Stanza Privacy Policy

WHO THIS APPLIES TO: This Privacy Policy applies to individuals who use the Stanza Platform as Business Customers, Admins, Cardholders, or visitors to our website. If you are an employee or job applicant, a separate policy applies. Business Customer company data is also governed by our Data Processing Addendum.

Stanza is a product of Global Stack Services LLC (GSSL), incorporated in the United States. Stanza distributes financial services to businesses through licensed infrastructure providers including Bridge Financial Technologies, Inc. (Payment Infrastructure Provider), Rain / Third National (card programme), and Global Stack (Local Currency Funding and Payout). This Privacy Policy explains how we collect, use, share, and protect personal information in connection with the Stanza Platform and Services.

1. WHO WE ARE AND HOW TO CONTACT US

Stanza is a product of Global Stack Services LLC (GSSL), incorporated in the United States.

For privacy questions, to exercise your rights, or to contact our Data Protection Officer (where required by applicable law), please reach out at: [[email protected]].

This Policy covers personal information processed by Stanza in connection with the Platform and Services. Personal information processed by our infrastructure providers under their own policies is governed by those providers' privacy notices, which are referenced in Section 5 below.

Any violation of this Privacy Policy should be reported to the Data Protection Officer at the contact above for appropriate review and action.

2. INFORMATION WE COLLECT

2.1 Information you provide to us

When you apply for an Account, use the Platform, or communicate with us, we collect:

  • Business Customer information: registered business name, address, registration number, tax identification number, nature of business, expected transaction volumes, and source of funds declarations;
  • Director and UBO information: legal name, role, nationality, date of birth, residential address, government-issued photo ID, and tax identification number;
  • Admin information: name, email address, phone number, job title, and Platform credentials;
  • Cardholder information: name, date of birth, contact details, and government-issued ID (collected by see Section 2.3);
  • Transaction information: payout beneficiary details, payment references, transaction amounts, and purpose of payment declarations;
  • Communications: correspondence, support requests, and feedback you provide to us.

2.2 Information we collect automatically

When you use the Platform we automatically collect:

  • Usage and device data: IP address, browser type and version, operating system, device identifiers, pages visited, time spent, and clickstream data;
  • Location information: we may infer your general geographic location from your IP address;
  • Log data: access times, error reports, and security event logs;
  • Transaction logs: wallet funding events, payout initiations, card spend records, and webhook events.

2.3 Information we receive from third parties

We receive information about you from:

  • Identity verification providers: Rain and Third National conduct Cardholder KYC directly via the Persona SDK and share verification outcomes with us;
  • The Payment Infrastructure Provider (Bridge): account status, transaction records, compliance flags, and sub-account data;
  • Global Stack affiliates: Local Currency Funding and Payout transaction data, FX conversion records, and funding corridor onboarding data;
  • Sanctions and KYB screening providers: screening outcomes against OFAC, UN, EU, UK, and other sanctions lists;
  • Credit reference and business information agencies: business verification data used during KYB onboarding;
  • Publicly available sources: company registries, regulatory databases, and adverse media.

3. GROUNDS FOR AND PURPOSES OF PROCESSING

We process personal information only where we have a lawful basis for doing so under applicable data protection law. The lawful bases on which we rely are:

  • Consent: where you have given clear consent for a specific purpose (for example, receiving marketing communications);
  • Contract performance: where processing is necessary to perform our obligations under the Platform Agreement or to take steps at your request before entering into an agreement;
  • Legal obligation: where processing is necessary to comply with applicable law or regulation (including AML/CFT obligations, sanctions screening, and financial reporting requirements);
  • Legitimate interests: where processing is necessary for our legitimate business interests or those of a third party, provided those interests are not overridden by your rights and freedoms. Where we rely on legitimate interests, we have considered and balanced those interests against your rights and concluded they are not overridden. You may object to processing based on legitimate interests; see Section 7.
PurposeLawful basisInformation used
Onboarding and KYB verificationContract performance; legal obligation (AML/CFT)Business, director, UBO, and Admin data
Providing the Platform and ServicesContract performanceAll categories
Processing transactions (funding, payouts, card spend)Contract performanceTransaction and Account data
Sanctions and PEP screeningLegal obligation; legitimate interestsDirector, UBO, Cardholder identity data
AML/CFT monitoring and escalationLegal obligationTransaction data, funding patterns, Account data
Fraud prevention and securityLegitimate interestsUsage data, transaction data, device data
Compliance with legal and regulatory obligationsLegal obligationAll categories as required
Identity verification using automated tools (see Section 9)Legal obligation; contract performanceDirector, UBO, Cardholder identity documents
Improving the Platform and ServicesLegitimate interestsUsage data, aggregated/anonymised data
Customer support and communicationsContract performance; legitimate interestsContact and Account data
Marketing and product updates (where consented)ConsentContact data
Sharing with infrastructure providers for their own complianceLegal obligation; contract performanceBusiness, director, UBO, Cardholder data

4. HOW LONG WE KEEP YOUR INFORMATION

We retain personal information for as long as necessary to fulfil the purposes in Section 3 and to comply with our legal and regulatory obligations. The following minimum retention periods apply:

CategoryRetention periodBasis
KYB files (business, director, UBO data)5 years from account closure or last transactionAML/CFT regulatory requirement
Transaction records5 years from transaction dateAML/CFT regulatory requirement
Admin and Cardholder identity data5 years from account closureAML/CFT and card programme requirements
Sanctions and PEP screening records5 years from date of screeningAML/CFT regulatory requirement
Support communications3 years from resolutionContractual obligations/Legitimate interests
Usage and device data12 monthsLegitimate interests
Marketing data (where consented)Until consent withdrawn or 3 years of inactivityConsent

Where a longer retention period is required by our infrastructure providers, applicable law, or a legal hold, the longer period applies. When the applicable retention period expires, we securely delete, erase, anonymise, or pseudonymise personal information in accordance with our data retention procedures. We may retain de-identified data indefinitely for statistical and analytical purposes.

5. WHO WE SHARE YOUR INFORMATION WITH

Stanza does not sell, trade, or rent personal information to third parties. We share personal information only as described below.

5.1 Infrastructure providers

We share personal information with our licensed infrastructure providers to enable them to provide services and fulfil their own legal and regulatory obligations:

ProviderWhat we shareWhy
Bridge Financial Technologies, Inc. (Payment Infrastructure Provider)Business Customer KYB data, director and UBO information, transaction dataAccount verification, sub-wallet operation, US BSA/AML compliance
Rain (Signify Holdings, Inc.) / Third NationalBusiness Customer KYB data, director information, Cardholder data via Persona SDKCard programme management, Cardholder underwriting, Visa network compliance
Global Stack affiliatesBusiness Customer KYB data, Local Currency Funding transaction dataLocal Currency Funding and Payout operations, funding corridor compliance
Persona (via Rain)Cardholder identity documents and biometric dataCardholder KYC, collected and processed by Rain directly

5.2 Service providers and processors

We engage third-party service providers who process personal information on our behalf under data processing agreements, including: cloud infrastructure providers; analytics and monitoring tools; customer support platforms; and sanctions screening providers. These providers are contractually prohibited from using personal information for any purpose other than providing services to us. A current list of sub-processors is available at link to sub-processor list / DPA.

5.3 Legal and regulatory disclosure

We may disclose personal information: to comply with applicable law, regulation, or court order; in response to lawful requests from regulatory authorities or law enforcement (including the US FinCEN, OFAC, or other competent authorities); to protect the rights, property, or safety of Stanza, our infrastructure providers, Business Customers, Cardholders, or others; or in connection with the enforcement of our legal rights.

5.4 Business transfers

If Stanza or GSSL is involved in a merger, acquisition, financing, or sale of all or part of our business, personal information may be transferred to the relevant third party as part of that transaction. We will notify affected individuals of any such transfer and the applicable privacy policy that will govern their information.

6. INTERNATIONAL DATA TRANSFERS

Stanza is a US-based platform. Personal information we collect is processed in the United States and may be transferred to and processed by our infrastructure providers in other countries.

Where we transfer personal information internationally, we ensure appropriate safeguards are in place in accordance with applicable data protection law. For transfers from jurisdictions with data transfer restrictions, we rely on appropriate mechanisms such as standard contractual clauses or equivalent safeguards approved by the relevant regulatory authority.

For personal information of individuals in Nigeria and other jurisdictions with specific cross-border transfer requirements, we implement appropriate contractual safeguards consistent with the applicable requirements of those jurisdictions. Details of the safeguards in place for specific transfers are available on request.

7. YOUR RIGHTS

Depending on your location and the applicable data protection law, you may have the following rights in relation to your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Rectification: Ask us to correct inaccurate or incomplete personal information
  • Erasure: Ask us to delete your personal information (subject to our legal retention obligations)
  • Restriction: Ask us to restrict processing of your personal information in certain circumstances
  • Portability: Receive your personal information in a structured, commonly used electronic format
  • Objection: Object to processing based on legitimate interests, including profiling; you have an absolute right to object to direct marketing
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at [email protected]. We will acknowledge your request promptly and respond within 30 days of receipt. We may extend this period by a further 30 days where requests are complex or numerous, and we will notify you if this is the case. We may need to verify your identity before processing your request.

If you are a Cardholder and your personal information is processed by Rain or Third National as part of the card programme, you should also contact Rain directly at ........Rain privacy contact to exercise your rights in respect of data they hold about you.

If you are dissatisfied with our response or believe we have processed your personal information in breach of applicable data protection law, you have the right to lodge a complaint with the supervisory authority responsible for data protection in your jurisdiction. The relevant authority will depend on your country of residence, your place of work, or the location of the alleged infringement. Section 12 identifies the relevant supervisory authorities for specific jurisdictions.

8. COOKIES AND TRACKING TECHNOLOGIES

8.1 Cookies

We use cookies and similar tracking technologies on the Platform and our website to: authenticate users and maintain session security; remember your preferences; analyse Platform usage and performance; and detect and prevent fraud and security incidents.

Cookies are small text files stored on your device when you visit a website. They enable the Platform to remember your actions and preferences over time. Cookies do not typically contain information that directly identifies you, but the personal information we hold about you may be linked to information stored in cookies.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Platform. Unless you have adjusted your browser settings to refuse cookies, our system will issue cookies when you access the Platform or our website. For more information about the specific cookies we use, see our Cookie Notice at: link.

8.2 Analytics and tracking technologies

Our website may use analytics tools (such as Google Analytics) to help us understand how visitors interact with our website and improve our services. These tools may collect usage data including pages visited, time spent, and referring URLs. You can opt out of Google Analytics data collection by using the Google Analytics opt-out browser add-on available at tools.google.com/dlpage/gaoptout.

We do not currently use advertising pixels or cross-site behavioural tracking technologies in connection with the Platform. If this changes, we will update this Policy and our Cookie Notice accordingly and obtain any consents required by applicable law.

9. AUTOMATED PROCESSING AND ARTIFICIAL INTELLIGENCE

Stanza and its infrastructure providers use automated tools and artificial intelligence in certain aspects of the Services, including:

  • Identity document verification: during KYB onboarding, automated tools may be used to extract and match information from identity documents submitted by directors, UBOs, and Admins. Where automated verification is used, human review is applied to cases that require closer attention. The underlying decision to approve or decline an Account remains subject to human oversight and is not made solely by automated means;
  • Cardholder KYC: Rain conducts Cardholder identity verification via the Persona SDK, which may include automated document verification. This is conducted by Rain under its own policies;
  • Sanctions and fraud screening: automated screening tools are used to screen against sanctions lists and to detect suspicious activity. Where a potential match is identified, a human compliance review is conducted before any action is taken;
  • Platform analytics: aggregated and anonymised usage data may be analysed using automated tools to improve Platform features and performance.

Where automated processing is used in ways that produce legal or similarly significant effects for you, you have the right to: request human review of the decision; express your point of view; and contest the decision. No individual will be penalised for choosing to opt out of processing activities that rely solely on automated decision-making. To exercise these rights, contact us at [email protected].

We will continue to review and update our approach to automated processing and AI as the technology and applicable regulatory standards evolve, and will notify you of any material changes in accordance with Section 11.

10. SECURITY AND DATA BREACH NOTIFICATION

10.1 Security measures

We implement technical, administrative, and organisational measures designed to protect personal information against unauthorised access, disclosure, alteration, or destruction. These include:

  • Encryption of personal information in transit and at rest;
  • Access controls and authentication requirements for Platform access, including multi-factor authentication for administrative access;
  • Regular security assessments and vulnerability management;
  • Incident detection, response, and recovery procedures;
  • Employee and contractor training on data protection and information security.

No system is completely secure. If you become aware of a potential security incident affecting your Account or personal information, please notify us immediately at [email protected].

10.2 Data breach notification

In the event of a personal data breach, we have established procedures for identifying, containing, and reporting the incident. When we become aware of a breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with applicable data protection law;
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
  • Include in any notification: a description of the nature of the breach; the categories and approximate number of individuals and records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.

We maintain a record of all personal data breaches, including those that do not require notification, and will provide this information to the relevant supervisory authority on request.

11. CHILDREN'S INFORMATION

The Platform and Services are intended for use by businesses and their employees aged 18 or over. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us at [email protected] and we will take steps to delete it promptly.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or requirements imposed by our infrastructure providers (including the Payment Infrastructure Provider, Rain, Third National, or Global Stack). When we make material changes, we will notify you through the Platform or by email at least 30 days before the changes take effect, except where a shorter period is required by law or by our infrastructure providers. The current version of this Policy is always available at link. Continued use of the Platform after any update constitutes your acceptance of the updated Policy.

13. JURISDICTION-SPECIFIC DISCLOSURES

13.1 Nigeria (NDPA 2023 / NDPR 2019)

For individuals in Nigeria, Stanza processes personal data in accordance with the Nigeria Data Protection Act 2023 (Act No. 14 of 2023) (NDPA), the Nigeria Data Protection Act Implementation Framework 2023 (NDPA-IF), and the Nigeria Data Protection Regulation 2019 (NDPR) to the extent it remains operative in respect of matters not yet fully superseded by the NDPA and NDPA-IF.

Stanza acts as a data controller in respect of personal data of Nigerian Business Customers, their directors, UBOs, and Admins collected through the KYB onboarding process and in connection with the Services. Where Stanza shares personal data of Nigerian individuals with its infrastructure providers, appropriate data processing agreements consistent with the requirements of the NDPA are in place.

The lawful bases for processing personal data of Nigerian individuals are as set out in Section 3. Cross-border transfers of Nigerian personal data are conducted in accordance with the transfer mechanisms recognised under the NDPA and NDPA-IF, including appropriate contractual safeguards with receiving parties.

13.2 United States (Gramm-Leach-Bliley Act / state privacy laws)

Stanza's infrastructure providers (Bridge and Rain/Third National) are subject to US federal financial privacy laws including the Gramm-Leach-Bliley Act (GLBA). Stanza's data handling practices are designed to be consistent with GLBA standards as applied to programme managers operating within a licensed financial services stack.

If you are a California resident, you may have additional rights under the California Privacy Rights Act (CPRA), including the right to know, correct, delete, and opt out of the sale or sharing of your personal information. To exercise these rights, contact us at [email protected]. You have the right to lodge a complaint with the California Privacy Protection Agency (CPPA) or your applicable state supervisory authority.