Stanza Privacy Policy
WHO THIS APPLIES TO: This Privacy Policy applies to individuals who use the Stanza Platform as Business Customers, Admins, Cardholders, or visitors to our website. If you are an employee or job applicant, a separate policy applies. Business Customer company data is also governed by our Data Processing Addendum.
Stanza is a product of Global Stack Services LLC (GSSL), incorporated in the United States. Stanza distributes financial services to businesses through licensed infrastructure providers including Bridge Financial Technologies, Inc. (Payment Infrastructure Provider), Rain / Third National (card programme), and Global Stack (Local Currency Funding and Payout). This Privacy Policy explains how we collect, use, share, and protect personal information in connection with the Stanza Platform and Services.
1. WHO WE ARE AND HOW TO CONTACT US
Stanza is a product of Global Stack Services LLC (GSSL), incorporated in the United States.
For privacy questions, to exercise your rights, or to contact our Data Protection Officer (where required by applicable law), please reach out at: [[email protected]].
This Policy covers personal information processed by Stanza in connection with the Platform and Services. Personal information processed by our infrastructure providers under their own policies is governed by those providers' privacy notices, which are referenced in Section 5 below.
Any violation of this Privacy Policy should be reported to the Data Protection Officer at the contact above for appropriate review and action.
2. INFORMATION WE COLLECT
2.1 Information you provide to us
When you apply for an Account, use the Platform, or communicate with us, we collect:
- •Business Customer information: registered business name, address, registration number, tax identification number, nature of business, expected transaction volumes, and source of funds declarations;
- •Director and UBO information: legal name, role, nationality, date of birth, residential address, government-issued photo ID, and tax identification number;
- •Admin information: name, email address, phone number, job title, and Platform credentials;
- •Cardholder information: name, date of birth, contact details, and government-issued ID (collected by see Section 2.3);
- •Transaction information: payout beneficiary details, payment references, transaction amounts, and purpose of payment declarations;
- •Communications: correspondence, support requests, and feedback you provide to us.
2.2 Information we collect automatically
When you use the Platform we automatically collect:
- •Usage and device data: IP address, browser type and version, operating system, device identifiers, pages visited, time spent, and clickstream data;
- •Location information: we may infer your general geographic location from your IP address;
- •Log data: access times, error reports, and security event logs;
- •Transaction logs: wallet funding events, payout initiations, card spend records, and webhook events.
2.3 Information we receive from third parties
We receive information about you from:
- •Identity verification providers: Rain and Third National conduct Cardholder KYC directly via the Persona SDK and share verification outcomes with us;
- •The Payment Infrastructure Provider (Bridge): account status, transaction records, compliance flags, and sub-account data;
- •Global Stack affiliates: Local Currency Funding and Payout transaction data, FX conversion records, and funding corridor onboarding data;
- •Sanctions and KYB screening providers: screening outcomes against OFAC, UN, EU, UK, and other sanctions lists;
- •Credit reference and business information agencies: business verification data used during KYB onboarding;
- •Publicly available sources: company registries, regulatory databases, and adverse media.
3. GROUNDS FOR AND PURPOSES OF PROCESSING
We process personal information only where we have a lawful basis for doing so under applicable data protection law. The lawful bases on which we rely are:
- •Consent: where you have given clear consent for a specific purpose (for example, receiving marketing communications);
- •Contract performance: where processing is necessary to perform our obligations under the Platform Agreement or to take steps at your request before entering into an agreement;
- •Legal obligation: where processing is necessary to comply with applicable law or regulation (including AML/CFT obligations, sanctions screening, and financial reporting requirements);
- •Legitimate interests: where processing is necessary for our legitimate business interests or those of a third party, provided those interests are not overridden by your rights and freedoms. Where we rely on legitimate interests, we have considered and balanced those interests against your rights and concluded they are not overridden. You may object to processing based on legitimate interests; see Section 7.
4. HOW LONG WE KEEP YOUR INFORMATION
We retain personal information for as long as necessary to fulfil the purposes in Section 3 and to comply with our legal and regulatory obligations. The following minimum retention periods apply:
Where a longer retention period is required by our infrastructure providers, applicable law, or a legal hold, the longer period applies. When the applicable retention period expires, we securely delete, erase, anonymise, or pseudonymise personal information in accordance with our data retention procedures. We may retain de-identified data indefinitely for statistical and analytical purposes.
5. WHO WE SHARE YOUR INFORMATION WITH
Stanza does not sell, trade, or rent personal information to third parties. We share personal information only as described below.
5.1 Infrastructure providers
We share personal information with our licensed infrastructure providers to enable them to provide services and fulfil their own legal and regulatory obligations:
5.2 Service providers and processors
We engage third-party service providers who process personal information on our behalf under data processing agreements, including: cloud infrastructure providers; analytics and monitoring tools; customer support platforms; and sanctions screening providers. These providers are contractually prohibited from using personal information for any purpose other than providing services to us. A current list of sub-processors is available at link to sub-processor list / DPA.
5.3 Legal and regulatory disclosure
We may disclose personal information: to comply with applicable law, regulation, or court order; in response to lawful requests from regulatory authorities or law enforcement (including the US FinCEN, OFAC, or other competent authorities); to protect the rights, property, or safety of Stanza, our infrastructure providers, Business Customers, Cardholders, or others; or in connection with the enforcement of our legal rights.
5.4 Business transfers
If Stanza or GSSL is involved in a merger, acquisition, financing, or sale of all or part of our business, personal information may be transferred to the relevant third party as part of that transaction. We will notify affected individuals of any such transfer and the applicable privacy policy that will govern their information.
6. INTERNATIONAL DATA TRANSFERS
Stanza is a US-based platform. Personal information we collect is processed in the United States and may be transferred to and processed by our infrastructure providers in other countries.
Where we transfer personal information internationally, we ensure appropriate safeguards are in place in accordance with applicable data protection law. For transfers from jurisdictions with data transfer restrictions, we rely on appropriate mechanisms such as standard contractual clauses or equivalent safeguards approved by the relevant regulatory authority.
For personal information of individuals in Nigeria and other jurisdictions with specific cross-border transfer requirements, we implement appropriate contractual safeguards consistent with the applicable requirements of those jurisdictions. Details of the safeguards in place for specific transfers are available on request.
7. YOUR RIGHTS
Depending on your location and the applicable data protection law, you may have the following rights in relation to your personal information:
- •Access: Request a copy of the personal information we hold about you
- •Rectification: Ask us to correct inaccurate or incomplete personal information
- •Erasure: Ask us to delete your personal information (subject to our legal retention obligations)
- •Restriction: Ask us to restrict processing of your personal information in certain circumstances
- •Portability: Receive your personal information in a structured, commonly used electronic format
- •Objection: Object to processing based on legitimate interests, including profiling; you have an absolute right to object to direct marketing
- •Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at [email protected]. We will acknowledge your request promptly and respond within 30 days of receipt. We may extend this period by a further 30 days where requests are complex or numerous, and we will notify you if this is the case. We may need to verify your identity before processing your request.
If you are a Cardholder and your personal information is processed by Rain or Third National as part of the card programme, you should also contact Rain directly at ........Rain privacy contact to exercise your rights in respect of data they hold about you.
If you are dissatisfied with our response or believe we have processed your personal information in breach of applicable data protection law, you have the right to lodge a complaint with the supervisory authority responsible for data protection in your jurisdiction. The relevant authority will depend on your country of residence, your place of work, or the location of the alleged infringement. Section 12 identifies the relevant supervisory authorities for specific jurisdictions.
8. COOKIES AND TRACKING TECHNOLOGIES
8.1 Cookies
We use cookies and similar tracking technologies on the Platform and our website to: authenticate users and maintain session security; remember your preferences; analyse Platform usage and performance; and detect and prevent fraud and security incidents.
Cookies are small text files stored on your device when you visit a website. They enable the Platform to remember your actions and preferences over time. Cookies do not typically contain information that directly identifies you, but the personal information we hold about you may be linked to information stored in cookies.
You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Platform. Unless you have adjusted your browser settings to refuse cookies, our system will issue cookies when you access the Platform or our website. For more information about the specific cookies we use, see our Cookie Notice at: link.
8.2 Analytics and tracking technologies
Our website may use analytics tools (such as Google Analytics) to help us understand how visitors interact with our website and improve our services. These tools may collect usage data including pages visited, time spent, and referring URLs. You can opt out of Google Analytics data collection by using the Google Analytics opt-out browser add-on available at tools.google.com/dlpage/gaoptout.
We do not currently use advertising pixels or cross-site behavioural tracking technologies in connection with the Platform. If this changes, we will update this Policy and our Cookie Notice accordingly and obtain any consents required by applicable law.
9. AUTOMATED PROCESSING AND ARTIFICIAL INTELLIGENCE
Stanza and its infrastructure providers use automated tools and artificial intelligence in certain aspects of the Services, including:
- •Identity document verification: during KYB onboarding, automated tools may be used to extract and match information from identity documents submitted by directors, UBOs, and Admins. Where automated verification is used, human review is applied to cases that require closer attention. The underlying decision to approve or decline an Account remains subject to human oversight and is not made solely by automated means;
- •Cardholder KYC: Rain conducts Cardholder identity verification via the Persona SDK, which may include automated document verification. This is conducted by Rain under its own policies;
- •Sanctions and fraud screening: automated screening tools are used to screen against sanctions lists and to detect suspicious activity. Where a potential match is identified, a human compliance review is conducted before any action is taken;
- •Platform analytics: aggregated and anonymised usage data may be analysed using automated tools to improve Platform features and performance.
Where automated processing is used in ways that produce legal or similarly significant effects for you, you have the right to: request human review of the decision; express your point of view; and contest the decision. No individual will be penalised for choosing to opt out of processing activities that rely solely on automated decision-making. To exercise these rights, contact us at [email protected].
We will continue to review and update our approach to automated processing and AI as the technology and applicable regulatory standards evolve, and will notify you of any material changes in accordance with Section 11.
10. SECURITY AND DATA BREACH NOTIFICATION
10.1 Security measures
We implement technical, administrative, and organisational measures designed to protect personal information against unauthorised access, disclosure, alteration, or destruction. These include:
- •Encryption of personal information in transit and at rest;
- •Access controls and authentication requirements for Platform access, including multi-factor authentication for administrative access;
- •Regular security assessments and vulnerability management;
- •Incident detection, response, and recovery procedures;
- •Employee and contractor training on data protection and information security.
No system is completely secure. If you become aware of a potential security incident affecting your Account or personal information, please notify us immediately at [email protected].
10.2 Data breach notification
In the event of a personal data breach, we have established procedures for identifying, containing, and reporting the incident. When we become aware of a breach that is likely to result in a risk to your rights and freedoms, we will:
- •Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with applicable data protection law;
- •Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
- •Include in any notification: a description of the nature of the breach; the categories and approximate number of individuals and records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects.
We maintain a record of all personal data breaches, including those that do not require notification, and will provide this information to the relevant supervisory authority on request.
11. CHILDREN'S INFORMATION
The Platform and Services are intended for use by businesses and their employees aged 18 or over. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us at [email protected] and we will take steps to delete it promptly.
12. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or requirements imposed by our infrastructure providers (including the Payment Infrastructure Provider, Rain, Third National, or Global Stack). When we make material changes, we will notify you through the Platform or by email at least 30 days before the changes take effect, except where a shorter period is required by law or by our infrastructure providers. The current version of this Policy is always available at link. Continued use of the Platform after any update constitutes your acceptance of the updated Policy.
13. JURISDICTION-SPECIFIC DISCLOSURES
13.1 Nigeria (NDPA 2023 / NDPR 2019)
For individuals in Nigeria, Stanza processes personal data in accordance with the Nigeria Data Protection Act 2023 (Act No. 14 of 2023) (NDPA), the Nigeria Data Protection Act Implementation Framework 2023 (NDPA-IF), and the Nigeria Data Protection Regulation 2019 (NDPR) to the extent it remains operative in respect of matters not yet fully superseded by the NDPA and NDPA-IF.
Stanza acts as a data controller in respect of personal data of Nigerian Business Customers, their directors, UBOs, and Admins collected through the KYB onboarding process and in connection with the Services. Where Stanza shares personal data of Nigerian individuals with its infrastructure providers, appropriate data processing agreements consistent with the requirements of the NDPA are in place.
The lawful bases for processing personal data of Nigerian individuals are as set out in Section 3. Cross-border transfers of Nigerian personal data are conducted in accordance with the transfer mechanisms recognised under the NDPA and NDPA-IF, including appropriate contractual safeguards with receiving parties.
13.2 United States (Gramm-Leach-Bliley Act / state privacy laws)
Stanza's infrastructure providers (Bridge and Rain/Third National) are subject to US federal financial privacy laws including the Gramm-Leach-Bliley Act (GLBA). Stanza's data handling practices are designed to be consistent with GLBA standards as applied to programme managers operating within a licensed financial services stack.
If you are a California resident, you may have additional rights under the California Privacy Rights Act (CPRA), including the right to know, correct, delete, and opt out of the sale or sharing of your personal information. To exercise these rights, contact us at [email protected]. You have the right to lodge a complaint with the California Privacy Protection Agency (CPPA) or your applicable state supervisory authority.