Global Privacy Notice V1.0, Last Updated: 13th March 2026
Privacy Notice
Introduction
This Privacy Notice applies to the processing activities performed by Salteno Limited, a company incorporated in the Republic of Cyprus (hereinafter referred to as “Salteno”, “we”, “us” or “our”), in respect of the personal data of its clients, prospective clients, and website visitors.
Your privacy is of the utmost importance to us. It is our policy to safeguard the confidentiality of information and respect the privacy of individuals.
Salteno is a payment card programme manager offering debit and prepaid card services. In the course of providing these services, Salteno processes specific data categories required by law, including residential address fields and additional risk scoring fields, collected to meet obligations under applicable EU and Cyprus legislation, including the General Data Protection Regulation (GDPR), the Payment Services Directive (PSD2), Anti-Money Laundering Directives (AMLD). These data points are mandatory for customer verification, anti-fraud monitoring, and regulatory reporting.
This Privacy Notice provides you with information regarding:
What personal data we collect and process
How we process your personal data
The reasons we process your personal data
Our obligations in processing your data responsibly and securely
Your data subject rights
For further information about how we collect, use and store your personal data, and to exercise your rights as a data subject, you may contact us by emailing support@spnd.xyz.
Definitions
The following terms are defined as follows:
2.1 “AML” means anti-money laundering.
2.2 “Personal Data” refers to any information relating to an identified or identifiable natural person, including names, identification numbers, location data, an online identifier, or to one or more factors specific to the physical, economic, cultural or social identity of a natural person.
2.3 “Salteno”, “We”, “Us” refers to Salteno Limited, a payment card programme manager registered in the Republic of Cyprus.
2.4 “Card Services” means the issuance and management of debit and prepaid payment cards, including card loading, transaction processing, and related payment services provided by Salteno.
2.5 “GDPR” means the General Data Protection Regulation (EU) 2016/679.
2.6 “PSD2” means the Payment Services Directive (EU) 2015/2366.
Your Data Controller
Salteno Limited is the Data Controller responsible for the collection, use, disclosure, retention and protection of your personal data in accordance with this Privacy Notice, as well as any applicable national and European Union laws, including the GDPR.
How Do We Protect Personal Data?
Salteno takes the security of personal data seriously. We have implemented and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorised disclosure of or access to such information, appropriate to the nature of the information concerned. Measures we take include:
Placing confidentiality requirements on our staff members and service providers;
Destroying or permanently anonymising personal data if it is no longer needed for the purposes for which it was collected;
Applying security controls in the storage and disclosure of your personal data to prevent unauthorised access;
Maintaining dedicated information security and data protection functions, with encryption by default on all environments;
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) for the protection of cardholder data.
How We Use Your Personal Data and What We Collect
We use and share Personal Data as described in this Privacy Notice, and for the following purposes:
To provide you with Salteno’s card services, including account opening, card issuance, payment processing and funds transfers;
To identify and authenticate your access;
To conduct analytics in order to improve and customise our websites and the ways we communicate with you;
To present you business opportunities regarding our products and services;
To send you marketing communications, updates and newsletters, provided that you can opt to stop receiving marketing materials at any time (opt-out);
To enter into a contract or perform a contract with you (as applicable);
To support and troubleshoot our services, to respond to your queries and communicate with you;
To investigate violations and enforce our policies, and as required by legal obligations applicable to Salteno, as per applicable law, regulation or other governmental authority, or to comply with a subpoena or similar legal process;
To secure our IT systems, information and facilities.
We obtain information about you in several ways through your use of our products and services, including through our website, the account opening process, and from information provided in the course of ongoing service communications.
To open an account with us, you must first complete and submit an online registration form. By completing this form, you are requested to disclose personal data in order to enable Salteno to assess your application and comply with the relevant laws and regulations.
The minimum information required for entering into a contract governing your use of our products and services, and for enabling us to comply with our statutory obligations in respect of anti-money laundering and crime and fraud prevention, is Biographical Information and Contact Information, Verification Information, PEP Information and Financial Information (defined below). Without this information, we cannot commence, or continue to provide our services and products to you.
5.1 Information We Collect
The information that we may collect from you is as follows:
Biographical Information and Contact Information – full name, residential address and contact details (e.g. email address, telephone number), date of birth, place of birth, gender, citizenship;
Financial Information – bank account information, card details, details about your source of funds, assets and liabilities, Tax ID and information relating to economic and trade sanctions lists;
Transaction Information – card account balances, transaction activity, your inquiries and our responses;
PEP Information – information on whether you (or someone close to you) holds a prominent public function;
Verification Information – information necessary to verify your identity such as a passport, driver’s licence, selfie photos/videos, login credentials or government-issued identity card;
Residential Address Information – Address Line 1 (street and number), Address Line 2 (optional apartment or suite), City, Postal Code and Country. This may also include the timestamp and source of collection and the IP address from which it was submitted if permitted by law;
Additional Risk Scoring Fields – Citizenship, Source of Funds, Purpose of Use, Expected Turnover, and Occupation. These fields support Enhanced Due Diligence and Customer Risk Assessment;
Other Information – other personal data or identification information which we, in our sole discretion, deem necessary to comply with our internal risk assessments and legal obligations under various AML regulations.
5.2 Information Collected Automatically
Browser Information – information automatically collected via analytics systems from your browser, including your IP address, domain name, device ID, browser type and version, timezone setting, operating system, and platform;
Log Information – information generated by your use of Salteno’s websites or applications, including device information, system activity, and the full URL clickstream to, through and from our website.
5.3 Information from Other Sources
We also receive information about you from third parties such as your payment providers, our service providers assisting with AML, fraud, and security compliance, and through publicly available sources. For example:
The banks you use to transfer money to us will provide us with your basic personal data, such as your name and address, as well as your financial information such as your bank account details;
Advertising networks, analytics providers and search information providers may provide us with anonymised or de-identified information about you.
Legal Basis for Processing
We process your personal data on the following legal grounds:
6.1 Performance of a Contract
We process your data when necessary to provide our card services, including account opening, card issuance, payment processing and funds transfers.
6.2 Legal Obligation
We are required by law to process certain personal data for:
Customer identification and verification (Know Your Customer / Customer Due Diligence) under anti-money laundering legislation, including the EU Anti-Money Laundering Directives (AMLD) and the Cyprus Prevention and Suppression of Money Laundering Activities Law (L.188(I)/2007, as amended);
Collection and maintenance of Residential Address and Risk Scoring information under AML and tax reporting legislation;
Compliance with the Payment Services Directive (PSD2) and applicable regulatory requirements;
Compliance with court orders, tax laws, and other reporting obligations;
Notification of changes to products, services, laws or regulations.
6.3 Legitimate Interest
We may process your data based on our legitimate interests for:
Administering, improving, and developing our products and services;
Internal business purposes and recordkeeping;
Enforcing and defending our legal rights;
Securing our IT systems, preventing crime and ensuring asset security;
Conducting data analysis and surveys;
Communicating with you about our services;
Receiving services from third parties (administrative, legal, tax, compliance, IT, analytics, identity verification).
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) to ensure your rights and freedoms are not overridden. You may object to such processing at any time by contacting us.
6.4 Consent
Where you have agreed to receive marketing communications directly, we rely on your consent. You may withdraw this consent at any time.
As part of processing your personal data for the purposes set out above, Salteno may share your personal data with:
Third parties and service providers with whom Salteno has a business relationship, where these parties have agreed to confidentiality restrictions and use any personal data we share with them solely for the purpose of providing the contracted service;
Cloud storage providers, fraud detection partners, compliance vendors, and payment processors, each bound by confidentiality and data protection obligations;
Card scheme operators (e.g. Visa, Mastercard) as required for card issuance and transaction processing;
Regulatory authorities and law enforcement agencies where required by law.
We may share personal data in the event of a corporate transaction (e.g. sale of a substantial part of our business, merger, consolidation or asset sale). In such event, the acquiring company will assume the rights and obligations as described in this Privacy Notice.
Salteno may also share Residential Address and Risk Scoring data with its regulated partners and authorities for the specific purposes of KYC/AML verification, risk assessment and tax reporting. These disclosures are limited to authorised entities and secured through data-processing agreements and appropriate safeguards.
We may also share personal data if we have a good faith belief that disclosure is necessary to: (i) comply with any applicable law, regulation, legal process or governmental request; (ii) enforce our policies; (iii) investigate, detect, prevent, or take action regarding illegal activities, suspected fraud or security issues; (iv) establish or exercise our rights to defend against legal claims; (v) prevent harm to the rights, property or safety of us, our users, yourself or any third party; or (vi) collaborate with law enforcement agencies.
Where We Store Your Personal Data
Our operations are supported by a network of computers, servers, and other infrastructure, including third-party service providers. We and our third-party service providers store and process your personal data within the European Union and the European Economic Area. Where transfers to countries outside the EEA occur, appropriate safeguards are in place as described in Section 9 below.
We may transfer your personal data outside the EEA to service providers and business partners. Transfers outside of the EEA are done in accordance with lawful transfer mechanisms under GDPR, specifically:
Where the European Commission has issued an adequacy decision for the recipient country;
On the basis of Standard Contractual Clauses (SCCs) approved by the European Commission;
Other appropriate safeguards as required under Article 46 of the GDPR.
. Data Retention
When personal data is no longer necessary for the purposes for which it may lawfully be processed, we will remove any details that may identify you, or we will securely destroy the relevant records.
For Residential Address and Risk Scoring Fields, Salteno retains these records for a minimum of five (5) years after the end of the business relationship or last transaction, and for up to ten (10) years where local law or regulators require longer storage.
We may need to maintain records for a significant period after you cease being our client, for legal or regulatory reasons. This includes copies of records used to comply with our customer due diligence obligations and records of transactions with you. If you have opted out of receiving marketing communications, we will retain your details on our suppression list.
Cookies
In the event that Salteno operates a website that uses cookies, a separate Cookie Notice will be published.
Your Rights Regarding Your Personal Data
Under the GDPR, you have the following rights in relation to the personal data we process. You may exercise these rights subject to any limitations provided for under applicable data protection laws.
12.1 Right of Access
You can ask us to confirm whether we are processing your personal data and, if so, what information we process, and to provide you with a copy of that information.
12.2 Right to Rectification
It is important to us that your personal data is up to date. If the personal data we hold about you is inaccurate or incomplete, you are entitled to have it rectified. You may inform us at any time that your personal details have changed by emailing us at
support@spnd.xyz.
12.3 Right to Erasure
You can ask us to delete or remove your personal data in certain circumstances. Such requests may be subject to any retention limits we must comply with in accordance with applicable laws. Please note that erasure requests cannot apply to data subject to legal retention requirements under AML and tax laws. Such data will be restricted from active use but retained securely until the mandatory period expires.
12.4 Right to Restriction of Processing
You can ask us to block or suppress the processing of your personal data in certain circumstances, such as if you contest the accuracy of that personal data or object to us processing it.
12.5 Right to Data Portability
In certain circumstances you may have the right to obtain personal data you have provided to us, in a structured, commonly used, and machine-readable format, and to re-use it elsewhere or ask us to transfer this to a third party of your choice, where technically feasible.
12.6 Right to Object
You can ask us to stop processing your personal data, and we will do so, if we are:
Relying on our own or someone else’s legitimate interests to process your personal data, except if we can demonstrate compelling legal grounds;
Processing your personal data for direct marketing;
Processing your personal data for research unless we reasonably believe such processing is necessary for a task carried out for reasons of public interest.
12.7 Rights Related to Automated Decision-Making
If we have made a decision about you based solely on an automated process (e.g. through automatic profiling) that affects your ability to access our services or has another significant effect on you, you can request not to be subject to such a decision unless we can demonstrate it is necessary for entering into, or the performance of, a contract between you and us.
12.8 Right to Lodge a Complaint
You have the right to complain to a competent data protection authority. Contact details are set out in Section 16 below. We ask that you first contact support@spnd.xyz to give us an opportunity to address any concerns.
12.9 Right to Withdraw Consent
You have the right to withdraw consent to processing based on consent at any time. Note this will not affect the lawfulness of processing based on consent prior to the withdrawal.
Changes to This Privacy Notice
Our Privacy Notice is reviewed regularly in light of new regulations, technologies and any changes to our business operations. Any personal data we process will be governed by our most recent Privacy Notice. We will update the “Last Updated” date accordingly at the beginning of this Privacy Notice and will announce any material changes on our website.
Children
Our products and services are not directed towards anyone under the age of 18 and we do not knowingly collect personal data from children. If we learn that we have inadvertently processed personal data from a child, we will take all legally permissible measures to remove that data from our records and will require the user to close their account. If you are a parent or guardian, and you suspect that a child has provided personal data to us, please contact us at support@spnd.xyz.
Contact Information
Any questions, complaints, comments and requests regarding this Privacy Notice are welcome and should be addressed to support@spnd.xyz.
Data Protection Authorities
If you are not satisfied with our response to your complaint, you have the right to submit a complaint to a competent data protection authority.
For citizens/residents of Cyprus:
Office of the Commissioner for Personal Data Protection Iasonos 1, 1082 Nicosia, Cyprus
Tel: +357 22818456
www.dataprotection.gov.cy
For citizens/residents of other EU Member States:
You may complain to your local supervisory authority in accordance with Article 77 of the GDPR.