Privacy Policy

At Norxio, your privacy is important to us. This Privacy Policy explains how we collect, use, store, and protect your personal and business information when you access our website, use our platform, interact with our APIs, or engage with any of our services. By using Norxio, you agree to the practices described in this policy.

We collect information to provide and improve our services. This includes information you provide directly, such as when you create an account, submit forms, contact support, or communicate with us. This may include your name, email address, company details, and other information necessary to operate your account.

We also collect information automatically when you use Norxio. This includes technical data such as IP address, device type, browser information, usage logs, and API activity. These details help us maintain security, monitor performance, and improve reliability.

In some cases, we may receive information from third parties, such as compliance partners, identity verification services, payment processors, and publicly available sources. This helps us verify your identity, prevent fraud, and comply with legal requirements.

Categories of Personal Data

The personal data we collect includes:

• Identity Data: Full name, date of birth, place of birth, nationality, government-issued identification numbers (passport, driver's license, national ID), gender, and username
• Contact Data: Residential address, billing address, email address, telephone numbers, and business contact information
• Financial Data: Bank account details, IBAN, payment card information, transaction history, credit reference data, and authorized signatory details
• Transaction Data: Payment details, transaction amounts, currencies, dates and times, recipient and sender information, purpose of payments, and records of services purchased
• Technical Data: IP address, login credentials, browser type and version, time zone settings, geolocation data, device information, operating system, and API usage data
• Usage Data: Information about how you use our website, platform, and services, including pages visited, features used, and navigation patterns
• Communications Data: Your preferences for receiving marketing communications and your communication history with us

Special Categories of Personal Data

We may collect certain special categories of personal data where required for regulatory compliance and service provision:

• Biometric Data: Facial recognition data obtained through identity verification processes (e.g., selfie verification) to uniquely identify you when you open an account
• Criminal Convictions Data: Information about criminal convictions and offenses as required for anti-money laundering (AML) compliance, sanctions screening, and fraud prevention in accordance with local laws

We process special category personal data only when it is required for the services we provide, for reasons of substantial public interest, where you have provided explicit consent, or where we have a legal obligation to do so. We do not otherwise collect sensitive data such as details about race, ethnicity, religious beliefs, sexual orientation, or health information.

We use your personal data to provide and improve our services, meet contractual obligations, comply with legal requirements across multiple jurisdictions, and pursue legitimate business interests such as fraud prevention and service improvement.

Legal Basis for Processing

We process your personal data based on the following legal grounds:

Performance of Contract: Processing necessary to fulfill our contractual obligations to you or to take steps at your request prior to entering into a contract

Legitimate Interests: Processing necessary for our legitimate interests or those of a third party, except where such interests are overridden by your fundamental rights and freedoms

Legal Obligation: Processing necessary to comply with legal obligations to which we are subject, including AML, KYC, tax, and regulatory requirements

Consent: Where you have given clear consent for us to process your personal data for a specific purpose. You have the right to withdraw consent at any time

Purposes of Processing

We use your personal data for the following purposes:

• To provide, maintain, and improve our services and platform
• To process transactions and payments
• To verify your identity and conduct customer due diligence (KYC/CDD)
• To comply with anti-money laundering (AML), counter-terrorist financing (CTF), sanctions screening, and other regulatory obligations
• To prevent fraud, financial crime, and unauthorized access
• To communicate with you about your account and transactions
• To provide customer support and respond to inquiries
• To send service-related notifications and updates
• To conduct marketing activities (with your consent where required)
• To analyze usage patterns and improve user experience
• To conduct risk assessment and credit checks
• To enforce our terms and conditions
• To meet audit, compliance, and reporting requirements

We share personal data with third parties only as necessary to provide our services, comply with legal obligations, and operate our business. We require all third parties to respect the security of your personal data and to treat it in accordance with applicable law.

Who We Share Information With

We may share your personal data with:

Norxio Group Companies: Other entities within the Norxio group for operational, administrative, and reporting purposes

Service Providers: Third-party vendors who provide IT infrastructure, cloud storage, payment processing, identity verification, compliance screening, customer support, and analytics services

Financial Institutions: Banks, payment service providers, and other financial institutions for transaction processing and account management

Compliance Partners: Identity verification services, KYC/AML screening providers, sanctions databases, credit reference agencies, and fraud prevention services

Professional Advisors: Lawyers, accountants, auditors, and consultants who assist with legal, tax, and business advisory matters

Regulators and Authorities: Regulatory bodies, law enforcement agencies, courts, government authorities, and tax authorities as required by law

Business Transferees: Potential buyers, investors, or successors in the event of a merger, acquisition, or sale of assets

Note: We do not sell your personal data to third parties. We do not allow third parties to use your personal data for their own marketing purposes, except where you have explicitly provided consent.

We take data security seriously and implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, alteration, or disclosure.

Our Security Measures

• Encryption of data in transit and at rest
• Multi-factor authentication for account access
• Firewalls and intrusion detection systems
• Regular security audits and penetration testing
• Access controls and role-based permissions
• Employee training on data protection and security
• Confidentiality obligations for all personnel
• Regular backups and disaster recovery procedures

However, no data security measures are perfect. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach, we will notify affected individuals and relevant authorities as required by applicable law.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations in applicable jurisdictions, resolve disputes, enforce agreements, and meet audit requirements.

Retention Periods by Jurisdiction

Retention periods vary by jurisdiction based on local regulatory requirements. We apply the retention period required by the laws applicable to your data controller:

United Kingdom

• Financial and transaction records: 6 years from last transaction
• KYC/AML documentation: 6 years from relationship end
• Regulatory basis: Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017

United States

• Financial and transaction records: 5-7 years (varies by state)
• KYC/AML documentation: Minimum 5 years
• Regulatory basis: FinCEN regulations and state-specific requirements

Canada

• Financial and transaction records: 6 years from fiscal year end
• KYC/AML documentation: 5 years from last transaction
• Regulatory basis: FINTRAC regulations and PIPEDA requirements

Other Jurisdictions

• Retention periods as required by applicable local laws and regulations

Note: Where we process data across multiple jurisdictions, we apply the longest applicable retention period to ensure compliance with all relevant laws. After the retention period expires, personal data will be securely deleted or anonymized

Depending on your location and the applicable privacy laws, you may have certain rights regarding your personal data.

Rights for All Users

• Right to Access: Request a copy of the personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your personal data, subject to legal retention requirements
• Right to Restriction: Request restriction of processing in certain circumstances
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Data Portability: Receive your personal data in a structured, machine-readable format

Additional Rights for Specific Jurisdictions

European Union and United Kingdom (GDPR/UK GDPR):

• Right to lodge a complaint with your local data protection authority
• Right to withdraw consent at any time where processing is based on consent

United States (State Privacy Laws):

• Right to know what personal information is collected and shared
• Right to opt out of the sale of personal information (note: we do not sell personal data)
• Right to opt out of targeted advertising
• Right to non-discrimination for exercising privacy rights

Canada (PIPEDA):

• Right to challenge the accuracy of personal information
• Right to withdraw consent for certain processing activities

How to Exercise Your Rights

To exercise any of these rights, please contact us at [email protected]. We may need to verify your identity before processing your request. We will respond within the timeframes required by applicable law (typically 30 days).

Our website and services may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services before providing them with your personal information.

Our website and services may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services before providing them with your personal information.

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your personal data, please contact us:

General Privacy Inquiries:

• Email: [email protected]
• Website: www.norxio.com/privacy

Note: For the most current contact information for your jurisdiction, please visit www.norxio.com/contact

We would appreciate the opportunity to address your concerns before you contact a supervisory authority. Please contact us first. However, you have the right to lodge a complaint with your local data protection authority if not satisfied;

• United Kingdom: Information Commissioner's Office (ICO) - www.ico.org.uk
• European Union/Ireland: Data Protection Commission (DPC) - www.dataprotection.ie
• United States: Your State Attorney General or state privacy authority
• Canada: Office of the Privacy Commissioner of Canada - www.priv.gc.ca