This Privacy Policy applies to Personal Data processed by Codego Group LTD ("Codego", "we", "us") in connection with the corporate website at codegotech.com (the "Website"). It is addressed primarily to business representatives, prospects, and other professional contacts who interact with the Website or correspond with us. Codego Group LTD is registered in Malta and operates as a Banking-as-a-Service infrastructure provider; it is not a consumer-facing bank. This document is issued in compliance with Regulation (EU) 2016/679 ("GDPR") and Directive 2002/58/EC ("ePrivacy Directive") as transposed into Maltese law. Questions about this Policy should be directed to banking@codegotech.com. A separate privacy notice governs Personal Data processed in the context of contracted BaaS services.
The Data Controller for Personal Data collected through the Website is:
Codego Group LTD
Registered in Malta
Website: codegotech.com
Email: banking@codegotech.com
Codego Group LTD is the legal entity that owns and operates the codegotech.com domain. It is the parent entity of the Codego corporate group, which also includes Codego Europe SIA (a Latvian entity currently undergoing electronic-money institution licence onboarding) and Codego SRL (an authorised agent for the distribution of electronic-money services). The group holds a National Bank of Belgium electronic-money distribution licence with EU passporting rights and operates across twelve countries spanning the European Union, the Middle East and North Africa, and South-East Asia.
For the purpose of this Privacy Policy, references to "Codego", "we", "us" or "our" refer solely to Codego Group LTD acting as Controller in respect of the Website. Where other group entities independently process Personal Data as separate Controllers, they will provide their own notices as required by Articles 13 and 14 GDPR.
Data Protection enquiries: Codego has not appointed a Data Protection Officer (DPO) as, following assessment, it does not meet the mandatory thresholds set out in Article 37 GDPR in respect of its Website processing activities. All data protection enquiries, rights requests and complaints may be directed to: banking@codegotech.com. We will acknowledge receipt within five business days and respond substantively within one calendar month as required by Article 12(3) GDPR.
We collect only the Personal Data that is necessary for the specific purposes described in Section 04 of this Policy. The categories of Personal Data we process in connection with the Website are as follows:
2.1 Identification and contact data
When you complete a contact form, request a demonstration, or otherwise correspond with us, we collect your full name, business email address, company name, job title, telephone number (where provided), and the content of your communication. This information is provided directly by you.
2.2 Business relationship data
In the context of B2B onboarding enquiries, we may collect additional information about your organisation, including jurisdiction of incorporation, intended use case, and preliminary details relevant to KYC/KYB compliance obligations. Such data may be provided by you directly or sourced from publicly available commercial registers and due-diligence databases in accordance with applicable anti-money-laundering legislation.
2.3 Technical and usage data
When you visit the Website, our infrastructure (including Cloudflare CDN and our analytics tools) automatically collects certain technical data, including your IP address (truncated or pseudonymised where applicable), browser type and version, operating system, referring URL, pages visited, session duration, and timestamps. This data is collected in part through cookies and similar tracking technologies (see Section 05).
2.4 Communication content via live chat
If you initiate a live-chat session through Tawk.to, we collect the transcript of that conversation, together with any contact details you choose to provide within the chat. Tawk.to processes this data as a Processor on our behalf under a data-processing agreement.
2.5 Consent records
Where we rely on your consent as a lawful basis (for example, for marketing communications or non-essential cookies), we maintain records of when and how consent was given, including the mechanism used, as required by Article 7(1) GDPR.
We do not collect special-category Personal Data (Article 9 GDPR) through the Website, and we do not knowingly collect Personal Data from individuals under the age of eighteen.
Every instance of processing carried out by Codego in connection with the Website rests on one of the lawful bases set out in Article 6 GDPR. The applicable bases are identified below by reference to the purpose for which data is processed.
Article 6(1)(a) — Consent: We rely on consent where we send direct marketing communications by email (including newsletters and product updates), and where we set non-essential cookies (analytics and chat-session cookies) on your device. Consent is obtained through an affirmative act prior to the relevant processing commencing. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal (see Section 09).
Article 6(1)(b) — Performance of a contract or pre-contractual steps: Where you have requested information about our services with a view to entering into a commercial agreement, or where a contractual relationship already exists, we process the Personal Data necessary to respond to your request and to take the pre-contractual steps you have asked for. This includes responding to detailed product enquiries, sending service proposals, and conducting preliminary KYB/KYC checks required before we can enter into a BaaS services agreement.
Article 6(1)(c) — Legal obligation: Where we are required to retain or disclose Personal Data to comply with a mandatory legal obligation under EU or Maltese law — including obligations arising under anti-money-laundering legislation, tax law, or regulatory reporting requirements — we process the relevant data on this basis.
Article 6(1)(f) — Legitimate interests: We process technical and usage data for the purposes of website security, fraud prevention, network integrity, and to understand how the Website is used so that we can improve its content and functionality. Our legitimate interests in protecting our systems and improving the user experience are not overridden by your interests or fundamental rights, given the business-to-business context of this Website, the limited sensitivity of the data concerned, and the technical and organisational safeguards in place. You retain the right to object to processing on this basis (see Section 09).
Where we rely on legitimate interests under Article 6(1)(f), we have carried out a balancing test. Summaries of our legitimate-interests assessments are available on written request submitted to banking@codegotech.com.
We process your Personal Data for the following specific, explicit and legitimate purposes as required by Article 5(1)(b) GDPR:
4.1 Responding to enquiries and correspondence: We use your identification and contact data to respond to questions, requests for information, and demonstration requests submitted through the Website or by direct email. The lawful basis is Article 6(1)(b) (pre-contractual steps) or Article 6(1)(f) (legitimate interest in responding to general business enquiries) as appropriate.
4.2 B2B commercial onboarding: Where your enquiry develops into a prospective commercial relationship, we process the relevant organisational and KYB data to conduct due-diligence checks and negotiate service terms. The primary basis is Article 6(1)(b); compliance-related processing is supported by Article 6(1)(c).
4.3 Marketing communications: With your prior consent (Article 6(1)(a)), we may send you commercial communications about Codego products, services, industry updates, and events. Each marketing email includes an unsubscribe mechanism. Withdrawal of consent does not affect the legality of messages sent prior to withdrawal.
4.4 Website analytics and performance: We use Google Analytics 4 ("GA4") and Cloudflare analytics to understand aggregate usage patterns, identify technical issues, and improve the Website. Analytics cookies are set only where consent has been obtained. The lawful bases are Article 6(1)(a) (cookies) and Article 6(1)(f) (server-level aggregated data).
4.5 Website security and fraud prevention: Cloudflare services (including Cloudflare Turnstile bot-detection) process technical data to protect the Website against unauthorised access, distributed denial-of-service attacks, and abusive automated traffic. The lawful basis is Article 6(1)(f).
4.6 Legal compliance and record-keeping: We retain certain records as required by applicable law and regulatory guidance, including correspondence records relevant to anti-money-laundering compliance. The lawful basis is Article 6(1)(c).
We do not use Personal Data collected through this Website to make automated decisions that produce legal or similarly significant effects on individuals (see Section 10).
In accordance with Article 5(3) of the ePrivacy Directive (as transposed into Maltese law), we will not store or access information on your device through cookies unless those cookies are strictly necessary for the provision of a service you have requested, or unless you have given your prior consent.
The table below describes the cookies set or accessed by this Website:
| Cookie / Technology | Provider | Category | Purpose | Retention | Consent required |
|---|---|---|---|---|---|
| Language preference cookie | Codego (first-party) | Strictly necessary / functional | Stores your selected language to maintain it across page loads | Session or up to 12 months | No |
| _ga, _ga_* (GA4) | Google Ireland Limited | Analytics | Distinguishes unique users and sessions; measures page interactions | Up to 26 months | Yes |
| Tawk.to session cookies (__tawkuuid, TawkConnectionTime, etc.) | Tawk.to Inc. | Functional / live chat | Maintains chat session continuity; identifies returning visitors within a chat session | Session / up to 6 months | Yes |
| Cloudflare Turnstile (__cf_bm, cf_clearance) | Cloudflare, Inc. | Strictly necessary / security | Bot-detection and CAPTCHA challenge; protects forms and the Website from automated abuse | Session / up to 30 minutes | No (security) |
We do not sell Personal Data. We share Personal Data only where necessary for the purposes described in Section 04, or where we are required to do so by law. The categories of recipients are as follows:
6.1 Technology and infrastructure providers (Processors): We engage third-party service providers who process Personal Data on our behalf under written data-processing agreements meeting the requirements of Article 28 GDPR. These include:
— Cloudflare, Inc. — Content delivery network, DDoS protection, and Turnstile bot-detection services.
— Google Ireland Limited — Google Analytics 4 for website analytics.
— Tawk.to Inc. — Live-chat platform.
— Cloud hosting and email infrastructure providers engaged to host and operate the Website and our business communications systems.
6.2 KYC/KYB and compliance partners: In the context of B2B onboarding, we may share relevant business-contact and organisational data with specialist due-diligence and identity-verification providers to fulfil our anti-money-laundering and know-your-business obligations. These providers act as Processors or, in some cases, as independent Controllers where they have their own regulatory obligations.
6.3 Professional advisers: We may share Personal Data with our legal advisers, auditors, and accountants where necessary for the provision of professional services, subject to professional duties of confidentiality.
6.4 Regulatory and law-enforcement authorities: We will disclose Personal Data to competent authorities where we are legally obliged to do so under EU or Maltese law, including in response to lawful requests from supervisory, law-enforcement, or judicial bodies.
6.5 Group entities: We may share Personal Data within the Codego group (including Codego Europe SIA and Codego SRL) where necessary for the administration of business enquiries or for internal operational purposes. All intra-group transfers are governed by appropriate safeguards.
We do not disclose Personal Data to third parties for their own direct-marketing purposes.
Codego Group LTD is established in Malta, an EU Member State. Some of the third-party Processors and recipients described in Section 06 are located outside the European Economic Area ("EEA"), or process Personal Data on infrastructure located outside the EEA. Where Personal Data is transferred to a country or territory not subject to an adequacy decision under Article 45 GDPR, we ensure that appropriate safeguards are in place in accordance with Chapter V GDPR.
Cloudflare, Inc. (United States): Cloudflare operates a global network and may process Personal Data on servers located outside the EEA, including in the United States. Transfers are governed by Standard Contractual Clauses ("SCCs") adopted pursuant to European Commission Implementing Decision (EU) 2021/914, as supplemented by Cloudflare's data-processing addendum. Cloudflare also participates in the EU–US Data Privacy Framework, in respect of which the European Commission adopted an adequacy decision on 10 July 2023 (Decision (EU) 2023/1795).
Google Ireland Limited / Google LLC (GA4): Google Analytics 4 is contracted through Google Ireland Limited (EEA entity). To the extent that data is processed by Google LLC in the United States, transfers are governed by SCCs and the EU–US Data Privacy Framework adequacy decision referenced above. We have enabled IP anonymisation within GA4 and have configured data-retention settings to a maximum of 26 months.
Tawk.to Inc. (United States): Live-chat transcripts and session data may be processed on servers operated by or on behalf of Tawk.to Inc. outside the EEA. Transfers are governed by SCCs incorporated into Tawk.to's data-processing agreement.
You may request a copy of the relevant SCCs or a summary of the transfer impact assessments carried out in respect of any of the above transfers by contacting banking@codegotech.com. We will provide this information in accordance with Article 15(3) GDPR, subject to any applicable commercial confidentiality redactions that do not prejudice the substance of the safeguards.
We retain Personal Data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law, in accordance with the storage-limitation principle in Article 5(1)(e) GDPR. Our standard retention periods for Website-related processing are as follows:
Enquiry and correspondence data (contact-form submissions, email correspondence, live-chat transcripts): retained for 24 months from the date of last contact, unless the enquiry develops into a contractual relationship, in which case the retention period applicable to contract records applies.
Website analytics data (GA4): data retention within GA4 is configured to a maximum of 26 months, after which user-level and event-level data is automatically deleted by Google. Aggregated, non-identifiable reports may be retained indefinitely.
Cookie consent records: retained for 36 months from the date of consent to enable us to demonstrate compliance with Article 7(1) GDPR.
Marketing mailing list data: retained for the duration of the subscription and for 12 months following unsubscription, to maintain a record of consent and to honour suppression lists.
B2B onboarding and KYB data: retained for a minimum of five years from the end of the business relationship, or longer where required by applicable anti-money-laundering legislation or regulatory obligations.
Security and access logs (Cloudflare, server logs): retained for up to 90 days for security-incident investigation purposes, after which they are deleted or anonymised.
At the end of the applicable retention period, Personal Data is securely deleted or anonymised. Where anonymisation is not technically practicable within the relevant timeframe, data is restricted from active processing until deletion is completed. Retention schedules are reviewed annually and updated where necessary to reflect changes in legal requirements or operational needs.
As a data subject under GDPR, you have the following rights in relation to the Personal Data we hold about you. These rights apply to the extent and subject to the conditions set out in Articles 15–22 GDPR and any applicable restrictions under Maltese law.
Right of access (Article 15 GDPR): You have the right to obtain confirmation of whether we process Personal Data about you and, if so, to receive a copy of that data together with information about the purposes, categories, recipients, and retention periods applicable.
Right to rectification (Article 16 GDPR): You have the right to require us to correct inaccurate Personal Data and to complete incomplete data without undue delay.
Right to erasure (Article 17 GDPR): You have the right to request the deletion of your Personal Data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent and no other lawful basis applies, where you object successfully under Article 21, or where the data has been unlawfully processed. This right is subject to exceptions, including where retention is required by legal obligation.
Right to restriction of processing (Article 18 GDPR): You have the right to request that we restrict the processing of your Personal Data in certain circumstances — for example, while the accuracy of data is contested, or while an objection is being assessed.
Right to data portability (Article 20 GDPR): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive the Personal Data you provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller.
Right to object (Article 21 GDPR): You have the right to object at any time to processing of your Personal Data based on Article 6(1)(f) (legitimate interests), including profiling based on that provision. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims. You may also object at any time to the use of your Personal Data for direct-marketing purposes; if you do so, we will cease processing for that purpose without further assessment.
Right to withdraw consent (Article 7(3) GDPR): Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. You may withdraw consent for marketing emails by using the unsubscribe link in any marketing communication, or by contacting banking@codegotech.com. You may withdraw cookie consent through the Website's consent-management mechanism or your browser settings.
How to exercise your rights: Submit a written request to banking@codegotech.com with sufficient information to identify you and specify the right(s) you wish to exercise. We will respond within one calendar month of receipt (Article 12(3) GDPR). This period may be extended by a further two months where requests are complex or numerous, in which case we will inform you within the initial one-month period. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive (Article 12(5) GDPR).
Article 22 GDPR confers rights on data subjects in relation to decisions based solely on automated processing — including profiling — that produce legal effects or similarly significant effects on them.
Codego does not carry out any automated decision-making in respect of Website visitors, enquirers, or business contacts that produces legal effects or effects of similarly significant consequence. In particular:
— We do not use automated scoring or profiling to determine whether to respond to, accept, or decline a business enquiry.
— We do not use GA4 data or other Website-analytics data to make individual decisions with legal or equivalent effects.
— We do not operate algorithmic credit-scoring or risk-assessment processes affecting any individual in the context of Website interactions.
The Cloudflare Turnstile mechanism performs automated analysis of device and behavioural signals to distinguish human users from automated bots. Where the mechanism determines that a request is likely automated, it may require completion of an additional challenge or decline to submit a form on behalf of that request. This process does not amount to a decision with legal or similarly significant effects on a natural person within the meaning of Article 22 GDPR; it is a security control directed at automated agents rather than at individual data subjects. However, if you believe you have been incorrectly identified as automated traffic and have been unable to contact us as a result, please email banking@codegotech.com and we will address your enquiry directly.
Should Codego introduce any automated decision-making processes of the kind described in Article 22 GDPR in the future, this Policy will be updated accordingly prior to such processing commencing, and the relevant data subjects will be informed as required by Article 13 or 14 GDPR.
In accordance with Article 32 GDPR, we have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk of our processing activities. These measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons.
Our security measures include, without limitation:
— Encryption of data in transit using TLS (Transport Layer Security) across all Website communications.
— Cloudflare CDN and DDoS-mitigation services protecting the Website's availability and integrity.
— Cloudflare Turnstile for protection of web forms against automated abuse.
— Access controls and authentication requirements restricting access to Personal Data to authorised personnel on a need-to-know basis.
— Payment Card Industry Data Security Standard Level 1 certification (2025), evidencing the maturity of our information security management framework in the context of our broader BaaS operations.
— Regular review of access rights and logging of access to systems processing Personal Data.
— Data-processing agreements with all third-party Processors, incorporating Article 32 obligations.
In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information and Data Protection Commissioner ("IDPC") within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to individuals, we will also notify the affected data subjects without undue delay as required by Article 34 GDPR.
Contacting us about this Policy:
Any questions, concerns, or requests relating to this Privacy Policy or the exercise of your data-subject rights should be directed to:
Codego Group LTD — Data Protection Enquiries
Email: banking@codegotech.com
Website: codegotech.com
Please mark correspondence "Data Protection — Privacy Policy" to ensure prompt routing. As noted in Section 01, Codego has not appointed a mandatory DPO; banking@codegotech.com is the designated point of contact for all data-protection matters relating to the Website.
Right to lodge a complaint with a supervisory authority:
Without prejudice to any other administrative or judicial remedy, you have the right under Article 77 GDPR to lodge a complaint with a competent data-protection supervisory authority if you consider that the processing of your Personal Data infringes the GDPR. The supervisory authority with jurisdiction in respect of Codego Group LTD as a Maltese-established Controller is:
Information and Data Protection Commissioner (IDPC)
Level 2, Airways House, High Street, Sliema SLM 1549, Malta
Website: https://idpc.org.mt
Email: idpc.info@idpc.org.mt
You may also lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement within the EU/EEA, in accordance with Article 77(1) GDPR.
Updates to this Policy:
We review this Privacy Policy at least annually and whenever there is a material change to our processing activities, applicable law, or regulatory guidance. When we make material changes, we will update the "Last reviewed" date at the top of this page and, where the changes are significant, we will take reasonable steps to bring them to your attention — for example, by placing a notice on the Website or contacting you directly where we hold your email address for communication purposes. Your continued use of the Website after the effective date of any update constitutes acknowledgement of the revised Policy. We encourage you to review this page periodically.
This Privacy Policy was last reviewed on 5 May 2026.