Privacy Policy

Last updated: March 12, 2026

1. Data Controller

The entity responsible for the processing of your personal data (Data Controller) is:

Company: Fivo S.L. (in formation)

Status: In formation

Email: support@fivo.finance

Website: fivo.finance

2. Introduction

Fivo S.L. ("we", "us", "our") operates the fivo.finance website and payment processing services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) and Ley Orgánica 3/2018, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD).

3. Information We Collect

Account information: When you register as a merchant, we collect your name, email address, and password (stored as a bcrypt hash).

Billing data: Before your first withdrawal, we collect your business type, fiscal name, tax identification number (NIF/CIF/VAT), address, city, postal code, and country. This data is required for invoice generation and tax compliance.

Payment data: We process transaction information including wallet addresses, payment amounts, blockchain networks, and transaction hashes. We do not store private keys.

Device information: We collect IP addresses and user agent strings to detect new device logins and protect your account. This data is stored as a SHA-256 hash.

Compliance data: We collect your declared country of operation, your sanctions compliance declaration (including the date it was made), and IP-derived geolocation data. This information is used exclusively for sanctions compliance and geographic restriction enforcement.

Usage data: We collect analytics on how you interact with our dashboard, including pages visited and features used.

4. Legal Basis for Processing

Under the GDPR, we process your personal data based on the following legal grounds:

  • Contract execution (Art. 6.1.b GDPR): Account information, billing data, and payment data are necessary to provide you with our payment processing services.
  • Legitimate interest (Art. 6.1.f GDPR): Device information is processed to protect the security of your account and prevent unauthorized access.
  • Legal obligation (Art. 6.1.c GDPR): Compliance data and geolocation data are processed to fulfill our obligations under OFAC and EU economic sanctions regulations, and billing data is retained for tax compliance.
  • Consent (Art. 6.1.a GDPR): Analytics cookies and newsletter subscriptions are activated only with your explicit consent. You may withdraw consent at any time.

5. How We Use Your Information

  • To provide and maintain our payment processing services
  • To process transactions and send related notifications
  • To generate invoices for withdrawal transactions
  • To verify your identity and protect against fraud
  • To send security alerts (new device logins, withdrawal confirmations)
  • To send product updates if you subscribe to our newsletter (opt-in only)
  • To comply with legal obligations

6. Third-Party Services

We use the following third-party services to operate our platform:

  • Circle Internet Financial: Programmable Wallets for payment processing and fund custody (Circle is the custodian of merchant funds; Fivo does not hold or control cryptoassets)
  • Alchemy: Blockchain RPC infrastructure
  • Postmark: Transactional email delivery
  • Twilio: SMS-based two-factor authentication
  • Google Analytics: Anonymous site usage analytics (with user consent)
  • MaxMind: GeoLite2 geolocation database for sanctions compliance
  • ipapi.co: Fallback IP geolocation API for sanctions compliance
  • Cloudflare R2: Cloud storage for invoice PDF documents
  • Vercel: Website hosting
  • Railway: Backend hosting

Each third-party service has its own privacy policy governing its use of your data.

Fivo may share your personal data with regulatory authorities, law enforcement, or financial regulators when required by law or in response to a lawful request related to sanctions compliance or fraud investigations.

7. Geolocation Data

Fivo uses MaxMind GeoLite2, a geolocation database, to determine the approximate country of origin of incoming connections based on IP addresses. As a secondary fallback, we may use the ipapi.co API for the same purpose.

This geolocation data is used exclusively for compliance with OFAC and EU economic sanctions and for enforcing geographic restrictions on the Service, as described in our Terms of Service. Fivo does not use geolocation data for advertising, profiling, or any purpose other than sanctions compliance.

IP-based geolocation is inherently approximate and may not accurately reflect your actual physical location. If you believe your access has been incorrectly restricted, you may contact us at support@fivo.finance.

8. Data Security

We implement industry-standard security measures including encrypted connections (HTTPS), hashed passwords (bcrypt), encrypted sensitive data (AES-256), httpOnly cookies for authentication, and two-factor authentication. API keys are shown only once and stored as bcrypt hashes. Webhook secrets are encrypted at rest.

9. Data Retention

We retain your data for the following periods:

  • Account data: Retained while your account is active and for 30 days after a deletion request to allow recovery.
  • Transaction records and invoices: Retained for 5 years after the transaction date, as required by Spanish tax and commercial law (Ley General Tributaria, Código de Comercio).
  • Billing data: Retained for 5 years after the last invoice, as required for tax compliance.
  • Device information (hashed): Retained while your account is active.
  • Password reset tokens: Expire and are deleted after 1 hour.
  • Refresh tokens: Expire and are deleted after 7 days.
  • Audit logs: Retained for 5 years for regulatory compliance.

You can request account deletion by contacting us. Certain data may be retained beyond your request where required by law.

10. Your Rights

Under the GDPR and LOPDGDD, you have the right to:

  • Access the personal data we hold about you (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data, where applicable (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability in a structured, machine-readable format (Art. 20 GDPR)
  • Object to processing based on legitimate interest (Art. 21 GDPR)
  • Withdraw consent at any time for consent-based processing (Art. 7.3 GDPR)

To exercise any of these rights, send a request to support@fivo.finance including your full name and the email address associated with your account. We will respond within one month.

If you believe your data protection rights have been violated, you have the right to file a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.

11. Applicable Legislation

This Privacy Policy is governed by the following regulations:

  • Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR)
  • Ley Orgánica 3/2018, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD)
  • Ley 34/2002, de Servicios de la Sociedad de la Información y de Comercio Electrónico (LSSI-CE)

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at support@fivo.finance.