Privacy Policy

1. About this Policy

Bitgateway Technology Ltd (“Bitgateway”, “we”, “us”) is the data controller for personal data we process in the operation of our website (Bitgatewaytech.com) and our products and services. We provide stablecoin and Bitcoin-based cross-border payment infrastructure to merchants, businesses, and financial institutions.

This Policy is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The EU GDPR also applies where we process the personal data of individuals located in the EEA.

Contact details

  • Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
  • Company number: 16453007
  • ICO registration: 00014189775
  • General enquiries: contact@bitgatewaytech.com
  • Data Protection Officer: dpo@bitgatewaytech.com

2. Who this Policy applies to

This Policy applies to website visitors, merchants and businesses using our services, end-customers whose transactions pass through our systems, counterparties to cross-border payments, individuals at financial institutions licensing our white-label software, investors, suppliers, and job applicants.

White-label SaaS: when a company licenses our software, we act as their data processor. The licensee’s privacy policy governs end-users; our processing is set out in the relevant Data Processing Agreement. This Policy describes our role as controller only.

3. What we collect, why, and on what basis

We collect identification and contact data, and business and beneficial-ownership information. We collect this data directly from you, from your organisation, from public registries (Companies House, FCA, public blockchains), from KYC and screening providers, from counterparties (including under the FATF Travel Rule), and from regulators and law enforcement where they share information with us lawfully.

The table below sets out the purposes for which we process your data, the lawful basis for each, and how long we keep it.

| Purpose | Lawful basis (UK GDPR) | Retention |
| --- | --- | --- |
| Onboarding and identity verification (KYC) | Legal obligation (Art. 6(1)(c)) — MLR 2017; contract (Art. 6(1)(b)) | 5 years from end of relationship |
| Sanctions, PEP, and adverse-media screening | Legal obligation; substantial public interest (Art. 9(2)(g)) | 5 years |
| Processing payments and cross-border settlement | Contract; legal obligation | 6 years |

4. AML, sanctions, and crypto-specific points

Mandatory processing. As a software company providing software as a service, like a fintech, we are required by law to verify customers and beneficial owners, screen against sanctions lists, monitor transactions, and submit Suspicious Activity Reports to the National Crime Agency where required. We are not permitted to inform you that a SAR has been submitted (“tipping off”). You cannot opt out of these activities; if you object, we cannot provide you with services.

Public blockchains. Once a transaction is broadcast to a blockchain, the wallet addresses and transaction details are public and immutable. We treat wallet addresses linked to identified customers as personal data. If you exercise your right to erasure, we can delete your data from our internal systems but cannot remove records from a public blockchain.

Travel Rule. For crypto asset transfers above the applicable threshold (currently £1,000 in the UK), we are legally required to share originator and beneficiary information with counterparty Virtual Asset Service Providers.

Self-custody wallet. Where you use Bitgateway’s integrated self-custody wallet, you control your private keys. We do not hold them and cannot recover them. We do process metadata about your wallet usage (transactions, balances, addresses interacted with).

Blockchain analytics. We use specialist providers to assess risk associated with wallet addresses, which may result in transactions being delayed or refused.

5. Who we share data with

We share personal data with the recipients below, only where there is a lawful basis to do so.

| Recipient category | Purpose |
| --- | --- |
| KYC, identity, and screening providers | Identity verification, sanctions/PEP/adverse-media checks |
| Blockchain analytics providers | Wallet and on-chain risk scoring |
| Banking, BaaS, card, and payment partners | Settlement of fiat legs of transactions |
| Counterparty VASPs | Travel Rule data exchange |
| Cloud hosting, IT, and cybersecurity providers | Operating and securing our platform |
| Auditors, lawyers, accountants | Audit, legal, tax, regulatory advice |
| Regulators, NCA, law enforcement, courts, HMRC, OFSI | Legal obligation, court orders, regulatory reporting |
| Credit reference and fraud prevention agencies | Identity confirmation, fraud prevention |
| Prospective buyers and their advisers | Sale, merger, or restructuring (under confidentiality) |
| White-label licensees | Operation of licensed product (Bitgateway as processor) |

A current list of named sub-processors is available on request from our DPO.

6. International transfers

We are headquartered in the UK and host data primarily in the UK and EEA. Because we operate cross-border payment corridors covering Africa, the Middle East, Europe and the UK, personal data may be transferred to countries that the UK Government has not designated as offering adequate protection.

Where we transfer data outside the UK, we rely on:

  • UK adequacy regulations (currently including the EEA, Switzerland, Japan, Republic of Korea, Israel, and others) where the destination is covered;
  • UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a documented Transfer Risk Assessment, for transfers to non-adequate countries (including African corridors and the United Arab Emirates);
  • Article 49 derogations only where appropriate (e.g. transfers necessary for performance of a contract with you).

You can request a copy of the safeguards applied to a specific transfer, with appropriate redactions, from our DPO.

7. How we protect your data

We apply technical and organisational measures proportionate to the risk: encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent), role-based access control with multi-factor authentication, environment segregation, security monitoring and logging, regular vulnerability scanning and penetration testing, employee background screening, and documented incident-response procedures.

If we suffer a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay where the breach is likely to result in a high risk.

8. Your rights

Under UK GDPR you have the right to: access your data; have it corrected; have it erased (limited where we are required by law to retain it, and not technically possible for data already on a public blockchain); restrict or object to its processing; receive it in portable form; withdraw consent where consent is the basis; not be subject to solely automated decisions with significant effect; and complain to a regulator.

How to exercise rights. Email our DPO at dpo@bitgatewaytech.com. We will respond within one calendar month (extendable by two further months for complex requests). We may need to verify your identity first.

Automated decision-making

We use automated systems for sanctions and PEP screening, transaction monitoring, and fraud detection. Where an automated system produces a legal or similarly significant effect on you, you have the right under Article 22 UK GDPR to obtain human intervention, express your view, and contest the decision. Positive screening matches are reviewed by a compliance officer before any termination decision.

Marketing

We send marketing to existing business clients about similar products and services on the basis of legitimate interests (the PECR soft opt-in), and to other recipients only with prior consent. Every marketing message includes an unsubscribe link. You can also opt out at any time by emailing info@bitgatewaytech.com.

Cookies

We use cookies on our website. Details and preference controls are set out in our separate Cookie Policy. Non-essential cookies are set only with your consent.

Children

Our services are intended for adults (18+) and businesses. We do not knowingly collect personal data from children.

9. Complaints, updates, contact

If you have a concern about our handling of your personal data, contact our DPO first. You also have the right to complain to the Information Commissioner’s Office at ico.org.uk (helpline 0303 123 1113). If you are based in the EEA you may also contact your local Data Protection Authority.

We review this Policy at least annually and update it to reflect changes in our processing, services, or applicable law. Material changes will be notified by email (where we have an active relationship with you) and published on our website at least 30 days before they take effect, except where the law requires sooner. The version number and effective date appear at the top of this Policy.

 
