Wayex Global Global Privacy Policy

Last Updated: August 25, 2025

⚠️ Pre-Launch Notice

This Privacy Policy is subject to change prior to the official launch of Wayex services. The final Privacy Policy will be provided before service activation.

This Privacy Policy explains how Wayex Global S.A. ("Wayex Global", "we", "us", "our") collects, uses, stores, and shares personal data in compliance with Panama's Law 81 on Personal Data Protection and applicable international standards (e.g., GDPR, UK GDPR, and certain U.S. state privacy laws). This Policy forms part of our User Agreement.

Introduction

This Policy applies to personal data we process when you visit our websites or apps, open or use a Wayex Global account, complete KYC/KYB, use the Wayex Global card, interact with customer support, or otherwise engage with our Services. It also covers personal data we receive from partners, issuers, and service providers. It does not apply to third-party sites or services that have their own privacy policies.

Controller & Contact

Controller: Wayex Global Global S.A.

Support: support@wayex.com

Information We Collect (Categories of Data)

We collect the following categories of personal data, depending on how you use the Services:

  • Personal Identifiers: name, email, phone, residential address, date/place of birth, nationality.
  • Government & KYC/KYB Data: ID documents (passport, driver's license, national ID), tax IDs, proof of address, liveness checks, and, only where lawful and necessary, biometric templates used by our KYC provider to verify identity.
  • Account & Transaction Data: account numbers, balances, wallet addresses, card PAN tokens (we do not store full PAN where prohibited), purchase history, merchant category codes, ATM withdrawals, conversions, deposits/withdrawals, and internal fraud/AML flags.
  • Technical & Usage Data: IP address, device IDs, operating system, app version, log files, crash reports, cookies and similar technologies, approximate geolocation (derived from IP), session metadata, referral URLs.
  • Communications: support tickets, chat transcripts (e.g., Intercom), emails, phone recordings (where permitted), survey responses, and feedback.
  • Marketing Preferences: in-app notification settings, emails, social media and event participation.
  • Financial Crime & Screening Data: sanctions and watchlist screening, PEP status, adverse media hits, and risk scores (where legally permitted).
  • Business Customer Data (KYB): incorporation documents, ownership/UBO details, board/officer information, corporate address, and proofs.

Sources of Data

  • Directly from you (onboarding, forms, uploads, support).
  • Automatically collected (apps, SDKs, cookies, analytics).
  • Third parties (KYC/AML providers, sanctions-screening tools, card Issuer/Program Manager, payment processors, banks, blockchain analytics vendors, identity verification vendors, advertising/analytics partners, where applicable).

Sensitive Data

We may process biometrics (for KYC liveness/face match) and other sensitive data only where legally permitted and strictly necessary for identity verification, fraud prevention, and compliance, based on consent and/or legal obligation as applicable.

How We Use Information (Purposes & Legal Bases)

We use personal data to:

  • Verify identity and comply with AML/CFT regulations (legal obligation; substantial public interest where applicable).
  • Provide Services (contract performance): open/maintain accounts, enable crypto/fiat transactions, issue and service cards, process payments, handle refunds/chargebacks, and provide customer support.
  • Protect the Services & users (legitimate interests/legal obligation): prevent, detect, and investigate fraud, scams, money laundering, sanctions evasion, unauthorised access, and abuse.
  • Improve and develop the Platform (legitimate interests/consent where required): diagnostics, analytics, A/B testing, quality assurance, and product research using de-identified/aggregated data wherever feasible.
  • Marketing & communications (consent/legitimate interests): send service and transactional messages; send marketing messages where permitted (opt-out any time).
  • Comply with laws, requests, and audits (legal obligation): respond to regulators, law enforcement, tax authorities, card networks, and disputes/arbitrations.

We do not use personal data for automated decisions that produce legal or similarly significant effects without human involvement, except where required for fraud/AML controls; where such processing occurs, you may have rights to contest or request human review.

Cookies & Similar Technologies

We use cookies, SDKs, and similar tools for authentication, security, preferences, analytics, and (where permitted) marketing attribution. You can manage preferences via our Cookie Settings link in-app or on the website. Browser settings and Global Privacy Control (GPC) signals will be honoured where legally required. Disabling cookies may affect functionality.

Automated Decision-Making & Profiling

For fraud and AML/CFT purposes, we use risk models, sanctions/PEP screening, and behavioural analytics to detect suspicious activity. These systems may affect your ability to transact. You may contact us to request an explanation and, where applicable, human review.

Data Sharing (Recipients & Categories)

We share data with:

  • Card Issuer & Program Manager and Card Networks for card issuance, processing, disputes, and network compliance.
  • Payment Processors, Banks, and PSPs for funding, settlements, and payouts.
  • KYC/AML, Sanctions & Fraud Vendors (identity verification, screening, blockchain analytics, device fingerprinting).
  • Cloud, Hosting, and Security Providers (infrastructure, backups, logging, monitoring).
  • Customer Support & Communications (e.g., Intercom, email/SMS providers).
  • Analytics & Diagnostics (product analytics, crash reporting) — configured to minimise data where possible.
  • Auditors, Consultants, Insurers, and Professional Advisors under confidentiality.
  • Regulators and Law Enforcement where required by law, subpoena, court order, or to protect rights, users, or the public.
  • VASPs & Travel Rule Counterparties to exchange originator/beneficiary information for qualifying transfers.
  • Corporate Transactions: In an acquisition, merger, financing, or sale of assets, data may be transferred under appropriate safeguards.

We do not sell personal information in the traditional sense. Where "sale" or "share" is defined broadly, we disclose our practices and provide opt-outs as required (see Regional Notices).

International Data Transfers

We may transfer personal data to countries other than your own (including the U.S., EU/EEA, UK, and others). Where required, we use adequacy decisions, Standard Contractual Clauses (SCCs), the UK IDTA/Addendum, and complementary measures based on transfer risk assessments. Copies of executed SCCs can be requested (with redactions).

Data Security

We implement industry-standard organisational and technical controls, including:

  • Encryption in transit and at rest; segregation of environments; key management.
  • Access controls based on least privilege, MFA, and regular access reviews.
  • Secure software development lifecycle, dependency scanning, and vulnerability management.
  • Logging, monitoring, anomaly detection, and periodic penetration testing.
  • Vendor due diligence and security addenda for processors.
  • Business continuity and disaster recovery plans.

No system is perfectly secure; we cannot guarantee absolute security.

Breach Notification

Where required by law, we will notify you and relevant authorities of a personal data breach without undue delay.

Data Retention

We retain personal data only as long as necessary for the purposes described or to comply with legal, regulatory, accounting, and reporting obligations.

Illustrative ranges:

  • KYC/KYB records: at least 5–10 years after account closure (jurisdiction-dependent).
  • Transaction & ledger records: 7–10 years.
  • Customer support records: 2–5 years.
  • Marketing preferences: until you opt out.

We may retain aggregated/de-identified data indefinitely for analytics, research, and security.

Your Privacy Rights

Depending on your location, you may have the right to:

  • Access your personal data and receive a copy.
  • Rectify inaccurate or incomplete data.
  • Restrict or object to certain processing (including profiling for direct marketing).
  • Portability (receive your data in a structured, commonly used format).
  • Withdraw consent where processing is based on consent.
  • Not be subject to solely automated decisions with legal/similar effects, and to request human review.
  • Appeal a refusal of a privacy request.

How to Exercise Your Rights

Submit a request via support@wayex.com or through in-app settings. We will verify your identity (and authority, if acting as an authorised agent) and respond within the timeframes required by law. We may decline requests where an exception applies, but will explain our reasoning.

Marketing Communications

You can manage marketing preferences in-app or via unsubscribe links in emails. We will continue to send transactional or service messages (e.g., security alerts, receipts) even if you opt out of marketing.

Children's Privacy

Our Services are not directed to individuals under the age of majority. We do not knowingly collect personal data from minors. If you believe a minor has provided data, contact us to request deletion.

Third-Party Services & Links

Our Services may include links to third-party websites, SDKs, or features. Their privacy practices govern those services; review their policies before use.

Changes to This Policy

We may update this Policy from time to time. We will post the updated version and revise the Last Updated date. Material changes will be notified via email or in-app notice. Continued use means you accept the changes.

Complaints & Contact

If you have concerns about our handling of personal data, contact us at support@wayex.com. You may also have the right to lodge a complaint with Wayex Global; your complaint will go through a complaints procedure to ensure that a resolution is found.

Additional Disclosures for Financial Crime Compliance

  • Travel Rule: We may transmit your name, account identifiers, and other required originator/beneficiary data to VASPs or financial institutions for qualifying transfers.
  • Sanctions/Watchlists: Screening results may be retained as evidence of compliance.
  • Automated Risk Decisions: See Sections 5 and 10 for your rights.

Retention & Deletion Annex

| Data Category | Example Retention |
|---|---|
| KYC/KYB records & screening results | 5–10 years after account closure |
| Transaction & ledger data | 7–10 years |
| Card processing & disputes | 5–7 years |
| Support tickets & call recordings | 2–5 years |
| Device/telemetry logs | 12–24 months |
| Marketing subscriptions | Until opt-out |
| Biometrics (if used) | Retain only for verification; delete/tokenise promptly per vendor policy |

Definitions

  • Personal Data: Information that identifies or can reasonably identify a natural person.
  • Processing: Any operation on personal data (collection, storage, use, disclosure, etc.).
  • Controller/Processor: Entity determining purposes/means of processing; entity processing on behalf of a controller.
  • VASP: Virtual Asset Service Provider (e.g., exchanges, custodians).
  • SCCs/IDTA: EU/UK legal mechanisms for cross-border transfers.