Privacy Policy
Effective April 21, 2026
DITC LLC operating as DITC.io · www.ditc.io · Version 3.0
1. Controllers and Single Point of Contact
Joint controllers. For the purposes of account opening, identity verification, KYC and AML compliance, transaction monitoring, fraud prevention, and sanctions screening, DITC LLC and its licensed partner institution(s) are joint controllers within the meaning of Article 26 of the EU General Data Protection Regulation (GDPR) and the UK GDPR.
DITC LLC alone is controller for website operation, user accounts on www.ditc.io, marketing communications, and website analytics.
The essence of the joint-controller arrangement is published at www.ditc.io/joint-controllers. The single point of contact for data-subject rights is privacy@ditc.io.
| Party | Address / jurisdiction | Contact |
|---|---|---|
| DITC LLC (DITC.io) | 30 N Gould St Ste N, Sheridan, WY 82801, USA | privacy@ditc.io |
| Licensed partner institution(s) | Offshore jurisdiction, disclosed to the client during onboarding | via privacy@ditc.io |
| Privacy Contact | | privacy@ditc.io |
Note on Data Protection Officer. DITC LLC has assessed its data-processing activities and determined that the mandatory appointment of a Data Protection Officer under Article 37 GDPR is not currently triggered: DITC LLC is not a public authority, does not carry out large-scale systematic monitoring of individuals, and does not process special-category data on a large scale as a core activity. Should processing activities change such that Art. 37 GDPR requires formal DPO appointment, a DPO will be designated and identified in this Privacy Policy without delay. In the meantime, all data-subject rights requests and privacy-related enquiries may be directed to privacy@ditc.io.
EU and UK GDPR Article 27 Representatives. DITC LLC does not actively market or direct services at residents of the European Union, the European Economic Area, or the United Kingdom. As a result, DITC LLC does not currently consider itself obligated to appoint EU or UK GDPR Article 27 representatives under Article 3(2) GDPR or the equivalent UK GDPR provision, which apply where a non-EEA/UK controller specifically targets individuals in those territories. Should DITC LLC’s business activities change such that active targeting of EU, EEA, or UK individuals occurs, an Article 27 representative will be appointed and identified in this Privacy Policy before such targeting commences. EU/EEA residents who choose to access www.ditc.io on their own initiative may direct data-subject rights requests to privacy@ditc.io and may lodge complaints with the data-protection authority of their country of residence (a directory is published at edpb.europa.eu). UK residents may contact the Information Commissioner’s Office at ico.org.uk.
2. Personal Data We Collect
2.1 Data you provide directly
Full name, date of birth, nationality, residential address, email address, telephone number, government-issued identity documents (passport, national ID, driving licence), tax identification number, occupation, source-of-funds and source-of-wealth declarations, expected transaction volumes, and any other information submitted during account opening, support contacts, or complaints.
2.2 Data collected automatically
IP address, browser type and version, operating system, pages visited, time and date of visits, referring URL, device identifiers, session logs, and information placed or read via cookies and similar technologies (see our Cookie Policy at www.ditc.io/cookies).
2.3 Financial and transactional data
Account balances, transaction history, payment counterparties, cryptocurrency wallet addresses you provide or that you transact with, and the results of blockchain risk screening applied to those addresses.
2.4 Compliance and sanctions data
Results of identity checks, liveness checks, sanctions screening, PEP screening, adverse-media checks, and blockchain analytics results performed in connection with our legal obligations under AML and counter-terrorist-financing law.
2.5 Special-category data (biometric data)
Identity verification during account opening includes a liveness check in which your facial image is captured and processed to uniquely identify you. This is biometric data under Article 9(1) GDPR and Article 9(1) UK GDPR. Legal basis: Article 9(2)(g) GDPR (substantial public interest) read with applicable AML and anti-terrorist-financing legislation. You may object to biometric processing; if you do, we cannot verify your identity and no account can be opened.
2.6 Data from third parties
Identity-verification providers, sanctions and PEP databases, credit-reference agencies, and blockchain-analytics providers may supply additional data to fulfil our legal obligations.
3. Purposes and Legal Bases for Processing
| Purpose | Legal basis (GDPR / UK GDPR) |
|---|---|
| Account opening | Art. 6(1)(b) – performance of a contract |
| KYC, AML, sanctions and PEP screening | Art. 6(1)(c) – legal obligation; Art. 9(2)(g) for biometrics |
| Transaction processing and account management | Art. 6(1)(b) – performance of a contract |
| Transaction monitoring, fraud prevention, blockchain risk screening | Art. 6(1)(c) – legal obligation; Art. 6(1)(f) – legitimate interest |
| Regulatory reporting (STR/SAR and mandatory reports) | Art. 6(1)(c) – legal obligation |
| Complaints management and dispute resolution | Art. 6(1)(b) and Art. 6(1)(c) |
| Marketing communications | Art. 6(1)(a) – consent, revocable at any time |
| Placement of analytics / marketing cookies | Consent under ePrivacy Art. 5(3); associated processing: Art. 6(1)(f) |
| Website operation and security | Art. 6(1)(f) – legitimate interest in operating a secure website |
4. Automated Decision-Making
Some onboarding and transaction decisions involve automated processing: identity-verification scoring, sanctions and PEP match scoring, AML risk scoring, and blockchain risk scoring of cryptocurrency wallet addresses. Where an automated decision would have a material effect on you (such as refusal of onboarding, block of a transaction, or freeze of an account), the final decision is reviewed by a human before it takes effect, except where immediate action is legally required (e.g. a confirmed sanctions match).
You have the right under Article 22 GDPR / UK GDPR to (i) express your point of view, (ii) obtain human review, and (iii) contest the decision. Requests: privacy@ditc.io.
5. Who We Share Personal Data With
We share personal data with: (a) the licensed partner institution(s) as joint controller(s) (see section 1); (b) sub-processors providing services on our behalf; (c) competent regulatory and law-enforcement authorities where required by law.
A named sub-processor list with entity name, country of processing, purpose and transfer mechanism is published and kept current at www.ditc.io/processors. The current list includes (non-exhaustive):
| Sub-processor | Location | Purpose |
|---|---|---|
| Sumsub (sumsub.com) | Global | Identity verification, liveness checks, document authentication, biometric processing, ongoing due diligence |
| Chainalysis (chainalysis.com) | Global | Blockchain analytics, wallet risk scoring, AML / sanctions screening |
| Cloudflare | Global | Security, performance, bot management |
| Google LLC | Global | Analytics and tag management (consent-gated) |
| Meta Platforms | Global | Marketing attribution (consent-gated) |
| Cloud / hosting providers | Global | IT infrastructure and hosting |
This list is not exhaustive. Each sub-processor is bound by a written data-processing agreement compliant with Article 28 GDPR / UK GDPR.
6. International Data Transfers
Personal data may be transferred outside the European Economic Area or the United Kingdom to, in particular: (i) our licensed partner institution(s) in their offshore jurisdiction(s); (ii) sub-processors and service providers operating globally; (iii) cloud infrastructure in various regions.
We rely on the following Article 46 mechanisms as applicable:
- EU–US Data Privacy Framework and its UK Extension, or equivalent transfer frameworks, where the recipient is certified.
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914), and the UK International Data Transfer Addendum to the EU SCCs where DPF coverage is not available.
- Transfer Impact Assessments (TIAs) completed before each transfer, with supplementary measures including encryption in transit and at rest, minimum-necessary data, pseudonymisation where feasible, contractual audit rights, and restrictions on government-access requests.
Transfers to offshore jurisdictions. For transfers to our partner institution(s) we rely on SCCs and additional safeguards (encryption, minimum-necessary data, restricted access, contractual right of audit). A TIA summary is available on request from privacy@ditc.io. Because the destination country does not have an EU adequacy decision, safeguards are described in detail in our Transfer Impact Assessment register.
7. Retention Periods
| Category | Period |
|---|---|
| Account data and transaction records | 5 years from account closure; extendable up to 10 years where required by applicable AML law or ongoing investigation |
| Identity documents (KYC) | 5 years from end of business relationship; then deleted unless a legal extension applies |
| Biometric templates (liveness check) | Deleted after verification or at most 12 months from verification, whichever is earlier, unless a litigation hold applies |
| Complaints records | Minimum 5 years from closure of the complaint (or longer if required by local financial-services law) |
| Marketing consents and communications | Until withdrawal of consent or 24 months of inactivity, whichever is earlier |
| Website log data | 12 months |
| Analytics and marketing cookies | Maximum 13 months (see Cookie Policy) |
8. Your Rights
- Access – to obtain confirmation of processing and a copy of your personal data (Art. 15).
- Rectification – to have inaccurate data corrected (Art. 16).
- Erasure – subject to legal retention obligations (Art. 17).
- Restriction – to limit processing in certain circumstances (Art. 18).
- Objection – to object to processing based on legitimate interest, including profiling, at any time (Art. 21(1)).
- Object to direct marketing – unconditionally, at any time (Art. 21(2)).
- Portability – to receive data you provided, for processing based on consent or contract (Art. 20).
- Withdraw consent – where processing is based on consent, without affecting lawfulness of prior processing (Art. 7(3)).
- Not to be subject to a solely automated decision – as set out in section 4 (Art. 22).
- Complaint – to lodge a complaint with the data-protection authority of your country of residence.
To exercise any of these rights, contact privacy@ditc.io. Competent authorities: for EU/EEA residents, the DPA of your country (directory at edpb.europa.eu); for UK residents, the ICO (ico.org.uk).
9. Exclusion of US Persons
The services offered via www.ditc.io are not available to US Persons. ‘US Person’ means any citizen of the United States of America, any holder of a US permanent resident card (Green Card), any person resident or domiciled in the United States of America (including any state, territory, or possession thereof), and any legal entity organised or incorporated under the laws of the United States.
DITC LLC does not direct its services at US Persons and does not accept registrations from US Persons. By accessing www.ditc.io or submitting any personal data through this website, you represent and warrant that you are not a US Person. If DITC LLC determines at any time that you are or have become a US Person, DITC LLC reserves the right to terminate your account and delete your personal data (subject to mandatory legal retention obligations) without prior notice. US Persons who believe their personal data has been inadvertently collected may contact privacy@ditc.io to request deletion.
10. Security and Breach Notification
We implement technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, including encrypted data transmission (TLS), encryption at rest, least-privilege access controls, multi-factor authentication for administrators, logging, and regular security reviews.
Breach notification. In the event of a personal-data breach, we will notify the relevant supervisory authorities within 72 hours of becoming aware, as required by Article 33 GDPR / UK GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34.
11. Minors
Our services are available only to persons aged 18 or over. Date of birth is collected and verified during identity verification; accounts where the date of birth indicates the applicant is under 18 are rejected automatically. If you believe a minor has provided us with personal data, contact privacy@ditc.io and we will delete it.
12. Changes to This Privacy Policy
We may update this Privacy Policy. Material changes will be notified by email and on the website at least 30 days before they take effect. The current version is always available at www.ditc.io/privacy, together with a dated change log. A change to this Policy is not a substitute for an Article 6 or 9 GDPR legal basis; we do not treat continued use of the website as consent to new processing.
13. Contact
| Purpose | Contact |
|---|---|
| General enquiries | info@ditc.io |
| Account & service support | support@ditc.io |
| Data-subject rights | privacy@ditc.io |
| Formal complaints | complaints@ditc.io |
| Security incidents | security@ditc.io |
| Legal & compliance | legal@ditc.io |
| EU Digital Services Act | dsa@ditc.io |
14. Change Log
| Version | Date | Changes |
|---|---|---|
| Version 3.0 | 21 April 2026 | Domain updated to ditc.io. Removed EU/UK Art. 27 representative placeholders; replaced with clear explanation that no active EU/UK targeting takes place and reps are therefore not currently required. Privacy contact aligned to ditc.io. Offshore fintech framing. GPC and US state-privacy block retained. Joint controllership with licensed partner institution(s). Art. 9(2)(g) biometric basis. Art. 22 automated decision-making. Named sub-processors. Bounded retention periods. International transfer mechanisms. Breach-notification commitment. US state-privacy block. |
| Version 2.0 | 20 April 2026 | Joint controllership with licensed partner institution(s). Art. 9(2)(g) biometric basis. Art. 22 automated decision-making. Named sub-processors. Bounded retention periods. International transfer mechanisms. Breach-notification commitment. US state-privacy block. |
| Version 1.0 | 19 April 2026 | Initial publication (superseded). |
DITC LLC · 30 N Gould St Ste N, Sheridan, WY 82801, USA · www.ditc.io