Privacy Policy (GDPR)

Version 1.0
Effective Date: [Add Date]

Introduction

This Privacy Policy explains how Evolution Ltd collects, uses, stores, and protects your personal data. It also describes your rights under the General Data Protection Regulation (GDPR) and how you may exercise them.

This Policy applies to all personal and business customers who use Evolution’s services, including the app, website, cards, payments, FX, crypto features, and customer support channels.

By using Evolution services, you agree to the processing of your personal data as described in this Policy.

1. Who We Are

Evolution Ltd is the controller of your personal data.
We determine how your information is used and for what purposes.

Contact details
[Registered Address]
[Support Email]
[Website]

For data protection matters, you may contact our Data Protection Officer at:
[DPO Email]

2. The Types of Data We Collect

We collect the following categories of personal data, depending on the services you use:

Identity data
Name, date of birth, nationality, identification documents, verification recordings

Contact data
Email, phone number, address, communications

Financial data
Account balances, transactions, payment history, card numbers (tokenized), currency activity

Compliance data
KYC documents, risk assessments, sanctions screening results, AML information

Technical data
Device identifiers, app activity logs, crash reports, connection data

Usage data
Features accessed, interaction history, preferences, analytics

Communications
Messages sent to customer support, feedback, and reports

Marketing preferences
Opt-in choices, campaign interactions

We may also receive information from third parties, such as credit bureaus, payment partners, or identity verification providers.

3. How We Collect Your Data

We collect data in the following ways:

During account registration and onboarding
When submitting identity documents
When using payments, cards, or transfers
Through device and app interactions
When contacting support
Through third-party partners involved in delivering services
When required for compliance or regulatory checks

We do not collect more data than is necessary for each purpose.

4. Why We Process Your Data

We process your personal data for the following purposes:

To open and maintain your account
To verify your identity and comply with KYC and AML laws
To process payments, transfers, and card transactions
To provide customer support
To detect and prevent fraud
To manage risk and comply with regulations
To improve and personalize the app experience
To provide requested services such as lending, FX, or crypto features
To meet legal obligations and respond to authorities
To send service notifications or updates
To provide optional marketing communications when you consent

Every processing activity is based on a lawful basis under GDPR.

5. Legal Bases for Processing

We rely on the following legal bases:

Contractual necessity
To deliver banking and payment services you request

Legal obligation
To comply with AML, sanctions, payment regulations, tax rules, security requirements

Legitimate interests
To improve services, maintain security, prevent fraud, analyze product usage

Consent
For marketing messages
For optional data processing where required by law

Vital interests
To protect you or others in exceptional emergency scenarios

We always ensure your rights are balanced with our legitimate interests.

6. Automated Decision-Making

Automated systems may be used to:

Assess fraud risk
Perform identity checks
Evaluate credit eligibility
Detect suspicious transactions

If a decision significantly affects you, you may request human review and provide additional information.

7. Who We Share Your Data With

We may share your data with:

Payment networks and banks
Identity verification providers
Cloud service and hosting providers
Regulated partners involved in service delivery
Card manufacturers and processors
Fraud and sanctions screening systems
Analytics and product tools
Regulators, courts, and law enforcement where required

We do not sell your data.

All partners must meet strict data protection and security requirements.

8. International Transfers

Your data may be transferred outside the European Economic Area (EEA).
When this happens, we ensure one of the following safeguards:

Standard Contractual Clauses (SCCs)
Adequacy decisions
Binding corporate rules
Equivalent protection measures

We assess all third-party providers to ensure GDPR compliance.

9. How Long We Keep Your Data

We retain personal data only as long as necessary for:

Providing services
Complying with regulations
Meeting AML retention requirements
Handling disputes or audits

Examples:

KYC data: up to eight years after account closure
Transaction data: retained for regulatory reasons
Support communication: retained for quality and compliance

When data is no longer required, we delete or anonymize it.

10. Your Rights Under GDPR

You have the following rights:

Right to access
You may request a copy of your personal data.

Right to rectification
You may correct incomplete or inaccurate information.

Right to erasure
You may request deletion in certain circumstances.

Right to restrict processing
You may ask us to limit use of your data.

Right to data portability
You may request your data in a structured, machine-readable format.

Right to object
You may object to data processed based on legitimate interests or for marketing.

Right not to be subject to automated decisions
You may request a human review.

We may require identity verification before responding to requests.

11. Marketing and Communication Preferences

We may send:

Service-related notifications
Security alerts
Policy updates
Product updates
Optional marketing messages (only with your consent)

You can unsubscribe from marketing at any time.

Service-related communications cannot be disabled.

12. Cookies and Tracking

The website and app may use cookies or similar technologies for:

Improving performance
Measuring usage
Providing personalized content
Handling authentication
Storing preferences

You may manage cookie preferences in the Cookie Policy or provided settings.

13. Data Security

We use industry-leading measures to protect your data, including:

Encryption
Access controls
Secure data storage
Monitoring for threats
Regular audits and security testing

You must also protect your devices and credentials.

14. Children’s Data

Evolution services are not intended for individuals under 18 years of age.
We do not knowingly collect data from minors.

15. Changes to This Privacy Policy

We may update this Policy due to:

Changes in law
Product updates
New processing activities
Security requirements

Where required, we will notify you before changes take effect.

16. Contact Information

You may contact us about privacy matters at:

Evolution Ltd
[Registered Address]
[DPO Email]
[Support Email]
[Website]