Last updated: September 25, 2025

Privacy Policy

We are committed to protecting the privacy of users of our digital asset platform. This Privacy Policy describes how we collect, use, store and protect your personal data, in compliance with applicable legal and regulatory framework.

1. Data Controller

The services provided through our platform (https://www.depa.finance) or by other means, such as email are  operated by the following entities (together, “Depa”):

  • Plenifi Payments Ltd.., a Money Services Business registered in Ontario Canada], with registered office at 80 Birmingham Street, Unit C6, Etobicoke, Ontario, M8V 3W6, Canada.

  • Depa US, Inc., a Money Services Business registered in Delaware, United States, with registered office at 1111B South Governors Avenue STE 40095 Dover, DE, 19904 US.

These entities are the primary controllers of your personal data, depending on your country of residence and the services you use.

For users located in the European Union or the European Economic Area (hereinafter, “EEA”), the representative in the EU pursuant to Article 27 GDPR is:

  • Hold the Lab Holding S.L., with registered office at 10 Alvaro de Bazan St, 46010, Valencia, Spain.

Hold the Lab Holding S.L. also acts as the parent company of the group, supervising compliance with European data protection regulations.

2. Group Affiliates and Data Sharing

As part of an international financial group, your personal data may be shared between the entities listed above (“Depa Group”) for legitimate business purposes, including customer support, risk management, fraud prevention, compliance with regulatory obligations, and consolidated reporting.

Such intra-group data sharing is carried out under strict confidentiality and data protection agreements, ensuring that all entities adhere to the same level of protection and safeguards.

Contact us:

2. Data Collected

We collect the following personal data:

  • Identification data: first name, last name, ID, postal address, email address, telephone number.
  • Financial Data: Bank account information, cryptocurrency wallets, or payment card data (without storing full card data) to process transactions.
  • KYC/AML data: Identity verification documents, proof of address and other data required to comply with anti-money laundering regulations.
  • Usage data and metadata: Information about your interaction with the platform, including IP addresses, browser, operating system, cookies and other browsing metadata.
  • Selection process data: Professional area, name, surname, telephone, email, CV, cover letter and other data associated with recruitment processes.
  • Connection data: Name, surname, ID, contact address, email, telephone and other data necessary for the provision of platform services, including APIs, according to the specific terms.

3. Purposes of Processing

We process your personal data for the following purposes:

  • Commercial contact and website forms: They are incorporated into the specific automated files of users of the services of Depa. The collection and automated processing of personal data is intended to respond to requests for information that the interested party has made by any means about the products and services offered, establish and maintain business relationships and the performance of tasks of information, training, advice and other activities of Depa. These data will only be transferred to those entities that are necessary for the sole purpose of complying with the aforementioned purpose.
  • Account registration and management: create and manage your account on the platform.
  • Transaction processing: Facilitate the purchase, sale or exchange of cryptoassets, including card payments through collaborating entities, which hold the relevant licenses to do so.
  • Regulatory compliance: To perform identity checks (KYC) and transaction monitoring for the prevention of money laundering and terrorist financing and all applicable anti-corruption and whistleblower protection laws.
  • Contractual counterparties: the existing legal or contractual relationship necessary for the provision of the service, as well as the legitimate interest for the development of commercial relations.
  • Customer service: Respond to your inquiries and requests.
  • Promotional communications: Send newsletters, invitations to events, promotions or other commercial communications, with your explicit consent, which you can revoke at any time through the cancellation link in the emails or by contacting info@depa.finance.  
  • Social networks: The personal data you provide or enable to social networks to become a follower of them are intended to establish and maintain business relationships organically and through advertising on different platforms.
  • Service improvement: To analyze the use of the platform to improve its functionality and user experience, using navigation metadata for behavioral analysis and troubleshooting. This data will be treated in a pseudonymized manner, and the user will only be identified at the user's express request for the resolution of a failure in the platform. 
  • Selection processes: Evaluate candidacies and verify references for hiring.
  • Complaints channel: Manage complaints received.
  • API Services: Provide cryptoasset integration services through the API, in accordance with the applicable terms.

4. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Consent: for promotional communications, promotional services and certain non-essential data processing. Consent is free, specific, informed and unambiguous, accepted by a clear affirmative statement or action, such as ticking a box. If you do not provide your data or you do so incorrectly or incompletely, we will not be able to fulfill your request.
  • Execution of a contract: To manage your account, process transactions, evaluate applications and provide API services.
  • Compliance with legal obligations: To comply with anti-money laundering regulations and guidance and all applicable laws regarding privacy and the protection of personal information.
  • Legitimate interest: to improve the security and functionality of the platform (for example, through navigation metadata), provided that your rights and freedoms do not prevail.

5. Data Recipients

Your personal data will not be shared with third parties, except:

  • Legal obligations: with competent authorities (e.g., tax authorities, financial intelligence units, police authorities and security forces) to comply with money laundering prevention regulations or legal investigations.
  • Service providers: Companies providing services (e.g. payment processors, KYC providers, reference checking companies for selection processes), under confidentiality agreements and complying with the data protection restrictions. We are not responsible for non-compliance with the data protection by users who include personal data on shared hosting servers.
  • International transfers: In the event of transfers, we ensure compliance with and applicable privacy laws. We adopt recognized safeguards such as contractual clauses, organizational policies, and adherence to frameworks approved by the data protection authorities. This includes compliance with data transfer agreements and standards that ensure an adequate level of protection of personal information in accordance with privacy regulations,  including the Data Privacy Framework for transfers to the USA.

6. Retention Periods

WeWe retain your personal data only for as long as necessary to fulfill the purposes described, in compliance with applicable laws where our group of companies operates, including those relevant to our data controllers in Canada (e.g., PIPEDA, FINTRAC, PCMLTFA, CRA), the United States (e.g., BSA/AML, CCPA, SOX, IRS), and Europe/Spain (e.g., GDPR, LOPDGDD, EU AML Directive, Spanish Commercial Code). Retention periods are determined by the strictest applicable requirements to ensure data minimization while meeting legal obligations for audits, investigations, tax, and security purposes. Periods may vary by jurisdiction and are the maximum required:

  • Account and Transaction Data: Retained for the duration of your account and thereafter as follows:
    • In Canada: Up to 6 years after account closure, in accordance with Canada Revenue Agency (CRA), FINTRAC, and anti-money laundering regulations.
    • In the US: Up to 7 years after account closure, consistent with IRS tax requirements and Sarbanes-Oxley Act (SOX) for audit records.
    • In the EEA: Up to 6 years after account closure, as required by the Spanish Commercial Code for accounting purposes and GDPR storage limitation principles.
  • KYC/AML Data: Retained after the end of the business relationship as follows:
    • - In Canada: For 5 years, in accordance with FINTRAC and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
    • In the US: For 5 years, under the Bank Secrecy Act (BSA) and related AML regulations; may extend to 10 years for OFAC sanctions compliance records.
    • In the EEA: For 5 years, as mandated by the EU AML Directive, with potential extension to 10 years under justified circumstances per GDPR and LOPDGDD.
  • Contact and Promotional Data: Retained until you withdraw your consent or request deletion, subject to the following minimums where applicable:
    • In Canada: As required by PIPEDA, with no fixed maximum beyond necessity, but typically until consent is withdrawn.
    • In the US: Up to 2 years for marketing purposes under CCPA data minimization, or until opt-out.
    • In the EEA: Until consent is withdrawn, in line with GDPR and LOPDGDD, with no longer than necessary for the purpose.
  • Usage and Metadata Data: Retained unless a longer period is needed for legal or security reasons:
    • In Canada: For 1 year under PIPEDA principles, extendable for audits or investigations.
    • In the US: For 1-2 years typically, aligned with CCPA and general privacy practices, or up to 7 years if tied to audits under SOX.
    • In the EEA: For the shortest time necessary under GDPR storage limitation, often 1-2 years for metadata, unless justified longer (e.g., up to 2 years for telecom data in some contexts).
  • Recruitment Process Data: Kept until the data subject requests deletion or during applicable legal retention periods:
    • In Canada: For 36 months (3 years) after employment ends or process concludes, per federal labor standards.
    • - In the US: For 1 year for applicants under EEOC rules, or up to 3-7 years if tied to tax/employment records.
    • In the EEA: For 3 years after the end of the recruitment process or employment relationship, as per Spanish labor laws and GDPR, to allow for potential claims.
  • Affiliate/Referred Program Data: Retained according to the specific terms of each program, with the following guidelines:
    • In Canada: For 5 years if involving financial transactions, per FINTRAC, or as long as necessary under PIPEDA.
    • In the US: Up to 5-7 years for financial affiliate data under BSA/SOX, or until program terms end.
    • In the EEA: As long as necessary under GDPR, typically 5-6 years if financial, aligned with accounting requirements.
  • API Services Data:  Retained for the duration of the service and thereafter as follows:
    • In Canada: Up to 5 years after termination, consistent with FINTRAC and PIPEDA.
    • In the US: Up to 5 years post-termination under BSA, or 7 years for audit-related data under SOX.
    • In the EEA: Up to 5-6 years after termination, per GDPR and Spanish Commercial Code if involving transactions.
  • Legal Liabilities: Data will be retained as required to meet any legal obligations and for audit, investigation, or enforcement purposes by government authorities:
    • In Canada: Up to 7 years for audits and complaints, or longer as needed under CRA/FINTRAC.
    • In the US: Up to 7 years under SOX for audit records, or 10 years for OFAC-related investigations.
    • In the EEA: Up to 10 years for certain audits or legal claims under GDPR/LOPDGDD and civil prescription periods.

7. User Rights

According to the data protection legislation, you have the following rights:

  • Access: Know what personal data we process and how.
  • Rectification: Correct inaccurate or incomplete data.
  • Deletion: Request the deletion of your data when it is no longer necessary.
  • Limitation: Restrict the processing of your data in certain cases.
  • Portability: Receive your data in a structured format or request its transfer to another data controller.
  • Opposition: Oppose the processing of your data for reasons related to your particular situation, including promotional communications.

To exercise these rights, please refer to “Contact us” section. We will respond within a maximum period of one month, extendable to two months in complex cases. 

If you are a resident in Canada, you may file a complaint with the Office of the Privacy Commissioner (“OPC”)if you believe your privacy rights have been violated. Complaints can be submitted by mail or through the OPC’s online forms, and you have the right to authorize another person to file a complaint on your behalf.

If you are a resident in the United States, you may file a complaint with the Consumer Financial Protection Bureau (“CFPB”) if you believe your privacy rights have been violated in connection with financial products or services. Complaints can be submitted online through the CFPB's portal, by mail, or by phone, and you have the right to authorize another person, such as a representative or attorney, to file a complaint on your behalf by providing signed written authorization.

If you are a resident in the EEA, you can contact Hodl the Lab Holding S.L. as the representative in the EU. You may file a complaint with the Spanish Data Protection Agency ("AEPD") (www.aepd.es) if you believe your rights have been violated.

8. Data Security

We adopt technical and organizational measures to ensure the security of your personal data, including:

  • Encryption: Data in transit and at rest are encrypted with SSL protocols and other cryptographic methods.
  • Access controls: Restricted access through two-factor authentication (2FA) for employees and users.
  • Audits: Regular audits to detect vulnerabilities, aligned with standards such as PCI DSS.
  • Continuous monitoring: Detection of unauthorized access with instant notifications by email or other means. We employ machine learning algorithms to detect suspicious transactions.
  • Secure storage: Digital assets and their keys are stored under cryptographic keys in distributed systems to protect them from centralized cyber attacks and ensure continuity of access to assets with Multi-Party Computation ("MPC") technology that distributes private keys among several parties, eliminating the risk of a single entity having complete control over assets, Hardware Security Module ("HSM") ensuring secure storage of cryptographic keys in specialized devices and Trusted Execution Environment ("TEE") to execute cryptographic operations in secure and isolated environments.
  • Threshold Recovery: In the event of a key loss, the Threshold Recovery method enables the secure recovery of assets through the collaboration of several entities without compromising security.
  • Custody of fiat funds: fiat funds are deposited in segregated accounts, managed by an entity licensed for payment activities guaranteeing 100% availability.
  • Tools: we apply tools and DPIA templates to ensure proactive compliance with the data protection legislation.
  • Data accuracy: The data collected are those strictly necessary to respond to the request, which the Interested Party voluntarily communicates. Refusal to provide mandatory data will result in the non-provision of the service. Optional data are provided for the optimization of services. If third party data is provided, the Interested Party is responsible for obtaining an informed consent with the content of this privacy policy. We are not responsible for any information shared by Stakeholders. The user declares that the information provided is truthful and undertakes to keep it updated.
  • Supervisory procedures: We cooperate with the OPC in remote inspections and apply proportionality criteria to minor infractions.
  • Backup copies: We make backup copies of the content hosted on the servers, however, we are not responsible for the accidental loss or deletion of data by users. Similarly, we do not guarantee full replacement of data deleted by users, as such data may have been deleted and/or modified during the period of time since the last backup. The services offered, except for specific backup services, do not include the replacement of the contents kept in the backups made by Depa, when such loss is attributable to the user; in this case, a fee will be determined according to the complexity and volume of the recovery, always with the prior acceptance by the user. The replacement of deleted data is only included in the price of the service when the loss of content is due to causes attributable to Depa.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance the user experience and analyze platform usage, including metadata such as browser, operating system and IP. You can manage your cookie preferences in the platform settings. See our Cookie Policy at https://www.depa.finance/cookie-policy for more details.

10. RPAA and AML/KYC Compliance

As a cryptoasset service provider ("VASP"), we implement Retail Payment Activities Act (“RPAA”), in particular in Know Your Customer ("KYC") and Anti-Money Laundering ("AML") policies:

  • We verify the identity of all users through official documents and transactional pattern analysis.
  • We monitor transactions for suspicious activity, using data analysis and checks against blacklists (e.g. OFAC).
  • We inform the relevant authorities in case of indications of money laundering or terrorist financing.
  • We maintain a zero-tolerance Anti-Fraud Policy, available at https://www.depa.finance/fraud-policy, with an operational Anti-Fraud Department that investigates and protects the confidentiality of investigations.

11. Changes to Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in regulations or in our services. Updates will be posted on https://www.depa.finance/privacy-policy, and users will be notified by email or through the platform in the event of significant changes.

12. Contact

If you have any questions about this Privacy Policy or the treatment of your data, please contact us at:

Contact form: https://www.depa.finance/contact

Build your first integration today.

Get started with Depa® today.

Depa lets you integrate digital finance into your fiat operations with just one API.

Ask us
Products
Ledger
Flows
Transaction Monitoring
On/Off-Ramp
Wallets
Products
Accounts
Liquidity
KYC, KYB & AML
Open Architecture
Company
About us
Contact us
Careers
Resources
API Docs
Blog

Copyright © 2025 HODL THE LAB Holding, S.L. All rights reserved. Services for Non-US residents are provided under terms of service with Plenifi Payments Ltd. Plenifi Payments Ltd is registered with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as an MSB, and registered with the Central Bank of Canada as a PSP. Corporation number: 1001101225. Depa is not a bank.

Services provided to US residents are provided under terms of service with Depa US, Inc.
Payment services may be provided by licensed financial institutions. Service availability and transaction limits may vary by region and partner institution.

Cookie Policy
Privacy Policy
Legal Notice
Help and Support