Legal

Privacy Policy

ARIDANG OÜ · Last updated: June 2026 · Effective date: June 2026

Contents

  1. Who we are
  2. Data we collect
  3. How we use your data
  4. Legal basis for processing
  5. Sharing your data
  6. International transfers
  7. Data retention
  8. Cookies
  9. Your rights
  10. Security
  11. Changes to this policy
  12. Contact us

1.Who we are

ARIDANG OÜ ("ARIDANG", "we", "us", "our") is a company registered in Estonia. We operate the website at aridang.com and the online banking portal at online.aridang.ee.

Payment services accessible through our platform are provided by Gemba Finance Ltd, authorised and regulated by the Financial Conduct Authority as an Electronic Money Institution (FRN: 804853).

For the purposes of EU data protection law, ARIDANG OÜ is the data controller in respect of personal data processed through our website and client onboarding. Gemba Finance Ltd is an independent data controller in respect of data processed in connection with the provision of regulated payment services.

2.Data we collect

We collect personal data in the following categories:

  • Identity data: full name, date of birth, nationality, government-issued ID details (passport, national ID card).
  • Contact data: email address, phone number, registered business address, correspondence address.
  • Business data: company name, registration number, registered address, nature of business, ownership structure, UBO information.
  • Financial data: bank account details, transaction history, source of funds documentation.
  • Compliance data: PEP status, sanctions screening results, adverse media checks, risk classification.
  • Technical data: IP address, browser type, device identifiers, pages visited, session duration, login timestamps.
  • Communications data: records of correspondence with our support team, emails, and call notes.

3.How we use your data

We use your personal data to:

  • Process your account application and carry out identity verification (KYB/KYC).
  • Provide, maintain, and improve our services.
  • Process payments and maintain transaction records.
  • Comply with anti-money laundering (AML) and counter-terrorism financing (CTF) obligations.
  • Conduct ongoing transaction monitoring and risk assessments.
  • Communicate with you about your account, including service notices and support responses.
  • Detect and prevent fraud, security incidents, and misuse of our platform.
  • Comply with legal and regulatory obligations including reporting to financial authorities.
  • Improve our website through aggregated analytics (no individual profiling for marketing).

4.Legal basis for processing

Under GDPR, we rely on the following legal bases:

  • Contract: processing necessary to enter into or perform the account agreement with you.
  • Legal obligation: compliance with AML, CTF, PSD2, and other applicable financial regulations.
  • Legitimate interests: fraud prevention, network security, improving our services, and business communications — where our interests do not override your rights.
  • Consent: for optional marketing communications and non-essential cookies, where we have obtained your explicit consent.

5.Sharing your data

We share personal data only where necessary, with:

  • Gemba Finance Ltd — our regulated payment services partner, who processes data as an independent data controller under their own privacy policy.
  • Identity verification providers — third-party KYC/KYB platforms used for document verification and biometric checks.
  • Sanctions and PEP screening providers — to fulfil AML obligations.
  • Financial Intelligence Units and regulators — where required by law (e.g., suspicious transaction reports).
  • Correspondent banks and payment network operators — to process your transactions.
  • IT infrastructure and cloud service providers — under data processing agreements with appropriate safeguards.
  • Professional advisers — legal counsel, auditors, and accountants where necessary and under confidentiality obligations.

We do not sell personal data to third parties, and we do not share data for third-party advertising purposes.

6.International transfers

Some of our service providers are located outside the European Economic Area (EEA). When we transfer personal data internationally, we ensure appropriate safeguards are in place, such as:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Transfers to countries with an EU adequacy decision.
  • Binding corporate rules where applicable.

You may request details of the specific safeguards applied to any transfer by contacting us at the address below.

7.Data retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, including for legal and regulatory compliance. In practice:

  • Account and transaction data is retained for a minimum of 5 years from the end of the business relationship, as required under AML regulations.
  • KYC and identity verification records are retained for 5 years from the date of verification or the end of the relationship, whichever is later.
  • Website analytics data is retained for up to 24 months.
  • Support communications are retained for 3 years from the date of the last interaction.

After the applicable retention period, data is securely deleted or anonymised.

8.Cookies

Our website uses cookies and similar technologies. We use:

  • Strictly necessary cookies: essential for the website to function. No consent required.
  • Analytics cookies: help us understand how visitors use our site (e.g., Google Analytics). We anonymise IP addresses. Consent required.
  • Preference cookies: remember your settings (e.g., language). Consent required.

You can manage or withdraw cookie consent at any time through your browser settings or our cookie preference centre.

9.Your rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of your data where there is no lawful reason for us to continue processing it.
  • Right to restrict processing: request that we limit how we use your data in certain circumstances.
  • Right to data portability: receive your data in a structured, machine-readable format and transfer it to another controller.
  • Right to object: object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making: not be subject to solely automated decisions that significantly affect you, without human review.

To exercise any of these rights, please contact us at info@aridang.eu. We will respond within 30 days. You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (aki.ee) or the supervisory authority in your country of residence.

10.Security

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include encryption in transit and at rest, access controls, regular security assessments, and staff training.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify you directly.

11.Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you via email or a prominent notice on our website at least 14 days before taking effect. The date at the top of this document reflects the most recent revision.

12.Contact us

Data Controller
ARIDANG OÜ
Registered in Estonia
Email: info@aridang.eu

Payment Services Data Controller
Gemba Finance Ltd · Level 39, 1 Canada Square, Canary Wharf, London, E14 5AB, UK
Payment services provided by Gemba Finance Ltd · FCA Authorised (FRN 804853)