Legal and compliance

Privacy Policy

This international notice explains how Northline handles personal data throughout application, verification, account use, payments, lending, support, and closure.

This master notice is designed for international deployment. Before launch in a new country, complete the local legal-basis, retention, regulator, representative, cookie, credit-reference, and biometric disclosures required there.

01

Who this notice applies to

This notice applies to applicants, customers, beneficial owners, authorized representatives, beneficiaries, payees, website visitors, support contacts, and other individuals whose data is processed in connection with Northline. Workforce and supplier personnel may receive separate notices.

02

Controller and contact details

Northline, registered at replace-with-registered-office-address, is the controller unless a product notice identifies another controller, joint controller, or independent regulated Provider. Contact privacy@northline.example.com. Data protection contact: replace-with-data-protection-contact. EU representative: replace-with-EU-representative-or-not-applicable. UK representative: replace-with-UK-representative-or-not-applicable.

03

Data categories we collect

We may process identity, age, image, signature, address, contact, nationality, residence, immigration, tax, occupation, employment, income, household, affordability, source-of-funds, source-of-wealth, beneficial-ownership, account-purpose, property, collateral, credit, bank, card, beneficiary, payment, loan, transaction, support, complaint, device, network, session, authentication, cookie, communication, location, fraud, sanctions, risk, and audit data.

04

Documents and potentially sensitive data

Documents may include identity records, proof of address, bank statements, payslips, employment records, tax information, company records, property evidence, collateral statements, and signatures. Where lawful and necessary, checks may reveal biometric identifiers, political exposure, criminal allegations or convictions, health-related accessibility needs, or other specially protected data. Such data receives additional legal and access controls.

05

Sources of personal data

Data comes from you; your use of the Services; authorized representatives; linked customer-management records; banks, payment and card Providers; identity and verification vendors; credit-reference and fraud-prevention agencies; sanctions, PEP, adverse-media, corporate, property, and public-record sources; regulators and authorities; counterparties; and devices or networks used to access the Services.

06

Purposes and lawful bases

We process data to take steps before a contract and perform account, payment, card, lending, support, and security obligations; comply with anti-money-laundering, sanctions, tax, consumer-credit, recordkeeping, and regulatory law; protect vital interests where relevant; and establish, exercise, or defend legal claims.

Legitimate interests may include secure operations, fraud prevention, service administration, network protection, product improvement, complaints, business continuity, and corporate transactions, balanced against individual rights. Consent is used where required and may be withdrawn prospectively.

07

Identity verification and financial-crime prevention

We use identity, document, device, account-purpose, ownership, source, transaction, sanctions, PEP, and risk information to verify customers and prevent fraud, money laundering, terrorist financing, sanctions evasion, exploitation, and account takeover. Providers may retain fraud-prevention records and may lawfully use them to protect other organizations and customers.

08

Credit, affordability, and profiling

Loan review may use income, expenses, debts, household data, credit information, fraud indicators, collateral, and eligibility rules. Risk scores and profiles may support human review, monitoring, limits, or requests for evidence. A regulated credit disclosure will identify any credit-reference agency, material profiling, automated decision, principal factors, consequences, and legally available right to human intervention or challenge.

09

Automated decision-making

Northline does not rely on a solely automated final lending approval in the current manual-review workflow. If a future decision produces legal or similarly significant effects without meaningful human involvement, the applicable notice will explain the logic and consequences in understandable terms and provide safeguards required by law.

10

Biometrics and identity technology

Where an identity Provider uses facial comparison, liveness testing, or other biometric processing, the relevant notice will identify the Provider, purpose, legal basis, retention, alternatives where required, and whether biometric templates are created. Biometric processing will not be enabled in a jurisdiction without the required assessment, contract, notice, and consent or other valid legal basis.

11

Recipients of personal data

Data may be shared as necessary with banks, payment institutions, card issuers, lenders, custodians, identity vendors, credit-reference agencies, sanctions and fraud services, communications and hosting vendors, document storage, analytics, professional advisers, auditors, insurers, debt recovery, customer support, regulators, ombudsman bodies, courts, law enforcement, tax authorities, and parties to a lawful corporate transaction.

12

Independent controllers and provider notices

Certain regulated Providers and fraud, credit, tax, or government bodies process data as independent controllers under their own legal duties. Their privacy notices and retention rules may apply. Northline will identify material Providers at or before service activation where law requires.

13

International data transfers

When data is transferred across borders, we use a legally recognized mechanism appropriate to the origin jurisdiction, such as an adequacy decision, approved standard contractual clauses, the UK International Data Transfer Agreement or Addendum, binding corporate rules, approved certification, consent in limited circumstances, or another statutory exception. We assess supplementary technical, contractual, and organizational safeguards where required.

14

Retention

Application and KYC records are generally retained for the legally required financial-crime period after rejection, closure, or the end of the relationship. Contract, transaction, payment, card, loan, tax, and accounting records are retained for applicable limitation, regulatory, and reporting periods. Security logs are retained according to risk and investigation needs. Unverified draft data is removed earlier where no legal purpose remains.

Legal holds, complaints, fraud investigations, litigation, or regulatory directions may extend a period. Data is securely deleted, destroyed, or irreversibly anonymized when no longer required. A jurisdiction-specific retention schedule will be maintained before regulated launch.

15

Security and confidentiality

Controls include encryption in transit and for sensitive stored documents and secrets, private file storage, least-privilege access, server-side authorization, secure cookies, password hashing, multi-factor authentication, session controls, rate limiting, staff network restrictions, audit trails, backups, monitoring, secure development, vendor review, incident response, and access recertification. No organization can promise absolute security.

16

Your privacy rights

Depending on applicable law, you may request access, correction, deletion, restriction, portability, objection, withdrawal of consent, information about data sharing, or review of certain automated decisions. You may also complain to a supervisory authority. Rights may be limited by identity verification, financial-crime restrictions, legal privilege, fraud prevention, recordkeeping, claims, or the rights of others.

17

How to exercise rights

Send a request to privacy@northline.example.com. Describe the request and relevant Account. We may verify identity and authority, clarify scope, and use any lawful extension for complex requests. We do not discriminate for exercising a privacy right. Authorized-agent requests must include valid authority and may require direct identity confirmation.

18

European Economic Area and United Kingdom

Individuals covered by the GDPR or UK GDPR may complain to the authority where they live, work, or believe an infringement occurred. The configured lead authority is replace-with-competent-data-protection-authority. Rights include those described above, subject to Articles 12–23 and applicable national law. Objections to direct marketing are honored without balancing interests.

19

United States state privacy disclosures

Where a comprehensive U.S. state privacy law applies, residents may have rights to know, access, correct, delete, obtain a portable copy, opt out of targeted advertising, sale, certain sharing, or qualifying profiling, and appeal a refusal. Northline does not currently sell personal information for money or share it for cross-context behavioral advertising. Financial data may be partly exempt where governed by sector-specific law.

20

Cookies and similar technologies

Strictly necessary storage supports authentication, security, fraud prevention, language, and service operation. Non-essential analytics, advertising, or personalization technologies require the notice and consent applicable in the visitor’s jurisdiction. Browser controls may affect functionality. A cookie inventory and consent manager must be published before non-essential tracking is enabled.

21

Marketing and communications

Service, contractual, fraud, security, and regulatory communications may be required and cannot always be opted out of while an Account remains open. Marketing is sent only under an appropriate legal basis and includes an unsubscribe method. Withdrawing marketing consent does not affect prior lawful processing.

22

Call, chat, and support records

Support messages and, where lawful, calls may be recorded to authenticate requests, resolve issues, detect fraud, train authorized personnel, evidence instructions, and satisfy legal duties. Recording notices and consent are provided where required. Access is restricted and retention is proportionate to purpose and law.

23

Children and vulnerable customers

Northline individual accounts are not intended for anyone under 18, and we do not knowingly open such accounts. We may process accessibility or vulnerability information when necessary to provide support, protect vital interests, comply with law, or with valid consent. Access is limited to personnel who need it.

24

Data accuracy and third-party information

You must keep information accurate and avoid uploading unnecessary third-party data. If you provide information about another person, you must have authority and provide any required notice. We may ask you to correct or refresh records and may restrict Services while material discrepancies are resolved.

25

Security incidents and breach notification

Suspected incidents are investigated, contained, documented, and assessed for risk. We notify competent authorities, affected individuals, Providers, and other parties within legally required periods where notification thresholds are met. Security messages will explain recommended protective action and will never ask for a password or full one-time code.

26

Third-party links and services

External websites, wallets, merchants, social networks, and independently controlled services have their own privacy practices. A link or integration does not make Northline responsible for their processing. Review the relevant notice before providing data or authorizing access.

27

Changes to this notice

We may update this notice for legal, regulatory, Provider, technology, or service changes. Material changes will receive additional notice where required. The effective date and document version identify the current publication. Processing remains subject to the notice and law applicable at the relevant time.

28

Contact and complaints

Contact privacy@northline.example.com or write to replace-with-registered-office-address. You may complain to replace-with-competent-data-protection-authority or another competent authority. A privacy complaint does not prevent you from using other legal or regulatory remedies.