1. Introduction
This Privacy Policy explains how the Zori brand (the "Zori Group"), which is currently operated by Charon Digital Ltd and may be operated by additional legal entities in the future ("Zori", "we", "us", or "our"), collects, uses, shares, and protects personal information when you access or use our websites, applications, and related online services (collectively, the "Services"). Any reference to "Zori", "we", "us", or "our" in this Policy shall mean the specific member of the Zori Group that is providing the Services to you at the relevant time.
For the personal information we process about you, Zori acts as the data controller. Our third-party identity verification provider, Sumsub, acts as a data processor on our behalf for verification purposes (and, in limited circumstances described below, as a separate controller for its own compatible purposes).
By using the Services, you acknowledge that you have read and understood this Privacy Policy.
2. Personal Information We Collect
We may collect the following types of personal information:
- Identification information, such as your full name, date of birth, gender, nationality, and government-issued identification details (for example, ID card or passport numbers and document images), where required for verification purposes.
- Contact information, such as your residential address, email address, and phone number.
- Biometric and verification information, such as a facial scan and liveness-check images or video collected during identity verification, photographs, and identity documents. Biometric data is collected and processed only after we (or our verification provider) obtain your consent.
- Financial and transaction information, such as your bank account details (in your own name), transaction amounts, currencies, digital asset wallet addresses, and source-of-funds or source-of-wealth information.
- Account and usage information, such as username, account settings, login timestamps, IP address, and device information.
- Technical information, such as browser type, operating system, and information collected through cookies and similar technologies.
- Screening information, such as data generated from checks against sanctions lists, politically-exposed-person ("PEP") lists, and adverse-media sources.
You may choose not to provide certain information, but this may limit or prevent your ability to use the Services, including the ability to be onboarded.
3. How We Use Personal Information
We use your personal information for the following purposes:
- To create and manage your account and to provide the On/Off-Ramp Services you request.
- To conduct identity verification, onboarding, and other "know-your-customer" ("KYC") and anti-money-laundering ("AML") checks, including sanctions and PEP screening, and to comply with applicable legal and regulatory obligations.
- To process, settle, and record your transactions, including communicating necessary information to banks, payment providers, and liquidity providers.
- To operate, maintain, and improve the Services, including troubleshooting, data analysis, testing, and security monitoring.
- To communicate with you about your account, the Services, and changes to our terms, policies, or features.
- To detect, prevent, and investigate fraud, abuse, or other harmful or unlawful activities, and to protect our rights, property, and safety and those of our users and others.
- To comply with any applicable law, regulation, legal process, or enforceable governmental request.
We will only process personal information where we have a lawful basis to do so under applicable data protection laws, such as your consent (where required, including for biometric data), the performance of a contract with you, compliance with legal obligations, or our legitimate interests.
4. Identity Verification through Sumsub
We use Sumsub (operated by Sum and Substance Ltd., a company incorporated in England, together with its affiliated companies) as our third-party identity verification provider. When you complete onboarding, the personal information described in Section 2 (including your identification documents and biometric data) is transferred to Sumsub so that it can perform identity verification, liveness/biometric checks, and AML/sanctions on our behalf.
Sumsub stores and processes this personal information on encrypted servers located in data centres within Europe (operated on cloud infrastructure such as Amazon Web Services at a security level no lower than Tier 3. At present, all personal data is stored and processed on specially designated servers in Germany. When data localisation in a certain region is required by law, we will ensure compliance with applicable data residency requirements.
In certain circumstances, Sumsub may process your personal information as a separate and independent data controller. Specifically, where Sumsub processes personal data for its own legitimate purposes (including fraud detection and prevention, compliance with its own legal obligations, and the maintenance of the security and integrity of its systems and services), Sumsub acts as a data controller in respect of such processing. In those circumstances, Sumsub’s processing of your personal information is governed by Sumsub’s own privacy policy, which is available at https://sumsub.com/privacy-notice/ .
5. Sharing of Personal Information
We may share your personal information with the following categories of recipients:
- Identity verification and KYC/AML providers, in particular Sumsub, as described in Section 4.
- Banks, payment institutions, payment gateways, and liquidity providers, where it is necessary to process, settle, or pay out a transaction. To complete an On/Off-Ramp transaction, necessary information such as your name, bank account details, and transaction amount may be shared with these parties.
- Service providers who perform services on our behalf, such as cloud hosting, data storage, security, analytics, and customer support.
- Professional advisers, such as lawyers, auditors, and consultants, where reasonably necessary for compliance, risk management, or the establishment, exercise, or defence of legal claims.
- Government authorities, regulators, law enforcement agencies, or courts, where we believe disclosure is required by applicable law, regulation, or legal process, or where it is necessary to protect our rights or the rights of others.
We do not sell your personal information to third parties. Service providers who process personal information on our behalf are required to use the information only in accordance with our instructions and to implement appropriate security measures.
6. Where We Store Your Information and International Transfers
The account and registration information you submit directly to Zori is hosted on our servers located in Japan. Personal information processed for identity verification is stored by our verification provider, Sumsub, in data centres located within Europe, as described in Section 4.
Where required by applicable law, we will take appropriate steps to ensure that any international transfer of personal information is subject to suitable safeguards designed to protect your information.
Zori is established in the British Virgin Islands and, as a data controller, is subject to the BVI Data Protection Act, 2021 (the "BVI DPA"). Where the BVI DPA applies, you are entitled to exercise the rights described in Section 8 of this Privacy Policy, and Zori has appointed a data protection officer who may be contacted at [DPO email address]. International transfers of personal information by Zori are made in compliance with the requirements of the BVI DPA.
7. Data Retention
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including to provide the Services, comply with legal, regulatory, accounting, or reporting requirements, resolve disputes, and enforce our agreements.
In particular, to comply with applicable anti-money-laundering and counter-terrorist-financing laws, we (and our verification provider) are required to retain your KYC/identity records and transaction records for a minimum period of five (5) years after the end of our business relationship or the date of the relevant transaction, and in some cases longer where required by law. This statutory retention obligation applies even after you close your account and may take precedence over a request to delete your information. When personal information is no longer required, we will take reasonable steps to delete or anonymise it.
8. Your Rights
Depending on your jurisdiction and applicable law, you may have certain rights in relation to your personal information, which may include:
- the right to access and obtain a copy of your personal information;
- the right to request correction or updating of inaccurate or incomplete information;
- the right to request deletion of your personal information, subject to certain exceptions (including the statutory retention obligations described in Section 7);
- the right to object to or request restriction of the processing of your personal information;
- the right to withdraw consent where processing is based on your consent, including consent to process biometric data (without affecting the lawfulness of processing before withdrawal);
- the right to data portability, where applicable; and
- the right to lodge a complaint with a competent supervisory authority.
To exercise any of these rights, you may contact us using the details in the "Contact Us" section below. We may need to verify your identity before responding. Your rights may be subject to limitations under applicable law.
9. Cookies and Similar Technologies
We may use cookies and similar technologies to operate and improve the Services. You may be able to manage your cookie preferences through your browser settings or, where available, through tools provided on our website. If you disable cookies, some features of the Services may not function properly.
10. Security
We implement reasonable and appropriate technical and organisational measures to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. However, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security of your information.
11. Children
The Services are not directed to, and we do not knowingly collect personal information from, anyone under the age of 18. If you believe we have collected information from a minor, please contact us so that we can take appropriate action.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this Privacy Policy and may provide additional notice as appropriate. Your continued use of the Services after any changes become effective will signify your acceptance of the updated Privacy Policy.
13. Contact Us
If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us at support@zori.pro.