Privacy policy

Introduction

Thank you for reading our privacy policy.

We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

Who we are: Layer Flow Gateway FZCO (“LFG”, “we”, “us”). Contact: [email protected] (Data Privacy Manager) • Support: [email protected]

This Privacy Policy explains how LFG collects, uses, shares and protects personal data when you use our website, app and related services (the “Services”). Our Services are offered exclusively in the United Arab Emirates (UAE) and this Policy is written to comply with UAE data protection law (including Federal Decree-Law No. 45 of 2021 and related regulations).

We provide non-custodial software. We do not hold private keys or seed phrases and we do not initiate, transmit, or settle blockchain transfers.

1) Scope & eligibility

  • This Policy applies to personal data we process about users (businesses and individuals) of the Services, website visitors, and contacts (e.g., support, sales).

  • The Services are intended for adults (18+). We do not knowingly collect personal data from children.

2) The data we collect

We collect the categories of data described below, which may vary depending on your use of the Services.

2.1 Data you provide to us

  • Account / KYC / KYB. Name, date of birth, nationality, Emirates ID/passport details, selfie/liveness checks (biometric for verification), business licence, UBOs/authorised signatories, and contact details.

  • Profile & settings. Company name, logo, wallet labels, preferences.

  • Support & communications. Enquiries, emails, chat messages, survey responses.

  • Billing (web). Billing contact, plan, invoices, payment status. (If you pay via a payment service provider, we do not store the full card number (PAN); we may receive the last 4 digits and a token from the PSP.)

Regulatory changes. The precise identity/KYC/KYB and billing information we request may change from time to time to reflect updates to applicable regulations, regulator guidance, and government rules. We will always request only the minimum necessary to comply and provide the Service.

2.2 Data we collect automatically

  • Device/usage. App version, device type/OS, language, time zone, IP address, logs, crash/diagnostic data.

  • Service telemetry. Feature interactions, performance and error events (to secure, operate and improve the Service).

2.3 Blockchain & compliance data

  • Public blockchain data. Wallet addresses you connect, transaction hashes, timestamps, token/amounts, smart-contract interactions.

  • Risk & sanctions signals. Results from blockchain analytics (e.g., sanctions/watchlist exposure, mixer proximity, scam cluster tags).

  • Travel Rule / IVMS101 (where applicable). Minimal originator/beneficiary information required by law or by regulated counterparties (e.g., VASPs/PSPs/EMIs).

2.4 Data from other sources

  • Service providers (e.g., KYC vendors, payment processors), public sources (e.g., public blockchains, sanctions/PEP lists, company registries), and regulated counterparties (VASPs/PSPs/EMIs) in connection with specific features.

2.5 Data we do not collect/store

  • We do not collect or store your private keys, seed phrases/backup words, wallet passcodes or biometrics used to unlock your device/wallet. These remain on your device (e.g., secure hardware area). We cannot recover them.

  • We do not record full payment card numbers if payments are processed by a third-party PSP.

2.6 How we classify the personal data we collect (for clarity)

  • Identity Data — first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, and gender.

  • Contact Data — billing address, delivery address, email address, and telephone numbers.

  • Special Category Personal Data — biometric data used for selfie/liveness checks, and (only if strictly required by law or you choose to provide it) ethnicity, sexual orientation, trade union membership, health information. We do not seek these attributes for ordinary use of the Service; where collected for compliance or where you choose to provide them (e.g., accessibility needs), we apply enhanced safeguards.

  • Financial Data — bank account details and payment method details (e.g., last 4 digits / tokenised reference from our PSP; we do not store full card PAN).

  • Transaction Data — details about payments to and from you and other details of products and services you have purchased from us.

  • Technical Data — internet protocol (IP) address, login timestamps, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website/app.

  • Profile Data — your username, (hashed) password, purchases or orders made by you, your interests, preferences, feedback and survey responses.

  • Usage Data — information about how you use our website, app, products and services.

  • Marketing & Communications Data — your preferences in receiving marketing from us and our third parties, and your communication preferences.

  • Blockchain & Compliance Data — wallet addresses, transaction hashes, on-chain metadata, and risk/sanctions signals from analytics providers; Travel Rule originator/beneficiary fields where required.

2.7 Aggregated Data

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

  • Provide and operate the Services (create/maintain your account, connect wallets, show balances/metadata, provide features). Legal basis: performance of a contract.

  • Onboard & verify (KYC/KYB) (identity verification, liveness, business documents, UBO checks). Legal basis: legal obligation; performance of a contract.

  • AML/CFT screening & Travel Rule (sanctions screening, blockchain analytics; share minimal IVMS101 data with regulated counterparties where required). Legal basis: legal obligation; substantial public interest where applicable.

  • Risk management & fraud prevention (detect abuse, structuring, anomalous behaviour; secure the platform). Legal basis: legitimate interests; legal obligation.

  • Enable/disable features based on risk (e.g., off-ramping, payouts, routing). Legal basis: legitimate interests; legal obligation.

  • Customer support & service communications (tickets, incident alerts, policy updates). Legal basis: performance of a contract; legitimate interests.

  • Billing & accounting (web billing, invoicing, tax records). Legal basis: performance of a contract; legal obligation.

  • Service improvement & analytics (quality, performance, usability). Legal basis: legitimate interests.

  • Marketing with consent (where applicable, and you can opt out at any time). Legal basis: consent/legitimate interests (as applicable).

4) Automated decisions & profiling

We use automated risk signals (e.g., sanctions exposure, mixer proximity, anomaly scores) to enable/disable certain features and to help prevent fraud and financial crime. You may contact us to request human review of a decision, to express your view, or to contest a decision.

5) Sharing your information

We share personal data only as needed to provide and secure the Services or as required by law:

  • Blockchain analytics providers (risk/sanctions screening).

  • Regulated counterparties (VASPs/PSPs/EMIs, banks) to facilitate Travel Rule obligations, payouts, or integrations (we share the minimum required).

  • Vendors (cloud hosting, security, support, email, product analytics) under contracts that require confidentiality and robust safeguards.

  • Professional advisers (legal, accounting, audit) and competent authorities/regulators where required by law.

  • Business transfers (merger, acquisition, restructuring) — we’ll continue to protect your data per this Policy.

We do not sell personal data.

6) International transfers (UAE-first)

We may transfer personal data outside the UAE where one of the following applies:

  • the destination is subject to an adequacy decision;

  • we implement appropriate safeguards (e.g., contractual protections);

  • a permitted derogation applies (e.g., performance of a contract with you; public interest; establishment, exercise or defence of legal claims; or your explicit consent).

7) Security

We apply appropriate technical and organisational measures: encryption in transit/at rest (where applicable), access controls, network and application security, secure development practices, and vendor due diligence. No method of transmission or storage is 100% secure; your role matters too. You are responsible for securing your devices and keeping backup words/keys secret.

8) Retention

We keep personal data only as long as needed for the purposes described or as required by law. Statutory minimums include:

  • AML/CFT records: at least 5 years;

  • Corporate tax and accounting records: at least 7 years after the end of the relevant tax period.

We may retain data longer if required for legal claims, disputes, fraud prevention, or pursuant to a lawful legal hold. Backup copies may persist for a limited period.

9) Your rights

Subject to UAE law, you may have rights to:

  • Access the personal data we hold about you;

  • Rectify inaccurate or incomplete data;

  • Erase data (where applicable);

  • Restrict or object to certain processing;

  • Data portability (receive certain data in a usable format);

  • Withdraw consent (where processing is based on consent);

  • Complain to the UAE Data Office.

To exercise your rights, email [email protected] from your registered email. We may ask for additional information to verify your identity and, for business accounts, your authority.

10) Non-custodial wallets & backups (important)

  • We do not collect or store private keys, seed phrases/backup words, passcodes or biometrics.

  • If you lose your backup words/keys, we cannot recover them or restore access to your wallets.

  • Deleting the app or closing your account does not move funds or delete blockchain data. (See also our Account Deletion page for practical guidance.)

11) Cookies & similar technologies (summary)

We may use essential cookies/SDKs to operate the site/app (e.g., security, session management) and limited analytics to understand feature usage and improve the Service. Where consent is required, we’ll ask in-app.

12) Contact, complaints & how to reach us

  • Data Privacy Manager: [email protected]

  • Regulator: You may lodge a complaint with the UAE Data Office. We’d appreciate the chance to resolve your concerns first.

13) Changes to this Policy

We may update this Policy from time to time (for example, to reflect changes in law or our Services). We’ll post the updated Policy with a new effective date and, where appropriate, notify you in-app or by email. If you continue using the Services after the effective date, you acknowledge the updated Policy.

14) Definitions (extract)

  • Personal data: information relating to an identified or identifiable natural person.

  • Travel Rule/IVMS101: regulatory information-sharing obligations for certain virtual asset transfers.

  • VASPs/PSPs/EMIs: regulated virtual asset service providers, payment service providers, and electronic money institutions.

  • Public blockchain data: on-chain information such as addresses, transaction hashes, timestamps and token amounts that is publicly available on distributed ledgers.

Plain-English summary (non-binding)

We keep the minimum personal data needed to run and secure LFG. We’re non-custodial: we never see your seed phrases/keys and can’t move your funds. We use blockchain analytics and share only what’s legally required (e.g., Travel Rule) with regulated partners. You can ask to access, fix, or delete your data where the law allows. We follow UAE law only; our Services are UAE-only.

Last updated