Yellow Card (referred to as "Yellow Card," "we," "us," or "our") is committed to protecting the privacy and confidentiality of the personal data of our users, including individuals and businesses. This Privacy Policy outlines how we collect, use, store, share, and protect your information when you access or use the Yellow Card Site (www.yellowcard.io), the Treasury Portal, any Yellow Card API (directly or through third-party applications), or any other Yellow Card product or service (collectively, "Yellow Card Services").
This Privacy Policy forms an integral part of the relevant Yellow Card Service Agreement (“Agreement”) that applies to you. Terms defined in the Agreement apply equally herein unless otherwise indicated.
1. Our Commitment to Privacy
At Yellow Card, we understand the importance of privacy and the safeguarding of information, particularly “Personal Data”, which refers to any data that is related to an identified or identifiable natural or legal person (also known as a data subject), or, solely in jurisdictions where Applicable Law expressly so requires, a juristic person. Protecting the privacy and confidentiality of Personal Data is a core principle of our business operations. We only collect information that is necessary for the provision of our services and in accordance with applicable data protection laws.
2. Scope of this Policy
This Policy applies to all users globally, including business entities, their authorized representatives, and any individuals whose Personal Data is processed in connection with the provision of Yellow Card Services.
Data Controller: Yellow Card acts as the Data Controller for information processed to perform our Agreements, manage accounts, and satisfy regulatory obligations such as KYC/KYB and AML screening.
Data Processor: In B2B2C contexts where a Business Client uses Yellow Card’s API to service their own end-users, Yellow Card acts as a Data Processor and shall process Personal Data according to documented instructions from the Controller. In such cases, processing is governed by this Policy and a specific Data Processing Addendum (DPA) executed with the Business Client.
Operating Entities: The specific entity responsible for your data depends on your jurisdiction, including but not limited to Yellow Card Financial Nigeria Ltd (Nigeria), Yellow Card Financial South Africa (Pty) Ltd (South Africa), Yellow Card Botswana (Pty) Ltd, and Afritech Services Sp. z. o.o (Poland/Europe).
While this Privacy Policy applies to all users globally, certain provisions are specific to your location and are detailed in the policies below:
If you live in the European Region, Afritech Services Sp. z. o.o processes your personal data under this Privacy Policy.
If you live in Nigeria, Yellow Card Financial Nigeria Ltd processes your personal data in line with this Privacy Policy.
If you live in South Africa, Yellow Card Financial South Africa (Pty) Ltd processes your personal data in line with this Privacy Policy.
3. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We encourage you to review it periodically. If we make a material change, we will notify you by email or by means of a prominent notice on the Yellow Card Site prior to the change becoming effective. The "Effective Date" at the top of this Privacy Policy will be revised to indicate the updated version.
By using and/or continuing to use the Yellow Card Services, you signify your understanding and agreement to the policies, practices, and any subsequent changes outlined in this Privacy Policy. Notwithstanding the foregoing, where your Personal Data is processed under GDPR and the legal basis is either Consent or Legitimate Interest, we will obtain fresh consent or carry out a documented legitimate interest assessment before applying any material change to the purposes for which your data is processed.
4. Information We Collect
We collect various types of information to provide and improve our Services, ensure security, and comply with legal obligations.
4.1 Information You Provide
We collect information necessary to provide institutional-grade financial services, maintain platform security, and fulfil applicable due diligence and regulatory obligations.
Identity & Professional Information: Full name, email, phone number, date of birth, physical address, and government-issued identification (including national identity document type, document number, and issue date). For Treasury Portal users, we also collect professional titles and authorization levels.
Business & KYB Information: For institutional accounts, we collect legal name, trading name (if different from legal name), registration details, registration number, formation/incorporation date, entity type, tax identification numbers, industry classification, certificates of incorporation, memoranda of incorporation (MOI), company type and legal structure, shareholder registers, proof of registered business address, AML/compliance questionnaire responses, applicable regulatory certifications or licences, beneficial ownership (UBO) information, and documentation for authorized representatives.
Ownership & Corporate Structure Information: For business clients, we collect information on the ultimate beneficial owners (UBOs) and controlling persons of the entity, including their full name, date of birth, nationality, residential address, identity document details, ownership percentage, and role within the company (e.g. sole director, shareholder, authorised representative). We also collect and verify the corporate ownership chart and shareholder register.
Financial & Wallet Data: Bank account numbers, routing numbers, IBANs, the name and jurisdiction of the company's bank, and linked payment method details. This includes generated USD Stablecoin wallet addresses and multi-currency fiat balances (e.g., USD, NGN, ZAR), as well as the fiat currencies and stablecoins the client intends to trade.
Transaction & Audit Data: Full details of payments, currency conversions, expected monthly trading volumes, and Request for Quote (RFQ) history. We maintain a filterable Audit Trail that records the "Requestor Name" for every action taken within the Treasury Portal to ensure institutional accountability.
Priority Markets & Jurisdictional Intent: We collect information on the geographic markets and jurisdictions in which a client intends to transact, including the specific countries and counterparty regions relevant to their business activities, and confirmation of whether any business is conducted with counterparties in sanctioned or high-risk jurisdictions.
Technical & API Usage Data: Precise geolocation (with permission) for address verification, IP addresses, device identifiers, API call logs, and browser metadata collected via cookies and tracking pixels.
Communication Information: Information you provide when you communicate with us through customer support, surveys, or other channels.
Failure to provide required information may limit or prevent your access to certain Yellow Card Services.
4.2 Information Collected Automatically
When you use Yellow Card Services in accordance with the Agreement, we automatically collect data about your device and how you interact with our platform:
Device and Usage Information: Information about the device you use to access Yellow Card Services, including language, type of device, operating system, and other device identifiers. We also log information about your activity on Yellow Card Services, such as access times, pages viewed, other pages visited, and IP address.
Cookies and Tracking Technologies: Like most websites and applications, we use cookies and similar tracking technologies (e.g., web beacons, pixels) to collect information. Cookies are small data files placed on your computer or other devices that allow us to identify you as a Yellow Card customer and customize the Yellow Card experience.
Consent Management: We use a Consent Tool to manage your privacy choices and comply with global privacy rules. This tool, which you can access anytime via the floating cookie icon on our website, allows you to change or withdraw your consent.
Your experience with the Consent Tool depends on your location:
In specific regions (like the EU, UK, Brazil, Canada, Australia, South Africa, China, and Nigeria): We will ask you to explicitly click to accept non-essential tracking before it starts. All non-essential tracking is blocked by default.
In all other regions: Tracking is enabled by default. However, you can easily opt out of non-essential tracking at any time using the floating cookie icon (Universal Preference Centre).
Universal Preference Centre: All users, regardless of location, can update or withdraw their preferences dynamically via a floating cookie icon on the site.
Specific Tracking Mechanisms: We use several specific tracking mechanisms to enhance our services and marketing efforts:
Session Recording & Heatmaps: We use session replay tools (such as Microsoft Clarity) to record clicks, mouse movements, and scrolling activity to improve platform usability. These tools are configured to mask keystrokes and sensitive personal data before the data is transmitted to us.
B2B Lead Profiling & Scoring: For B2B clients, we connect your past website browsing history and referral source (like a link from Google or LinkedIn) with your CRM profile once you fill out a form. This helps our Sales team understand your interest and score you as a potential lead.
First-Touch Attribution Cookie (orig_config): We deploy a custom, persistent cookie that lasts for 180 days. Its sole function is to capture and store the external referring URL (e.g., a Google search or a LinkedIn post) that first brought the user to Yellow Card, allowing us to accurately attribute B2B acquisition costs.
Note on Personal Data: Cookies are considered Personal Data only when linked with other identifying information provided by the user while using the service. Restricting cookies may negatively impact the functionality and continuity of our services.
4.3 Information We Collect From Other Sources
We may obtain information about you from third-party services and public databases. This includes, but is not limited to:
Identity Verification and Fraud Prevention Services: Non-public personal information from identity verification sources or public databases to help us verify your identity, prevent fraud, and comply with "Know Your Customer" (KYC) and Anti-Money Laundering (AML) obligations. For institutional and business clients, this also includes Know Your Business (KYB) verification data from corporate registries, company secretarial databases, and public regulatory databases, as well as information from licensed third-party KYB providers such as AiPrise. This may include company reports sourced from commercial registry data providers (such as Windeed), document integrity and forensic analysis outputs, risk scoring results, automated decisioning outcomes, and metadata analysis of submitted documentation used to detect tampering or fraud. A current list of our sub-processors is maintained and made available to Business Clients upon request.
Third-Party Analytics and Advertising Partners: We use various third-party advertising tools (including LinkedIn Insight Tag, Twitter / X Pixel, Google Ads & Google Analytics 4, and Meta/Facebook Pixel) to measure our advertising effectiveness and target relevant users.
Offline Conversion Tracking: In addition to browser-based tracking, we also utilize Server-Side Conversions APIs (CAPI). When a B2B lead progresses through our sales funnel (e.g., moves from a prospect to a qualified lead), we automatically send this event data directly from our CRM to advertising partners like Meta (Facebook) and LinkedIn. The data transmitted consists of securely hashed (cryptographically scrambled) personal identifiers (specifically email addresses and phone numbers) alongside the conversion event or pipeline stage. These ad networks use this hashed data to match the lead to their user profiles, allowing us to accurately measure our Return on Ad Spend (ROAS) for offline sales, suppress existing leads from seeing new acquisition ads, and build "lookalike" audiences of similar B2B prospects. Because this data transfer happens back-end (server-to-server), standard browser ad-blockers cannot prevent it. If you wish to opt-out of offline conversion syncing, you can withdraw your advertising consent via our Universal Preference Centre or by contacting our Data Privacy Officer.
5. Purposes of Processing and Legal Basis
The information we collect is used for various purposes, primarily to provide, maintain, and improve our Services, ensure security, and comply with legal obligations. We process Personal Data under the following frameworks:
Contractual Necessity: To provide the Treasury Portal, facilitate fiat-to-stablecoin conversions, and execute cross-border settlements as per the Agreement.
Legal Obligation: To perform mandatory Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), and "Know Your Customer/Business" (KYC/KYB) screenings.
Legitimate Interest: To ensure the proper administration, development, and security of Yellow Card Services; and to manage B2B commercial interests, specifically through lead profiling and scoring for client acquisition and cost attribution. You may object to this processing at any time by contacting our Data Protection Officer.
Consent: Where required by applicable law, we will obtain your specific, informed, and unambiguous consent before processing your personal data for purposes such as sending direct marketing communications and promotional offers or deploying non-essential tracking technologies like cookies. You have the right to withdraw your consent at any time via the Universal Preference Centre on the Yellow Card Site or by contacting our Data Protection Officer.
Security & Fraud Prevention: To detect and prevent unauthorized access, "structuring" of transactions, or other criminal activities.
Operational Communication: To provide updates on changes in terms, conditions and policies, real-time transaction visibility, settlement confirmations, and responses to RFQs submitted to the Trading Team.
Business Operations & Analytics: For internal business purposes, including data analysis, audits, developing and improving products and services, enhancing Yellow Card Site and Services, identifying usage trends, and determining the effectiveness of promotional campaigns.
Marketing & Promotional Offers: To send direct marketing and promotional offers on behalf of Yellow Card, its partners, and associates, including via SMS and email, where you have provided your consent. You can withdraw your consent at any time. We respect your marketing preferences in accordance with applicable laws, such as the opt-out provisions and the requirements for valid consent.
6. Data Sharing and Disclosure
Yellow Card may share the information we collect from you with carefully selected third parties to perform tasks necessary for delivering certain services to you, as part of our efforts to prevent and investigate fraud or other criminal activities, or where legally required. These third parties will be contractually obligated to safeguard your data in accordance with our Privacy Policy and applicable data protection laws:
Service Partners: Financial institutions, banking partners, and liquidity providers necessary to move funds across borders and execute trades. Entities performing financial, legal, or technical audits of Yellow Card's operations, legal services, marketing, payment processing, cloud storage, IT services and other services on our behalf. This may include services related to the analysis and improvement of the Yellow Card Site and Services experience.
Identity Verifiers: Third-party services used to confirm the validity of KYB/KYC documentation and perform sanctions screening. By using Yellow Card Site and Services, you understand that these service providers may retain and use your information to perform services for Yellow Card and improve their own services, solely related to identity verification and fraud prevention services.
Corporate Transactions: In the event of an investment, merger, acquisition, or other purchase of Yellow Card's assets by another company, that company will have access to the information you have provided to Yellow Card. In the event of an acquisition, we will require that the new entity follow the procedures of this Privacy Policy and notify you of any such change in the applicable policy.
Yellow Card Affiliates: Subsidiaries and entities under Yellow Card's control for centralized compliance and global treasury operations.
Law Enforcement: When compelled by subpoena, court order, or legal procedure, or when necessary to prevent physical harm or financial loss.
Within Yellow Card, access to information is limited to only Yellow Card Employees who require such information for matters related to compliance, customer support, and verification.
7. Transborder Data Transfers
As our Services facilitate emerging market fiat-to-USD transfers, data may be moved outside your country of residence.
Safeguards: We ensure transfers are lawful by utilizing Standard Contractual Clauses (SCCs), adequacy decisions, binding corporate rules, or other transfer mechanisms recognised as lawful under Applicable Data Protection Law in the relevant jurisdiction, in addition to commercially reasonable security measures to protect data in third countries.
Consent: By using Yellow Card Services, you acknowledge and accept that your data may be stored or processed in jurisdictions with different data protection laws than your own.
8. Protection & Storage of Information
The protection and security of your personal information are important to us. Yellow Card employs appropriate technical and organisational measures to protect your information, including any non-public personal information that can be used to identify you, such as your government-issued ID number. To ensure the integrity, confidentiality, and availability of our Services, particularly those provided via the Treasury Portal and Yellow Card API, Yellow Card implements the following high-level security controls:
Authentication and Access Control: Access to the Treasury Portal is secured by mandatory Multi-Factor Authentication (MFA). API access is secured using industry-standard cryptographic key management and requires the use of API keys and/or tokens. Access to all systems is granted strictly on a "least privilege" and "need-to-know" basis.
Encryption: Personal Data and Transaction Data are protected by encryption in transit (using TLS 1.2 or higher) and at rest (using industry-standard encryption algorithms) within Yellow Card’s processing environment.
Testing and Review: Yellow Card conducts regular security assessments, vulnerability scans, and independent third-party penetration testing of its Services, including the Yellow Card Site, Treasury Portal, and API, to identify and remediate potential security risks.
Change Management: All changes to the production environment, including changes to the API and Treasury Portal functionality, are subject to a formal change management process that includes security review, testing, and approval.
These measures are designed to limit access to your information to employees who have a legitimate business need to know, thereby reducing the risks of alteration, disclosure, loss, misuse, and unauthorized access. All of our procedural safeguards are designed to comply with generally accepted standards, applicable laws and regulations.
Yellow Card will store and protect your information securely during and after the life of your Yellow Card account in compliance with our legal obligations and policies. If you have any questions or concerns about our security measures, you may contact us through our Support Page.
9. Data Retention and Deletion
We retain information only as long as necessary for service delivery and legal compliance.
Regulatory Retention: To meet financial record-keeping obligations, account information and transaction logs (including Audit Trails) are generally retained for a minimum of five (5) years after an account is closed. Yellow Card will not retain Personal Data beyond the period reasonably necessary for the purpose for which it was collected.
Ongoing Necessity: Data may be held longer if required for an ongoing investigation, resolution of a dispute, court case, or to prevent fraud.
Deletion Requests: Users may request account deletion via the Data Subject Access Request Form, subject to the aforementioned legal retention requirements.
Upon the expiration or termination of the relevant Yellow Card Service Agreement where Yellow Card acts as a Data Processor, Yellow Card shall, at the written direction of the Business Client (Data Controller), subject to the regulatory retention requirements, securely delete all of the Business Client’s end-users' Personal Data, or return such data to the Business Client. Yellow Card shall notify the Business Client in writing that all copies of the data have been deleted, unless legal obligations require continued storage.
10. Data Incident Reporting
Yellow Card maintains a Security Incident Response Plan and commits to the following procedures in the event of a Personal Data Breach:
Notification to Client: As a Controller, Yellow Card will notify the affected Data Subjects, where the breach poses a high risk to the rights and freedoms of the affected individuals, we will also notify the affected Data Subjects, in accordance with applicable data protection laws.
As a Data Processor, Yellow Card shall notify the affected Business Client (Data Controller) of any confirmed or reasonably suspected Personal Data Breach affecting their end-user data without undue delay and no later than 48 (Forty-eight) hours after becoming aware of it.
Content of Notification: The notification will, to the extent possible, describe:
The nature of the Personal Data Breach, including the categories and approximate number of data subjects and data records concerned.
The likely consequences of the Personal Data Breach.
The measures taken or proposed to be taken by Yellow Card to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Information Gathering: Where Yellow Card operates as the Data Processor, we will cooperate fully with the Client to investigate the breach and provide necessary information to assist the Client in meeting its regulatory notification obligations to supervisory authorities and data subjects.
11. Rights of the Data Subject
Regarding the personal data we collect about you, as a data subject, you have the following rights, subject to applicable laws and certain limitations:
Right to be informed: To be informed about the purposes for which your personal information would be used.
Right of access: To access your personal information in our custody. This includes the right to request access as provided under applicable data protection laws.
Right to object: To object to the processing of all or part of your personal information (e.g., for direct marketing).
Right to rectification: To correct any inaccurate or misleading information.
Right to data portability: To request the transfer of your personal data to another controller, where technically feasible.
Right to withdraw consent: To withdraw your consent at any time where processing is based on consent.
Right to erasure ("Right to be forgotten"): To request the deletion of your personal information, especially if it is no longer necessary for the purposes for which it was collected or if you withdraw consent and there is no other legal ground for processing. This right may be subject to exceptions, such as those related to legal obligations under applicable data protection laws.
Right to restriction of processing: To request the restriction of processing of your personal data in certain circumstances.
To exercise any of these rights, please contact our Data Protection Officer at [email protected] or use the Data Subject Access Request Form. We will respond to your request within one (1) month of receipt, or such shorter period as required by Applicable Law. For complex requests, this period may be extended, provided we inform you of the extension within the initial one-month period, as permitted by law.
12. Privacy of Children Under 18
You must be at least eighteen (18) years old to use the Yellow Card Services. By using our Services, you confirm that you are at least eighteen (18) years old. Yellow Card does not knowingly or intentionally collect any information from or about any individual under the age of 18.
Contact Us
Yellow Card has appointed a data protection officer whom users may contact regarding the protection of their personal data. Please contact our Data Protection Officer directly by sending an email to [email protected] with any questions or concerns regarding this Privacy Policy.