Privacy Policy

1. Introduction

AYBANK INC (License No. 2779) is authorized and regulated by the Financial Services Unit of the Commonwealth of Dominica and is headquartered at 2nd Floor, 38 King George V Street, Roseau, Commonwealth of Dominica. AYBANK INC is registered in the Commonwealth of Dominica under Company No. 2025/C0125.

The Bank takes the privacy and security of your personal information seriously. This Privacy Policy explains how the Bank collects, uses, discloses, shares, stores, protects, and retains personal data in the course of providing banking, payment, card, account, compliance, identity verification, mobile application, website, and financial technology services.

By using our services, website, mobile application, online platforms, or customer support channels, you acknowledge that you have read and understood this Privacy Policy and that your personal data may be processed as described in this Privacy Policy, subject to applicable law.

2. Personal Data We Collect

The Bank may collect and process various categories of personal data from different sources to provide regulated banking and financial services, protect customers, comply with legal obligations, and prevent fraud and financial crime.

2.1. Categories of Personal Data

·       Identifying information: name, physical address, email address, telephone number, date of birth, nationality, tax identification number, occupation, and government-issued identification numbers, such as passport number or national ID number.

·       Financial information: bank account details, credit or debit card information, transaction data, account balances, payment history, source of funds, source of wealth, expected account activity, beneficiary information, and payment instructions.

·       Employment and business information: job title, employer or company name, business address, business activity, annual income, corporate ownership, directorship, authorized representative information, and information about beneficial owners, directors, officers, shareholders, controllers, and signatories.

·       Electronic and network information: IP address, device information, device identifiers, operating system, browser type, app version, network data, session data, login history, authentication events, log data, security signals, and device integrity information.

·       Location information: approximate location, IP-based location, country, region, city, transaction location, login location, and precise location where enabled by your device settings and where required for compliance, security, fraud prevention, or geo-restriction purposes.

·       Communications information: email address, telephone number, support tickets, email correspondence with AYBANK, call or chat records where applicable, push notification tokens, SMS delivery metadata, OTP records, transactional notification records, and service communication history.

·       Diagnostics and performance data: crash logs, app performance data, error reports, latency information, feature usage, system logs, device performance data, application stability data, and diagnostic records used to maintain secure and reliable services.

·       Sensitive personal data: where required for legal compliance, identity verification, anti-money laundering, fraud prevention, or account security, the Bank may collect sensitive information such as copies of identification documents, biometric data, face data, liveness verification data, sanctions or PEP screening results, adverse media results, and information about an individual’s financial status.

·       Other personal data: any additional personal data you provide, such as information collected through client surveys, feedback forms, onboarding forms, account applications, regulatory declarations, or customer support interactions.

2.2. Data Collection Circumstances

·       Account opening: when you apply for an account or service, we collect personal data necessary to process your application, verify your identity, assess eligibility, conduct KYC/KYB checks, and comply with AML/CTF obligations.

·       Corporate account opening: when a company or other legal entity opens an account, the Bank collects personal data for the company’s beneficial owners, directors, officers, shareholders, controllers, authorized representatives, and signatories.

·       Biometric and liveness verification: when identity verification is required, you may be asked to provide a selfie, facial image, liveness video, or biometric verification data to confirm that you are a real person and that your face matches the identity document submitted.

·       Ongoing compliance: throughout the client relationship, the Bank may require updated information to meet legal and regulatory requirements, including proof of address, source of funds, source of wealth, transaction explanations, sanctions screening, PEP screening, adverse media checks, and enhanced due diligence.

·       Website and mobile application use: when you use our website, mobile application, online banking, card services, payment services, or account access features, we may automatically collect device, log, security, diagnostic, performance, usage, and location information.

·       Customer support and inquiries: when you contact customer service or support, we collect your name, contact information, account reference, details of your inquiry, communications with AYBANK, and information needed to resolve your request.

·       Surveys and feedback: if you choose to participate in a Bank survey or feedback program, we collect any personal data you provide to help improve our services. Participation is voluntary and you may opt out at any time.

2.3. Sources of Personal Data

·       Directly from you: data you provide when you open an account, apply for a service, complete onboarding, submit identity documents, complete liveness checks, make transactions, or communicate with the Bank.

·       Third-party service providers: data from providers that perform services for the Bank, including identity verification, KYC/KYB, AML/CTF screening, sanctions screening, fraud prevention, card processing, payments, analytics, diagnostics, cloud hosting, communications, or customer support services.

·       Public sources: information available in public records, corporate registries, sanctions lists, PEP databases, adverse media sources, court records, regulatory notices, or public registers used for identity verification, due diligence, and risk assessment.

·       Website and mobile applications: information collected automatically when you use our website, mobile application, online banking, account access, payment, card, or digital service features.

·       Government and regulatory authorities: data obtained from government, regulatory, law enforcement, tax, sanctions, or competent authorities where required or permitted by law.

2.4. Face Data and Biometric Verification Data

For identity verification, fraud prevention, account security, and compliance purposes, AYBANK may collect or process face data and biometric verification data during onboarding, account recovery, enhanced due diligence, or high-risk verification events.

Face data may include a selfie image, facial image, liveness video, face scan, face geometry, biometric template or mathematical representation generated from a facial image, and the comparison result confirming whether the face matches the identity document provided. The exact data collected may depend on the verification method, customer jurisdiction, product, risk profile, and third-party identity verification provider used.

AYBANK uses face data only for the following purposes:

·       verifying that the person opening or accessing an account is the real individual shown on the submitted identity document;

·       performing liveness checks to detect spoofing, masks, screen replays, deepfakes, synthetic identities, or other impersonation attempts;

·       preventing identity fraud, account takeover, unauthorized access, duplicate accounts, and financial crime;

·       conducting KYC/KYB, AML/CTF, sanctions, PEP, fraud prevention, and enhanced due diligence controls;

·       supporting account recovery, step-up authentication, or high-risk transaction verification where required;

·       maintaining audit evidence of identity verification outcomes required by law, regulation, audit, investigation, dispute resolution, or competent authority.

AYBANK does not use face data for advertising, marketing profiling, sale to third parties, unrelated analytics, or any purpose unrelated to identity verification, security, compliance, fraud prevention, or regulated financial services.

Face data may be processed by AYBANK and by authorized identity verification, KYC/KYB, biometric verification, fraud prevention, cloud hosting, security, and compliance service providers acting on AYBANK’s instructions. These providers are required to apply appropriate confidentiality, information security, access control, retention, and data protection safeguards.

Face data may be stored in secure systems operated by AYBANK or its authorized service providers. Depending on the provider and technical architecture, storage may occur in secure cloud infrastructure located outside the Commonwealth of Dominica, subject to contractual, technical, and organizational safeguards described in this Privacy Policy.

Raw selfie images, facial images, liveness videos, face scans, and biometric templates are retained only for as long as necessary for identity verification, security review, fraud prevention, legal compliance, audit evidence, dispute resolution, or regulatory purposes. AYBANK retains identity verification records, verification results, KYC/KYB evidence, and related compliance records for a minimum of seven (7) years after account closure, last activity, or the end of the customer relationship, or longer where required by law, regulation, investigation, audit, dispute, or competent authority. Where a third-party identity verification provider retains face data on AYBANK’s behalf, such retention is governed by AYBANK’s instructions, contractual safeguards, provider retention settings, and applicable law.

You may decline to provide face data; however, AYBANK may be unable to open, maintain, recover, or secure your account, or provide regulated services, where biometric or liveness verification is required for identity verification, compliance, fraud prevention, or account security.

2.5. Mobile App and Website Data Collection

When you use AYBANK’s mobile application, we may collect technical, device, diagnostic, security, usage, communication, and location-related information required to operate the application securely and to comply with banking, payment, AML/CTF, fraud prevention, sanctions, and geo-restriction obligations. This information may include:

·       device identifiers, device ID, advertising ID where applicable, application instance ID, operating system, device model, language, time zone, IP address, network information, login and session information, and security event data;

·       crash logs, performance data, diagnostics, application errors, latency, app version, feature usage, system performance information, and service availability information;

·       approximate or precise location information where permitted by your device settings and where required for security, fraud prevention, AML/CTF controls, sanctions compliance, jurisdiction restrictions, transaction verification, or account protection;

·       authentication and notification data, including OTP delivery status, push notification tokens, SMS verification metadata, and transactional communication records;

·       customer support communications that you send to us, including emails, forms, chat messages, support tickets, and call-related information where applicable.

AYBANK does not collect mobile application data for purposes unrelated to providing, securing, monitoring, improving, or complying with legal obligations connected to our regulated services.

2.6. Location Data

AYBANK may collect and process approximate or precise location data when you use our mobile application, website, cards, payment services, account access features, or transaction services. Location data may be collected directly from your device where you have granted permission, or indirectly through IP address, device settings, network information, card transaction location, payment metadata, or login activity.

Location data may be used to verify whether you are accessing AYBANK services from a permitted jurisdiction; prevent fraud, account takeover, unauthorized access, identity misuse, and suspicious activity; apply AML/CTF, sanctions, and geo-restriction controls; detect unusual login or transaction patterns; secure card, payment, wallet, and account activity; support regulatory reporting, audit, and risk-management obligations; and provide location-based security alerts or transaction notifications.

Precise location data is collected only where necessary, proportionate, permitted by applicable law, and enabled through your device or application permissions. You may disable location permissions through your device settings; however, disabling location access may limit access to certain services or require additional verification where location data is needed for compliance, security, fraud prevention, or jurisdiction-control purposes. AYBANK does not sell precise location data.

2.7. Device Identifiers, Security Data, Diagnostics and Performance Data

AYBANK may collect device identifiers and technical information to protect customer accounts, maintain platform integrity, prevent fraud, and comply with financial crime controls. This includes device IDs, device fingerprinting signals, IP address, operating system, browser type, app version, network information, login records, session identifiers, authentication events, and security-risk indicators.

We use this information for fraud prevention, account security, session integrity, authentication controls, detection of unauthorized access or device compromise, AML/CTF monitoring, sanctions and transaction-monitoring risk controls, suspicious device or payment behavior detection, prevention of service misuse, audit trails, regulatory records, and service reliability.

AYBANK may also collect crash logs, diagnostic information, and performance analytics from the website and mobile application. This information helps us identify technical errors, fix bugs, improve application stability, monitor service availability, and enhance user experience. Diagnostic and performance data is not used to access private user content stored on a device.

2.8. Email, SMS, OTP and Communications Data

AYBANK may process email addresses, telephone numbers, SMS delivery metadata, OTP verification records, transactional notifications, push notification tokens, support communications, and customer service correspondence for account security, authentication, customer support, regulatory communication, and transaction-related notices.

AYBANK uses email and SMS communications for one-time passwords, verification codes, authentication messages, transaction confirmations, account activity alerts, security alerts, service updates, customer support responses, legally required notices, account statements, compliance requests, and operational communications.

AYBANK does not access, read, scan, or collect the contents of your personal email inbox, SMS inbox, private messages, contacts, or unrelated communications stored on your device. Any email, SMS, chat, or support message processed by AYBANK is limited to communications sent to or from AYBANK, transactional messages generated by AYBANK, or verification and notification records required to operate and secure the service.

2.9. Contacts and Address Book

AYBANK does not access, upload, or process your device contact list or address book unless a specific feature clearly requests such permission and you provide explicit consent. If contact access is ever requested, AYBANK will explain the purpose at the time of collection and will use such data only for the stated purpose.

3. How We Use Personal Data

The Bank processes personal data for legitimate business purposes, including:

·       Account management and services: to open and maintain accounts, process transactions, issue statements, provide cards, payment services, online banking, customer support, and other banking services you request.

·       Customer communication: to communicate with you regarding your account and services, including transaction alerts, notices, updates, confirmations, security alerts, support responses, and legal or regulatory communications.

·       Identity verification and due diligence: to verify your identity, authenticate documents, conduct liveness checks, compare face data with identity documents, perform background checks, and complete KYC/KYB, AML/CTF, sanctions, PEP, adverse media, and fraud prevention checks.

·       Compliance and legal obligations: to comply with applicable laws and regulations of Dominica and any other applicable jurisdiction, including reporting requirements, record-keeping obligations, sanctions obligations, suspicious activity reviews, regulatory audits, and lawful requests.

·       Security and fraud prevention: to monitor accounts, devices, sessions, location indicators, transactions, counterparties, beneficiaries, and account activity for suspicious, unauthorized, prohibited, or fraudulent behavior.

·       Geo-restriction and sanctions controls: to determine whether services may lawfully be provided in a jurisdiction, restrict access from prohibited jurisdictions, screen transactions and counterparties, and comply with sanctions requirements.

·       Device/session risk monitoring: to identify unusual login patterns, device changes, account takeover risk, compromised credentials, suspicious technical behavior, or abnormal transaction activity.

·       Business operations and analytics: to conduct internal functions such as auditing, accounting, reconciliation, quality assurance, reporting, operational analysis, business planning, and record-keeping. Aggregated or pseudonymized data may be used for statistical analysis without directly identifying individual clients.

·       Diagnostics and service improvement: to diagnose technical issues, repair bugs, monitor crash events, improve app performance, maintain service availability, and enhance security and user experience.

·       Marketing and promotions: to send information about new products, services, promotions, or events that may be of interest to you, subject to consent where required. You may opt out of marketing communications at any time.

·       Legal processes and dispute resolution: to comply with subpoenas, court orders, regulatory requests, law enforcement requests, audits, investigations, complaints, disputes, and to establish, exercise, or defend legal rights.

4. Automated Processing and Profiling

The Bank may use automated methods to analyze or make decisions based on personal data, subject to appropriate controls and human oversight where required.

Service customization: We may analyze anonymized or pseudonymized data about transaction history and usage patterns to provide personalized information about our services. This automated processing is intended to enhance customer experience and does not adversely affect your rights.

Identity verification and fraud detection: The Bank and its service providers may use automated systems and algorithms to authenticate identity documents, perform facial comparison, conduct liveness detection, identify suspected document tampering, detect duplicate or synthetic identities, and flag unusual transaction behavior. These automated checks are used to enhance security and compliance and do not make final account decisions without appropriate review where required.

Automated customer support: Certain routine inquiries or requests may be initially handled by automated systems, such as chatbots or interactive voice response. You may request assistance from a Bank representative.

5. Legal Basis for Processing Personal Data

·       Contractual necessity: processing necessary to perform our contract with you, such as opening an account, processing a transaction, providing a card, or delivering a requested service.

·       Legal and regulatory compliance: processing necessary to comply with laws and regulations, including identity verification, AML/CTF, sanctions screening, transaction monitoring, record retention, regulatory reporting, tax obligations, and audit requirements.

·       Legitimate interests: processing necessary for the Bank’s legitimate business interests, provided those interests do not override your privacy rights, including protecting systems, preventing fraud, verifying identity, improving services, securing accounts, and safeguarding legal rights.

·       Consent: in limited cases, such as optional marketing, optional device permissions, precise location access where required by applicable law, or certain optional services, we rely on consent. You may withdraw consent at any time, subject to legal, regulatory, security, or contractual restrictions.

6. Data Protection Principles

·       Lawfulness, fairness, and transparency: personal data is processed lawfully, fairly, and transparently in accordance with this Privacy Policy.

·       Purpose limitation: personal data is collected only for specific, explicit, and legitimate purposes and is not used for incompatible purposes.

·       Data minimization: AYBANK collects and retains only personal data that is necessary, proportionate, and relevant for the stated purposes.

·       Accuracy: AYBANK takes reasonable steps to ensure that personal data is accurate, complete, and up to date. You should notify us when your information changes.

·       Storage limitation: personal data is retained only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal, regulatory, audit, security, dispute-resolution, or fraud-prevention obligations.

·       Integrity and confidentiality: AYBANK implements appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

·       Accountability: AYBANK is responsible for complying with these principles and maintaining records, controls, and governance to demonstrate compliance.

7. Your Rights

Subject to applicable law, you may have the following rights with respect to your personal data:

·       Right to access: request confirmation of whether AYBANK holds your personal data and obtain a copy of that data.

·       Right to correction: request that AYBANK correct or update inaccurate or incomplete personal data.

·       Right to erasure: request deletion of personal data when it is no longer needed and no legal obligation requires retention. AYBANK may refuse or delay deletion where retention is required for AML/CTF, sanctions, tax, accounting, audit, legal, fraud prevention, dispute-resolution, or regulatory purposes.

·       Right to restrict processing: request a temporary restriction on processing, for example while disputed data accuracy is verified.

·       Right to object: object to processing based on legitimate interests. AYBANK will cease processing for that purpose unless it demonstrates compelling lawful grounds for continuing.

·       Right to data portability: to the extent applicable, request that AYBANK provide personal data in a structured, machine-readable format where processing is based on consent or contract and carried out by automated means.

·       Right to withdraw consent: withdraw consent where processing is based on consent. Withdrawal does not affect processing that occurred before withdrawal and may not affect processing required for legal, regulatory, compliance, security, or contractual purposes.

·       Right to account closure or deletion request: request closure of an account or deletion of data through available channels, subject to settlement of outstanding obligations and mandatory retention requirements.

8. International Data Transfers

AYBANK INC may process and store personal data on servers located outside the Commonwealth of Dominica, including through cloud service providers, identity verification providers, payment partners, card partners, compliance vendors, support providers, analytics providers, or affiliates in other countries. When personal data is transferred outside Dominica, the Bank ensures that appropriate safeguards are in place.

Such safeguards may include adequacy assessments, contractual clauses, data processing agreements, confidentiality obligations, security requirements, access controls, encryption, organizational policies, and vendor due diligence. In all cases, the Bank uses technical and organizational measures to protect personal data in transit and storage, regardless of location.

8.1. Third-Party Service Providers and Processors

AYBANK may share personal data with carefully selected third-party service providers, processors, banking partners, payment partners, card program partners, technology providers, and compliance vendors where necessary to provide services, meet legal obligations, prevent fraud, verify identity, or operate securely.

These providers may include the following categories:

·       KYC, KYB, identity verification, biometric verification, face matching, liveness check, document verification, and customer onboarding providers;

·       AML/CTF, sanctions screening, PEP screening, adverse media, transaction monitoring, blockchain analytics, fraud detection, device intelligence, location-risk, and financial crime prevention providers;

·       cloud hosting, infrastructure, cybersecurity, database, storage, disaster recovery, network, and IT service providers;

·       payment processors, correspondent banks, banking-as-a-service providers, card issuers, card processors, card networks, payment networks, settlement partners, liquidity providers, and other financial institution partners;

·       analytics, crash reporting, diagnostics, application performance monitoring, and platform reliability providers;

·       customer support, communications, email, SMS, OTP, push notification, ticketing, and CRM providers;

·       legal, audit, accounting, compliance, regulatory reporting, tax, and professional advisers;

·       regulators, law enforcement bodies, courts, government agencies, tax authorities, and competent authorities where required or permitted by law.

Third-party service providers are permitted to process personal data only for authorized purposes and are required to apply appropriate confidentiality, security, access control, retention, and data protection safeguards. AYBANK does not sell customer personal data, biometric data, face data, precise location data, or communications data to third parties.

9. Data Security

The Bank is committed to safeguarding personal data. We have implemented security measures including:

·       Access controls: access to personal data is restricted to authorized personnel and service providers with a legitimate business need. Access privileges are regularly reviewed.

·       Encryption: personal data transmitted between you and the Bank’s online services is protected by encryption. Sensitive data stored by the Bank or authorized providers is protected using appropriate security measures.

·       Network and system security: the Bank uses firewalls, intrusion detection and prevention systems, anti-malware software, monitoring, vulnerability management, and security controls to protect systems and data.

·       Physical security: offices, data centers, and infrastructure are protected with appropriate physical security controls.

·       Data backups and disaster recovery: the Bank maintains backups and disaster recovery plans to restore data and operations in the event of an incident.

·       Employee training and policies: employees receive privacy and security training and are subject to confidentiality obligations and policies governing personal data.

·       Third-party security: the Bank conducts due diligence on service providers and requires appropriate contractual and technical safeguards for personal data processing.

10. Data Retention

AYBANK INC is required by law, regulation, banking standards, AML/CTF rules, tax obligations, audit requirements, dispute-resolution needs, and financial crime prevention obligations to retain certain customer, account, transaction, KYC/KYB, device, security, location, communication, biometric, identity verification, and compliance records.

Unless a longer period is required by law, regulatory authority, court order, contractual obligation, audit requirement, dispute, investigation, sanctions matter, suspicious activity review, or legitimate business need, AYBANK retains customer account information, transaction records, KYC/KYB documentation, identity verification records, biometric verification records, AML/CTF records, communications, device and security logs, location-risk indicators, and related compliance records for a minimum of seven (7) years following account closure, last transaction, last activity, or the end of the customer relationship, whichever is later.

Raw face images, liveness videos, face scans, and biometric templates are retained only for as long as necessary for identity verification, fraud prevention, account security, compliance review, audit evidence, dispute resolution, investigation, or regulatory obligations. Verification results and related compliance evidence may be retained for the minimum seven-year period described above, or longer where required by law or competent authority.

If you request deletion of your personal data, AYBANK will comply where legally and operationally possible. However, deletion requests may be refused or delayed where AYBANK must retain data to comply with AML/CTF, sanctions, tax, accounting, banking, regulatory, legal, audit, dispute-resolution, fraud prevention, or law-enforcement obligations.

After the applicable retention period expires, AYBANK will securely delete, anonymize, archive, or restrict access to personal data in accordance with its internal data-retention and information-security procedures.

10.1. Account Deletion and Regulatory Retention

Customers may request account closure or deletion of personal data by contacting AYBANK through the contact details stated in this Privacy Policy or through available account management tools.

Where an account-deletion request is received, AYBANK may close or deactivate the account where permitted; disable access to services after outstanding obligations are resolved; delete data that is no longer required; and retain records required for AML/CTF, sanctions, fraud prevention, tax, accounting, audit, legal, regulatory, or dispute-resolution purposes.

Account deletion does not automatically remove records that AYBANK is legally required or permitted to retain as a regulated financial institution.

11. Changes to this Privacy Policy

The Bank reserves the right to amend or update this Privacy Policy at any time. When changes are made, AYBANK will update the “Last updated” date at the top of this document. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by sending a notification, such as an email or in-app notice. You are encouraged to review this Privacy Policy periodically to stay informed about how we protect your information.

12. Contact Information

If you have questions or concerns about this Privacy Policy or wish to exercise your data protection rights, please contact AYBANK:

·       Company: AYBANK INC (Dominica)

·       Address: 2nd Floor, 38 King George V Street, Roseau, Commonwealth of Dominica

·       Email: info@aybank.com

·       Phone: +1 767 285 0736

We will respond to your inquiry in accordance with applicable laws and regulatory requirements.