Turing Financial Group (“TFG”, “we”, “us”, “our”) and its subsidiaries (“the Group”) are committed to protecting your privacy. This Privacy Policy (“Policy”) explains how we collect, use, disclose, and protect your Personal Information when you interact with our services (collectively, the “Services”).
This Policy applies to all users of our Services, including individuals, businesses, and entities using lending, custody, or transaction services. By using our Services, you agree to the practices described in this Policy. If you do not agree, please do not use our Services.
We operate in compliance with applicable data protection laws in all jurisdictions where we operate, including, but not limited to, the European Union’s General Data Protection Regulation (GDPR) for EU users, El Salvador’s data protection laws, and anti-money laundering and counter-terrorism financing (AML/CTF) regulations. Where local laws impose stricter requirements, we adapt our practices to ensure compliance. As a financial group, we prioritize transparency and security.
For questions about this Policy, contact us at dataprotection@turingfig.com.
1. Regulatory Compliance
We comply with applicable data protection laws in all jurisdictions where we operate, using the GDPR as a reference standard to ensure best practices. This includes, but is not limited to, El Salvador’s data protection laws, AML/CTF regulations, and specific regulations in regions where TFG or its subsidiaries provide services. We adapt to stricter local requirements when applicable, ensuring the protection of your Personal Information across all our global operations.
2. Personal Information We Collect
We collect Personal Information to provide, maintain, and improve our Services. Personal Information is any data that directly or indirectly identifies a living individual.
2.1 Information Provided Directly
- Account and Identification Data: Name, email address, phone number, date of birth, official identification (e.g., passport, driver’s license), proof of address, and tax identification numbers for KYC/AML compliance.
- Financial Information: Bank account details, cryptocurrency wallet addresses, transaction history, collateral details (e.g., Bitcoin holdings for loans), and source of funds verification.
- Communication Data: Information in emails, chats, or forms sent to us.
- Business Information: For corporate users, company name, registration details, beneficial owner information, and corporate documents.
2.2 Information Collected Automatically
- Usage Data: IP address, browser type, device information, operating system, pages visited, time and date of access, and referral sources.
- Transaction Data: Details of loans, repayments, and transfers.
- Location Data: Approximate location based on IP address or device settings (with consent where required).
2.3 Information from Third Parties
- Data from KYC/AML service providers (e.g., ComplyAdvantage), blockchain analysis tools (e.g., Chainalysis), or public sources for verification.
- References from partners or affiliates.
2.4 Special Category Data
We do not collect Special Category Data (e.g., racial or ethnic origins, political opinions, health data, biometric data, or criminal records) except in exceptional cases required for regulatory compliance, such as advanced KYC/AML verifications. Such data is processed with enhanced security measures, including high-level encryption and restricted access, and only with a valid legal basis, such as explicit consent or a regulatory obligation.
3. How We Use Your Personal Information
We use your Personal Information for legitimate business purposes, including:
- Service Provision: Processing loans, verifying identity for KYC/AML, executing transactions, and managing accounts.
- Compliance and Risk Management: Conducting due diligence, monitoring for fraud, money laundering, or terrorism financing, and reporting to regulators (e.g., CNAD/UIF in El Salvador).
- Service Improvement: Analyzing usage patterns to enhance platforms, develop new features, and personalize experiences. When using aggregated or anonymized data for analytics or reporting, we apply robust anonymization techniques to ensure it cannot be linked to an individual.
- Communications: Sending service updates, security alerts, marketing (with opt-out options), and regulatory notifications.
- Legal Obligations: Responding to subpoenas, audits, or requests from authorities.
- Analytics and Research: Using aggregated and anonymized data for internal reports or industry insights.
Legal bases for processing (under GDPR): consent; performance of a contract; legal obligations; legitimate interests (e.g., fraud prevention).
4. Sharing Your Personal Information
We do not sell your Personal Information. We share it only when necessary:
- Service Providers: Third-party providers for hosting, KYC/AML verification (e.g., ComplyAdvantage), transaction monitoring (e.g., Chainalysis), and payment processing. These providers are contractually obligated to protect the data.
- Subsidiaries and Affiliates: Within the Group (e.g., Turing Payments) for integrated services.
- Regulators and Authorities: To comply with laws, including sharing with authorities in El Salvador or international bodies for AML/CTF reporting.
- Business Transfers: In mergers, acquisitions, or asset sales, with notification where required.
- With Consent: For marketing partners or as permitted.
We ensure recipients comply with appropriate safeguards, such as standard contractual clauses for international transfers.
5. Data Security
We implement robust security measures to protect your Personal Information, including:
- Encryption of data in transit and at rest.
- Access controls (e.g., multi-factor authentication, role-based permissions).
- Regular audits, penetration testing, and breach monitoring.
- Compliance with ISO 27001 standards and blockchain best practices for custody and transactions.
Despite these measures, no system is infallible. In case of a security breach, we will notify affected users and regulators within legal deadlines (e.g., 72 hours under GDPR).
6. Data Retention
6.1 Retention Periods
We retain your Personal Information only for as long as necessary for the stated purposes or to comply with legal requirements:
- Account Data: During the duration of your relationship with us plus 7 years after termination (for AML records).
- Transaction Data: Indefinitely for blockchain immutability, with personal identifiers anonymized where possible.
- Logs: Up to 2 years for security purposes.
Data is securely deleted or anonymized at the end of retention periods.
6.2 Data on Blockchain
Due to the immutable nature of blockchains, certain transaction data may remain in public records. To comply with Data Subject rights, such as the right to erasure, we anonymize personal identifiers to the extent possible and manage sensitive data off-chain when necessary.
7. Your Rights and Options
7.1 Data Subject Rights
Depending on your location, you may have the following rights over your Personal Information under the GDPR and other applicable laws:
- Access: Request a copy of your data.
- Rectification: Update inaccurate or incomplete information.
- Erasure: Request deletion, subject to legal restrictions (e.g., AML requirements).
- Restriction: Restrict processing in certain cases.
- Objection: Object to processing based on legitimate interests or direct marketing.
- Portability: Receive data in a structured, transferable format.
- Withdrawal of Consent: Withdraw consent at any time, without affecting prior processing.
7.2 Procedure for Requests
To exercise your rights, send an email to dataprotection@turingfig.com. We respond within 30 days, extendable for complex cases. We verify the requester’s identity to ensure security. You can opt out of marketing through your account settings or unsubscribe links in our communications.
8. Cookies and Tracking Technologies
Our Services use cookies, web beacons, and similar tools for functionality, analytics, and security. Categories include:
- Essential: For login, transactions, and basic Service operations.
- Analytics: To understand Service usage (anonymized).
- Marketing: For targeted advertising (with opt-out options).
Manage your preferences through your browser settings or our cookie banner. We respect “Do Not Track” signals where feasible.
9. International Data Transfers
As a global group headquartered in El Salvador, we transfer data to countries such as affiliates in the European Union and South America. Before transferring Personal Information outside the European Economic Area (EEA), we conduct Transfer Impact Assessments (TIAs) to ensure that safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), are adequate and comply with legal requirements, especially in jurisdictions without adequacy decisions.
Transfers may occur without safeguards in exceptional cases, such as with explicit consent, to perform a contract, or for legal claims, subject to approval by the Data Protection Officer.
10. Children’s Privacy
Our Services are not directed to individuals under 18 years of age. We implement age verification in our forms and registration processes to prevent the collection of data from minors. If we discover that we have collected data from a minor, we delete it immediately. Parents or legal guardians may contact us at dataprotection@turingfig.com to request access, rectification, or deletion of a minor’s data.
11. Third-Party Links and Services
Our Services may include links to third-party sites or services. We are not responsible for their privacy practices. We recommend reviewing their privacy policies before providing them with data.
12. Changes to This Policy
We may update this Policy to reflect changes in our practices, operations, or applicable laws. We will notify you of significant changes by email or through a prominent notice on our website (www.turingfig.com) at least 30 days before they take effect. If you disagree with the changes, you may choose not to use our Services. Continued use after the effective date implies acceptance of the updated Policy.
13. Contact Us
Email: dataprotection@turingfig.com Address: Turing Financial Group, Paseo General Escalón 3675, Floor 21, Office 11, Millennium Plaza, San Salvador, El Salvador Data Protection Officer: dataprotection@turingfig.com14. Glossary
- GDPR: General Data Protection Regulation, European regulation protecting the personal data of EU residents.
- KYC/AML: Know Your Customer and Anti-Money Laundering processes to verify user identity and comply with regulations.
- Standard Contractual Clauses (SCCs): Legal agreements ensuring data protection in international transfers.
- Special Category Data: Sensitive information, such as health data, racial origins, religious beliefs, or criminal records, requiring additional protection.
- Anonymization: The process of transforming data so it cannot be linked to an individual.