PRIVACY POLICY
WHAT THIS POLICY COVERS
Your privacy is important to us, and this Privacy Policy is meant to help you understand what information we collect, why we collect it, and how it is used.
- What information we collect
- How the information is used
- Sharing of information
- Transfer and storage of your information
- Access to your information
- Notice to end users
This policy is intended to comply with GDPR, CCPA, and any other relevant jurisdictional laws (e.g., LGPD, PIPEDA).
Note: GlobalFinex B2B may act as either a Data Controller (determines the purposes and means of processing) or a Data Processor (processes data only on the Customer’s instructions). The role is determined on a per-service basis.
WHO THIS POLICY APPLIES TO
This Privacy Policy applies to all visitors and users (“you”) of GlobalFinex B2B (“we,” “our,” “us”).
If you are a business that has contracted with us, this policy governs the processing of personal data you provide to us, whether directly or via your employees, agents, or authorized third-party partners (“end-users”).
CONSENT
By using our Services, you give specific, informed consent for each purpose listed in the Consent & Preference Management table below.
If you do not agree with any part of this policy, you may refuse to use our Services and may withdraw consent at any time (see “Your Rights”).
SERVICES
GlobalFinex B2B provides a number of Services to help connect businesses and streamline their processes. These Services include, but are not limited to:
- Buyer B2B ePayment
- Supplier B2B ePayment
- Buyer Dynamic Discounting
- Supplier Dynamic Discounting
DEFINITIONS
| Term | Definition | GDPR reference | Quick Example |
|---|---|---|---|
| Personal Data | Any information that can identify an individual either directly or indirectly (e.g., name, email, unique identifier). | GDPR Article 4(1) | Email address, phone number |
| Sensitive Personal Data | Personal data likely to cause harm or discrimination if mishandled; also known as “special categories.” | GDPR Article 4(13)(14)(15) | Race, religion, health data, biometric data |
| Data Controller | The entity that determines the purpose and means of processing personal data. | GDPR Article 4(7) | GlobalFinex B2B |
| Data Processor | The entity that processes personal data on behalf of the data controller. | GDPR Article 4(8) | Payment-gateway provider |
| Data Subject | The natural person whose personal data is being processed. | GDPR Article 4(1) | Buyer or supplier contact |
| Third-Party Service Provider | External entity receiving personal data for specific services (hosting, analytics, etc.). | GDPR Article 4(10) | Cloud host, email-marketing platform |
| Processing | Any operation performed on personal data, automated or manual. | GDPR Article 4(8) | Storing records, sending payroll emails |
GDPR article: https://gdpr-info.eu/art-4-gdpr/
WHAT INFORMATION WE COLLECT
Information provided to us
- Personal Information (name, email address, phone number, company name)
- Customer Identification Information (details of both customer and supplier necessary for payment processing)
- Payment Information (VCN, bank account numbers, transaction amount, currency, reference number, invoices, remittance records)
- Compliance & Verification Information (KYC/AML) (supporting documents, classified as special category personal data)
- Technical Data (IP address, device identifier, OS, browser type, usage logs)
- Cookies (see our separate Cookie Policy)
Information we collect when you use our Services
- Website Use: Personally identifiable information voluntarily submitted (e.g., contact form, comments)
- Technical Information: Browser type, OS, domain name of linking site (non‑PII)
- Cookies: Used to improve experience; users may opt‑out via the Data‑Subject Portal
- Web Portal Use: Log of access attempts, viewed or changed information
- Device & Connection Information: Device, OS, browser type, IP address, device identifiers (varies by service)
HOW THE INFORMATION IS USED
| Purpose | Legal Basis / Quick Example |
|---|---|
| Transaction & Payment Processing | Contractual / Consent (VCN, EFT) |
| KYC / AML Verification | Consent (special category) |
| Marketing / Promotional Offers | Legitimate interest / Consent |
| Service Provider Communications | Legitimate interest |
| Sharing with Trading Partners | Contractual |
| Regulatory Reporting (AML, tax) | Lawful obligation |
| Security & Fraud Prevention | Legitimate interest |
If you have consented to a specific purpose, you may change your mind at any time; this does not affect already‑processed data.
SHARING OF INFORMATION
- Financial Institutions & Payment Partners – for authorization, settlement, remittance
- Regulatory Authorities – when required by law (AML, tax)
- Service Providers – vendors that assist us (cloud hosting, analytics, etc.) under strict confidentiality and data‑protection obligations; DPAs in place
- Trading Partners (Supplier/Buyer) – to verify or confirm payment status
- Enforcement Requests – for compliance with laws, legal requests, protection against illegal activities
TRANSFER AND STORAGE OF YOUR INFORMATION
Information Storage & Retention
| Data Type | Minimum Retention | Legal / Regulatory Retention | Deletion Method |
|---|---|---|---|
| Personal Data (name, email, phone) | 6 months | 12 months | Secure deletion (AES wipe, key destruction) |
| Payment Information (VCN, bank details) | 12 months | 12 months | Secure deletion |
| KYC/AML Documents | 7 years | 7 years | Secure deletion (destroy all copies, keys, backups) |
| Technical Data (IP, device ID) | 12 months | 12 months | Secure deletion |
Upon request, or at the end of the retention period, data is securely deleted (e.g., encryption keys destroyed).
Security of Your Information
- All personal data in transit is protected by TLS 1.3.
- Data at rest is encrypted with 256‑bit AES.
- With our ISMS security framework we conduct monthly network scans, annual external penetration tests, annual security reviews, and maintain an incident‑response plan.
Breach Notification
- Authoritative Authority – notified within 72 hours.
- Affected Data Subjects – notified within 30 days if the breach poses or within 72 hours for high-risk breaches (authoritative requirement).
International Transfer of Information
For EU personal data transferred outside the EU, we use Standard Contractual Clauses (SCCs) and maintain a documented Transfer Impact Assessment (TIA). Servers are located worldwide; data is protected at the same level as within the EU.
ACCESS TO YOUR INFORMATION
Your Rights
- Right to access
- Right to rectification
- Right to erasure
- Right to restriction
- Right to data portability
- Right to object (marketing)
- Right to withdraw consent
How to Exercise These Rights
Requests can be made via the email address in the Contact Us section below.
- 30 days (or 90 days for complex requests).
NOTICE TO END USERS
Our Services are primarily provided to organisations, which then make the Services available to you. The contracting organisation is the administrator and is responsible for end‑user privacy controls; contact them for any specific privacy questions.
INFORMATION ON CHILDREN
NOTIFICATION OF CHANGES AND UPDATES
We may update this Privacy Policy from time to time. For material changes, we provide a prominent banner within the Service and send an email to users who have opted in to receive updates at least 14 days before the change. “Material change” includes new services or data uses that differ from the original consent agreement.
CONTACT US
- Email: privacy@globalfinexb2b.com
- Data Protection Officer: Suite A809, Jalan 16/11, Phileo Damansara 1, Off Jalan Damansara, 46350 Petaling Jaya, Selangor D. E., Malaysia
- Phone: +60 3 7660 8818
- DPO Email: dpo@globalfinexb2b.com
SUPERVISORY AUTHORITIES (DATA PROTECTION REGULATORS)
| Country | Supervisory Authority (Data Protection Authority) | Website |
|---|---|---|
| European Union (EU) | European Data Protection Board (EDPB) – coordinates national authorities; National authorities – each member state has its own DPA | https://edpb.europa.eu/ ; https://ec.europa.eu/justice/data-protection/data-protection-eudpa_en |
| Austria | Datenschutzbehörde | https://www.dsb.gv.at/ |
| Belgium | Commission voor de privacy | https://www.dataprotectioncommission.be/ |
| Bulgaria | Commission for Personal Data Protection | https://www.csdps.bg/ |
| Croatia | Independent Commission for Personal Data Protection | https://www.pdpa.hr/ |
| Cyprus | Office of the Commissioner for Personal Data Protection | https://www.dpo.gov.cy/ |
| Czech Republic | Office for Personal Data Protection | https://www.uoou.cz/ |
| Denmark | Danish Data Protection Agency (Datatilsynet) | https://www.datatilsynet.dk/ |
| Estonia | Personal Data Protection Inspectorate (Isikuandmete Kaitseinspektsioon) | https://www.iva.ee/ |
| Finland | Office of the Data Protection Ombudsman | https://tietooikeus.fi/ |
| France | Commission Nationale de l’Informatique et des Libertés (CNIL) | https://www.cnil.fr/ |
| Germany | Federal Commissioner for Data Protection and Freedom of Information (BfDI); State-level authorities (Landesdatenschutzbeauftragter) | https://www.bfdi.bund.de/ |
| Greece | Independent Authority for Personal Data Protection (OAED) | https://oaed.gr/ |
| Hungary | Hungarian Personal Data Protection Office | https://adathivatal.gov.hu/ |
| Ireland | Data Protection Commission (DPC) | https://www.dataprotection.ie/ |
| Italy | Italian Data Protection Authority (Garante) | https://www.garanteprivacy.it/ |
| Latvia | Data Controller Commissioner | https://www.dcc.gov.lv/ |
| Lithuania | State Data Protection Inspectorate | https://www.dpat.lt/ |
| Luxembourg | Commission nationale pour la protection des données | https://www.cnddp.lu/ |
| Malta | Information Technology & Data Protection Commissioner | https://www.dataprotection.gov.mt/ |
| Netherlands | Dutch Data Protection Authority | https://autoriteitpersoonsgegevens.nl/ |
| Poland | Office of the Data Protection Commissioner (UODO) | https://uodo.gov.pl/ |
| Portugal | National Data Protection Authority | https://www.anpd.pt/ |
| Romania | National Data Protection Authority | https://www.ans.dp.ro/ |
| Slovakia | Office for Personal Data Protection | https://www.uko.sk/ |
| Slovenia | Information Commissioner | https://www.uvp.gov.si/ |
| Spain | Spanish Data Protection Agency | https://www.aepd.es/ |
| Sweden | Swedish Authority for Privacy Protection | https://www.imy.se/ |
| United Kingdom | Information Commissioner’s Office (ICO) | https://ico.org.uk/ |
| United States | Federal Trade Commission (FTC); California CCPA – Attorney General; New York Privacy Law – Attorney General; Washington Privacy Act – Attorney General; Other states with individual AG offices | https://www.ftc.gov/ ; https://oag.ca.gov/privacy ; https://ag.ny.gov/privacy ; https://www.atg.wa.gov/privacy-act |
| Canada | Office of the Privacy Commissioner of Canada (OPC) | https://www.priv.gc.ca/ |
| Australia | Office of the Australian Information Commissioner (OAIC) | https://www.oaic.gov.au/ |
| Brazil | National Data Protection Authority (ANPD) | https://www.gov.br/anpd/pt-br |
| China | Ministry of Public Security (MPS); Cyberspace Administration (CAC) | http://www.mps.gov.cn/ ; http://www.cac.gov.cn/ |
| India | Data Protection Authority (under establishment) | https://data-protection.gov.in/ |
| Japan | Personal Information Protection Commission (PPC) | https://www.ppc.go.jp/ |
| South Africa | Information Regulator | https://www.justice.gov.za/ips/regs/regulation-0.html |
| South Korea | Personal Information Protection Commission (PIPC) | https://www.pipc.go.kr/ |
| Singapore | Personal Data Protection Commission (PDPC) | https://www.pdpc.gov.sg/ |
| New Zealand | Privacy Commissioner | https://www.privacy.org.nz/ |
| Mexico | National Institute for Transparency (INAI) | https://www.inai.org.mx/ |
| Argentina | National Directorate for Personal Data Protection (DNEPD) | https://www.argentina.gob.ar/dnepd |
| Chile | National Commission for the Protection of Personal Data (CONPDP) | https://www.conpdp.cl/ |
| Colombia | Superintendency of Industry and Commerce | https://www.sic.gov.co/ |
| Russia | Roskomnadzor | https://rkn.gov.ru/ |
| Turkey | Data Protection Authority (KVKK) | https://www.kvkk.gov.tr/ |
| Iran | Data Protection Authority | https://www.dpo.ir/ |
Last Updated: 27-Nov-2025

