Privacy
Policy.

We collect personal data that you provide directly when creating an account, completing identity verification, or using our services. This includes:

• Identity information — full name, date of birth, nationality, government-issued identification documents, and biometric data collected during liveness verification.
• Contact details — email address, telephone number, and residential address.
• Financial information — bank account details, transaction history, investment holdings, and source of funds declarations.
• Technical data — IP address, browser type, device identifiers, and usage patterns collected automatically when you access our platform.

We may also receive information from third-party sources, including credit reference agencies, fraud prevention services, and publicly available registers, in connection with our regulatory obligations.

We process your personal data for the following purposes:

• Account administration — to create, maintain, and secure your account, and to communicate with you about your account activity.
• Regulatory compliance — to fulfil our obligations under anti-money laundering (AML), know-your-customer (KYC), and counter-terrorist financing (CTF) regulations.
• Service delivery — to process investments, manage loan applications, execute transactions, and administer your portfolio.
• Risk management — to detect and prevent fraud, assess creditworthiness, and manage platform risk.
• Platform improvement — to analyse usage patterns, improve our services, and develop new features.

We rely on contractual necessity, legal obligation, legitimate interest, and — where required — your explicit consent as lawful bases for processing under UK GDPR.

We do not sell your personal data to third parties. We share information only in the following circumstances:

• Partner banks — to facilitate fund transfers and withdrawals through our partner banking infrastructure.
• Regulatory authorities — when required by law or in response to lawful requests from the FCA, HMRC, or other competent authorities.
• Service providers — identity verification providers, cloud infrastructure operators, and payment processors who act as data processors under written agreements.
• Legal proceedings — where necessary to establish, exercise, or defend legal claims.

All third-party processors are contractually bound to process data only on our instructions and to maintain appropriate security measures.

We retain your personal data for as long as necessary to provide our services and fulfil our legal obligations:

• Active accounts — data is retained for the duration of the customer relationship plus any statutory retention period.
• AML/KYC records — retained for a minimum of 5 years after the business relationship ends, in accordance with the Money Laundering Regulations 2017.
• Transaction records — retained for 7 years in accordance with financial record-keeping requirements.
• Technical logs — retained for 12 months, then anonymised or deleted.

Under UK GDPR, you have the following rights in relation to your personal data:

To exercise any of these rights, contact our Data Protection Officer at privacy@crestrockfinance.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

We use cookies and similar technologies to operate and improve our platform. Essential cookies are required for core functionality, including authentication and security. Analytics and optional cookies are only set with your consent.

For full details on the cookies we use and how to manage your preferences, see our Cookie Policy.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us: