IMPORTANT NOTICE — READ BEFORE PROCEEDING
1. Personal Data We Collect
We collect the following categories of personal data:
| Category | Data Items | Purpose |
|---|---|---|
| Account Data | Full name, email, username, password (hashed), preferences, time zone, language. | Account registration and management |
| Identity / KYB Data | Enterprise Clients: legal entity name, registered address, beneficial ownership, director names, corporate documents, regulatory status, sanctions screening results. | Enterprise onboarding, AML/KYB compliance |
| Subscription & Billing | Subscription tier, billing address, invoice records, payment method type (card last 4 digits only — full card data processed by PCI-DSS processor, never stored by DCC). | Subscription management and billing |
| Usage Data | IP address, browser type, OS, pages visited, features used, session duration, API call logs, error logs. | Service delivery, security, platform improvement |
| Communication Data | Email content, support ticket content, survey responses, and any data voluntarily submitted in communications. | Support and service improvement |
| Compliance Data | Jurisdiction of residence, self-declared investor type, risk profile, and regulatory acknowledgements made on the Platform. | Regulatory compliance and appropriate use verification |
We do NOT collect biometric data, government ID numbers (except for specific enterprise KYB), or special category personal data unless explicitly required for a compliance purpose and separately consented to.
2. Legal Bases for Processing
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Processing necessary to deliver subscribed Services, manage accounts, provide support, and execute billing. |
| Legitimate Interests | Usage analytics to improve the Platform, security monitoring, fraud prevention, marketing to existing Users (with opt-out), and enforcement of Terms. |
| Legal Obligation | AML/KYB screening for Enterprise Clients, sanctions compliance, tax records retention, and regulatory reporting obligations. |
| Consent | Marketing to prospective Users where required by law; non-essential cookie placement (see Cookie Policy); research participation. |
4. International Data Transfers
The Company operates primarily from the UAE and may process data on servers in the EU, UK, or US. International transfers are conducted under: EU/EEA Standard Contractual Clauses (SCCs); UK International Data Transfer Agreements (IDTAs) or SCCs with UK Addendum; DIFC mechanisms compliant with DIFC Data Protection Law 2020; and adequacy decisions where applicable.
To request a copy of the applicable transfer mechanism, contact support@digitalcreditcompass.com.
5. Data Security
We implement appropriate technical and organisational security measures including:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256).
- Access controls with role-based permissions and multi-factor authentication for internal systems.
- Regular security vulnerability assessments and penetration testing.
- Vendor security due diligence for all sub-processors.
- Incident response procedures with defined escalation protocols and employee training on data protection.
In the event of a personal data breach likely to result in high risk to individuals' rights, we will notify affected Users and relevant supervisory authorities within the timescales required by Applicable Law (typically 72 hours under GDPR/UK GDPR).
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of active account + 7 years |
| KYB / AML records | 5 years from end of business relationship (or longer if required by applicable AML law) |
| Transaction / billing records | 7 years (tax and financial record-keeping) |
| Usage logs | 13 months (security and analytics) |
| Support communications | 3 years from last interaction |
| Marketing consent records | Until consent withdrawn + 3 years |
| Anonymised / aggregated data | Indefinitely (no personal data identifiable) |
Following the applicable retention period, data is securely deleted or anonymised. You may request earlier deletion subject to the Company's legal retention obligations.
7. Your Rights
Depending on applicable law, you may have the following rights:
| Right | Description |
|---|---|
| Access | Obtain a copy of personal data we hold about you (Data Subject Access Request). |
| Rectification | Require correction of inaccurate or incomplete personal data. |
| Erasure | Request deletion of personal data where no longer necessary, or where processing was based on withdrawn consent. |
| Restriction | Request that processing be restricted in certain circumstances (e.g., while accuracy is contested). |
| Data Portability | Receive personal data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interests, including direct marketing. |
| Withdrawal of Consent | Withdraw consent at any time without affecting the lawfulness of prior processing. |
| Complaints | Lodge a complaint with the relevant supervisory authority (e.g., ICO — UK, CNIL — France, PDPC — Singapore, DIFC Commissioner — DIFC, UAE TDRA — UAE). |
To exercise any of these rights, submit a request to support@digitalcreditcompass.com with sufficient information to verify your identity. We will respond within 30 days (extendable by 60 days for complex requests, with notice).
8. Data Processing Addendum
Enterprise Clients who act as data controllers in respect of their end users' personal data processed through the DCC API or integrated workflows may require a Data Processing Addendum (DPA). The DPA documents the parties' respective roles and obligations under GDPR, UK GDPR, and equivalent frameworks, and specifies processing purposes, data categories, sub-processor lists, security measures, audit rights, and data subject rights procedures. DPAs are available upon request and form part of the Enterprise Services Agreement.