About this Privacy Policy
This Privacy Policy explains how Salteno Limited collects, uses, shares, stores and protects personal data. Salteno Limited is a company incorporated in the Republic of Cyprus with registration number HE 485474 and registered address at Dimitraki Dianellou 80, 6050 Larnaca, Cyprus. In this Privacy Policy, Salteno Limited is referred to as “Salteno”, “we”, “us” or “our”.
This Privacy Policy applies to personal data processed by Salteno in relation to our website, business contacts, prospective business clients, client and supplier representatives, communications, marketing, corporate administration, security, and other activities where Salteno determines why and how personal data is processed.
Salteno also provides technology, operational and programme-support services in connection with payment card programmes operated by regulated financial institutions, e-money institutions, payment institutions, issuers or other programme controllers. In those arrangements, Salteno normally acts as a processor and processes personal data only on documented instructions from the relevant controller for that programme, which we call the “Programme Controller” in this Privacy Policy.
This Privacy Policy does not replace any programme-specific privacy notice, application notice, cardholder terms, cardholder agreement or other information provided by the relevant Programme Controller. If you are a programme applicant, cardholder or other programme end user, the Programme Controller’s privacy information will explain how your personal data is processed for the relevant payment-services-related activities.
Our website and services are not directed at children under the age of 18, and we do not knowingly collect personal data from children. If you believe that a child has provided personal data to us, please contact us using the details in this Privacy Policy.
Who is responsible for your personal data
For activities where Salteno determines the purposes and means of processing, Salteno Limited is the controller of your personal data. This includes, for example, processing related to our website, business-to-business (B2B) relationship management, communications with prospective business clients, supplier management, internal administration, security of Salteno systems, recruitment where applicable, and Salteno’s own legal and corporate obligations.
For those controller activities, you can contact Salteno’s privacy contact/Data Protection Officer at support@spnd.xyz. You may use the same address to exercise your data protection rights in relation to personal data for which Salteno is controller.
Where Salteno processes personal data in connection with payment-services-related activities for a Programme Controller, Salteno normally acts as processor. In that capacity, Salteno does not determine the core purposes and means of the regulated payment-service processing and does not rely on its own legal basis for that processing. The Programme Controller is responsible for identifying the applicable lawful basis and providing the relevant privacy information to programme applicants, cardholders and other programme end users.
Salteno may assist the Programme Controller with privacy requests, but we will do so in accordance with the applicable data processing agreement and documented instructions.
Personal data we collect
The personal data we collect depends on your relationship with Salteno and the context in which the data is processed.
For Salteno controller activities, we may process identification and business contact information such as your name, business email address, telephone number, job title, organisation, country, professional role and correspondence with us. We may also process website and technical information such as IP address, device identifiers, browser type, operating system, time zone, access logs, security logs, cookie choices and information about how you interact with our website or communications.
We may process marketing and communication preferences, records of consents or opt-outs, meeting notes, support requests, enquiries, commercial correspondence, supplier or client representative details, contractual and billing information, professional adviser records, and other information that is reasonably necessary for our corporate, legal, administrative and business purposes.
We may receive personal data directly from you when you contact us, use our website, complete a form, subscribe to communications or correspond with us. We may also receive personal data from your organisation, employer or business contact; from service providers that support our website, communications, security, hosting, CRM, analytics, compliance or other operational activities; and from public sources such as company registries, professional networking platforms, sanctions lists or regulatory registers where permitted by law.
For programme-support processing, the exact categories of personal data are determined by the Programme Controller and the relevant programme documentation. Depending on the programme and the controller’s instructions, Salteno may process identification and contact data, application and onboarding data, verification information, transaction, account, card, balance, reconciliation, dispute, chargeback and support data, risk, fraud, sanctions, PEP, screening, Know Your Customer / Anti-Money Laundering (KYC/AML) support and case-management data, technical and security data, and communications or support records relating to programme operations.
Salteno does not use programme end-user personal data for Salteno’s own marketing, unrelated analytics, profiling, model training, product development or other independent purposes unless a separate controller role, lawful basis and transparency information have been documented.
How and why we use personal data
Where Salteno acts as controller, we process personal data only where we have a lawful basis under applicable data protection law. We may process personal data to respond to enquiries, manage business relationships, take pre-contractual steps, perform contracts, provide corporate or B2B services, manage suppliers and professional advisers, maintain business records, administer accounts, communicate with you, operate and secure our website and systems, prevent misuse, protect our legal rights, comply with legal or regulatory requirements, and improve our website, services and communications.
The lawful bases we rely on for Salteno controller activities may include performance of a contract where processing is necessary for a contract with you or to take steps at your request before entering into a contract; legal obligation where processing is necessary to comply with laws applicable to Salteno; legitimate interests where processing is necessary for Salteno’s or a third party’s legitimate business, security, administrative, legal or relationship-management interests and those interests are not overridden by your rights; and consent where consent is required, for example for certain marketing communications or non-essential cookies.
Where we rely on legitimate interests, those interests may include managing our business relationships, responding to enquiries, developing and improving our services, maintaining accurate records, protecting our systems and premises, preventing fraud or misuse, obtaining professional advice, enforcing or defending legal claims, and conducting proportionate B2B marketing where permitted by law. We assess and document legitimate interests where appropriate.
Where Salteno processes personal data as processor for programme-support activities, the Programme Controller determines the purposes and lawful basis for the relevant processing. This may include onboarding, operational servicing, technical platform workflows, customer support, reconciliation, reporting, dispute handling, KYC/AML support, fraud monitoring support, sanctions screening support and similar activities. Salteno processes this data only on documented instructions from the Programme Controller and does not present the Programme Controller’s legal bases as Salteno’s own legal bases.
If Salteno is separately required by law to process personal data in its own capacity, or if Salteno separately determines a controller purpose, that processing will be documented and reflected in the relevant privacy information.
When personal data is required
Where Salteno collects personal data directly from you as controller, we will indicate where information is mandatory. If you do not provide mandatory information, we may not be able to respond to your enquiry, communicate with you, provide requested information, enter into or perform a contract, manage a business relationship, or comply with a legal requirement.
For programme-support activities where Salteno acts as processor, the Programme Controller is responsible for explaining which personal data is required for the programme and the consequences of not providing it.
Marketing and communications
We may send marketing communications, service updates or business information to business contacts where permitted by law. We will rely on consent where consent is required. In other cases, we may rely on legitimate interests for proportionate B2B marketing, subject to your right to object and any applicable e-privacy rules.
You can opt out of marketing communications at any time by using the unsubscribe link in the message or by contacting support@spnd.xyz. We will keep a suppression record to make sure we respect your opt-out. Personal data processed by Salteno as processor for a Programme Controller is not used for Salteno’s own marketing unless a separate controller role, lawful basis and transparency notice apply.
Cookies and similar technologies
Our website may use cookies and similar technologies. Essential cookies are used to make the website function, maintain security and remember necessary settings. Optional analytics, marketing or similar cookies are used only where a valid legal basis is available, including consent where required.
Where non-essential cookies are used, Salteno should make available a separate Cookie Notice or cookie banner explaining the categories of cookies, purposes, providers, expiry periods and how you can change your choices.
Sharing personal data
We may share personal data where necessary and lawful. This may include sharing data with service providers that support hosting, cloud storage, CRM, communications, IT support, security, analytics, compliance, professional services and similar functions; professional advisers, auditors, insurers, banks and other providers supporting Salteno’s corporate operations; public authorities, courts, regulators, law enforcement bodies or other parties where required by law or necessary to protect legal rights; and a purchaser, successor or relevant adviser in connection with a merger, acquisition, restructuring or sale of assets, subject to appropriate safeguards.
Where Salteno processes personal data in connection with programme-support activities, we may share personal data with the relevant Programme Controller, authorised programme participants, payment infrastructure providers, card schemes, compliance vendors, fraud-prevention vendors or other authorised subprocessors where this is required for programme operations and permitted under the applicable controller instructions and contractual arrangements.
We require processors and subprocessors to protect personal data through appropriate contractual, technical and organisational safeguards. Where Salteno acts as processor, any onward sharing of programme data must comply with the applicable controller instructions, subprocessor approval requirements and data processing agreement.
International transfers
We and our service providers may process personal data in the European Economic Area (EEA) and, where necessary, in other countries. Where personal data is transferred outside the EEA or otherwise accessed from a third country, we apply appropriate safeguards as required by applicable data protection law.
Safeguards may include an adequacy decision, Standard Contractual Clauses approved by the European Commission, transfer impact assessments, supplementary technical and organisational measures, or another lawful transfer mechanism. For programme-support data processed by Salteno as processor, international transfers and remote access must be authorised by the Programme Controller and must comply with the applicable data processing agreement.
Retention
We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, or as required to comply with legal, accounting, regulatory, contractual or dispute-resolution requirements. Retention periods are set out in Salteno’s internal Data Retention Policy and may vary depending on the type of data, the purpose of processing, applicable limitation periods, legal requirements, contractual commitments and the need to establish, exercise or defend legal claims.
Where we no longer need personal data, we securely delete it, anonymise it, restrict it from active use or archive it in line with applicable requirements. If you opt out of marketing, we may retain limited information on a suppression list to make sure we do not contact you again for marketing purposes.
Where Salteno processes programme-support data as processor, retention, deletion, return and archiving follow the applicable data processing agreement, Programme Controller instructions and documented retention requirements. Salteno does not independently set retention periods for programme end-user data processed solely in its processor capacity.
Security
We maintain technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures may include role-based access controls, confidentiality obligations, encryption where appropriate, logging, monitoring, backup controls, supplier due diligence, incident response procedures, staff awareness and other controls appropriate to the nature of the data and the risks involved.
Where cardholder or programme data is processed in a controlled programme environment, Salteno applies the security obligations agreed with the relevant Programme Controller and any applicable contractual, regulatory or industry requirements.
Automated decision-making and profiling
Salteno does not make solely automated decisions in its own capacity as controller that produce legal effects or similarly significant effects on individuals.
Where automated tools support screening, fraud detection, transaction monitoring, risk operations or similar programme workflows for a Programme Controller, Salteno uses those tools only under the applicable processor arrangement and documented instructions. The Programme Controller’s privacy information should explain any automated decision-making or profiling for which the Programme Controller is responsible, where applicable.
Your rights
Subject to applicable law and any relevant limitations, you may have the right to request access to your personal data, rectification of inaccurate or incomplete personal data, erasure of personal data, restriction of processing, data portability, and objection to processing based on legitimate interests or direct marketing. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
You can exercise rights in relation to personal data for which Salteno is controller by contacting support@spnd.xyz. We may need to verify your identity before responding. We aim to respond within the timeframe required by applicable data protection law.
If your request relates to programme-support data processed by Salteno as processor for a Programme Controller, Salteno may refer the request to the Programme Controller or handle it under the Programme Controller’s documented instructions. Some rights may be limited where personal data must be retained for legal, regulatory, security, dispute-resolution or evidential reasons.
Contact details and complaints
If you have questions about this Privacy Policy, want to exercise your rights, or want to raise a privacy concern, please contact Salteno Limited at Dimitraki Dianellou 80, 6050 Larnaca, Cyprus, or by email at support@spnd.xyz.
If you are not satisfied with our response, you have the right to complain to a competent data protection authority. In Cyprus, the supervisory authority is the Office of the Commissioner for Personal Data Protection, Kypranoros 15, 1061 Nicosia, Cyprus, postal address P.O. Box 23378, 1682 Nicosia, Cyprus, telephone +357 22818456, website www.dataprotection.gov.cy. If you are located in another EU Member State, you may also contact your local supervisory authority.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, technology, our business operations or the way we process personal data. The latest version will be published on our website and will show the date of the most recent update. Where changes are material, we will take appropriate steps to bring them to your attention.