This Privacy Policy explains what personal data we collect, why, how we protect it, who we share it with, and the rights you have. It should be read together with our Cookie Policy and Terms of Service.
1. Data controllers
Your personal data is jointly processed by:
- Alevia Nova Ltd (England and Wales, no. 16601692) — for the Kudu™ technology platform
- Financial Digital Technology (FIDITECH) SAS (Côte d'Ivoire, RCCM CI-ABJ-03-2023-B16-00079) — for agent-network operations in West Africa
Where a licensed Partner (for example an on-ramp provider, a money-transfer partner or an exchange bureau) processes your data to deliver its own regulated service, it acts as an independent controller under its own privacy policy.
Contact for data matters: our contact form.
2. Data we collect
Identification data
- Name, date of birth, nationality and residential address
- Email address and phone number
- Identity documents (for example a passport or ID card) and, where required, a selfie and a short liveness check used for biometric identity verification
- For business users: company details and documents for business verification (KYB), and details of directors or beneficial owners
Financial and transaction data
- Transaction history (transfers, top-up, cash-out, escrow and group buying)
- Wallet addresses and on-chain settlement references
- Payment details and, where applicable, source-of-funds or source-of-wealth information and supporting documents that we or a licensed crypto-asset service provider (CASP) partner may request
Usage and technical data
- IP address, device and browser type
- App and site interactions (aggregated, privacy-friendly analytics)
- Approximate location, where you enable it
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Account creation and management | Performance of contract |
| Transfers, escrow and transactions | Performance of contract |
| Identity verification (KYC / KYB / AML) | Legal obligation |
| Biometric liveness / face-match for identity | Legal obligation and explicit consent |
| Fraud and financial-crime prevention | Legal obligation / legitimate interest |
| Transaction monitoring and auditability | Legal obligation |
| Marketing communications | Consent |
| Service improvement and security | Legitimate interest |
4. Traceability, monitoring and automated checks
To meet our anti-financial-crime obligations and keep the Platform safe, transactions are monitored and screened, including automated checks against sanctions and watchlists and automated risk scoring for fraud. These checks may flag a transaction for manual review, delay it, or require additional verification.
Identity verification can include automated document checks and a biometric liveness and face-match step. Where we use artificial intelligence — for example to help detect fraud or to prepare a case for a reviewer — it is hosted in the European Union and only ever assists a human: the AI never makes a decision on its own, and any outcome that affects you is prepared for, and made or confirmed by, a person.
5. Who we share data with
We share only what is necessary, with:
- Licensed Partners — on-ramp providers (e.g. Transak), money-transfer/payout partners (e.g. MoneyGram) and MiCA-authorised CASPs, to deliver a service you have requested
- Exchange-bureau network — independent, licensed bureaux in Côte d'Ivoire, Benin and the DRC, for cash-out
- Logistics partners — e.g. Sendcloud, to ship physical goods for group buys and deals (recipient name and delivery address only)
- Verification and fraud-prevention providers — for KYC, sanctions screening and fraud checks
- Hosting and infrastructure providers — including Scaleway (France)
- Competent authorities — where required by law (anti-money-laundering, counter-terrorist-financing, court orders)
We do not sell your personal data. A current list of the main sub-processors we use is available on request via our contact form.
6. International transfers
Kudu operates across Europe and Africa, so your data may be transferred to and processed in countries outside your own. When we transfer personal data internationally, we rely on appropriate safeguards — for example an adequacy decision, or the UK/EU Standard Contractual Clauses with additional measures where needed — so that your data keeps an equivalent level of protection. A copy of the relevant safeguard is available on request.
7. Data retention
- Account data — for the duration of the relationship, then up to 5 years after closure
- KYC data — 5 years after the end of the business relationship (AML obligation)
- Transaction data — 5 years (accounting and tax obligations)
- Usage / analytics data — up to 13 months
8. Your rights
UK and EU users
Under the UK GDPR (supervised by the ICO) and the GDPR (with data hosted in France within scope of the CNIL), you have the rights to:
- Access your personal data and receive a copy
- Rectify inaccurate data
- Erase data ("right to be forgotten"), where no legal retention duty applies
- Restrict or object to processing, including profiling
- Data portability
- Withdraw consent at any time
- Lodge a complaint with the ICO (UK) or the CNIL (France) or your local authority
Some rights are limited where we must retain data to meet legal obligations (for example AML records). We respond within one month.
Côte d'Ivoire users
Under Law No. 2013-450 on the protection of personal data, supervised by the ARTCI, you have rights of access, rectification, deletion and objection.
Benin users
Under Law No. 2009-09 and the Digital Code (Law No. 2017-20), supervised by the APDP, you have similar rights of access, rectification and deletion.
Democratic Republic of the Congo users
Under Ordinance-Law No. 23/010 establishing the Digital Code, supervised by the ARPD, you have personal-data protection rights.
9. Marketing and your choices
We send marketing only with your consent. You can withdraw consent at any time — use the unsubscribe link in any email, adjust your notification settings, or use our contact form. Withdrawing marketing consent does not affect service messages we must send to operate your account.
10. Children
Kudu is not intended for anyone under 18. We do not knowingly collect data from minors, and we will delete such data if we become aware of it.
11. Security
- Encryption of data in transit (TLS) and at rest
- High-availability infrastructure hosted by Scaleway (France)
- Strict access controls and strong authentication
- Monitoring, logging and intrusion detection
12. Data breaches
If a personal-data breach is likely to result in a risk to your rights, we will notify the competent supervisory authority within the legal deadline (72 hours under the GDPR/UK GDPR) and inform you without undue delay where the risk is high.
13. Cookies
kudu.cash uses only strictly necessary cookies and privacy-friendly, cookieless analytics. We do not use advertising or third-party tracking cookies. Full details are in our Cookie Policy.
14. Contact
To exercise your rights or ask a question about your data:
- Contact: Contact form

