Privacy Policy

Last Updated: May 19, 2026 · Version 2.0

Controller: Cause Vision s.r.o. (Prague, Czech Republic, ID: 17539013).

This Privacy Policy explains how Cause Vision ("Cause", "we") collects, uses, shares, retains, and protects personal data when you use the Cause Wallet web application, mobile applications, the CauseCard programme, and related services. We are committed to processing personal data lawfully, fairly, and transparently.

1. Controller and contact

The data controller responsible for your personal data is Cause Vision s.r.o., registered in Prague, Czech Republic under ID 17539013. We can be contacted at:

For EU and UK residents, you may also contact your local supervisory authority. The Czech supervisory authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, "UOOU").

2. Categories of personal data we collect

  • Identity data: Full legal name, date of birth, nationality, government-issued ID number, photograph/selfie (from KYC).
  • Contact data: Email address, phone number, postal address (for KYC and card delivery).
  • Account data: Username, password hash, two-factor secrets, security questions, authenticated devices.
  • Financial data: Wallet addresses, transaction history, on-chain transfers, fiat top-ups, card transactions, balances.
  • Verification data: ID document images, selfie/liveness video, proof of address, Sumsub applicant ID and verification outcome.
  • Source-of-funds data: Self-declared occupation, expected transaction volume, beneficial-ownership disclosures, supporting documents where requested.
  • Technical data: IP address, browser type and version, device identifier, OS, time zone, login timestamps, cookies.
  • Usage data: Pages viewed, features used, in-app behaviour, error logs, performance telemetry.
  • Communications: Messages exchanged with our support team or AI assistant, surveys, complaints.
  • Marketing preferences: Whether you've opted in or out of marketing channels and which categories.

3. How we use your personal data

We use personal data for the following purposes, each with a stated legal basis under the EU/UK GDPR:

| Purpose | Categories used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Provide and operate the Services (account, transactions, balances) | Identity, Account, Financial, Technical | Contract performance (Art. 6(1)(b)) |
| Verify your identity and meet AML/CTF obligations | Identity, Verification, Source-of-funds | Legal obligation (Art. 6(1)(c)) |
| Sanctions screening and politically-exposed-person checks | Identity, Source-of-funds | Legal obligation (Art. 6(1)(c)) |
| Detect, prevent, and investigate fraud | All categories | Legitimate interest (Art. 6(1)(f)) |
| Communicate operational notices (e.g. login alerts, security) | Contact, Account, Technical | Contract performance / Legal obligation |
| Customer support and complaints handling | Contact, Account, Communications | Contract performance |
| Improve the Services, debug, and monitor performance | Technical, Usage | Legitimate interest |
| Tax reporting (CRS, FATCA, DAC8, CARF where applicable) | Identity, Financial | Legal obligation |
| Marketing (only where you've opted in) | Contact, Marketing preferences | Consent (Art. 6(1)(a)) |
| Comply with court orders, regulator requests, or law-enforcement subpoenas | Any | Legal obligation |

You may withdraw any consent you have given at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Automated decision-making

We use automated processes for parts of identity verification (operated by our KYC provider Sumsub), transaction-monitoring alerts, fraud-risk scoring, and sanctions screening. These processes may significantly affect you (for example, by delaying or blocking a transaction or by closing your account).

Where required by Article 22 GDPR you have the right to obtain human intervention, express your point of view, and contest the decision. Contact us at info@cause.vision to do so.

5. Who we share personal data with

We share personal data only as necessary, and only with recipients bound by appropriate contractual safeguards:
  • Sumsub (Sum and Substance Ltd): Identity verification provider. Receives your ID documents and selfie to perform KYC. Returns a verification result and applicant ID.
  • Rain Cards: CauseCard issuer. Receives Identity, Contact, and Account data necessary to issue and operate the card. Rain is an independent controller for cardholder data.
  • Alchemy Pay: Fiat on/off-ramp processor. Receives Identity, Contact, and transaction data necessary to settle fiat top-ups and withdrawals.
  • Visa and acquiring banks: Card transaction processing — receive masked card number, merchant, amount, and FX data.
  • Cloud infrastructure providers: AWS (compute, storage), Vercel (web hosting), Cloudflare (CDN and bot mitigation). Processors acting on our instructions.
  • Analytics & telemetry: Aggregated, pseudonymised usage analytics. We do not sell personal data to analytics providers.
  • Tax authorities and regulators: Where required by FATCA, CRS, DAC8, CARF, AML laws, or by valid legal process.
  • Law enforcement: Where legally required (court order, subpoena, regulator demand). We assess the validity and scope of every request.
  • Affiliates and successors: Within the Cause group; on a sale/merger, to the acquiring entity, subject to equivalent or better protection.

We do not sell personal data to advertisers and we do not engage in cross-context behavioural advertising for the Services.

6. International data transfers

Cause Vision operates from Prague, with offices in Nairobi and Dubai, and uses cloud infrastructure that may store or process data in the EU, the UK, the United States, and other regions. Where personal data is transferred outside the European Economic Area or the UK, we rely on:

  • European Commission adequacy decisions (where available);
  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • UK International Data Transfer Agreement / UK Addendum;
  • Supplementary technical and organisational measures (encryption in transit and at rest, access controls) where required by case-law.

A copy of the relevant transfer mechanism for any specific transfer is available on request to info@cause.vision.

7. Retention

We retain personal data only for as long as necessary for the purpose collected, plus any period required by law. Indicative retention periods:

| Data | Retention period | Basis |
|---|---|---|
| KYC documents (ID, selfie, proof of address) | Minimum 5 years after account closure | EU 5AMLD / national AML rules |
| Transaction records | 7 years after the transaction | Tax, accounting, AML |
| Account credentials and 2FA secrets | Until account closure + 30 days | Operational |
| Support tickets and communications | 3 years after the last interaction | Legitimate interest, dispute defence |
| Marketing-preference logs | Until you opt out + 12 months | Demonstrate consent compliance |
| Server access logs and security telemetry | Up to 12 months | Security, abuse prevention |
| Anonymised analytics | Indefinite | No longer personal data |
| Sanctions-screening alerts and outcomes | 5 years after generation | AML |

After applicable retention periods elapse we delete or irreversibly anonymise the data.

8. Your rights

Depending on your jurisdiction, you have the following rights in respect of your personal data. To exercise any of them, email info@cause.vision. We will respond within 30 days (or 45 days for complex requests, with notice) and we will not charge a fee except in narrow circumstances permitted by law.
  • Access — a copy of the personal data we hold about you.
  • Rectification — correction of inaccurate or incomplete data.
  • Erasure — deletion, subject to retention obligations (AML, tax).
  • Restriction — temporary pause on certain processing while a dispute is resolved.
  • Portability — a structured, machine-readable copy of data you have provided to us.
  • Objection — to processing based on legitimate interest or for direct marketing.
  • Withdraw consent — for any consent-based processing.
  • Human review of automated decisions — as described in Section 4.
  • Complaint to a supervisory authority — for example UOOU (Czech Republic), ICO (UK), or your local DPA in the EU.

California residents (CCPA/CPRA): you also have the right to know which categories of personal information we have collected and disclosed in the preceding 12 months, the right to opt out of "sale" or "sharing" (we do not engage in either as defined under CCPA/CPRA), the right to limit use of sensitive personal information, and the right not to be discriminated against for exercising your rights.

9. Security

We protect personal data with administrative, technical, and physical measures appropriate to its sensitivity, including:
  • TLS/SSL encryption in transit;
  • Encryption at rest for production data stores;
  • Multi-factor authentication for staff with access to systems;
  • Principle-of-least-privilege access controls and access logging;
  • Regular vulnerability scanning, penetration testing, and dependency auditing;
  • Two-factor authentication available to all users (and required for sensitive actions);
  • Hardware-backed key storage for custodial wallets where applicable;
  • Breach response procedures with regulator notification within statutory deadlines (e.g. 72 hours under GDPR).

No system is perfectly secure. You can help by enabling 2FA, using a unique strong password, storing backup codes safely, and reporting suspicious activity at techsupport@cause.vision.

10. Cookies and similar technologies

We use cookies and similar technologies for:

  • Strictly necessary — session management, authentication, security (e.g. CSRF tokens). Not optional.
  • Preference — language, currency, theme.
  • Analytics — aggregated usage; only set with consent where required.
  • Anti-bot — Cloudflare Turnstile token.

You can control non-essential cookies via the consent banner where it is presented and via your browser settings.

11. Minors

The Services are not intended for individuals under 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided personal data to us, contact info@cause.vision and we will delete it.

12. Changes to this Policy

We may update this Policy from time to time. The current version and last-updated date are shown at the top of this page. For material changes we will notify you in advance by in-app message or email. Continued use of the Services after the effective date of a change constitutes acceptance.

13. Special-category and financial data

Identity-verification data may include biometric data (used to confirm a match between you and your ID photo) and is processed on the basis of explicit consent and substantial public interest (preventing money laundering and terrorist financing). Financial data is processed under contract performance and legal obligation. We apply enhanced safeguards for these categories including stricter access controls and shorter internal retention for raw biometric templates.

14. Complaints and supervisory authorities

If you believe we have processed your personal data unlawfully, you can raise a complaint with us at info@cause.vision. You also have the right to lodge a complaint with your local supervisory authority. Our lead supervisory authority in the EU is the Czech Office for Personal Data Protection (UOOU). UK residents may contact the Information Commissioner's Office (ICO).

See also: our Terms of Use and Risk Disclosure.

Cause Vision s.r.o., Prague, Czech Republic (ID: 17539013). Offices: Prague, Nairobi, Dubai.