Legal

Spend.Net — Privacy Policy

Effective date: 15 May 2026

1. Who we are

This Privacy Policy explains how Widberg Affiliates Limited, registered at Trust Company Complex, Ajeltake Road, Ajeltake Island, Majuro, Republic of the Marshall Islands, MH 96960 ("Spend.Net", "we", "us", or "our"), collects, uses, discloses, and safeguards information about you when you visit https://spend.net (the "Website") or use the Spend.Net platform and the virtual debit card services offered through it (together, the "Services"). It should be read together with our Cookies Policy, AML Policy, Acceptable Use and Restrictions Policy (the "AUP", formerly the "Internal Policy"), and Terms and Conditions.

For the purposes of applicable data-protection law, Widberg Affiliates Limited acts as the controller of the personal data described in this Privacy Policy, unless otherwise indicated. Card issuance and underlying payment processing are performed by our regulated Issuing Partners, which act as independent controllers of the personal data they process for those purposes.

2. Information we collect

2.1 Information you provide to us

We collect personal data that you provide when you apply for an Account, complete identity verification, use the Services, or contact us. This may include:

  • Identification data: full legal name, date of birth, nationality, residential address, gender (where required), and government-issued identification numbers.
  • Contact data: email address, telephone number, and messaging-network identifiers.
  • Identity-verification data: copies of identity documents, selfie / liveness images and the biometric template derived from them, and information about the device used to perform verification.
  • Financial information: card-related information, wallet balances, transaction history, source of funds and source of wealth information, and information required for the Services.
  • Business data (for legal entities and individual entrepreneurs): corporate registration details, business description, beneficial-owner information, and authorisations of directors and signatories.
  • Communication data: the content of any messages, support tickets, or other correspondence you exchange with us.

2.2 Information collected automatically

When you use the Website or the Services we automatically collect:

  • IP address, approximate location, browser type and version, device type and identifiers, operating system, and language settings.
  • Information about your interactions with the Website: pages visited, referral source, date and time of visit, and feature usage.
  • Information collected through cookies and similar technologies (see our Cookies Policy).
  • Security and fraud-prevention signals, including device-fingerprinting data, login attempts, and unusual activity indicators.

2.3 Information from third parties

We may receive information about you from third-party sources, including:

  • Identity-verification, KYC, KYT, and fraud-prevention providers.
  • Sanctions, PEP, and adverse-media screening providers.
  • Our Issuing Partners and other payment service providers.
  • Credit-reference and similar databases where permitted by law.
  • Public registries and other publicly available sources.
  • Other Spend.Net users where you are named in a transaction or communication.

2.4 Biometric data

As part of identity verification, we and our identity-verification providers process several distinct categories of data: (a) the image of your government-issued identity document, (b) a selfie image of your face, (c) a liveness check result (a numerical or boolean score indicating that the selfie was captured from a live person rather than a photograph or screen), and (d) a biometric template derived from the selfie, which is a mathematical representation of facial features used to compare with the photograph on your identity document. The biometric template constitutes biometric data for the purpose of uniquely identifying a natural person. Where applicable law (including, where relevant, Article 9 of the GDPR or the UK GDPR) treats biometric data as a special category of personal data, we process it on the basis of your explicit consent and, in parallel, on the basis that processing is necessary for reasons of substantial public interest in preventing fraud, money laundering, and terrorist financing, and for compliance with our legal and contractual AML/CTF obligations. The biometric template is retained for the periods set out in Section 11 (Data retention). Identity-verification checks may involve automated decision-making — for example, an automated mismatch between the selfie and the identity document may result in an application being rejected or referred for further review. You can request human review of any decision that produces legal or similarly significant effects on you, contest the decision, and obtain an explanation, by contacting [email protected]. You can withdraw your consent to the processing of biometric data at any time; withdrawal does not affect the lawfulness of processing prior to withdrawal, and may result in our being unable to provide the Services to you.

3. How we use your information

We use your personal data for the following purposes:

3.1 Providing and operating the Services

  • Establishing and administering your Account, including issuing virtual debit cards through our Issuing Partners.
  • Verifying your identity, performing KYC, KYT, and EDD checks, and preventing fraud and other financial crime.
  • Processing and facilitating transactions and providing related information (e.g. confirmations, statements).
  • Providing customer support, responding to enquiries, and managing complaints.
  • Operating, maintaining, securing, and improving the Website and the Services.
  • Personalising features such as language and currency preferences.

3.2 Compliance with law and risk management

  • Complying with applicable AML/CTF, sanctions, tax, and financial-crime obligations.
  • Cooperating with our Issuing Partners, regulators, courts, and law-enforcement authorities.
  • Establishing, exercising, or defending legal claims, and enforcing our Terms and Conditions and AUP.
  • Performing risk assessments, audits, and internal investigations.

3.3 Communications

  • Sending operational communications such as transaction confirmations, security alerts, and policy updates.
  • Sending information about new features, promotions, or surveys, where you have consented or where permitted by applicable law. You can opt out at any time.

3.4 Analytics and product development

  • Analysing aggregated and pseudonymised usage patterns.
  • Conducting research and developing new products, features, and services.

4. Legal bases for processing

Where applicable data-protection law requires a legal basis, we rely on:

  • Performance of a contract with you (for example, to provide the Services you have requested).
  • Compliance with a legal obligation (for example, AML/CTF and sanctions obligations imposed on us or on our Issuing Partners and contractually flowed down to Spend.Net).
  • Our legitimate interests in operating, securing, and improving the Services, and in preventing fraud and financial crime, where those interests are not overridden by your rights and freedoms.
  • Your consent — for example, for non-essential cookies, certain marketing communications, and the processing of biometric data where required.

5. How we share your information

We may share your personal data with the following categories of recipient:

5.1 Issuing Partners and payment service providers

We share information with the banks and payment service providers that issue and process your virtual debit cards. These parties may use your information in accordance with their own privacy policies and the regulatory requirements applicable to them.

5.2 Service providers

We engage third-party service providers to support the Services, including identity-verification, sanctions and PEP screening, fraud-prevention, hosting, analytics, communications, and customer-support providers. These providers process personal data on our instructions and are bound by appropriate confidentiality and data-protection obligations.

5.3 Legal and regulatory disclosures

We may disclose information to comply with applicable laws and regulations, to respond to lawful requests from public authorities (including for AML/CTF, sanctions, tax, and law-enforcement purposes), or to protect our rights, property, or safety, those of our customers, or of others.

5.4 Business transfers

In the event of a merger, acquisition, reorganisation, financing, or sale of all or part of our business or assets, your information may be transferred as part of that transaction, subject to appropriate confidentiality protections.

5.5 With your consent or at your direction

We may share your information with other third parties where you have given us your consent or directed us to do so.

6. International transfers

Spend.Net operates internationally. Personal data may be transferred to, stored in, and processed in jurisdictions outside the country in which you are located, including the Republic of the Marshall Islands and the jurisdictions in which our service providers and Issuing Partners operate. As at the effective date of this Privacy Policy, the Republic of the Marshall Islands is not the subject of an adequacy decision adopted by the European Commission or by the UK Government. Where personal data is transferred from the European Economic Area, the United Kingdom, or another jurisdiction with similar restrictions on international transfers, to a country that is not the subject of an adequacy decision, we put in place appropriate safeguards under applicable data-protection law, which may include: (i) the European Commission’s Standard Contractual Clauses (SCCs) adopted in 2021, in the module appropriate to the transfer; (ii) the UK International Data Transfer Agreement or the UK Addendum to the SCCs; (iii) a transfer impact assessment (TIA) considering the laws of the destination country and any supplementary measures required; and (iv) appropriate technical and organisational measures, such as encryption in transit and at rest, access controls, and pseudonymisation where feasible. You can request a copy of the safeguards we use, or further information about specific transfers and recipients, by contacting [email protected].

7. Your choices and rights

Subject to applicable law, you may have the following rights in relation to your personal data:

  • Access — to obtain confirmation of whether we process your personal data and a copy of that data.
  • Rectification — to correct inaccurate or incomplete personal data.
  • Erasure — to request deletion of your personal data in certain circumstances.
  • Restriction or objection — to restrict or object to certain processing.
  • Portability — to receive certain personal data in a structured, commonly used, machine-readable format.
  • Withdrawal of consent — where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Lodging a complaint with a competent supervisory authority.

These rights are not absolute. In particular, we may be required to retain certain personal data — for example, identification, KYC, and transactional records — for AML/CTF and other regulatory or contractual reasons, even where you have requested deletion.

To exercise any of these rights, please contact us using the details in Section 12. We may need to verify your identity before responding.

8. Marketing communications

You may opt out of marketing communications at any time by following the unsubscribe instructions in our emails or by contacting us. Even if you opt out of marketing, we will continue to send you operational and security communications related to your Account and the Services.

9. Cookies and tracking technologies

We use cookies and similar technologies as described in our Cookies Policy. You can control non-essential cookies through your browser settings or the cookie controls provided on the Website.

10. Data security

We implement and maintain technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include access controls, encryption in transit and at rest where appropriate, audit logging, and staff training. No method of transmission over the Internet and no method of electronic storage is fully secure, however, and we cannot guarantee absolute security.

11. Data retention

We retain personal data only for as long as is necessary for the purposes set out in this Privacy Policy, or for any longer period required by law or by our contractual arrangements with our Issuing Partners. In particular, identification, KYC, and transactional records are typically retained for at least five (5) years from the end of the customer relationship or the date of the transaction, whichever is later.

12. Children's privacy

The Services are not directed to children under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us so that we can take appropriate action.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Effective date" and will be effective as soon as it is accessible on the Website. Where the changes are material, we will provide additional notice (for example, by email or through the Services).

14. Contact us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact:

Widberg Affiliates Limited

Trust Company Complex, Ajeltake Road, Ajeltake Island, Majuro, Republic of the Marshall Islands, MH 96960

Privacy and data-protection requests: [email protected]

General enquiries: [email protected]

Complaints and legal notices: [email protected]

Website: https://spend.net