Privacy Policy
Vuzza Ltd.
Effective date: 1 July 2025
Last updated: 1 July 2025
Your privacy matters to us. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. We've tried to write it in plain language — if something isn't clear, email us at privacy@vuzza.eu.
Vuzza Ltd. is the data controller for personal data processed through the vuzza.eu website and the Vuzza platform. Our registered address is Dzirnavu iela 34a-6, Riga, LV-1010, Latvia.
1. What Data We Collect
1.1 Data you give us
When you use Vuzza, you provide us with:
- Account information: name, work email address, job title, company name, country.
- KYB/KYC data: business registration documents, beneficial ownership information, identity documents for authorised users — collected and processed by our settlement partner Striga on our behalf, to fulfil regulatory obligations.
- Payment data: payee names, IBANs, wallet addresses, payment amounts, currencies, cost centres, invoice references, and related metadata.
- Approval records: who approved what, when, and under what policy conditions.
- Communications: anything you send us via email, support tickets, or in-platform chat.
1.2 Data we collect automatically
When you visit our website or use the platform, we may collect:
- Usage data: pages visited, features used, clicks, session duration, errors encountered.
- Device and technical data: IP address, browser type and version, operating system, time zone.
- Cookies and similar technologies: see our Cookie Policy for full details.
1.3 Data from third parties
- Slack / Microsoft Teams: if you connect these integrations, we receive basic profile data (name, email, user ID) to enable approval notifications. We do not read your messages.
- ERP and accounting systems: if you connect Xero, SAP Business One, NetSuite, or similar, we receive payment and invoice data you choose to sync.
- Compliance screening: our compliance partner (Witness, built on Sumsub) processes data about payees and transactions to screen for AML and sanctions risk. Results are returned to Vuzza as a compliance verdict; we do not store raw screening data beyond what is necessary.
2. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Legal basis |
|---|---|
| Providing and operating the Service | Performance of contract (Art. 6(1)(b) GDPR) |
| KYB/KYC onboarding and compliance screening | Legal obligation (Art. 6(1)(c) GDPR); AML/CFT regulations |
| Processing and routing payments | Performance of contract |
| Generating Proof-of-Compliance audit records | Legitimate interests; legal obligation |
| Sending transactional emails (confirmations, alerts) | Performance of contract |
| Sending product updates and marketing emails | Consent (Art. 6(1)(a) GDPR) — you can unsubscribe any time |
| Improving and developing the Service | Legitimate interests (Art. 6(1)(f) GDPR) |
| Fraud prevention and security | Legitimate interests; legal obligation |
| Complying with legal and regulatory requirements | Legal obligation |
| Responding to support and legal queries | Legitimate interests |
We never sell your personal data to third parties.
3. Proof-of-Compliance and Blockchain Records
When a payment is approved and executed on the Vuzza platform, we cryptographically hash a combination of transaction metadata (payment intent, approval record, compliance verdict ID, and timestamp) and anchor that hash to the Polygon blockchain.
Key things to know:
- No PII is stored on-chain. Only a cryptographic hash — essentially a digital fingerprint — is anchored. The hash cannot be reversed to reveal personal data.
- GDPR erasure: all underlying personal data is stored off-chain. Deleting your off-chain data and its decryption keys renders the on-chain hash permanently non-recoverable, satisfying the right to erasure under GDPR Article 17.
- Permanence: the hash itself, once anchored, is permanently on the blockchain. This is by design — it is the audit guarantee. But it contains no personal data.
4. Who We Share Data With
We share personal data only with:
- Striga (a Lightspark company): our primary settlement partner, for KYB, payment execution, and AML/KYC screening. Striga holds EU VASP licences across 30 EEA countries and processes data under its own privacy policy and our data processing agreement.
- Witness / Sumsub: our compliance screening provider, for real-time AML and sanctions checks.
- Polygon network: for on-chain anchoring of cryptographic hashes only (no PII).
- Cloud infrastructure providers: we use cloud services (within the EU/EEA) to host the platform. These providers are bound by data processing agreements.
- Professional advisors: legal counsel, accountants, and auditors, where necessary and under confidentiality obligations.
- Law enforcement and regulators: where required by applicable law, court order, or to protect our legal rights or the rights of others.
We do not share your data for advertising purposes.
5. International Transfers
Vuzza is incorporated in Latvia and primarily operates within the EU/EEA. Where personal data is transferred outside the EEA (for example, to cloud infrastructure in the US), we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Transfers to countries with an EU adequacy decision.
You can request information about the specific safeguards we use by contacting privacy@vuzza.eu.
6. How Long We Keep Your Data
We keep personal data for as long as necessary for the purposes described in this Policy, and as required by law.
| Data type | Retention period |
|---|---|
| Account data | Duration of your subscription + 3 years |
| Payment records and approval history | 7 years (AML/tax legal obligation) |
| KYB/KYC documentation | 5 years after relationship ends (AML legal requirement) |
| Compliance screening records | 5 years (AML legal requirement) |
| Support correspondence | 3 years |
| Website analytics | 26 months (rolling) |
| Marketing preferences and consent | Until withdrawn, then 1 year |
When the retention period expires, we securely delete or anonymise the data.
7. Your Rights
Under GDPR, you have the following rights. We'll respond to requests within 30 days (extendable to 3 months for complex cases — we'll tell you if that's needed).
- Access: get a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"): ask us to delete your personal data where we no longer have a lawful basis to hold it. Note that some data (payment records, KYB documents) must be retained for regulatory reasons.
- Restriction: ask us to restrict processing of your data in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting past processing.
- Lodge a complaint: you have the right to complain to a supervisory authority. In Latvia, this is the Data State Inspectorate (Datu valsts inspekcija) at dvi.gov.lv. You may also contact the supervisory authority in your EU member state.
To exercise any right, email privacy@vuzza.eu with your request and enough information to identify your account.
8. Security
We take security seriously. Measures include:
- Encryption of data in transit (TLS) and at rest.
- Access controls and role-based permissions within the platform.
- Regular security reviews and penetration testing.
- A designated security contact at security@vuzza.eu.
No system is 100% secure. If you become aware of a security vulnerability or incident involving Vuzza, please let us know promptly.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and notify affected individuals where required by law.
9. Children
The Service is intended for business use only and is not directed at anyone under the age of 18. We do not knowingly collect personal data from minors.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we'll notify you by email or via an in-product notice at least 30 days before the change takes effect. The "last updated" date at the top always reflects the current version.
11. Contact
Data controller: Vuzza Ltd., Dzirnavu iela 34a-6, Riga, LV-1010, Latvia
Privacy enquiries: privacy@vuzza.eu
General: vuzza.eu