Privacy Policy
Last updated: May 2026 · Version 2.0
Pre-launch notice. Twinfin is on the MiCA CASP and EMI authorisation pathways and is not yet operating live payment services. This policy describes (A) the processing that happens today via the marketing website, waitlist, contact form, and scheduling, and (B) the processing that will apply once the live platform launches. Sections marked "from launch" do not apply yet.
This Privacy Policy describes how Twinfin Ltd. ("TWINFIN™", "Twinfin", "we", "our", "us") collects, uses, and shares information about you when you visit our website, join our waitlist, contact us, schedule a call, and (from launch) use our payment services.
1. Who we are
Twinfin Ltd. is incorporated under the Cyprus Companies Law (Cap. 113), Limassol, Cyprus. From launch, our payment activities will fall under the EU regulatory perimeter of MiCA (Regulation (EU) 2023/1114), the EMI Directive (2009/110/EC) as transposed in Cyprus, PSD2 (Directive (EU) 2015/2366), and the GDPR (Regulation (EU) 2016/679).
Data Protection Officer: Sergey Semeniuk — dpo@twinfin.tech. General privacy inquiries: privacy@twinfin.tech.
2. What we collect — today (pre-launch website)
You provide
- Waitlist: work email, and optionally company name, when you submit the hero or footer waitlist form.
- Contact form: name, email, and message text, when you write to us via the contact section.
- Scheduling: name, email, time-slot preference, and any optional notes you provide to Calendly when booking a founder call.
Collected automatically
- Plausible analytics: aggregated, cookieless pageview metrics — country (no city-level), device type, browser, referrer. Plausible does not set cookies and does not assemble personal profiles. IPs are hashed briefly server-side for de-duplication and discarded; no IPs are stored.
- Server access logs (Vercel): IP address, request path, status, user-agent — for security and operational monitoring. Held for short retention windows by our hosting provider.
3. What we will collect — from launch (live platform)
The categories below apply only after Twinfin holds the relevant authorisations and onboards customers to the live platform.
- Identity (KYC/KYB): legal name, date of birth, nationality, photo ID, proof of address, UBO declarations, source-of-funds and source-of-wealth evidence.
- Financial: bank account details, IBAN, crypto wallet addresses, transaction history.
- Company data: registry extracts, corporate documents.
- Platform usage: API calls, dashboard activity, audit-log entries.
4. Why we process your data
- Perform a contract or pre-contractual steps — process your waitlist signup, respond to your contact message, manage scheduled calls, and (from launch) operate accounts, execute transactions, and provide support.
- Comply with legal obligations (from launch) — AML, CTF, sanctions screening, tax reporting, MiCA Travel Rule, record retention.
- Legitimate interests — security, fraud prevention, service improvement, aggregated analytics, occasional product-update emails to people on the waitlist (you can opt out at any time).
- Consent — for any future direct-marketing communications and for Calendly's own optional cookies set if you book a call.
5. Who we share data with
Today (pre-launch)
| Processor | Purpose | Location · Transfer basis |
|---|---|---|
| Vercel Inc. | Website hosting, edge logs | USA · EU SCCs + DPF |
| Cloudflare, Inc. | DNS resolution, email routing | USA · EU SCCs + DPF |
| Plausible Insights OÜ | Cookieless pageview analytics | EU (Estonia) |
| Formspree, Inc. | Waitlist + contact form intake | USA · EU SCCs |
| Calendly LLC | Founder-call scheduling | USA · EU SCCs + DPF |
| Google LLC (Workspace) | Email and calendar for our team | USA · EU SCCs + DPF |
From launch
Once the live platform launches we will additionally engage: a regulated EMI partner (interim fiat rail, named at engagement), Sumsub (KYC/KYB verification), Chainalysis (blockchain analytics, Travel Rule), and competent authorities where required by law. The processor register will be updated and Sub-Processor changes notified to active business customers per our DPA.
6. International transfers
Where data is transferred outside the EEA — most relevantly to the US-based processors named above — we rely on the EU-US Data Privacy Framework where the recipient is certified, the EU Standard Contractual Clauses with appropriate supplementary measures otherwise, and a Transfer Impact Assessment for each material transfer.
7. Retention
| Data | Retention period |
|---|---|
| Waitlist email | Until launch + 90 days, or earlier on opt-out |
| Contact-form data | 24 months, then deleted |
| Plausible aggregates | 24 months (Plausible default) |
| Calendly events | Per Calendly retention; we delete from our calendars 12 months after the event |
| Vercel access logs | Per Vercel default (typically 30 days) |
| KYC / transaction (from launch) | 5 years after the end of the customer relationship, per AML rules |
8. Cookies and similar technologies
The twinfin.tech website itself does not set cookies. The third parties we load are:
- Plausible analytics: cookieless. No cookies, no localStorage tracking, no fingerprinting. Loaded on every page view.
- Formspree (waitlist + contact forms): a small CSRF cookie may be set during form submission. Functional only, no cross-site tracking.
- Calendly (only when you click "Schedule a call"): Calendly's widget sets functional cookies and — if you accept Calendly's own consent prompt — optional analytics cookies. These are loaded on demand, not on initial page view.
Because no tracking cookies are set on initial page load, we do not present a consent banner. If you book through Calendly, that interaction is governed by Calendly's own cookie and privacy notices.
9. Your rights
- Access, rectification, and erasure (where applicable).
- Restriction of and objection to processing.
- Data portability.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with the Cyprus Commissioner for Personal Data Protection or your local supervisory authority.
To exercise any right, contact dpo@twinfin.tech. We respond within one month per GDPR Art. 12(3).
10. Security
For the marketing website today, we use TLS 1.3 in transit, modern security headers (HSTS preload, X-Frame-Options: DENY, strict referrer policy), and do not store sensitive personal data on our own infrastructure beyond the email addresses you provide. Once the live platform launches we will operate under the security framework described on our Compliance page (encryption at rest, RBAC, MFA, third-party audits). No system is perfectly secure; we will notify regulators and affected users of any qualifying breach within statutory timeframes.
11. Changes to this policy
We will post any material changes on this page and notify waitlist members or active customers by email where the change materially affects their data. Your continued use of our website or services after a change constitutes acceptance.
12. Contact
Privacy questions or rights requests: privacy@twinfin.tech. Data Protection Officer: dpo@twinfin.tech (Sergey Semeniuk). General inquiries: hello@twinfin.tech.
© 2026 Twinfin Ltd. All rights reserved.