Privacy Policy

This Privacy Policy describes how Twinfin Ltd. ("TWINFIN™", "Twinfin", "we", "our", "us") collects, uses, and shares information about you when you visit our website, create an account, or use our services. Twinfin operates under MiCA CASP and EMI authorisation pathways in Cyprus and the European Union.

1. Who we are

Twinfin Ltd. is incorporated under the Cyprus Companies Law (Cap. 113). Its payment activities fall under the EU regulatory perimeter of PSD2 (Directive (EU) 2015/2366), MiCA (Regulation (EU) 2023/1114), and the GDPR (Regulation (EU) 2016/679). Our registered address, data protection officer contact, and regulator details are available on request via hello@twinfin.tech.

2. What we collect

Information you provide

• Identity data: legal name, date of birth, nationality, photo ID, proof of address (for KYC/KYB).
• Contact data: email address, phone number, business address.
• Financial data: bank account details, IBAN, crypto wallet addresses, transaction history.
• Employer/company data: company registration, UBO declarations, source-of-funds evidence.

Information collected automatically

• Device and log data: IP address, browser type, device identifiers, access times.
• Usage data: pages visited, features used, API calls.
• Cookies and similar technologies — see our Cookie Notice for details.

3. Why we process your data

• Perform the contract — operate accounts, execute transactions, provide support.
• Comply with legal obligations — AML, CTF, sanctions screening, tax reporting, MiCA Travel Rule, record retention.
• Legitimate interests — fraud prevention, security, service improvement, marketing within permitted limits.
• Consent — optional communications, cookies, marketing.

4. Who we share data with

We share personal data only with parties that have a legitimate need: regulated EMI partners (for fiat rails prior to our own EMI authorisation), chain analytics providers (Chainalysis), KYC verification providers (Sumsub), cloud infrastructure providers, and competent authorities where required by law.

5. International transfers

Where data is transferred outside the EEA, we rely on adequacy decisions or EU Standard Contractual Clauses with appropriate supplementary measures.

6. How long we retain data

Financial and KYC records are retained for at least five (5) years after the end of the customer relationship, as required under AML rules. Marketing data is deleted when consent is withdrawn.

7. Your rights

• Access, rectification, erasure (where applicable).
• Restriction and objection to processing.
• Data portability.
• Withdraw consent at any time.
• Lodge a complaint with the Cyprus Commissioner for Personal Data Protection or your local supervisory authority.

To exercise any right, contact us at privacy@twinfin.tech.

8. Security

We use industry-standard security: encryption in transit and at rest, segregated customer funds, role-based access controls, and regular third-party audits. No system is perfectly secure; we commit to notifying regulators and affected users of any qualifying breach within the statutory timeframes.

9. Changes to this policy

We will post any material changes on this page and notify account holders by email. Your continued use of our services after a change constitutes acceptance of the updated policy.

10. Contact us

Questions about this Privacy Policy or your personal data: privacy@twinfin.tech. General inquiries: hello@twinfin.tech.