Privacy policy.

1. Introduction

This Privacy Policy explains how Toqen Ltd (“Toqen”, “we”, “us”, or “our”) collects, uses, stores and protects personal data. It is published in accordance with our obligations under the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), the Data Use and Access Act 2025 (DUAA) and other applicable data protection laws.

Toqen operates as a business-to-business financial technology and digital infrastructure provider. We do not target retail consumers and we do not knowingly process personal data of children. We primarily process personal data relating to corporate counterparties, professional and institutional investors, advisers, service providers, and other business contacts, together with personal data relating to individuals connected with those organisations (for example directors, beneficial owners, authorised signatories and employees).

This policy should be read together with any supplementary privacy notice we provide to you in a specific context, such as a recruitment notice or a contractual data processing notice.

2. Who we are and how to contact us

  • Data Controller: Toqen Ltd, a company incorporated in England and Wales (company number 16834052).

  • Registered office: 167–169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom.

  • ICO registration number: ZC091399.

  • Privacy contact: privacy@toqen.com.

We have not appointed a statutory Data Protection Officer because we are not required to do so under Article 37 UK GDPR. Privacy enquiries are handled by our designated privacy lead, who can be contacted at the address above.

Depending on the context in which personal data is processed, Toqen may act as a data controller, joint controller or data processor. Where we act as a processor on behalf of a client or counterparty, we process personal data in accordance with their documented instructions and applicable data processing agreements.

3. The personal data we collect

We collect and process the following categories of personal data:

  • Business and professional information: name, job title, employer, business contact details, corporate role or signing authority, professional background and credentials.

  • Compliance and due diligence information: identity verification data (includes first name, maiden name, last name, title), date of birth, nationality, residential or business address, government identifier numbers (where required), source of funds and source of wealth information, sanctions, politically exposed person and adverse media screening results, and regulatory correspondence.

  • Contact data includes email address and telephone numbers.

  • Technical and usage data: IP address, login data, browser type and version, device identifiers, approximate location derived from IP address, and limited website usage data.

  • Communications data: emails, meeting notes, recorded calls (where you have been informed in advance), and other business correspondence.

  • Recruitment data: if you apply for a role with us, your CV, cover letter, references, interview notes, right-to-work documentation and, where relevant to the role, results of background checks.

  • Special category and criminal offence data: we may process limited health data (for example to make reasonable adjustments at interview) and criminal offence data (for example as part of anti-money laundering screening or fitness and propriety checks). This data is processed only where necessary and is subject to additional safeguards described in section 6.

  • Marketing and communications data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

We do not provide consumer-facing services. Where we receive personal data about individuals other than our direct business contacts (for example individuals connected with our customers or counterparties), we rely on those organisations to inform the relevant individuals that their data has been shared with us.

4. How we collect personal data

We collect personal data:

  • directly from you, when you contact us, attend a meeting, apply for a role, or otherwise correspond with us;

  • from your employer or organisation, where you are a director, employee, beneficial owner, authorised signatory or other business contact;

  • from regulated identity verification, KYC, AML and sanctions screening providers;

  • from publicly available sources, such as Companies House, the FCA Register and other public registers and databases;

  • from our website and connected systems, through cookies (which distinguish you from other users of our website) and analogous technologies (see section 13);

  • from professional introducers, advisers and counterparties acting on your behalf or on behalf of your organisation; and

  • From third parties or publicly available sources. We may receive personal data about you from various third parties including Technical Data from analytics providers such as Google based outside the UK.

5. Lawful bases for processing

We process personal data under one or more of the following lawful bases set out in Article 6 UK GDPR:

  • Legitimate interests (Article 6(1)(f)): to operate, develop, market and protect our business, to engage with corporate counterparties and their representatives, to assess and manage risk, and to maintain the security of our systems. We have considered and balanced these interests against the rights of the individuals concerned and, where appropriate, document and review legitimate interest assessments (LIAs), taking into account the nature of the data, the reasonable expectations of individuals, and the potential impact of the processing.

  • Performance of a contract (Article 6(1)(b)): where processing is necessary to enter into or perform a contract with you or with your organisation.

  • Legal obligation (Article 6(1)(c)): where processing is necessary to comply with a legal or regulatory obligation, including obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the Proceeds of Crime Act 2002, the Sanctions and Anti-Money Laundering Act 2018, and applicable financial services laws.

  • Consent (Article 6(1)(a)): where we have asked for and you have given consent, for example in relation to certain marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

  • Where we process special category data, we additionally rely on the conditions in Article 9(2) UK GDPR and the corresponding conditions in Schedule 1 to the Data Protection Act 2018. The principal conditions we rely on are:

  • Article 9(2)(b) and Schedule 1, Part 1, paragraph 1 – employment, social security and social protection, in relation to staff and job applicants;

  • Article 9(2)(g) and Schedule 1, Part 2, paragraph 6 – statutory and government purposes; and

  • Article 9(2)(g) and Schedule 1, Part 2, paragraph 10 – preventing or detecting unlawful acts, including financial crime.

Criminal offence data is processed under Article 10 UK GDPR in reliance on the conditions in Schedule 1, Part 2, paragraphs 10 (preventing or detecting unlawful acts) and 12 (regulatory requirements relating to unlawful acts and dishonesty) to the Data Protection Act 2018. 

We maintain an Appropriate Policy Document in accordance with Schedule 1 of the Data Protection Act 2018, which sets out our procedures for securing compliance with the data protection principles and our policies on retention and erasure of such data.

Provision of personal data is, in some cases, a statutory or contractual requirement (for example, identity data we are required to collect under anti-money laundering regulations). Where this is the case, failure to provide that data may mean we cannot enter into or continue a business relationship with your organisation.

6. How we use personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • where we need to perform the contract we are about to enter into or have entered into with you;

  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;

  • communicate with counterparties, advisers, investors and service providers in the ordinary course of business;

  • conduct customer and counterparty onboarding, due diligence and ongoing monitoring, including identity verification, KYC, sanctions and PEP screening, AML checks and fraud prevention;

  • support engagement with the Financial Conduct Authority and other regulators, including responding to information requests and submitting required reports;

  • manage and develop business relationships, including contract administration and dispute resolution;

  • process job applications and assess suitability for roles, including, where relevant, fitness and propriety assessments;

  • operate, secure, monitor and improve our systems, websites and services, including detecting and preventing security incidents and misuse;

  • comply with our legal, regulatory and tax obligations, and establish, exercise or defend legal claims;

  • process personal data associated with financial transactions and platform activity, including where required to support reconciliation, audit, compliance and reporting functions; and

  • generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

7. Distributed ledger technology and digital assets

Toqen is developing infrastructure that may, in future, make use of distributed ledger technology (DLT). We are not currently processing personal data on any distributed ledger. When DLT-based features go live, we will design them so that personal data is held off-chain wherever possible, on-chain references are pseudonymised (for example through hashing), and individuals' rights under UK GDPR — including rectification and erasure — are designed to be supported, including where technically feasible, through off-chain controls and architecture. We will update this policy before any such processing begins.

8. Sharing personal data

We share personal data with the following categories of recipient:

  • Group companies: other entities within the Toqen group, where necessary for the purposes set out in this policy and subject to appropriate intra-group arrangements.

  • Identity verification, KYC, AML and sanctions screening providers: regulated third parties that support our compliance obligations.

  • Cloud hosting and IT service providers: providers of cloud infrastructure, software-as-a-service applications, communications, security monitoring and related IT services.

  • Professional advisers: legal, accounting, audit, tax, regulatory and other professional advisers.

  • Regulated counterparties and partners: including custodians, banks, payment service providers and other regulated firms involved in delivering our services.

  • Investors and prospective investors: including venture capital firms and other professional investors, where strictly necessary in connection with corporate finance, due diligence and reporting activities, on a need-to-know basis and subject to appropriate confidentiality obligations.

  • Regulators, courts and law enforcement: where required by law or where we consider it necessary to protect our rights, property or safety, or that of others.

  • Acquirers and business successors: in the context of a proposed or actual sale, merger, reorganisation, financing, or similar corporate transaction, we may disclose your personal data to the prospective seller or buyer of such business or assets.

  • Business partners, suppliers, and sub-contractors: for the performance of any contract we enter into with [them or] you, including without limitation any data processor we engage.

  • Analytics and search engine providers that assist us in the improvement and optimisation of our site.

  • In order to enforce or apply our Terms of Use or terms and conditions of supply and other agreements; or to protect the rights, property, or safety of Firm Name, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.

9. Where we store your personal data

The data that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom. It may also be processed by staff operating outside the UK who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

All information you provide to us is stored on our secure servers. Any payment transfers will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site: any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try and prevent unauthorised access.

10. International transfers

Personal data we process is primarily stored in the United Kingdom and the European Economic Area (EEA). However, certain of our service providers (in particular cloud hosting, IT and screening providers) may process personal data in, or access it from, jurisdictions outside the United Kingdom.

Where personal data is transferred to a country that has not been the subject of UK adequacy regulations, we put in place appropriate safeguards under Article 46 UK GDPR. These safeguards typically include:

  • the International Data Transfer Agreement (IDTA) issued by the Information Commissioner; or

  • the European Commission’s Standard Contractual Clauses, together with the UK International Data Transfer Addendum issued by the Information Commissioner.

Where required, we carry out and document a transfer risk assessment to ensure that the transferred data continues to receive a level of protection broadly equivalent to that provided under UK law. You can request a copy of the safeguards applicable to a specific transfer by contacting us at the address in section 2.

11. Data security

We apply technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include role-based access controls, multi-factor authentication, encryption of data in transit and, where appropriate, at rest, network and endpoint security controls, logging and monitoring, secure development practices, vendor due diligence and staff training. These measures are reviewed periodically and are aligned, where appropriate, to recognised industry standards and risk-based security frameworks.

No system is completely secure. We will notify the Information Commissioner and, where required, affected individuals of any personal data breach in line with our obligations under UK GDPR.

12. Data retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. The principal retention periods we apply are set out below. Where multiple periods could apply, the longest applicable period is used.

  • Corporate, contractual and financial records: typically retained for 6 years from the end of the relevant financial year, to comply with tax and company law obligations.

  • AML, KYC and sanctions screening records: retained for 5 years from the end of the business relationship or occasional transaction, as required by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

  • Business communications: typically retained for up to 7 years, aligned with our wider records retention schedule and applicable regulatory record-keeping rules.

  • Website and technical data: retained for up to 13 months, unless required for longer to investigate a security incident or comply with a legal obligation.

  • Recruitment data – unsuccessful applicants: retained for up to 12 months after the recruitment decision, in case other suitable roles arise, unless you ask us to delete it sooner.

  • Recruitment data – successful applicants: incorporated into the employee record and retained for the duration of employment and for up to 6 years after termination.

  • Special category and criminal offence data: retained only for as long as strictly necessary for the relevant purpose, and reviewed in line with our Appropriate Policy Document.

At the end of the relevant retention period, personal data is securely deleted or anonymised.

13. Your rights

Subject to the conditions and exceptions in UK data protection law, you have the following rights in relation to your personal data:

  • the right to be informed about how we process your personal data;

  • the right of access to your personal data;

  • the right to rectification of inaccurate or incomplete personal data;

  • the right to erasure (“right to be forgotten”);

  • the right to restriction of processing;

  • the right to object to processing, including processing based on legitimate interests and processing for direct marketing purposes;

  • the right to data portability, where applicable; and

  • the right to withdraw consent, where processing is based on consent.

To exercise any of these rights, please contact us at privacy@toqen.com. We may need to verify your identity before responding. We will respond within one month of receipt of a valid request, although this period may be extended by up to a further two months where the request is complex or where we have received a number of requests from you.

If an individual believes that their personal information has been used in a way that does not comply with the law, they have the right to make a complaint. We are required to support individuals in exercising this right and will take reasonable steps to facilitate the process, such as providing an accessible electronic complaints form. Upon receiving a complaint, we will acknowledge it within 30 days and will inform the complainant of the outcome without undue delay. While the complaint is being reviewed, we will take appropriate steps, including investigating the matter and keeping the complainant informed of progress.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113. Website: ico.org.uk.

We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please consider contacting us first.

14. Cookies and similar technologies

Cookies are pieces of information that a website transfers to your computer’s hard disk for record-keeping purposes. Cookies can make the internet more useful by storing information about your preferences on a particular site, such as your personal preference pages.

The use of cookies is an industry standard, and most websites use them to provide useful features for their customers. Cookies in and of themselves do not personally identify users, although they do identify a user’s computer. Most browsers are initially set to accept cookies. Our website is currently intended to use only strictly necessary cookies, which do not require consent under PECR. If we introduce additional cookies or similar technologies (for example for analytics), we will update this policy and, where required, obtain your consent through a cookie banner before any non-essential cookies are set.

15. Marketing

We may send business-to-business marketing communications about our products and services to corporate contacts where we are permitted to do so under PECR and UK GDPR, including in reliance on the “soft opt-in” where available. You can object to receiving marketing communications at any time by following the unsubscribe link in any marketing email or by contacting us at privacy@toqen.com.

16. Changes to this policy

We may update this policy from time to time to reflect changes in our business, technology, or legal and regulatory requirements. The current version will always be available on our website, and the version history at the top of this document records material changes. Where changes are material, we will take reasonable steps to notify affected individuals.

This policy was last updated on 8 May 2026.