
Privacy Policy

Effective Date: October 28th, 2025
Version: 2.0
Previous version: Privacy Policy version 1.0

Important Notice: This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit our websites, use our mobile apps, communicate with us, or otherwise interact with any services, pages, features, or content that link to this Policy (collectively, the “Services”).

We designed this notice to be concise and readable. If you have any questions, contact us at privacy@bleap.finance.

Glossary

Capitalised terms shall have the meanings assigned to them in these Terms, unless the context requires otherwise.

“Personal data” means any information relating to an identified or identifiable natural person.

“Controller” means the entity that determines the purposes and means of processing personal data.

“Processor” means a service provider that processes personal data on our behalf and according to our instructions.

“EEA/UK” means the European Economic Area and the United Kingdom.

“KYC/AML” means know‑your‑customer and anti‑money‑laundering compliance checks.

1. Scope and Definitions

1.1 Contracting entity and scope

This Policy applies to the Services operated by Bleap Ltd, a company incorporated in England and Wales with company number 14918472 and registered office at 9th Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN, and all its subsidiaries (the “Bleap Group”) and covers visitors, applicants, individual customers, and representatives of institutional customers who interact with us online or offline.

If you are reading a translated version, the English version controls to the extent of any conflict, unless local law provides otherwise. 

2. Who We Are and How to Contact Us 

2.1 Controller

The controller of your personal data is: Bleap Ltd, a company incorporated in England and Wales with company number 14918472 and registered office at 9th Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN. 

Email: privacy@bleap.finance 
Postal address: Bleap Ltd, 9th Floor, 107 Cheapside, London, United Kingdom, EC2V 6DN
Data Protection Officer: dpo@bleap.finance 

The Bleap Group is established in the UK via Bleap Ltd and in the EEA via Bleap Finance Sp. z o.o. (Poland).

2.2 Regional operating/controller entities

Current primary entities are:

Where you reside | Operating Entity | Contact Address
European Economic Area (EEA) | Bleap Finance Sp. z o.o. | ul. Domaniewska 37, lok. 2.43, 02-672 Warszawa, Poland
United Kingdom | Bleap Ltd | 9th Floor, 107 Cheapside, London, EC2V 6DN, United Kingdom
Rest of world | Bleap Ltd | 9th Floor, 107 Cheapside, London, EC2V 6DN, United Kingdom

2.3 Joint controllership

The Bleap Group may share personal data within the group to operate, support, and improve the Services, consistent with this Policy and applicable law. In limited cases (for example, group-wide login, risk, or compliance functions), entities may act as joint controllers. Where joint controllership applies, your primary contact is the operating entity serving you; Bleap Ltd coordinates group compliance and can help route requests.

Where we jointly determine purposes and means, for example, group-wide identity verification or risk functions, Bleap Ltd and Bleap Finance Sp. z o.o. act as joint controllers. We have an Art. 26 arrangement allocating responsibilities, including a primary contact point for data-subject rights. Your primary contact remains the operating entity serving you, and you may exercise your rights under Section 11 with either entity.

3. Categories of Personal Data 

We collect personal data in three main ways: (i) you provide it, (ii) we collect it automatically, and (iii) we receive it from other sources. 

3.1 Data you provide to us 

  • Basic customer information: name, email, phone, address, date of birth, nationality, country of residence, and similar identifiers.
  • Supplemental identification information: government ID data (e.g., passport/ID/driver’s license numbers and images), residency information, proof‑of‑address documents.
  • Electronic identification/verification (EIDV) information: selfie photos or short videos used to verify likeness against your ID; may include biometric templates generated by our ID verification vendors where permitted by law. Where required, we will obtain your explicit consent.
  • Financial information: bank account details, payment card PAN (tokenized where possible), tax identification numbers, income/asset attestations where needed for regulated offerings.
  • Institutional information (if you represent a business): company name, registration number, business address, and personal details for beneficial owners and control persons as legally required.
  • Wallet information: crypto or digital asset wallet addresses you supply for transactions.
  • Account information: login identifiers, security credentials, and settings/preferences.
  • Transaction information: counterparties, amounts, payment method, currencies, timestamps, transaction identifiers.
  • Communications and support: messages, recordings (where lawful and with notice), survey responses, bug reports, or other content you submit.

3.2 Data we collect automatically 

  • Device and app data: device identifiers, OS/browser type and version, app version, network information, language. 
  • Usage data: pages viewed, clicks, feature use, session timestamps, referral/UTM data. 
  • Diagnostic and troubleshooting: crash logs, performance metrics, error reports. 
  • Approximate location inferred from IP, unless you grant precise location permissions. 
  • Cookies and similar technologies (see Section 9).

3.3 Data from other sources 

  • Identity and sanctions screening providers: results of KYC/AML checks, sanctions/PEP status, document authenticity. 
  • Public and commercial databases: government or supervisory lists, company registers, watchlists. 
  • Blockchain data: publicly available on‑chain transaction metadata (hashes, timestamps, wallet addresses, and related signals). 
  • Analytics and marketing partners: aggregated usage insights and campaign metrics. 
  • Affiliates and integration partners: information necessary to enable features or account connections. 

We do not intentionally collect special categories of data (e.g., health, religion) outside of EIDV biometrics for identity verification where permitted and necessary. We do not intend to collect information from children (see Section 12).

4. Purposes and Legal Bases for Processing

We only process personal data where we have a lawful basis. The table below summarises the main purposes, typical data categories, and the legal basis we rely on. Where data is needed to comply with law or to perform a contract, failure to provide it may mean we cannot offer certain Services.

Data categories | Purpose | Legal basis
Basic, ID, EIDV, Financial, Wallet, Account, Transaction, Communications | Provide and operate the Services (account creation, transactions, customer support) | Contract (Art. 6(1)(b) GDPR)
Basic, Account, Transaction | Service communications (e.g., security or transactional notices) | Legitimate interests and/or Legal obligation
Basic, ID, EIDV, Financial, Institutional, Wallet, Transaction, public/watchlist data | KYC/AML, sanctions and fraud screening, eligibility checks | Legal obligation (Art. 6(1)(c) GDPR)
Basic, Account, Device, Usage, Transaction | Security, fraud prevention, and platform integrity (including logs and monitoring) | Legitimate interests (protecting users and our Services)
Device, Usage, Diagnostics, limited Basic | Analytics, product research, and improvement | Legitimate interests (improving Services); you may object
Basic, Usage, Marketing interactions | Marketing communications and non-essential cookies | Consent (you can withdraw at any time)
Any relevant | Regulatory compliance, tax and corporate governance, responding to lawful requests | Legal obligation
Any relevant | Record-keeping and dispute resolution | Legitimate interests


We have conducted Legitimate Interests Assessments and you may object to processing based on our legitimate interests (see Section 11).

If you do not provide mandatory KYC data, we cannot provide regulated services.

4.1 Special-category data (biometrics for EIDV) 

Where permitted by law, we may generate a biometric template from your selfie (and, if applicable, a short liveness video) to compare with your identity document solely to verify your identity and to prevent fraud.

We apply strict safeguards, role-based access, encryption, separate storage of biometric templates, purpose limitation, and minimal retention (biometric templates are not used for any other purpose and are deleted once any legally required retention window ends; see Section 7). We do not use biometric data for profiling or marketing. Our legal basis for other KYC data remains Art. 6(1)(c) GDPR (AML/CTF obligations).

We use Sumsub as our processor for identity verification. Where any international access occurs, we rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum (IDTA), supported by transfer impact assessments (TIAs) and supplementary measures; copies of the relevant safeguards are available on request. Sumsub acts only on our documented instructions and may not use biometric data for its own purposes.

4.2 Automated decision‑making and profiling (KYC/AML and fraud)

We use automated tools to assess risks (e.g., sanctions hits, document fraud, transaction patterns). These tools may affect access to certain features or trigger holds or enhanced checks. You have the right to request human review, express your viewpoint, and contest a decision where required by law.

4.3 Criminal-offence data

AML/fraud screening may involve processing data relating to criminal convictions or offences (or inferring risk of offences) under Art. 10 GDPR. We process such data only where authorised by EU or applicable Member-State law, with appropriate safeguards, and solely for AML/CTF, sanctions compliance, fraud prevention, and related legal obligations.

5. Recipients and How We Share Information

We share personal data only as described below and with appropriate safeguards. We do not sell your personal data.

  • Service providers (processors): cloud hosting, data storage, security monitoring, content delivery, customer support, communications (email/SMS), analytics, ID/document verification (including biometric processing where applicable), fraud/AML monitoring, payments and banking partners, and professional advisors (legal, audit, tax). Processors may use data only on our instructions and must protect it appropriately.
  • Affiliates: to operate, support, and improve the Services, consistent with this Policy.
  • Partners and integrations: when you connect your account or direct us to share data with a third party.
  • Authorities and third parties for legal reasons: to comply with law, enforce terms, protect rights, investigate fraud or security issues, or respond to valid legal requests.
  • Corporate transactions: in connection with a merger, acquisition, restructuring, or asset sale. Where feasible, we will require the recipient to respect this Policy.

6. International Data Transfers

We operate globally. If we transfer personal data outside your country (including from the EEA/UK to countries without an adequacy decision), we use approved safeguards:

  • EU Standard Contractual Clauses (SCCs) and, where applicable, the UK IDTA/Addendum;
  • Transfer risk assessments and supplementary measures (e.g., encryption in transit and at rest, access controls);
  • Other lawful derogations where appropriate (e.g., performance of a contract).

7. Retention

We retain personal data only as long as necessary for the purposes set out above, to meet legal, accounting, or reporting requirements, and to defend or establish legal claims. Typical periods (subject to applicable law):

  • Account records: Life of account + up to 5 years
  • KYC/AML records: 5 years after the relationship ends (or longer if required by AML law)
  • Transaction and payment records: 6–10 years (statutory/accounting)
  • Security logs and telemetry: 12–24 months
  • Customer support records: 24 months (unless needed longer for disputes)
  • Marketing data: Until you opt out or after 24 months of inactivity

When retention ends, we will delete or irreversibly anonymise the data, unless a longer period is required by law or needed for legal claims.

8. Security

We implement administrative, technical, and physical safeguards appropriate to the nature of the data and risks, including encryption in transit and at rest, access controls, segregation of environments, monitoring and logging, employee training, and incident response. No system is perfectly secure; however, we maintain and regularly review our security programme. Where required by law, we will notify you and regulators of data breaches. We also conduct vendor due diligence and restrict employee access to personal data on a need-to-know basis.

You are responsible for maintaining the confidentiality of your account credentials and for promptly notifying us of any suspected unauthorised access or use.

9. Cookies and Similar Technologies

We use essential cookies to make the Services work and non-essential cookies (e.g., analytics, advertising) with your consent. You can manage or withdraw cookie consent at any time via Cookie Settings in our banner, or through your browser settings.

Our website cookie settings apply opt-in for all non-essential cookies in the EEA/UK, remember your granular choices for at least 6 months, and provide an always-available Cookie Settings link in the footer to change or withdraw consent at any time.

Where used, SDKs, local storage, and similar identifiers are treated in line with this section and our Cookie Policy. See our Cookie Policy for the current list of cookies, vendors, purposes, and retention periods. We currently do not respond to “Do Not Track” signals. In supported regions, we honour Global Privacy Control (GPC) signals for opt-outs related to targeted advertising where applicable.

10. On-Chain Transparency and Wallets

Public blockchains are public and immutable. Transactions (including amounts, timestamps, wallet addresses, and other metadata) may be permanently viewable by anyone. If you link a wallet to your identity, your on-chain activity may become personal data. Consider this when sharing addresses or using the Services. We may analyse public blockchain data to help detect and prevent fraud, comply with laws, and improve the Services.

We cannot remove or alter data recorded on public blockchains. Where legally required, we can delete or de-link our off-chain records that associate you with a wallet address.

11. Your Privacy Rights and Choices

Depending on your location, you may have the following rights, subject to legal limits:

  • Access to your personal data and information about our processing;
  • Rectification of inaccurate or incomplete data;
  • Erasure of your data;
  • Restriction of processing;
  • Portability of data you provided to us;
  • Objection to processing based on our legitimate interests (including direct marketing);
  • Withdraw consent at any time where processing is based on your consent;
  • Rights regarding automated decision-making, including the right to obtain human review.

We may need to verify your identity before acting on a request; we’ll only ask for what’s strictly necessary.

11.1 How to exercise your rights

Email privacy@bleap.finance. We respond within one month of receiving your request. We may extend by up to two additional months where requests are complex or numerous, and will inform you of any extension. You may lodge a complaint with your supervisory authority, including UODO (Poland), or your local EEA authority.

11.2 Marketing choices 

You can opt out of marketing emails at any time by using the unsubscribe link in our messages or by contacting us. You may still receive essential service communications.

11.3 Targeted advertising

Where applicable, you can opt out via the cookie banner settings.

12. Underage applicants and Minimum Age

Our Services are not intended for individuals under 18. We do not knowingly collect personal data from children. If we learn that we have collected such data, we will delete it and take steps to close the account. If you are under 18 years of age, please do not provide any information or engage in any activity within the scope of our services.

13. Third-Party Sites and Integrations

The Services may link to third-party websites, apps, or integrations. Their privacy practices are governed by their own policies. We are not responsible for the privacy, security, or content of those third-party services. Review their policies before sharing personal data with them.

14. Changes to This Policy

We may update this Policy from time to time. If we make material changes (such as new purposes, new controller information, or changes to how you exercise your rights), we will notify you in advance via email, in-app notice, or banner.

The Effective Date at the top shows when this Policy was last updated. We maintain prior versions upon request.

© Bleap LTD 2025. All rights reserved.

Bleap Finance Sp. z o.o is a limited liability company incorporated in Poland under company number 526782047, with its registered office at Piotrkowska, nr 116, lok. 52, Łódź, 90-006, Republic of Poland and is registered in the Polish Register on Virtual Currencies Business Activity (Cryptocurrencies Register) under number RDWW-1009.

The Bleap Mastercard cards are issued by Unlimit, authorised by the Bank of Cyprus under the electronic money institution license to issue e-money and is a member of Mastercard Scheme. Please note that electronic money products are not covered by the Deposit Insurance System of the Republic of Cyprus. We ensure that any funds received by you are held in a segregated account so that should Unlimit be insolvent your funds will be protected against claims made by our creditors.
