Digital Finance (Bahamas) Ltd., operating under the CiNKO brand ("CiNKO," "we," "us," or "our"), is committed to protecting the privacy and security of personal data processed in connection with our enterprise platform. This Enterprise Privacy Policy ("Policy") explains how we collect, use, store, and share personal data when providing services to business customers ("Customer," "you," or "your") who integrate with the CiNKO platform via APIs, SDKs, and other developer tools.
CiNKO is a company duly registered under the laws of the Commonwealth of The Bahamas and is regulated by the Securities Commission of The Bahamas ("SCB") under the Digital Assets and Registered Exchanges Act, 2020, as amended (the "DARE Act").
This Policy should be read in conjunction with the Enterprise Terms of Service and any applicable Data Processing Agreement ("DPA"). Capitalized terms not defined herein have the meanings assigned in the Enterprise Terms of Service.
The allocation of data protection roles depends on the category of personal data being processed:

| Data Category | CiNKO's Role | Customer's Role |
|---|---|---|
| Customer business contact information (names, emails, phone numbers of authorized representatives) | Controller | Data subject / provider |
| Customer account and billing data | Controller | Data subject / provider |
| End User personal data processed through the Platform on Customer's behalf | Processor | Controller |
| End User KYC/AML data where CiNKO performs due diligence as required by law | Controller (regulatory obligation) | Provider / co-controller where applicable |
| API logs, webhook metadata, and developer analytics | Controller | Provider |
| Transaction data subject to AML recordkeeping requirements | Controller (regulatory obligation) | Controller (for its own compliance) |

Where Customer acts as the data controller, Customer is responsible for:
Where CiNKO acts as a data processor on Customer's behalf, CiNKO shall:
We collect information about Customer's business, including:
We automatically collect technical data in connection with Customer's use of our APIs and Platform:
We process transaction data as necessary to provide the Services, including:
When Customer uses our Platform to serve its End Users, we may process End User personal data on Customer's behalf, including:
The specific categories of End User data processed depend on the Services used and Customer's integration configuration.
We use Customer and End User data to:
We process data to comply with legal and regulatory obligations, including:
We process data to detect, prevent, and investigate fraud, security incidents, and unauthorized access, including monitoring API usage patterns, detecting anomalous transactions, and conducting security audits.
We use aggregated and anonymized data to analyze platform performance, usage patterns, and service quality. We may use API usage analytics to improve documentation, identify common integration issues, and enhance developer tools. Analytics data is not used to identify individual End Users.
We use Customer contact information to communicate about service updates, security notifications, compliance requirements, billing matters, and product announcements. Customer may opt out of non-essential communications at any time.
We engage trusted third-party subprocessors to provide components of the Services. Subprocessors are bound by data processing agreements with obligations no less protective than those in this Policy. Current categories of subprocessors include:
A list of current subprocessors is available upon request. CiNKO shall notify Customer of any material changes to its subprocessor list in accordance with the DPA, providing Customer with an opportunity to object.
We may disclose personal data to comply with applicable laws, regulations, judicial proceedings, or government requests. This includes disclosures to the SCB, financial intelligence units, tax authorities, law enforcement agencies, and courts as required by the DARE Act and other applicable legislation.
We may share information with affiliates and strategic partners solely to the extent necessary to provide the Services, process transactions, or fulfill regulatory obligations. Partners and affiliates are subject to appropriate confidentiality and data protection obligations.
In the event of a merger, acquisition, restructuring, or sale of assets, Customer Data may be transferred as part of the transaction. CiNKO shall notify Customer of any such transfer and ensure that the receiving entity assumes equivalent data protection obligations.
Where CiNKO processes personal data as a processor on Customer's behalf, the processing is governed by the DPA (or, where no separate DPA has been executed, by the provisions of this Section 6). The scope, duration, nature, and purpose of processing, as well as the categories of personal data and data subjects, shall be as described in this Policy and the applicable Order Form.
CiNKO shall process End User personal data only on Customer's documented instructions, unless processing is required by applicable law. Customer's instructions are documented through this Agreement, the DPA, API configurations, and Customer's use of the Platform.
CiNKO implements and maintains appropriate technical and organizational security measures, including:
CiNKO shall notify Customer without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting End User data processed on Customer's behalf. Notification shall include:
CiNKO shall assist Customer in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, and objection) through appropriate technical and organizational measures. CiNKO shall promptly notify Customer if it receives a request directly from a data subject, unless prohibited by law.
CiNKO shall make available to Customer, upon reasonable request and subject to confidentiality obligations, information necessary to demonstrate compliance with data processing obligations. CiNKO shall allow and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, subject to reasonable advance notice and scope limitations.
CiNKO operates globally and Customer Data may be transferred to, stored in, or processed in jurisdictions outside of Customer's country of establishment. Such transfers may be necessary to provide the Services, comply with regulatory requirements, or engage subprocessors.
Where personal data is transferred to a jurisdiction that does not provide an adequate level of data protection, CiNKO shall implement appropriate safeguards, which may include:
CiNKO shall cooperate with Customer in conducting transfer impact assessments where required and shall implement supplementary measures as necessary to ensure appropriate protections for transferred data.
CiNKO's primary processing locations include The Bahamas, the United States, and other jurisdictions where our infrastructure providers and subprocessors operate. Details of specific jurisdictions for each subprocessor category are available upon request.
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and enforce our agreements. Specific retention periods include:

| Data Category | Retention Period | Basis |
|---|---|---|
| Customer account and business contact data | Duration of Agreement + 7 years | Contractual obligation, regulatory compliance |
| Transaction records | Minimum 5 years from transaction date | DARE Act, AML recordkeeping requirements |
| KYC/CDD documentation | Minimum 5 years after end of business relationship | DARE Act, AML recordkeeping requirements |
| API logs and technical data | 12 months (rolling) | Operational, security, and debugging purposes |
| Webhook delivery logs | 90 days (rolling) | Operational support and troubleshooting |
| Billing and invoicing records | Duration of Agreement + 7 years | Tax and financial recordkeeping |
| End User data (processed as processor) | As instructed by Customer, subject to legal minimums | Customer instructions, applicable law |

Upon termination of the Agreement and expiration of the wind-down period, CiNKO shall, at Customer's election, return or securely delete End User personal data processed on Customer's behalf, except where retention is required by applicable law. CiNKO shall provide written confirmation of deletion upon request.
Transactions executed on blockchain networks result in data being recorded on a decentralized, immutable ledger. This data may include wallet addresses, transaction amounts, timestamps, and transaction hashes. Once confirmed on a blockchain, this data cannot be modified, rectified, or deleted by CiNKO or any other party.
The immutable nature of blockchain data may limit the exercise of certain data protection rights, including the right to erasure and rectification, with respect to on-chain data. CiNKO implements appropriate measures to minimize the personal data recorded on-chain and maintains off-chain records that can be modified in accordance with data subject requests.
CiNKO maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of Customer Data and End User data. The program includes:
Customer is responsible for maintaining the security of its own systems, API Credentials, and integration implementations. Customer shall:
With respect to personal data for which CiNKO acts as a controller (e.g., Customer business contact information, account data), Customer's authorized representatives may:
End User data subject requests should be directed to Customer as the data controller. CiNKO shall assist Customer in responding to such requests in accordance with the DPA and applicable law. Where CiNKO receives a data subject request directly from an End User, CiNKO shall promptly redirect the request to Customer unless prohibited by law.
To exercise data protection rights, contact us at [email protected]. We will respond to requests within the timeframes required by applicable law.
CiNKO may update this Policy from time to time to reflect changes in our practices, Services, or applicable law. We shall notify Customer of material changes at least thirty (30) days before they take effect, via email to Customer's designated contact or through the Platform dashboard. Continued use of the Services after the effective date of changes constitutes acceptance.
For questions, requests, or concerns regarding this Enterprise Privacy Policy or CiNKO's data processing practices, please contact:
Digital Finance (Bahamas) Ltd.
Operating as CiNKO
Email: [email protected]
General inquiries: [email protected]