Privacy Policy

WamNow Technologies Limited

Last Updated: 10 April 2026

1. Introduction

WamNow Technologies Limited ("Wam", "we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Wam mobile application, web portals, point-of-sale applications, NFC payment devices, APIs, and related services (collectively, the "Service").

WamNow Technologies Limited is a licensed Electronic Money Issuer and Payment Service Provider authorised by the Central Bank of Trinidad and Tobago. We are the data controller responsible for your personal data.

By creating an account or using any part of the Service, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy should be read together with our [Terms of Service].

Contact details:

Email: privacy@wam.money
Address: WamNow Technologies Limited, [registered address], Trinidad and Tobago

2. Information We Collect

We collect personal data through several means, depending on how you interact with the Service.

2.1 Information You Provide Directly

Account Registration and Identity Verification:

Full legal name, date of birth, nationality, and gender
Email address and phone number
Residential address and proof of address documentation
Government-issued photo identification (e.g., national ID card, passport, driver's licence)
Selfie or biometric facial scan (for identity verification)
Politically Exposed Person (PEP) declaration
Tax identification number (where applicable)
Username and profile information

Business Account Information (if applicable):

Business name, type, and registration number
Business registration certificate and tax registration certificate
Beneficial ownership information (names, ownership percentages)
Bank statements (up to three months)
Business address and utility bills
Authorised representative details

Transaction Information:

Payment amounts, recipients, and descriptions
Bank account details for linked accounts
Debit and credit card details (tokenised and processed by our PCI-compliant payment processor)
Crypto Asset wallet addresses (external addresses you provide for deposits or withdrawals)

Communications:

Information you provide when contacting support (including email content, chat transcripts, and attachments)
Feedback, reviews, and survey responses

NFC Tag Information:

Tag labels, form factor selection, and spending limits you configure
PIN codes associated with NFC Tags (encrypted)

2.2 Information Collected Automatically

Device and Technical Data:

Device type, model, and operating system version
Unique device identifiers (device ID, advertising ID)
IP address and approximate geolocation derived from IP
App version, build number, and environment configuration
Browser type and version (for web portals)
Push notification tokens

Usage Data:

Pages, screens, and features accessed within the Service
Timestamps of access and interactions
Transaction history and patterns
Session duration and frequency of use
Error logs and crash reports
In-app navigation and interaction events

Biometric Data:

Biometric authentication data (Face ID, Touch ID, fingerprint) is processed locally on your device by the operating system. Wam does not store or have access to your raw biometric data.

2.3 Information from Third Parties

Identity Verification Providers:

Verification results, risk scores, and document authenticity assessments from our KYC providers (currently Veriff and/or SumSub)
Identity document data (document type, issuing country, document number, validity dates)
Person data extracted from identity documents (full legal name, date of birth, nationality, gender, ID number)
IP address used during the verification session
Cross-reference data indicating whether the same identity document or biometric data has been used by other accounts
Decision reasons and codes for declined or flagged verification attempts
PEP and sanctions screening results
Adverse media screening results

Blockchain Data:

Publicly available blockchain transaction data associated with your deposit or withdrawal addresses
Wallet address risk scores and screening results from blockchain analytics providers (e.g., Chainalysis, TRM Labs)

Financial Institutions:

Transaction confirmation data from banks and payment processors
Chargeback and dispute information from card networks

Authentication Provider:

Authentication tokens and session data from our authentication provider (Auth0)

Bridge (Global Account services):

Verification status, Virtual Account details, and transaction information from Bridge Building Inc. ("Bridge") — a US-based money services business (NMLS ID #2450917) — for Users who enrol in Wam's Global Account services
Bridge's own privacy practices are governed by its privacy policy, available at https://www.bridge.xyz/legal

3. How We Use Your Information

We use your personal data for the following purposes:

3.1 Providing and Operating the Service

Creating, verifying, and maintaining your Account
Processing Transactions (Top Ups, Transfers, Cash In, Cash Out, crypto operations, card payments, merchant payments, NFC Tag payments)
Generating and managing deposit addresses for Crypto Asset operations
Issuing and managing NFC Tags and virtual cards
Processing settlement and withdrawal requests
Providing customer support and responding to inquiries

3.2 Identity Verification and Compliance

Performing KYC and KYB verification at each tier
Conducting ongoing customer due diligence, including EDD for higher-risk profiles
PEP and sanctions screening
AML and CTF transaction monitoring
Blockchain address screening and risk assessment
Reporting suspicious activities to the Financial Intelligence Unit of Trinidad and Tobago and other competent authorities as required by law
Complying with regulatory obligations, court orders, and lawful requests from authorities

3.3 Security and Fraud Prevention

Detecting, preventing, and investigating fraud, unauthorised access, and other illegal activities
Monitoring Transactions for unusual patterns or behaviours, including rapid successive transactions, high volumes, and transfers between accounts with shared characteristics
Verifying device integrity and authentication
Managing and responding to security incidents
Validating that payment instruments (cards and bank accounts) are owned by the Account holder by comparing cardholder/holder names against your identity-verified name using automated fuzzy matching
Recording and analysing identity verification session data (including IP addresses, document details, biometric cross-references, and decline reasons) in an immutable audit log for fraud detection and regulatory compliance
Identifying fraud networks by analysing peer-to-peer transfer patterns, shared IP addresses across accounts, and reuse of identity documents across multiple accounts
Blocking access from IP addresses or devices associated with confirmed fraudulent activity
Issuing refunds to original cardholders where charges were made using stolen or third-party payment instruments, and debiting the corresponding amount from the responsible Account

3.4 Service Improvement and Analytics

Analysing usage patterns to improve the Service
Conducting internal research and analytics
Debugging errors and improving app performance
Developing new features and products

3.5 Communications

Sending service-related notifications (Transaction confirmations, security alerts, Account updates)
Sending administrative messages (policy changes, maintenance notices)
Sending marketing and promotional communications (with your consent, where required)
Responding to your inquiries and support requests

3.6 Legal and Regulatory

Establishing, exercising, or defending legal claims
Complying with applicable laws, regulations, and regulatory guidance
Maintaining records as required by the Central Bank of Trinidad and Tobago, the Financial Intelligence Unit, and other regulatory bodies

4. Legal Bases for Processing

We process your personal data on the following legal bases:

| Legal Basis | Examples | |-------------|---------| | Contract performance | Processing Transactions, maintaining your Account, providing the Service as described in our Terms | | Legal obligation | KYC/KYB verification, AML/CTF monitoring, regulatory reporting, tax reporting, responding to lawful authority requests | | Legitimate interests | Fraud prevention, security monitoring, service improvement, analytics, enforcing our Terms (balanced against your privacy rights) | | Consent | Marketing communications, optional data collection (e.g., precise location data), processing sensitive personal data where required |

Where processing is based on consent, you may withdraw your consent at any time by contacting us at privacy@wam.money or through the in-app settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

5. Data Sharing and Disclosure

We do not sell your personal information. We share personal data only as described below:

5.1 Service Providers and Processors

We share data with third-party service providers who process data on our behalf, subject to strict contractual obligations of confidentiality and data protection:

| Category | Purpose | Examples | |----------|---------|---------| | Identity verification | KYC/KYB document verification, biometric checks | Veriff, SumSub | | Payment processing | Card tokenisation, 3DS verification, payment processing | Cybersource | | Blockchain analytics | Wallet address screening, transaction monitoring | Chainalysis, TRM Labs | | Authentication | User authentication and session management | Auth0 | | Cloud infrastructure | Hosting, data storage, computing | Google Cloud Platform | | Email and messaging | Transactional emails, SMS notifications | SendGrid, Twilio, InfoBip | | Push notifications | Mobile push notifications | Firebase Cloud Messaging | | Banking partners | Bank transfers, settlement processing | Republic Bank, JMMB | | Global Account services | Foreign-currency Virtual Accounts, stablecoin wallets | Bridge Building Inc. (https://www.bridge.xyz/legal) |

5.2 Regulatory and Legal Disclosures

We may disclose your information:

To the Central Bank of Trinidad and Tobago, the Financial Intelligence Unit, or other regulatory bodies as required by law
In response to lawful requests from law enforcement agencies
To comply with court orders, subpoenas, or legal processes
To establish, exercise, or defend legal claims

5.3 Blockchain Networks

When you use Crypto Asset services, certain Transaction data (including wallet addresses and transaction amounts) is recorded on public blockchain networks. This data is publicly accessible and immutable. Wam cannot control or delete data recorded on public blockchains.

5.4 Card Networks

When you use the Virtual Card or card-based payment features, transaction data is shared with the card issuer (Bridge or Bridge's card-issuing partner), the applicable card networks (e.g., Visa), and the processing banks involved in the transaction, as required for payment processing and fraud prevention.

5.5 Merchants

When you make a payment to a merchant, the merchant may receive your Wam username or display name, the transaction amount, and a transaction reference. Merchants are responsible for their own handling of this information under their own privacy policies.

5.6 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the successor entity, subject to the same privacy protections described in this policy.

5.7 Mobile Information

No mobile information — including your phone number, text-messaging opt-in/opt-out data and consent, and messaging-related metadata — will be shared with third parties or affiliates for marketing or promotional purposes. Text-messaging originator opt-in data and consent will not be shared with any third parties. Service providers who receive mobile-related data for the purpose of delivering SMS or push notifications are prohibited from using this information for marketing or promotional purposes.

5.8 With Your Consent

We may share your information with third parties where you have given your explicit consent.

6. Data Retention

6.1 Retention Periods

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to the following minimum retention periods required by law:

| Data Category | Retention Period | Basis | |--------------|-----------------|-------| | Account information and KYC records | Minimum 7 years after account closure | AML/CTF regulations, Financial Institutions Act | | Transaction records | Minimum 7 years from transaction date | AML/CTF regulations, tax requirements | | KYB (business verification) documents | Minimum 7 years after business account closure | AML/CTF regulations | | Blockchain transaction data | Permanent (on-chain data is immutable) | Nature of blockchain technology | | Customer support records | 3 years from resolution | Legitimate interest, potential claims | | Marketing consent records | Duration of consent plus 2 years | Compliance with consent requirements | | Device and usage analytics | 2 years from collection | Legitimate interest (service improvement) | | Security and fraud investigation records | 7 years from incident | Legal obligation, legitimate interest |

6.2 Deletion Requests

Due to regulatory requirements mandating retention of financial records for a minimum of seven (7) years, we may not be able to immediately delete all personal data upon request. Following the expiration of mandatory retention periods, data will be securely deleted or anonymised. See Section 8 (Your Rights) for more information.

6.3 Secure Disposal

When personal data is no longer required, it is securely deleted or irreversibly anonymised using industry-standard methods.

7. Data Security

7.1 Technical Measures

We implement robust technical security measures to protect your personal data, including:

Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
Encryption at rest: Sensitive data is encrypted at rest using AES-256 encryption
Tokenisation: Payment card details are tokenised by our PCI DSS-compliant payment processor and are never stored on our servers in plaintext
Secure key management: Cryptographic keys, including those for HD wallet derivation and NFC Tag authentication (AES-128 CMAC), are managed through dedicated key management infrastructure
Access controls: Role-based access controls limit employee access to personal data on a need-to-know basis
Multi-factor authentication: Administrative access to systems requires multi-factor authentication
Secret management: Secrets and API keys are stored in Google Cloud Secret Manager, not in application code

7.2 Organisational Measures

Regular security assessments and vulnerability testing
Employee privacy and security awareness training
Incident response procedures with defined notification processes
Third-party vendor security assessments
Data processing agreements with all service providers
Segregation of customer funds data from operational data

7.3 Biometric Security

Biometric authentication data (Face ID, Touch ID, fingerprint) used to access the Service is processed and stored locally on your device by the operating system's secure enclave. Wam does not receive, transmit, or store raw biometric data.

Identity verification biometric data (facial scans submitted during KYC) is processed by our verification partners (Veriff/SumSub) in accordance with their privacy policies and our data processing agreements.

7.4 NFC Tag Security

NFC Tags use NXP NTAG 424 DNA chips with AES-128 CMAC cryptographic authentication, rolling counters for anti-replay protection, and unique per-tag keys to prevent cloning.

7.5 Incident Response

In the event of a data breach that poses a risk to your rights and freedoms, we will:

(a) Notify the relevant supervisory authority without undue delay;

(b) Notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms;

8. Your Rights

8.1 Rights Available to You

Subject to applicable law and regulatory requirements, you have the following rights regarding your personal data:

Right of Access — You may request a copy of the personal data we hold about you.

Right to Rectification — You may request correction of inaccurate or incomplete personal data. You can update certain information directly through the Service (email, phone number, profile details).

Right to Erasure — You may request deletion of your personal data, subject to our legal obligations to retain certain records (see Section 6). Financial and KYC records must be retained for a minimum of seven (7) years.

Right to Restriction — You may request that we restrict the processing of your personal data in certain circumstances.

Right to Data Portability — You may request a copy of your personal data in a structured, commonly used, machine-readable format.

Right to Object — You may object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.

Right to Withdraw Consent — Where processing is based on consent, you may withdraw consent at any time.

Right to Opt Out of Marketing — You may opt out of marketing communications at any time via the unsubscribe link in emails, in-app notification settings, or by contacting us.

8.2 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@wam.money with sufficient information to identify yourself and specify your request. We will respond within thirty (30) days. We may request additional information to verify your identity before processing your request.

8.3 Limitations

We may be unable to comply with certain requests where:

Retention is required by law (e.g., AML/CTF record-keeping obligations);
Data is necessary for the establishment, exercise, or defence of legal claims;
Compliance would infringe on the rights of others;
The request is manifestly unfounded or excessive.

We will explain the reasons for any refusal or limitation.

9. Cookies and Tracking Technologies

9.1 Mobile Application

The Wam mobile application uses:

Analytics tools to collect usage data and improve the Service
Crash reporting tools to identify and fix technical issues
Push notification services to deliver real-time alerts
Device identifiers for security, fraud prevention, and device management

9.2 Web Portals and Websites

Our websites and web portals (including business.wam.money and festival.wam.money) may use:

Essential cookies — Required for the operation of the website (session management, authentication)
Analytics cookies — To understand how visitors interact with our websites
Preference cookies — To remember your settings and preferences

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Service.

9.3 Do Not Track

We currently do not respond to "Do Not Track" browser signals.

10. International Data Transfers

10.1 Where We Process Data

Your personal data may be processed in jurisdictions outside of Trinidad and Tobago, including the United States and the European Economic Area, where our service providers operate. These transfers are necessary to provide the Service.

10.2 Safeguards

Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

Data processing agreements with all service providers
Standard contractual clauses or equivalent protections where applicable
Selection of service providers that maintain robust security certifications (e.g., SOC 2, ISO 27001)
Ensuring the recipient jurisdiction provides adequate data protection, or implementing supplementary measures where it does not

10.3 Transfers to Bridge (United States)

For Users who enrol in Wam's Global Account services, personal data (including identity verification information, transaction data, and wallet addresses) is transferred to Bridge Building Inc. in the United States. Bridge is a US-registered money services business and money transmitter, subject to US federal and state financial regulation, and maintains its own data protection program. Bridge processes this data for the purposes of operating Virtual Accounts and stablecoin wallets, performing its own compliance obligations, and fulfilling regulatory reporting requirements. Bridge's data processing is governed by its privacy policy at https://www.bridge.xyz/legal. You may exercise your rights with respect to data held by Bridge by contacting Bridge directly at support@bridge.xyz.

11. Children's Privacy

The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal data from children under 18 without verifiable parental or guardian consent. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that data promptly.

12. Privacy Risk Assessment and Compliance

12.1 Privacy Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms, including:

Implementation of new data processing technologies
Large-scale processing of sensitive data
Systematic monitoring or profiling of individuals
Cross-border data transfers involving sensitive data

12.2 Training and Awareness

We provide regular privacy and data protection training to employees and contractors who handle personal data. Third-party partners who process personal data on our behalf are required to maintain equivalent privacy standards.

12.3 Compliance Reviews

We periodically review and update our privacy practices to ensure compliance with applicable laws, regulatory guidance from the Central Bank of Trinidad and Tobago, and industry best practices.

13. Blockchain and Crypto-Specific Privacy Considerations

13.1 Public Blockchain Data

When you use Crypto Asset services, the following information is recorded on public blockchains:

Your deposit wallet address (a unique address generated by Wam, not linked to your identity on the blockchain itself)
Transaction amounts and timestamps
Sending and receiving wallet addresses
Network transaction fees

This data is publicly accessible, immutable, and cannot be deleted by Wam or any party. While your Wam deposit address does not reveal your identity on the blockchain, sophisticated blockchain analysis may be able to associate addresses with identities over time.

13.2 Address Screening

We use blockchain analytics services to screen wallet addresses for compliance purposes. This may involve sharing external wallet addresses you interact with to assess their risk profile. We do not share your personal identity information with blockchain analytics providers beyond what is necessary for screening.

14. Changes to This Privacy Policy

14.1 Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to you via:

In-app notification
Email notification
A prominent notice on our website

14.2 Effective Date

Changes become effective on the date specified in the updated policy. Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

14.3 Previous Versions

Previous versions of this Privacy Policy are available upon request by contacting privacy@wam.money.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Data Protection Contact WamNow Technologies Limited Email: privacy@wam.money Website: www.wam.money

For complaints that are not resolved to your satisfaction, you may contact the relevant data protection or supervisory authority in Trinidad and Tobago.

This Privacy Policy was last updated on 10 April 2026.