> For the complete documentation index, see [llms.txt](https://help.getlfg.app/p/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://help.getlfg.app/p/agreements/privacy-policy.md). # Privacy policy ## Introduction Thank you for reading our privacy policy. We respect your privacy and are committed to protecting your personal data. This policy explains how we look after your personal data, your privacy rights, and how the law protects you. **Who we are:** Layer Flow Gateway FZCO (“LFG”, “the Company”, “we”, “us”, or “our”), a company registered in the Dubai World Trade Centre (DWTC) free zone, UAE with licence number L-3426, acts as the sole data controller for the personal data processed in connection with our Services. **Contact:** (Data Privacy Team) - **Support:** This Privacy Policy explains how LFG collects, uses, shares and protects personal data when you use our website, application, and related services (the “Services”). In strict alignment with our Terms of Service, our Services are purely non-custodial software tools and are **not made available** to residents, citizens, or entities within the United Kingdom, the European Union (EU), the European Economic Area (EEA), the United States, mainland China, Nigeria, or any other prohibited jurisdictions listed in our Global Availability Statement. This Policy complies exclusively with **UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)** and relevant local standards. We provide non-custodial software. We do not hold private keys or seed phrases and we do not initiate, transmit, or settle blockchain transfers. This Privacy Policy should be read together with our Terms of Service. ## 1. Scope & Eligibility 1.1 This Policy applies strictly to the personal data we process about users (businesses and individuals) who reside or operate within our approved operational jurisdictions, as well as website visitors and contacts (e.g., support, sales) from allowed regions. 1.2 The Services are intended for adults (18+). We do not knowingly collect personal data from children. 1.3 If your residency, incorporation, principal place of business, or operational footprint shifts to a prohibited jurisdiction (including the UK, US, or any EU/EEA member state), you are no longer eligible to use the Services, and any ongoing data processing activities under this platform will be terminated. ## 2. The Data We Collect To maintain a privacy-first, non-custodial software layer, we limit data collection to the absolute technical minimum required to operate our SaaS platform, manage accounts, and prevent financial crime: * **Account / KYC / KYB Data:** Name, date of birth, nationality, ID/passport details, liveness/biometric verification (for allowed individual accounts), business licence, ownership/UBO details, corporate registration files, and company contact details. * **Profile & Settings:** Company name, logo, wallet labels, and configuration preferences. * **Support & Communications:** Enquiries, emails, chat messages, and support ticket details. * **Billing Metadata:** Contact details, subscription plan history, invoices, and payment statuses. We never store or view full payment card numbers; our payment providers give us tokenised references only. * **Device & Technical Logs:** App version, device type, IP addresses (used strictly for geo-fencing, anti-circumvention, and fraud monitoring), server logs, crash reports, and system diagnostic data. * **Public Blockchain Data:** Public wallet addresses you explicitly connect or interact with, transaction hashes, token contract metrics, and network timestamps. * **Compliance Signals:** Risk/sanctions flags and Travel Rule data where required to facilitate data pass-through. *LFG explicitly guarantees that it does not collect, view, or store your wallet's private keys, seed phrases, or backup words. These remain entirely on your device and are completely inaccessible to us.* ## 3. How We Use Personal Data In accordance with Article 6 of the UAE PDPL, we process personal data under the following lawful grounds: * **To Provide and Operate the Services** — basis: contract performance (maintaining your software account and delivering SaaS workflows). * **Onboard & Verify (KYC/KYB)** — basis: legal obligation / contract performance. * **AML/CFT Screening & Travel Rule Data Pass-Through** — basis: legal obligation / public interest (facilitating mandated compliance reporting to regulated counterparties). * **Risk Management & Fraud Prevention** — basis: legitimate interests of the platform / legal obligation. * **Territorial Enforcement & Geo-fencing** — basis: legitimate interests / legal obligation (ensuring users from the UK, EU, US, and other banned regions are prevented from accessing the app). * **Customer Support & Communications** — basis: contract performance. * **Billing & Accounting** — basis: contract / legal obligation. * **Service Improvement & Infrastructure Stability** — basis: legitimate interests. We do not engage in the monetization, profiling, or selling of user data to third-party advertising or marketing networks. ## 4. Automated Decisions & Profiling We use automated risk and sanctions signals to enable or disable certain interface features (such as token swaps or off-ramp rails) and to help prevent financial crime. You may contact us at to request a human review of an automated decision, to express your view, or to contest an access limitation. ## 5. Sharing Your Information Because LFG operates purely as a technology interface, we share personal data only as needed to provide and secure the Services or as required under explicit legal compliance frameworks: * **Regulated Counterparties:** Virtual Asset Service Providers (VASPs), Payment Service Providers (PSPs), or Electronic Money Institutions (EMIs) integrated into our platform ecosystem, strictly to facilitate your explicit payment or settlement instructions (e.g., passing public addresses to an on/off-ramp provider) or to handle Travel Rule compliance pass-through data. * **Vendors & Tech Providers:** Third-party sub-processors (cloud hosting, system security, compliance analytics, customer support software) operating under strict data-handling and confidentiality agreements. * **Professional Advisers & Competent Authorities:** Legal counsel, corporate auditors, and government regulators where required by applicable laws in the United Arab Emirates. * **Corporate Restructuring:** In the event of a merger, acquisition, or corporate asset sale, your personal data will remain fully protected under the terms of this Policy. ## 6. International Transfers As a platform operated by a corporate entity in the United Arab Emirates, personal data may be processed on servers located outside your home country. Any cross-border transfer of personal data outside the UAE is handled strictly in accordance with Article 22 of the UAE PDPL, applying appropriate technical and organizational safeguards (including data encryption and strict vendor assessment standard clauses) to ensure data integrity. ## 7. Security We apply industry-standard technical and organisational controls, including AES-256 data encryption at rest, TLS 1.2+ encryption for data in transit, network firewall isolation, role-based internal data access permissions, and multi-factor authentication (MFA) for administrative networks. Because no transmission or storage method is completely secure, you remain responsible for securing your personal device and keeping backup words, seed phrases, and account credentials strictly confidential. ## 8. Retention We retain personal data only as long as needed to fulfill our operational services or as dictated by applicable legal baselines: * **AML/CFT and Identity Verification Records:** At least five (5) years post-account closure to comply with federal compliance and anti-financial crime reporting thresholds. * **Tax, Invoicing, and Corporate Accounting Records:** At least seven (7) years. * **System Backups:** Automatically overwritten or permanently purged every ninety (90) days. Data may be retained for longer windows if required to manage active legal claims, historical corporate disputes, or ongoing fraud prevention investigations. ## 9. Your Rights Under UAE Law Subject to technical limitations and statutory exemptions under UAE Federal Decree-Law No. 45 of 2021 (PDPL), you possess the following explicit data privacy rights: * **Right to Access:** You may request confirmation of whether we are processing your data and receive a clear, machine-readable copy of your personal data records. * **Right to Rectification:** You can request the immediate correction of inaccurate, outdated, or incomplete data. * **Right to Erasure (Right to be Forgotten):** You may request the deletion of your personal data when it is no longer required for active contractual performance, legal obligation, or auditing baselines. * **Right to Restrict or Object:** You may object to automated software processing, profiling, or restrict specific data handling workflows. * **Right to Withdraw Consent:** Where a processing activity is based explicitly on your consent, you may withdraw that consent at any time. To exercise any of these statutory rights, please contact our privacy team directly at . ## 10. Non-Custodial Wallets & Blockchain Limitations LFG provides a non-custodial software interface and has zero custody over your cryptographic funds. Deleting the LFG application from your device or closing your account does not move your digital assets, cannot restore lost keys, and will not delete public blockchain logs. By their structural design, public block infrastructure logs (such as public wallet addresses, transaction weights, and hashes) are immutable and cannot be altered, corrected, or erased by us. ## 11. Cookies & Similar Technologies We use essential, first-party technical cookies and SDK variables to keep your account session secure, preserve interface preferences, and run basic performance analytics to monitor platform crashes. Where optional tracking tools are used, we will explicitly ask for your consent inside the app. ## 12. Contact, Complaints & Corporate Authority If you wish to ask questions or make a formal complaint regarding this Privacy Policy, our data workflows, or our security frameworks, please reach out to our team: * **Data Privacy Email:** * **General Support Email:** * **Corporate Operational Address:** Layer Flow Gateway FZCO, Level 17, Sheikh Rashid Tower, Dubai World Trade Centre, Dubai, United Arab Emirates. We acknowledge all data inquiries within five (5) business days and strive to deliver a final evaluation or response within thirty (30) days. If we are unable to resolve your privacy concern directly, you retain the legal right to escalate the matter to the **Emirates Data Office** (the central supervisory authority overseeing data protection compliance under the UAE PDPL). ## 13. Changes to This Policy We may update this Privacy Policy from time to time to align with software feature additions, changes in corporate layout, or updates to regional laws. We will publish the updated Policy with a new effective date and, where the changes are material, notify you via an in-app prompt or email broadcast. ## 14. Definitions (Extract) * **Personal Data:** Any information relating to an identified or identifiable natural person. * **Data Controller:** The entity that determines the method, purpose, and structural criteria of personal data processing. * **Travel Rule:** The international compliance tracking framework requiring the transmission of minimum sender and receiver identifiers during digital asset transfers between virtual asset service providers. * **Public Blockchain Data:** Immutable data written directly to a public distributed ledger (such as wallet addresses, transaction hashes, gas costs, and transfer amounts). ## Plain-English Summary (Non-binding) We collect the absolute minimum personal data needed to run, secure, and geo-fence our non-custodial software platform. We have zero visibility over your private keys and cannot touch your funds. We share metadata only when you instruct us to (such as interacting with an on-ramp) or when strictly necessary for regulatory pass-through (like the Travel Rule). We operate out of Dubai and strictly adhere to UAE and international privacy standards. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://help.getlfg.app/p/agreements/privacy-policy.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.