Privacy Policy

ShareMatch Limited - Customer Privacy Notice

Version 1.1 | Last updated: 2026-06-18

This Customer Privacy Notice outlines how we collect, use and protect your personal information when you interact with ShareMatch. We also explain what data we collect, how we process it and what rights you have as a data subject when using ShareMatch services. We adhere to the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the UAE Personal Data Protection Law (PDPL) and the Saudi Arabian Personal Data Protection Law (KSA PDPL). ShareMatch is committed to protecting and respecting your privacy.

Data Controller and Company Identification

The data controller is the entity that decides how your data is processed. The ShareMatch group is headed by ShareMatch Limited, a company limited by shares incorporated in the British Virgin Islands (BVI company number: 2211401, incorporated on 15 June 2026), whose registered office is c/o Walkers Corporate (BVI) Limited, 171 Main Street, PO Box 92, Road Town, Tortola, British Virgin Islands, VG 1110. The specific ShareMatch entity that acts as your Data Controller depends on your region of residence and the platform you are onboarded to:

ShareMatch Limited (BVI)

ShareMatch Limited (BVI company number: 2211401), a company limited by shares incorporated in the British Virgin Islands on 15 June 2026, of c/o Walkers Corporate (BVI) Limited, 171 Main Street, PO Box 92, Road Town, Tortola, British Virgin Islands, VG 1110.

ShareMatch Ltd (United Kingdom)

ShareMatch Ltd (registration number: 15720628) of C/o Prysm Financial, Francis Barber House, 9 Gough Square, London, EC4A 3DG, United Kingdom.

ShareMatch sp. z.o.o. (Poland)

ShareMatch sp. z.o.o. (KRS: 0001143766) of pl. Andersa 3, 61-894 Poznań, Poland.

ShareMatch Software Design L.L.C. (UAE)

ShareMatch Software Design L.L.C. (Licence no. 912622) Office No. 807, Westburry Office Tower, Marasi Drive, Business Bay, Dubai, UAE.


1. Information We Collect

1.1.) Information You Provide

Name, address, e-mail, phone number, and financial/debit card details.

1.2.) Identity Verification Data

Copies of government-issued ID (passports/driving licences) and biometric "samples" (facial images/selfies/video).

1.3.) Information We Collect Automatically

IP addresses, login data, browser types, and full URL clickstreams.

1.4.) Crypto-Asset Data

Public wallet addresses and transaction data associated with Distributed Ledger Technology (DLT).


2. Third-Party KYC & AML Verification

Introduction

To meet our legal obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and applicable EU Anti-Money Laundering Directives, we share your data with specialised third-party identity verification providers.

2.1.) Digital Verification Services (DVS)

We prioritise providers certified under the UK's DVS Trust Framework, ensuring high standards of security and reliability.

2.2.) Biometric Processing

When you provide a "selfie" or video for identity verification, our third-party processors use it to extract facial scan data to uniquely identify you.

2.3.) Lawful Basis

We process your Special Category Biometric Data on the basis of Substantial Public Interest (under Schedule 1 of the UK Data Protection Act 2018 and relevant EU member state laws) to prevent and detect unlawful acts, specifically money laundering and fraud. For residents of Saudi Arabia, the lawful basis for processing this sensitive data is explicit consent, as detailed in Section 7.

2.4.) Automated Decision-Making (ADM)

If our KYC provider uses automated systems to verify your identity, you have the right under the Data (Use and Access) Act 2025 ("the Data Act") to request human intervention, contest the decision, and receive an explanation of any "failed" verification.


3. Cookies and Tracking Technologies

Introduction

Our site uses cookies to distinguish you from other users.

3.1.) Strictly Necessary

Essential for secure login and secure transactions.

3.2.) Analytical (Low-Risk)

Under the Data Act, first-party statistical cookies are used without prior consent to improve our site, provided a clear opt-out is available.

3.3.) Marketing

These are only set if you provide explicit, affirmative consent. Our banner includes a "Reject All" button with equal prominence to "Accept All".


4. International Data Sharing

Introduction

We share information with our 100% owned subsidiaries and trusted processors:

4.1.) Poland (EEA)

Permitted under current UK GDPR adequacy standards.

4.2.) United Arab Emirates (UAE)

Protected by the UK International Data Transfer Agreement (IDTA) and mandatory Transfer Risk Assessments (TRA) to ensure data security.

4.3.) Kingdom of Saudi Arabia (KSA)

Data collected from KSA residents is transferred internationally to our servers and third-party processors. These transfers are strictly safeguarded by Standard Contractual Clauses (SCCs) explicitly approved by the Saudi Data and Artificial Intelligence Authority (SDAIA).


5. Your Rights

Introduction

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data (for KSA-specific rights, please see Section 7):

5.1.) Right of Access (SAR)

You can request a copy of your data, free of charge. We will respond within 30 days, though we may "stop the clock" if we require further information to verify your identity.

5.2.) Right to Rectification

You can request that we correct inaccurate or incomplete data.

5.3.) Right to Erasure (Deletion)

You can request that we delete your data. Please note: we may be legally required to deny or defer this request for certain data (such as your ID and transaction history) due to strict anti-money laundering retention laws.

5.4.) Right to Portability & Restriction

You can request that we transfer your data to another provider, or limit how we process it.

5.5.) Right to Complain

You have a statutory right to lodge a complaint with us or with your local data protection supervisory authority (such as the UK ICO or Polish UODO).


6. Data Retention

Introduction

Retention periods are strictly governed by our legal obligations:

6.1.) KYC/AML Data

Retained for 5 to 10 years after the business relationship ends, per UK, EU and UAE financial laws.

6.2.) Tax/Crypto Asset Reporting Framework (CARF) Records

Retained for at least 6 years for HMRC and relevant tax authority reporting.


7. Special Notice for Residents of the Kingdom of Saudi Arabia

To provide our services and ensure the security of our platform, ShareMatch utilises third-party identity verification partners (currently Sumsub) to conduct mandatory Know Your Customer (KYC) checks. Because our platform and our partners operate globally, the personal and sensitive data you provide during the onboarding process, specifically your government-issued identification and associated biometric data, will be transferred to, hosted and processed on secure servers located outside of the Kingdom of Saudi Arabia.

Purpose and Legal Basis

The cross-border transfer of this data is strictly for the purpose of verifying your identity to grant you secure access to the ShareMatch platform. By proceeding with the KYC verification process, you provide your explicit consent to the international transfer and processing of this sensitive data.

Data Minimisation and Retention

We strictly adhere to the principle of data minimisation. We only transfer the minimum data necessary to complete the verification. ShareMatch does not retain physical copies of your government ID on our primary databases; they are processed securely by our verification partner and are subject to deletion protocols once the verification is complete and the applicable legal retention period (5 to 10 years, as per Section 6.1) has expired.

Your Data Protection Rights (KSA)

Under the Saudi Personal Data Protection Law (PDPL), residents of the Kingdom of Saudi Arabia have specific rights regarding their personal data:

  • Right to be Informed: You have the right to know how we collect your data, the legal basis for processing, and the purpose of collection.
  • Right to Access and Request: You have the right to request access to your personal data held by ShareMatch and request a copy in a clear and readable format.
  • Right to Correction: You have the right to request that we correct, complete or update your personal data.
  • Right to Destruction: You have the right to request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected (subject to financial retention laws).
  • Right to Withdraw Consent: You may withdraw your consent for processing at any time. Withdrawing consent for mandatory KYC processing will result in the loss of platform access.
  • Right to Claim Compensation: You have the right to claim compensation for material or moral damage if you are harmed as a result of any violation of the PDPL by ShareMatch.

Exercising Your Rights and Filing Complaints

To exercise any of the rights listed above, or to file a complaint regarding our data processing practices, please contact our Data Protection Officer at: [email protected]. We will process and respond to all requests within 30 days. If you are dissatisfied with how ShareMatch has handled your request or complaint, you maintain the legal right to submit a formal objection directly to the Competent Authority in Saudi Arabia: the Saudi Data and Artificial Intelligence Authority (SDAIA).


Contact

Contact Information

All privacy inquiries, including data deletion requests or rights under the GDPR and PDPL, must be addressed to our Data Protection Officer at: [email protected]