Privacy Policy and Data Protection Notice
Blue Bank International N.V.
Mobile Banking Application & Digital Services
Effective Date: April 2026
1. Introduction and Scope
This Privacy Policy and Data Protection Notice (hereinafter referred to as this “Policy”) describes how Blue Bank International N.V., a banking institution duly licensed and regulated by the Centrale Bank van Curacao en Sint Maarten (“CBCS”), with its registered office in Curacao (hereinafter referred to as “Blue Bank International,” “we,” “us,” or “our”), collects, uses, processes, stores, shares, protects, and disposes of personal data and information obtained through or in connection with our mobile banking application (the “App”), our website, our digital banking services, and any related platforms, channels, or communication mediums operated by or on behalf of Blue Bank International (collectively, the “Services”).
This Policy is provided to inform you about how your personal data is processed in accordance with applicable data protection laws, including the Landsverordening bescherming persoonsgegevens (LBP), referenced below. Certain processing activities described herein are based on legal and regulatory obligations and do not rely on your consent. If you do not agree to this Policy in its entirety, you must immediately cease all use of the App and our Services. Your continued use of the App or Services following any modifications to this Policy shall constitute your acceptance of such modifications.
This Policy applies to all Users of the App and Services regardless of your country of residence, including but not limited to account holders, authorized signatories, beneficial owners, prospective clients who initiate but do not complete the account opening process, and any individual who interacts with our digital channels. This Policy supplements and should be read in conjunction with our Terms of Service and any other agreements or disclosures provided to you in connection with our Services.
Blue Bank International reserves the right, at its sole and absolute discretion, to amend, modify, update, or replace this Policy at any time and for any reason, with or without prior notice. Any changes to this Policy will be effective immediately upon posting of the revised Policy within the App or on our website, unless otherwise stated. It is your sole responsibility to review this Policy periodically to remain informed of any updates. We will make reasonable efforts to notify you of material changes through in-app notifications, email, or other appropriate means, but our failure to do so shall not invalidate or otherwise affect the enforceability of the revised Policy.
2. Governing Legal Framework
Blue Bank International is established in Curacao and is primarily governed by the laws of Curacao. The processing of your personal data is conducted in accordance with the following legal and regulatory framework:
2.1 Landsverordening bescherming persoonsgegevens (LBP)
The National Ordinance on the Protection of Personal Data (Landsverordening bescherming persoonsgegevens, National Gazette 2010, Consolidated text no. 84), effective since October 1, 2013, is the primary data protection law applicable to Blue Bank International. The LBP establishes the foundational principles governing the processing of personal data in Curacao, including requirements of purpose limitation, data minimization, accuracy, transparency, and lawful processing. The LBP provides that personal data may only be processed where there is a valid legal basis, such as the unambiguous consent of the data subject, the necessity of processing for the performance of a contract, compliance with a statutory obligation, the protection of the vital interests of the data subject, or the pursuit of a legitimate interest of the data controller. The LBP further regulates the processing of special categories of personal data (including data concerning religion, race, political views, health, sexual life, and trade union membership), the rights of data subjects (including the right of access, correction, and deletion), the transfer of personal data to countries outside the Kingdom of the Netherlands, and liability for damages arising from non-compliant processing. Blue Bank International processes all personal data in full compliance with the LBP and the principles of proportionality and subsidiarity prescribed thereunder.
2.2 Applicability of the European Union General Data Protection Regulation (GDPR)
Blue Bank International services clients from jurisdictions around the world, including the European Union (“EU”) and European Economic Area (“EEA”). The GDPR (Regulation (EU) 2016/679) may apply to our processing of personal data where we offer goods or services to individuals in the EU/EEA or where we monitor the behavior of individuals within the EU/EEA. Where the GDPR applies to our processing of your personal data, we will comply with the GDPR’s requirements in addition to our obligations under the LBP, including but not limited to the GDPR’s provisions on lawful processing, data subject rights, data protection impact assessments, data breach notification, and international data transfers. Where any provision of this Policy is inconsistent with the GDPR as it applies to you, the GDPR shall prevail to the extent of the inconsistency.
2.3 Other Applicable Data Protection Laws
Blue Bank International acknowledges that Users may reside in jurisdictions with their own data protection laws, including but not limited to: Brazil’s Lei Geral de Protecao de Dados (LGPD); Colombia’s Ley 1581 de 2012 (Ley de Proteccion de Datos Personales) and its implementing Decree 1377 of 2013; the United States’ California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA); and any other national, state, or provincial data protection legislation applicable by reason of your residence, nationality, or the nature of the Services provided to you. Where we are required by such laws to provide you with additional rights, disclosures, or protections beyond those set forth in this Policy, we will comply with those requirements. Nothing in this Policy is intended to limit or restrict any rights you may have under the data protection laws of your country of residence.
2.4 Banking and Financial Regulatory Framework
In addition to data protection legislation, our processing of personal data is also subject to the banking and financial crime prevention regulatory framework applicable to Blue Bank International, including: the CBCS National Ordinance on the Identification of Services (Landsverordening identificatie bij dienstverlening, “NOIS”) and all related CBCS Provisions and Guidelines for the Detection and Deterrence of Money Laundering and Terrorist Financing; the Financial Action Task Force (“FATF”) Recommendations; the U.S. Foreign Account Tax Compliance Act (“FATCA”); the Organisation for Economic Co-operation and Development Common Reporting Standard (“CRS”); and all other applicable laws, regulations, directives, and guidelines of Curacao and any other jurisdiction in which we operate or provide Services. Where our banking and financial crime prevention obligations require us to collect, process, or retain personal data in a manner that exceeds or differs from what would otherwise be required under data protection law alone, the banking and financial regulatory requirements shall prevail.
3. Data Controller and Contact Information
Blue Bank International N.V., registered in Curacao, is the data controller (in the terminology of the LBP, the “responsible party”; in the terminology of the GDPR, the “controller”) responsible for the processing of your personal data as described in this Policy. For all privacy-related inquiries and data subject rights requests, please contact: privacy@bluebankinternational.com. We will endeavor to respond to all legitimate inquiries within a reasonable timeframe. For Users to whom the GDPR applies, we will respond to data subject rights requests within one (1) month, extendable by a further two (2) months where the complexity or volume of requests so requires, in accordance with Article 12(3) of the GDPR.
4. Categories of Personal Data Collected
In the course of providing our Services, we collect, receive, and process various categories of personal data. The specific data collected may vary depending on the nature of your relationship with us, the Services you use, the products you apply for, and the requirements of applicable law. The categories of personal data we may collect include, but are not limited to, the following:
4.1 Information You Provide to Us
4.1.1 Identity and Verification Data
We collect your full legal name, date of birth, place of birth, nationality, country of residence, gender, tax residency information, tax identification number, and any other information required to establish and verify your identity. As part of our KYC and AML obligations under the NOIS and CBCS guidelines, we collect copies or digital scans of government-issued identification documents, including but not limited to passports, national identity cards, driver’s licenses, and residence permits. We also collect facial biometric data through automated selfie-based liveness verification checks performed by our third-party identity verification provider, Sumsub. Biometric data used for identity verification is processed with appropriate safeguards. Where applicable, such data may be subject to enhanced protection requirements under international data protection frameworks such as the GDPR. This biometric data is used solely for the purpose of verifying that the person submitting identity documents is the same individual depicted therein, and for preventing identity fraud.
4.1.2 Contact Information
We collect your email address, telephone number (including mobile number), residential address, mailing address, and any other contact details you provide to us. This information is used for account administration, delivery of transactional notifications, security alerts, one-time passwords (“OTPs”), and other communications necessary for the operation of your account and the provision of our Services.
4.1.3 Financial and Transactional Data
We collect and process data related to your financial transactions, including but not limited to account balances, transaction histories, payment instructions, beneficiary details, source of funds information, source of wealth declarations, and any other financial data generated through your use of our Services. We may also collect information about your accounts held at other financial institutions when you use account linking or verification features provided through third-party services such as Plaid or Belvo.
4.1.4 Communication Data
We may collect and retain records of your communications with us, including but not limited to emails, in-app messages, WhatsApp messages (through our Respond.io integration), telephone call recordings (where permitted by applicable law and disclosed at the time of the call), and any other correspondence. We retain these records for quality assurance, training, dispute resolution, regulatory compliance, and evidentiary purposes.
4.2 Information Collected Automatically
4.2.1 Device and Technical Data
When you access the App, we automatically collect certain technical information about your device and connection, including but not limited to your device type, model, and manufacturer; operating system type and version; unique device identifiers (such as IMEI, MAC address, or advertising identifiers where applicable); Internet Protocol (“IP”) address; browser type and version (if applicable); screen resolution; language settings; time zone; and mobile network information. We use this data for security purposes, fraud detection, session management, and to ensure the proper functioning of the App.
4.2.2 Approximate Location Data
We collect approximate geographic location information derived from your IP address. We do not collect precise GPS location data. Approximate location data is used for fraud detection and prevention, risk scoring, regulatory compliance, and to identify potentially unauthorized access to your account from unusual or high-risk jurisdictions.
4.2.3 Usage and Behavioral Data
We may collect information about how you interact with the App, including pages or screens viewed, features used, actions taken, time spent on specific sections, and navigation patterns. This data is collected in aggregated or anonymized form where possible and is used to improve the functionality, performance, and user experience of our Services.
4.2.4 Diagnostic and Performance Data
We collect crash reports, error logs, and application performance data through our third-party crash reporting service, Sentry. This diagnostic data may include device information, operating system version, application state at the time of the crash, and stack traces. Sentry is configured to minimize the collection of personally identifiable information; however, certain device-level identifiers may be included in crash reports for the purpose of identifying and resolving technical issues.
4.3 On-Device Biometric Authentication
The App supports on-device biometric authentication, including fingerprint recognition and facial recognition (Face ID or equivalent), for the purpose of authenticating your identity when accessing the App. This biometric data is processed and stored exclusively within the secure enclave of your mobile device and is never transmitted to, accessed by, or stored on Blue Bank International’s servers or any third-party servers. Blue Bank International does not have access to, and does not collect or process, your on-device biometric authentication data. Your use of on-device biometric authentication is entirely voluntary and subject to the terms and conditions of your device manufacturer.
4.4 Information We Receive from Third-Party Sources
In addition to the data you provide directly and the data we collect automatically, we also receive personal data about you from third-party sources. We do this to fulfill our regulatory obligations under the NOIS and CBCS guidelines, to verify the accuracy of information you have provided, to assess and manage risk, and to protect against fraud and financial crime. In accordance with Article 24 of the LBP, we inform you of the following categories of third-party sources from which we may receive your personal data:
4.4.1 Sanctions, PEP, and Adverse Media Databases
We receive screening results, risk indicators, and match data from LSEG World-Check and Qual-ID, and from ComplyAdvantage, which provide information on whether you appear on sanctions lists (including but not limited to OFAC, EU, UN, and HMT sanctions lists), whether you are or have been a Politically Exposed Person (“PEP”), and whether there is adverse media coverage associated with your name. These screening checks are performed at the time of onboarding and on an ongoing periodic basis throughout the duration of our relationship, as required by the NOIS and CBCS guidelines.
4.4.2 Fraud Prevention and Device Intelligence Services
We receive device fingerprinting results, fraud risk scores, behavioral analytics data, and synthetic identity indicators from Sardine and/or Seon. These services analyze your device characteristics, IP address, and behavioral patterns to generate risk assessments that help us detect and prevent fraudulent activity.
4.4.3 Identity Verification Services
We receive verification results, document authentication scores, liveness detection outcomes, and facial match confidence scores from Sumsub.
4.4.4 External Account Verification Services
If you elect to use account linking or external account verification features, we receive tokenized account data, account ownership confirmation, and balance information from Plaid and/or Belvo, as authorized by you.
4.4.5 Blockchain Analytics Services
For Users who engage in transactions involving digital assets, we receive wallet risk scores, transaction risk indicators, and compliance screening results from Chainalysis.
4.4.6 Publicly Available Sources
We may collect information from publicly available sources, including government registers, corporate registries, court records, media publications, and publicly accessible databases, for the purpose of conducting enhanced due diligence and fulfilling our regulatory obligations.
5. Legal Basis for Processing Your Personal Data
Under the LBP, personal data may only be processed where the responsible party has a valid legal basis for doing so. Where the GDPR applies to our processing of your personal data, the GDPR’s legal bases under Article 6 (and, for special categories of data, Article 9) apply in addition. The following sets forth the legal bases upon which we rely:
5.1 Consent (LBP Article 8(a); GDPR Article 6(1)(a))
We process certain personal data on the basis of your unambiguous consent, as required by the LBP, or your freely given, specific, informed, and unambiguous consent, as required by the GDPR where applicable. This includes consent for facial biometric liveness verification during onboarding and consent for any optional data processing activities beyond what is strictly necessary for the provision of our Services. You have the right to withdraw your consent at any time by contacting us at privacy@bluebankinternational.com or through the privacy settings in the App. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal and shall not affect processing that is based on a legal basis other than consent.
5.2 Contractual Necessity (LBP Article 8(b); GDPR Article 6(1)(b))
We process your personal data where it is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. This includes processing necessary to open and maintain your account, execute transactions, process payments and transfers, generate account statements, and deliver the core banking functions you have requested.
5.3 Legal and Regulatory Obligations (LBP Article 8(c); GDPR Article 6(1)(c))
We process your personal data where it is necessary for compliance with a legal or regulatory obligation to which Blue Bank International is subject. This is the legal basis for the majority of our KYC, AML, CTF, sanctions screening, FATCA, and CRS processing activities. The specific legal obligations include those arising under the NOIS, the CBCS Provisions and Guidelines, FATF Recommendations, FATCA, CRS, and all other applicable financial regulatory requirements.
5.4 Legitimate Interests (LBP Article 8(f); GDPR Article 6(1)(f))
We process your personal data where it is necessary for the legitimate interests pursued by Blue Bank International or a third party, provided that such interests are not overridden by your fundamental rights and freedoms. In accordance with the LBP’s requirements of proportionality and subsidiarity, and the GDPR’s balancing test where applicable, we conduct a careful assessment in each case. The legitimate interests upon which we rely include: fraud detection and prevention; protection of the security and integrity of our systems; improvement and optimization of the App and Services; internal research and analytics using aggregated or anonymized data; establishment, exercise, or defense of legal claims; and ensuring the efficient operation of our business.
5.5 Vital Interests (LBP Article 8(d); GDPR Article 6(1)(d))
In rare and exceptional circumstances, we may process your personal data where it is necessary to protect your vital interests or the vital interests of another natural person, for example in the context of preventing financial fraud that could cause you severe financial harm.
5.6 Substantial Public Interest (GDPR Article 9(2)(g), where applicable)
Where the GDPR applies, we may process special categories of personal data where it is necessary for reasons of substantial public interest, specifically in connection with the prevention, detection, and investigation of financial crime, money laundering, terrorist financing, and sanctions evasion.
6. Purposes of Data Processing
We process your personal data for the following purposes, each of which is supported by one or more of the legal bases described in Section 5:
6.1 Account Opening, Identity Verification, and Onboarding
We process your identity, contact, and financial data to evaluate your application, verify your identity in compliance with the NOIS, assess your risk profile through our tiered due diligence framework (Simplified Due Diligence, Customer Due Diligence, or Enhanced Due Diligence, as applicable), perform sanctions screening, PEP checks, and adverse media screening, and determine your eligibility for our Services. Legal bases: Legal obligation (NOIS); contractual necessity; legitimate interests.
6.2 Provision and Administration of Services
We process your personal data to open and maintain your account, execute transactions, process payments and transfers across multiple payment rails (including RippleNet, SWIFT, local ACH networks, and Anchorage Digital), generate account statements, and otherwise provide the Services you have requested. Legal bases: Contractual necessity; legal obligation.
6.3 Security, Fraud Prevention, and Risk Management
We process your personal, device, behavioral, and location data to detect, prevent, investigate, and report fraudulent, unauthorized, or suspicious activity, to protect the security of our systems, and to perform ongoing risk assessments and transaction monitoring. Legal bases: Legal obligation; legitimate interests.
6.4 Regulatory Reporting and Compliance
We process your personal data to comply with applicable laws and regulations, including the filing of suspicious activity reports, currency transaction reports, FATCA and CRS reporting, and responses to lawful requests from competent authorities. Legal basis: Legal obligation.
6.5 Communications and Notifications
We process your contact data to send you transactional notifications, security-related communications (OTPs, login alerts, fraud warnings), and service-related updates. These communications are delivered through push notifications, SMS (via Twilio), email, and WhatsApp Business (via Respond.io). Transactional and security-related communications are essential to the operation and security of your account and cannot be opted out of while your account remains active. Legal bases: Contractual necessity; legal obligation; legitimate interests.
6.6 Service Improvement and Analytics
We may process aggregated and anonymized data derived from your use of the App and Services for the purpose of understanding usage patterns, improving the functionality and user experience of our Services, and conducting internal research. Where we use data for these purposes, we take reasonable measures to ensure that individual Users cannot be re-identified. Legal basis: Legitimate interests.
7. Automated Decision-Making and Profiling
While providing our Services and fulfilling our regulatory obligations, Blue Bank International uses automated systems, algorithms, risk models, and artificial intelligence technologies to process your personal data and make decisions about you. Some of these decisions may be made without initial human involvement. We use such automated processing for the efficient, consistent, and fair operation of our Services.
No decision producing legal or similarly significant effects on you is based solely on automated processing without appropriate safeguards. Where automated systems are used to restrict or suspend access for security or fraud prevention purposes, such measures are temporary and subject to review by qualified personnel.
7.1 Onboarding and Risk Scoring
During the account opening process, we use automated risk scoring models that evaluate information you provide, information obtained from third-party sources (sanctions databases, PEP lists, adverse media, device intelligence), and other relevant factors to generate a weighted risk score. This risk score determines the tier of due diligence applied to your account and may influence whether your application is approved, declined, or escalated for manual review. Factors considered include your country of residence and nationality, occupation and source of funds, sanctions and PEP screening results, device risk indicators, and any other factors prescribed by applicable law or our internal risk policies.
7.2 Transaction Monitoring
We use automated transaction monitoring systems to analyze your transaction patterns, detect anomalies, and identify potentially suspicious activity. These systems apply rule-based and algorithmic models to evaluate transaction amount, frequency, destination, counterparty risk, and deviation from historical patterns. Flagged transactions may be escalated for manual review by our compliance team.
7.3 Fraud Detection
We use automated fraud detection tools, including device fingerprinting, behavioral analytics, and real-time risk scoring provided by Sardine and/or Seon, to identify and prevent fraudulent activity. These systems may automatically restrict, suspend, or block access to your account or specific transactions where the fraud risk score exceeds our defined thresholds, pending manual review.
7.4 Payment Routing
We use automated systems to determine the optimal payment rail for each transaction based on destination, currency, amount, speed requirements, cost, and rail availability. These routing decisions do not produce legal effects or significantly affect you beyond the selection of the technical mechanism by which your payment is processed.
7.5 Your Rights Regarding Automated Decisions
Under the LBP, you have the right not to be subject to a decision which produces legal effects concerning you or which significantly affects you, if that decision is based solely on the automated processing of personal data intended to evaluate certain personal aspects relating to you, except where such decision is taken in the course of entering into or performing a contract, is authorized by law, or is based on your explicit consent. Where the GDPR applies to you, you have the additional rights set forth in Article 22 of the GDPR. In all cases, where an automated decision significantly affects you, you have the right to: (a) request meaningful information about the logic involved, the significance of the processing, and its envisaged consequences; (b) request human review by a qualified member of our team; (c) express your point of view and provide additional information; and (d) contest the outcome. To exercise these rights, please contact us at privacy@bluebankinternational.com. We may not disclose the full details of our automated decision-making logic where doing so would compromise our fraud prevention capabilities, reveal proprietary methodologies, or conflict with applicable law.
8. Third-Party Data Sharing and Disclosure
Blue Bank International does not sell, rent, lease, or trade your personal data to any third party for commercial, marketing, or advertising purposes. We do not engage in data brokerage. We share your personal data only with the categories of recipients described below, only to the extent necessary for the purposes described in this Policy, and only where adequate safeguards are in place.
8.1 Identity Verification and KYC Providers
We share your identity and verification data with Sumsub for identity verification, document authentication, and liveness detection. We share your name, date of birth, and nationality with LSEG (London Stock Exchange Group) for sanctions screening, PEP checks, and adverse media screening through their World-Check and Qual-ID products.
8.2 AML and Compliance Providers
We share your name and transaction data with ComplyAdvantage for AML transaction monitoring and risk scoring. We share device identifiers, IP addresses, and behavioral signals with Sardine and/or Seon for fraud risk scoring.
8.3 Core Banking and Operational Partners
We share your full client profile, transaction data, and account data with Capital Banking Solutions (“CBS”), our core banking system provider, for ledger management, transaction processing, account administration, and customer relationship management.
8.4 Payment and Transfer Rail Providers
We may share transaction data and beneficiary information with RippleNet, SWIFT, Anchorage Digital Bank, and local ACH networks, as applicable based on the destination, currency, and nature of the transaction.
8.5 Account Linking and Verification Providers
If you elect to use account linking features, we share tokenized account credentials and account data with Plaid and/or Belvo.
8.6 Blockchain Analytics
For digital asset transactions, we share wallet addresses and transaction hashes with Chainalysis for blockchain compliance screening.
8.7 Communication Service Providers
We share your phone number and message content with Twilio for SMS delivery. We use Respond.io as our messaging integration layer for WhatsApp Business client communications.
8.8 Crash Reporting
We share device information and crash log data with Sentry. Sentry does not receive your name, email address, financial data, or other directly identifying personal information.
8.9 Fraud Prevention Agencies and Consequences of Fraud
We may share your personal data with fraud prevention agencies. If you provide false or inaccurate information and we suspect or identify fraud, we will record this and may share the information with fraud prevention agencies and other financial institutions. If fraud is detected, you may be refused certain services, financial products, or employment by us or by other organizations that access information held by fraud prevention agencies. You have a right to request details of the fraud prevention agencies with which we share data.
8.10 Affiliated Entities
We may share your personal data with our affiliated entities, including our sister institution Coltefinanciera in Colombia, for the purposes described in this Policy, including risk management, regulatory compliance, and the provision of Services. Where data is shared with Coltefinanciera or other Colombian entities, such sharing is conducted in compliance with Colombia’s Ley 1581 de 2012 and Decree 1377 of 2013, including requirements for data transfer authorizations and the national data registry (Registro Nacional de Bases de Datos) where applicable.
8.11 Regulatory, Legal, and Law Enforcement Disclosures
We may disclose your personal data to the CBCS, the Financial Intelligence Unit of Curacao, tax authorities, law enforcement agencies, courts, and other governmental bodies where required or permitted by applicable law, including for the prevention, detection, investigation, or prosecution of criminal offenses or fraud.
8.12 Corporate Transactions
In the event of a merger, acquisition, reorganization, sale of assets, or other corporate transaction, your personal data may be transferred to the acquiring entity, subject to equivalent protections.
All third-party service providers are bound by data processing agreements and contractual obligations to implement appropriate technical and organizational measures to protect your data, in accordance with Article 13 of the LBP and, where the GDPR applies, Article 28 of the GDPR.
9. International Data Transfers
Your personal data may be transferred to, stored in, and processed in countries other than Curacao. Our third-party service providers and partners operate in various jurisdictions around the world.
9.1 Transfers Within the Kingdom of the Netherlands
Under the LBP, the transfer of personal data within the Kingdom of the Netherlands (which includes Curacao, Aruba, Sint Maarten, and the Netherlands) is not subject to additional restrictions, as these jurisdictions are treated as a single territory for the purpose of cross-border transfer rules.
9.2 Transfers to Countries Outside the Kingdom
The LBP permits the transfer of personal data to countries outside the Kingdom of the Netherlands only where: (a) the receiving country ensures an adequate level of data protection; (b) appropriate safeguards are in place, such as binding corporate rules or contractual clauses; (c) you have given your explicit consent to the transfer; or (d) the transfer is necessary for the performance of a contract between you and Blue Bank International, or for the implementation of pre-contractual measures taken in response to your request. Blue Bank International has assessed its third-party service providers and has implemented contractual safeguards, including data processing agreements with appropriate data protection clauses and, where applicable, standard contractual clauses or equivalent mechanisms, to ensure that your personal data receives an adequate level of protection when transferred outside the Kingdom.
9.3 GDPR Transfer Requirements
Where the GDPR applies to our processing of your personal data, we will comply with the GDPR’s requirements for international data transfers under Chapter V (Articles 44-50), including the use of standard contractual clauses approved by the European Commission, adequacy decisions, or other recognized transfer mechanisms. Curacao has not been the subject of an adequacy decision by the European Commission; accordingly, where we transfer personal data of EU/EEA residents to Curacao or to other jurisdictions that are not subject to an adequacy decision, we rely on standard contractual clauses or other appropriate safeguards as required by the GDPR.
By using the App and our Services, you acknowledge that your personal data may be transferred to jurisdictions outside your country of residence, including jurisdictions that may have data protection laws that differ from those in your country. Where required by applicable law, we will obtain your explicit consent before such transfers.
10. Data Not Collected or Used
For the avoidance of doubt, Blue Bank International does not collect, process, or use the following: precise GPS location data; health, fitness, or medical data; data from your contacts list, calendar, or call logs; microphone or camera access beyond the specific KYC identity verification at onboarding; browsing history or search history; data from children under 18; advertising identifiers, tracking pixels, ad networks, or any data for behavioral advertising or cross-device tracking.
11. Data Retention
We retain your personal data for as long as is necessary to fulfill the purposes for which it was collected, to provide our Services, to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our agreements. In accordance with the LBP’s principle that personal data shall not be kept in a form that enables identification of the data subject for any longer than is necessary for the realization of the purposes for which they were gathered, we apply the following retention framework:
KYC documentation, transaction records, and other regulatory-required records are retained for a minimum period of five (5) years following the termination of the business relationship, or for such longer period as required by applicable law. Under the NOIS and CBCS guidelines, certain records may be required to be retained for up to ten (10) years or longer. FATCA and CRS records are retained for the periods prescribed by those regimes. Diagnostic and performance data (crash reports) are retained for a maximum of ninety (90) days. Communication records (support interactions) are retained for three (3) years from the date of the communication, unless a longer period is required for regulatory or legal purposes.
Upon expiration of the applicable retention period, your personal data will be securely deleted or irreversibly anonymized. During any retention period following account closure, retained data is stored securely with restricted access controls and is accessed only for the specific regulatory, legal, or compliance purposes for which it is retained.
12. Data Security
In accordance with Article 13 of the LBP, which requires the responsible party to execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing, Blue Bank International implements and maintains the following safeguards: encryption of data in transit using TLS 1.2 or higher; encryption of sensitive data at rest using AES-256; secure session management with automatic timeout and token-based authentication; multi-factor authentication for sensitive operations; device fingerprinting and behavioral analytics for fraud detection; role-based access controls and the principle of least privilege; regular penetration testing, vulnerability assessments, and security audits in compliance with CBCS requirements; incident response procedures and business continuity planning; and physical security measures for our data centers and office facilities.
NOTWITHSTANDING THE FOREGOING, NO METHOD OF TRANSMISSION OVER THE INTERNET, NO METHOD OF ELECTRONIC STORAGE, AND NO SECURITY SYSTEM IS COMPLETELY IMPENETRABLE OR CAN BE GUARANTEED TO BE ONE HUNDRED PERCENT (100%) SECURE. While we strive to use commercially reasonable and industry-standard means to protect your personal data, Blue Bank International cannot and does not guarantee that your personal data will be absolutely secure. You acknowledge and agree that you transmit your personal data to us at your own risk, and that Blue Bank International shall not be liable for any unauthorized access that occurs despite our implementation of reasonable security measures, except to the extent that such liability cannot be excluded under applicable law.
12.1 Data Breach Notification
The LBP does not impose a mandatory data breach notification requirement. However, as a matter of best practice and in recognition of international standards, Blue Bank International has voluntarily adopted a data breach notification policy. We maintain internal procedures to assess, document, and respond to data breaches in accordance with applicable regulatory expectations and industry standards. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay by the means most likely to reach you (which may include email, push notification, in-app notification, or SMS), unless such notification is subject to an exception under applicable law (for example, where notification would jeopardize an ongoing law enforcement investigation). Where the GDPR applies, we will comply with the GDPR’s mandatory breach notification requirements under Articles 33 and 34, including notification to the competent EU/EEA supervisory authority within seventy-two (72) hours of becoming aware of the breach and notification to affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
13. Your Rights
You have certain rights with respect to your personal data. The specific rights available to you depend on the legal framework applicable to our processing of your data. The following sets forth the rights available under the LBP, the GDPR (where applicable), and other applicable laws:
13.1 Right of Access (LBP Articles 27-28; GDPR Article 15)
You have the right to request confirmation of whether we are processing your personal data and, if so, to request access to that data together with information about the purposes of processing, the categories of data concerned, the recipients, and the retention period. Under the LBP, we may decline to provide personal data linked to an ongoing criminal or fraud investigation, or data that would reveal the personal data of another individual.
13.2 Right to Rectification (LBP Article 28; GDPR Article 16)
You have the right to request the correction, completion, or deletion of inaccurate or incomplete personal data.
13.3 Right to Erasure (LBP Article 28; GDPR Article 17)
You have the right to request the deletion of your personal data where the data is no longer necessary, you withdraw consent, or the data has been unlawfully processed. This right is subject to significant limitations in the context of regulated financial services: we are required by the NOIS, CBCS guidelines, FATCA, CRS, and other applicable laws to retain certain categories of data for the minimum prescribed periods, even after you close your account. Upon receiving a verified deletion request, we will deactivate your account and remove data from active systems to the extent permissible, retain required data securely for the prescribed period, and provide you with confirmation of the actions taken.
13.4 Right to Data Portability (GDPR Article 20, where applicable)
Where the GDPR applies to you, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as CSV or JSON) and to request transmission to another controller, where technically feasible and where processing is based on consent or contract and carried out by automated means. The LBP does not provide a standalone right to data portability; however, as a matter of best practice, we will accommodate reasonable portability requests from all Users.
13.5 Right to Restriction of Processing (GDPR Article 18, where applicable)
Where the GDPR applies, you have the right to request restriction of processing in certain circumstances, including where you contest accuracy, where processing is unlawful, or where you have objected to processing pending verification.
13.6 Right to Object (LBP Article 32; GDPR Article 21)
Under the LBP, you have the right to object to the processing of your personal data on compelling and legitimate grounds relating to your particular situation, except where the processing is based on a legal obligation or contractual necessity. Under the GDPR, you have the right to object to processing based on legitimate interests, including profiling, at any time. Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.
13.7 Right Regarding Automated Decision-Making
As described in Section 7.5, you have the right to request human review of automated decisions that significantly affect you, to express your point of view, and to contest the outcome.
13.8 Right Not to be Discriminated Against
Blue Bank International will not discriminate against you in any way for exercising your data protection rights. The exercise of your rights will not affect the quality, pricing, or availability of our Services, except to the extent that we are unable to provide certain Services without the personal data you have asked us to delete.
To exercise any of these rights, you may submit a request through the App’s support channel, via WhatsApp through Respond.io, or by contacting us at privacy@bluebankinternational.com. We will verify your identity before processing any request. Under the LBP, there is no prescribed timeframe for responding to data subject requests; however, as a matter of best practice, we commit to responding within four (4) weeks, in line with applicable data protection requirements in Curacao. Where the GDPR applies, we will respond within one (1) month, extendable by two (2) additional months for complex requests, and will inform you of any extension within the initial one-month period.
We reserve the right to deny or limit requests where complying would violate applicable law, interfere with regulatory or law enforcement proceedings, compromise security, or be frivolous or made in bad faith.
14. Notification Preferences and Marketing Communications
Blue Bank International does not engage in direct marketing, behavioral advertising, or promotion of third-party products through the App. We do not send marketing emails, promotional push notifications, or unsolicited commercial communications unless you have explicitly opted in.
Transactional and security-related notifications (transaction confirmations, OTPs, login alerts, fraud warnings, service updates, regulatory disclosures) are essential to the operation and security of your account and cannot be opted out of. You may manage push notification preferences through your device settings; disabling push notifications will not affect SMS or email communications. If you disable push notifications, you are responsible for regularly monitoring your account.
If Blue Bank International introduces optional marketing communications in the future, we will obtain your express opt-in consent before sending any such communications, and you will be able to opt out at any time.
15. Children’s Privacy
The App and our Services are intended exclusively for individuals who are at least eighteen (18) years of age. We do not knowingly collect personal data from individuals under eighteen (18). All prospective account holders must undergo identity verification confirming they are at least eighteen. If we become aware that personal data has been collected from a minor, we will promptly delete such data. If you believe we may have collected data from a minor, please contact us at privacy@bluebankinternational.com.
16. Cookies and Tracking Technologies
The App does not use cookies. We do not use advertising trackers, advertising identifiers, pixel tags, or similar tracking technologies for advertising, marketing, behavioral profiling, or cross-site tracking. We do not participate in any advertising networks. The only tracking-adjacent technologies used in the App are those necessary for fraud detection (device fingerprinting via Sardine/Seon), crash reporting (Sentry), and session management. If our website uses cookies, a separate Cookie Policy will be published on the website.
17. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, INCLUDING BUT NOT LIMITED TO THE LBP’S LIABILITY PROVISIONS, BLUE BANK INTERNATIONAL, ITS DIRECTORS, OFFICERS, EMPLOYEES, AGENTS, AFFILIATES, SUBSIDIARIES (INCLUDING COLTEFINANCIERA), SUCCESSORS, AND ASSIGNS (COLLECTIVELY, THE “BLUE BANK PARTIES”) SHALL NOT BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF DATA, LOSS OF BUSINESS OPPORTUNITY, LOSS OF GOODWILL, OR ANY OTHER INTANGIBLE LOSSES, ARISING OUT OF OR IN CONNECTION WITH: (I) ANY UNAUTHORIZED ACCESS TO, USE OF, OR ALTERATION OF YOUR PERSONAL DATA; (II) ANY INTERRUPTION, SUSPENSION, OR TERMINATION OF YOUR ACCESS TO THE APP OR SERVICES; (III) ANY BUGS, VIRUSES, TROJAN HORSES, OR SIMILAR HARMFUL CODE; (IV) ANY ERRORS, INACCURACIES, OR OMISSIONS IN ANY PERSONAL DATA; (V) ANY ACTIONS OR OMISSIONS OF THIRD-PARTY SERVICE PROVIDERS, DATA PROCESSORS, OR FRAUD PREVENTION AGENCIES; (VI) ANY DECISIONS MADE BY AUTOMATED SYSTEMS, ALGORITHMS, OR RISK MODELS; OR (VII) ANY OTHER MATTER RELATING TO THIS POLICY OR THE PROCESSING OF YOUR PERSONAL DATA, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO EVENT SHALL THE AGGREGATE LIABILITY OF THE BLUE BANK PARTIES EXCEED THE GREATER OF: (A) THE TOTAL FEES PAID BY YOU DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM; OR (B) ONE HUNDRED UNITED STATES DOLLARS (USD $100.00). THIS LIMITATION SHALL APPLY TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW AND SHALL SURVIVE TERMINATION. NOTHING IN THIS SECTION SHALL LIMIT LIABILITY THAT CANNOT BE EXCLUDED UNDER APPLICABLE LAW, INCLUDING LIABILITY FOR DAMAGES ARISING FROM PROCESSING THAT IS IN CONFLICT WITH THE LBP AS PROVIDED UNDER ARTICLE 39 OF THE LBP, OR LIABILITY UNDER THE GDPR WHERE APPLICABLE.
18. Indemnification
You agree to indemnify, defend, and hold harmless the Blue Bank Parties from and against any and all claims, demands, losses, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or in connection with: (a) your use of the App or Services; (b) your breach of this Policy or any of our agreements; (c) your violation of any applicable law or the rights of any third party; (d) any information you provide that is inaccurate, incomplete, misleading, or fraudulent; (e) any unauthorized use of your account resulting from your failure to maintain the confidentiality of your credentials; or (f) any claim by a third party arising from the information you have provided or from your use of the Services.
19. Disclaimer of Warranties
THE APP, THE SERVICES, AND ALL DATA PROCESSING DESCRIBED IN THIS POLICY ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE BLUE BANK PARTIES DISCLAIM ALL WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, ACCURACY, RELIABILITY, AND COMPLETENESS. BLUE BANK INTERNATIONAL DOES NOT WARRANT THAT: (I) THE APP OR SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE; (II) DEFECTS WILL BE CORRECTED; (III) AUTOMATED DECISION-MAKING OR RISK SCORING WILL BE ACCURATE OR ERROR-FREE; OR (IV) SECURITY MEASURES WILL PREVENT ALL UNAUTHORIZED ACCESS.
20. Governing Law and Dispute Resolution
This Policy shall be governed by and construed in accordance with the laws of Curacao, including the LBP, without regard to conflict of laws principles. Any dispute arising out of or in connection with this Policy shall be submitted to the exclusive jurisdiction of the Court of First Instance of Curacao (Gerecht in eerste aanleg van Curacao). You irrevocably waive any objection to the venue or jurisdiction of such court.
Notwithstanding the foregoing, Blue Bank International reserves the right to seek injunctive or other equitable relief in any court of competent jurisdiction. Furthermore, nothing in this section shall limit your right to bring proceedings before the courts of your country of residence where such right is granted by applicable law, including under the GDPR.
21. Complaints and Supervisory Authority
If you are dissatisfied with how Blue Bank International has processed your personal data or handled a data rights request, we encourage you to first contact our Data Privacy Officer at privacy@bluebankinternational.com so that we may attempt to resolve your concern directly.
21.1 Curacao Supervisory Authority
The supervisory authority responsible for overseeing compliance with the LBP in Curacao is the Personal Data Protection Board (College Bescherming Persoonsgegevens), established pursuant to Article 42 of the LBP. You have the right to lodge a complaint with the Personal Data Protection Board if you believe that our processing of your personal data violates the LBP. You may lodge a complaint with the competent supervisory authority in Curacao. We will update this Policy if and when the Board’s operational status changes.
21.2 EU/EEA Supervisory Authorities
If you are located in the EU or EEA and the GDPR applies to our processing of your personal data, you have the right to lodge a complaint with the data protection supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
21.3 Other Jurisdictions
If you reside in a jurisdiction with a data protection authority empowered to receive complaints (such as Brazil’s Autoridade Nacional de Protecao de Dados (ANPD), Colombia’s Superintendencia de Industria y Comercio (SIC), or any other competent authority), you have the right to lodge a complaint with that authority in accordance with the procedures established under the applicable law of your jurisdiction.
You also have the right to seek a judicial remedy if you believe that your rights under applicable data protection law have been infringed. Under Article 39 of the LBP, if you suffer harm as a result of acts that are in conflict with the provisions of the LBP, you are entitled to fair compensation from the responsible party.
22. Severability
If any provision of this Policy is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such invalidity shall not affect the remaining provisions, which shall remain in full force and effect. The invalid provision shall be deemed modified to the minimum extent necessary to make it valid while preserving its original intent.
23. Entire Agreement and Waiver
This Policy, together with our Terms of Service and any other agreements incorporated by reference, constitutes the entire agreement between you and Blue Bank International with respect to the subject matter hereof. No waiver by Blue Bank International of any provision shall be deemed a continuing waiver, and our failure to assert any right shall not constitute a waiver of such right.
24. Assignment
You may not assign your rights or obligations under this Policy without our prior written consent. Blue Bank International may freely assign its rights and obligations, including to affiliated entities, successor entities, or acquirers in connection with any corporate transaction. Any attempted assignment by you in violation of this section shall be null and void.
25. Force Majeure
Blue Bank International shall not be liable for any failure or delay in performing its obligations under this Policy resulting from causes beyond our reasonable control, including but not limited to acts of God, natural disasters, pandemics, war, terrorism, government actions, sanctions, embargoes, power failures, telecommunications failures, internet disruptions, cyberattacks, data breaches caused by third parties, failure or unavailability of third-party service providers (including Sumsub, LSEG, ComplyAdvantage, Sardine, Seon, Plaid, Belvo, Chainalysis, CBS, RippleNet, SWIFT, Anchorage Digital, Twilio, Respond.io, and Sentry), changes in applicable law, or any other force majeure event.
26. Contact Information
If you have any questions, concerns, or complaints about this Policy, please contact us at:
Blue Bank International N.V.
Attn: Operations
Curacao
Email: info@bluebankinternational.com
Email: privacy@bluebankinternational.com
WhatsApp: +599 9 685 5783
We will acknowledge receipt of your communication within five (5) business days and will endeavor to address your inquiry within four (4) weeks, in line with applicable data protection requirements in Curacao. Where the GDPR applies, we will comply with the response timeframes prescribed by the GDPR (one month, extendable by two additional months for complex requests).
End of Privacy Policy and Data Protection Notice. Effective April 2026 — Blue Bank International N.V.