Effective Date: January 2026

Privacy Policy

We collect only what we need, protect what we hold, and respect your right to control your personal data — in compliance with US privacy law and the UK/EU General Data Protection Regulation.

01 / Introduction

Who we are and why this matters

Rhofin Inc. ("we," "us," or "our") is a Delaware corporation building API-driven middleware for institutional trade finance. We are committed to protecting your privacy and ensuring the security of your personal data in compliance with applicable US state privacy laws and the UK and EU General Data Protection Regulation (UK GDPR and EU GDPR respectively), together referred to in this policy as "GDPR" except where a distinction is necessary.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, how long we retain it, and what rights you have in relation to it. It applies to all individuals who interact with our website, request a briefing, or express interest in the Rhofin platform.

Following the United Kingdom's departure from the European Union, the UK operates its own data protection framework under the UK GDPR and the Data Protection Act 2018. Where this policy refers to "GDPR," it covers both regimes unless otherwise stated. Individuals in the UK may exercise their rights under UK GDPR and direct complaints to the Information Commissioner's Office (ICO). Individuals in the EEA may exercise their rights under EU GDPR and direct complaints to their local supervisory authority.

We do not sell your personal data. We do not engage in behavioural advertising or targeted advertising based on your personal data. We collect only the minimum information necessary to operate our platform and communicate with you.

02 / Data Controller

Who is responsible for your data

The data controller responsible for your information is Rhofin Inc., a Delaware corporation incorporated in the United States. As data controller, we determine the purposes and means of processing your personal data and are accountable for its protection under applicable law.

Rhofin Inc. is not currently required to appoint a Data Protection Officer (DPO) under Article 37 EU GDPR or the equivalent UK GDPR provision, as our processing activities do not fall within the categories mandating a DPO. We have nonetheless designated a responsible point of contact for all data protection matters.

As a US-based controller offering services to individuals in the European Economic Area and the United Kingdom, we are subject to Article 27 EU GDPR and the equivalent UK GDPR obligation to designate a representative in those territories. We are in the process of formalising this designation and will update this policy upon completion. In the interim, enquiries from EEA and UK residents may be directed to our contact below.

For any privacy enquiries, to exercise your rights, or to raise a concern, please contact our designated data protection contact at compliance@rhofin.com. We aim to respond to all privacy requests within the timeframes set out in Section 9 of this policy.

03 / Information We Collect

What we collect and why

We collect only the minimum data necessary to provide our services and manage our waitlist. The categories of data we process are:

Identity and Contact
First name, last name, email address, and company name — provided voluntarily when you submit a briefing request, expression of interest, or contact form. Under CCPA/CPRA, this constitutes "identifiers" and "professional or employment-related information."
Technical Data
IP address, browser type, device information, operating system, and interaction data collected automatically via standard web server logs to ensure site security, stability, and performance. Under CCPA/CPRA, this may constitute "internet or other electronic network activity information."
Communication Data
Records of correspondence when you contact us by email, including your message content, to enable us to respond accurately and maintain records of our interactions.
Cookie and Usage Data
Information about how you navigate our website, collected via cookies and similar technologies. Please see Section 7 (Cookies and Tracking Technologies) for full details.

We do not collect special categories of personal data (under GDPR) or sensitive personal information (under CCPA/CPRA) through this website. This includes financial account details, government identifiers, biometric data, health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or precise geolocation data. Any data provided to us through the Rhofin platform in a future commercial context will be governed by a separate Data Processing Agreement.

04 / How We Use Your Information

Lawful purposes for processing

We process your data strictly for the following lawful purposes. Under EU/UK GDPR, each processing activity must have a valid legal basis under Article 6. Under US state laws (including CCPA/CPRA, VCDPA, and equivalent statutes), processing must be disclosed and limited to stated purposes.

Service Provision
To manage your position on our priority waitlist, respond to briefing requests, and provide access to the Rhofin platform when it becomes available. GDPR lawful basis: Performance of a pre-contractual measure taken at your request (Article 6(1)(b)), or our legitimate interests in operating our business (Article 6(1)(f)).
Communication
To send you product updates, launch notifications, and relevant institutional insights. Where such communications are marketing in nature, we will only send them where you have expressly consented. Transactional communications (e.g., confirmations of your waitlist submission) are sent on the basis of legitimate interests or pre-contractual steps. GDPR lawful basis: Consent (Article 6(1)(a)) for marketing; legitimate interests (Article 6(1)(f)) for transactional communications. You may withdraw consent at any time.
Legal Compliance
To comply with applicable legal and regulatory obligations, enforce our terms of service, and prevent, detect, and investigate fraud or other unlawful activity. GDPR lawful basis: Legal obligation (Article 6(1)(c)) or legitimate interests (Article 6(1)(f)).
Site Security
To monitor and protect the security and integrity of our website and infrastructure. GDPR lawful basis: Legitimate interests (Article 6(1)(f)) in maintaining a secure and operational website.

Automated decision-making: We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you, as described in Article 22 EU/UK GDPR or equivalent US state law provisions.

No sale or sharing for advertising: We do not sell your personal data to third parties. We do not share your personal data with third parties for the purpose of cross-context behavioural advertising, as defined under CCPA/CPRA.

05 / Data Sharing and International Transfers

Who we share data with

Your data is processed primarily in the United States by Rhofin Inc. We do not sell your personal data to third parties under any circumstances. We do not share your personal data for the purpose of targeted advertising.

We may share data with a limited number of trusted third-party service providers solely for the purpose of operating our platform. These providers are contractually bound to process your data only on our instructions and in accordance with applicable privacy law. Categories of third-party processors may include:

  • Cloud infrastructure and hosting providers
  • Email delivery service providers
  • Website analytics providers (where applicable)
  • Security monitoring and fraud prevention services

We do not permit our service providers to use your personal data for their own purposes. We maintain written data processing agreements with all third-party processors in accordance with Article 28 EU/UK GDPR.

We may also disclose personal data where required to do so by law, regulation, court order, or governmental authority, or where necessary to protect the rights, property, or safety of Rhofin, our users, or the public.

For data originating from the United Kingdom or the European Economic Area (EEA), we ensure appropriate safeguards are in place for any international transfer to the United States or other third countries. Our primary transfer mechanism is Standard Contractual Clauses (SCCs) as approved by the European Commission (for EU transfers) and adopted under the UK GDPR framework (for UK transfers), supplemented where appropriate by technical and organisational measures including encryption and access controls. We do not rely on transfer mechanisms that have been suspended, invalidated, or found inadequate by the relevant supervisory authority.

We do not transfer your data to any country that does not provide an adequate level of protection without first ensuring that appropriate contractual or legal safeguards are in place, in accordance with Articles 44-49 EU GDPR and the equivalent UK GDPR provisions.

06 / Data Retention

How long we keep your data

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following retention periods apply:

Waitlist and Contact Data
Retained for the duration of your waitlist status and for a period of 24 months thereafter, unless you request earlier deletion or withdraw your consent. If the Rhofin platform is launched and you become a customer, your data will be subject to a separate data processing agreement with its own retention terms.
Communication Records
Email correspondence and enquiry records are retained for up to 36 months from the date of last contact, to allow us to respond to follow-up enquiries and maintain business continuity.
Technical and Server Log Data
IP addresses and web server logs are retained for up to 12 months, after which they are deleted or anonymised. Anonymised aggregated analytics data may be retained indefinitely as it no longer constitutes personal data.
Legal and Compliance Records
Records retained for legal, regulatory, or compliance purposes (including records of consent) will be kept for the period required by applicable law, which may be up to 6 years in certain jurisdictions.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with our internal data management procedures. You may request early deletion of your personal data at any time by exercising your right to erasure (see Section 9 below), subject to any overriding legal obligation to retain it.

07 / Cookies and Tracking Technologies

How we use cookies

Our website uses cookies and similar tracking technologies to operate correctly and to understand how visitors use our site. A cookie is a small text file placed on your device when you visit a website.

Under EU/UK GDPR and the UK Privacy and Electronic Communications Regulations (PECR), we are required to obtain your consent before placing non-essential cookies on your device. We use the following categories of cookies:

Strictly Necessary
These cookies are essential for the website to function and cannot be disabled. They do not require your consent and are placed on the basis of our legitimate interest in maintaining a functional, secure website. They do not store any personally identifiable information.
Analytics and Performance
Where used, these cookies help us understand how visitors interact with our website by collecting information in aggregate form. They are only placed with your prior consent. You may withdraw consent at any time via our cookie preferences tool or your browser settings.
Functional
These cookies enable enhanced functionality and personalisation (such as remembering your preferences). They are only placed with your prior consent.

We do not place advertising, marketing, or cross-site tracking cookies. You may control cookie settings through our cookie consent tool, your browser settings, or third-party tools such as the Digital Advertising Alliance opt-out platform (for US residents) or the Your Online Choices tool (for UK/EU residents). Please note that disabling certain cookies may affect the functionality of this website.

We do not use cookies or tracking technologies to build advertising profiles or to share your browsing behaviour with third-party advertisers.

08 / Security Measures

How we protect your data

We implement appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, in accordance with Article 32 EU/UK GDPR and applicable US security standards. Our measures include:

  • Encryption of data in transit using industry-standard TLS protocols
  • Encryption of data at rest on our servers and cloud infrastructure
  • Access controls limiting data access to authorised personnel on a need-to-know basis
  • Regular review of our information security policies and procedures
  • Use of reputable, security-accredited cloud infrastructure and service providers
  • Contractual obligations on all third-party processors to maintain appropriate security standards

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (the ICO in the UK, the relevant EU supervisory authority in the EEA) within 72 hours of becoming aware of the breach, as required by Article 33 EU/UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 EU/UK GDPR.

Please note that no method of transmission over the internet and no method of electronic storage is 100% secure. While we use commercially reasonable means to protect your personal data, we cannot guarantee its absolute security.

09 / Your Rights

Control over your personal data

Depending on your jurisdiction, you have the following rights regarding your personal data. To exercise any of these rights, email us at compliance@rhofin.com. We will acknowledge your request promptly and respond within the timeframes set out below. We may ask you to verify your identity before processing your request.

Right of Access (GDPR / CCPA)
You may request a copy of all personal data we hold about you, including information on how it is being processed, the categories of data held, the purposes of processing, and any third parties with whom it has been shared. Under CCPA/CPRA, this is your "right to know."
Right to Rectification (GDPR)
You may ask us to correct any inaccurate or incomplete personal data we hold about you. We will make corrections promptly and without undue delay, and notify any third-party processors who have received the inaccurate data.
Right to Erasure / Right to Delete (GDPR / CCPA)
You may request the deletion of your personal data. We will comply unless we are required by law to retain it, or have a legitimate overriding interest in doing so (for example, for the establishment, exercise, or defence of legal claims). Under CCPA/CPRA, this is your "right to delete."
Right to Restrict Processing (GDPR)
You may ask us to suspend processing of your data in certain circumstances — for example, while a correction request is being verified, or where you have objected to processing and we are considering that objection.
Right to Data Portability (GDPR)
Where processing is based on your consent or a contract, and is carried out by automated means, you may request your data in a structured, commonly used, machine-readable format (such as CSV or JSON), and request that we transmit it to another controller where technically feasible.
Right to Object (GDPR)
You may object at any time to processing based on legitimate interests (Article 6(1)(f)) or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing immediately. For other legitimate interest processing, we will cease unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Withdraw Consent (GDPR)
Where processing is based on your consent, you have the right to withdraw that consent at any time without detriment. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. You may withdraw consent by emailing us or by using the unsubscribe link in any marketing communication we send.
Right to Opt-Out of Sale or Sharing (CCPA/CPRA)
California residents have the right to opt out of the sale or sharing of their personal information. We do not sell or share personal information for targeted advertising purposes; however, you may direct any such request to us at compliance@rhofin.com and we will confirm our practices in writing.
Right to Non-Discrimination (CCPA/CPRA)
California residents have the right not to receive discriminatory treatment for exercising their privacy rights. We will not deny services, charge different prices, or provide a different quality of service as a result of you exercising any right under CCPA/CPRA.
Rights Related to Automated Decision-Making (GDPR / US State Laws)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. As stated in Section 4, we do not engage in such processing. This right is preserved in the event our practices change in the future.

Response timeframes: For requests under EU/UK GDPR, we will respond within one calendar month of receipt, extendable by a further two months where necessary due to complexity or volume of requests, with notice provided to you. For requests under CCPA/CPRA, we will respond within 45 days of receipt, extendable by a further 45 days where necessary. We will not charge a fee for responding to your request unless it is manifestly unfounded or excessive.

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your relevant supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, this is your local data protection authority. In the US, California residents may contact the California Privacy Protection Agency (CPPA) or the California Attorney General's office. Residents of other US states may contact their respective state Attorney General. We nonetheless encourage you to contact us first so that we may address your concern directly.

10 / Contact Us

Get in touch about your data

For any privacy-related enquiry, to exercise your rights, or if you have a concern about how we handle personal data, please reach out to us directly. We take all privacy requests seriously and will respond within the applicable statutory timeframe.

Entity: Rhofin Inc.
Address: 221 W 9th St #180, Wilmington, DE 19801, USA
Response: Within one calendar month (GDPR) or 45 days (CCPA/CPRA) of receipt