1 Data Controller
INVEST IN IDEA INC, operating as iiii.agency, is the data controller for all personal and financial data processed through the Platform. We are committed to protecting your data in accordance with the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and other applicable data protection laws.
Data Protection Contact: privacy@iiii.agency
2 Data We Collect
We collect and process the following categories of data:
- Account Data — Name, email address, company name, business registration details, and authentication credentials
- Banking Data — IBAN, BIC/SWIFT codes, account balances, and transaction history (only with your explicit PSD2/Open Banking consent)
- Transfer Data — Payment instructions, SWIFT UETRs, MT103/MT202 message content, FX rates applied, settlement confirmations
- KYC/AML Data — Identity verification documents, proof of address, beneficial ownership information
- Technical Data — IP addresses, browser type, device information, session tokens, access logs, and API call metadata
3 Legal Basis (GDPR Art. 6)
We process your data under the following legal bases:
- Performance of Contract — Processing necessary to execute wire transfers, settlements, and FX conversions you request
- Legal Obligation — AML/KYC compliance, sanctions screening, transaction reporting to regulatory authorities
- Consent — Open Banking account access via PSD2, marketing communications
- Legitimate Interest — Fraud prevention, platform security, service improvement analytics
4 Open Banking Data
Account information accessed via Deutsche Bank, HSBC, or other Open Banking APIs is used exclusively to execute the transfer and settlement services you request. We adhere to the following principles:
- Purpose Limitation — Data is only used for the specific transaction you authorize
- No Selling — We never sell, rent, or share Open Banking data with third parties for marketing
- Encryption — OAuth2 access tokens and refresh tokens are encrypted at rest using AES-256
- Expiry — Tokens expire per the bank's policy and are automatically purged
- Revocation — You can revoke Open Banking consent at any time via the platform or directly with your bank
5 Data Security
We implement enterprise-grade, multi-layered security measures to protect your data:
- Encryption in Transit — TLS 1.3 for all communications, mTLS for bank-to-bank channels
- Encryption at Rest — AES-256 encryption for all stored personal and financial data
- Authentication — OAuth 2.0 with PKCE, JWT token management, PS256 digital signatures
- Access Control — Role-based access control (RBAC), principle of least privilege
- Monitoring — 24/7 security monitoring, intrusion detection, comprehensive audit logging
- Certifications — PCI DSS Level 1, SOC 2 Type II, ISO 27001, GDPR compliant
6 Data Retention
We retain data for the minimum period necessary to fulfil legal, regulatory, and operational requirements:
| Data Type | Retention Period | Basis |
|---|---|---|
| Transfer Records | 7 years | AML Directive / MLD5 |
| KYC Documents | 5 years post-relationship | AML Directive |
| OAuth2 Tokens | Until expiry or revocation | Technical necessity |
| Session Data | 24 hours | Operational |
| Audit Logs | 3 years | PCI DSS / SOC 2 |
| Support Tickets | 2 years | Legitimate interest |
7 Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
Access
Request a copy of your data
Rectification
Correct inaccurate data
Erasure
Request deletion of data
Restriction
Limit how data is processed
Portability
Export data in machine-readable format
Object
Object to processing activities
Submit data subject requests to privacy@iiii.agency. We will respond within 30 days as required by GDPR.
8 International Transfers
Your data may be processed in EU/EEA countries. Where transfers occur outside the EEA, we ensure adequate safeguards via:
- Standard Contractual Clauses (SCCs) — EU-approved data transfer agreements
- Adequacy Decisions — Transfers to countries with EU adequacy rulings
- Binding Corporate Rules — For intra-group transfers where applicable
9 Cookies
We use strictly necessary cookies for platform functionality:
- Session Cookies — Required for authentication and maintaining your session (expires on logout)
- Security Cookies — CSRF protection tokens (session-scoped)
No tracking cookies. We do not use any third-party analytics, advertising, or behavioral tracking cookies.
10 Third-Party Services
We share data with the following categories of third parties, solely for service delivery:
- Banking Partners — Deutsche Bank, HSBC, and other CBS-integrated banks for payment execution
- SWIFT Network — For international messaging and gpi tracking
- Blockchain Providers — Alchemy for on-chain settlement verification
- KYC Providers — Identity verification and sanctions screening services
All third-party processors are bound by Data Processing Agreements (DPAs) and comply with GDPR requirements.
11 Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice on the platform. Continued use of the platform after changes constitutes acceptance of the revised policy.