Privacy Policy

This policy explains how Settled Ltd handles personal data when you use our website, apply for an account, or use our payment services. As a regulated financial institution we take privacy and security seriously, and we collect only what we need to run a safe, compliant service.

Last updated: 1 June 2026 · Version 1.0

1. Who we are

Settled Ltd is the data controller for the personal data described in this policy. We are registered in Malta with our registered office in the Central Business District, Birkirkara, Malta, and we are authorised and regulated by the MFSA as a financial institution under the Financial Institutions Act (Cap. 376 of the Laws of Malta).

2. What data we collect

Depending on how you interact with us, we may collect:

• Identity and business data: names, dates of birth, nationality, identification documents, company details, ownership structure and roles of directors and beneficial owners.
• Contact data: email address, phone number and postal address.
• Account and transaction data: balances, payments, beneficiaries, card activity and statements.
• Verification and compliance data: information needed to meet anti-money-laundering, sanctions and fraud-prevention obligations, including results of screening checks.
• Technical and usage data: device, browser, IP address and how you use our website and app, collected partly through cookies (see our cookie policy).
• Communications: records of your contact with our support and compliance teams.

3. Why we use it and our lawful bases

Under the GDPR we must have a lawful basis for using your personal data. We rely on the following:

• Performance of a contract: to open and operate your account, process payments and provide support.
• Legal obligation: to meet our regulatory duties, including customer due diligence, anti-money-laundering, sanctions screening, tax reporting and record-keeping.
• Legitimate interests: to prevent fraud, secure our systems, improve our services and manage our business, where these interests are not overridden by your rights.
• Consent: for certain optional cookies and marketing communications, which you can withdraw at any time.

4. Who we share it with

We share personal data only where necessary, with appropriate safeguards in place. This may include payment schemes and partner banks, identity-verification and screening providers, card issuers, technology and infrastructure providers acting on our instructions, professional advisers, and regulators or authorities where we are legally required to do so. We do not sell your personal data. Where data is transferred outside the EEA, we put in place appropriate legal safeguards such as standard contractual clauses.

5. How long we keep it

We keep personal data only for as long as needed for the purpose it was collected, and to meet our legal and regulatory obligations. As a financial institution, we are generally required to retain account, transaction and due-diligence records for at least five years after the end of our relationship with you, and sometimes longer where the law requires. When data is no longer needed, we securely delete or anonymise it.

6. How we protect it

We use technical and organisational measures appropriate to the sensitivity of the data, including encryption, access controls, strong customer authentication and continuous monitoring. Access to personal data is limited to staff and partners who need it to do their job, and they are bound by confidentiality obligations.

7. Your rights

Subject to certain conditions and exemptions under the GDPR, you have the right to:

• Access the personal data we hold about you.
• Have inaccurate or incomplete data corrected.
• Request erasure of your data where we are no longer required to keep it.
• Restrict or object to certain processing.
• Request portability of data you provided to us.
• Withdraw consent where we rely on it, without affecting prior processing.

Some of these rights are limited where we must keep data to meet our regulatory obligations. For example, we cannot delete records we are required by law to retain.

8. Complaints to a supervisory authority

If you have concerns about how we handle your data, please contact us first so we can put things right. You also have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC) in Malta, or with the data protection authority in your country of residence.

9. Contacting our Data Protection Officer

We have appointed a Data Protection Officer (DPO) who oversees how we handle personal data. You can reach the DPO by emailing dpo@settled.cc or by writing to the Data Protection Officer, Settled Ltd, Central Business District, Birkirkara, Malta. We will respond to data-protection requests within the timeframes required by law.