Privacy policy
Introduction
Thank you for reading our privacy policy.
We respect your privacy and are committed to protecting your personal data. This policy explains how we look after your personal data, your privacy rights, and how the law protects you.
Who we are: Layer Flow Gateway FZCO (“LFG”, “we”, “us”).
Contact: [email protected] (Data Privacy Manager)
Support: [email protected]
This Privacy Policy explains how LFG collects, uses, shares and protects personal data when you use our website, app and related services (the “Services”). Our Services are made available globally except in the United States, mainland China, Nigeria, and other sanctioned jurisdictions. This Policy complies with UAE Federal Decree-Law No. 45 of 2021 (Data Protection Law) and, where applicable, the EU/UK GDPR.
We provide non-custodial software. We do not hold private keys or seed phrases and we do not initiate, transmit, or settle blockchain transfers.
This Privacy Policy should be read together with our Terms of Service.
1. Scope & Eligibility
This Policy applies to personal data we process about users (businesses and individuals) of the Services, website visitors, and contacts (e.g., support, sales).
The Services are intended for adults (18+). We do not knowingly collect personal data from children. The Services are available only in approved jurisdictions and app stores.
2. The Data We Collect
We collect the categories of data described below, which may vary depending on your use of the Services.
Account / KYC / KYB: Name, date of birth, nationality, ID/passport details, liveness/biometric verification, business licence, ownership/UBOs, and contact details.
Profile & settings: Company name, logo, wallet labels, preferences.
Support & communications: Enquiries, emails, chat messages, survey responses.
Billing: Contact, plan, invoices, payment status. We never store full card numbers; payment providers give us tokenised references only.
Device & usage: App version, device type, IP, logs, crash and diagnostic data.
Blockchain data: Wallet addresses you connect, transaction hashes, token details, timestamps.
Compliance signals: Risk/sanctions flags and Travel Rule data where legally required.
We do not collect or store your private keys, seed phrases, wallet passcodes or biometrics used to unlock your device. These remain entirely on your device.
3. How We Use Personal Data
We process personal data to:
Provide and operate the Services — legal basis: contract performance.
Onboard & verify (KYC/KYB) — legal basis: legal obligation / contract.
AML/CFT screening & Travel Rule compliance — legal basis: legal obligation / public interest.
Risk management & fraud prevention — legal basis: legitimate interests / legal obligation.
Enable or disable features based on risk — legal basis: legitimate interests.
Customer support & communications — legal basis: contract performance.
Billing & accounting — legal basis: contract / legal obligation.
Service improvement & analytics — legal basis: legitimate interests.
Marketing with consent — legal basis: consent / legitimate interests.
4. Automated Decisions & Profiling
We use automated risk and sanctions signals to enable or disable certain features and to help prevent fraud and financial crime. You may contact us to request human review of a decision, to express your view, or to contest a decision.
5. Sharing Your Information
We share personal data only as needed to provide and secure the Services or as required by law:
Regulated counterparties (VASPs/PSPs/EMIs, banks) for compliance and settlements.
Vendors (cloud hosting, security, analytics, support) under confidentiality agreements.
Professional advisers and regulators where required by law.
In the event of a merger, acquisition or restructuring, data remains protected by this Policy.
We do not sell personal data.
6. International Transfers
We may transfer personal data outside the UAE where:
the destination has an adequacy decision;
appropriate safeguards (e.g., contractual clauses) are in place; or
a permitted exception applies (e.g., for contract performance or legal claims).
7. Security
We apply appropriate technical and organisational measures such as encryption, access controls, network and application security, and vendor due diligence. No method of transmission or storage is 100% secure; you are responsible for securing your devices and keeping backup words/keys secret.
8. Retention
We retain personal data only as long as needed or required by law:
AML/CFT records: at least 5 years;
Tax and accounting records: at least 7 years.
Data may be retained longer for legal claims, disputes, or fraud prevention. Backups persist for limited periods.
9. Your Rights
Subject to UAE and applicable international law, you may have rights to:
Access, rectify, or erase your data;
Restrict or object to certain processing;
Data portability;
Withdraw consent;
Complain to the UAE Data Office or relevant authority.
EU/UK users may also exercise rights under the GDPR by contacting [email protected].
10. Non-Custodial Wallets & Backups
We are non-custodial and cannot recover private keys, seed phrases, or funds. If you lose your keys or backups, we cannot restore access. Deleting the app or closing your account does not move funds or delete blockchain data.
11. Cookies & Similar Technologies
We may use essential cookies/SDKs to operate the app and limited analytics to understand usage. Where consent is required, we will request it in-app.
12. Contact, Complaints & How to Reach Us
Data Privacy Manager: [email protected]
Support: [email protected]
You may also contact the UAE Data Office to lodge a complaint, but we appreciate the chance to resolve concerns first.
13. Changes to This Policy
We may update this Policy from time to time. We will post a new effective date and, where appropriate, notify you in-app or by email. If you continue using the Services after the effective date, you acknowledge the updated Policy.
14. Definitions (Extract)
Personal data: information relating to an identified or identifiable person.
Travel Rule / IVMS101: information-sharing rules for certain virtual asset transfers.
VASPs/PSPs/EMIs: regulated virtual asset, payment or e-money institutions.
Public blockchain data: on-chain data (addresses, transaction hashes, timestamps, token amounts).
Plain-English Summary (Non-binding)
We collect the minimum personal data needed to run and secure LFG. We never see your keys or move your funds. We share data only when legally required (e.g., Travel Rule) and follow UAE and international privacy standards. You can access, correct, or delete your data within legal limits.
Last updated