Privacy Policy
ShareMatch Limited - Customer Privacy Notice
Version 1.1 | Last updated: 2026-06-18
Data Controller and Company Identification
ShareMatch Limited (BVI)
ShareMatch Limited (BVI company number: 2211401), a company limited by shares incorporated in the British Virgin Islands on 15 June 2026, of c/o Walkers Corporate (BVI) Limited, 171 Main Street, PO Box 92, Road Town, Tortola, British Virgin Islands, VG 1110.
ShareMatch Ltd (United Kingdom)
ShareMatch Ltd (registration number: 15720628) of C/o Prysm Financial, Francis Barber House, 9 Gough Square, London, EC4A 3DG, United Kingdom.
ShareMatch sp. z.o.o. (Poland)
ShareMatch sp. z.o.o. (KRS: 0001143766) of pl. Andersa 3, 61-894 Poznań, Poland.
ShareMatch Software Design L.L.C. (UAE)
ShareMatch Software Design L.L.C. (Licence no. 912622) Office No. 807, Westburry Office Tower, Marasi Drive, Business Bay, Dubai, UAE.
1. Information We Collect
1.1.) Information You Provide
Name, address, e-mail, phone number, and financial/debit card details.
1.2.) Identity Verification Data
Copies of government-issued ID (passports/driving licences) and biometric "samples" (facial images/selfies/video).
1.3.) Information We Collect Automatically
IP addresses, login data, browser types, and full URL clickstreams.
1.4.) Crypto-Asset Data
Public wallet addresses and transaction data associated with Distributed Ledger Technology (DLT).
2. Third-Party KYC & AML Verification
Introduction
To meet our legal obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and applicable EU Anti-Money Laundering Directives, we share your data with specialised third-party identity verification providers.
2.1.) Digital Verification Services (DVS)
We prioritise providers certified under the UK's DVS Trust Framework, ensuring high standards of security and reliability.
2.2.) Biometric Processing
When you provide a "selfie" or video for identity verification, our third-party processors use it to extract facial scan data to uniquely identify you.
2.3.) Lawful Basis
We process your Special Category Biometric Data on the basis of Substantial Public Interest (under Schedule 1 of the UK Data Protection Act 2018 and relevant EU member state laws) to prevent and detect unlawful acts, specifically money laundering and fraud. For residents of Saudi Arabia, the lawful basis for processing this sensitive data is explicit consent, as detailed in Section 7.
2.4.) Automated Decision-Making (ADM)
If our KYC provider uses automated systems to verify your identity, you have the right under the Data (Use and Access) Act 2025 ("the Data Act") to request human intervention, contest the decision, and receive an explanation of any "failed" verification.
3. Cookies and Tracking Technologies
Introduction
Our site uses cookies to distinguish you from other users.
3.1.) Strictly Necessary
Essential for secure login and secure transactions.
3.2.) Analytical (Low-Risk)
Under the Data Act, first-party statistical cookies are used without prior consent to improve our site, provided a clear opt-out is available.
3.3.) Marketing
These are only set if you provide explicit, affirmative consent. Our banner includes a "Reject All" button with equal prominence to "Accept All".
4. International Data Sharing
Introduction
We share information with our 100% owned subsidiaries and trusted processors:
4.1.) Poland (EEA)
Permitted under current UK GDPR adequacy standards.
4.2.) United Arab Emirates (UAE)
Protected by the UK International Data Transfer Agreement (IDTA) and mandatory Transfer Risk Assessments (TRA) to ensure data security.
4.3.) Kingdom of Saudi Arabia (KSA)
Data collected from KSA residents is transferred internationally to our servers and third-party processors. These transfers are strictly safeguarded by Standard Contractual Clauses (SCCs) explicitly approved by the Saudi Data and Artificial Intelligence Authority (SDAIA).
5. Your Rights
Introduction
Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data (for KSA-specific rights, please see Section 7):
5.1.) Right of Access (SAR)
You can request a copy of your data, free of charge. We will respond within 30 days, though we may "stop the clock" if we require further information to verify your identity.
5.2.) Right to Rectification
You can request that we correct inaccurate or incomplete data.
5.3.) Right to Erasure (Deletion)
You can request that we delete your data. Please note: we may be legally required to deny or defer this request for certain data (such as your ID and transaction history) due to strict anti-money laundering retention laws.
5.4.) Right to Portability & Restriction
You can request that we transfer your data to another provider, or limit how we process it.
5.5.) Right to Complain
You have a statutory right to lodge a complaint with us or with your local data protection supervisory authority (such as the UK ICO or Polish UODO).
6. Data Retention
Introduction
Retention periods are strictly governed by our legal obligations:
6.1.) KYC/AML Data
Retained for 5 to 10 years after the business relationship ends, per UK, EU and UAE financial laws.
6.2.) Tax/Crypto Asset Reporting Framework (CARF) Records
Retained for at least 6 years for HMRC and relevant tax authority reporting.
7. Special Notice for Residents of the Kingdom of Saudi Arabia
Purpose and Legal Basis
The cross-border transfer of this data is strictly for the purpose of verifying your identity to grant you secure access to the ShareMatch platform. By proceeding with the KYC verification process, you provide your explicit consent to the international transfer and processing of this sensitive data.
Data Minimisation and Retention
We strictly adhere to the principle of data minimisation. We only transfer the minimum data necessary to complete the verification. ShareMatch does not retain physical copies of your government ID on our primary databases; they are processed securely by our verification partner and are subject to deletion protocols once the verification is complete and the applicable legal retention period (5 to 10 years, as per Section 6.1) has expired.
Your Data Protection Rights (KSA)
Under the Saudi Personal Data Protection Law (PDPL), residents of the Kingdom of Saudi Arabia have specific rights regarding their personal data:
- Right to be Informed: You have the right to know how we collect your data, the legal basis for processing, and the purpose of collection.
- Right to Access and Request: You have the right to request access to your personal data held by ShareMatch and request a copy in a clear and readable format.
- Right to Correction: You have the right to request that we correct, complete or update your personal data.
- Right to Destruction: You have the right to request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected (subject to financial retention laws).
- Right to Withdraw Consent: You may withdraw your consent for processing at any time. Withdrawing consent for mandatory KYC processing will result in the loss of platform access.
- Right to Claim Compensation: You have the right to claim compensation for material or moral damage if you are harmed as a result of any violation of the PDPL by ShareMatch.
Exercising Your Rights and Filing Complaints
To exercise any of the rights listed above, or to file a complaint regarding our data processing practices, please contact our Data Protection Officer at: [email protected]. We will process and respond to all requests within 30 days. If you are dissatisfied with how ShareMatch has handled your request or complaint, you maintain the legal right to submit a formal objection directly to the Competent Authority in Saudi Arabia: the Saudi Data and Artificial Intelligence Authority (SDAIA).
Contact
Contact Information
All privacy inquiries, including data deletion requests or rights under the GDPR and PDPL, must be addressed to our Data Protection Officer at: [email protected]