Privacy Policy

1. INTRODUCTION

ZEN.COM (“ZEN”, “we”, “us”, “our”) is committed to ensuring the protection of personal data in accordance with applicable data protection laws and financial regulatory requirements.

This Privacy Policy applies to all personal data processed in connection with:

  • ZEN’s payment and financial services
  • Mobile applications and websites
  • Customer onboarding processes (including incomplete or rejected applications)
  • Customer Support interactions
  • Website usage and tracking technologies

ZEN processes personal data in accordance with:

  • Regulation (EU) 2016/679 (EU General Data Protection Regulation – GDPR)
  • United Kingdom GDPR and the Data Protection Act 2018
  • Singapore Personal Data Protection Act (PDPA)
  • Applicable financial services and Anti-Money Laundering and Counter-Terrorist Financing (AML/CTF) regulations

This Privacy Policy shall be considered in conjunction with the Terms and Conditions applicable to each operating jurisdiction.

2. DATA CONTROLLERS AND SUPERVISORY AUTHORITIES

The relevant ZEN entity acting as Data Controller depends on the Legal Entity providing the service:

Jurisdiction: European Union (EU)
  • Legal Entity: UAB ZEN.COM, Konstitucijos av. 18B, LT-09308 Vilnius – Lithuania
  • Supervisory Authority: State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija – VDAI), L. Sapiegos str. 17 LT-10312 Vilnius – Lithuania; Email: [email protected]; Website: https://vdai.lrv.lt/en/

Jurisdiction: United Kingdom (UK)
  • Legal Entity: ZEN-UK Limited, 344-354, Gray’s Inn Road, WC1X 8BP London – United Kingdom
  • Supervisory Authority: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom; Email: [email protected]; Website: https://ico.org.uk/

Jurisdiction: Singapore (SG)
  • Legal Entity: ZEN.COM PTE LTD, 100 Tras Street 079027, Singapore
  • Supervisory Authority: Personal Data Protection Commission (PDPC), 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438; Email: [email protected]; Website: https://www.pdpc.gov.sg/complaints-and-reviews

3. CATEGORIES OF DATA SUBJECTS

ZEN processes personal data relating to (i) Customers, (ii) Prospective customers, (iii) Website users and (iv) Individuals representing merchants and business partners.

4. WHAT DATA IS COLLECTED?

Depending on your country of residence, we may collect, use, store, process and transfer the following data about you. Personal data or personal information means any information from which an individual can be identified. It does not include data where an individual’s identity has been removed (anonymous data) or any data on a legal entity. ZEN processes the following categories of personal data:

Identity/Verification data
  • Title, First name and Surname
  • Date of birth
  • Nationality
  • Country of birth
  • Address
  • ID document
  • Biometric verification data
Contact data
  • Residential address
  • Email address
  • Telephone number(s)
Financial data
  • Account details
  • Payment transactions
  • Card data (tokenised)
Compliance & Risk data
  • AML/KYC screening results
  • Fraud risk indicators
  • Sanctions and politically exposed person (PEP) status
Profile data
  • Username
  • Products used by you
  • Occupation
  • Occupation address
  • Feedback and survey responses
Marketing data
  • Preferences for receiving marketing communications from us or from our third parties.
Technical data
  • The internet protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, cookies and tracking identifiers, browsing behaviour and analytics data.
Usage data
  • Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our sites (including date and time), device identifiers and log files.
Customer Support data
  • Communications, chat interactions and support tickets.

5. HOW DOES ZEN COLLECT DATA?

Direct Interactions
  • Website
  • Zen App usage
  • Provision of services (e.g. Information relating to beneficiaries, shareholders, trustees and directors and accounts held by other financial institutions)

You must obtain appropriate consent before disclosing such information to us.

Third Parties or Publicly Available Information
  • Business partners, sub-contractors, service providers, merchants.
  • Registers held by governmental agencies
  • Compliance and regulatory requirements (e.g. Know Your Customer checks).
  • Banks and other financial institutions during payment operations.
  • Publicly available sources such as social media websites, news websites and company registers worldwide.
  • Cookies and tracking technologies.

We ensure full compliance with regulations irrespective of how we obtain any information.

6. PURPOSES OF PROCESSING AND LEGAL BASIS

ZEN processes personal data for the following purposes:

Purpose: Contractual
  • Account creation
  • Payment processing
  • Transaction execution
Legal basis: Performance of the contract.

Purpose: Regulatory Compliance (AML/CTF)
  • Identity verification
  • Transaction monitoring
  • Reporting to authorities
Legal basis: Compliance with regulatory and legal obligations.

Purpose: Fraud Prevention and Risk Management
  • Fraud detection systems
  • Behavioural analysis
  • Transaction risk scoring
Legal basis: Fulfilment of legitimate interests and compliance with regulatory and legal obligations.

Purpose: Onboarding Assessment
  • Assess eligibility
  • Detect fraud attempts
  • Comply with regulatory obligations
Data may be retained even if onboarding is not completed or is rejected.
Legal basis: Compliance with regulatory and legal obligations and fulfilment of legitimate interests.

Purpose: Customer Support
  • Responding to requests
  • Handling complaints
Legal basis: Performance of the contract and fulfilment of legitimate interests.

Purpose: Website Operation and Analytics
  • Website functionality
Legal basis: Consent and fulfilment of legitimate interests.

Purpose: Marketing and Personalization
  • Service-related communications
  • Marketing communications
Marketing communications are not a condition for the provision of ZEN’s core services.
Legal basis: Performance of the contract. Consent or, where permitted, ZEN’s legitimate interests, subject to your right to object.

When you are an existing client, we will only contact you with information about services similar to those which were the subject of a previous sale or negotiations of a sale to you. When you are a new customer, we will only contact you if you have consented to such. ZEN will also review ‘Do Not Call’ registers to ensure numbers that are listed are not contacted.

ZEN will retain your marketing preferences until you withdraw consent, or for a period of up to 24 months from your last interaction, after which consent may be refreshed or marketing communications discontinued.

You may withdraw this consent at any time by using the links provided at the bottom of marketing emails from us, or by contacting our DPO. This will only affect the way we use personal information when the basis for doing so is your consent.

7. AUTOMATED DECISION-MAKING

ZEN uses automated systems to:

  • Assess transaction risks
  • Detect fraud and financial crime
  • Support onboarding decisions

These processes may result in:

  • Refusal of transactions
  • Account restrictions
  • Onboarding rejection

Data subjects have the right to:

  1. Request human intervention
  2. Express their point of view
  3. Contest decisions

8. DOES ZEN SHARE MY PERSONAL DATA?

Internal Third Parties
  • Members of our companies, entities, representative offices, our subsidiaries, our ultimate holding company and its subsidiaries.
External Third Parties
  • Payment networks (Visa, Mastercard)
  • Financial Institutions
  • Business partners, suppliers and subcontractors for the performance of any contract we enter into with them or you.
  • IT, cloud, analytics and search engine providers.
  • Identity verification services (e.g. Veriff / Idenfy).
  • Police and law enforcement agencies, where required to do so by law.
  • Where under a duty to disclose or share your personal data in order to comply with any legal obligation.

9. WHERE IS MY DATA STORED AND TRANSFERRED?

Due to the global nature of ZEN’s operations and the use of shared infrastructure (including centralised back-office systems, payment processing platforms, fraud monitoring tools and customer support systems), personal data may be transferred to and accessed from jurisdictions outside the country in which it was originally collected.

Such transfers may include:

  • Transfers between ZEN group entities located in the European Union, United Kingdom and Singapore.
  • Transfers to third-party service providers (e.g. cloud providers, fraud detection platforms, payment processors).
  • Remote access to data by authorised personnel located in other jurisdictions.

Where personal data is transferred outside the European Economic Area (EEA), the United Kingdom or Singapore, ZEN ensures that appropriate safeguards are implemented to ensure an adequate level of protection.

These safeguards include:

  • European Union:
    o Standard Contractual Clauses (SCCs) approved by the European Commission
    o Transfers to jurisdictions subject to an adequacy decision
  • United Kingdom:
    o International Data Transfer Agreement (IDTA)
    o UK Addendum to EU Standard Contractual Clauses
    o UK adequacy regulations
  • Singapore:
    o Contractual and organisational measures ensuring a standard of protection comparable to the PDPA

ZEN also conducts transfer risk assessments where required to evaluate risks associated with international transfers, including access by public authorities in third countries.

10. HOW LONG DO YOU KEEP MY DATA?

ZEN retains personal data only for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, regulatory, accounting and reporting obligations.

Given ZEN’s status as a regulated financial institution, retention periods are primarily determined by AML/CTF, financial services and regulatory requirements.

10.1 Customers

Data Type: Retention Period
  • Transaction Data: 8 years following the completion of the transaction.
  • Account Data: Throughout the duration of the business relationship and up to 8 years after termination.
  • Know Your Customer and Identification Data: 8 years after the end of the business relationship.
  • Marketing Communications: 24 months since last interaction.

10.2 Applicants

  • Personal data of individuals who did not complete onboarding may be retained for up to 12 months.
  • Personal data of individuals that were rejected during onboarding may be retained for up to 8 years, for the purposes of fraud prevention and compliance with AML/CTF obligations.

10.3 Website Users

Cookies and tracking data are retained for up to 24 months, depending on the type of cookie.

10.4 Customer Support Data

Customer communications and support tickets are retained for up to 8 years.

10.5 Post-Retention Handling

At the end of the retention period, personal data is securely deleted, or anonymised, or blocked/restricted (where retention is required for legal claims or regulatory purposes).

11. WHAT RIGHTS DO I HAVE?

  • Right to be Informed: You have the right to be informed about the collection and use of your personal data.
  • Right of Access: You have the right to access your personal data. This is commonly referred to as a Data Subject Access Request.
  • Right to Data Portability: You have the right to ask for the personal information you have made available to us to be transferred to you or a third party in machine-readable format, where this right is provided under applicable data protection laws. This right may not apply in all jurisdictions and may be subject to legal limitations or exemptions.
  • Right to Restrict Processing: You have the right to request the restriction or suppression of your personal data. Note that this is not an absolute right and only applies in certain circumstances.
  • Right to Rectification: You have a right to request that we correct your personal information where it is inaccurate, incomplete or out of date. We will comply with your request within one month of receiving it, unless we do not feel it is appropriate for us to do so, in which case we will let you know why.
  • Right to Object: You have the right to object to the processing of your personal data in certain circumstances. You have the absolute right to stop your data from being used for direct marketing.
  • Right to Erasure (subject to legal and regulatory obligations): You have the right to request that any Personal Data that we hold about you is erased once it is no longer required for the purposes for which it was collected. The right to erasure is also known as ‘the right to be forgotten’.
  • Rights related to Automated Decision-Making including Profiling: If a fully automated decision is made on your account, you have the right to request that this decision be reviewed by a person and to present any evidence that you believe supports your challenge of the decision.

ZEN will respond:

  • Within 1 month under GDPR and UK GDPR (extendable where permitted)
  • Within 30 days under the Singapore PDPA

ZEN may request additional information to verify the identity of the requester before processing the request.

Individuals have the right to lodge a complaint with:

  • State Data Protection Inspectorate (VDAI) for residents in the EU
  • Information Commissioner’s Office (ICO) for residents in the United Kingdom
  • Personal Data Protection Commission (PDPC) for residents in Singapore

12. HOW DO YOU KEEP MY DATA SAFE?

At ZEN, safeguarding your personal data is of the utmost importance. We have implemented a comprehensive range of security measures to protect the confidentiality, integrity and availability of your information. Security controls such as encryption and access controls keep your information safe against unauthorised access, use or disclosure.

Personal data is classified and handled in accordance with ZEN’s internal Information Classification and Handling Standard. Access to personal data is limited to authorised personnel on a need-to-know basis.

If required by the applicable data protection laws, we will notify you of any data breach that is likely to result in significant harm or impact to you.

13. COOKIES

We follow the “Express Consent” basis for processing cookies. The first time you visit our sites we will inform you of the cookies we use and you will be given the option to consent for us to use cookies. Some cookies are strictly necessary for the operation of our sites. For users in the United Kingdom, cookie practices comply with PECR.

Our third parties may also receive data about you if you visit other websites using our cookies. We have no control over these websites, which have their own privacy notices, and we do not accept any responsibility or liability for them.

Users may manage or withdraw their consent through cookie preference tools.

For more information you can read our Cookies Policy.

14. IDENTITY VERIFICATION AND DATA DISCLOSURE CONTROLS

To protect personal data and prevent unauthorised access, ZEN applies strict identity verification procedures before disclosing personal data. This includes:

  • Authentication through secure login mechanisms
  • Verification via one-time links or codes
  • Validation of registered contact details
  • Additional verification steps for sensitive requests

Customer support personnel are prohibited from disclosing personal data unless identity has been properly verified. Failure to follow verification procedures may result in disciplinary action and may constitute a personal data breach.

15. HOW CAN I CONTACT ZEN?

If you have any questions regarding this Privacy Policy, including any requests to exercise your personal data rights, you can do so by using the details below:

  • By email at [email protected] to the attention of our DPO.
  • By writing to us at our registered office in the jurisdictions that apply to you (see section 2 of this Policy).

16. UPDATES TO THIS PRIVACY POLICY

ZEN may update this Privacy Policy from time to time to reflect changes in legal or regulatory requirements, changes in services or processing activities and/or improvements to privacy practices.

Where required, ZEN will notify users of material changes through appropriate channels (e.g. email, App notifications, website notices).