mavi finans

Legal

Privacy Policy

How we collect, use, and protect your personal data.

Effective date: 29 March 2026

1. Introduction

This Privacy Policy explains how mavi finans ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our products and services, including mavi pay, mavi card, mavi wallet, and mavi finans banking. We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (GDPR) and applicable Belgian and European data protection laws. By using any mavi finans product, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

mavi finans
Flanders, Belgium

For any questions about how we handle your data, reach out via our contact page at mavifinans.sh/contact.

3. What Data We Collect

We collect the following categories of personal data depending on the products you use and your KYC tier:

- Identity data: Full name, date of birth, nationality, government-issued identity documents (passport, ID card, driving licence), selfie photograph, proof of address. Collected during KYC verification via our partner Sumsub.
- Financial data: Transaction history, payment methods, bank account details (IBAN), card details, wallet addresses, payout records.
- Technical data: IP address, device type and identifier, browser type and version, operating system, referral source.
- Usage data: Pages visited, features used, session duration, interaction patterns. Collected via Umami, a privacy-focused analytics platform that does not use cookies or collect personally identifiable information.
- Communication data: Emails you send to us, support requests, and any feedback you provide.

4. Why We Collect Your Data

We process your personal data for the following purposes:

- Service delivery: To create and manage your account, process transactions, issue cards, facilitate banking services, and operate the mavi wallet.
- KYC and AML compliance: To verify your identity, assess risk, and comply with anti-money laundering regulations as required by European law.
- Fraud prevention: To detect, prevent, and investigate fraudulent or unauthorised activity, including sanctions screening via Chainalysis.
- Product improvement: To understand how our products are used and improve the user experience. Analytics are privacy-focused and do not track individuals.
- Communication: To send transactional emails (receipts, verification, security alerts) and, with your consent, product updates.

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

- Contract performance (Article 6(1)(b) GDPR): Processing necessary to provide the services you signed up for — account creation, transaction processing, card issuance, wallet operation, banking services.
- Legal obligation (Article 6(1)(c) GDPR): Processing required to comply with anti-money laundering (AML) directives, KYC requirements, sanctions screening obligations, and tax reporting requirements.
- Legitimate interest (Article 6(1)(f) GDPR): Processing necessary for fraud prevention, security monitoring, and product improvement, where our interests do not override your fundamental rights.
- Consent (Article 6(1)(a) GDPR): For optional communications such as marketing emails. You may withdraw consent at any time.

6. Third-Party Processors

We share your personal data with the following third-party processors, each bound by data processing agreements:

- Sumsub — Identity verification (KYC). Processes identity documents, selfies, and proof of address. EU-compliant identity verification provider.
- Stripe — Payment processing for mavi pay. Processes transaction data, payment methods, and payout information. PCI DSS Level 1 certified.
- Swan.io — Banking services for mavi finans. Licensed by Banque de France. Processes banking data including IBAN, SEPA transfers, and account information.
- Wallester — Card issuance for mavi card. Licensed by Bank of Lithuania. Processes card data, transaction history, and cardholder information.
- Chainalysis — OFAC and sanctions screening. Processes transaction data and wallet addresses to ensure compliance with international sanctions.
- Resend — Transactional email delivery. Processes email addresses and email content for account notifications and verification.
- Umami — Privacy-focused website analytics. Does not collect personal data, does not use cookies, and is fully GDPR-compliant.

We do not sell your personal data to any third party. Data is shared only as necessary to provide our services and comply with legal obligations.

7. International Data Transfers

Some of our processors operate outside the European Economic Area (EEA). When your data is transferred outside the EEA, we ensure adequate safeguards are in place, including:

- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where the European Commission has determined the receiving country provides adequate data protection.
- Binding corporate rules where applicable.

You may request details about the safeguards in place for specific transfers by contacting us.

8. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy, or as required by law:

- KYC and identity data: Retained for 5 years after the end of the business relationship, as required by EU Anti-Money Laundering Directives (AMLD).
- Transaction records: Retained for 7 years for tax and regulatory compliance.
- Account data: Retained for the duration of your account. Upon account closure and request for deletion, all data not subject to legal retention requirements is deleted within 30 days.
- Analytics data: Umami does not store personally identifiable data. Aggregated analytics are retained indefinitely.
- Technical logs: Retained for up to 12 months for security and debugging purposes.

9. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction: Request that we limit how we process your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format and transfer it to another controller.
- Right to object: Object to processing based on legitimate interest or for direct marketing purposes.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: File a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données) at www.dataprotectionauthority.be.

To exercise any of these rights, reach out via our contact page at mavifinans.sh/contact. We will respond within 30 days.

10. Cookies

mavi finans uses a minimal cookie approach:

- Essential cookies: Used only for session management and security (e.g., cookie consent preference). These are strictly necessary and do not require consent.
- Analytics: We use Umami, a privacy-focused analytics platform. Umami does not use cookies, does not track users across websites, and does not collect personal data. It is fully GDPR-compliant without requiring cookie consent.

We do not use advertising cookies, tracking pixels, or third-party marketing cookies.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

- Encryption of data in transit (TLS/SSL) and at rest.
- Access controls limiting data access to authorised personnel only.
- Regular security assessments and vulnerability monitoring.
- Secure infrastructure hosted within the European Union where possible.
- KYC data processed through Sumsub's certified secure infrastructure.

While we take all reasonable precautions, no method of transmission or storage is 100% secure. If you suspect a security breach, contact us immediately via mavifinans.sh/contact.

12. Children

mavi finans services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email or through a prominent notice on our website. We encourage you to review this policy periodically.

14. Contact

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

- Contact form: mavifinans.sh/contact
- Website: mavifinans.sh