Privacy & Cookie Policy
Version: 1.1 Last Updated: 01/06/2025
Introduction
Welcome to Goldwise Holdings Limited’s Privacy Policy. Goldwise respects your privacy and is committed to protecting your personal data.
Goldwise Holdings Limited is a company registered in England and Wales with registered company number 13223773 and its registered office at Tramshed Tech Unit D, Pendyris Street, Cardiff CF11 6BH (“Goldwise” also referred to as “we”, “us” or “our” in this Privacy Policy).
Goldwise Holdings Limited acts as an authorised agent of PayrNet Limited, which is authorised and regulated by the Financial Conduct Authority under Firm Reference Number 900594.
Glossary of Key Terms
Personal Data: Any information that relates to an identified or identifiable individual (data subject).
Data Subject: The individual to whom the personal data relates.
Processing: Any operation performed on personal data (e.g. collection, storage, use, disclosure, deletion).
Data Controller: The organisation that determines the purposes and means of processing personal data.
Data Processor: A third party that processes data on behalf of the controller.
Legitimate Interest: A lawful basis for processing where the organisation has a genuine reason that does not override individuals’ rights.
Consent: Freely given, specific, informed and unambiguous indication of a data subject’s wishes to permit processing.
Profiling: Processing of personal data to evaluate aspects of an individual (e.g. behaviour, location, preferences).
Special Category Data: Sensitive personal data such as biometric data, racial origin, health data, etc.
UK GDPR: The UK General Data Protection Regulation, incorporated into UK law after Brexit.
Important information and who we are
Purpose of this Privacy Policy
This Privacy Policy aims to give you information on how Goldwise collects and processes your personal data through your use of the App and website appearing at goldwise.com (“Goldwise Platform”) or directly in your dealings with us over the phone or by email or other correspondence.
The Goldwise Platform is not intended for children and we do not knowingly collect data relating to children.
Data Controller
Goldwise is the controller and responsible for your personal data collected through the website, App, or directly in dealings with us. We are registered with the Information Commissioner’s Office (ICO) as a data controller under registration number ZB301757.
We have appointed a Data Protection Manager who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions, please contact the data protection manager via our customer team at: [email protected]
You have the right to make a complaint at any time to the ICO (www.ico.org.uk). We would, however, appreciate the chance to address your concerns first.
Identity verification and compliance monitoring
To comply with our legal obligations under anti-money laundering and counter-terrorism financing regulations, we work with trusted third-party service providers. These providers may receive and process your name, date of birth, address, identification documents, and in some cases, biometric data or other sensitive information. Such processing is carried out on our behalf under UK GDPR and under contract. We do not store sensitive verification data directly but may access it securely.
Where biometric or other special category personal data is processed, it is done in accordance with Article 9(2)(g) of the UK GDPR and Schedule 1 of the Data Protection Act 2018, on the basis of substantial public interest (e.g., fraud prevention and financial compliance).
Automated Decision-Making and Profiling
We use automated tools and internal logic to carry out customer onboarding checks and risk assessments. Our platform incorporates inputs from trusted third-party providers (such as identity document verification, PEP and sanctions screenings), as well as customer-provided information — including employment status, source of funds, intended use of the platform, and forecast trading activity.
Using these data points, we apply proprietary risk-scoring logic to assess whether a customer falls within our acceptable risk thresholds. This assessment may result in the customer being automatically approved, referred for Enhanced Due Diligence (EDD), or declined. Some decisions may be made without human intervention where predefined risk thresholds are met.
These profiling activities are used to determine the suitability of a customer’s use of the platform and to fulfil our legal, contractual, and operational obligations. As an authorised agent of a regulated Electronic Money Institution (EMI), we also carry out certain checks in support of our obligations under anti-money laundering (AML) and counter-terrorism financing (CTF) laws.
Where a decision based solely on automated processing produces legal or similarly significant effects, you have the right to request human intervention, express your point of view, and contest the decision — unless such processing is necessary to meet a legal requirement.
Changes to the Privacy Policy and Your Duty to Inform Us of Changes
We keep our Privacy Policy under regular review. Please keep your data accurate and current throughout your relationship with us.
Third-party Links
Our platform may contain links to other websites. We are not responsible for their privacy statements and advise reviewing their policies.
The Data We Collect About You
We may collect, use, store, and transfer different kinds of personal data about you:
• Registration Data: e.g. name, email, password, phone, preferences
• Identity Data: e.g. Registration Data + ID, DOB, address, source of funds, PEP/AML risk indicators
• Financial Data: e.g. bank account details, card details
• Transaction Data: e.g. trades, deposits, withdrawals
• Technical Data: e.g. IP address, device/browser/OS, interactions
• Marketing & Communications Data: e.g. preferences and settings
• Profiling Data: e.g. behavioural, transactional, and risk modelling
• Special Categories of Data: only where required by law and only to the extent necessary for verification and compliance
We also collect and use Aggregated Data, such as statistical or demographic data, which is not considered personal data as it does not directly or indirectly reveal your identity. For example, we may compile anonymised statistics on user activity to analyse usage trends. This aggregated data cannot be traced back to any individual user.
If You Fail to Provide Personal Data
If you do not provide the data we require, we may not be able to enter into or fulfil a contract with you (e.g. providing access to the platform).
How is Your Personal Data Collected?
• Direct interactions: via forms, emails, phone etc.
• Automated technologies: such as cookies, server logs etc.
• Third parties: identity providers, compliance services etc.
Cookies
We use cookies for performance, personalisation, and security. We categorise cookies as follows:
Category | Purpose | Example Cookies | Retention |
---|---|---|---|
Essential | Enable core functionality (e.g. login, security) | session_id, auth_token | Session |
Performance | Measure performance and usage | _ga, _gid | 30 days |
Functionality | Remember preferences or settings | language, currency_pref | 1 year |
Targeting/Ads | Deliver personalised ads or retargeting | fb_pixel, gads_id | Varies |
A full list of our cookies is provided below:
Cookie Name | Provider | Purpose | Duration | Category |
---|---|---|---|---|
Google Tag Manager | | Management of website tags | | Essential |
Google Analytics | | Tracking of on-site behaviour and acquisition sources | | Performance |
How We Use Your Personal Data
We use your data only where allowed by law. This includes:
• To perform a contract (e.g. account access, trading)
• To comply with legal obligations (e.g. AML, reporting)
• For our legitimate interests, where these do not override your rights
• With your consent, for marketing or non-essential tracking
A table of purpose, data types, and legal basis is found below:
Purpose | Type of Data | Lawful Basis |
---|---|---|
To register you as a customer | Registration | Performance of a contract |
To verify your identity, perform AML/CFT checks and to assess risk | Identity, Biometric (via third parties) | Legal obligation; Substantial public interest (UK GDPR Art 9(2)(g)) |
To process and execute trades and transactions | Financial, Transaction | Performance of a contract |
To manage our relationship with you (e.g. support, notifications) | Contact, Registration, Communications | Performance of a contract; Legitimate interest |
To administer and protect our platform | Technical, Usage | Legitimate interest (network security, fraud prevention) |
To deliver relevant content or marketing to you | Marketing, Behavioural | Consent (where required); Legitimate interest |
To comply with our legal, tax and regulatory obligations | All core data types | Legal obligation |
To respond to complaints, disputes, or legal claims | Identity, Transaction, Communications | Legal obligation; Legitimate interest |
Marketing
You may receive marketing based on your preferences. You can opt out at any time via your settings or email. We do not share data for third-party marketing without your explicit consent.
Change of Purpose
We will only use your data for the reason it was collected, or for a compatible purpose.
Disclosures of Your Personal Data
We may share your personal data with:
• Compliance and KYC vendors
• Payment processors
• Hosting and IT providers
• Legal or regulatory authorities
All processors are contractually bound to treat your data in accordance with the law and our instructions.
International Transfers
If we transfer your data outside the UK:
• We will use jurisdictions with an adequacy decision, or
• We will use appropriate safeguards (e.g. Standard Contractual Clauses or UK IDTA)
Data Security
We employ measures to prevent unauthorised access, loss, misuse, or disclosure. Suspected breaches will be reported in line with legal requirements.
Data Retention
We retain your personal data only for as long as reasonably necessary for the purposes for which it was collected, including to meet our legal, contractual, and operational obligations. This includes:
• Legal, tax, and regulatory compliance
• Auditing and reconciliation
• Dispute resolution and fraud prevention
As an authorised agent of a regulated Electronic Money Institution (EMI), we are required — under our contractual and compliance obligations — to retain certain core customer data (such as identity, transaction, and compliance information) for up to seven years after your relationship with us ends. You cannot request deletion of your data where retention is required by applicable law, AML/CTF obligations, or where it is necessary for our legitimate interests — such as defending legal claims or meeting audit requirements.
Where your data is no longer required for these purposes and deletion is feasible, we will honour your erasure request. Alternatively, we may restrict processing or anonymise the data for internal analytics or reporting.
Your Legal Rights
You have the right to:
• Access your data
• Correct incomplete or inaccurate data
• Request erasure, unless we are legally required to retain it
• Object to processing based on legitimate interest
• Restrict processing under specific circumstances
• Port your data to another provider
• Withdraw consent, where consent is the lawful basis
You can withdraw consent at any time by updating your preferences in the platform settings or by contacting [email protected]
Right to Erasure Clarification:
This right does not apply where we must retain data to comply with financial regulation, anti-money laundering law, or to defend legal claims.
No Fee Usually Required
There is no fee for exercising your rights. However, if a request is unfounded or excessive, we may charge a fee or refuse.
What We May Need From You
We may require ID verification to process your request and protect your data.
Time Limit to Respond
We will respond to all valid requests within one calendar month, unless the request is complex or excessive.
Contact
Data Protection Manager
[email protected]
Complaints may also be raised with the ICO: www.ico.org.uk