Privacy Policy
How Kintro Ltd collects, uses and protects personal data.
00 Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 14 May 2026 | Munene Njogu (CTO) | Initial Kintro Privacy Policy covering UK consumer and business users, e-money wallet, AISP, PISP and savings goals. Anchored on UK GDPR, Data Protection Act 2018, PECR and FCA Consumer Duty. |
At a glance — the most important things to know
The headline points. The numbered sections below give the full detail.
- Kintro Ltd is the data controller for your personal data when you use our Service — Section 1.
- During alpha, an FCA-authorised Principal acts as joint controller for regulated payment activity — Section 11.
- We collect identity, contact, financial, transactional, device and risk data — Section 4.
- Open Banking access (AISP/PISP) only happens with your explicit consent and lasts up to 90 days — Section 10.
- You have rights under UK GDPR including access, rectification, erasure and objection — Section 18.
- For privacy questions, contact our Data Protection Lead at privacy@kintro.money.
01 Introduction
This Privacy Policy explains how Kintro Ltd ("Kintro", "we", "us") collects, uses, shares and protects personal data when you use the Kintro mobile and web applications, our website at kintro.money, and any related services (together, the "Service").
Kintro Ltd is a company registered in England and Wales. Our registered address is held at Companies House. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Kintro Ltd is the data controller for the personal data described in this Policy, except where we act as a processor on behalf of a business customer (see Section 12).
During the alpha phase of the Service, Kintro operates as an agent of a regulated payment institution / electronic money institution authorised by the Financial Conduct Authority ("the Principal"). Where personal data is processed in connection with regulated payment services or the safeguarding of customer funds, the Principal is a joint or independent controller in respect of that processing. Section 11 explains how this works in practice.
If you have any questions about this Policy, or about how we handle your personal data, you can contact our Data Protection Lead at privacy@kintro.money.
02 Scope and Audience
This Policy applies to personal data we process about:
- Individual UK consumer customers who hold a Kintro e-money wallet, use the Open Banking account aggregation service, initiate payments from external accounts, or use any savings, goal or Group Wallet feature.
- Authorised representatives, beneficial owners, signatories and other natural persons connected to business customers (sole traders, partnerships, limited companies, and not-for-profits) using Kintro on behalf of a business.
- Visitors to our websites and prospective customers who interact with our marketing channels.
- Applicants for employment and other contacts of Kintro Ltd.
This Policy does not cover the websites or services of third parties that you may reach via Kintro. Those services are governed by their own privacy notices.
03 Key Definitions
- UK GDPR: The UK General Data Protection Regulation as it forms part of UK domestic law under the European Union (Withdrawal) Act 2018.
- DPA 2018: The Data Protection Act 2018.
- PECR: The Privacy and Electronic Communications (EC Directive) Regulations 2003.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, whether automated or not.
- Controller: The party that determines the purposes and means of processing personal data.
- Processor: A party that processes personal data on behalf of a controller.
- AISP: Account Information Service Provider, a firm authorised under the Payment Services Regulations 2017 (PSR 2017) to access account information from your bank with your explicit consent.
- PISP: Payment Initiation Service Provider, a firm authorised under PSR 2017 to initiate payments from your bank account at your request.
- Principal: The FCA-authorised payment institution / electronic money institution under whose permissions Kintro operates as an agent during the alpha phase of the Service.
- TPP: Third Party Provider used for Open Banking access; currently a regulated technical service provider engaged by Kintro.
04 Personal Data We Collect
We collect the categories of personal data set out below. Not all categories will apply to every customer — what we collect depends on which parts of the Service you use.
4.1 Identity and contact data
- Full legal name, date of birth, nationality, and any previous names.
- Government-issued identifier (passport, driving licence or national identity card) and the associated biometric image used for liveness checks during onboarding.
- Home address, residency status and proof-of-address documentation.
- Email address, mobile phone number and preferred language.
- For business customers: company registration number, registered office, trading name, sector classification (SIC), and details of directors, ultimate beneficial owners (UBOs) and authorised signatories.
4.2 Financial and transactional data
- Bank account details and balances obtained via Open Banking (AISP) with your explicit consent.
- Transactions you make or attempt to make using the Kintro e-money wallet, including amount, counterparty, currency, timestamp and reference.
- Records of payments you initiate from your external bank accounts via our PISP service.
- Goal and savings activity, including target amounts, contributions, withdrawals and Group Wallet membership.
- Source of funds and source of wealth declarations where required for anti-money-laundering (AML) compliance.
4.3 Device, technical and usage data
- Device identifiers, operating system, app version, hardware model, IP address, time zone, and approximate location derived from IP.
- Authentication events, including biometric Strong Customer Authentication (SCA) outcomes (we do not receive or store the underlying biometric template — only the success/failure outcome from your device).
- Logs of API calls, screens viewed, features used, and interactions with notifications and emails.
- Cookie identifiers and similar technologies (see Section 17).
4.4 Communications and support data
- Content of messages you send us through in-app chat, email, social media or telephone, including any attachments you provide.
- Call recordings, where we tell you a call is being recorded, retained for quality and dispute-resolution purposes.
- Feedback, survey responses, App Store / Play Store reviews you submit to us.
4.5 Risk, fraud and compliance data
- Sanctions, politically exposed person (PEP) and adverse media screening results.
- Fraud signals from device intelligence, behavioural analytics and counter-fraud bureaux.
- Records of suspicious activity reviews and any Suspicious Activity Reports (SARs) submitted to the UK Financial Intelligence Unit.
05 How We Collect Personal Data
We collect personal data:
- Directly from you, when you register, complete identity verification, configure your account, make payments, contact us or interact with our marketing channels.
- From your devices, automatically, when you use the Service.
- From third parties acting on your instructions — for example your bank, via our regulated Open Banking TPP, when you grant AISP consent.
- From third parties acting on our instructions — including KYC/identity verification providers, sanctions and PEP screening providers, fraud-prevention bureaux, and payment-processing partners (see Section 13 for the categories of recipient).
- From publicly available sources — for example Companies House, the FCA Financial Services Register and public records — to verify information about you or your business.
06 Purposes and Lawful Bases
We process personal data only where we have a lawful basis to do so under Article 6 of UK GDPR (and, for special category data, an additional condition under Article 9). The principal purposes for which we process personal data are set out in the table below, with the lawful basis we rely on.
| Purpose | Personal data used | Lawful basis |
|---|---|---|
| Open and operate your Kintro account, including the e-money wallet, AISP and PISP services and savings features | Identity, contact, financial, transactional and device data | Performance of a contract with you (Art. 6(1)(b)) |
| Verify your identity and prevent financial crime — including KYC, ongoing customer due diligence, AML, sanctions, PEP and fraud screening | Identity, residence, biometric liveness, risk and compliance data | Legal obligation (Art. 6(1)(c)) under the Money Laundering Regulations 2017 and PSR 2017; substantial public interest under Sch. 1 Part 2 DPA 2018 for any special category processing |
| Authenticate you and authorise payments via Strong Customer Authentication (SCA) under PSR 2017 reg. 100 | Identity, device and authentication outcomes | Legal obligation (Art. 6(1)(c)); performance of a contract (Art. 6(1)(b)) |
| Provide Open Banking AISP and PISP services on your express consent | Bank account information and payment instructions | Performance of a contract (Art. 6(1)(b)); explicit consent for the AIS / PIS consent flow itself (PSR 2017 reg. 67 / 69) |
| Detect, investigate and prevent fraud, abuse and breaches of these terms | All categories, focusing on transactional, device and risk data | Legitimate interests (Art. 6(1)(f)) — protecting Kintro, our customers and the financial system; legal obligation in respect of mandatory reporting |
| Communicate with you about your account, including service updates, security alerts and changes to terms | Identity, contact, transactional data | Performance of a contract (Art. 6(1)(b)); legal obligation for regulated communications |
| Send marketing communications about Kintro products and services | Contact data and engagement signals | Consent (Art. 6(1)(a)) for prospects; soft-opt-in or legitimate interests for existing customers, with PECR rules applied (see Section 9) |
| Improve the Service, including bug fixing, feature analytics and customer research | Device, usage and aggregated transactional data (pseudonymised where practical) | Legitimate interests (Art. 6(1)(f)) — improving and developing a safe, useful service |
| Manage complaints, disputes, chargebacks and litigation, including reporting to the Financial Ombudsman Service | Any category relevant to the matter | Legitimate interests (Art. 6(1)(f)); legal obligation; establishment, exercise or defence of legal claims (Art. 9(2)(f) where relevant) |
| Comply with regulatory reporting obligations to the FCA, ICO, HMRC and other UK authorities | Identity, transactional, compliance data | Legal obligation (Art. 6(1)(c)) |
| Recruit staff and manage contacts of the business | Contact and CV data of applicants and contacts | Legitimate interests (Art. 6(1)(f)); consent where required |
07 Special Category Data
We do not knowingly collect special category data (such as data revealing racial or ethnic origin, religious beliefs, health, or biometric data used for the purpose of uniquely identifying you) unless we have to in order to verify your identity or prevent financial crime.
Where identity verification involves a facial-recognition liveness check on your device, the biometric template stays on your device. We receive only a binary verification outcome and the captured image of your face. Where we process this image for the purpose of confirming your identity, we rely on the substantial public interest condition under paragraph 11 (preventing or detecting unlawful acts) or paragraph 14 (preventing fraud) of Schedule 1, Part 2 to the Data Protection Act 2018.
08 Profiling and Automated Decisions
We use automated processing, including profiling, to detect and prevent fraud, screen customers against sanctions and PEP lists, and decide whether to approve or block specific transactions in real time. These checks may have a legal or similarly significant effect on you (for example, declining a payment or restricting your account) and are therefore covered by Article 22 UK GDPR.
We rely on the exception in Article 22(2)(b) — processing authorised by UK law that lays down suitable measures to safeguard your rights — because the underlying obligations come from the Money Laundering Regulations 2017, the PSR 2017 and sanctions law. We also rely on Article 22(2)(a) (necessary for entering into or performing a contract) where the decision is necessary to provide the regulated service you have asked for.
Where an automated decision has been made about you, you have the right to obtain human intervention, to express your point of view and to contest the decision. To exercise this right, contact privacy@kintro.money.
09 Marketing and Electronic Communications
We will only send you electronic marketing in line with PECR and UK GDPR. For prospects, we rely on your consent. For existing customers, we may use the soft-opt-in to send marketing about similar Kintro products, and you can object at any time.
- Every marketing email has an unsubscribe link.
- You can manage marketing preferences in the Kintro app under Settings → Communications.
- Service messages — for example, security alerts, regulatory notifications and operational status updates — are not marketing and you cannot opt out of them while your account is open.
10 Open Banking: AISP and PISP Notices
10.1 Account Information Service (AISP)
When you connect a bank account to Kintro for account aggregation, we (or a regulated Third Party Provider acting on our behalf) access the information you authorise — typically account balances, transaction history and account holder name — for up to 90 days from the date of your consent, after which the consent must be renewed under PSR 2017 reg. 36.
You can revoke AISP consent at any time, either inside Kintro or by contacting your bank. Once revoked, we stop pulling fresh data from your bank, but data we have already received may be retained for the periods set out in Section 16.
10.2 Payment Initiation Service (PISP)
When you initiate a payment from an external bank account through Kintro, we collect only the data needed to construct and submit the payment instruction (payee account details, amount, currency, reference and your authentication). We do not store your bank login credentials and we do not access your account for any purpose other than initiating the payment you have asked for.
11 Acting as an Agent of the Principal
During the alpha phase of the Service, Kintro operates as an agent of an FCA-authorised payment institution / electronic money institution. The Principal safeguards customer funds and holds the regulatory permissions for the regulated payment and e-money services you use through Kintro.
In practical terms, this means:
- The Principal is a controller of personal data needed to discharge its regulatory obligations — including safeguarding records, fraud and financial-crime monitoring, FCA reporting under SUP 15.3 and PSR 2017 regs 99 and 100, and any matters that flow through the Principal's Resolution Pack under PS7/24.
- Kintro and the Principal are joint controllers in respect of the payment services and e-money issuance you use, and have a written arrangement covering responsibility for data subject rights and notifications, as required by Article 26 UK GDPR. The essence of that arrangement is set out in Appendix C.
- Kintro acts as a controller in its own right for the parts of the Service that are not regulated payment services — for example marketing, the product analytics we use to improve features, the Kintro website, and our internal HR processing.
You can exercise your data subject rights against either Kintro or the Principal in respect of jointly controlled processing. We will route your request to the right party and respond within the UK GDPR timescales.
12 Acting as a Processor for Business Customers
Where a business customer uses Kintro to administer accounts, run payroll-style payments, or otherwise process personal data of its own employees, contractors or customers, the business customer is the controller of that personal data and Kintro acts as a processor on its behalf, governed by a written data processing agreement that meets Article 28 UK GDPR. Individuals whose personal data is processed by Kintro in that capacity should direct subject access and other rights requests to the business customer in the first instance.
13 How We Share Personal Data
We share personal data only where we need to, and only with categories of recipient set out below:
| Category of recipient | Why we share | Country |
|---|---|---|
| The Principal | Safeguarding, regulatory reporting, fraud and financial-crime monitoring, complaints handling | United Kingdom |
| Cloud infrastructure providers — Google Cloud Platform | Hosting and operating the Service. Production data is processed in europe-west2 (London) with europe-west1 (Belgium) as the secondary region for resilience. | United Kingdom; European Economic Area |
| Identity verification, sanctions and PEP screening providers | KYC, AML and ongoing customer due diligence | UK; EEA; United States (under valid transfer mechanism) |
| Open Banking Third Party Provider | Providing the regulated AISP and PISP services on Kintro's behalf | United Kingdom |
| Card schemes, payment processors and acquirers | Operating top-ups and outbound payments | United Kingdom; European Economic Area |
| Fraud-prevention bureaux | Detection and prevention of fraud against Kintro and the wider financial system | United Kingdom |
| Customer support, communications and analytics platforms | Operating in-app chat, email, push notifications and product analytics | UK; EEA; United States (under valid transfer mechanism) |
| Professional advisers (legal, audit, accounting, regulatory) | Receiving professional advice, statutory audit and regulator-facing assurance work | United Kingdom |
| Regulators and law enforcement | Where we are legally obliged or permitted to disclose — including the FCA, ICO, HMRC, the National Crime Agency and the police | United Kingdom |
| A buyer or successor | If Kintro is sold, restructured or merged, in which case we will take steps to ensure your personal data remains protected | Depends on transaction |
A current list of the specific sub-processors we use is maintained at kintro.money/legal/sub-processors and is updated as it changes.
14 International Transfers
We aim to keep personal data within the United Kingdom and the European Economic Area. Where we transfer personal data outside the UK, we use one of the following safeguards: an adequacy decision under Article 45 UK GDPR; the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses; or, in limited cases, an Article 49 derogation (for example, where the transfer is necessary to perform a contract you have asked us to provide).
If you want a copy of the transfer safeguards we rely on for a specific recipient, please contact privacy@kintro.money.
15 How We Protect Personal Data
Kintro maintains an Information Security Management System aligned to ISO/IEC 27001:2022, the NCSC Cyber Assessment Framework and Cyber Essentials. The full control set is set out in KIN-SEC-001 (Information Security Policy). Specific measures relevant to your personal data include:
- Encryption of personal data in transit using TLS 1.2 or above, and at rest in Cloud SQL and Cloud Storage using keys managed in Google Cloud KMS (FIPS 140-2 validated).
- Strong Customer Authentication on financial actions, with biometric authentication anchored to the customer's device.
- Cryptographic signing (HMAC-SHA256) of ledger entries to assure the integrity of payment and balance records.
- Role-based access control, least-privilege provisioning and quarterly access reviews for staff.
- 24/7 monitoring through Google Cloud Security Command Center and a documented incident management process aligned to KIN-SEC-002 (Incident Management Policy).
- Business continuity and disaster recovery testing aligned to KIN-BCP-001 (Business Continuity and Disaster Recovery Policy).
16 Retention
We keep personal data only for as long as we need it for the purpose it was collected, or as required by law. Default retention periods are:
| Data category | Retention period | Reason |
|---|---|---|
| KYC, identity verification records and AML files | 5 years after the end of the customer relationship; longer if extended by law | Money Laundering Regulations 2017 reg. 40 |
| Transactional and payment records | 6 years after the transaction | PSR 2017 and HMRC record-keeping obligations |
| Open Banking consent records | 5 years after the consent ends | PSR 2017 reg. 67 / FCA evidence requirements |
| Complaints and dispute records | 6 years after the complaint is closed | DISP 1.9 (FCA Handbook) |
| Marketing preferences and unsubscribes | Indefinitely (suppression list) | To honour your opt-out under PECR |
| Application logs and security audit trails | 13 months | PCI / FCA expectations on monitoring; balanced against data minimisation |
| CCTV at office locations (if any) | 30 days | Standard ICO guidance |
| Recruitment data for unsuccessful applicants | 12 months | To answer follow-up questions and consider future roles |
After the relevant retention period, we either delete the personal data or anonymise it so it can no longer be associated with you.
17 Cookies and Similar Technologies
Our website and apps use cookies and similar technologies (SDKs, pixels, local storage) to keep you signed in, remember preferences, measure how the Service is used and prevent fraud. We classify these as strictly necessary, functional, analytics and marketing cookies.
Strictly necessary cookies are set without your consent because they are essential to deliver the Service. For all other categories, we obtain your consent through a PECR-compliant consent banner on first visit, and you can change your choices at any time at kintro.money/legal/cookies.
18 Your Rights
Under UK GDPR you have the following rights, subject to limited exceptions:
- Right to be informed (Articles 13–14).
- Right of access (Article 15) — to obtain a copy of the personal data we hold about you.
- Right to rectification (Article 16).
- Right to erasure (Article 17) — in limited circumstances. We may need to retain information to meet legal obligations described in Section 16.
- Right to restrict processing (Article 18).
- Right to data portability (Article 20) for data you provided to us under contract or with consent.
- Right to object (Article 21), including to direct marketing and to processing based on legitimate interests.
- Rights related to automated decision-making and profiling (Article 22) — see Section 8.
- Right to withdraw consent at any time, where consent is the lawful basis.
To exercise any of these rights, contact privacy@kintro.money. We will respond within one month of receiving your request, extendable by a further two months in complex cases (we will tell you if that applies).
19 Children
The Kintro Service is not directed at children under 18 and we do not knowingly process personal data of children. If we become aware that we have collected personal data from a child without an appropriate basis, we will delete it. If you believe a child has provided us with personal data, please contact privacy@kintro.money.
20 Changes to This Policy
We may update this Policy from time to time. Where the change affects you materially, we will give you notice (for example, through in-app messaging or by email) before it takes effect. The Document code, Version and Date on the title page indicate the current version. Older versions are available on request.
21 How to Complain
If you are not happy with how we handle your personal data, please contact our Data Protection Lead at privacy@kintro.money first so we can try to put things right. You also have the right to complain to the UK Information Commissioner's Office (ICO):
- Online: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If your complaint relates to a regulated payment or e-money service, you may also be able to take it to the Financial Ombudsman Service. We explain how in our Terms and Conditions (KIN-LEG-001).
22 Contact Us
Kintro Ltd
Data Protection Lead: privacy@kintro.money
General queries: hello@kintro.money
Postal address available on request.
Appendix A: Summary of Lawful Bases
| Basis | When we use it |
|---|---|
| Consent (6(1)(a)) | Marketing to prospects; Open Banking AISP / PISP consent flows; cookies that are not strictly necessary |
| Contract (6(1)(b)) | Operating your Kintro account and providing the services you have signed up for |
| Legal obligation (6(1)(c)) | KYC, AML, sanctions, SCA, FCA reporting, tax and accounting record-keeping |
| Vital interests (6(1)(d)) | Rarely — only in life-threatening situations such as preventing acute customer harm |
| Public task (6(1)(e)) | Not currently relied on |
| Legitimate interests (6(1)(f)) | Fraud prevention, product improvement, business administration, defence of legal claims |
Appendix B: Categories of Personal Data
| Category | Sensitivity | Typical retention |
|---|---|---|
| Identity and contact | Standard | 5 years after relationship ends |
| Biometric liveness images | Special category | 5 years after relationship ends |
| Financial and transactional | Standard | 6 years after transaction |
| Device, technical and usage | Standard (pseudonymised where possible) | 13 months |
| Communications and support | Standard | 6 years after closure |
| Risk, fraud and compliance | Standard / sensitive | 5–6 years |
Appendix C: Essence of the Joint Controller Arrangement
- Kintro is the first point of contact for customers and is responsible for providing information about the processing (this Policy).
- Kintro handles individual rights requests for jointly controlled processing in the first instance, and consults the Principal where necessary.
- The Principal is responsible for the underlying regulated activity, for safeguarding customer funds, and for filing regulatory reports with the FCA and other authorities.
- Kintro and the Principal each maintain their own technical and organisational measures appropriate to the data they process, and notify the other promptly of any personal data breach affecting jointly controlled data.
Appendix D: Document Control
| Field | Value |
|---|---|
| Document code | KIN-DPA-002 |
| Title | Privacy Policy |
| Version | 1.0 |
| Status | Draft for Review |
| Classification | Public |
| Owner | Munene Njogu (CTO and acting Data Protection Lead) |
| Review cycle | Annually, or on any material change |
| Related documents | KIN-SEC-001 Information Security Policy; KIN-SEC-002 Incident Management Policy; KIN-BCP-001 Business Continuity and Disaster Recovery Policy; KIN-LEG-001 Terms and Conditions |