STRK — Privacy Policy
Last Updated: February 2026
1. Introduction
This Privacy Policy explains how Empyrean Cards - IT Solutions Unipessoal Lda ("STRK," "we," "us," or "our") collects, uses, stores, shares, and protects your personal data when you use the STRK platform, including the website (strk.com), the STRK application on iOS, Android, and web (app.strk.com), and all related services (together, the "Services").
We are committed to protecting your privacy and handling your personal data transparently. This policy is written in plain English so you can understand exactly what happens with your information.
Data Controller: Empyrean Cards - IT Solutions Unipessoal Lda, Rua do Miradouro, nº 19, Belém, Lisboa, 1400-250, Portugal. NIPC: 509 731 813. Email: privacy@strk.com
2. Legal Framework
We process your personal data in accordance with:
- General Data Protection Regulation (EU) 2016/679 ("GDPR")
- UK Data Protection Act 2018 and UK GDPR
- Portuguese Data Protection Law (Lei n.º 58/2019)
- ePrivacy Directive 2002/58/EC (as implemented in applicable jurisdictions)
- Other applicable data protection laws in jurisdictions where we operate
3. What Personal Data We Collect
3.1 Data you provide to us
| Category | Examples |
|---|---|
| Identity data | Full name, date of birth, nationality, gender, tax identification number |
| Contact data | Email address, phone number, residential address |
| Identification documents | Passport, national ID card, driving licence, proof of address |
| Financial data | Source of funds, employment status, purpose of account |
| Account data | @username, password (hashed), account preferences, currency selections |
| Communication data | Messages to our support team, feedback, complaint details |
3.2 Data collected automatically
| Category | Examples |
|---|---|
| Device data | Device type, model, operating system, unique device identifiers |
| Usage data | Features used, pages visited, actions taken in the App, session duration |
| Technical data | IP address, browser type and version, time zone, language settings |
| Location data | Approximate location derived from IP address (we do not use GPS unless you consent) |
| Log data | Access times, error logs, crash reports |
3.3 Data from third parties
| Source | Data | Purpose |
|---|---|---|
| Identity verification provider (SumSub) | Verification results, document authenticity checks, biometric comparison data | KYC compliance |
| Equals Money PLC | Transaction data, account details, card usage data | Payment services |
| Safeheron | Wallet addresses, cryptoasset balances, transaction records | Crypto custody |
| 28 STRK Limited / Regulated Partners | KYC information, Crypto Card transaction data, card status | Crypto Card services, regulatory compliance |
| Blockchain analytics providers | Transaction risk scores, wallet association data | AML/CTF compliance |
| Credit reference agencies | Credit reference data (soft check only) | Identity verification |
3.4 Special categories of data
We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation). If we receive such data incidentally (for example, through identity documents), we process it only to the extent strictly necessary for legal compliance (e.g., KYC) and delete or anonymise it when no longer needed.
3.5 Biometric data
If you enable biometric login (Face ID, Touch ID, fingerprint), the biometric data is processed and stored locally on your device by your device's operating system. We do not receive, store, or have access to your biometric data. We only receive a confirmation from your device that biometric authentication was successful.
During identity verification (KYC), our third-party provider (SumSub) may process facial biometric data for the purpose of comparing your face to your identity document. This data is processed by SumSub under their own privacy policy, with your explicit consent, and is not retained by STRK.
4. How and Why We Use Your Data
4.1 Lawful bases for processing
We process your personal data only when we have a lawful basis to do so. The table below sets out each purpose and its corresponding lawful basis:
| Purpose | Lawful Basis | Details |
|---|---|---|
| Account creation and management | Contract | Necessary to provide the Services you signed up for |
| Identity verification (KYC) | Legal obligation | Required by AML/CTF regulations |
| Transaction monitoring | Legal obligation | Required by AML/CTF regulations |
| Providing payment services | Contract | Necessary to execute your payment instructions |
| Providing cryptoasset services | Contract | Necessary to facilitate your crypto transactions |
| Fraud detection and prevention | Legitimate interest / Legal obligation | Protecting you and us from financial crime |
| Customer support | Contract | Responding to your requests and resolving issues |
| Service improvement and analytics | Legitimate interest | Improving the App, website, and Services for all users |
| Marketing communications (with consent) | Consent | Sending promotional emails, push notifications (opt-in only) |
| Tax reporting (CRS, FATCA) | Legal obligation | Required by tax reporting regulations |
| Compliance with legal requests | Legal obligation | Responding to court orders, regulatory requests |
| Security (access logs, fraud alerts) | Legitimate interest | Maintaining the security of our platform |
4.2 Legitimate interests
Where we rely on legitimate interest as a lawful basis, we have conducted a balancing assessment to ensure that our interests do not override your fundamental rights and freedoms. You can request information about these assessments by contacting us at privacy@strk.com.
5. Who We Share Your Data With
5.1 Service providers and regulated partners
We share your personal data with third parties only when necessary to provide the Services or comply with legal obligations. We do not sell your personal data.
| Recipient | What We Share | Why |
|---|---|---|
| Equals Money PLC (FCA No. 488396) | Identity data, financial data, transaction data | Payment services, safeguarding, regulatory compliance |
| Equals Money International Limited (FRN 900493) | Identity data, card data | Card issuance |
| Safeheron (Singapore) | Account identifiers, wallet data, transaction instructions | Cryptoasset custody |
| 28 STRK Limited / Regulated Partners (Hong Kong) | Identity data, KYC information, card data, transaction data | Crypto Card issuance, regulatory compliance |
| SumSub | Identity documents, facial data (with consent) | KYC verification |
| Blockchain analytics providers | Wallet addresses, transaction hashes | AML/CTF compliance |
| Cloud hosting provider | All data (encrypted at rest) | Infrastructure and hosting |
| Customer support tools | Communication data, account identifiers | Support ticket management |
| Analytics providers | Anonymised/pseudonymised usage data | Service improvement |
5.2 Legal and regulatory disclosures
We may disclose your personal data to:
- law enforcement agencies, courts, or regulators when required by law or in response to a valid legal request;
- tax authorities under CRS, FATCA, or other automatic exchange of information (AEOI) frameworks;
- the Financial Conduct Authority (FCA) or other financial regulators; and
- professional advisers (lawyers, auditors, accountants) under obligations of confidentiality.
5.3 Business transfers
If STRK (or any part of our business) is acquired by or merged with another company, your personal data may be transferred to the new owner. We will notify you before any such transfer and give you the opportunity to exercise your rights.
6. International Data Transfers
Your personal data may be transferred to, stored in, and processed in countries outside the European Economic Area (EEA), including:
| Country | Recipient | Safeguard |
|---|---|---|
| United Kingdom | Equals Money PLC, Equals Money International Limited | UK adequacy decision |
| Singapore | Safeheron | Standard Contractual Clauses (SCCs) approved by the European Commission |
| Hong Kong | 28 STRK Limited, Regulated Partners | Standard Contractual Clauses (SCCs) |
| Other countries (as needed) | Sub-processors | SCCs and/or adequacy decisions as applicable |
Where we rely on Standard Contractual Clauses, we have assessed the legal framework of the recipient country and, where necessary, implemented supplementary measures (such as encryption) to ensure an adequate level of protection.
7. How Long We Keep Your Data
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Identity and KYC data | 5 years after account closure | AML/CTF legal requirements |
| Transaction records | 5 years after the transaction | AML/CTF and tax reporting requirements |
| Communication records | 3 years after resolution | Regulatory and dispute resolution requirements |
| Marketing consent records | Until consent is withdrawn + 1 year | Evidence of consent |
| Technical and usage logs | 12 months | Security and service improvement |
| Account data | Duration of account + 5 years | Regulatory requirements |
After the applicable retention period, your data will be securely deleted or irreversibly anonymised.
8. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights:
| Right | What It Means |
|---|---|
| Access | You can request a copy of the personal data we hold about you. |
| Rectification | You can ask us to correct inaccurate or incomplete data. |
| Erasure ("right to be forgotten") | You can ask us to delete your data, subject to legal retention obligations. |
| Restriction of processing | You can ask us to restrict processing of your data in certain circumstances. |
| Data portability | You can request your data in a structured, commonly used, machine-readable format. |
| Objection | You can object to processing based on legitimate interest. We will cease processing unless we have compelling legitimate grounds. |
| Withdraw consent | Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing. |
| Lodge a complaint | You have the right to lodge a complaint with a supervisory authority (see Section 8.2). |
8.1 How to exercise your rights
Contact us at:
- Email: privacy@strk.com
- In-app: Through the support section of the STRK App
- Post: Data Protection, Empyrean Cards - IT Solutions Unipessoal Lda, Rua do Miradouro, nº 19, Belém, Lisboa, 1400-250, Portugal
We will respond to your request within 30 days (extendable by up to 60 additional days for complex requests, with prior notice). We may ask you to verify your identity before processing your request.
8.2 Supervisory authorities
You have the right to lodge a complaint with a supervisory authority. Relevant authorities include:
- Portugal: Comissão Nacional de Proteção de Dados (CNPD) — www.cnpd.pt
- Your country of residence: The data protection authority in the EEA/UK member state where you reside.
9. Data Security
We implement technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption: TLS 1.3 for data in transit; AES encryption for data at rest.
- Access controls: Role-based access, principle of least privilege, multi-factor authentication for staff access.
- Infrastructure security: Hosted on ISO 27001 and SOC 2 certified infrastructure.
- Monitoring: Real-time intrusion detection, anomaly monitoring, and security alerting.
- Incident response: Documented data breach response procedures, including notification to affected individuals and supervisory authorities within 72 hours (as required by GDPR).
- Employee training: Regular data protection training for all staff with access to personal data.
- Vendor security: All third-party processors are assessed for security and data protection compliance before engagement and on an ongoing basis.
10. Automated Decision-Making and Profiling
10.1 Fraud detection
We use automated systems for fraud detection and transaction monitoring. These systems may flag suspicious transactions based on patterns, amounts, frequencies, or other risk indicators. Flagged transactions may be temporarily held or blocked.
If a decision is made solely by automated means that significantly affects you, you have the right to request human review. Contact us at support@strk.com.
10.2 KYC screening
Identity verification includes automated document checks and sanctions screening. Where automated checks result in a negative outcome, the result is reviewed by a human before any final decision is made.
11. Children's Data
The Services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.
12. Third-Party Links
The STRK website and App may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing any personal data.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or through the App at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy indicates when the most recent changes were made.
Your continued use of the Services after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
If you have any questions about this Privacy Policy or our data protection practices, please contact us:
- Data Protection Contact: privacy@strk.com
- Post: Data Protection, Empyrean Cards - IT Solutions Unipessoal Lda, Rua do Miradouro, nº 19, Belém, Lisboa, 1400-250, Portugal
15. Regulatory Disclosures
Empyrean Cards - IT Solutions Unipessoal Lda is in partnership with Equals Group PLC (Registered in England & Wales No. 08922461). Equals Money PLC is part of Equals Group PLC. Registered Office: 3rd Floor, Vintners' Place, 68 Upper Thames St, London, EC4V 3BJ. Equals Money PLC is authorised by the Financial Conduct Authority to provide payment services (FCA No. 488396).
Your funds are safeguarded in accordance with the FCA's safeguarding requirements for e-money and payment services. This means your money is held in segregated bank accounts and protected in case of insolvency. Please note: your funds are not covered by the Financial Services Compensation Scheme (FSCS).
STRK is operated by Empyrean Cards - IT Solutions Unipessoal Lda. Rua do Miradouro, nº 19, Belém, Lisboa, 1400-250, Portugal. NIPC: 509 731 813.
Crypto cards are issued by 28 STRK Limited (二十八視野有限公司). Business Registration Number: 78831699. Registered Address: Unit S-V, R18, 6/F, Valiant Industrial Centre, Nos 2-12 Au Pui Wan Street, Fo Tan, Hong Kong.
© 2026 Empyrean Cards - IT Solutions Unipessoal Lda. All rights reserved.
