email [email protected].

8. Security

We employ defence-in-depth security: encryption in transit (TLS 1.3) and at rest (AES-256 for sensitive payloads), private VPN networking (WireGuard) for internal services, role-based access controls, MFA on admin accounts, audit logging, and regular vulnerability assessments.

9. Self-custody wallet

Your 24-word recovery phrase and private key are generated for you and shown only once. We do not store them. We have no technical means to recover lost keys. The associated public wallet address is stored to operate the Service.

10. Children

The Service is not directed to anyone under 18 and we do not knowingly collect data from minors.

11. Changes

We may amend this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice.

12. Contact

Data Protection Officer
Codego Group
[email protected]