Privacy Policy

At WELF, safeguarding your privacy isn’t just a legal checkbox—it’s a core value that guides every product decision we make. We combine bank-grade security, world-class compliance, and a people-first mindset to ensure that your personal information stays exactly that—personal.

Our Promise

Data Portability

We tell you who we are, what data we collect, why we need it, and who we share it with— no hidden clauses.

Your Rights, Front & Centre

We tell you who we are, what data we collect, why we need it, and who we share it with— no hidden clauses.

Security by Design

Our infrastructure is built with zero-trust protocols, end-to-end encryption, and strict access controls. Every employee and partner signs strict NDAs and DPAs and passes rigorous background checks.

Global Compliance, One Standard

We follow the toughest rules on the planet—GDPR, UK GDPR, DIFC/ADGM, CCPA, PDPA, and more—so you enjoy the same high level of protection wherever you live.

Direct Human Support

Real privacy professionals (not bots) acknowledge every request within 72 hours. Our Data Protection Officer, Claude Luescher, is always just an email away at dpo@welf.com.

Read on to discover how our principles turn into everyday practices that respect your rights and protect your wealth.

WELF Privacy & Data Protection Policy Last updated: 8 April 2025

Who We Are

WFH Technologies LLC, trading as WELF, is the data controller responsible for your personal data.

WFH Technologies LLC Registered Address: One by Omniyat, Office 2504, Business Bay, Dubai, UAE Registration No: 2445118

WFH Technologies LLC (Branch) Registered Address: Oceania Business Plaza, Tower 1000, 21 st Floor, Office 21B, Punta Pacifica, Panama City, Panama Registration No: 155751153

For all services, WFH Technologies LLC acts as the Data Controller (or the equivalent “business”/“provider” under other laws). This means we decide why and how your personal data is processed—and we take that responsibility seriously.

How to Reach Us

Data Protection Officer: Claude Luescher Email: dpo@welf.com Address: DPO, WFH Technologies LLC, One by Omniyat, Office 2504, Business Bay, Dubai, UAE

We respond to privacy inquiries within 72 hours and resolve them within applicable legal timeframes (one month under GDPR, or 45 days under CCPA).

What Does this Policy Cover

Data laws differ worldwide. We apply the strictest standard applicable to give you uniform, highlevel protection, wherever you are. This Policy covers all websites, customer portals, mobile/desktop apps, APIs, and related services (collectively, “Services”) offered by WELF. It is crafted to comply with:

GDPR (EU/EEA & UK)
DIFC & ADGM Data Protection Regulations
Swiss FADP
CCPA/CPRA (California)
PIPEDA (Canada)
PDPA (Singapore)
Any stricter local rules where we operate.

Where local law provides stronger protection, we follow that higher standard—never the lowest common denominator.

Our platforms may include links to external websites that operate independently of WELF. While we aim to link only to trustworthy sources, we cannot be held responsible for their content, practices, or privacy policies. Always ensure the site is secure (look for the padlock in the URL bar). If in doubt, reach out to us before sharing any personal information.

Automated Decision-Making

At WELF, we do not rely solely on automated decision-making or profiling that significantly impacts you. Where technology is used to assess risk or eligibility, final decisions always include human oversight. Should this policy ever change, we will update you in advance.

Marketing and Communication

We respect your preferences when it comes to communication. If you choose not to receive marketing from WELF, you can opt out at any time using the unsubscribe link included in every message.

Information We Collect

We collect limited personal information—such as your name, contact details, device data, payment method, and on-site activity—to provide and improve our services.

This data is collected with your consent, and you can withdraw that consent at any time. We never share personally identifiable information with third parties unless required by law or for contract enforcement. We apply robust safeguards to ensure your data is treated with the highest level of confidentiality and care.

Data Collection

We collect only what is essential and relevant to your engagement with us, under the Legal Basis of GDPR Art. 6: 

Identification information, such as your full name, date of birth, national ID or passport number, and KYC documents. GDPR Art. 6: (b) Contract, (c) Legal obligation, (f) Legitimate interest
Contact information, including your email address, phone number, mailing address, and preferred language. GDPR Art. 6: (b) Contract, (f) Legitimate interest
Financial information, such as your bank account details, tokenized card data, and transaction history. GDPR Art. 6: (b) Contract, (c) Legal obligation
Professional information, including your job title, employer, and any relevant accreditations. GDPR Art. 6: (f) Legitimate interest
Usage and technical data, including your IP address, device identifiers, browser type, interaction logs, and cookies. GDPR Art. 6: (a) Consent, (f) Legitimate interest
Special category data, which we do not intentionally process, unless required for compliance (e.g., sanctions screening), in which case we rely on a lawful basis GDPR Art. 9 (2)(g) or (c).

How We Collect Data

Your data may come from: 

Directly from you (forms, onboarding, KYC, support tickets)
Technical sources (via cookies, SDKs, server logs, and similar technologies )
Verified third parties (Sumsub KYC, credit reference agencies, public registers)

Each method is designed to be transparent and proportionate.

Why We Process Your Data

We process your personal data only for legitimate, clearly defined purposes, always with your trust and security in mind: 

To verify your identity and comply with AML/CFT regulations during account creation and onboarding.
To deliver, maintain, and improve our services, ensuring the platform operates seamlessly and evolves with your needs.
To process transactions, detect fraud, and handle payments, enabling secure and compliant financial operations.
To provide timely and effective customer support, responding to inquiries and resolving issues with care and efficiency.
To send relevant updates, product news, and offers, based on your preferences and with your prior consent.
To meet regulatory obligations and conduct audits, including legal reporting, dispute resolution, and risk assessments.
To protect the platform and your account through security measures, including access controls, monitoring, and incident response.
To enhance user experience through analytics, using performance data and behavioral insights—always anonymized where possible.

At WELF, we never process your data without purpose, and we never sell it. Your trust is our most valuable asset.

Cookies & Similar Technologies

We use select cookies and tracking technologies to enhance your experience and improve our platform—never to exploit your data. 

Meta Pixel is used to track conversions and optimize advertising performance, with data retained for 90 days and requiring your consent. 
HubSpot enables CRM integration, chat functionality, and marketing automation, with data stored for up to 13 months and subject to your consent.
Google Analytics helps us understand how users interact with our platform (with IP anonymization enabled), retaining data for 26 months and requiring your consent.

You can withdraw or manage your cookie preferences at any time via the Cookie Settings panel—no questions asked, no barriers added.

Sharing is limited, transparent, and always under strict contracts to protect your data.  

Group Companies & Affiliates – only those who need data to perform services.
Service Providers – HubSpot (CRM), Microsoft 365 E5, Azure IAM, SendGrid (email), Sumsub (KYC). All operate under DPAs with the latest Standard Contractual Clauses.
Regulated Counterparties – banks, payment processors.
Authorities – only when legally compelled.
Professional Advisers – auditors, lawyers, insurers under confidentiality.

Every employee, contractor, and thirdparty partner signs a DPA and NDA and undergoes background checks. Privacy is baked into our supply chain.

International Data Transfers

Data sometimes travels globally. We ensure that, wherever it goes, it remains protected to EU equivalent standards.

We rely on Adequacy Decisions, SCCs/IDTA, Binding Corporate Rules, and strong encryption. Supplementary technical measures prevent unauthorised access even under foreign laws.

Data Security

We protect your data like it’s our own:

Zero-trust architecture with Azure IAM & Conditional Access
Encryption: TLS 1.3 in transit, AES256 at rest
Network & application firewalls (WAF, DDoS mitigation)
24/7 monitoring & SIEM
Annual penetration tests & DORA aligned incident response playbooks
Least privilege access enforced via RBAC
Mandatory staff training on GDPR, DORA, and security best practices.

Data Retention

We retain your personal data only for as long as necessary—no longer, no less—based on legal, regulatory, and operational requirements.

Identification and KYC data is retained for the lifetime of your account plus five years, to meet anti-money laundering, tax, and audit obligations.
Transaction and financial records are kept for the lifetime of your account plus five years, in accordance with regulatory standards.
Marketing preferences and related consent data are retained until you withdraw consent or for up to two years after your last interaction.
Technical logs are stored for up to two years to support platform security, performance monitoring, and analytics.
Data under legal hold is retained for as long as required to comply with investigations, litigation, or legal obligations.

All deletions are executed using secure industry-standard methods, including cryptographic erasure or secure wipe.

Automated Decision Making & Profiling

Your Rights, Clearly Explained

What are your rights?

You have full control over your personal data, and we are committed to making the exercise of your rights simple, respectful, and free of charge. 

Access – You can request a copy of the personal data we hold about you at any time.
Rectification – You can correct or update any inaccurate or incomplete information.
Erasure – You may ask us to delete your data when it’s no longer needed or if you withdraw consent.
Restriction – You can request a pause on processing while a concern or dispute is under review.
Data Portability – You can receive your data in a structured, machine-readable format for reuse or transfer.
Object – You can object to data processing based on legitimate interests or for direct marketing purposes.
Withdraw Consent – You can withdraw your consent at any time, without penalty or disruption.
Complain – You may lodge a complaint with your local supervisory authority if you believe your rights have been violated.

To exercise any of these rights, email us at privacy@welf.com or dpo@welf.com. We respond to all valid requests within the legal timeframe and always acknowledge them within 72 hours.

Supervisory Authorities

Independent regulators enforce your rights. You can escalate any concern to them at any time.

Our lead authority for EU matters is the Commission nationale pour la protection des données (CNPD), Luxembourg. Contact details are available on the CNPD website.

Children

We do not knowingly collect data from individuals under 18. If we learn otherwise, we act immediately to delete the data.

Changes to This Policy

Laws and technologies evolve. We keep you informed so you can make ongoing, informed decisions.

We will post any material changes at least 14 days before they take effect and notify registered users by email. Continued use after the effective date equals acceptance.

Questions?

If you have any questions, contact our Data Protection Officer at dpo@welf.com, or for privacy inquiries at privacy@welf.com

 This Privacy & Data Policy is part of our Terms and Conditions and Terms of Website Service.

PreviousLegal NextWELF Terms of Service

Last updated 18 hours ago