1) Who We Are & Scope
Conduit Technology, Inc. and its affiliates (collectively, “Conduit,” “we,” “us,” or “our”) provide B2B cross‑border payments, treasury, and fiat‑to‑stablecoin conversion solutions. This Notice explains how we collect, use, disclose, and protect personal data about representatives of our business clients, suppliers, counterparties, website visitors, job applicants, and other business contacts (“you”). It does not apply to data we process strictly on behalf of our clients as a processor/service provider (see Section 5 on processor obligations). If you are a consumer using services provided by our clients, please refer to their privacy notices.
Controller/Responsible Party: Conduit Technology, Inc. (Delaware C‑Corp)
Contact: privacy@conduitpay.com | Conduit Technology, Inc., [postal address]
EU/EEA Representative (Art. 27 GDPR): None; not applicable
UK Representative (UK GDPR Art. 27): None; not applicable
Brazil DPO (Encarregado): Conduit Paga Brasil Ltda
Nigeria DPO (if designated): None; not applicable
Data Protection Officer (if required by law): Mark Graves
Effective date: November 7, 2025
Previous major revision: 13 October 2023
2) Categories of Personal Data We Process
We do not intentionally collect sensitive personal data unless legally required (e.g., identity documents for KYC) or you provide it to us.
3) Sources of Personal Data
4) Purposes of Processing
We process personal data to:
5) Roles: Controller vs. Processor
6) Legal Bases & Regional Disclosures
We comply with applicable data protection laws in the regions below. Where multiple laws apply, we apply the stricter standard.
6.1 European Union / EEA (GDPR)
Legal bases (Art. 6): performance of a contract; legitimate interests (B2B operations, fraud prevention, network security); legal obligation (AML/CFT, sanctions, tax); consent where required (e.g., certain cookies/marketing). We conduct legitimate‑interest assessments and honor data subject rights (Art. 12–22). Cross‑border transfers use adequacy, EU SCCs, and/or other GDPR‑compliant mechanisms. We do not use the EU Data Privacy Framework (DPF) for EU transfers (DPF is EU→US).
Your rights: access, rectification, erasure, restriction, portability, objection (including to direct marketing), and the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
Complaints: You may contact us or your local EU supervisory authority.
6.2 United Kingdom (UK GDPR & PECR)
We apply UK GDPR equivalents. Transfers from the UK rely on the UK International Data Transfer Agreement (IDTA)/Addendum, adequacy (including the UK‑US Data Bridge), or other mechanisms. PECR governs cookies and electronic marketing (see Section 11). DUAA‑related changes to UK GDPR are reflected in our transparency, lawful bases, and complaints handling.
Your rights: UK‑equivalent to EU rights.
6.3 United States (Federal & State)
Financial privacy: As a money services business and financial institution under the GLBA, we provide GLBA notices where required, apply the Safeguards Rule, and restrict sharing of non‑public personal information as required. COPPA does not apply to our B2B services; we do not target children under 13.
State privacy laws: We honor consumer rights and disclosures under comprehensive state privacy laws that may apply to our B2B processing, including (illustrative, non‑exhaustive): CA (CCPA/CPRA), VA, CO, CT, UT, OR, TX, MT, FL (narrow scope), DE, IA, NE, NH, NJ, TN, MN, MD. Rights commonly include access, correction, deletion, portability, and opt‑out of “sale,” “sharing,” targeted advertising, and certain profiling. We recognize applicable universal opt‑out mechanisms where required (e.g., CO).
Automated Decision‑Making (ADMT): We do not make decisions producing legal or similarly significant effects solely by automated means for our clients or their representatives. Where ADMT is used (e.g., fraud scoring), we provide meaningful information and offer applicable opt‑out or human review as required by law (e.g., California ADMT rules once effective).
6.4 Canada (PIPEDA; Québec Law 25; provincial private‑sector laws)
We rely on appropriate consent models under PIPEDA or recognized exceptions (e.g., investigations, fraud prevention). For Québec, we meet Law 25 requirements (privacy governance, PIAs for high‑risk projects, cross‑border transfer assessments, consent for certain disclosures, and data subject rights). Provincial PIPA laws (Alberta/BC) may also apply.
6.5 Brazil (LGPD)
We process under lawful bases including performance of contract, legitimate interests, and legal/regulatory obligations (e.g., AML/CFT). When applicable we appoint an Encarregado (DPO), maintain governance records, and honor LGPD rights. For international transfers, we use adequacy (if available), standard contractual clauses or other mechanisms recognized by the ANPD.
6.6 Mexico (NLFPDPPP)
We comply with Mexico’s Federal Law for the Protection of Personal Data Held by Private Parties (NLFPDPPP) enacted on March 20, 2025, including principles of legality, purpose, proportionality, transparency, data subject rights (access, rectification, cancellation, opposition, portability), privacy notices, and security measures. We manage cross‑border transfers via contractual safeguards and, where applicable, consent. We maintain a contact point for ARCO requests and a complaints channel.
6.7 Colombia
We comply with Law 1581/2012 and decrees/circulars (e.g., registration of databases, privacy notices, data subject rights, and restrictions on international transfers to non‑adequate countries unless exceptions/contractual safeguards apply). We maintain authorization records and enable revocation/opposition.
6.8 Chile
We comply with Law 19,628 (as amended) and related rules. We will update this Notice ahead of the new comprehensive data protection law’s effective date once secondary regulations and enforcement dates are finalized.
6.9 Argentina
We comply with Law 25,326 and recent agency resolutions. Cross‑border transfers require adequacy or appropriate safeguards/consent. We monitor reforms; if a new law is enacted, we will update this Notice.
6.10 Peru
We comply with the updated Personal Data Protection Law, governed by Law No. 29733 and its implementing Regulation approved by Supreme Decree No. 016-2024-JUS, which came into effect on March 30, 2025 (including potential DPO appointment criteria, incident notification, and expanded rights). International transfers rely on consent or contractual safeguards and registry updates where required.
6.11 South Africa (POPIA)
We are an operator or responsible party depending on context. We implement appropriate security and notify the Information Regulator and affected individuals of material security compromises as required. Cross‑border transfers proceed under statutory conditions (e.g., adequate protection, consent, contract performance).
6.12 Nigeria (NDPA 2023 & Regulations)
We implement a privacy policy conforming to NDPR/NDPA, and will designate a DPO where appropriate, file returns where required, and comply with breach reporting, data subject rights, and cross‑border transfer rules (adequacy, SCCs, or other safeguards).
6.13 Côte d’Ivoire
We comply with local data protection and cybersecurity laws, including registration/authorization requirements for certain processing and cross‑border transfers where applicable. We cooperate with ARTCI as required.
6.14 Hong Kong (PDPO)
We follow the six Data Protection Principles (DPPs), provide collection/usage notices, honor access/correction rights, and handle data breaches consistent with PCPD guidance (including voluntary notifications). We do not engage in doxxing and comply with the 2021 anti‑doxxing regime.
6.15 Singapore (PDPA)
We honor PDPA obligations including purpose limitation, notification, consent/legitimate interests exceptions, protection, retention, accuracy, and accountability. We assess breaches promptly and notify PDPC/individuals where thresholds are met (generally within 3 days of determining notifiability). We use the Transfer Limitation Obligation with appropriate contractual clauses for cross‑border transfers.
6.16 Ghana (Data Protection Act, 2012)
Where the Act applies, we register with the Data Protection Commission as a data controller/processor, implement security measures, and honor data subject rights (access, rectification, erasure, objection). International transfers are carried out with appropriate safeguards.
6.17 United Arab Emirates (Federal PDPL; Free Zones)
7) Sharing of Personal Data
We share personal data with:
We do not sell or share personal data for cross‑context behavioral advertising/targeted advertising.
8) International Transfers
We use recognized transfer tools (e.g., EU SCCs/UK IDTA, LGPD transfer mechanisms, contractual clauses under PDPA/PDPL/NDPA/POPIA) and perform transfer risk assessments where required. We disclose key third‑country recipients upon request where permitted.
9) Data Retention
We keep personal data only as long as necessary for the purposes in this Notice, our contracts, and to meet legal, regulatory, tax, accounting, audit, and AML/CFT obligations. We apply jurisdiction‑specific minimum retention rules (e.g., AML records) and securely dispose of data at end‑of‑life.
10) Security
We maintain an information security program proportionate to our risk and legal obligations (administrative, technical, and physical controls; encryption in transit/at rest where appropriate; access controls; vulnerability management; security training; incident response). We assess vendors for security and privacy before onboarding and periodically thereafter.
11) Cookies & Similar Technologies
We use cookies and similar technologies for site functionality, analytics, and (limited) B2B marketing. In jurisdictions requiring consent (e.g., EU/UK), we obtain consent and provide granular controls. In US states recognizing universal opt‑out signals, we honor those signals where applicable. See our Cookie Notice for details.
12) Automated Decision‑Making & Profiling
We do not make decisions solely by automated means that produce legal or similarly significant effects. Where we use automated tools (e.g., fraud scoring), human review is available, and you may opt out or request an explanation where required by local law. See Section 6 (United States) regarding California ADMT rules once effective.
13) Your Rights & How to Exercise Them
Depending on your location, you may have rights to: access, correction/rectification, deletion/erasure, restriction, portability, objection/opt‑out (including to direct marketing, targeted advertising, sale/sharing, and certain profiling), and to withdraw consent.
To exercise rights: email privacy@conduitpay.com with your name, employer, relationship to Conduit, and the right you wish to exercise. We may request additional information to verify your identity/authority. You may also appoint an authorized agent where permitted.
Appeals: If we deny your request, you may appeal by replying to our decision email with “APPEAL” in the subject line. You may also lodge a complaint with your local authority.
14) Children’s Data
Our services are B2B and are not directed to children. We do not knowingly collect personal data from children under applicable age thresholds. If you believe a child has provided us personal data, contact us to request deletion.
15) Changes to This Notice
We may update this Notice from time to time. Material changes will be announced on this page with a new effective date. We encourage you to review this Notice periodically.
16) Jurisdiction‑Specific Contacts (Regulatory)
Version History