Privacy Policy
How Gulf Token Innovation Ltd collects, uses, and protects your personal data across our asset tokenization, digital banking, and blockchain investment platform.
This Privacy Policy explains how Gulf Token Innovation Ltd ("we", "us", "our", or "GulfToken"), a technology company registered in the Dubai International Financial Centre (DIFC) Innovation Hub, Dubai, United Arab Emirates, collects, uses, discloses, and protects your personal data when you use our platform, website, and related services.
Gulf Token Innovation Ltd is a private and independent company that develops, operates, and licences enterprise-grade technology for asset tokenization, digital banking, card programmes, and blockchain trading. We own and manage all intellectual property, platform operations, and investor-facing services.
We are committed to protecting your privacy and handling your personal data in accordance with applicable data protection legislation, including the DIFC Data Protection Law (DIFC Law No. 5 of 2020) and the EU General Data Protection Regulation (GDPR). Where our services are used by individuals in other jurisdictions, we also comply with locally applicable data protection requirements.
By accessing or using our platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use our services.
Last updated: February 2026
We collect different categories of personal data depending on how you interact with our platform. The data we collect falls into the following categories:
When you register for an account, complete identity verification (KYC), or interact with our services, we may collect:
Full legal name, date of birth, nationality, and country of residence; government-issued identification documents (passport, national identity card, driving licence); proof of address documentation (utility bills, bank statements); photographs, selfies, and biometric facial data for liveness verification; tax identification numbers and tax residency information; professional or accreditation status for qualified investor classification; and corporate entity information for institutional investors (registration documents, beneficial ownership, authorised signatories).
To facilitate transactions and comply with regulatory obligations, we collect: bank account details and IBAN numbers; payment card information (processed via PCI-DSS compliant providers); transaction history, including deposits, withdrawals, and investment activity; source of funds and source of wealth declarations; investment preferences, risk tolerance, and portfolio data; and wallet addresses for blockchain-based transactions.
When you access our platform, we automatically collect: IP address and approximate geolocation; browser type, version, and operating system; device identifiers and screen resolution; pages visited, features used, and session duration; referral source and navigation paths; and error logs and performance data.
We retain records of communications you have with us, including: support ticket content and correspondence; email communications; contact form submissions (processed through Formspree); notification preferences and delivery records; and feedback and survey responses.
We use the personal data we collect for the following purposes:
To create and manage your account; to process investment transactions, subscriptions, and redemptions; to facilitate token purchases, transfers, and custody operations; to operate digital banking features including card programmes, savings pots, and payment services; to generate account statements, tax reports, and portfolio summaries; and to provide customer support and respond to enquiries.
To conduct Know Your Customer (KYC) identity verification and ongoing due diligence; to perform Anti-Money Laundering (AML) screening and transaction monitoring; to execute sanctions screening against OFAC, UN, EU, and other applicable lists; to comply with Travel Rule obligations for virtual asset transfers; to file Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) where required; to meet regulatory reporting obligations across applicable jurisdictions; and to maintain audit trails as required by financial regulators.
To analyse platform usage patterns and improve user experience; to monitor system performance, uptime, and reliability; to detect and prevent fraud, market abuse, and unauthorised access; to develop new features and services; and to conduct aggregated, anonymised statistical analysis.
To send transactional notifications (order confirmations, settlement updates, security alerts); to deliver regulatory and compliance notifications; to provide product updates and service announcements where you have opted in; and to respond to your enquiries and support requests.
We process your personal data on the following legal grounds, as applicable under the DIFC Data Protection Law and the GDPR:
Processing is necessary for the performance of our agreement with you, including account creation, transaction processing, investment management, card programme operation, and digital banking services.
Processing is necessary to comply with legal and regulatory obligations, including KYC/AML requirements, sanctions screening, tax reporting, Travel Rule compliance, regulatory reporting, and audit trail maintenance as required by applicable financial regulators and authorities.
Processing is necessary for our legitimate interests, provided these are not overridden by your rights and freedoms. This includes fraud detection and prevention, platform security monitoring, service improvement and analytics, and the protection of our legal rights. We conduct balancing assessments to ensure our legitimate interests do not unduly impact your privacy.
Where required, we obtain your explicit consent for specific processing activities, including marketing communications, the use of non-essential cookies and analytics tracking, and the processing of biometric data for identity verification. You may withdraw your consent at any time by contacting us or updating your preferences in your account settings. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
We do not sell your personal data. We share personal data only where necessary for the purposes described in this policy, and only with the following categories of recipients:
Personal data may be shared with our affiliated entities and regulated partners where necessary for the purposes of platform operation, regulatory compliance, and service delivery. This includes regulated financial service providers engaged to perform investor onboarding, custody, and token issuance activities on behalf of the Platform.
We engage trusted third-party service providers who process data on our behalf under contractual data processing agreements. These include:
Identity Verification: Sumsub - for KYC identity verification, document authentication, and liveness detection. Sumsub processes identification documents, facial biometrics, and proof of address data.
Digital Asset Custody: Fireblocks - for secure custody of digital assets using multi-party computation (MPC) technology. Fireblocks processes wallet addresses and transaction data.
Banking Services: Banking Circle and partner banking institutions - for fiat payment processing, account management, and settlement services. These providers process bank account details, payment instructions, and transaction records.
Travel Rule Compliance: Notabene - for virtual asset transfer compliance, processing originator and beneficiary information as required by FATF Travel Rule regulations.
Cloud Infrastructure: Amazon Web Services (AWS) - for hosting, data storage, and compute services. Data is processed in the EU (Frankfurt, eu-central-1 region).
Form Processing: Formspree - for processing contact form submissions from our website.
Analytics: Google Analytics 4 - for anonymised website usage analysis (see Section 10 for details).
We may disclose personal data to regulatory authorities, law enforcement agencies, or judicial bodies where required by law, regulation, or legal process. This includes Financial Intelligence Units (FIUs) in relation to suspicious activity reports; applicable financial regulators for compliance reporting; tax authorities under automatic exchange of information agreements (CRS, FATCA); and law enforcement agencies in response to valid legal requests or court orders.
Given the international nature of our services, your personal data may be transferred to and processed in jurisdictions outside your country of residence, including:
United Arab Emirates (DIFC): Gulf Token Innovation Ltd is based in the DIFC, which operates under the DIFC Data Protection Law providing a comprehensive data protection framework. Platform development, technology operations, and corporate administration are conducted from this location.
European Union: Our primary cloud infrastructure is hosted in AWS EU (Frankfurt). The EU provides strong data protection under the GDPR.
Where personal data is transferred to countries that do not provide an equivalent level of data protection, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission; contractual data processing agreements with all service providers; technical and organisational security measures; and ongoing monitoring of the data protection landscape in recipient countries.
We implement robust technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
Encryption of data in transit using TLS 1.2 and above; encryption of data at rest using AES-256 encryption; multi-party computation (MPC) custody for digital assets through Fireblocks; secure key management using AWS Key Management Service (KMS); multi-factor authentication (MFA) for all user accounts, supporting TOTP and SMS-based verification; automated vulnerability scanning and penetration testing; network segmentation and firewall protection; and intrusion detection and prevention systems.
Role-based access controls with maker-checker approval workflows; comprehensive audit trails for all data access and modifications, secured with cryptographic hash chains; regular security training for all personnel; data processing agreements with all third-party processors; incident response procedures and breach notification protocols; regular security assessments and compliance audits; and strict data minimisation practices, collecting only what is necessary for each purpose.
While we take all reasonable steps to protect your data, no method of electronic transmission or storage is completely secure. We encourage you to use strong passwords, enable multi-factor authentication, and exercise caution when sharing sensitive information.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are determined by:
KYC and AML records are retained for a minimum of five years following the termination of the business relationship, or longer where required by the relevant jurisdiction. Transaction records and financial data are retained for a minimum of seven years, in accordance with accounting and tax regulations. Suspicious Activity Reports and related investigation records are retained for a minimum of ten years. Audit trail records are retained for seven years in accordance with regulatory compliance requirements.
Active account data is retained for the duration of your relationship with us. Inactive account data is retained for the regulatory minimum period following account closure. Support ticket records are retained for three years following resolution. Website analytics data is retained in anonymised form for up to 26 months.
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Anonymised data may be retained indefinitely for statistical and analytical purposes. Where deletion is technically impracticable (for example, data recorded on a blockchain ledger), we implement measures to restrict access and processing of such data.
Under applicable data protection legislation, you have the following rights with respect to your personal data. The availability of certain rights may vary depending on your jurisdiction and the legal basis for processing.
You have the right to request confirmation of whether we process your personal data and, where we do, to obtain a copy of that data along with information about how it is processed.
You have the right to request correction of inaccurate personal data and completion of incomplete personal data. You may update much of your information directly through your account settings.
You have the right to request deletion of your personal data in certain circumstances, including where the data is no longer necessary for its original purpose. Please note that we may be unable to comply with erasure requests where retention is required by law (for example, KYC/AML records during the regulatory retention period) or where the data is necessary for the establishment, exercise, or defence of legal claims.
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.
Where processing is based on your consent or the performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
You have the right to object to the processing of your personal data where processing is based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing for direct marketing purposes at any time.
Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, please contact our Data Protection Officer at dpo@gulftoken.com or write to us at the address provided in Section 13. We will respond to your request within 30 days. We may need to verify your identity before processing your request. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority, including the DIFC Commissioner of Data Protection or your local data protection authority.
Our website and platform use cookies and similar tracking technologies. A cookie is a small text file stored on your device that helps us recognise your browser and remember certain information.
These cookies are strictly necessary for the operation of our platform and cannot be disabled. They include session cookies for maintaining your authenticated state; security cookies for preventing cross-site request forgery (CSRF) and ensuring secure transactions; and preference cookies for storing your language and display settings. Legal basis: legitimate interest and contractual necessity.
We use Google Analytics 4 (measurement ID: G-DM545BP85F) to understand how visitors interact with our website. Google Analytics collects anonymised data about page views, session duration, traffic sources, and user behaviour. IP addresses are anonymised before storage. You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on. Legal basis: consent.
Our contact forms use Google reCAPTCHA to prevent automated spam submissions. reCAPTCHA may set cookies and collect information about your browser and interaction patterns to distinguish human visitors from bots. This data is processed in accordance with Google's Privacy Policy. Legal basis: legitimate interest in preventing abuse.
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling essential cookies may affect the functionality of our platform. For more information about managing cookies, visit www.allaboutcookies.org.
Our platform and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you are under 18, please do not use our services or provide any personal information to us.
If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete that data promptly. If you believe that we may have collected information from a child, please contact us immediately at dpo@gulftoken.com.
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:
Update the "Last updated" date at the top of this policy; notify registered users via email or an in-platform notification; and where required by law, obtain your consent to the revised terms before continuing to process your data under the new policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of our services after any changes constitutes your acceptance of the updated policy.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us using the details below.
Gulf Token Innovation Ltd
Level 3, Innovation One
Dubai International Financial Centre (DIFC)
Dubai, United Arab Emirates
Phone: +971 50 345 2351
Email: info@gulftoken.com
Website: gulftoken.com
For data protection enquiries, rights requests, or complaints, please contact our Data Protection Officer:
Email: dpo@gulftoken.com
You may also contact the relevant supervisory authority if you have concerns about our data processing practices:
DIFC: Commissioner of Data Protection, Dubai International Financial Centre
EU: Your local data protection supervisory authority