← Back to home

Privacy Policy

Last updated: 12 July 2026

This Privacy Policy describes the personal data that BabyFX FZ-LLC ("we", "us", "our", "BabyFX") collects from you, how we use it, who we share it with, how long we keep it, and the rights you can exercise. It applies to your use of BabyChain, BabyFX Pay, BabyWallet, our websites, our APIs, and any related product or service that links to this Policy (together, the "Services"). Capitalised terms not defined here have the meaning given in the UAE Personal Data Protection Law.

This Policy is governed by the United Arab Emirates Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, the "PDPL") and, where applicable, the data-protection regulations of the licensing authority that issued our commercial licence (currently the Dubai International Financial Centre, "DIFC").

1. Who is the Data Controller?

The data controller for the Services is:
BabyFX FZ-LLC
Registered office: Level 14, DIFC Innovation Hub, Gate Avenue South Zone, Dubai, United Arab Emirates
Commercial licence: DIFC FZ-LLC (pending issuance — placeholder shown until licence number is allocated)
Data Protection Officer: placeholder DPO
Email: dpo@babyfx.org

The data controller is the entity that determines the means and purposes of processing your personal data. If you are in the European Economic Area, the United Kingdom, or Switzerland, our EU/UK representative is appointed under Article 27 of the GDPR; contact details are available on request from the DPO.

2. What Personal Data Does BabyFX Collect and Process?

We collect only the personal data we need to operate the Services and meet our legal obligations. The categories below are the same ones used in our onboarding flows and our AML/CFT programme.

Information you give us at sign-up. Email address, mobile phone number, password (stored hashed), referral code (if you joined via a referral).

Identity-verification data (KYC / AML). Legal name, date of birth, nationality, residential address, government-issued ID number, a copy of the ID document, a selfie, and — for merchants and institutional clients — corporate documents (certificate of incorporation, board resolutions, beneficial-owner list).

On-chain transaction data. Wallet address, transaction hashes, balances, token-contract addresses, and the associated public ledger history. We do not collect names or email addresses from a wallet transaction.

Usage and device data. Device type, operating system, browser, screen resolution, pages visited, timestamps, and language preference. We collect this via first-party cookies and similar technologies when you have consented (where required).

Support correspondence. The content of your messages, the email address and any phone number you choose to provide, and any attachments you send.

Sanctions, PEP, and adverse-media screening data. We screen counterparties against UAE, UN, EU, UK, and US sanctions lists, as well as public PEP registers and adverse-media sources.

3. Which Legal Bases Are We Relying On?

We process personal data only when we have a lawful basis under Article 5 of the PDPL. The bases we rely on are:

  • Performance of a contract — to operate the Services you signed up for, process transactions, and provide customer support.
  • Compliance with a legal obligation — including AML/CFT obligations under UAE Federal Decree-Law No. 20 of 2018, sanctions screening, tax reporting, and responding to binding orders from UAE courts or regulators.
  • Legitimate interests — to keep the Services secure, prevent fraud and abuse, debug incidents, and improve product features. We balance these interests against your rights and do not rely on this basis where your fundamental rights override our interests.
  • Consent — for non-essential cookies, marketing communications, and any optional analytics. You can withdraw consent at any time without affecting prior processing.

4. Why Does BabyFX Process My Personal Data?

We use personal data to:

  • Deliver the Services. Open accounts, process transactions, render merchant settlements, and provide customer support.
  • Maintain safety, security, and integrity. Detect and prevent fraud, abuse, and unauthorised access; investigate security incidents; and protect users, employees, and counterparties.
  • Comply with law. Fulfill AML/CFT, sanctions-screening, tax, and reporting obligations, and respond to lawful requests from regulators and law enforcement.
  • Market our products (with consent). Send product updates, market-research surveys, and event invitations — only where you have opted in. You can opt out at any time.
  • Research and development. Improve the Services through aggregated, anonymised analytics and product experimentation.

5. Can Children Use the Services?

The Services are not directed at children under 18 (or the age of legal capacity in your jurisdiction, if higher). We do not knowingly collect personal data from anyone under that age. If you believe a child has provided us with personal data, contact the DPO and we will delete it.

6. What About Cookies and Other Identifiers?

We use first-party cookies and similar technologies to remember your session, remember your language preference, and measure aggregate traffic. We use only first-party analytics by default; any third-party tracking cookies stay off until you opt in via the in-app Cookie settings.

7. How and Why Do We Share Personal Data?

We do not sell personal data. We share data only as follows:

  • Internal groups and affiliates. Within BabyFX and any future affiliated entity, on a need-to-know basis.
  • Service providers. Vetted vendors that help us run the Services — cloud hosting, email delivery, KYC/AML verification, customer-support tooling, analytics. Each provider is bound by a written agreement that limits use to our documented instructions.
  • Regulators and law enforcement. Where required by UAE law, by a binding order, or to cooperate with a lawful investigation by the UAE Central Bank, the Securities and Commodities Authority, the Virtual Assets Regulatory Authority (VARA), the Financial Crimes Unit, or comparable authorities.
  • Counterparties in a dispute. In a dispute involving a specific on-chain transaction, we may share the data of the parties to that transaction with the relevant arbitrators (see the Terms of Service).
  • Corporate transactions. If BabyFX is involved in a merger, acquisition, or sale of assets, personal data may be disclosed to the prospective buyer under confidentiality.

8. How Secure is My Personal Data?

We protect personal data with administrative, technical, and physical safeguards designed for the sensitivity of the data, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, mandatory MFA for staff, and quarterly access reviews. No system is perfectly secure; if a security incident affects your personal data, we follow the breach-notification procedure in Section 10.

9. What About Advertising?

We do not serve behavioural advertising on the Services. We may promote BabyFX's own products on our own surfaces. Where you arrived at BabyFX via a paid advertisement run by a third-party ad network, that network's basic click-through attribution is handled by the network — see their privacy policy for details.

10. International Transfers

We are headquartered in the United Arab Emirates and use service providers in multiple jurisdictions, including the European Union, the United Kingdom, the United States, and other countries with comparable data-protection regimes. Where personal data is transferred outside the UAE, we rely on one of the following safeguards:

  • An adequacy decision or equivalence finding issued by the UAE Data Office;
  • Standard contractual clauses approved by the UAE Data Office (or, for transfers out of the EEA, the EU Standard Contractual Clauses), paired with a transfer-impact assessment;
  • Your explicit consent, after we have explained the absence of an adequacy decision.

11. How Long Does BabyFX Keep My Personal Data?

We retain personal data for as long as needed for the purpose it was collected — including the lifetime of your account and any statutory period required by AML/CFT, tax, or corporate-law recordkeeping — after which it is deleted or irreversibly anonymised. Key retention windows:

  • Account and onboarding records. Duration of the relationship + 5 years post-closure (AML/CFT recordkeeping under Cabinet Decision No. 24 of 2022).
  • On-chain transaction logs (wallet address + txid). 7 years.
  • Web analytics (cookies). 13 months maximum.
  • Support correspondence. 3 years from last contact.
  • Job applications. 1 year from decision (longer for UAE nationals, where required by Emiratisation rules).

12. What Rights Do I Have?

Under the PDPL (and, where applicable, the EU GDPR for EEA residents), you have the following rights:

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Ask us to fix any data that is inaccurate or incomplete.
  • Deletion ("right to be forgotten"). Ask us to delete your data, subject to legal retention obligations.
  • Restriction. Ask us to pause processing while a dispute is resolved.
  • Portability. Receive your data in a machine-readable format where technically feasible.
  • Objection. Object to processing based on legitimate interests, including direct marketing.
  • Withdrawal of consent. Where processing is based on consent, withdraw at any time without affecting prior lawful processing.
  • Complaint. Lodge a complaint with the UAE Data Office (uacd.gov.ae) or with the supervisory authority in your jurisdiction if you are in the EEA, the UK, or Switzerland.

To exercise any of these rights, email dpo@babyfx.org. We respond within 30 days. Where a request is complex or received from many data subjects, we may extend the response time by a further 30 days and will notify you of the extension.

13. Breach Notification

If a personal-data breach is likely to result in a risk to your rights and freedoms, we notify the UAE Data Office within 72 hours of becoming aware of the breach and notify affected users without undue delay. Notifications include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address it.

14. Updates to This Policy

We review this Policy at least annually. Material changes are announced by email and via an in-app banner at least 30 days before they take effect.

15. How Can You Contact BabyFX?

The fastest route for any privacy question is the DPO at dpo@babyfx.org. Postal correspondence to the registered office above is also accepted.

This Policy is governed by the laws of the United Arab Emirates, as applied in the DIFC. Any dispute that cannot be resolved informally is subject to the dispute-resolution clause in the BabyFX Terms of Service.


© 2026 BabyFX FZ-LLC. All rights reserved. DIFC commercial licence: pending. UAE PDPL Compliance Officer: DPO@babyfx.org.

Privacy Policy — BabyFX