Privacy Policy
Last updated · 2026-05-02
LurraPay Inc. (“LurraPay”, “we”, “our”) operates a financial-services platform that resells regulated multi-currency stablecoin banking, on-ramp, off-ramp, and swap services from licensed partners. This policy explains what personal data we collect, how it flows between LurraPay and our partners, and the rights you have under the GDPR, the UK GDPR, and the CCPA/CPRA.
Scope
This policy covers data processed in connection with the LurraPay marketing site, customer accounts, and the financial services we resell. It applies whether you are a prospective customer, an account holder, a press contact, or a visitor to lurrapay.com.
Data We Collect
Account information
- Name, email address, and password hash for authentication.
- Optional profile information you choose to provide (display name, country of residence, preferred currency).
- Communication you send us (support tickets, email replies).
KYC and identity verification
Identity documents, selfies, proof of address, and source-of-funds information collected during onboarding are submitted directly to our regulated KYC, banking, ramps, and custody processor. LurraPay does not see, store, or process raw KYC documents in its own systems. We receive only a verification status (pending / approved / rejected) and a partner-issued reference identifier.
Transaction data
Balances, transaction histories, IBAN/account references, and other ledger data are held by our regulated banking and ramp partners. LurraPay surfaces this information to you through their APIs but is not the legal record holder for it. Retention windows for transaction data are governed by the partner bank’s licence obligations (typically five to ten years; partner-specific terms apply).
Technical data
- IP address, user agent, and timestamps for security and rate-limiting.
- Session cookies (first-party, essential).
- Theme and consent preferences (first-party cookies).
Analytics
We use Plausible Analytics, which is cookie-free and does not collect or process personal data. No cross-site tracking, no fingerprinting, no advertising identifiers. See /cookies for details.
Data We Do Not Collect
- We do not run advertising trackers, remarketing pixels, or third-party SDKs.
- We do not store payment-card numbers; ramp partners handle card processing.
- We do not collect biometric data ourselves; KYC biometrics go directly to our regulated processor.
- Plausible does not set cookies or build user profiles.
How We Use Your Data
- To create and operate your account.
- To route requests to the correct partner (banking, ramps, swap) and surface their responses to you.
- To meet anti-money-laundering, counter-terrorist-financing, and sanctions-screening obligations imposed on us and our partners.
- To provide customer support and security monitoring.
- To improve the platform and aggregate non-identifying usage trends.
Legal Bases (GDPR / UK GDPR)
- Contract — providing the services you have signed up for.
- Legal obligation — AML/CTF, sanctions, tax reporting where applicable.
- Legitimate interest — fraud prevention, network and information security, product improvement.
- Consent — non-essential cookies and marketing communications, where required.
Sharing With Partners and Sub-Processors
To deliver financial services, we share the minimum necessary personal data with:
- Our regulated KYC, banking, ramps, and custody processor — provides identity verification, virtual accounts, fiat ↔ stablecoin conversion, and custody. Account holders interact with the processor through embedded flows; raw documents and payment instructions flow directly to the processor, not through LurraPay.
- Cloud infrastructure providers — for hosting and database services inside the EU/EEA.
- Email delivery (Proton Mail) — for transactional emails.
A complete sub-processor list is available on request.
International Transfers
Where personal data is transferred outside the EU/EEA or UK, we rely on Standard Contractual Clauses or another approved transfer mechanism. Transfers to US partners are covered by SCCs plus partner-side certifications where available.
Retention
Account data is retained while your account is active and for a reasonable closure window thereafter. Transaction and KYC records are retained according to the partner bank’s licence requirements — typically five to ten years from the last transaction. Marketing-list data is retained until you unsubscribe.
Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion (subject to AML/CTF retention obligations).
- Receive your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent at any time without affecting prior lawful processing.
- Lodge a complaint with your supervisory authority (GDPR) or the California Privacy Protection Agency (CCPA/CPRA).
California Residents (CCPA / CPRA)
We do not sell or share personal information for cross-context behavioural advertising. California residents may exercise the rights described above and may designate an authorised agent to act on their behalf.
Security
We use TLS in transit, encrypted storage at rest, scoped access, and audit logging. Sensitive operations (transfers, key changes) require multi-factor authentication where offered.
Children
LurraPay services are not directed at and not available to anyone under 18. We do not knowingly collect data from minors.
Changes
We may update this policy as the platform evolves. Material changes will be announced on the site and, where appropriate, by email.
Data Protection Officer
Contact our DPO at privacy@lurrapay.com for any privacy question or rights request.