Privacy Policy

At Norxio, your privacy is important to us. This Privacy Policy explains how we collect, use, store, and protect personal and business information when you access our website, apply for or use our platform, interact with any of our services.

Norxio provides business-focused cross-border payment and treasury services, including multi-currency business accounts, international payments, foreign exchange, invoicing, trade-document workflows, and related operational tools. This Privacy Policy applies to information processed in connection with those activities.

By using Norxio, you acknowledge the practices described in this Privacy Policy.

We collect information needed to provide, secure, and improve our services, comply with legal and regulatory obligations, and communicate with users and business contacts.

We collect information you provide directly, such as when you:

• Create an account or begin an onboarding application
• Submit company, director, beneficial owner, or authorised user details
• Complete identity or business verification steps
• Add payment beneficiaries, suppliers, customers, or bank account details
• Create, upload, send, or manage invoices and trade-related documents
• Contact support, book a demo, submit a form, or communicate with us
• Opt in to receive SMS, email, or other communications from Norxio

This may include your name, business email address, mobile number, job title, company details, identity verification information, payment details, and other information reasonably necessary to operate your account or provide our services.

We also collect information automatically when you use Norxio. This may include technical and usage data such as IP address, device type, browser information, operating system, login activity, usage logs, security events, cookies or similar identifiers, API activity, and interactions with our website and platform. These details help us maintain security, monitor performance, prevent misuse, and improve reliability.

In some cases, we receive information from third parties, such as identity verification providers, business verification providers, payment partners, banking partners, compliance screening providers, fraud prevention vendors, analytics providers, communications providers, professional advisers, and publicly available or official sources. This helps us verify users and businesses, process payments, prevent fraud, conduct sanctions and risk screening, and comply with legal requirements.

Categories of Personal Data

The personal data we collect may include:

Identity Data: Full name, date of birth, nationality, government-issued identification details, verification status, selfie or liveness-check results where used during identity verification, role within a business, authorised signatory status, and other identity information required for onboarding or compliance.

Contact Data: Residential address where required for verification, business address, billing address, email address, telephone number, mobile number, and business contact information.

Business and Corporate Data: Company name, company registration number, tax or business registration information where required, business activities, ownership structure, directors, beneficial owners, authorised users, website information, and information used to assess eligibility for Norxio services.

Financial Data: Bank account details, account holder details, payment account details, settlement instructions, source-of-funds or source-of-wealth information where required, and information needed to process payments and comply with financial crime controls.

Transaction Data: Payment amounts, currencies, dates and times, sender and recipient information, beneficiary details, invoice references, payment purpose information, payment status, refund or reversal information, and records relating to services requested or used.

Invoice, Supplier, and Trade Document Data: Information contained in invoices, trade documents, payment supporting documents, supplier or customer records, and related workflow materials uploaded to or generated through Norxio. These documents may contain personal data such as names, contact details, addresses, signatures, and business identifiers.

Technical Data: IP address, device identifiers, browser type and version, time zone settings, approximate location inferred from device or IP information, operating system, authentication data, login events, system logs, and API usage data.

Usage Data: Information about how you use our website, onboarding journey, platform, APIs, and services, including pages visited, features used, workflow steps completed, and navigation patterns.

Communications Data: Customer support interactions, inquiry history, service notices, feedback, email preferences, marketing preferences, and records of communications with Norxio.

SMS Privacy and Consent

Norxio does not sell, rent, or share mobile phone numbers, SMS opt-in data, text messaging consent, or text messaging originator data with third parties or affiliates for their marketing or promotional purposes.

All categories of data sharing described in this Privacy Policy exclude mobile information, SMS opt-in data, and messaging consent. This information will not be shared with any third party for marketing or promotional purposes.

Norxio may use service providers to help deliver SMS messages, manage opt-outs, prevent fraud, secure accounts, and support service-related communications. These providers are only permitted to process SMS-related data on Norxio’s behalf and are not permitted to use it for their own marketing or promotional purposes.

Special Categories of Personal Data

We do not seek to collect special category personal data unless it is necessary for a specific lawful purpose, such as identity verification, fraud prevention, or compliance with legal and regulatory obligations.

Where relevant, this may include:

Biometric or Verification Data: Some identity verification processes may involve selfie checks, facial matching, liveness detection, or other biometric-style verification carried out by specialist identity verification providers. Depending on the process used, Norxio may receive verification results, flags, or supporting information needed to complete onboarding and compliance checks.

Criminal Convictions and Related Screening Data: Where permitted or required by law, Norxio or its compliance partners may process information relevant to sanctions screening, politically exposed person screening, fraud prevention, adverse media review, or criminal financial risk assessment.

We process this information only where necessary and lawful, including where required for substantial public interest reasons, financial crime prevention, legal compliance, or with explicit consent where applicable.

We do not intentionally collect sensitive personal data such as race or ethnicity, religious or philosophical beliefs, trade union membership, health information, sex life, or sexual orientation unless it is voluntarily provided to us in a context where we have a lawful basis to process it.

We use personal data to provide and improve our services, meet contractual obligations, comply with legal and regulatory requirements, operate a secure payments platform, and pursue legitimate business interests such as fraud prevention, customer support, and service improvement.

Legal Basis for Processing

We process your personal data based on one or more of the following legal grounds:

Performance of Contract: Processing necessary to provide Norxio services, administer accounts, process payments, support invoicing and document workflows, provide customer support, or take steps at your request before entering into a contract.

Legitimate Interests: Processing necessary for our legitimate business interests or those of a third party, except where such interests are overridden by your rights and freedoms. This may include fraud prevention, security monitoring, product improvement, business administration, analytics, and certain business-to-business communications.

Legal Obligation: Processing necessary to comply with applicable laws and regulatory requirements, including anti-money laundering, counter-terrorist financing, sanctions, fraud prevention, tax, record keeping, regulatory reporting, and other obligations that may apply to Norxio or its regulated partners.

Consent: Where you have given clear consent for a specific purpose, such as certain marketing communications or optional SMS communications. You may withdraw consent at any time, subject to any processing that remains necessary under another lawful basis.

Purposes of Processing

• We use personal data for the following purposes:
• To provide, maintain, and improve our website, onboarding experience, platform, APIs, and services
• To open, administer, and secure business user accounts
• To process international payments, foreign exchange transactions, account activity, and related settlement operations
• To create, send, receive, store, and manage invoices and trade-related documents
• To maintain supplier, beneficiary, customer, and payment records within the platform
• To verify identities, businesses, beneficial owners, directors, authorised users, and payment beneficiaries where required
• To conduct customer due diligence, know-your-customer checks, know-your-business checks, sanctions screening, anti-money laundering monitoring, counter-terrorist financing controls, fraud prevention, and risk assessments
• To communicate with you about applications, onboarding, account activity, payments, transactions, service updates, security alerts, verification steps, and support matters
• To send account-related or service-related emails and text messages where appropriate
• To send marketing communications where permitted by law and, where required, with your consent
• To provide customer support and respond to inquiries
• To detect, investigate, and prevent fraud, abuse, suspicious activity, unauthorised access, or security incidents
• To maintain audit trails, compliance records, operational logs, and internal reporting
• To analyze usage patterns, improve user experience, and develop platform functionality
• To enforce our terms, protect our rights, and resolve disputes
• To comply with legal, regulatory, law enforcement, or court requirements

SMS and Mobile Communications

Norxio may use SMS or other mobile messaging to send account-related, security-related, verification-related, onboarding-related, or service-related communications. Where applicable and where you have opted in, Norxio may also send consent-based informational or marketing text messages.

Message frequency may vary depending on your interactions with Norxio, the status of your account, and the services you use. Message and data rates may apply. You may opt out of recurring SMS messages at any time by replying STOP to a message where that functionality is available. You may also request help by replying HELP where supported or by contacting Norxio directly.

Norxio does not sell, rent, or share mobile information, text messaging originator opt-in data, or messaging consent with third parties or affiliates for their marketing or promotional purposes.

We may share personal data with:

Norxio Group Companies: Entities within the Norxio group, where applicable, for operational, administrative, support, risk, and reporting purposes.

Service Providers: Third-party vendors that provide cloud infrastructure, hosting, cybersecurity, analytics, customer support, document generation, communications, email delivery, SMS delivery, identity verification, compliance tooling, and other operational services.

Financial Institutions and Payment Partners: Banks, payment service providers, foreign exchange partners, settlement providers, correspondent institutions, and other financial counterparties involved in delivering account, payment, and foreign exchange services.

Compliance Partners: Identity verification providers, business verification providers, sanctions and politically exposed person screening services, fraud prevention providers, adverse media tools, and other compliance support providers.

Professional Advisers: Lawyers, accountants, auditors, insurers, consultants, and other advisers who assist with legal, tax, accounting, compliance, insurance, or commercial matters.

Regulators and Authorities: Regulatory bodies, supervisory authorities, law enforcement agencies, courts, government bodies, tax authorities, and other public authorities where required or permitted by law.

Business Transferees: Potential buyers, investors, financing partners, acquirers, or successors in connection with a proposed or completed merger, acquisition, investment, financing, restructuring, or sale of assets, subject to appropriate confidentiality and data protection safeguards where required.

Other Users or Counterparties: Where necessary to complete a transaction, share invoice information, facilitate a workflow, manage a payment beneficiary, or provide services requested by you or your organisation.

Important SMS Privacy Statement: No mobile information, SMS opt-in data, or messaging consent will be shared with third parties or affiliates for marketing or promotional purposes. This does not restrict sharing with service providers that support message delivery, platform operations, fraud prevention, security, or legal compliance, provided they are not permitted to use that data for their own marketing purposes.

Note: We do not sell your personal data. We do not permit third parties to use your personal data for their own independent marketing purposes unless you have separately and explicitly agreed to that relationship.

We take data security seriously and implement technical and organisational measures designed to protect personal data against unauthorised access, loss, destruction, alteration, misuse, or disclosure.

Our Security Measures

Our controls may include:

• Encryption of data in transit and, where appropriate, at rest
• Access controls and role-based permissions
• Authentication and account security controls
• Security monitoring, logging, and incident detection
• Segregation of duties and least-privilege access principles
• Vendor due diligence and contractual safeguards
• Employee confidentiality and data protection obligations
• Backup, resilience, and disaster recovery measures
• Vulnerability management and periodic security review activities

No method of transmission or storage is completely secure. While we work to protect personal data, we cannot guarantee absolute security. Where required by applicable law, we will notify affected individuals, regulators, or other authorities of personal data breaches.

We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including to provide services, maintain business and compliance records, satisfy legal or regulatory obligations, resolve disputes, enforce agreements, and support audit requirements.

Retention Periods by Jurisdiction

Retention periods may vary depending on the type of information, the services used, the jurisdictions involved, and the legal or regulatory requirements that apply to Norxio or its partners.

United Kingdom

• Financial and transaction records: generally up to 6 years after the relevant relationship, transaction, or accounting period, unless a longer retention period is required or justified
• Customer due diligence and AML/KYC records: generally 5 years after the business relationship ends or an occasional transaction is completed, subject to applicable legal requirements and permitted extensions where relevant

United States

• Financial, compliance, and transaction records: retained for the period required under applicable federal, state, and partner obligations, which may commonly range from 5 to 7 years depending on the record type and service model

Canada

• Financial, compliance, and transaction records: retained for the period required under applicable federal, provincial, and partner obligations, which may include 5-year or 6-year recordkeeping requirements depending on the record type

Other Jurisdictions

• Retention periods will be determined by applicable local laws, financial crime requirements, contractual obligations, and legitimate business needs

Where more than one retention obligation applies, we may retain data for the longest applicable period where lawful and necessary. After the relevant retention period expires, data will be securely deleted, anonymised, or otherwise handled in accordance with applicable law.

Depending on your location and the privacy laws that apply, you may have certain rights regarding your personal data.

Rights for All Users

These rights may include:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your personal data, subject to legal, regulatory, and record keeping requirements
• Right to Restriction: Request restriction of processing in certain circumstances
• Right to Object: Object to certain processing based on legitimate interests or to direct marketing
• Right to Data Portability: Receive certain personal data in a structured, commonly used, machine-readable format where applicable
• Right to Withdraw Consent: Withdraw consent where processing is based on consent

Additional Rights for Specific Jurisdictions

European Union and United Kingdom (GDPR / UK GDPR):

• Right to lodge a complaint with your local data protection authority
• Right to object to certain processing activities
• Right to withdraw consent at any time where processing is based on consent

United States (State Privacy Laws):

Depending on the state law that applies, you may have rights to:

• Know what personal information is collected, used, disclosed, or shared
• Request deletion or correction of certain personal information
• Opt out of certain processing, where applicable
• Exercise privacy rights without unlawful discrimination

Norxio does not sell personal data and does not share mobile opt-in data or SMS consent for third-party marketing or promotional purposes.

Canada:

• Right to request access to personal information held about you
• Right to challenge accuracy and completeness
• Right to withdraw consent for certain processing, subject to legal and contractual limits

How to Exercise Your Rights

To exercise any applicable privacy right, please contact us at [email protected]. We may need to verify your identity before processing your request. We will respond within the timeframes required by applicable law.

Norxio may process personal data in countries other than the country where you are located, including where our service providers, compliance partners, payment partners, or infrastructure providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

Where required, we use appropriate safeguards for international transfers of personal data, which may include adequacy decisions, standard contractual clauses, contractual protections, or other lawful transfer mechanisms recognised under applicable data protection law.

Our website, platform, or communications may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of third parties that operate independently from Norxio. We encourage you to review the privacy policies of any third-party services before providing them with personal information.

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle personal data, please contact us:

General Privacy Inquiries
Email: [email protected]
Website: https://www.norxio.com/legal/privacy-policies

We would appreciate the opportunity to address your concerns before you contact a supervisory authority. Please contact us first where appropriate. However, you may have the right to lodge a complaint with a competent privacy or data protection authority if you are not satisfied with our response.

Examples may include:

• United Kingdom: Information Commissioner’s Office (ICO)
• European Union / Ireland: Data Protection Commission (DPC) or your local supervisory authority
• United States: Your State Attorney General or relevant state privacy authority, where applicable
• Canada: Office of the Privacy Commissioner of Canada or the relevant provincial authority, where applicable.