PRIVACY POLICY

WHAT THIS POLICY COVERS

Your privacy is important to us, and this Privacy Policy is meant to help you understand what information we collect, why we collect it, and how it is used.

This policy is intended to comply with GDPR, CCPA, and any other relevant jurisdictional laws (e.g., LGPD, PIPEDA).

Note: GlobalFinex B2B may act as either a Data Controller (determines the purposes and means of processing) or a Data Processor (processes data only on the Customer’s instructions). The role is determined on a per-service basis.

WHO THIS POLICY APPLIES TO

This Privacy Policy applies to all visitors and users (“you”) of GlobalFinex B2B (“we,” “our,” “us”).

If you are a business that has contracted with us, this policy governs the processing of personal data provided to us by you directly or via your employees, agents, or authorized third-party partners (“end-users”).

CONSENT

By using our Services, you give specific, informed consent for each purpose listed in the Consent & Preference Management table below.

If you do not agree with any part of this policy, you may refuse to use our Services and may withdraw consent at any time (see “Your Rights”).

SERVICES

GlobalFinex B2B provides a number of Services to help connect businesses and streamline their processes. These Services include, but are not limited to:

  • Buyer B2B ePayment
  • Supplier B2B ePayment
  • Buyer Dynamic Discounting
  • Supplier Dynamic Discounting

DEFINITIONS

| Term | Definition | GDPR reference | Quick Example |
|---|---|---|---|
| Personal Data | Any information that can identify an individual either directly or indirectly (e.g., name, email, unique identifier). | GDPR Article 4(1) | Email address, phone number |
| Sensitive Personal Data | Personal data likely to cause harm or discrimination if mishandled; also known as “special categories.” | GDPR Article 4(13)(14)(15) | Race, religion, health data, biometric data |
| Data Controller | The entity that determines the purpose and means of processing personal data. | GDPR Article 4(7) | GlobalFinex B2B |
| Data Processor | The entity that processes personal data on behalf of the data controller. | GDPR Article 4(8) | Payment-gateway provider |
| Data Subject | The natural person whose personal data is being processed. | GDPR Article 4(1) | Buyer or supplier contact |
| Third-Party Service Provider | External entity receiving personal data for specific services (hosting, analytics, etc.). | GDPR Article 4(10) | Cloud host, email-marketing platform |
| Processing | Any operation performed on personal data, automated or manual. | GDPR Article 4(8) | Storing records, sending payroll emails |

GDPR article: https://gdpr-info.eu/art-4-gdpr/

WHAT INFORMATION WE COLLECT

Information provided to us

  • Personal Information (name, email address, phone number, company name)
  • Customer Identification Information (details of both customer and supplier necessary for payment processing)
  • Payment Information (VCN, bank account numbers, transaction amount, currency, reference number, invoices, remittance records)
  • Compliance & Verification Information (KYC/AML) (supporting documents, classified as special category personal data)
  • Technical Data (IP address, device identifier, OS, browser type, usage logs)
  • Cookies (see our separate Cookie Policy)

Information we collect when you use our Services

  • Website Use: Personally identifiable information voluntarily submitted (e.g., contact form, comments)
  • Technical Information: Browser type, OS, domain name of linking site (non‑PII)
  • Cookies: Used to improve experience; users may opt out via the Data‑Subject Portal
  • Web Portal Use: Log of access attempts, viewed or changed information
  • Device & Connection Information: Device, OS, browser type, IP address, device identifiers (varies by service)

HOW THE INFORMATION IS USED

| Purpose | Legal Basis / Quick Example |
|---|---|
| Transaction & Payment Processing | Contractual / Consent (VCN, EFT) |
| KYC / AML Verification | Consent (special category) |
| Marketing / Promotional Offers | Legitimate interest / Consent |
| Service Provider Communications | Legitimate interest |
| Sharing with Trading Partners | Contractual |
| Regulatory Reporting (AML, tax) | Lawful obligation |
| Security & Fraud Prevention | Legitimate interest |

If you have consented to a specific purpose, you may change your mind at any time; this does not affect already‑processed data.

SHARING OF INFORMATION

  • Financial Institutions & Payment Partners – for authorization, settlement, remittance
  • Regulatory Authorities – when required by law (AML, tax)
  • Service Providers – vendors that assist us (cloud hosting, analytics, etc.) under strict confidentiality and data‑protection obligations; DPAs in place
  • Trading Partners (Supplier/Buyer) – to verify or confirm payment status
  • Enforcement Requests – for compliance with laws, legal requests, protection against illegal activities

TRANSFER AND STORAGE OF YOUR INFORMATION

Information Storage & Retention

| Data Type | Minimum Retention | Legal / Regulatory Retention | Deletion Method |
|---|---|---|---|
| Personal Data (name, email, phone) | 6 months | 12 months | Secure deletion (AES wipe, key destruction) |
| Payment Information (VCN, bank details) | 12 months | 12 months | Secure deletion |
| KYC/AML Documents | 7 years | 7 years | Secure deletion (destroy all copies, keys, backups) |
| Technical Data (IP, device ID) | 12 months | 12 months | Secure deletion |

Upon request, or at the end of the retention period, data is securely deleted (e.g., encryption keys destroyed).

Security of Your Information

  • All personal data in transit is protected by TLS 1.3.
  • Data at rest is encrypted with 256‑bit AES.
  • With our ISMS security framework we conduct monthly network scans, annual external penetration tests, annual security reviews, and maintain an incident‑response plan.

Breach Notification

  • Authoritative Authority – notified within 72 hours.
  • Affected Data Subjects – notified within 30 days if the breach poses or within 72 hours for high-risk breaches (authoritative requirement).

International Transfer of Information

For EU personal data transferred outside the EU, we use Standard Contractual Clauses (SCCs) and maintain a documented Transfer Impact Assessment (TIA). Servers are located worldwide; data is protected at the same level as within the EU.

ACCESS TO YOUR INFORMATION

Your Rights

  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restriction
  • Right to data portability
  • Right to object (marketing)
  • Right to withdraw consent

How to Exercise These Rights

Requests can be made via the email address in the Contact Us section below.

  • 30 days (or 90 days for complex requests).

NOTICE TO END USERS

Our Services are primarily provided to organisations, which then make the Services available to you. The contracting organisation is the administrator and is responsible for end‑user privacy controls; contact them for any specific privacy questions.

INFORMATION ON CHILDREN

NOTIFICATION OF CHANGES AND UPDATES

We may update this Privacy Policy from time to time. For material changes, we provide a prominent banner within the Service and send an email to users who have opted in to receive updates at least 14 days before the change. “Material change” includes new services or data uses that differ from the original consent agreement.

CONTACT US

  • Email: privacy@globalfinexb2b.com
  • Data Protection Officer: Suite A809, Jalan 16/11, Phileo Damansara 1, Off Jalan Damansara, 46350 Petaling Jaya, Selangor D. E., Malaysia
  • Phone: +60 3 7660 8818
  • DPO Email: dpo@globalfinexb2b.com

SUPERVISORY AUTHORITIES (DATA PROTECTION REGULATORS)

| Country | Supervisory Authority (Data Protection Authority) | Website |
|---|---|---|
| European Union (EU) | European Data Protection Board (EDPB) – coordinates national authorities; National authorities – each member state has its own DPA | https://edpb.europa.eu/ ; https://ec.europa.eu/justice/data-protection/data-protection-eudpa_en |
| Austria | Datenschutzbehörde | https://www.dsb.gv.at/ |
| Belgium | Commission voor de privacy | https://www.dataprotectioncommission.be/ |
| Bulgaria | Commission for Personal Data Protection | https://www.csdps.bg/ |
| Croatia | Independent Commission for Personal Data Protection | https://www.pdpa.hr/ |
| Cyprus | Office of the Commissioner for Personal Data Protection | https://www.dpo.gov.cy/ |
| Czech Republic | Office for Personal Data Protection | https://www.uoou.cz/ |
| Denmark | Danish Data Protection Agency (Datatilsynet) | https://www.datatilsynet.dk/ |
| Estonia | Personal Data Protection Inspectorate (Isikuandmete Kaitseinspektsioon) | https://www.iva.ee/ |
| Finland | Office of the Data Protection Ombudsman | https://tietooikeus.fi/ |
| France | Commission Nationale de l’Informatique et des Libertés (CNIL) | https://www.cnil.fr/ |
| Germany | Federal Commissioner for Data Protection and Freedom of Information (BfDI); State-level authorities (Landesdatenschutzbeauftragter) | https://www.bfdi.bund.de/ |
| Greece | Independent Authority for Personal Data Protection (OAED) | https://oaed.gr/ |
| Hungary | Hungarian Personal Data Protection Office | https://adathivatal.gov.hu/ |
| Ireland | Data Protection Commission (DPC) | https://www.dataprotection.ie/ |
| Italy | Italian Data Protection Authority (Garante) | https://www.garanteprivacy.it/ |
| Latvia | Data Controller Commissioner | https://www.dcc.gov.lv/ |
| Lithuania | State Data Protection Inspectorate | https://www.dpat.lt/ |
| Luxembourg | Commission nationale pour la protection des données | https://www.cnddp.lu/ |
| Malta | Information Technology & Data Protection Commissioner | https://www.dataprotection.gov.mt/ |
| Netherlands | Dutch Data Protection Authority | https://autoriteitpersoonsgegevens.nl/ |
| Poland | Office of the Data Protection Commissioner (UODO) | https://uodo.gov.pl/ |
| Portugal | National Data Protection Authority | https://www.anpd.pt/ |
| Romania | National Data Protection Authority | https://www.ans.dp.ro/ |
| Slovakia | Office for Personal Data Protection | https://www.uko.sk/ |
| Slovenia | Information Commissioner | https://www.uvp.gov.si/ |
| Spain | Spanish Data Protection Agency | https://www.aepd.es/ |
| Sweden | Swedish Authority for Privacy Protection | https://www.imy.se/ |
| United Kingdom | Information Commissioner’s Office (ICO) | https://ico.org.uk/ |
| United States | Federal Trade Commission (FTC); California CCPA – Attorney General; New York Privacy Law – Attorney General; Washington Privacy Act – Attorney General; Other states with individual AG offices | https://www.ftc.gov/ ; https://oag.ca.gov/privacy ; https://ag.ny.gov/privacy ; https://www.atg.wa.gov/privacy-act |
| Canada | Office of the Privacy Commissioner of Canada (OPC) | https://www.priv.gc.ca/ |
| Australia | Office of the Australian Information Commissioner (OAIC) | https://www.oaic.gov.au/ |
| Brazil | National Data Protection Authority (ANPD) | https://www.gov.br/anpd/pt-br |
| China | Ministry of Public Security (MPS); Cyberspace Administration (CAC) | http://www.mps.gov.cn/ ; http://www.cac.gov.cn/ |
| India | Data Protection Authority (under establishment) | https://data-protection.gov.in/ |
| Japan | Personal Information Protection Commission (PPC) | https://www.ppc.go.jp/ |
| South Africa | Information Regulator | https://www.justice.gov.za/ips/regs/regulation-0.html |
| South Korea | Personal Information Protection Commission (PIPC) | https://www.pipc.go.kr/ |
| Singapore | Personal Data Protection Commission (PDPC) | https://www.pdpc.gov.sg/ |
| New Zealand | Privacy Commissioner | https://www.privacy.org.nz/ |
| Mexico | National Institute for Transparency (INAI) | https://www.inai.org.mx/ |
| Argentina | National Directorate for Personal Data Protection (DNEPD) | https://www.argentina.gob.ar/dnepd |
| Chile | National Commission for the Protection of Personal Data (CONPDP) | https://www.conpdp.cl/ |
| Colombia | Superintendency of Industry and Commerce | https://www.sic.gov.co/ |
| Russia | Roskomnadzor | https://rkn.gov.ru/ |
| Turkey | Data Protection Authority (KVKK) | https://www.kvkk.gov.tr/ |
| Iran | Data Protection Authority | https://www.dpo.ir/ |

Last Updated: 27-Nov-2025
