Date of last revision: 30th of March, 2026
PRIVACY POLICY
BEFORE OPENING AN ACCOUNT WITH US, WE ADVISE YOU TO CAREFULLY READ THIS PRIVACY POLICY AND, IN CASE YOU HAVE ANY QUESTIONS, CONTACT THE DATA PROTECTION OFFICER MENTIONED HEREIN.
1. About Valyuz
1.1. Valyuz, UAB, a private limited liability company, established and operating under Lithuanian law, legal entity code 304782929, Correspondence address: Saltoniskiu Str. 2, Vilnius, Lithuania; Registered office address: Gedimino ave. 44A-201, Vilnius, Lithuania, is an electronic money institution which is considered as Data Controller for the purposes of this Privacy Policy.
2. Definitions
2.1. The following definitions, when used in this Privacy Policy, have the following meanings:
2.2. Account or Valyuz Account has the meaning of the account created by Valyuz to the Client;
2.3. Client has the meaning of an individual or legal entity holding Valyuz Account;
2.4. Mobile APP has the meaning of Valyuz mobile application used for provision of Services;
2.5. Privacy Policy has the meaning of this privacy policy;
2.6. Personal data has the meaning of information that can be used to directly or indirectly identify you.
2.7. Services has the meaning of the services provided by VALYUZ to its Clients;
2.8. Valyuz has the meaning prescribed in Art. 1.1 of this Privacy Policy;
2.9. Website or Valyuz Website has the meaning of the website available at https://www.valyuz.com/;
2.10. We has the meaning of Valyuz;
2.11. You has the meaning of the person whose Personal data is processed by Valyuz;
2.12. Valyuz partners has the meaning of third-party companies that take part in serving Valyuz Clients based on relevant contracts between the parties.
3. Scope of Privacy Policy
3.1. This Privacy Policy describes how Valyuz collects, uses, stores, shares and protects your Personal Data whenever you use Services through the Website or Valyuz Mobile APP (Apple iTunes, Google Play) or by corresponding with us (for example by email or via the internal messaging functions on the Mobile APP and/or the Website).
3.2. We assume that You have carefully read this document and accepted it. If you do not agree with this Privacy Policy, then You should refrain from using our Services or opening an Account. This Privacy Policy is an integral part of Valyuz’s Terms of Use.
3.3. We may change this Privacy Policy from time to time. We will post any Privacy Policy changes on the Website and Mobile APP and, if you are registered with us, additionally send You an email informing You about the changes made. Continued use of Valyuz’s Website and/or Mobile APP implies your acceptance of the revised Privacy Policy.
4. Personal data we collect
4.1. General
4.1.1. In order to provide You with Valyuz Account and Services thereof, Valyuz collects various types of your Personal Data.
4.1.2. Personal data is collected and used during 3 principal steps: registration, identity verification and the use of Valyuz Account and Services.
4.2. Processing of registration data
4.2.1. In the registration process We collect some important details about You. Such details may include: name, surname, email address, mobile phone number. Submission of the Personal data mentioned herein is mandatory for your registration. Failure to provide any of this data, or a decision to delete or object to processing of any of such data, will result in dismissal of your registration.
4.2.2. If You have not finished your registration and have not deleted all your Personal data submitted in the registration form, We will understand it as your request for us to take steps before entering into a contract, and We will contact You in order to assist You with the registration process for opening the Account.
4.2.3. To finalize your registration, You will have to confirm the email address and/or phone number provided after the respective message is sent to it.
4.2.4. After providing Personal data for registration You can continue with the application for opening the Account. For this purpose We need to request more information in order to meet legal and regulatory obligations. Therefore, when proceeding with the Account opening, You should provide us with your additional Personal data, which may include data such as: Residential address, Correspondence address for delivery of Debit card (if different from residential address), ID document number (national identification card/ Passport number), Passport expiry date, Passport nationality, Occupation, Employment status and details of employment, Reason for opening the account, Source of funds, copy of identification document (ID, Passport, utility bill), personal description and photograph and any other information You provide us in order to prove your eligibility to use our Services. Submission of the Personal data mentioned herein is mandatory for the Account to be created and opened. Failure to provide the mentioned Personal data will lead to dismissal of the application for Account opening.
4.2.5. In order to open the Account We need to know what the expected activities on it are. Therefore, during the process of opening your Valyuz Account, You must determine and indicate such activities and provide details of them. Such information is collected and processed in order to comply with legal and regulatory obligations. Sometimes We need to request more information to identify You or to meet legal and regulatory obligations. When that is necessary, You will be prompted to provide such information.
4.2.6. If You contact us, We will keep a record of that correspondence.
4.2.7. Personal data collected by Valyuz in the Registration step is used for the following purposes:
4.2.7.1. Account opening;
4.2.7.2. Client identification;
4.2.7.3. Client risk assessment mandatory under the applicable laws;
4.2.7.4. Provide Clients with support, letting them know about upcoming changes or improvements of Website and/or Mobile APP;
4.2.7.5. Provide Clients with information regarding changes of any terms or conditions applicable to them or Services they use as well as other important information;
4.2.7.6. Provide and/or exchange Clients’ personal data with Valyuz partners that provide the services requested by Clients in accordance with the Client’s consent.
4.2.8. Valyuz processes Client’s registration data on the legal basis of:
4.2.8.1. Your consent, expressed when voluntarily submitting and filling your Personal Data details in our registration form which are not mandatory to fill in; and
4.2.8.2. Conclusion and performance of contractual arrangements and obligations between Valyuz and/or Valyuz partners and the Client; Compliance with legal and regulatory obligations to which Valyuz is subject. You may at any time edit, update or delete Your contact details by contacting our service centre through the internal messaging system in Your Account. Please note that You will be able to request deletion of Your contact details and other registration data only if there is no legal obligation for Valyuz to preserve such data by the applicable laws.
4.3. Processing of Client verification data
4.3.1. In order for the Account to be created you must verify your identity. We verify you by the Personal data you provide during registration. However such Personal data must be confirmed, therefore in addition, for verification purposes we also rely on verification services, managed and provided to us by our service providers.
4.3.2. While exercising this verification step, you will be requested to upload your ID document and proof of address. You will undergo facial verification. For the mentioned purposes we receive and rely on a certain confirmation from our service providers that your identity is verified. Please note that under the applicable laws Valyuz is obligated to collect and store all data received during the Client identification and verification process; therefore scanned copies of ID documents, proof of address, data related to facial recognition and other information will be stored by Valyuz in accordance with this Privacy Policy and applicable legislation.
4.3.3. Valyuz may request you to provide further information that will allow Valyuz to reasonably identify you and verify your identity. Valyuz reserves the right to contact you and request you to provide more information or confirm that the provided information is up-to-date and valid.
4.3.4. Valyuz processes the above-mentioned Personal data used for Client’s verification (points 4.3.1, 4.3.2 and 4.3.3 of this Privacy Policy) in order to comply with regulatory and legal obligations as well as to ensure that Clients are not attempting to create additional Accounts or to commit fraudulent actions. Refusal to undergo ID and facial verification will terminate your Account opening process.
4.3.5. Processing of your ID document, address proof, facial verification data, uploaded to third-party database as described above, is covered by third parties’ privacy policies. You shall be notified about the exact third party performing your verification process before starting such process. All Personal data you provide for the verification process shall be provided directly by you to our service provider performing your verification and therefore processing of such data shall be covered by the policies of such Service provider. You should carefully review the privacy policies of such Service provider before starting the verification process.
4.4. Processing of data generated while using our Mobile App
4.4.1. To provide a quality user experience for you, we offer the possibility to use our Services through the Mobile App. We do not process any of your Personal data for the purpose of installing the Mobile App. While you are using our Mobile App we collect and process:
4.4.1.1. your login history for security purposes.
4.4.1.2. history and other information of your actions while using Mobile app in order to: (i) ensure the functionality of Mobile App and to provide further updates and improvements, (ii) ensure compliance with legal and regulatory obligations.
4.4.2. Processing of data generated while using Valyuz Account
4.4.2.1. While you are using our Services and Account we are collecting the following information:
4.4.2.1.1. History of transactions (date, information of payer and payee, amount of transaction) is processed in order to: (i) ensure the functionality of Mobile App and to provide further updates and improvements, (ii) ensure compliance with legal and regulatory obligations;
4.4.2.1.2. Internal messaging history on Account, including, but not limited to, claims and complaints made by you is processed in order to ensure due performance of obligations regarding provision of Services. Please note that you should limit personal information and details provided during internal messaging to the extent necessary for Service provision or asked by us;
4.4.2.1.3. Your behavior while using Account (your clicks, visited sections) is processed in order to ensure the improvements of functionality of Website;
4.4.2.1.4. Your payment card information (date of issue and expiry date) is processed in order to provide you Services;
4.4.2.1.5. Message content: if you include a message with your payments, the content of that message is stored by Valyuz;
4.4.2.1.6. Cookies: like most of Websites and mobile applications we use cookies. Please see information on cookies we use in our cookie policy https://valyuz.com/cookies-policy/.
4.4.2.2. Valyuz processes Personal Data collected while using Services and Account on the following legal basis:
4.4.2.2.1. Conclusion and performance of contractual arrangements and obligations between Valyuz and you; and
4.4.2.2.2. Pursuance of legitimate interests of Valyuz, as controller and manager of Webpage and Mobile app;
4.4.2.2.3. for compliance with a legal obligation to which Valyuz is subject.
4.4.2.3. Personal data of other individuals. By providing personal data of any individual other than yourself to us during the use of our Services, you confirm that you have obtained consent from such individual to disclose their personal data for collection and use. By providing such Personal data to us you bear all the responsibility towards such individual if you have not received proper consents for such provision and you undertake to indemnify us for any liability which may appear due to unlawful provision and/or disclosure of personal data made by you.
5. Other purposes for use of Personal Data
5.1. Developing the Website and Mobile App
5.1.1. We use Personal data to conduct research and development of our Website, Mobile App and Services in order to provide you and others with a better, more intuitive and personalized experience, and to drive membership growth.
5.2. Client support
5.2.1. We use Personal data to keep in touch with you in order to provide you with customer service, notify you of news and updates, and provide you with security notices or information.
5.3. Security and investigations
5.3.1. We use Personal data for security, fraud prevention and investigations. We use your Personal data (including your communications) if we think it’s necessary for security purposes, to investigate possible fraud or other violations of our Terms of Services or this Privacy Policy, or to implement regulatory and legal obligations.
5.4. Providing information on similar products and services
5.4.1. We use Personal data to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about.
5.5. Third Party Information
5.5.1. We will combine Personal data with information we have collected about you and we will use this information to help us better understand your financial circumstances and behaviour so that we may make decisions about how we manage your Account and about whether to approve an application for Account opening.
5.6. Providing information to Valyuz partners
5.6.1. We may provide to and/or exchange the Personal data we have collected about You with our partners that intend to provide or already provide the services to You based on Your request.
6. Use of the Mobile APP
6.1. Mobile APP Installation and Eligibility. Mobile APP provides Clients with a convenient way to access their Valyuz Account and Services on iOS or Android devices. The Mobile APP is available via the Apple Store and Google Play, and it requires an active internet connection to function (no offline mode is supported). Please note that You must already have a Valyuz Account to use the Mobile APP; the Mobile APP does not itself offer new Account registration or onboarding (these processes are conducted via our Website or other channels). Likewise, the Mobile APP currently does not support in-Mobile APP identity verification (e.g., uploading identity documents or completing KYC checks). The Mobile APP is intended for use only by individuals who meet our eligibility criteria (for example, You must be at least 18 years old to be a Valyuz Client). We do not knowingly allow persons under the age of 18 to use the Mobile APP or any Valyuz services, and We do not intentionally collect Personal data from anyone under 18. If You do not meet this minimum age requirement, You should not install or use the Mobile APP, and We will not intentionally process your data in the Mobile APP.
6.2. Data Collected through the Mobile APP. For installing the Mobile APP from official Mobile APP stores, Valyuz does not require or process any of your personal information (though your Mobile APP store provider may collect certain data under its own policies). However, once You begin using the Mobile APP, We will collect and process certain Personal data related to your usage in order to provide the Service and ensure its security and functionality. This includes the following categories of data:
6.2.1. Account Login and Authentication Data. When You log into the Mobile APP, We process your authentication credentials – such as your email address and password – along with any required two-factor authentication codes (sent via email or SMS, or generated through our Canopus OTP Mobile application) to verify your identity and grant You access. Each time You log in, We record the date, time, and outcome of the login attempt (success or failure) as part of your login history, which We use for security monitoring and fraud prevention. For security purposes, the Mobile APP also requires You to set up a personal login PIN code; this PIN is stored locally in an encrypted form and is used to quickly re-authenticate You after short periods of inactivity. The Mobile APP additionally supports optional biometric authentication (e.g. fingerprint or facial recognition) to expedite login. Use of biometrics is entirely at your discretion and requires your explicit consent – if You choose to enable biometric login, the Mobile APP will interface with your device’s built-in secure authentication (for example, Apple Face ID or Android fingerprint scanner). Valyuz does not receive or collect any of your biometric identifiers; the verification is done on your device, and We only receive confirmation from the device’s operating system that the biometric check was successful. Enabling or disabling biometric access will not affect your ability to use the Mobile APP; it is provided solely for your convenience and remains under your control. We also enforce automatic session timeouts: if the Mobile APP detects inactivity for a certain duration (e.g., 15 minutes) it will lock and require You to re-enter your PIN or login credentials to continue, as a safeguard against unauthorized access.
6.2.2. Mobile APP Usage and Activity Information. While You use the Mobile APP, We collect limited information about your activities within the Mobile APP. This includes maintaining a login history and general usage metrics, such as how frequently You access the Mobile APP and session durations. We do not record granular details of every user action (for instance, We do not actively track each button tap or employ screen recording or heatmaps on the Mobile APP). However, We do register certain key actions and events necessary for providing the service and for security/compliance – for example, events like viewing your Account balance, initiating a payment or transfer, changing settings, or logging out may be logged by our system. We collect history of actions You take in the Mobile APP insofar as it is needed (i) to ensure the Mobile APP functions properly and to provide updates/improvements, and (ii) to ensure compliance with our legal and regulatory obligations. In practice, this means We might log which major sections of the Mobile APP You visit or if You perform important transactions, so that We have an audit trail and can troubleshoot issues or investigate unusual activities if necessary. If the Mobile APP offers an internal messaging feature (for example, allowing You to send inquiries or support messages from within your Account), We will collect and store the internal messaging content and history associated with your Account. This includes any messages You send to us through the Mobile APP (such as support requests, feedback, or complaint communications) and our responses. Please refrain from including excessive Personal data in messages; share only what is necessary for your request, as these communications will be accessible to our support team. 
Additionally, if You include any notes or descriptions with your transactions through the Mobile APP (e.g., a payment reference or message to a payee), that information will be stored as part of the transaction record.
6.2.3. Device and Technical Data. The Mobile APP automatically collects basic technical information about the mobile device and environment You use, which helps us ensure compatibility and optimize our services for our user base. This device and Mobile APP information may include: your device’s model and manufacturer, the operating system (OS) type and version, the Mobile APP version You are running, device hardware identifiers (such as model numbers), screen resolution, and default language/locale and time zone settings of your device. We also collect network and routing data such as your device’s IP (Internet Protocol) address, which can give us a general indication of your geographic region or country at time of Mobile APP access. This technical data is collected largely through integrated analytics tools (for example, Google Firebase Analytics) and via our servers when You connect. We use this information to monitor the Mobile APP’s performance (e.g., to see what devices or OS versions We need to support), to detect and fix technical issues, and to tailor the service to our users’ technical needs. Importantly, We do not collect precise geolocation (GPS) data from your mobile device via the Mobile APP. Location services are not accessed or used by the Valyuz Mobile APP, meaning the Mobile APP does not track or know your exact whereabouts. The only location-related data We might have is an approximate location inferred from your IP address (for security and fraud-detection purposes, such as noticing if an Account login comes from a new country), and even that is used in a limited manner consistent with our legal obligations.
6.2.4. Device Identifiers and Notifications. When You install and use the Mobile APP, it will generate a unique internal identifier for your device which We use to manage your session and to enable push notifications. For example, if You opt to receive push notifications, the Mobile APP registers your device for that service and obtains a device token (a random string of characters issued by the Apple or Google push notification system). This device token, which serves as a device identifier for notifications, is stored in our system and associated with your Account so that We can route authorized notifications to your specific device. We treat this token as Personal data because it can indirectly identify You (when tied to your Account). Push notifications themselves are opt-in – the Mobile APP will ask your permission to send notifications, and no push alerts will be sent unless You have allowed them. If You do grant permission, the Mobile APP may use push notifications to deliver important Account-related or transactional messages to You (for instance, alerts about a successful payment, a login from a new device, or other security notices). We do not use push notifications for advertising purposes, and in general the notifications You receive will be of a transactional or service nature (not marketing). You have control over push notifications: You may disable or adjust notification preferences anytime via your device’s settings (and if in the future the Mobile APP provides in-Mobile APP notification settings, You could use that as well). If You choose not to enable push notifications or if You turn them off later, You will still receive any essential communications via email or when You log into your Account through other means.
6.2.5. Cookies and Similar Technologies. Like most Websites and Mobile applications, our Mobile APP uses cookies or analogous tracking technologies to enhance your user experience and to collect analytics data. In a Mobile APP context, “cookies” might include small data files or tokens stored on your device, or settings and preferences saved within the Mobile APP. For example, the Mobile APP may store a secure session token or remember your language preference so You don’t have to re-enter it each time. We also utilize third-party analytics SDKs (such as Firebase Analytics) which set their own identifiers to measure usage of the Mobile APP (for instance, Firebase assigns an instance ID to each Mobile APP installation for analytics purposes). These technologies are used only to support the functionality of the Mobile APP and to gather aggregated usage information; they do not intrusively track You across other Mobile APPs or Websites. For more information about our use of cookies and related technologies, please refer to our Cookie Policy (available on our Website), which applies similarly to the Mobile APP’s use of such technologies.
For a structured overview of the types of Personal data processed through the Mobile APP, their purposes, legal bases and retention periods, please see Annex 1 – Mobile APP Data Processing Table at the end of this Section.
6.3. Legal Bases for Mobile APP Data Processing. In accordance with data protection law (such as the EU General Data Protection Regulation), Valyuz must have a valid legal basis to process your Personal data. For Personal data collected via the Mobile APP, We rely on the following legal grounds:
6.3.1. Performance of a Contract. We process most Mobile APP data because it is necessary to perform our contract with You – namely, the Terms of Use (and associated agreements) that allow You to use Valyuz services. When You use the Mobile APP, You are availing yourself of the services We have agreed to provide, and We must process Your data in order to fulfill our obligations and provide You with those services. For example, authenticating your login, executing transactions You initiate, displaying Account information, and communicating with You about your Account are all fundamental to the services We provide via the Mobile APP. Without processing your Personal data for these purposes, We would not be able to offer the Mobile APP functionalities as promised. Thus, such processing is based on contractual necessity.
6.3.2. Legitimate Interests. Some data processing related to the Mobile APP is based on the legitimate interests pursued by Valyuz (or sometimes by our Clients). We have a legitimate interest in ensuring the security, stability, and efficiency of our Mobile APP and services. Therefore, We process certain data – like login histories, device information, and usage analytics – to maintain security (protecting against fraud, abuse, and unauthorized access) and to drive improvements in the user experience and functionality of the Mobile APP. We also have an interest in providing effective customer support (hence retaining in-Mobile APP messages) and in safeguarding our legal rights. When relying on this basis, We always consider your rights and freedoms: We ensure that our data processing is proportionate and does not override your privacy interests. You have the right to object to processing based on our legitimate interests if You have grounds relating to your particular situation. If You object, We will assess whether our legitimate interests in the processing outweigh your privacy rights, and We will abide by legal requirements in responding to such an objection.
6.3.3. Compliance with Legal Obligations. We process certain Mobile APP data because it is necessary for compliance with a legal obligation to which Valyuz is subject. As noted, Valyuz must meet regulatory requirements applicable to financial institutions. Some examples include anti-money laundering laws that require us to verify client activities and retain evidence of financial transactions, cybersecurity regulations that mandate activity logging, or consumer protection laws that require sending certain notifications. In these cases, the law itself is the basis for processing – We will only collect and use the data to the extent We are required to do so by applicable legislation. For instance, if a law requires us to keep records of Account access or transactions for a minimum period, We will do so, and this retention is legally justified (even if You might otherwise request erasure, We may not be able to delete data that We must keep by law).
6.3.4. Consent. In limited situations, We rely on your consent to process Personal data via the Mobile APP. Consent is used when processing is optional and not strictly necessary for the service, such that You have a genuine choice. Within the Mobile APP, the primary instances of consent-based processing are: (i) the use of biometric authentication, and (ii) the sending of push notifications. We will only enable fingerprint/face ID login for your Mobile APP if You actively opt-in (e.g., by clicking “Enable biometrics” and going through your device’s consent prompt); You can withdraw this consent at any time by disabling the feature in the Mobile APP or your device settings. Similarly, push notifications are only sent if You allow them, and You can revoke that permission whenever You wish. In these cases, consent is the appropriate legal basis because these features are not strictly necessary for providing the core service – they are provided for your convenience or enhanced security. If We ever seek to collect analytics or tracking data in the Mobile APP beyond what is necessary for our legitimate interests, We would ask for your consent (for example, if in the future We implement optional marketing analytics or personalized offers via the Mobile APP, it would be consent-based). Note: if You choose not to give consent (or withdraw consent) for an optional feature, We will simply not process the data related to that feature – You can continue using the Mobile APP normally otherwise. Withdrawal of consent will not affect the lawfulness of any data processing that happened while consent was in effect.
6.4. Data Sharing and Third-Party Involvement. Valyuz treats your Personal data with care and confidentiality. In general, We do not disclose information about your Mobile APP usage to third parties except as necessary to provide our services, fulfill the purposes described above, or as required by law. Any sharing of data is done under strict conditions and safeguards. The main categories of third parties who may process data related to the Mobile APP are:
6.4.1. Service and Infrastructure Providers. The Mobile APP is a gateway to Valyuz’s core banking platform and services. This means that when You perform actions in the Mobile APP (like making a transaction or viewing your Account), the relevant data is routed through our backend systems and sometimes through integrated third-party systems that help us deliver the service. For example, Centrolink (our payment processing partner) and other technical infrastructure providers will process your transaction instructions and Account information as needed to execute payments or update your Account balance. Similarly, if the Mobile APP connects to any cloud-based API or service run by a supplier (for instance, for currency exchange rates or identity verification), those interactions may involve your Personal data. All such providers act as data processors on Valyuz’s behalf. We ensure that they are bound by data protection agreements, meaning they can only use your data to provide services to us and not for their own purposes. We also select reputable providers that employ strong security measures. These third parties will only get the information necessary for their task – for example, our card processing partner sees the data needed to issue or manage your payment card, and our cloud host stores the data securely but does not actively use it.
6.4.2. Analytics and Crash Monitoring Tools. As mentioned, We use third-party analytics frameworks (notably Google Firebase Analytics) within the Mobile APP. These tools collect technical and usage information (device details, Mobile APP events, etc.) and transmit them to the third-party’s servers for aggregation and analysis. In the case of Firebase, the data may be processed by Google’s infrastructure, which can involve servers located outside of the European Economic Area. We have taken steps to ensure that any such transfers are lawful and protected – for instance, Google is bound by Standard Contractual Clauses and other safeguards when handling European user data. The analytics data helps us understand Mobile APP performance and user behavior in general terms (e.g., number of active users, which features are most popular, crash reports). We do not use any advertising identifiers in the Mobile APP, and We have configured our analytics to not collect personally identifiable information like your name or Account number. The data is primarily statistical. Additionally, the Mobile APP may use integrated crash reporting or error tracking services (for example, Firebase Crashlytics or similar), which automatically send us diagnostic reports if the Mobile APP crashes or encounters a serious error on your device. These reports help us fix bugs and improve stability; they typically include technical data like device model, OS version, and a code trace of what went wrong at the time of the crash, but do not include sensitive personal content. By using the Mobile APP, You understand that such analytics and crash data will be shared with our appointed analytics providers. If You do not wish to share even this limited data, your option would be to disable analytics at the device level (where possible) or refrain from using the Mobile APP, as the Mobile APP does not currently offer an in-Mobile APP opt-out for these basic analytics functions.
6.4.3. Push Notification Services. If You have allowed push notifications on the Mobile APP, We will utilize the notification delivery systems operated by Apple (for iOS devices) or Google (for Android devices) to send those notifications to You. This works by us sending the message (with your device’s push token) to Apple’s or Google’s push service, which then delivers it to your device. The content of notifications will typically include brief information such as “Transaction of EUR X completed” or “New login to your Account,” etc., but We try not to include highly sensitive personal details in push messages for your privacy and security. Apple and Google will process the push message and device token to the extent necessary to deliver it; these companies operate as independent data controllers for delivering push messages. The device token by itself is an encrypted string that does not reveal your identity to Apple/Google, and they cannot read the content of notifications if it’s end-to-end encrypted. We encourage You to review Apple’s and Google’s privacy policies regarding push notifications if You have concerns. In summary, to send You a notification, We share only the necessary data (your device token and the message payload) with the push service. This is done securely, and the third-party push services are trusted, large-scale providers. If You disable push notifications, your device token is either not collected or will be deregistered from our system, and no further data is sent to the push service on our behalf.
6.4.4. Other Valyuz Partners and Legal Disclosures. In the course of providing services via the Mobile APP, other Valyuz partners or service providers might become involved in processing your data. For example, We use SALV (a compliance and anti-financial crime service) to monitor transactions for suspicious activity – if You initiate a payment through the Mobile APP that triggers an alert, the details of that transaction (and possibly some user info) will be processed through SALV’s system for compliance checking. Likewise, if at any point identity re-verification is required while using the Mobile APP, We might involve our KYC service provider (such as iDenfy), though typically such identity verification steps occur during registration or specific compliance reviews rather than during routine Mobile APP usage. All such partners are listed in our Privacy Policy (see other sections) and they process data under strict agreements. We do not share your Mobile APP data with any third parties except those engaged to fulfill the services (or if required by law enforcement or regulatory authorities, in which case We would only share data under proper authorization). In the event Valyuz needs to transfer Mobile APP-related Personal data outside the EU/EEA (for instance, to an international cloud server or to a partner in another country), We will do so in compliance with Chapter V of the GDPR – meaning We will ensure the country has an adequate data protection ruling by the EU, or We will implement Standard Contractual Clauses or obtain your consent, or rely on another permitted derogation, as appropriate. We remain responsible for the processing of your Personal data by all our partners and service providers, and We continuously monitor compliance with data protection standards.
For clarity, Valyuz does not sell Personal data collected from the Mobile APP to third parties. We also do not share it with third-party advertisers or social media platforms. Any third-party involvement is strictly limited to the categories described above, primarily to deliver core services and maintain the Mobile APP.
6.5. Data Storage and Security in the Mobile APP. We apply high standards of security to protect Personal data processed via the Mobile APP. Valyuz has implemented a range of technical and organizational measures to safeguard your information against unauthorized access, alteration, disclosure, or destruction. Key aspects of our data security approach for the Mobile APP include:
6.5.1. Encrypted Communications. All data transmission between the Mobile APP and our servers is encrypted using industry-standard protocols (such as HTTPS over TLS). This means that any Personal data (for example, your login credentials, or Account information You view in the Mobile APP) is scrambled in transit and cannot be easily intercepted by third parties. You can typically see a lock icon or similar indicator in the Mobile APP or device status bar when data is being securely transmitted. We also enforce server authentication, ensuring that the Mobile APP only communicates with Valyuz’s legitimate servers.
6.5.2. Secure Data Storage. Personal data collected via the Mobile APP is stored on secure servers managed by Valyuz and our trusted hosting providers. We utilize cloud infrastructure that adheres to strong security certifications and standards (for example, ISO 27001). Data at rest in our databases is encrypted and safeguarded by firewalls and strict access controls. Within the Mobile APP on your device, We store only minimal data – primarily to keep You logged in or to remember your preferences – and any such data is stored in secure areas of your device’s storage. For instance, sensitive tokens or keys are stored using the iOS Keychain or Android’s Keystore mechanisms, which are encrypted and sandboxed to that Mobile APP, making it very difficult for other Mobile APPs or attackers to access. We do not store your plaintext password or full Account information on the device. If You use biometric or PIN login, the biometric template or PIN itself is handled by the device’s secure hardware/enclave – our Mobile APP only receives confirmation of a successful match.
6.5.3. Access Control and Authentication. Valyuz restricts access to back-end systems where Mobile APP data is stored. Only authorized personnel with a valid business need can access user data, and even then, they can only see the data necessary for their role (for example, a support agent can see your Account info and messages to assist You, but not sensitive internal logs they don’t require). All staff access to Personal data is logged and monitored. Internally, We enforce strong authentication measures (like multi-factor authentication) for our employees and administrators who manage the Mobile APP infrastructure. Within the Mobile APP, as described, We provide You tools like PIN codes and biometric locks to prevent unauthorized use of your Account on Your device. We strongly encourage You to keep your device itself secure (with a strong password or biometric) to complement our in-Mobile APP protections.
6.5.4. Session Management and Data Retention on Device. The Mobile APP is designed such that no extensive Personal data is permanently stored on your device beyond what is necessary. If You uninstall the Mobile APP, the Mobile APP will no longer have access to your data on that device. There may remain some residual data such as the secure authentication token or settings stored in the device’s secure storage (keychain) even after uninstall, because those are managed by the device operating system. However, that data is inert without the Mobile APP present (and is only accessible again if You reinstall the Mobile APP on the same device using the same credentials). We want to clarify that uninstalling the Mobile APP does not delete your Valyuz Account or any Personal data held on our servers. If You wish to close your Account or have your data deleted, simply removing the Mobile APP from your phone is not sufficient – You would need to follow the Account closure procedure or submit a data deletion request. That said, if You do reinstall the Mobile APP, You will need to log in again as fresh; any old session data remaining on the device (if not automatically purged by the OS) would be tied to the previous installation and is not reused.
6.5.5. Internal Security Policies and Training. Valyuz maintains internal policies that comply with data protection regulations and industry best practices, governing how We handle client data (including that collected via the Mobile APP). All employees and contractors with access to Personal data are trained in these policies and in general IT security practices. We ensure that anyone with such access is bound by confidentiality obligations. Regular training and awareness programs are conducted so that our team understands the importance of protecting Personal data and the specific procedures to follow to keep data safe (for example, how to identify phishing attempts, how to properly handle user data exports, etc.). We limit the use of actual Personal data in testing or development of the Mobile APP – whenever possible, anonymized or dummy data is used in non-production environments.
6.5.6. Monitoring and Incident Response. Our security team monitors the Valyuz systems, including the Mobile APP environment, for potential vulnerabilities or unauthorized access attempts. We employ tools to detect anomalies in how the Mobile APP or related Accounts are being used (for example, multiple failed login attempts could trigger alerts, as could unexpected patterns of data access). If any security incident or data breach is suspected or detected, We have an incident response plan in place. This plan includes steps to contain the incident, assess the scope, mitigate any harm, and notify affected users and authorities as required. In the unfortunate event of a confirmed Personal data breach affecting Mobile APP data, Valyuz will follow all legal requirements for notification (for instance, under the GDPR We would notify the relevant Data Protection Authority and affected individuals within the required timeframe) and We will provide guidance on protective measures You should take, if applicable. Our goal is to be transparent and proactive in the event of any security issue.
6.6. User Rights and Choices in Relation to Mobile APP Data. As a user of Valyuz services (including the Mobile APP), You retain full control over your Personal data and have various rights under data protection laws. These rights, detailed in this Privacy Policy, apply to the data collected and processed via the Mobile APP just as they do to data collected through other channels. Below is a summary of your key data subject rights and how You can exercise them in the context of Mobile APP data:
6.6.1. Right of Access and Rectification. You have the right to access the Personal data that We hold about You. This means You can ask us to confirm if We are processing your personal information collected from the Mobile APP and request a copy of that information. For example, You can request to see records of Your login history, device information, or any messages You sent through the Mobile APP that We have stored. We will provide this information unless legal exceptions apply. You also have the right to rectify (correct) your Personal data if it is inaccurate or incomplete. Much of the data in the Mobile APP (like your contact details or profile info) can be updated by You through your Account settings. For any other corrections (say, if You notice an error in data that You cannot edit Yourself), You can contact us and We will amend it if appropriate. We may need to verify the new information or ask for confirmation, but We will make corrections promptly as needed.
6.6.2. Right to Erasure (Right to be Forgotten) and Data Retention. You have the right to request erasure of your Personal data in certain circumstances. In terms of Mobile APP data, this could include asking us to delete specific logs or messages associated with your Account. We will honor such requests to the extent possible; however, please be aware that Valyuz is legally required to retain certain data for fixed periods due to financial regulations (for instance, records of transactions and related access logs must be kept for a number of years). This means We might not be able to immediately delete some data from the Mobile APP (like transaction histories or login records) if they overlap with data We must retain for compliance. If You request deletion, We will remove what data We can and inform You of any data We must retain and for how long. Outside of legal requirements, if You simply stop using the Mobile APP, the data collected through it will typically be retained as long as You maintain your Valyuz Account. We align deletion of Mobile APP data with the deletion of your overall Account data – so if your Account is closed and data deletion criteria are met, data from the Mobile APP will be deleted as well. Uninstalling the Mobile APP from your device does not automatically erase any server-side data. If You want to exercise the right to be forgotten, please formally request data deletion or Account closure through our support or DPO contact.
6.6.3. Right to Object and Restrict Processing. You have the right to object to our processing of your Personal data when such processing is based on our legitimate interests (or those of a third party). In the Mobile APP context, for example, You might object to our use of your data for analytics or certain security logging if You feel it is not warranted by your situation. If You raise an objection, We will review the grounds of your request and stop (and/or restrict) the contested processing unless We have compelling legitimate grounds to continue that override your interests, rights, and freedoms, or unless the processing is necessary for legal claims. Additionally, You have the right to request that We restrict the processing of your data in certain cases (for instance, while a data accuracy issue or objection is being resolved, or if You need data preserved for a legal claim while We would otherwise delete it). Restriction means that We would store your data but not use it until the restriction is lifted. Keep in mind that objecting to or restricting some processing (such as security logs) could affect our ability to provide the Mobile APP services. We will inform You if any such effect would result from honoring your request, so You can decide if You want to proceed.
6.6.4. Right to Data Portability. Under certain conditions, You have the right to receive the Personal data that You have provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller at your request. For Mobile APP data, this right would generally cover information You directly gave us (for example, any profile information or contact details provided through the Mobile APP, or messages You wrote to us). It would likely not cover generated data like internal logs. If You need a portable copy of the data You entered via the Mobile APP, let us know and We will provide it if it’s feasible and required by law.
6.6.5. Right to Withdraw Consent. If any part of our Mobile APP processing is based on your consent, You have the right to withdraw that consent at any time. As discussed, the main consent-driven features in the Mobile APP are biometric login and push notifications. You can withdraw consent for biometrics by disabling the biometric feature in the Mobile APP’s settings (or simply not using it, and perhaps resetting any stored biometric credentials on your device for the Mobile APP). To withdraw consent for push notifications, You can adjust your device’s notification settings to block the Valyuz Mobile APP from sending notifications. Once consent is withdrawn, We will stop the related processing promptly. Withdrawal of consent does not affect the lawfulness of processing that happened before the withdrawal. Also note that if in the future We introduce other consent-based data processing in the Mobile APP (for example, optional location-based features or marketing communications via the Mobile APP), You will equally have the ability to opt in or out, and to withdraw consent later on.
6.6.6. Exercising Your Rights / Contacting Us. The Mobile APP is designed primarily as a service interface, and it does not currently have a dedicated menu or form to submit formal data subject requests (such as a “download my data” or “delete my data” button). Therefore, to exercise any of the above rights in relation to your Mobile APP data, You should contact Valyuz through our regular support channels. You may send us a secure message (for example, via the internal messaging feature on your Account, if available) or send an email to our Data Protection Officer at the contact details provided in Section 12 of this Privacy Policy. Please indicate clearly what right You wish to exercise and detail your request (for example, “I would like a copy of my login history from the Mobile APP” or “Please delete the support chat I had through the Mobile APP on [date]”). We may need to verify your identity before fulfilling requests, to ensure We do not disclose or alter data to the wrong person. Once We have confirmed the request is legitimate, We will respond without undue delay and at the latest within the timeframe required by law. We will provide information on actions taken or, if We do not take action based on an exception, We will inform You of the reason.
6.6.7. Complaints. We are committed to protecting your privacy and addressing any concerns You have. If You believe that your data related to the Mobile APP has been handled in a way that violates your rights or this Privacy Policy, please let us know. You can contact our Data Protection Officer (see Section 12) or customer support to raise your complaint, and We will do our best to resolve the issue. Additionally, You have the right to lodge a complaint with a supervisory authority (Data Protection Authority) in the EU country where You reside or work, or where You believe the infringement has occurred. Lodging a complaint with a DPA does not cost You anything and can be done regardless of any other administrative or judicial remedy. We would, however, appreciate the chance to address your concerns first before You approach the authorities, as We are confident We can find a satisfactory solution. Your trust is extremely important to us, and We take any privacy-related complaints seriously.
7. Personal Data received from third parties
7.1. We collect and receive your Personal data from yourself, as well as from the following sources:
7.1.1. We work closely with third parties in order to deliver our Service to you. These third parties are business partners, sub-contractors in technical, payment services, advertising networks, analytics providers, search information providers, credit reference agencies, fraud prevention agencies, customer service providers and developers. Information we may collect about you from such parties can include credit search information, information which helps us to verify your identity or information relating to your payment transactions;
7.1.2. Other legal sources, such as public registers, internet search engines, public sources such as social media.
7.2. If you are a beneficial owner, shareholder, representative or employee of our corporate client, we collect your Personal data in order to fulfill legal and regulatory obligations. Your Personal data is provided to us by the representatives of the company where you hold a certain position. Personal data received under this clause is processed in accordance with the provisions of this Privacy policy, and you have all the rights of the Data subject listed in this Privacy policy and in the applicable laws.
8. How we share personal data
8.1. In order to provide you with the Services and meet our legal and regulatory obligations, we use third-party services, and such third parties use personal data in delivering their services to us. Therefore, we may share the information we collect about you with our service providers (Data processors) such as:
8.1.1. Cloud storage/servers providers. We use their service in order to store your data safely and securely.
8.1.2. Card issuing institutions. For the purpose of providing you with a card in order to use our Services.
8.1.3. Auditors, accountants and lawyers: In order to complete financial, technical and legal audits of Valyuz operations or provide us with respective services, we may need to share some information about you as part of such audit or service.
8.2. We only use the services of those Data processors which ensure safeguards and use technical and organizational security measures equivalent to the ones required by EU General Data Protection Regulation. In order to provide you with related services provided by our partners, such as card issuing institutions, we act as a personal data processor and collect and process your personal data on behalf of the card issuing institution. Please be informed that card issuing institutions are independent service providers and the controllers of your personal data. We advise you to carefully read the privacy policies of such service providers.
8.3. Processing personal data inside and outside the EEA
8.3.1. The data that we collect from You will be stored at a destination inside the European Economic Area (EEA).
8.3.2. Personal data may be processed outside of the EEA in order for us to fulfill our contractual obligations towards you to provide the Services. We will need to process your personal data in order for us, for example, to action a request made by you to execute an international payment, process your payment details, provide global anti-money laundering and counter terrorist financing solutions and provide ongoing support services. We will take all steps to ensure that your data is treated securely and in accordance with this privacy policy.
8.3.3. Please note that your Personal data may be transferred outside EEA. Your personal data is transferred outside the EEA if the following conditions are met:
8.3.3.1. Personal data is transferred only to our reliable partners that ensure the provision of our services to you;
8.3.3.2. Data processing agreements are signed and partners have undertaken obligations to ensure the security of your personal data as required by law;
8.3.3.3. The Commission of the European Union has made a decision on the adequacy of the security level of the country in which our partner is established, so that an appropriate level of security is ensured;
8.3.3.4. Partners ensure the level of security of Personal data in accordance with the “EU-US privacy shield”.
8.3.4. Our Legal Obligation to Use or Disclose Personal Data
8.3.4.1. As a regulated financial institution, we may need to share your Personal Data with state and public authorities. We will only do so when we are legally required to provide information or when we need to take legal action to defend our rights, as well as in cases where we have a belief in good faith that access, use, preservation or disclosure of the information is reasonably necessary to meet any applicable law, regulation, legal process or enforceable governmental request, enforce applicable Terms of Services, including investigation of potential violations, detect, prevent or otherwise address fraud, security or technical issues.
8.3.5. Other
8.3.5.1. Valyuz may partner with other financial institutions, such as credit and financial services partners, including banking partners, banking intermediaries, credit companies and international payments services providers. With their help we are able to provide you Services and in order to meet legal and regulatory requirements we might be obligated to share your Account details with such partners to the extent you actually transact or interact with customers of such partners.
8.3.6. We may, at your request, share your Personal Data with selected Valyuz partners acting as independent data controllers, where this is necessary to enable you to conclude a contract for the partner’s services (for example, when you actively request such transfer of Personal Data by selecting the relevant option when applying for such services).
9. Your rights
9.1. You are entitled to the following rights regarding the protection of your Personal Data:
9.1.1. The right to request access information we process about you: this right enables you to receive a copy of the personal data we hold about you;
9.1.2. The right to request to correct incorrect / inaccurate information about you: this right enables you to have any incomplete or inaccurate Personal data we hold about you to be corrected. Please note that we may need to verify the accuracy of the new data you provide to us.
9.1.3. The right to request to transfer all or part of the Personal data: This right enables you to ask us to provide you with your Personal data in a structured, commonly used, machine-readable format, which you can then transfer to another appropriate data controller. Note that this right only applies to automated information which you initially provided for us to use and consented to its use or where we used the information to perform a contract with you.
9.1.4. The right to request erasure of Personal data: This right enables you to ask us to delete or remove personal data where there is no good reason for us to process it, or if you have successfully exercised your right to object to processing (as described in clause 9.1 herein below). Please note that Valyuz as a regulated financial institution is obligated under the applicable laws regarding prevention of money laundering and terrorist financing as well as of Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania to retain certain information you have provided for a number of years, as indicated per clause 8.6.4 below, therefore we may not always be able to comply with your request of erasure for the mentioned reasons. We will notify you at the time of your request if the situation is as described.
9.1.5. The right to request restriction of data processing: This right enables you to ask us to suspend the processing of your personal data. Please note that such requests may lead to a situation that we may not be able to perform our contractual obligations towards you or enter into a contract with you. If this would be the case we will notify you about it.
9.1.6. The right to object to processing of Personal Data when processing is carried out on the basis of legitimate interest: This right can be exercised in a situation where we are relying on our legitimate interest (or those of a third party) but in your particular situation such processing impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. Please note that Valyuz as a regulated financial institution is obligated under the applicable laws regarding prevention of money laundering and terrorist financing as well as of Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania to process certain of your Personal data for compliance purposes, therefore in some cases, we may demonstrate that we have compelling legitimate grounds to process your Personal data which override your rights. Requirements of the mentioned laws supersede any right to objection under applicable data protection laws. If you object to the processing of certain data then we may not be able to provide you Services and it is likely we will have to terminate your Account.
9.1.7. To exercise any of the rights mentioned above, please reach out to our client support team via the internal messaging available in your Account or contact our Data Protection Officer as indicated below. We may ask you to verify your identity and provide us with more information regarding your request.
10. How long do we keep Personal data
10.1. Valyuz as a regulated financial institution is obligated under the applicable laws regarding prevention of money laundering and terrorist financing as well as of Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania to retain your Personal data for a number of years:
10.1.1. Client identification data and verification data – 8 years after termination of the contract relations;
10.1.2. History of transactions – 5 years after termination of the contract relations.
10.2. We therefore use this retention requirement as a benchmark for all personal data that we receive from you. In order to not hold your information for longer than it is strictly necessary we will not hold any of your personal data for more than 8 years after the termination of our business relationship.
11. Complaints
11.1. We would appreciate the chance to deal with any of your concerns regarding Personal data and we will try to find a solution to your satisfaction. So please contact us in the first instance. Also know that you have the right to lodge a complaint with the national Data Protection Agency (DPA) in the country of your residence in the event where your rights may have been infringed.
12. Valyuz’s Data Protection Officer
12.1. Data Protection Officer (email: DPO@valyuz.com) is responsible for matters relating to privacy and data protection.
If you have any further questions regarding the Personal data Valyuz collects, or how we use it, then please feel free to contact the Data Protection Officer using the details indicated above.
Date of last revision: 21st of February, 2024
PRIVACY POLICY
BEFORE OPENING AN ACCOUNT WITH US, WE ADVISE YOU TO CAREFULLY READ THIS PRIVACY POLICY AND IN CASE YOU HAVE ANY QUESTIONS CONTACT HEREIN MENTIONED DATA PROTECTION OFFICER.
1. About Valyuz
1.1. Valyuz, UAB, a private limited liability company, established and operating under Lithuanian law, legal entity code 304782929, Correspondence address: Saltoniskiu Str. 2, Vilnius, Lithuania; Registered office address: Gedimino ave. 44A-201, Vilnius, Lithuania, is an electronic money institution which is considered as Data Controller for the purposes of this Privacy policy.
2. Definitions
2.1. The following definitions when used in this Privacy policy have the following meanings:
2.2. Account or Valyuz Account has the meaning of the account created by Valyuz to the Client;
2.3. Client has the meaning of an individual or legal entity holding Valyuz Account;
2.4. Mobile APP has the meaning of Valyuz mobile applications used for provision of Services.
2.5. Privacy Policy has the meaning of this privacy policy;
2.6. Personal data has the meaning of information that can be used to directly or indirectly identify you.
2.7. Services has the meaning of the services provided by VALYUZ to its Clients;
2.8. Valyuz has the meaning prescribed in Art. 1.1 of this Privacy Policy;
2.9. Website or Valyuz Website has the meaning of the website available at https://www.valyuz.com/;
2.10. We has the meaning of Valyuz;
2.11. You has the meaning of the person whose Personal data is processed by Valyuz;
2.12. Valyuz partners has the meaning of third-party companies, that take part in serving Valyuz Clients based on relevant contracts between the parties.
3. Scope of privacy policy
3.1. This Privacy Policy describes how Valyuz collects, uses, stores, shares and protects your Personal Data whenever you use Services through the Website or Valyuz Mobile APP (Apple iTunes, Google Play) or by corresponding with us (for example by email or via the internal messaging functions on the Mobile APP and/or the Website).
3.2. We assume that you have carefully read this document and accepted it. If you do not agree with this Privacy Policy, then you should refrain from using our Services or opening an Account. This Privacy Policy is an integral part of Valyuz’s Terms of Use.
3.3. We may change this Privacy Policy from time to time. We will post any Privacy Policy changes on the Website and Mobile APP, additionally sending you an email informing you about the changes made, if you are registered with us. Continued use of Valyuz’s Website and/or Mobile APP implies your acceptance of the revised Privacy Policy.
4. Personal data we collect
4.1. General
4.1.1. In order to provide You with Valyuz Account and Services thereof, Valyuz collects various types of your Personal Data.
4.1.2. Personal Data is collected and used during 3 principal steps: registration, identity verification and the use of Valyuz Account and Services.
4.2. Processing of registration data
4.2.1. In the registration process we collect some important details about you, such details may include: name, surname, email address, mobile phone number. Submission of herein mentioned Personal data is mandatory for your registration. Failure to provide any of this data or decision to delete or object to processing of any of such data will result in dismissal of your registration.
4.2.2. In case you have not finished your registration and have not deleted all your Personal data submitted in the registration form we will understand it as your request for us to take steps before entering into contract and we will contact you in order to assist you with registration for opening the Account process.
4.2.3. Finalizing your registration you will have to confirm your email address and/or phone number provided after the respective message is sent to it.
4.2.4. After providing Personal data for registration you can continue with application for opening the Account. For this purpose we need to request more information in order to meet legal and regulatory obligations. Therefore proceeding with the Account opening you should provide us your additional Personal Data, which may include data as such: Residential address, Correspondence address for delivery of Debit card (if different from residential address), ID document number (national identification card/ Passport number), Passport expiry date, Passport nationality, Occupation, Employment status and details of employment, Reason for opening the account, Source of funds, copy of identification document (ID, Passport, utility bill), personal description and photograph and any other information you provide us in order to prove your eligibility to use our Services. Submission of herein mentioned Personal data is mandatory for Account to be created and opened. Failure to provide mentioned Personal data will lead to dismissal of application for Account opening.
4.2.5. In order to open the Account we need to know what expected activities on it are. Therefore during the process of opening your Valyuz Account you must determine and indicate such activities and provide details of it. Such information is collected and processed in order to comply with legal and regulatory obligations. Sometimes we need to request more information to identify you or to meet legal and regulatory obligations. When that is necessary, you will be prompted to provide such information.
4.2.6. If you contact us, we will keep a record of that correspondence.
4.2.7. Personal data collected by Valyuz in the Registration step is used for the following purposes:
4.2.7.1. Account opening;
4.2.7.2. Client identification;
4.2.7.3. Client risk assessment mandatory under the applicable laws;
4.2.7.4. Provide Clients with support, letting them know about upcoming changes or improvements of Website and/or Mobile APP;
4.2.7.5. Provide Clients with information regarding changes of any terms or conditions applicable to them or Services they use as well as other important information.
4.2.7.6. Provide and/or exchange Clients’ personal data with Valyuz partners that provide the services requested by Clients in accordance with the Client’s consent.
4.2.8. Valyuz processes Client’s registration data on the legal basis of:
4.2.8.1. Your consent, expressed when voluntarily submitting and filling your Personal Data details in our registration form which are not mandatory to fill in; and
4.2.8.2. Conclusion and performance of contractual arrangements and obligations between Valyuz and/or Valyuz partners and the Client;
Compliance with legal and regulatory obligations to which Valyuz is subject.
You may at any time edit, update or delete Your contact details by contacting our service centre through the internal messaging system in Your Account. Please note that You will be able to request deletion of Your contact details and other registration data only if there is no legal obligation for Valyuz to preserve such data by the applicable laws.
4.3. Processing of Client verification data
4.3.1. In order for the Account to be created you must verify your identity. We verify you by the Personal data you provide during registration. However such Personal data must be confirmed, therefore in addition, for verification purposes we also rely on verification services, managed and provided to us by our service providers.
4.3.2. While exercising this verification step, you will be requested to upload your ID document and proof of address. You will undergo facial verification. For the mentioned purposes we receive and rely on a certain confirmation from our service providers that your identity is verified. Please note that under the applicable laws Valyuz is obligated to collect and store all data received during the Client identification and verification process; therefore scanned copies of ID documents, proof of address, data related to facial recognition and other information will be stored by Valyuz in accordance with this Privacy policy and applicable legislation.
4.3.3. Valyuz may request to provide further information that will allow Valyuz to reasonably identify you and verify your identity. Valyuz reserves the right to contact you and request to provide more information or confirm that provided information is up-to-date and valid.
4.3.4. Valyuz processes the above mentioned Personal data used for Client’s verification (point 4.3.1, 4.3.2 and 4.3.3 of this Privacy policy) in order to comply with regulatory and legal obligations as well as to ensure that Clients are not attempting to create additional Accounts or to commit fraudulent actions. Refusal to undergo ID and facial verification will terminate your Account opening process.
4.3.5. Processing of your ID document, address proof, facial verification data, uploaded to third-party database as described above, is covered by third parties’ privacy policies. You shall be notified about exact third party performing your verification process before starting such process. All Personal data you provide for verification process shall be provided directly by you to our service provider performing your verification and therefore processing of such data shall be covered by the policies of such Service provider. You should carefully review privacy policies of such Service provider before starting the verification process.
4.4. Processing of data generated while using our Mobile App
4.4.1. To provide quality user experience for you we create a possibility to use our Services through the Mobile App. For installing purposes of such Mobile App we do not process any of Your personal data. While you are using our Mobile App we collect and process:
4.4.1.1. your login history for the security purposes.
4.4.1.2. history and other information of your actions while using Mobile app in order to: (i) ensure the functionality of Mobile App and to provide further updates and improvements, (ii) ensure compliance with legal and regulatory obligations.
4.4.2. Processing of data generated while using Valyuz Account
4.4.2.1. While you are using our Services and Account we are collecting the following information:
4.4.2.1.1. History of transactions (date, information of payer and payee, amount of transaction) is processed in order to: (i) ensure the functionality of Mobile App and to provide further updates and improvements, (ii) ensure compliance with legal and regulatory obligations;
4.4.2.1.2. Internal messaging history on Account, including, but not limited to, claims and complaints made by you is processed in order to: ensure due performance of obligations regarding provision of Services. Please note that you should limit personal information and details provided during internal messaging to the extent necessary for Service provision or asked by us;
4.4.2.1.3. Your behavior while using Account (your clicks, visited sections) is processed in order to ensure the improvements of functionality of Website;
4.4.2.1.4. Your payment card information (date of issue and expiry date) is processed in order to provide you Services;
4.4.2.1.5. Message content: if you include a message with your payments, the content of that message is stored by Valyuz;
4.4.2.1.6. Cookies: like most of Websites and mobile applications we use cookies. Please see information on cookies we use in our cookie policy https://valyuz.com/cookies-policy/.
4.4.2.2. Valyuz processes Personal Data collected while using Services and Account on the following legal basis:
4.4.2.2.1. Conclusion and performance of contractual arrangements and obligations between Valyuz and you; and
4.4.2.2.2. Pursuance of legitimate interests of Valyuz, as controller and manager of Webpage and Mobile app;
4.4.2.2.3. for compliance with a legal obligation to which Valyuz is subject.
4.4.2.3. Personal data of other individuals
By providing personal data of any individual other than yourself to us during the use of our Services, you confirm that you have obtained consent from such individual to disclose their personal data for collection and use. By providing such Personal data to us you bear all the responsibility towards such individual if you have not received proper consents for such provision and you undertake to indemnify us for any liability which may appear due to unlawful provision and/or disclosure of personal data made by you.
5. Other purposes for use of Personal Data
5.1. Developing the Website and Mobile App
5.1.1. We use Personal data to conduct research and development of our Website, Mobile App and Services in order to provide you and others with a better, more intuitive and personalized experience, drive membership growth.
5.2. Client support
5.2.1. We use Personal data to keep in touch with you in order to provide you with customer service, notify you on news and updates, provide you with the security notices or information.
5.3. Security and investigations
5.3.1. We use Personal data for security, fraud prevention and investigations. We use your Personal data (including your communications) if we think it’s necessary for security purposes or to investigate possible fraud or other violations of our Terms of Services, this Privacy Policy, implementing the regulatory and legal obligations.
5.4. Providing information on similar products and services
5.4.1. We use Personal data to provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about.
5.5. Third Party Information
5.5.1. We will combine Personal data with information we have collected about you and we will use this information to help us better understand your financial circumstances and behaviour so that we may make decisions about how we manage your Account and in order to make decisions about whether to agree to approve application on Account opening.
5.6. Providing information to Valyuz partners
5.6.1. We may provide to and/or exchange the Personal data we have collected about You with our partners that intend to provide or already provide the services to You based on Your request.
6. Personal Data received from third parties
6.1. We collect and receive your Personal data from yourself, as well as from the following sources:
6.1.1. We work closely with third parties in order to deliver our Service to you. These third parties are business partners, sub-contractors in technical, payment services, advertising networks, analytics providers, search information providers, credit reference agencies, fraud prevention agencies, customer service providers and developers. Information we may collect about you from such parties can include credit search information, information which helps us to verify your identity or information relating to your payment transactions;
6.1.2. Other legal sources, such as public registers, internet search engines, public sources such as social media.
6.2. If you are a beneficial owner, shareholder, representative or employee of our corporate client we are collecting your Personal data in order to fulfill legal and regulatory obligations. Your Personal data is provided to us by the representatives of the company where you hold a certain position. Personal data received under this clause is processed in accordance with the provisions of this Privacy policy and you have all the rights of the Data subject listed herein in this Privacy policy and in the applicable laws.
7. How we share personal data
7.1. In order to provide you with the Services and meet our legal and regulatory obligations, we use third parties services and such third parties use personal data in delivering their services to us. Therefore we may share the information we collect about you with our service providers (Data processors) such as:
7.1.1. Cloud storage/servers providers. We use their service in order to store your data safely and securely.
7.1.2. Card issuing institutions. For the purpose of providing you with a card in order to use our Services.
7.1.3. Auditors, accountants and lawyers: In order to complete financial, technical and legal audits of Valyuz operations or provide us with respective services, we may need to share some information about you as part of such audit or in service.
7.2. We only use the services of those Data processors which ensure safeguards and use technical and organizational security measures equivalent to the ones required by EU General Data Protection Regulation. In order to provide you with related services provided by our partners, such as card issuing institutions, we act as a personal data processor and collect and process your personal data on behalf of card issuing institution. Please be informed that card issuing institutions are independent service providers and the controller of your personal data. We advise you to carefully read privacy policies of such service providers.
7.3. Processing personal data inside and outside the EEA
7.3.1. The data that we collect from You will be stored at a destination inside the European Economic Area (EEA).
7.3.2. Personal data may be processed outside of the EEA in order for us to fulfill our contractual obligations towards you to provide the Services. We will need to process your personal data in order for us, for example, to action a request made by you to execute an international payment, process your payment details, provide global anti-money laundering and counter terrorist financing solutions and provide ongoing support services. We will take all steps to ensure that your data is treated securely and in accordance with this privacy policy.
7.3.3. Please note that your Personal data may be transferred outside EEA. Your personal data is transferred outside the EEA if the following conditions are met:
7.3.3.1. Personal data is transferred only to our reliable partners that ensure the provision of our services to you;
7.3.3.2. Data processing agreements are signed and partners have undertaken obligations to ensure the security of your personal data as required by law;
7.3.3.3. The Commission of the European Union has made a decision on the adequacy of the security level of the country in which our partner is established, so that an appropriate level of security is ensured;
7.3.3.4. Partners ensure the level of security of Personal data in accordance with the “EU-US privacy shield”.
7.3.4. Our Legal Obligation to Use or Disclose Personal Data
7.3.4.1. As a regulated financial institution, we may need to share your Personal Data to state and public authorities. We will only do so when we are legally required to provide information or when we need to take legal action to defend our rights, as well as the cases, where we have a belief in good faith that access, use, preservation or disclosure of the information is reasonably necessary to meet any applicable law, regulation, legal process or enforceable governmental request, enforce applicable Terms of Services, including investigation of potential violations, detect, prevent or otherwise address fraud, security or technical issues.
7.3.5. Other
7.3.5.1. Valyuz may partner with other financial institutions, such as credit and financial services partners, including banking partners, banking intermediaries, credit companies and international payments services providers. With their help we are able to provide you Services and in order to meet legal and regulatory requirements we might be obligated to share your Account details with such partners to the extent you actually transact or interact with customers of such partners.
8. Your rights
8.1. You are entitled to the following rights regarding the protection of your Personal Data:
8.1.1. The right to request access information we process about you: this right enables you to receive a copy of the personal data we hold about you;
8.1.2. The right to request to correct incorrect / inaccurate information about you: this right enables you to have any incomplete or inaccurate Personal data we hold about you to be corrected. Please note that we may need to verify the accuracy of the new data you provide to us.
8.1.3. The right to request to transfer all or part of the Personal data: This right enables you to ask us to provide you with your Personal data in a structured, commonly used, machine-readable format, which you can then transfer to other appropriate data controller. Note that this right only applies to automated information which you initially provided for us to use and consented to its use or where we used the information to perform a contract with you.
8.1.4. The right to request erasure of Personal data: This right enables you to ask us to delete or remove personal data where there is no good reason for us to process it, or if you have successfully exercised your right to object to processing (as described in clause 9.1 herein below). Please note that Valyuz as a regulated financial institution is obligated under the applicable laws regarding prevention of money laundering and terrorist financing as well as of Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania to retain certain information you have provided for a number of years, as indicated per clause 8.6.4 below, therefore we may not always be able to comply with your request of erasure for the mentioned reasons. We will notify you at the time of your request if the situation is as described.
8.1.5. The right to request restriction of data processing: This right enables you to ask us to suspend the processing of your personal data. Please note that such requests may lead to a situation that we may not be able to perform our contractual obligations towards you or enter into a contract with you. If this would be the case we will notify you about it.
8.1.6. The right to object to processing of Personal Data when processing is carried out on the basis of legitimate interest: This right can be exercised in a situation where we are relying on our legitimate interest (or those of a third party) but in your particular situation such processing impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. Please note that Valyuz as a regulated financial institution is obligated under the applicable laws regarding prevention of money laundering and terrorist financing as well as of Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania to process your certain Personal data for compliance purposes, therefore in some cases, we may demonstrate that we have compelling legitimate grounds to process your Personal data which override your rights. Requirements of the mentioned laws supersede any right to objection under applicable data protection laws. If you object to the processing of certain data then we may not be able to provide you Services and it is likely we will have to terminate your Account.
8.1.7. To exercise any of the rights mentioned above, please reach out to our client support team via the internal messaging available in your Account or contact our Data Protection Officer as indicated below. We may ask you to verify your identity and provide us with more information regarding your request.
9. How long do we keep Personal data
9.1. Valyuz as a regulated financial institution is obligated under the applicable laws regarding prevention of money laundering and terrorist financing as well as of Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania to retain your Personal data for a number of years:
9.1.1. Client identification data and verification data – 8 years after termination of the contract relations;
9.1.2. History of transactions – 5 years after termination of the contract relations.
9.2. We therefore use this retention requirement as a benchmark for all personal data that we receive from you. In order to not hold your information for longer than it is strictly necessary we will not hold any of your personal data for more than 8 years after the termination of our business relationship.
10. Complaints
10.1. We would appreciate the chance to deal with any of your concerns regarding Personal data and we will try to find a solution to your satisfaction. So please contact us in the first instance. Also know that you have the right to lodge a complaint to the national Data Protection Agency (DPA) in the country of your residence in the event where your rights may have been infringed.
11. Valyuz’s Data Protection Officer
11.1. Data Protection Officer (email: DPO@valyuz.com) is responsible for matters relating to privacy and data protection.
11.2. If you have any further questions regarding the Personal data Valyuz collects, or how we use it, then please feel free to contact Data Protection Officer at the details as indicated above hereof.