FeaturesHow it worksDevelopersUse casesPricing
Request early access
Back to home

Data Sharing Policy

Last updated: 2026-05-09
Version: 1.0

This policy describes what personal and business data Plirin shares with third-party service providers ("sub-processors"), why we share it, how long sub-processors retain it, and how you can exercise control over your data.

For the full list of sub-processors, see our Sub-Processor List.

1. Why we share data

Plirin is a cryptocurrency payment processing platform. To operate lawfully, we must verify the businesses we work with and screen them against sanctions lists. We rely on third-party service providers who specialize in these functions. We do not share your data for advertising or marketing purposes, and we do not sell your data to any party.

Data is shared only to the extent necessary to:

  • Verify your business identity (KYB).
  • Screen your business and its owners against international sanctions, PEP, and adverse media lists (AML).
  • Screen your payout wallet addresses against cryptocurrency sanctions and crime databases.
  • Deliver transactional emails (account notifications, verification links, compliance alerts).
  • Store encrypted compliance documents for regulatory recordkeeping.

2. What data we share and with whom

2.1 Shufti Pro (Identity Verification, AML Screening, Wallet Screening)

What is shared:

  • Business name, registration number, country, registered address
  • UBO first name, last name, date of birth, residential address
  • Payout wallet addresses and blockchain network
  • UBO identity documents (uploaded directly on Shufti's platform — Plirin does not receive raw documents)
  • UBO selfie/liveness video (for optional Fully Verified tier upgrade only)

Purpose: Business identity verification, AML sanctions/PEP/adverse media screening, cryptocurrency wallet OFAC compliance screening, and (optionally) UBO identity liveness verification for tier upgrade.

Frequency: At each KYB submission, at each wallet add, and weekly for re-screening of existing wallets.

Legal basis: Legal obligation (AML/KYC regulations); legitimate interest (fraud prevention and compliance).

Shufti Pro retention: Raw identity documents are retained by Shufti for approximately 90 days. Screening results are retained per Shufti's data retention policy.

Shufti Pro privacy policy: https://shuftipro.com/privacy-policy/
Shufti Pro location: Lithuania (EU); GDPR-compliant; Data Processing Agreement in place.

2.2 Amazon Web Services — S3 (Document Storage)

What is shared:

  • KYB verification documents downloaded from Shufti Pro after verification completes
  • These documents are encrypted at rest using AWS KMS before storage

Purpose: Long-term regulatory recordkeeping (FinCEN 5-7 year requirement for AML/KYB records).

Frequency: Once per merchant, triggered by the weekend backup worker after verification completes.

Legal basis: Legal obligation (FinCEN 31 CFR Part 1020 / 31 CFR Part 1010 AML recordkeeping rules).

Retention: 5-7 years from account closure or transaction date, per FinCEN requirements.

AWS location: US East-1 (N. Virginia). AWS is GDPR-compliant via Standard Contractual Clauses.
AWS privacy policy: https://aws.amazon.com/privacy/

2.3 Amazon Web Services — KMS (Encryption Key Management)

What is shared:

  • AWS KMS manages the encryption keys used to protect documents at rest in S3.
  • No personal data is sent to KMS directly — it manages keys only.

Purpose: Encryption key management for document storage security.

Legal basis: Security and data protection obligation.

AWS location: US East-1. Same AWS privacy and DPA as above.

2.4 Resend (Transactional Email)

What is shared:

  • Recipient email address
  • Email content (account notifications, KYB status updates, verification links, wallet compliance alerts)

Purpose: Delivery of transactional emails required for account management and compliance notifications (e.g., wallet compliance hold notice).

Frequency: As needed per account event.

Legal basis: Legitimate interest (account management); legal obligation (compliance notifications).

Retention: Email logs retained by Resend per their standard policy (30 days for email logs).

Resend location: United States. SOC 2 compliant; DPA available.
Resend privacy policy: https://resend.com/legal/privacy-policy

3. Data not shared

We do not share your data with:

  • Credit bureaus
  • Marketing or advertising platforms
  • Other merchants on Plirin
  • Data brokers
  • Any party not listed in this policy

4. International data transfers

Some sub-processors (specifically AWS S3/KMS in US-East-1) store data in the United States. If you are based in the EU/UK, these transfers are covered by Standard Contractual Clauses (SCCs) as approved by the European Commission.

5. Opt-out and data subject rights

You may exercise your rights over your personal data (access, correction, erasure, portability, objection) by contacting privacy@plirin.com. Note that data subject to legal retention obligations (AML/KYB records) cannot be erased until the retention period expires. See our Data Handling Policy for details.

To request removal from Shufti Pro's systems, you may also contact Shufti Pro directly at privacy@shuftipro.com.

6. Changes to this policy

We will post any updates to this page with a new "Last updated" date. Material changes will be notified by email at least 14 days before taking effect.

Contact

Questions about this policy: privacy@plirin.com
Data Protection Officer enquiries: dpo@plirin.com (or same address if not yet appointed)