1. INTRODUCTION

1.1 This Privacy Notice explains how Digital Capital Ltd (“Digital Capital”, “we”, “us”, “our”) collects, uses, shares, stores and otherwise processes personal data in connection with our electronic money, payment, account, card and related services.

1.2 Digital Capital Ltd is incorporated in England and Wales under company number 10222334 and has its registered office at 3rd Floor, 86–90 Paul Street, London, EC2A 4NE, United Kingdom.

1.3 Digital Capital Ltd is authorised by the Financial Conduct Authority as an Electronic Money Institution under Firm Reference Number 900710.

1.4 This Privacy Notice applies where we process personal data in connection with:

• our website

• onboarding and account opening

• provision of payment and electronic money services

• card services

• fraud prevention, risk management and compliance activities

• communications with customers and prospective customers

• relationships involving third-party platform partners through which our services may be accessed

1.5 We are committed to processing personal data fairly, lawfully, transparently and securely, and in accordance with applicable data protection laws, including the UK GDPR, the Data Protection Act 2018, and, where relevant, the EU GDPR.

2. WHO THIS PRIVACY NOTICE APPLIES TO

2.1 This Privacy Notice applies to the following categories of individuals:

• personal customers

• prospective personal customers

• directors, officers, shareholders, beneficial owners and employees of business customers

• authorised users and administrators on business accounts

• cardholders

• payers and payees

• individuals who contact us for support or complaints

• visitors to our website

• individuals whose data we receive from Partners, banks, payment systems, merchants, fraud prevention providers, identity verification providers, regulators or public sources

2.2 This Privacy Notice also applies where we process personal data about individuals associated with a business customer, including:

• directors

• beneficial owners

• authorised signatories

• controllers and representatives

• employees or users given access to the account or services

3. OUR ROLE IN RELATION TO YOUR PERSONAL DATA

3.1 In most cases relating to the provision of regulated services, Digital Capital acts as a data controller. This means that we determine the purposes and means of processing your personal data.

3.2 In some circumstances, third-party Partners may collect information through their interface before or during onboarding. In those circumstances:

• the Partner may act as a separate controller for its own purposes

• the Partner may act as a processor acting on our behalf

• the Partner may act as both, depending on the data flow and legal context

3.3 Where you access our regulated services through a Partner, Digital Capital remains the regulated provider of the account and payment services. That means we will ordinarily act as controller for the personal data we process for:

• onboarding

• account operation

• payments

• safeguarding-related operational administration

• fraud prevention

• AML/CTF compliance

• sanctions screening

• regulatory reporting

3.4 Where a Partner has its own customer relationship, website, platform, analytics, commercial communications or user environment, the Partner may separately determine how it processes data for those purposes. In those cases, the Partner’s own privacy notice will also apply.

3.5 If you are unsure whether Digital Capital or a Partner controls a particular processing activity, you may contact us using the details set out in this Privacy Notice.

4. SPECIAL CHARACTERISTICS OF OUR BUSINESS MODEL

4.1 Digital Capital operates a regulated electronic money and payment services model in which:

• Digital Capital provides the regulated service

• customer onboarding and account servicing occur through systems controlled by or on behalf of Digital Capital

• Partners may provide an interface or customer acquisition channel

• Partners may have limited visibility or reporting access within controlled parameters

• Partners do not provide the regulated service merely because their interface is used

4.2 Because of this model, personal data may move through more than one operational layer, including:

• the customer-facing interface layer

• account and onboarding systems

• identity verification and compliance tooling

• transaction monitoring systems

• payment rails and settlement infrastructure

• support, complaints and dispute handling systems

4.3 We design our privacy controls to reflect the sensitivity of regulated financial data and the fact that the same person’s data may be relevant across onboarding, ongoing service provision, fraud prevention, sanctions screening, risk management, customer support and legal compliance.

5. TYPES OF PERSONAL DATA WE COLLECT

5.1 We collect and process different categories of personal data depending on the product, customer type, transaction profile, legal requirements and risk profile.

5.2 The categories of personal data we may process include the following.

5.2.1 Identity Data

Identity Data may include:

• full name

• previous names

• date of birth

• place of birth

• nationality

• gender, where required or provided

• government-issued identification numbers

• passport details

• driving licence details

• national ID card details

• tax identification numbers, where relevant

• company registration-linked identity details for business-associated individuals

5.2.2 Contact Data

Contact Data may include:

• residential address

• correspondence address

• business address

• email address

• telephone number

5.2.3 Account and Relationship Data

Account and Relationship Data may include:

• customer ID

• account number or wallet identifier

• onboarding status

• customer type

• account permissions

• authorised user status

• role within a business account

• account preferences

• service selections

• linked product information

5.2.4 Financial Data

Financial Data may include:

• account balances

• payment details

• payer and payee details

• IBANs and sort code/account numbers where relevant

• transaction history

• merchant data

• settlement-related information

• fee data

• card usage data

• reimbursement and chargeback-related data

• information relating to the source and destination of funds

5.2.5 Verification and Due Diligence Data

Verification and Due Diligence Data may include:

• copies of identification documents

• selfies or liveness checks

• biometric verification outputs, where applicable

• proof of address

• business incorporation documents

• constitutional and ownership documents

• beneficial ownership information

• source of funds information

• source of wealth information

• employment and occupation data where relevant to AML risk assessment

• politically exposed person (PEP) screening results

• sanctions screening results

• adverse media screening results

• fraud flags and verification results

5.2.6 Transaction and Behavioural Data

Transaction and Behavioural Data may include:

• date, time, amount and currency of transactions

• payment initiation details

• device or session-linked transaction indicators

• transaction counterparties

• payment purpose information

• recurring transaction behaviour

• payment frequency and pattern information

• unusual activity indicators

• behaviour used to assess fraud or compliance risk

5.2.7 Technical and Device Data

Technical and Device Data may include:

• IP address

• device identifiers

• browser type

• operating system

• language settings

• mobile device data

• app usage data

• login timestamps

• session information

• security event logs

• authentication event data

5.2.8 Communications Data

Communications Data may include:

• customer support messages

• email correspondence

• complaint submissions

• dispute-related messages

• call recordings, where applicable and lawfully used

• internal notes created in connection with servicing, compliance or disputes

5.2.9 Website and Interaction Data

Website and Interaction Data may include:

• pages visited

• time spent on pages

• referral sources

• cookie-related information

• engagement with forms or site tools

• interaction with banners, disclosures and notices

5.2.10 Risk and Compliance Data

Risk and Compliance Data may include:

• internal risk scores

• transaction monitoring outputs

• fraud model outputs

• watchlist screening results

• compliance review notes

• restrictions or holds applied to an account

• suspicious activity escalations

• case management information

5.2.11 Corporate and Business Relationship Data

Where services are provided to a business customer, we may process:

• company name

• incorporation number

• registered office

• trading address

• ownership structure

• information about controllers, beneficial owners and management

• business activity and sector information

• website and commercial profile information

• payment activity profile

• partner or referral relationship identifiers

6. SPECIAL CATEGORY DATA AND SENSITIVE PROCESSING

6.1 We do not seek to process special category personal data unless this is necessary and lawful.

6.2 In limited cases, we may process special category data or data of a sensitive nature where:

• this is required for identity verification

• it is necessary to establish, exercise or defend legal claims

• it is necessary for substantial public interest reasons, including anti-money laundering or fraud prevention compliance where permitted by law

• it is provided by you in communications or complaints

• it is incidentally contained in supporting documentation

6.3 Biometric verification technologies may be used by identity verification providers where applicable. In such circumstances, biometric outputs may be processed by us or by providers acting on our behalf, subject to applicable legal safeguards.

6.4 We will not use sensitive data for unrelated marketing purposes.

7. CHILDREN’S DATA

7.1 Our regulated services are not intended for children unless expressly made available as part of a lawful and clearly described product offering.

7.2 If we become aware that we have collected personal data from a child unlawfully or without the required basis, we will take appropriate steps to delete or otherwise remediate that data.

8. HOW WE COLLECT PERSONAL DATA

8.1 We collect personal data directly from you when you:

• apply for an account

• complete onboarding

• submit documents

• use our payment services

• use a card

• contact us

• submit a complaint or dispute

• use our website or app

• respond to compliance enquiries

8.2 We may collect personal data indirectly through Partners where:

• a Partner provides the interface through which you access our service

• a Partner collects preliminary onboarding information

• a Partner transmits data needed for customer setup, servicing or support

• the Partner provides customer relationship or referral information relevant to the service

8.3 We may receive personal data from service providers and infrastructure providers, including:

• identity verification providers

• sanctions and PEP screening providers

• fraud prevention providers

• transaction monitoring providers

• customer communication and ticketing providers

• payment schemes

• card processors

• banking and safeguarding partners

• payment rail participants

8.4 We may receive personal data from publicly available or official sources, including:

• corporate registries

• sanctions lists

• court and insolvency records

• regulatory records

• adverse media sources

• public company websites and databases

8.5 We may also generate personal data ourselves through our operation of the services, including:

• internal account identifiers

• transaction and risk history

• fraud or compliance scores

• audit logs

• service usage records

• internal case notes

9. WHERE YOU PROVIDE DATA ABOUT OTHER PEOPLE

9.1 If you provide personal data about another individual, including an authorised user, beneficial owner, director, employee, payee or representative, you must ensure that:

• you are authorised to provide that data

• the data is accurate

• you have informed that person, where required, that their data may be provided to us and processed in accordance with this Privacy Notice

9.2 We may request evidence of authority where appropriate.

10. DATA QUALITY AND ACCURACY

10.1 We take reasonable steps to ensure that the personal data we process is accurate, complete and up to date.

10.2 Because our services are regulated and may involve fraud prevention and financial crime controls, it is important that the information you provide is accurate and promptly updated if it changes.

10.3 If we believe that data is inaccurate, incomplete or inconsistent, we may:

• request updated information

• restrict account functionality

• delay transactions

• apply further review or due diligence measures

11. PURPOSE LIMITATION AND DATA MINIMISATION

11.1 We seek to collect and process only the personal data that is reasonably necessary for the relevant purpose.

11.2 However, because we operate in a regulated financial services context, the data reasonably necessary for a particular purpose may be broader than in a non-regulated business, particularly where compliance, fraud prevention, sanctions, safeguarding administration, dispute handling or legal obligations are involved.

11.3 Where possible, we apply access controls, role restrictions and retention rules so that personal data is used only by those who need it for the relevant operational, legal or compliance purpose.

12. CONTACT

12.1 If you have questions about this Privacy Notice or how we process your personal data, you can contact us at:

Digital Capital Ltd

Email: info@digi-capital.co.uk

12.2 If a separate privacy or data protection contact channel is introduced, we may publish updated contact details in an updated version of this Privacy Notice.

PART 2 — PURPOSES OF PROCESSING AND LEGAL BASIS

13. PURPOSES OF PROCESSING

13.1 We process personal data for a range of purposes connected to the provision of regulated financial services, including operational, legal, risk management and compliance purposes.

13.2 These purposes are described in detail below.

14. SERVICE PROVISION AND ACCOUNT MANAGEMENT

14.1 We process personal data to:

• open and manage accounts

• verify identity and eligibility

• provide access to payment services

• process transactions

• manage account permissions and authorised users

• maintain transaction records

• provide customer support

14.2 This processing is necessary for the performance of a contract.

15. PAYMENT PROCESSING

15.1 We process personal data to:

• initiate, route and execute payments

• communicate with payment schemes and financial institutions

• validate payment instructions

• provide transaction confirmations

• investigate failed or delayed payments

15.2 This processing is necessary for the performance of a contract.

16. AML AND FINANCIAL CRIME COMPLIANCE

16.1 We process personal data to comply with legal obligations relating to:

• anti-money laundering (AML)

• counter-terrorist financing (CTF)

• sanctions screening

• fraud prevention

16.2 This may include:

• identity verification

• enhanced due diligence

• transaction monitoring

• screening against sanctions and PEP lists

• adverse media screening

16.3 This processing is necessary to comply with legal obligations and, where applicable, for reasons of substantial public interest.

17. FRAUD PREVENTION AND RISK MANAGEMENT

17.1 We process personal data to:

• detect and prevent fraud

• assess transaction risk

• identify suspicious behaviour

• protect customers and the financial system

17.2 This may include:

• analysing transaction patterns

• behavioural analysis

• device and session monitoring

• fraud scoring

17.3 This processing is based on our legitimate interests in preventing fraud and protecting our services, as well as legal obligations where applicable.

18. REGULATORY REPORTING AND LEGAL OBLIGATIONS

18.1 We process personal data to:

• comply with regulatory reporting obligations

• respond to requests from regulators or authorities

• maintain required records

• support audits and investigations

18.2 This processing is necessary to comply with legal obligations.

19. COMMUNICATIONS

19.1 We process personal data to:

• communicate with you regarding your account

• provide service updates

• respond to enquiries

• handle complaints and disputes

19.2 This processing is necessary for the performance of a contract and, in some cases, for our legitimate interests.

20. SERVICE IMPROVEMENT AND ANALYTICS

20.1 We process personal data to:

• analyse usage of our services

• improve functionality and performance

• identify operational issues

20.2 Where this involves personal data, it is based on legitimate interests, and in some cases consent (e.g. where cookies are involved).

21. LEGAL CLAIMS AND DISPUTES

21.1 We process personal data to:

• establish, exercise or defend legal claims

• investigate disputes

• enforce contractual rights

21.2 This processing is based on our legitimate interests and, where applicable, legal obligations.