Effective: June 2026
REDFi PRIVACY POLICY
Redline Blockchain S.A. | REDFi | Panama City, Republic of Panama
This Master Privacy Policy explains how Redline Blockchain S.A., operating as REDFi ("REDFi," "Redline Blockchain," "Company," "we," "us," or "our"), collects, uses, shares, stores, protects, transfers, and otherwise processes personal information when you use REDFi websites, web applications, dashboards, APIs, account services, payment and stablecoin-related features, support channels, communications, and any other products or services that link to this policy (collectively, the "Services").
This policy is intended to comply with applicable privacy and data protection requirements, including Panama Law No. 81 of March 26, 2019 on Personal Data Protection, Executive Decree No. 285 of May 28, 2021, applicable anti-money laundering and counter-terrorist financing recordkeeping obligations, and, where applicable, regional privacy laws such as the GDPR, UK GDPR, California privacy laws, Brazil LGPD, and other similar laws. This policy does not replace any privacy notice, user agreement, or legal terms provided directly by REDFi service providers.
Important: REDFi provides a technology and account-experience layer. Certain financial infrastructure, identity verification, stablecoin, custody, wallet, payment, virtual account, and compliance functions are provided by third-party service providers, including Bridge, Stripe, Persona, banks, custodians, payment processors, blockchain networks, blockchain analytics providers, fraud-prevention vendors, and other regulated or technical providers. These parties may process personal information under their own privacy notices and legal obligations.
Contents
-
Privacy Commitment and Scope
-
Roles: REDFi, Service Providers, and Independent Controllers
-
Information We Collect
-
Sensitive Personal Information and Biometric-Related Data
-
How We Use Information
-
Legal Bases for Processing
-
How We Share Information
-
Public Blockchain Data and Data Immutability
-
Cookies, Analytics, and Similar Technologies
-
International Transfers
-
Data Retention
-
Data Security
-
Your Privacy Rights and Choices
-
Jurisdiction-Specific Disclosures
-
Marketing Communications
-
Account Closure and Privacy Requests
-
Children and Minors
-
Changes to This Policy
-
Contact Us
1. Privacy Commitment and Scope
REDFi respects privacy and recognizes that financial, identity, compliance, and transaction data require a higher level of protection. We apply a data-minimization approach designed to limit the highly sensitive information stored directly in REDFi systems, while allowing regulated and specialized providers to perform identity verification, compliance, custody, stablecoin, payment, and settlement functions.
This policy applies when you create or access a REDFi account, complete KYC or KYB onboarding, receive or send fiat or digital assets, convert fiat or supported stablecoins into USDB, participate in REDFi rewards programs, contact support, use the REDFi dashboard, interact with REDFi websites or APIs, or otherwise interact with REDFi. It also applies to business-account representatives, beneficial owners, directors, officers, employees, authorized users, counterparties, beneficiaries, payees, and other persons whose information is provided to REDFi in connection with the Services.
By using the Services, submitting information to us, or authorizing a transaction, you acknowledge that REDFi may process your personal information as described in this policy and as required to provide the Services, satisfy legal obligations, protect against fraud, comply with sanctions and AML/CTF requirements, and operate our platform.
2. Roles: REDFi, Service Providers, and Independent Controllers
Depending on the activity, REDFi may act as a data controller, responsible party, business, processor, service provider, or similar role under applicable law. REDFi determines how certain account, dashboard, support, transaction, compliance, and communications data is processed for REDFi platform purposes.
Some service providers may act as independent controllers or separately regulated entities for their own services. For example, Bridge may process information to provide stablecoin, wallet, virtual account, payment, compliance, and settlement services; Stripe may process information for payment infrastructure and related financial services; Persona may process information for identity verification, document verification, biometric-matching workflows where applicable, fraud prevention, and KYC/KYB support. Banks, custodians, payment processors, blockchain networks, and financial partners may also process information independently under their own legal obligations.
Where a third-party provider processes your information under its own legal authority, REDFi does not control all aspects of that provider’s data processing. You may be required to accept the provider’s privacy policy, user agreement, or legal terms as part of your use of the Services.
3. Information We Collect
We may collect the categories of information below. The exact information collected depends on the type of account, jurisdiction, product, transaction, verification requirement, risk profile, and service-provider requirements.
| Category | Examples | Primary Sources |
|---|---|---|
| Account and contact information | Name, email address, phone number, username, login credentials, account profile, communication preferences, support identifiers. | You; authorized users; business representatives. |
| Identity and verification information | Date of birth, government-issued ID numbers, tax IDs, proof of address, identity-verification status, verification results, sanctions-screening status, risk flags. | You; Persona; Bridge; Stripe; compliance providers; government or commercial databases. |
| Business and KYB information | Business name, registration number, tax ID, formation documents, operating address, beneficial owners, directors, officers, ownership percentages, bank statements, source of funds, source of wealth, invoices, contracts. | You; business representatives; public registries; verification providers; financial partners. |
| Financial and transaction information | Bank account details, routing or payment rail details, virtual account information, fiat deposits and withdrawals, stablecoin and crypto transactions, conversions, fees, rewards calculations, counterparties, beneficiaries, transaction descriptions, timestamps, transaction hashes. | You; REDFi systems; Bridge; Stripe; banks; payment processors; blockchain networks; counterparties. |
| Wallet, blockchain, and digital-asset information | Wallet addresses, blockchain networks, transaction hashes, memos/tags, token type, transaction status, blockchain analytics risk scores, public-chain activity connected to your wallet. | You; blockchains; blockchain analytics providers; service providers. |
| Device, usage, and technical information | IP address, browser type, device identifiers, operating system, app/browser version, pages viewed, session logs, API usage, crash data, authentication events, security logs. | Your device; cookies; logs; security tools; analytics providers. |
| Approximate location information | Country, region, city-level location inferred from IP address; jurisdictional signals used for compliance, sanctions, fraud, or product availability. | Your device; IP address; service providers. |
| Communications and support information | Emails, chat messages, support tickets, attachments you provide, call notes, surveys, feedback, complaints, and records of communications. | You; customer support systems; REDFi personnel. |
| Derived, inferred, and risk information | Risk scores, fraud signals, device trust signals, transaction pattern inferences, compliance review outcomes, product eligibility, transaction limits, automated or manual review results. | REDFi; service providers; analytics and compliance systems. |
3.1 Information You Provide Directly
We collect information you provide when you create an account, submit identity or business information, update your profile, initiate transactions, add beneficiaries or counterparties, contact support, complete surveys, respond to requests for information, submit documentation, or otherwise communicate with us.
3.2 Information Collected Automatically
When you use the Services, we automatically collect device, usage, log, authentication, transaction, security, and approximate-location information. We use this information to provide the Services, maintain platform reliability, protect against unauthorized access, detect suspicious activity, enforce product availability by jurisdiction, debug errors, and improve the user experience.
3.3 Information From Third Parties
We may receive information from identity verification providers, Bridge, Stripe, Persona, banks, payment processors, custodians, financial institutions, blockchain analytics providers, sanctions-screening providers, fraud-prevention vendors, credit or risk databases, public registries, government databases, business verification sources, counterparties, beneficiaries, and other users. This information may include verification results, transaction confirmations, compliance flags, account status, business details, ownership information, wallet risk scores, payment status, and account or transaction history.
3.4 Legacy or Migrated Provider Data
If REDFi previously used or migrated from another service provider, such as legacy financial infrastructure, custody, payment, or compliance providers, REDFi may retain or process historical information from those providers as required to maintain records, provide support, investigate transactions, satisfy legal obligations, resolve disputes, and comply with applicable AML/CTF, sanctions, tax, accounting, or regulatory requirements.
4. Sensitive Personal Information and Biometric-Related Data
Some information collected or processed in connection with the Services may be considered sensitive personal information under applicable law. This may include government-issued identification numbers, passport or national ID information, tax identifiers, precise financial account data, authentication data, proof-of-address documents, business ownership information, sanctions-screening information, source-of-funds information, source-of-wealth information, and biometric-related information used for identity verification where applicable.
4.1 No Toxic Asset Identity Data Architecture
REDFi uses a data-minimization architecture for identity verification. Where possible, REDFi does not download, store, or maintain raw images of passports, government IDs, biometric selfies, or similarly sensitive identity documents in REDFi’s primary platform systems. Instead, specialized identity and compliance providers such as Persona and Bridge collect, verify, and securely maintain sensitive identity-verification materials under their own controls and legal obligations.
REDFi may receive and store verification outputs, status results, approved text payloads, risk flags, business-verification details, beneficial ownership information, and compliance records necessary to operate the Services, support users, maintain audit trails, and satisfy legal obligations. If you voluntarily send raw identity documents or sensitive information to REDFi support outside the approved onboarding flow, REDFi may process that information to resolve your request and may retain it as legally required.
4.2 Biometric-Related Verification
Where applicable, our verification providers may use facial matching, liveness checks, selfie comparison, or similar technologies to verify that a person matches a government-issued identity document and to prevent fraud. REDFi does not use biometric-related information for advertising. Biometric-related data is processed only as necessary for identity verification, fraud prevention, security, compliance, and legal obligations, and is retained by the applicable verification provider according to its policies and applicable law.
5. How We Use Information
We use personal information for the purposes described below and for any purpose disclosed to you at the time of collection.
To create, maintain, authenticate, secure, and manage REDFi accounts and authorized users.
To perform KYC, KYB, beneficial ownership review, sanctions screening, AML/CTF controls, fraud prevention, source-of-funds review, source-of-wealth review, transaction monitoring, and ongoing compliance checks.
To provide the Services, including fiat deposits and withdrawals, stablecoin and digital-asset transactions, USDB conversion, supported wallet services, virtual account functionality, transaction records, fee display, rewards calculations, dashboard access, support, and account reporting.
To process, approve, reject, delay, return, freeze, restrict, review, or investigate transactions, accounts, wallets, balances, deposits, withdrawals, conversions, rewards, payouts, or counterparties where required or appropriate.
To communicate with you about onboarding, account status, receipts, confirmations, security alerts, compliance requests, legal notices, operational updates, support responses, changes to terms, and service availability.
To detect, investigate, prevent, and respond to fraud, suspicious activity, unauthorized access, account takeover, cyber incidents, sanctions exposure, prohibited activity, chargebacks, disputes, reversals, and other security or compliance concerns.
To provide analytics, diagnose issues, improve platform reliability, test and develop new features, train internal personnel, and evaluate user experience.
To send marketing communications where permitted by law and honor marketing opt-out requests.
To enforce our Terms of Service, policies, partner requirements, legal rights, and contractual obligations.
To comply with applicable laws, legal process, sanctions programs, tax obligations, accounting rules, regulatory inquiries, law enforcement requests, audit requirements, and record-retention obligations.
To de-identify, anonymize, or aggregate information so that it no longer reasonably identifies you, and use such information for analytics, reporting, compliance, product improvement, and business purposes.
6. Legal Bases for Processing
Where a legal basis is required under applicable law, REDFi may process personal information under one or more of the following bases:
Contractual necessity: to provide the Services, manage your account, process transactions, support onboarding, and perform obligations under our Terms of Service.
Legal obligation: to comply with AML/CTF, sanctions, fraud-prevention, tax, accounting, consumer-protection, law-enforcement, regulatory, recordkeeping, and other legal requirements.
Legitimate interests: to operate and secure our platform, prevent fraud, enforce terms, improve products, communicate with users, maintain business records, and protect REDFi, users, partners, and the public, provided such interests are not overridden by applicable legal rights.
Consent: where required for certain marketing, cookies, biometric-related verification, optional features, international transfers, or other processing. Where consent is the legal basis, you may withdraw consent at any time, subject to legal and contractual limitations and without affecting prior lawful processing.
Vital, public-interest, or legal-defense grounds: where necessary to protect individuals, respond to emergencies, cooperate with lawful authorities, establish or defend legal claims, or satisfy other grounds recognized by applicable law.
7. How We Share Information
REDFi does not sell personal information for money. We may share personal information as described below to provide the Services, comply with law, protect against fraud, support transactions, and operate our business.
| Recipient Category | Purpose / Examples |
|---|---|
| Service providers and infrastructure partners | Bridge, Stripe, Persona, banks, financial partners, custodians, payment processors, liquidity providers, blockchain networks, blockchain analytics providers, fraud-prevention vendors, sanctions-screening providers, cloud hosting providers, customer support tools, analytics providers, communications vendors, and other vendors that help us provide and secure the Services. |
| Financial institutions and payment partners | Banks, virtual account providers, payment processors, local payment rail providers, card or payment networks if offered in the future, and other partners involved in receiving, settling, converting, returning, or transmitting funds or stablecoins. |
| Compliance, fraud, and security providers | Identity verification providers, business verification providers, sanctions-screening vendors, transaction-monitoring providers, blockchain analytics providers, law-enforcement response vendors, and cybersecurity vendors. |
| Counterparties and transaction participants | Recipients, beneficiaries, counterparties, connected accounts, senders, receivers, and other participants where necessary to complete or investigate a transaction or provide a requested service. |
| Affiliates and corporate group | Redline Blockchain S.A. affiliates and related companies for internal administration, support, compliance, security, operations, reporting, and business purposes consistent with this policy. |
| Professional advisors | Lawyers, auditors, accountants, consultants, insurers, and other professional advisors where reasonably necessary for business, compliance, legal, risk, audit, or insurance purposes. |
| Legal and regulatory recipients | Courts, regulators, law enforcement, tax authorities, financial intelligence units, sanctions authorities, government agencies, dispute-resolution bodies, or other parties where disclosure is required or permitted by law, legal process, provider rules, or to protect rights and safety. |
| Business transfers | Potential or actual buyers, investors, lenders, merger partners, acquirers, successors, or advisors in connection with a merger, acquisition, financing, restructuring, bankruptcy, sale of assets, or similar transaction. |
| With consent or at your direction | Any party you authorize or direct us to share information with, including when you initiate transactions, request account connections, invite authorized users, provide information to counterparties, or consent to specific sharing. |
We may also share aggregated or de-identified information that cannot reasonably be used to identify you. We may disclose information if we believe disclosure is necessary to prevent harm, investigate fraud, enforce our agreements, protect rights or safety, comply with law, or respond to legal process.
8. Public Blockchain Data and Data Immutability
Certain REDFi Services involve stablecoins, digital assets, wallet addresses, blockchain networks, transaction hashes, and related on-chain activity. Public blockchain networks may permanently record wallet addresses, token movements, transaction amounts, timestamps, and other transaction metadata. This information may be publicly visible, searchable, immutable, and beyond REDFi’s ability to delete, edit, restrict, or anonymize.
Although REDFi does not intentionally publish your legal name to a public blockchain as part of ordinary platform use, wallet addresses and transaction details may be linked to you through your use of the Services, blockchain analytics, counterparties, public records, subpoenas, hacks, or third-party data sources. You acknowledge that blockchain data may remain available even if your REDFi account is closed or if you exercise privacy rights with REDFi.
9. Cookies, Analytics, and Similar Technologies
We and our service providers may use cookies, pixels, SDKs, local storage, device identifiers, session replay or diagnostic tools, log files, and similar technologies to operate the Services, authenticate users, remember preferences, secure accounts, detect fraud, measure performance, understand usage, improve features, and conduct analytics.
Most browsers allow you to remove or reject cookies. If you disable cookies or similar technologies, some Services may not function properly. Where required by law, we will provide additional cookie choices, consent tools, or opt-out mechanisms. If we use technologies that are considered "sale," "sharing," targeted advertising, or cross-context behavioral advertising under applicable law, you may have the right to opt out as described in Section 13.
10. International Transfers
REDFi is headquartered in Panama, and our service providers, partners, infrastructure, users, counterparties, banks, financial institutions, and compliance systems may be located in Panama, the United States, the European Economic Area, the United Kingdom, Latin America, and other jurisdictions. Your personal information may therefore be transferred to, stored in, accessed from, or processed in countries that may have privacy laws different from those in your country of residence.
Where required by applicable law, REDFi uses safeguards designed to protect transferred information, which may include user consent, contractual protections, data-processing agreements, vendor due diligence, security controls, transfer-impact reviews, standard contractual clauses or similar mechanisms, and other safeguards recognized by applicable law. International transfers may also occur where necessary to perform a contract, provide requested Services, complete transactions, comply with law, establish or defend legal claims, or protect against fraud and security threats.
11. Data Retention
We retain personal information for as long as reasonably necessary to provide the Services, maintain accounts, process transactions, resolve disputes, support users, comply with legal and regulatory obligations, conduct audits, enforce agreements, prevent fraud, preserve business records, and satisfy AML/CTF, sanctions, tax, accounting, and legal requirements.
Financial, compliance, KYC/KYB, transaction, audit, and related records may be retained for at least five (5) years after the end of the relationship or longer where required by applicable law, provider requirements, pending investigations, disputes, legal holds, tax obligations, law enforcement requests, or regulatory expectations. Some records may be retained for seven (7) years or longer depending on jurisdiction, accounting requirements, provider obligations, litigation risk, or business necessity.
If you request deletion or close your account, we may retain information where required or permitted for legal, compliance, fraud prevention, security, audit, accounting, tax, dispute, recovery, or legitimate business purposes. We may retain backups for a limited period in accordance with our backup and disaster-recovery processes. Public blockchain data cannot be deleted by REDFi.
12. Data Security
We implement administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, loss, misuse, alteration, disclosure, and destruction. These safeguards may include encryption in transit, access controls, role-based permissions, logging and monitoring, secure API practices, credential controls, vendor reviews, system hardening, incident-response procedures, and internal personnel restrictions.
No system, blockchain network, financial rail, internet transmission, storage system, or security control is completely secure. You are responsible for maintaining the security of your account credentials, devices, email, phone, authenticator apps, private keys or wallets you control, and any connected accounts. You should notify REDFi immediately if you believe your account, credentials, device, wallet, or transaction instructions have been compromised.
13. Your Privacy Rights and Choices
Depending on your jurisdiction and the nature of our relationship with you, you may have rights regarding your personal information. These rights may be subject to verification, exceptions, legal limitations, AML/CTF retention requirements, security restrictions, provider requirements, and the rights of others.
Access / know: request confirmation of whether we process your personal information and obtain access to certain information we hold about you.
Correction / rectification: request correction of inaccurate or incomplete personal information.
Deletion / cancellation / erasure: request deletion of personal information, subject to legal, compliance, retention, security, blockchain, and business-record exceptions.
Opposition / objection: object to certain processing where permitted by law.
Restriction / limitation: request restriction of certain processing where applicable.
Portability: request a copy of certain information in a structured, commonly used, machine-readable format where applicable.
Withdraw consent: withdraw consent where processing is based on consent, without affecting prior lawful processing or processing required by law.
Opt out of marketing: opt out of promotional emails or marketing communications.
Opt out of sale/share or targeted advertising: where applicable, request that we not sell or share personal information or use it for targeted advertising.
Limit sensitive personal information: where applicable, request limitation of the use or disclosure of sensitive personal information to permitted purposes.
Automated decision review: where applicable, request information about, or review of, certain automated decisions that produce legal or similarly significant effects.
Non-discrimination: exercise privacy rights without unlawful discrimination or retaliation.
To exercise privacy rights, contact us at privacy@redfi.io or help@redfi.io. We may need to verify your identity, authority, account ownership, jurisdiction, and request scope before responding. If you submit a request through an authorized agent, we may require proof of authorization and may ask you to verify your identity directly with us. If the request concerns information processed by Bridge, Stripe, Persona, a bank, or another independent provider, we may direct you to that provider or cooperate with the provider as appropriate.
14. Jurisdiction-Specific Disclosures
14.1 Panama
For users whose personal data is subject to Panama Law No. 81 of March 26, 2019 and Executive Decree No. 285 of May 28, 2021, REDFi processes personal data in accordance with principles such as legality, loyalty, purpose, proportionality, truthfulness, data security, transparency, confidentiality, and lawful transfer. You may have rights to access, rectification, cancellation, opposition, portability, and withdrawal of consent, subject to exceptions and legal obligations. REDFi may process and retain information as necessary for contracts, consent, legal obligations, compliance, security, fraud prevention, AML/CTF obligations, and legitimate business purposes.
14.2 European Economic Area and United Kingdom
Where the GDPR, UK GDPR, or similar laws apply, REDFi may process personal data under the legal bases described in Section 6. Individuals may have rights to access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and rights related to certain automated decision-making. You may also have the right to lodge a complaint with a supervisory authority. Cross-border transfers may be supported by appropriate safeguards such as standard contractual clauses, transfer-impact assessments, and other mechanisms recognized by applicable law.
14.3 California and Certain U.S. State Privacy Laws
Where California privacy laws or similar U.S. state privacy laws apply, California residents and other eligible individuals may have rights to know/access, delete, correct, opt out of sale or sharing, opt out of targeted advertising, limit use or disclosure of sensitive personal information, and not receive unlawful discriminatory treatment for exercising privacy rights. REDFi does not sell personal information for money. If any REDFi advertising or analytics activity is deemed a "sale," "sharing," or targeted advertising under applicable law, eligible users may request an opt-out by contacting privacy@redfi.io or using any available opt-out mechanism we provide.
Certain personal information collected in connection with financial services, identity verification, fraud prevention, AML/CTF compliance, security, or transaction processing may be exempt from some U.S. state privacy rights or subject to different financial privacy obligations. We will apply applicable rights and exemptions on a case-by-case basis.
14.4 Brazil and Other Latin American Jurisdictions
Where Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) or similar Latin American privacy laws apply, you may have rights to confirm processing, access data, correct incomplete or inaccurate data, request anonymization, blocking or deletion of unnecessary or excessive data, request portability where applicable, obtain information about sharing, withdraw consent, and request review of certain automated decisions. These rights are subject to legal, compliance, security, and record-retention limitations.
14.5 Other Jurisdictions
Users in other jurisdictions may have additional rights under local law. REDFi will respond to privacy requests in accordance with applicable law, service-provider obligations, identity-verification requirements, and legal exceptions.
15. Marketing Communications
We may send marketing emails, newsletters, product updates, event invitations, or promotional communications where permitted by law. You may opt out of marketing emails by following the unsubscribe instructions in the message or contacting us. Even if you opt out of marketing, we may continue to send transactional, security, compliance, legal, support, account, and service-related communications.
16. Account Closure and Privacy Requests
You may request account closure through REDFi support. Closing your account does not automatically delete all personal information. REDFi and its service providers may retain information as required or permitted by law, including for AML/CTF, sanctions, fraud prevention, transaction monitoring, recordkeeping, tax, accounting, dispute, chargeback, legal, and audit purposes. Account closure does not affect information maintained by independent providers under their own legal obligations or public blockchain data that REDFi cannot alter or delete.
Privacy requests may be denied, limited, delayed, or fulfilled in part if fulfilling the request would conflict with legal obligations, AML/CTF requirements, sanctions screening, fraud prevention, security, transaction finality, public blockchain immutability, preservation of evidence, contractual obligations, provider requirements, or the rights and freedoms of others.
17. Children and Minors
The Services are intended only for individuals who are at least eighteen (18) years old or the age of legal majority in their jurisdiction, whichever is higher. We do not knowingly collect personal information from children or minors. If we learn that a minor has provided personal information to us without appropriate authorization, we may terminate the account and delete or restrict the information, subject to legal and compliance retention requirements.
18. Changes to This Policy
We may update this policy from time to time to reflect changes in our Services, providers, legal obligations, technology, data practices, or business operations. When we update this policy, we will revise the effective date. Where required by law or where changes are material, we may provide additional notice through the REDFi dashboard, website, email, or other communication channels. Your continued use of the Services after an updated policy becomes effective means you acknowledge the updated policy, subject to applicable law.
19. Contact Us
For questions, privacy requests, complaints, or concerns about this policy or REDFi data practices, please contact:
Redline Blockchain S.A.
Panama City, Republic of Panama
Support Email: help@redfi.io
If you have a concern about how a third-party provider such as Bridge, Stripe, Persona, a bank, a custodian, or a payment processor processes your personal information, you may also need to contact that provider directly under its own privacy policy and request procedures.