LEGAL
Privacy Policy
Last Updated :
This Privacy Policy describes how Apocor collects, uses, shares, and protects information about you, and the rights and choices you have over that information. In this policy, “Apocor,” “we,” “our,” and “us” refer to Apocor, Inc., a Delaware corporation, together with its affiliates, subsidiaries, successors, and assigns, and “you” refers to the individual interacting with us.
By visiting our Sites or by applying for, accessing, or using the Services, you confirm that you have read and agree to this Privacy Policy, including our collection, use, and sharing of information as described here. If you do not agree, please notify us in writing at privacy@apocor.ai, close any Apocor account you hold, delete cookies stored on your devices, and stop using the Services.
This policy applies to the Apocor website at https://www.apocor.ai (including its subdomains and mobile applications) (the “Sites”) and to any use of the Services as defined in your applicable agreement with us. Capitalized terms not defined here have the meaning given to them in that agreement or in any accompanying terms (including, where applicable, the Cardholder Terms, Authorized User Agreement, and any platform or dashboard agreement). This policy does not apply to any website or service operated by a third party.
Our role with partner data. Apocor primarily provides financial infrastructure to other businesses (our “Partners”) — wallets, exchanges, fintechs, platforms, and enterprises. Where we handle personal information on behalf of a Partner (for example, transaction data tied to a Partner-branded card or wallet), we act as a service provider / processor, and the Partner is the controller responsible for its own privacy notices, consents, and for answering your requests. If you interact with a Partner that uses our Services and you contact us about that data, we will generally direct you to the relevant Partner, who is best placed to assist.
Changes to this policy. We may update this Privacy Policy from time to time. For material changes that affect how we use your personal information, we will provide notice by email (where we have one for you) or by a prominent notice on our Sites at least 30 days before the changes take effect. Your continued use of the Services after the effective date means you accept the updated policy.
1. Introduction
In short, this Privacy Policy explains what information we collect, how and why we use it, who we share it with, and the choices you can make about how your information is handled.
2. Information We Collect
A. Information you provide to us
We collect information when you use or interact with our Sites or Services. This may include:
Personal Information — information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual, device, or household. Examples include:
First and last name
Email address
Phone number
Date of birth
Government identifiers such as a national ID / Social Security number, driver’s license, or passport, where needed to open or verify an account
Postal address
Wallet address(es) and on-chain identifiers
Sensitive Personal Information. Some information we collect is treated as “sensitive” under applicable privacy laws, including:
Government-issued identification numbers (national ID / Social Security number, driver’s license number, passport number)
Financial account login credentials
Precise geolocation data
Biometric information (facial-geometry scans used for identity verification)
We use Sensitive Personal Information only as reasonably necessary to provide the Services — for example, identity verification, fraud prevention, and regulatory compliance. To ask us to limit our use of your Sensitive Personal Information, contact privacy@apocor.ai.
Company Information — information relating to or identifying a business that uses the Services. Examples include:
Company name
Company address
Formation or incorporation documents
Company jurisdiction
Company tax identification number
Company registration number
Beneficial owners
Settlement and wallet addresses
B. Information we collect automatically
We, our vendors, and our service providers may automatically collect information when you use the Sites or Services — for example, to prevent fraud or to improve our products and user experience. This can include:
Your browser type
Your device type or operating system
Your device’s location and other information your device sends
Your device’s IP address
C. Information about your use of the Services
We may collect or have access to transactional information about your use of the Services, which can include:
Amount, type, and size of transactions, and purchase details
Date and time of transactions
Merchants where you transacted using an Apocor-powered card
Repayment and settlement history
Financial data, including stablecoin balances and on-chain activity associated with your account
D. Tracking and cookie data
Like many online services, we may use cookies and similar technologies to collect information about you. Third parties may also place cookies on your device to collect device identifiers, IP address, and information about how you interact with the Sites and Services. Cookies are small pieces of data placed on your device when you visit the Sites or use the Services. Examples include:
Session cookies — help us recognize users who visit our Sites.
Preference cookies — help us remember settings and choices.
Security cookies — help us detect and prevent fraud.
You can decide whether to accept cookies through your browser settings. Most browsers let you turn off cookies, which will stop new cookies from being accepted. If you do not accept cookies, some parts of the Sites may not work properly.
E. Information we collect from third parties
We may supplement the information you give us with information from third parties such as credit bureaus, data providers, fraud-detection services, blockchain analytics providers, and analytics vendors. Some of these third parties obtain your information through your use of the Sites or Services; others may already hold your information and share it with us.
We do not control third parties’ tracking technologies or how they use the data they collect. If you have questions about an advertisement or other targeted content, contact the responsible provider directly. For ways to opt out of targeted advertising, see “Choices About Your Personal Information.”
3. How and Why We Use Information
We collect and use information for the business and commercial purposes described in this policy, including to:
Assess eligibility — verify your identity and assess your eligibility to use the Services.
Operate our business — maintain your account, provide and improve the Services, and build new products and features such as Apocor Pay, Apocor Direct, Apocor Accept, Apocor Cards, and Apocor Intelligence Commerce.
Communicate with you — provide customer support and, where permitted, send you information about our products and services.
Comply with our obligations — meet legal, regulatory, contractual, and audit requirements, including KYC/AML and sanctions obligations.
Protect against fraud and abuse — detect and prevent fraudulent or unauthorized transactions, policy or terms violations, and threats of harm.
Where you have given us a way to contact you (directly or through a Partner), we may communicate with you about your use of the Services and, where permitted, send promotional messages. We may also receive a confirmation when you open an email from us, which helps us improve the Services. You can opt out of promotional messages at any time — see “Choices About Your Personal Information.”
4. Sharing Information
We share the information we collect, including information that identifies you, in line with this policy. The categories of parties we share with include:
Service providers, vendors, and advisors
We share Personal Information or Company Information with the following categories of third parties:
Category | Purpose |
Card network partners (Visa, Mastercard) | Transaction processing, authorization, tokenization, and fraud prevention |
Banking partners and BIN sponsors | Account services, card issuance, settlement, and regulatory compliance |
Identity verification provider (Sumsub) | KYC/AML verification and biometric matching |
Blockchain analytics providers | Sanctions screening, on-chain risk assessment, and fraud monitoring |
Analytics providers | Site analytics and service improvement |
Cloud infrastructure providers | Data storage and processing |
AML and fraud-prevention services | Transaction monitoring and risk assessment |
All service providers are contractually required to use personal information only for specified purposes and to maintain appropriate security measures.
Biometric Information Notice
Notice of biometric data collection. To verify your identity, Apocor (through our identity-verification provider, Sumsub) collects biometric identifiers — specifically, facial-geometry scans derived from your driver’s license and/or passport photo — which are matched against a live image you provide.
Purpose. We collect biometric information to verify your identity, prevent fraud, and meet Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements.
Storage and transmission. Biometric data is collected and processed by Sumsub, our third-party identity-verification provider, using industry-standard encryption, and may be transmitted to Sumsub’s secure servers for processing.
Retention. We retain biometric data only as long as needed to satisfy the purpose of collection, and in any event no later than three (3) years after your last interaction with Apocor, except where a longer period is required to comply with federal anti-money-laundering and customer-identification requirements, including the Bank Secrecy Act.
Consent. By proceeding with identity verification, you give your written consent to the collection, use, storage, and transmission of your biometric information as described here. You may withdraw consent at any time by contacting privacy@apocor.ai; however, withdrawing consent may prevent us from verifying you and may result in account closure.
Written policy. Apocor’s full biometric data retention and destruction policy is available on request at privacy@apocor.ai.
Other recipients
We may also share information with:
Our affiliates, for everyday business purposes.
Our financing partners, such as sources of debt or equity capital.
Issuers and program managers of your Apocor-powered card.
Merchants and businesses with whom you transact or use your Apocor-powered card.
A counterparty in a partnership, financing, or potential acquisition, as part of due diligence — provided they agree to use the information only for that purpose.
Regulators, government agencies, courts, and law enforcement, as required by law or to protect our legal rights.
In a merger, acquisition, or sale or transfer of all or part of our assets, your information may be transferred to a buyer or successor. In that case, we may be unable to control how that party later uses or transfers the information.
Processing on behalf of business partners
When Apocor provides services to business Partners (such as fintechs, platforms, wallets, and enterprises), we process personal information on their behalf as a service provider, only as directed by the Partner and in line with our contract. Our Partners are responsible for providing privacy notices to their end users and obtaining any required consents.
5. Aggregated or Anonymized Information
We may share aggregated or anonymized information with third parties at any time and without restriction, provided the information cannot reasonably be linked back to an identifiable person.
6. Analytics and Advertising
We may use analytics and similar services to understand how people access and use the Services, improve functionality, measure performance, and enhance the user experience. These services may use cookies, pixels, software development kits (SDKs), and similar technologies to collect information about your interactions with the Services.
We may also use tracking technologies in our Services and in advertisements shown on other websites or services. These technologies may collect information over time and across services or devices for purposes such as measuring campaign effectiveness, analyzing trends, preventing fraud, and delivering relevant content. Certain third parties that provide analytics or advertising services process information under their own privacy notices, which we do not control. We encourage you to review their policies to understand how they handle your information.
7. Safeguarding Information
Data security. We maintain reasonable administrative, technical, and physical safeguards appropriate to the nature of the information we handle, and our security program is designed to align with recognized industry standards. Because card payments are processed through Visa Pay’s tokenized infrastructure, Apocor does not store raw payment card numbers, which reduces the amount of sensitive card data in our environment. Security measures include:
AES-256 encryption for data at rest
TLS 1.3 encryption for data in transit
Tokenization of sensitive payment data to minimize exposure
Access controls and multi-factor authentication
Regular security assessments
Employee security training
Despite these measures, no method of internet transmission is 100% secure. The security of your information also depends on you: where you hold a password for any part of the Services, keep it confidential and do not share it. Please notify us immediately if you believe your information with Apocor has been compromised.
8. Retention of Information
We keep your information as long as needed to provide the Services, comply with our legal obligations, or protect our or others’ interests. Although requirements vary by jurisdiction, our internal retention policies consider:
When the information was collected or created
Whether it is still necessary to provide you the Services
Whether we must hold it to meet legal obligations, including AML/KYC and other financial-regulatory requirements
Whether it is subject to legal-preservation (litigation hold) requirements
We may retain pseudonymized information and user identifiers to understand usage patterns and improve the Services, and we may retain certain data for fraud-prevention purposes, which is a permitted business purpose under applicable privacy laws.
EEA, UK, and Switzerland. We retain personal data no longer than necessary for the purposes for which it was collected, unless a longer period is required or permitted by law.
9. Children’s Privacy
Our Services are not directed to anyone under 18, and we do not knowingly collect personal information from anyone under 18. If you are under 18, do not use the Services or provide any personal information. If we receive signals indicating a user is a minor, we will apply heightened protections. If you believe we have collected information from a minor, contact us immediately at privacy@apocor.ai.
10. Do Not Track and Global Privacy Control
Our Sites do not currently respond to “Do Not Track” browser signals. We do honor Global Privacy Control (GPC) signals as a valid request to opt out of the sale or sharing of your personal information under applicable law. To learn more about GPC, visit https://globalprivacycontrol.org.
11. Company Account
If your card or account is provided through a business (a “Company Administrator”), that business is responsible for the account and the cards associated with it. The Company Administrator may grant, restrict, suspend, or terminate your access to or use of the card or account.
12. Privacy Rights and Jurisdiction-Specific Information
Because Apocor primarily provides financial infrastructure to Partners, how you exercise your privacy rights depends on the nature of the data and our relationship with you:
We act as a “business” or “controller” only for information we collect directly from you — for example, when you visit our Sites, contact support, or provide biometric data for identity verification that we initiate.
We act as a “service provider” or “processor” for much of the information we process on behalf of Partners (for example, transaction data on a Partner-branded card). In those cases, the Partner is the controller responsible for managing your data and fulfilling your requests.
Use the table below to decide where to send requests about your information:
Data type | Primary controller | Who to contact |
Transaction history and card limits | Your Partner / fintech | Contact the app or company where you signed up |
Identity verification (KYC) | Apocor | privacy@apocor.ai |
Biometric data | Apocor | privacy@apocor.ai |
Site cookies / analytics | Apocor | privacy@apocor.ai |
Information we collect may be transferred to, stored, and processed by us, our affiliates, and other third parties outside the EEA, the UK, and Switzerland — including in the United States and other countries — where data-protection rules may differ from those where you live. For transfers from the EEA, UK, or Switzerland, we put in place appropriate safeguards, including European Commission Standard Contractual Clauses and the UK International Data Transfer Agreement. Partners transferring personal information from these regions can request a copy of our Data Processing Addendum at privacy@apocor.ai.
U.S. state privacy rights
This section applies to residents of states with comprehensive privacy laws (including California, Colorado, Connecticut, Indiana, Kentucky, Maryland, Oregon, Rhode Island, Texas, Utah, and Virginia). Specific rights vary by state.
Your rights. Subject to legal exceptions and our role as a service provider, you may have the right to know/access, delete, and correct your personal information, and to opt out of the sale or sharing of your data. We do not discriminate against you for exercising these rights.
Where to direct your request. If your request relates to card transactions, account settings in a Partner app, or usage history, contact the relevant Partner directly; as a service provider, we will refer such requests to the appropriate Partner. If your request relates to identity verification (KYC), biometric data, or your direct interactions with our Sites, email privacy@apocor.ai.
California “Shine the Light.” California residents may request once per calendar year a list of the categories of personal information (if any) we disclosed to third parties for their direct-marketing purposes in the prior year. Send requests to privacy@apocor.ai.
Global Privacy Control. We honor GPC signals as a valid opt-out of targeted advertising and data sharing on our Sites.
Sensitive data. We do not “sell” sensitive personal information such as biometric data or precise geolocation.
Brazil (LGPD)
If you are a resident of Brazil, you have rights under the General Data Protection Law (LGPD).
Operating under a Partner license: where Services in Brazil are offered through a locally licensed Partner, that Partner is the controller for the regulated activity, and rights requests about that activity should be directed to the Partner.
As a processor: for information we process at a Partner’s direction, the Partner is the controller responsible for your rights (including confirmation of processing, access, and portability). Direct those requests to the Partner.
As a controller: for identity verification and biometric data, you may exercise your rights (access, correction, and consent withdrawal) by emailing privacy@apocor.ai.
International transfers: transfers from Brazil to the U.S. are protected by ANPD-recognized Standard Contractual Clauses.
Brazil DPO (Encarregado): you may contact our data protection officer for purposes of Brazilian law at privacy@apocor.ai.
EEA, UK, and Switzerland (GDPR / UK GDPR)
Operating under a Partner license: where Services in the EEA, UK, or Switzerland are offered through a locally licensed Partner, that Partner acts as the controller for the regulated activity, and you should direct rights requests about that activity to the Partner.
Processor status: for most Services, Apocor, Inc. acts as a processor on behalf of our B2B Partners; requests about transaction data or account management should go to the Partner (the controller).
Controller status: Apocor acts as a controller for identity verification, fraud prevention, and biometric data collection. For these, you may exercise your rights to access, rectification, erasure, and portability by contacting privacy@apocor.ai.
Data protection officer and EU/UK representation: for data-protection matters where Apocor is the controller, and for any Article 27 representation enquiries, contact privacy@apocor.ai.
International transfers: we rely on Standard Contractual Clauses and the UK IDTA as our primary transfer mechanism to the U.S.
13. Choices About Your Personal Information
We aim to give you meaningful choices about the information you share with us:
Tracking technologies and advertising. You can set your browser to refuse some or all cookies, or to alert you when cookies are sent. If you disable cookies, some parts of the Sites may not function properly.
Your opt-out options:
Marketing communications: email privacy@apocor.ai to opt out, or click “unsubscribe” in any promotional email.
Text messaging: reply “STOP” to any text message you receive.
Push notifications: opt out through your device settings.
Sharing with non-affiliated third parties (GLBA): you may opt out of our sharing your non-public personal information with non-affiliated third parties for their marketing by emailing privacy@apocor.ai.
Targeted advertising: opt out by enabling Global Privacy Control in your browser or by contacting privacy@apocor.ai.
We do not control third parties’ collection or use of your information for interest-based advertising, but many of them offer their own opt-outs. You can opt out of targeted ads from members of the Network Advertising Initiative at https://optout.networkadvertising.org.
14. Contact Us
If you have questions about this Privacy Policy, our data practices, or our compliance with applicable law, contact us at privacy@apocor.ai or by mail at Apocor, Inc., 45 Rockefeller Plaza, Suite 2000, New York, NY 10111, United States.
15. Automated Decision-Making and AI
We use automated technology to:
Identify potential fraud in transactions
Determine eligibility for the Services
Verify your identity using biometric matching
You have the right to request information about the logic involved in automated decisions that significantly affect you, and to request human review of those decisions. To exercise these rights, contact privacy@apocor.ai.
16. Data Portability and Open Banking
We support your right to control and move your financial data, consistent with applicable open-banking and data-portability frameworks (including CFPB Rule 1033 in the U.S., PSD3/PSR in the EU, and Open Finance mandates in Brazil). We do not use “screen scraping” (collecting your login credentials to access your accounts). If you authorize a third party to access your Apocor account data, we will share only the data reasonably necessary for the requested service, through secure APIs.
17. Fintech and Stablecoin Disclosures
As a provider of stablecoin-powered payment infrastructure, Apocor operates at the intersection of traditional finance and digital assets. Please review the following:
Immutable blockchain records and deletion rights. Apocor settles transactions natively on multiple blockchain networks, including Ethereum and other EVM-compatible networks (such as Polygon and Avalanche) and Solana, and supports stablecoins including USDC, USDG, EURC, and PYUSD. While we do not publish your legal name or contact details to these public ledgers, your wallet address and transaction details (amount, asset type, and timestamp) are recorded permanently on-chain. Because blockchains are immutable, we cannot delete or change information once it is broadcast to a network. If you exercise a “right to delete,” we will delete your data from our internal systems, but the on-chain history tied to your wallet address will remain public.
Travel Rule compliance. We may be subject to the FATF “Travel Rule” and similar local rules (such as the U.S. Bank Secrecy Act and the EU Transfer of Funds Regulation). When you send or receive stablecoins to or from an Apocor-powered account or card, we may be legally required to collect and transmit certain information — including your name, address, and account identifier — to the receiving financial institution or Virtual Asset Service Provider (VASP). Transactions involving self-custodial wallets may require additional ownership verification.
Custody and asset segregation. Apocor supports both custodial and non-custodial wallet spending. For our self-custody integration, Apocor does not store or have access to your private keys or recovery phrases — you are solely responsible for the security of those credentials. Any stablecoin collateral or funds held within our infrastructure are segregated from our corporate operating funds in line with applicable financial standards.
Third-party blockchain analytics. We may share your transaction data and wallet addresses with third-party blockchain-analytics providers to perform sanctions screening, anti-fraud monitoring, and risk assessment, so that on-chain activity can be checked against global regulatory requirements.
Appendix: Financial Privacy Notice (Gramm-Leach-Bliley Act)
FACTS | What does Apocor do with your personal information? |
Why? | Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. |
What? | The types of personal information we collect and share depend on the product or service you have with us. This can include Social Security number, account balances, transaction history, and payment history. |
How? | All financial companies need to share customers’ personal information to run their everyday business. Below we list the reasons financial companies can share, whether Apocor shares, and whether you can limit that sharing. |
Reasons we can share your personal information | Does Apocor share? | Can you limit? |
For our everyday business purposes (processing transactions, maintaining accounts, responding to court orders) | Yes | No |
For our marketing purposes (offering our products and services to you) | Yes | Yes |
For joint marketing with other financial companies | Yes | Yes |
For our affiliates’ everyday business purposes (creditworthiness, transactions) | Yes | No |
For non-affiliates to market to you | No | We don’t share |
To limit our sharing: email privacy@apocor.ai.
This Privacy Policy describes how Apocor collects, uses, shares, and protects information about you, and the rights and choices you have over that information. In this policy, “Apocor,” “we,” “our,” and “us” refer to Apocor, Inc., a Delaware corporation, together with its affiliates, subsidiaries, successors, and assigns, and “you” refers to the individual interacting with us.
By visiting our Sites or by applying for, accessing, or using the Services, you confirm that you have read and agree to this Privacy Policy, including our collection, use, and sharing of information as described here. If you do not agree, please notify us in writing at privacy@apocor.ai, close any Apocor account you hold, delete cookies stored on your devices, and stop using the Services.
This policy applies to the Apocor website at https://www.apocor.ai (including its subdomains and mobile applications) (the “Sites”) and to any use of the Services as defined in your applicable agreement with us. Capitalized terms not defined here have the meaning given to them in that agreement or in any accompanying terms (including, where applicable, the Cardholder Terms, Authorized User Agreement, and any platform or dashboard agreement). This policy does not apply to any website or service operated by a third party.
Our role with partner data. Apocor primarily provides financial infrastructure to other businesses (our “Partners”) — wallets, exchanges, fintechs, platforms, and enterprises. Where we handle personal information on behalf of a Partner (for example, transaction data tied to a Partner-branded card or wallet), we act as a service provider / processor, and the Partner is the controller responsible for its own privacy notices, consents, and for answering your requests. If you interact with a Partner that uses our Services and you contact us about that data, we will generally direct you to the relevant Partner, who is best placed to assist.
Changes to this policy. We may update this Privacy Policy from time to time. For material changes that affect how we use your personal information, we will provide notice by email (where we have one for you) or by a prominent notice on our Sites at least 30 days before the changes take effect. Your continued use of the Services after the effective date means you accept the updated policy.
1. Introduction
In short, this Privacy Policy explains what information we collect, how and why we use it, who we share it with, and the choices you can make about how your information is handled.
2. Information We Collect
A. Information you provide to us
We collect information when you use or interact with our Sites or Services. This may include:
Personal Information — information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual, device, or household. Examples include:
First and last name
Email address
Phone number
Date of birth
Government identifiers such as a national ID / Social Security number, driver’s license, or passport, where needed to open or verify an account
Postal address
Wallet address(es) and on-chain identifiers
Sensitive Personal Information. Some information we collect is treated as “sensitive” under applicable privacy laws, including:
Government-issued identification numbers (national ID / Social Security number, driver’s license number, passport number)
Financial account login credentials
Precise geolocation data
Biometric information (facial-geometry scans used for identity verification)
We use Sensitive Personal Information only as reasonably necessary to provide the Services — for example, identity verification, fraud prevention, and regulatory compliance. To ask us to limit our use of your Sensitive Personal Information, contact privacy@apocor.ai.
Company Information — information relating to or identifying a business that uses the Services. Examples include:
Company name
Company address
Formation or incorporation documents
Company jurisdiction
Company tax identification number
Company registration number
Beneficial owners
Settlement and wallet addresses
B. Information we collect automatically
We, our vendors, and our service providers may automatically collect information when you use the Sites or Services — for example, to prevent fraud or to improve our products and user experience. This can include:
Your browser type
Your device type or operating system
Your device’s location and other information your device sends
Your device’s IP address
C. Information about your use of the Services
We may collect or have access to transactional information about your use of the Services, which can include:
Amount, type, and size of transactions, and purchase details
Date and time of transactions
Merchants where you transacted using an Apocor-powered card
Repayment and settlement history
Financial data, including stablecoin balances and on-chain activity associated with your account
D. Tracking and cookie data
Like many online services, we may use cookies and similar technologies to collect information about you. Third parties may also place cookies on your device to collect device identifiers, IP address, and information about how you interact with the Sites and Services. Cookies are small pieces of data placed on your device when you visit the Sites or use the Services. Examples include:
Session cookies — help us recognize users who visit our Sites.
Preference cookies — help us remember settings and choices.
Security cookies — help us detect and prevent fraud.
You can decide whether to accept cookies through your browser settings. Most browsers let you turn off cookies, which will stop new cookies from being accepted. If you do not accept cookies, some parts of the Sites may not work properly.
E. Information we collect from third parties
We may supplement the information you give us with information from third parties such as credit bureaus, data providers, fraud-detection services, blockchain analytics providers, and analytics vendors. Some of these third parties obtain your information through your use of the Sites or Services; others may already hold your information and share it with us.
We do not control third parties’ tracking technologies or how they use the data they collect. If you have questions about an advertisement or other targeted content, contact the responsible provider directly. For ways to opt out of targeted advertising, see “Choices About Your Personal Information.”
3. How and Why We Use Information
We collect and use information for the business and commercial purposes described in this policy, including to:
Assess eligibility — verify your identity and assess your eligibility to use the Services.
Operate our business — maintain your account, provide and improve the Services, and build new products and features such as Apocor Pay, Apocor Direct, Apocor Accept, Apocor Cards, and Apocor Intelligence Commerce.
Communicate with you — provide customer support and, where permitted, send you information about our products and services.
Comply with our obligations — meet legal, regulatory, contractual, and audit requirements, including KYC/AML and sanctions obligations.
Protect against fraud and abuse — detect and prevent fraudulent or unauthorized transactions, policy or terms violations, and threats of harm.
Where you have given us a way to contact you (directly or through a Partner), we may communicate with you about your use of the Services and, where permitted, send promotional messages. We may also receive a confirmation when you open an email from us, which helps us improve the Services. You can opt out of promotional messages at any time — see “Choices About Your Personal Information.”
4. Sharing Information
We share the information we collect, including information that identifies you, in line with this policy. The categories of parties we share with include:
Service providers, vendors, and advisors
We share Personal Information or Company Information with the following categories of third parties:
Category | Purpose |
Card network partners (Visa, Mastercard) | Transaction processing, authorization, tokenization, and fraud prevention |
Banking partners and BIN sponsors | Account services, card issuance, settlement, and regulatory compliance |
Identity verification provider (Sumsub) | KYC/AML verification and biometric matching |
Blockchain analytics providers | Sanctions screening, on-chain risk assessment, and fraud monitoring |
Analytics providers | Site analytics and service improvement |
Cloud infrastructure providers | Data storage and processing |
AML and fraud-prevention services | Transaction monitoring and risk assessment |
All service providers are contractually required to use personal information only for specified purposes and to maintain appropriate security measures.
Biometric Information Notice
Notice of biometric data collection. To verify your identity, Apocor (through our identity-verification provider, Sumsub) collects biometric identifiers — specifically, facial-geometry scans derived from your driver’s license and/or passport photo — which are matched against a live image you provide.
Purpose. We collect biometric information to verify your identity, prevent fraud, and meet Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements.
Storage and transmission. Biometric data is collected and processed by Sumsub, our third-party identity-verification provider, using industry-standard encryption, and may be transmitted to Sumsub’s secure servers for processing.
Retention. We retain biometric data only as long as needed to satisfy the purpose of collection, and in any event no later than three (3) years after your last interaction with Apocor, except where a longer period is required to comply with federal anti-money-laundering and customer-identification requirements, including the Bank Secrecy Act.
Consent. By proceeding with identity verification, you give your written consent to the collection, use, storage, and transmission of your biometric information as described here. You may withdraw consent at any time by contacting privacy@apocor.ai; however, withdrawing consent may prevent us from verifying you and may result in account closure.
Written policy. Apocor’s full biometric data retention and destruction policy is available on request at privacy@apocor.ai.
Other recipients
We may also share information with:
Our affiliates, for everyday business purposes.
Our financing partners, such as sources of debt or equity capital.
Issuers and program managers of your Apocor-powered card.
Merchants and businesses with whom you transact or use your Apocor-powered card.
A counterparty in a partnership, financing, or potential acquisition, as part of due diligence — provided they agree to use the information only for that purpose.
Regulators, government agencies, courts, and law enforcement, as required by law or to protect our legal rights.
In a merger, acquisition, or sale or transfer of all or part of our assets, your information may be transferred to a buyer or successor. In that case, we may be unable to control how that party later uses or transfers the information.
Processing on behalf of business partners
When Apocor provides services to business Partners (such as fintechs, platforms, wallets, and enterprises), we process personal information on their behalf as a service provider, only as directed by the Partner and in line with our contract. Our Partners are responsible for providing privacy notices to their end users and obtaining any required consents.
5. Aggregated or Anonymized Information
We may share aggregated or anonymized information with third parties at any time and without restriction, provided the information cannot reasonably be linked back to an identifiable person.
6. Analytics and Advertising
We may use analytics and similar services to understand how people access and use the Services, improve functionality, measure performance, and enhance the user experience. These services may use cookies, pixels, software development kits (SDKs), and similar technologies to collect information about your interactions with the Services.
We may also use tracking technologies in our Services and in advertisements shown on other websites or services. These technologies may collect information over time and across services or devices for purposes such as measuring campaign effectiveness, analyzing trends, preventing fraud, and delivering relevant content. Certain third parties that provide analytics or advertising services process information under their own privacy notices, which we do not control. We encourage you to review their policies to understand how they handle your information.
7. Safeguarding Information
Data security. We maintain reasonable administrative, technical, and physical safeguards appropriate to the nature of the information we handle, and our security program is designed to align with recognized industry standards. Because card payments are processed through Visa Pay’s tokenized infrastructure, Apocor does not store raw payment card numbers, which reduces the amount of sensitive card data in our environment. Security measures include:
AES-256 encryption for data at rest
TLS 1.3 encryption for data in transit
Tokenization of sensitive payment data to minimize exposure
Access controls and multi-factor authentication
Regular security assessments
Employee security training
Despite these measures, no method of internet transmission is 100% secure. The security of your information also depends on you: where you hold a password for any part of the Services, keep it confidential and do not share it. Please notify us immediately if you believe your information with Apocor has been compromised.
8. Retention of Information
We keep your information as long as needed to provide the Services, comply with our legal obligations, or protect our or others’ interests. Although requirements vary by jurisdiction, our internal retention policies consider:
When the information was collected or created
Whether it is still necessary to provide you the Services
Whether we must hold it to meet legal obligations, including AML/KYC and other financial-regulatory requirements
Whether it is subject to legal-preservation (litigation hold) requirements
We may retain pseudonymized information and user identifiers to understand usage patterns and improve the Services, and we may retain certain data for fraud-prevention purposes, which is a permitted business purpose under applicable privacy laws.
EEA, UK, and Switzerland. We retain personal data no longer than necessary for the purposes for which it was collected, unless a longer period is required or permitted by law.
9. Children’s Privacy
Our Services are not directed to anyone under 18, and we do not knowingly collect personal information from anyone under 18. If you are under 18, do not use the Services or provide any personal information. If we receive signals indicating a user is a minor, we will apply heightened protections. If you believe we have collected information from a minor, contact us immediately at privacy@apocor.ai.
10. Do Not Track and Global Privacy Control
Our Sites do not currently respond to “Do Not Track” browser signals. We do honor Global Privacy Control (GPC) signals as a valid request to opt out of the sale or sharing of your personal information under applicable law. To learn more about GPC, visit https://globalprivacycontrol.org.
11. Company Account
If your card or account is provided through a business (a “Company Administrator”), that business is responsible for the account and the cards associated with it. The Company Administrator may grant, restrict, suspend, or terminate your access to or use of the card or account.
12. Privacy Rights and Jurisdiction-Specific Information
Because Apocor primarily provides financial infrastructure to Partners, how you exercise your privacy rights depends on the nature of the data and our relationship with you:
We act as a “business” or “controller” only for information we collect directly from you — for example, when you visit our Sites, contact support, or provide biometric data for identity verification that we initiate.
We act as a “service provider” or “processor” for much of the information we process on behalf of Partners (for example, transaction data on a Partner-branded card). In those cases, the Partner is the controller responsible for managing your data and fulfilling your requests.
Use the table below to decide where to send requests about your information:
Data type | Primary controller | Who to contact |
Transaction history and card limits | Your Partner / fintech | Contact the app or company where you signed up |
Identity verification (KYC) | Apocor | privacy@apocor.ai |
Biometric data | Apocor | privacy@apocor.ai |
Site cookies / analytics | Apocor | privacy@apocor.ai |
Information we collect may be transferred to, stored, and processed by us, our affiliates, and other third parties outside the EEA, the UK, and Switzerland — including in the United States and other countries — where data-protection rules may differ from those where you live. For transfers from the EEA, UK, or Switzerland, we put in place appropriate safeguards, including European Commission Standard Contractual Clauses and the UK International Data Transfer Agreement. Partners transferring personal information from these regions can request a copy of our Data Processing Addendum at privacy@apocor.ai.
U.S. state privacy rights
This section applies to residents of states with comprehensive privacy laws (including California, Colorado, Connecticut, Indiana, Kentucky, Maryland, Oregon, Rhode Island, Texas, Utah, and Virginia). Specific rights vary by state.
Your rights. Subject to legal exceptions and our role as a service provider, you may have the right to know/access, delete, and correct your personal information, and to opt out of the sale or sharing of your data. We do not discriminate against you for exercising these rights.
Where to direct your request. If your request relates to card transactions, account settings in a Partner app, or usage history, contact the relevant Partner directly; as a service provider, we will refer such requests to the appropriate Partner. If your request relates to identity verification (KYC), biometric data, or your direct interactions with our Sites, email privacy@apocor.ai.
California “Shine the Light.” California residents may request once per calendar year a list of the categories of personal information (if any) we disclosed to third parties for their direct-marketing purposes in the prior year. Send requests to privacy@apocor.ai.
Global Privacy Control. We honor GPC signals as a valid opt-out of targeted advertising and data sharing on our Sites.
Sensitive data. We do not “sell” sensitive personal information such as biometric data or precise geolocation.
Brazil (LGPD)
If you are a resident of Brazil, you have rights under the General Data Protection Law (LGPD).
Operating under a Partner license: where Services in Brazil are offered through a locally licensed Partner, that Partner is the controller for the regulated activity, and rights requests about that activity should be directed to the Partner.
As a processor: for information we process at a Partner’s direction, the Partner is the controller responsible for your rights (including confirmation of processing, access, and portability). Direct those requests to the Partner.
As a controller: for identity verification and biometric data, you may exercise your rights (access, correction, and consent withdrawal) by emailing privacy@apocor.ai.
International transfers: transfers from Brazil to the U.S. are protected by ANPD-recognized Standard Contractual Clauses.
Brazil DPO (Encarregado): you may contact our data protection officer for purposes of Brazilian law at privacy@apocor.ai.
EEA, UK, and Switzerland (GDPR / UK GDPR)
Operating under a Partner license: where Services in the EEA, UK, or Switzerland are offered through a locally licensed Partner, that Partner acts as the controller for the regulated activity, and you should direct rights requests about that activity to the Partner.
Processor status: for most Services, Apocor, Inc. acts as a processor on behalf of our B2B Partners; requests about transaction data or account management should go to the Partner (the controller).
Controller status: Apocor acts as a controller for identity verification, fraud prevention, and biometric data collection. For these, you may exercise your rights to access, rectification, erasure, and portability by contacting privacy@apocor.ai.
Data protection officer and EU/UK representation: for data-protection matters where Apocor is the controller, and for any Article 27 representation enquiries, contact privacy@apocor.ai.
International transfers: we rely on Standard Contractual Clauses and the UK IDTA as our primary transfer mechanism to the U.S.
13. Choices About Your Personal Information
We aim to give you meaningful choices about the information you share with us:
Tracking technologies and advertising. You can set your browser to refuse some or all cookies, or to alert you when cookies are sent. If you disable cookies, some parts of the Sites may not function properly.
Your opt-out options:
Marketing communications: email privacy@apocor.ai to opt out, or click “unsubscribe” in any promotional email.
Text messaging: reply “STOP” to any text message you receive.
Push notifications: opt out through your device settings.
Sharing with non-affiliated third parties (GLBA): you may opt out of our sharing your non-public personal information with non-affiliated third parties for their marketing by emailing privacy@apocor.ai.
Targeted advertising: opt out by enabling Global Privacy Control in your browser or by contacting privacy@apocor.ai.
We do not control third parties’ collection or use of your information for interest-based advertising, but many of them offer their own opt-outs. You can opt out of targeted ads from members of the Network Advertising Initiative at https://optout.networkadvertising.org.
14. Contact Us
If you have questions about this Privacy Policy, our data practices, or our compliance with applicable law, contact us at privacy@apocor.ai or by mail at Apocor, Inc., 45 Rockefeller Plaza, Suite 2000, New York, NY 10111, United States.
15. Automated Decision-Making and AI
We use automated technology to:
Identify potential fraud in transactions
Determine eligibility for the Services
Verify your identity using biometric matching
You have the right to request information about the logic involved in automated decisions that significantly affect you, and to request human review of those decisions. To exercise these rights, contact privacy@apocor.ai.
16. Data Portability and Open Banking
We support your right to control and move your financial data, consistent with applicable open-banking and data-portability frameworks (including CFPB Rule 1033 in the U.S., PSD3/PSR in the EU, and Open Finance mandates in Brazil). We do not use “screen scraping” (collecting your login credentials to access your accounts). If you authorize a third party to access your Apocor account data, we will share only the data reasonably necessary for the requested service, through secure APIs.
17. Fintech and Stablecoin Disclosures
As a provider of stablecoin-powered payment infrastructure, Apocor operates at the intersection of traditional finance and digital assets. Please review the following:
Immutable blockchain records and deletion rights. Apocor settles transactions natively on multiple blockchain networks, including Ethereum and other EVM-compatible networks (such as Polygon and Avalanche) and Solana, and supports stablecoins including USDC, USDG, EURC, and PYUSD. While we do not publish your legal name or contact details to these public ledgers, your wallet address and transaction details (amount, asset type, and timestamp) are recorded permanently on-chain. Because blockchains are immutable, we cannot delete or change information once it is broadcast to a network. If you exercise a “right to delete,” we will delete your data from our internal systems, but the on-chain history tied to your wallet address will remain public.
Travel Rule compliance. We may be subject to the FATF “Travel Rule” and similar local rules (such as the U.S. Bank Secrecy Act and the EU Transfer of Funds Regulation). When you send or receive stablecoins to or from an Apocor-powered account or card, we may be legally required to collect and transmit certain information — including your name, address, and account identifier — to the receiving financial institution or Virtual Asset Service Provider (VASP). Transactions involving self-custodial wallets may require additional ownership verification.
Custody and asset segregation. Apocor supports both custodial and non-custodial wallet spending. For our self-custody integration, Apocor does not store or have access to your private keys or recovery phrases — you are solely responsible for the security of those credentials. Any stablecoin collateral or funds held within our infrastructure are segregated from our corporate operating funds in line with applicable financial standards.
Third-party blockchain analytics. We may share your transaction data and wallet addresses with third-party blockchain-analytics providers to perform sanctions screening, anti-fraud monitoring, and risk assessment, so that on-chain activity can be checked against global regulatory requirements.
Appendix: Financial Privacy Notice (Gramm-Leach-Bliley Act)
FACTS | What does Apocor do with your personal information? |
Why? | Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. |
What? | The types of personal information we collect and share depend on the product or service you have with us. This can include Social Security number, account balances, transaction history, and payment history. |
How? | All financial companies need to share customers’ personal information to run their everyday business. Below we list the reasons financial companies can share, whether Apocor shares, and whether you can limit that sharing. |
Reasons we can share your personal information | Does Apocor share? | Can you limit? |
For our everyday business purposes (processing transactions, maintaining accounts, responding to court orders) | Yes | No |
For our marketing purposes (offering our products and services to you) | Yes | Yes |
For joint marketing with other financial companies | Yes | Yes |
For our affiliates’ everyday business purposes (creditworthiness, transactions) | Yes | No |
For non-affiliates to market to you | No | We don’t share |
To limit our sharing: email privacy@apocor.ai.