Privacy Policy

Who We Are

7T World LLC, a Delaware United States of America ("USA") limited liability company, and its subsidiaries, affiliates, and other entities under common control ("7T World", "we", "us", "our").

Registered Address: 8 The Green, Suite B, Dover, DE 19901-3618, USA

Physical Address: 1205 South Main Street, Kalispell, MT 59901, USA

Data Protection Officer / Privacy Officer: Anthony Serio — privacy@7tworld.com

7T World, a FinCEN-registered money services business, provides payment services to consumers. This Privacy Policy ("Policy") explains how we collect, use, share, and protect personal data in connection with our sites, products, services, and support. If you see capitalized terms we don't define here, they have the meanings in our Terms.

Scope

This Policy applies globally to personal data we process as a controller (e.g., site visitors, business contacts, consumers, KYC applicants). It does not cover data we process as a processor for enterprise clients under a data processing agreement. Where sector laws apply (e.g., GLBA for nonpublic personal information ("NPI") handled as a financial institution), those laws control, and some state privacy rights don't apply to that GLBA-covered data; non-GLBA personal data (like marketing analytics) may still be subject to state privacy laws.

What We Collect

• Identity/KYC: name, date of birth, nationality, government IDs, selfies/biometrics (if your consent is required, we'll ask), sanctions, PEPs and adverse-media results.
• Contact: email, phone, home address, business address, job title.
• Financials / transactions: bank details, financial statements, wallet addresses, on/off-ramp amounts, timestamps, counterparties (as needed for Bank Secrecy Act ("BSA")/anti-money laundering ("AML")/countering the financing of terrorism ("CFT")/countering proliferation financing ("CPF")/know your customer ("KYC")/customer due diligence ("CDD"), fraud prevention, financial crimes prevention (collectively referred to as "anti-financial crime" ("AFC"), and settlement).
• Device & usage: IP, device/OS, browser, pages viewed, referrers, SDK/telemetry, coarse location.
• Communications: support chats/emails/messages, call/video recordings (where permitted and disclosed).
• Inferences: risk scores and fraud indicators (never solely determinative for adverse action without a human in the loop where required by law).

Sources

You; your employer; our AFC vendors; screening providers such as sanctions, PEPs, adverse media, websites (collectively "Screening"); public databases; analytics tools; and financial rails/chain data needed to perform our services.

Why We Use Your Data (and Legal Bases Where Required)

• Provide services you/your company request; onboard you; process transactions; provide support (contract / legitimate interests).
• Compliance with AFC, Screening, and reporting obligations; detect / prevent fraud and abuse (legal obligation / public interest / legitimate interests).
• Security and service quality (threat detection, logs, testing) (legitimate interests / legal obligation).
• Marketing & communications to contacts (with consent where required; you can opt out anytime).
• Product analytics (aggregated / limited—see Cookies).

Cookies, Analytics & Opt-outs

We use essential cookies and limited analytics. In regions requiring consent (e.g., United Kingdom ("UK")/European Union ("EU")), we'll ask before setting non-essential cookies. Where laws require recognition of universal opt-out mechanisms (e.g., Colorado's UOOM/Global Privacy Control), we honor them. You can also set preferences in our banner and browser.

Automated Decision-Making

We use automated tools to flag potential fraud or Screening matches. A human reviews high-risk decisions before we deny onboarding or transactions, and you can request human review where your local law grants that right. (California is finalizing ADMT rules; we'll comply when they take effect.)

How We Share

• Service providers (AFC, Screening, hosting, security, analytics, communications, customer support).
• Financial institutions, payments, and blockchain infrastructure (to execute requested transactions).
• Affiliates (only as permitted by law).
• Regulators and law enforcement (when legally required).

We don't "sell" personal data, and we don't "share" it for cross-context behavioral advertising as those terms are defined in California law.

Retention

We keep personal data only as long as needed for the purposes above and to meet legal, accounting, and audit requirements (e.g., AFC, Screening retention). We'll then delete or de-identify it.

Your Rights

Depending on your location, you may have rights to access, correct, delete, receive a copy, object/opt-out (including targeted advertising or certain profiling), withdraw consent, or complain to a regulator. See Regional Supplements for details.

Security

We maintain an information security program appropriate to money services business operations (encryption, access controls, network monitoring, vendor due diligence, and incident response) and comply with the FTC Safeguards Rule where applicable.

Breach Notification

If a breach occurs, we'll notify you and/or regulators as required. See the Regional Supplements for timing specifics (EU 72 hours; Singapore "as soon as practicable" + within 3 days to PDPC; Australia OAIC assessment within 30 days; Hong Kong—notification recommended; GLBA to FTC within 30 days).

Children

Our services may involve students who are under the age of majority in their jurisdiction. We only collect and process personal data of minors with the verified consent of a parent or legal guardian, or where otherwise permitted by applicable law (for example, where processing is necessary to provide an educational or financial service requested by the parent/guardian). We do not knowingly allow minors to independently access or sign up for our services without such consent. If we discover we have collected personal data from a minor without appropriate consent, we will delete it promptly.

International Transfers

We may transfer personal data internationally. We use appropriate safeguards such as:

• EU→US: EU-US Data Privacy Framework ("DPF") where our U.S. entity is certified (and SCCs where needed). Notably, the DPF was upheld by the EU General Court on Sept 3, 2025.
• UK→US: UK-US Data Bridge (DPF UK Extension).
• Brazil: ANPD Standard Contractual Clauses—mandatory by Aug 23, 2025.
• China: PIPL mechanisms (security assessment, Standard Contract filing, or certification), noting the 2024 Provisions easing certain transfers.
• Singapore: PDPC Model Clauses / comparable safeguards.

Contact

Email: privacy@7tworld.com

DPO/Privacy Officer: Anthony Serio

Address: 1205 South Main Street, Kalispell, MT 59901, USA

Changes

We'll update this Policy when we change our practices or law requires. We'll post the new date at the top and, where required, notify you.

Regional Supplements (Alphabetized)

Australia

We comply with the Privacy Act 1988 and the Notifiable Data Breaches scheme (assess within 30 days whether an eligible breach occurred; notify OAIC/individuals if required). Parliament passed a first tranche of reforms in late 2024, most commencing in 2025, with further reforms flagged in 2025.

Brazil

We comply with LGPD. We appoint a DPO (encarregado) and implement lawful transfer mechanisms. ANPD SCCs are required for cross-border transfers by Aug 23, 2025 (or other approved mechanisms).

China (Mainland)

If PIPL applies to us extraterritorially, we appoint a China representative and use approved outbound transfer mechanisms (CAC Standard Contract filing, certification, or security assessment). In March 2024, CAC eased some cross-border rules (exemptions/higher thresholds, extended validity).

European Union / European Economic Area ("EEA")

Legal bases under GDPR (Art. 6). Rights include access, erasure, portability, and objection/restriction. Transfers rely on DPF and/or SCCs. DPO appointment where Art. 37 triggers are met.

Hong Kong

We comply with PDPO. No statutory breach notification yet (PCPD recommends notification; legislative proposals to make it mandatory are underway).

India

We comply with the Digital Personal Data Protection Act, 2023. As of Aug 2025, the Rules and enforcement mechanisms were still pending finalization; we will implement requests/consents, cross-border provisions, and grievance redressal as the regime comes into force.

Mexico

We comply with Mexico's new 2025 Federal Law on Protection of Personal Data Held by Private Parties (effective Mar 21, 2025), including its transfer rules and new supervisory authority alignment.

Singapore

We comply with PDPA, appoint a DPO, notify PDPC "as soon as practicable and in any event no later than 3 calendar days" after determining a notifiable breach, and use PDPC Model Clauses for transfers as applicable.

United Arab Emirates ("UAE")

We comply with the federal PDPL and, where applicable, DIFC or ADGM regimes for entities established there (each has its own rules on transfers, DPO, and DPIAs).

United Kingdom ("UK")

We comply with UK GDPR/PECR (cookie consent) and use the UK-US Data Bridge for transfers to certified U.S. recipients. DPO appointment follows UK GDPR Art. 37 logic.

United States of America ("USA")

Beyond GLBA, multiple state privacy laws may apply. We align to applicable state rights (access/deletion/correction/opt-out) and honor universal opt-out signals where required (e.g., Colorado). California's CPPA has finalized/near-final regulations on ADMT, cybersecurity audits, and risk assessments (moving through OAL review mid-/late-2025).

Other Regions

If we later launch in your country, we'll publish a country-specific notice or update this section to reflect local rights and requirements.

Data Privacy Framework ("DPF") Addendum

7T World LLC complies with the EU–US DPF and the UK Extension to the EU–US DPF as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the DPF Principles of:

• Notice
• Choice
• Accountability for Onward Transfer
• Security
• Data Integrity & Purpose Limitation
• Access
• Recourse, Enforcement & Liability

If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern.

Scope

This certification covers personal data we receive from the European Union ("EU"), European Economic Area ("EEA"), and the United Kingdom ("UK") in reliance on the DPF and its UK Extension.

Onward Transfers

We remain responsible for the processing of personal data we transfer to third parties under the DPF if they process such data in a manner inconsistent with the DPF Principles, unless we prove we are not responsible for the event giving rise to the damage.

Recourse, Enforcement, Liability

In compliance with the DPF, we commit to resolve complaints about our collection or use of your personal information. EU and UK individuals with inquiries or complaints should first contact us at:

Email: privacy@7tworld.com

Mail: 7T World LLC, 1205 South Main Street, Kalispell, MT 59901, USA

We have further committed to refer unresolved DPF complaints to an independent recourse mechanism: [insert provider once selected, e.g., BBB EU Privacy Shield, TRUSTe]. This service is provided free of charge.

7T World LLC is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). Under certain conditions, you may invoke binding arbitration.

To learn more about the DPF program, and to view our certification, please visit the USA Department of Commerce's DPF website at: https://www.dataprivacyframework.gov.