Privacy Policy
Last updated: 17 March 2026
1. Introduction
Nut Card ("we", "us", or "our") provides a platform that allows users to manage cards, make payments, and access related financial services (the "Services").
This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our websites, applications, products, and Services (collectively, the "Platform"). It also describes your rights and how you can exercise them.
By creating an account, accessing, or using the Platform, you acknowledge that you have read and understood this Privacy Policy.
If you do not agree with this Privacy Policy, you should not use the Platform.
2. Who we are and how to contact us
The controller responsible for your personal data (i.e., the entity that determines the purposes and means of processing) will typically be the Nut Card entity identified in your account, onboarding documentation, or applicable contract (the "Nut Card Entity").
If you are unsure which Nut Card Entity is responsible for your data, or if you have any questions about this Privacy Policy, you can contact us at:
- Email: privacy@hashgg.com
We may update these contact details in the Platform from time to time.
3. Scope and legal basis
This Privacy Policy applies to:
- Platform users: individuals who register for or use a Nut Card account.
- Organization users: individuals acting on behalf of organizations, such as admins, finance managers, or employees.
- Visitors: individuals who visit our website or interact with us without creating an account.
Where required by applicable data protection laws (for example, the EU/EEA General Data Protection Regulation (GDPR) or the UK GDPR), we rely on one or more of the following legal bases to process your personal data:
- Performance of a contract: when processing is necessary to provide the Services, manage your account, or perform our contractual obligations.
- Legitimate interests: when processing is necessary for our legitimate business interests (for example, improving the Platform, preventing abuse, or defending legal claims) and does not override your rights and freedoms.
- Legal obligations: when we are required to process data to comply with laws, regulations, or orders from competent authorities.
- Consent: where you have given us consent for specific processing activities (for example, certain marketing communications). You may withdraw your consent at any time as described in this Privacy Policy.
4. Data we collect
The personal data we collect depends on how you interact with the Platform. We may collect the following categories of data.
4.1 Account and profile information
When you create or manage an account, we may collect:
- Name, title, and contact details (such as email address, phone number, and mailing address).
- Login credentials (such as username, password, and authentication tokens).
- Organization information (such as company name, role, team, and organization slug).
- Communication preferences and language settings.
4.2 Identity and verification information
When required for regulatory, compliance, or risk purposes (for example, "know your customer" (KYC) checks), we may collect:
- Date of birth, nationality, and government-issued identification details (for example, ID or passport numbers), subject to applicable law.
- Proof of address (for example, utility bills or bank statements).
- Selfie images or similar identifiers used for identity verification.
- Additional information requested by us or our partners to comply with anti-money laundering (AML), counter-terrorist financing (CTF), or sanctions screening obligations.
Where applicable, this information may be collected and verified by our third-party providers on our behalf.
4.3 Payment, card, and transaction data
When you use card or payment functionality, we may collect:
- Card program and card identifier information (for example, last few digits of a card number, card type, issuing provider).
- Transaction details (for example, amounts, currencies, timestamps, merchant information, and other metadata).
- Funding source and asset information (for example, linked accounts, wallet identifiers, or supported digital assets).
- Billing details (for example, billing address, tax information, or organization billing contacts).
We do not store full card numbers or sensitive authentication data where we rely on PCI-compliant payment processors or issuers. Such data is processed and stored by those third-party providers in accordance with their own policies.
4.4 Device and usage information
When you access the Platform, we automatically collect certain technical and usage data, such as:
- Device identifiers, operating system, browser type and version, language, and time zone.
- IP address, approximate location inferred from IP (city, region, or country).
- Log data about your usage of the Platform (for example, login timestamps, pages viewed, clicks, and other activity events).
- Information about performance, diagnostics, and errors (for example, crash logs and debugging data).
We may use cookies, local storage, and similar tracking technologies to collect some of this information, as explained in Section 10.
4.5 Communications and support
When you contact us or interact with our support channels, we may process:
- Your contact details and authentication information.
- Records of your communications with us (for example, emails, chat messages, and call summaries).
- Feedback, survey responses, or other information you choose to provide.
4.6 Optional and inferred information
With your consent or based on our legitimate interests, we may also process:
- Preferences about how you use the Platform (for example, default views, notification settings, or saved filters).
- Inferences derived from your interaction with the Platform (for example, analytics segments for feature discovery or fraud risk scoring).
5. How we use your data
We use personal data for the following purposes:
5.1 To provide and operate the Platform
We process data to:
- Create, maintain, and secure your account.
- Provide card issuance, card management, payment, and transaction-related Services.
- Process and settle payments, top-ups, withdrawals, and other financial operations.
- Provide customer support, including troubleshooting, incident response, and service notifications.
5.2 To comply with legal and regulatory obligations
We process data to:
- Perform KYC, AML, CTF, and sanctions screening obligations where required.
- Maintain records for accounting, tax, audit, and regulatory reporting purposes.
- Respond to lawful requests from authorities, regulators, or courts.
5.3 To protect the Platform and prevent abuse
We process data to:
- Detect, prevent, and investigate fraud, unauthorized transactions, and other malicious or illegal activities.
- Secure our infrastructure, prevent attacks, and monitor suspicious behavior.
- Enforce our Terms and other agreements with you or your organization.
5.4 To improve and personalize the Platform
We process data to:
- Operate analytics and usage monitoring to understand how the Platform is used.
- Test new features, conduct A/B testing, and optimize user experience.
- Personalize content and recommendations (for example, showing relevant features or documentation).
Where required by law, we use analytics in a way that is compatible with privacy requirements (for example, aggregating or pseudonymizing data where appropriate).
5.5 To communicate with you
We process data to:
- Send transactional communications, such as security alerts, service updates, and account notices.
- Provide onboarding materials, feature announcements, and product updates.
- Send marketing communications, subject to your preferences and applicable law. Where required, we will ask for your consent before sending marketing emails and you can opt out at any time by following the unsubscribe instructions or by contacting us.
6. How we share your data
We may share your personal data with:
- Service providers and processors: third parties that help us deliver the Platform (for example, cloud hosting providers, analytics vendors, email providers, and customer support tools). These providers are bound by contractual obligations to process data on our behalf and only as instructed.
- Financial and payment partners: card issuers, banks, payment processors, and other regulated providers that are involved in issuing cards, processing payments, and performing compliance checks. These partners may act as independent controllers or joint controllers when required by law.
- Organization administrators: if you use the Platform on behalf of an organization, certain information (for example, activity logs, user role information, and transaction summaries) may be visible to authorized organization administrators in accordance with the organization’s configuration.
- Professional advisers: lawyers, auditors, insurers, and other professional advisers where necessary to protect our legal interests, manage risk, or obtain professional advice.
- Authorities and regulators: law enforcement, regulatory bodies, and courts where we believe disclosure is necessary (i) to comply with applicable law or regulatory obligations, (ii) to respond to valid legal process or lawful requests, or (iii) to protect our rights, your safety, or the safety of others.
- Corporate transactions: in connection with a merger, acquisition, restructuring, sale of assets, or similar transaction. In such cases, we will take steps to ensure appropriate confidentiality and continue to protect your data in accordance with this Privacy Policy.
We do not sell your personal data.
7. International data transfers
We may process and store your personal data in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction.
Where we transfer personal data from the European Economic Area (EEA), the United Kingdom (UK), or other regions with similar transfer requirements, we rely on:
- An adequacy decision of the European Commission or other relevant authority; or
- Appropriate safeguards, such as standard contractual clauses approved by the European Commission or UK authorities, combined with additional technical and organizational measures where required.
You can contact us for more information about the specific safeguards used for international transfers.
8. Data retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including:
- For as long as you maintain an account with us.
- For as long as we are required by applicable law (for example, financial, tax, and AML/CTF record-keeping periods).
- For the period necessary to establish, exercise, or defend legal claims.
When we no longer need personal data for the purposes for which it was collected, we will either delete it, anonymize it, or, if that is not possible (for example, because it is stored in backup archives), we will securely store it and isolate it from further processing until deletion is possible.
9. Your rights
Depending on your location and subject to applicable law, you may have some or all of the following rights in relation to your personal data:
- Access: the right to obtain confirmation as to whether we process your personal data and to receive a copy of that data.
- Rectification: the right to request correction of inaccurate or incomplete data.
- Erasure: the right to request deletion of your personal data in certain circumstances (for example, where the data is no longer necessary or where you withdraw consent and there is no other legal basis).
- Restriction: the right to request that we restrict the processing of your personal data in certain circumstances.
- Portability: the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller where technically feasible.
- Objection: the right to object to processing based on our legitimate interests or for direct marketing purposes.
- Withdraw consent: where processing is based on your consent, the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
You can exercise many of these rights directly through your account settings where available. Otherwise, you can contact us using the details in Section 2.
We may need to verify your identity before responding to your request. We may also be unable to comply with a request where we have compelling legitimate grounds or are legally required to retain certain data.
If you believe that we have not handled your personal data in accordance with applicable law, you also have the right to lodge a complaint with a competent supervisory authority. We encourage you to contact us first so we can address your concerns.
10. Cookies and similar technologies
We use cookies, local storage, and similar technologies to:
- Keep you signed in and maintain your session.
- Remember your preferences and settings.
- Analyze usage of the Platform and measure performance.
- Enhance security and detect abuse.
Where required by law, we will request your consent before setting certain non-essential cookies (for example, analytics or marketing cookies). You can manage your cookie preferences via your browser settings or applicable cookie controls provided in the Platform.
Disabling cookies may affect the functionality of some parts of the Platform.
11. Children’s privacy
The Platform is not intended for use by children under the age of 18, and we do not knowingly collect personal data from children under this age. If we become aware that we have collected personal data from a child in violation of this Policy, we will take reasonable steps to delete it.
If you believe that a child has provided us with personal data, please contact us using the details in Section 2.
12. Security
We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
These measures may include:
- Encryption in transit and at rest where appropriate.
- Access controls, authentication, and authorization mechanisms.
- Logging, monitoring, and intrusion detection.
- Segregation of environments and least-privilege access.
- Regular security testing and assessments.
However, no system can be guaranteed to be 100% secure. You are responsible for maintaining the confidentiality of your login credentials and for securing the devices you use to access the Platform. If you suspect any unauthorized access or activity, please notify us immediately.
13. Third-party services and links
The Platform may contain links to third-party websites, services, or applications that are not operated by us. Your use of those services is subject to their own privacy policies and terms, which may differ from ours.
We are not responsible for the privacy practices or content of third-party services. We encourage you to review their policies before providing personal data.
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in technology, legal requirements, or our business operations.
When we make material changes, we will take appropriate steps to notify you (for example, by displaying a notice in the Platform, updating the "Last updated" date at the top of this page, or sending you an email notification, where required).
Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the revised Policy.
15. Contact and data protection inquiries
If you have any questions about this Privacy Policy, our data practices, or your rights, or if you wish to exercise your rights, please contact us at:
- Email: privacy@hashgg.com
We will review and respond to your request in accordance with applicable data protection laws.