Privacy Policy
Updated: June 2026
3Degrees ("we", "our", "us") respects your privacy and is committed to protecting personal data in accordance with the UK GDPR, EU GDPR, and other applicable data protection laws. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit www.3degrees.co or use our services.
1. Data Controller
The data controller responsible for your personal data is:
3 Degrees Technologies Inc.
Email: privacy@3degrees.co
Website: https://www.3degrees.co
2. Personal Data We Collect
We collect the following categories of personal data in the course of providing our payment infrastructure services:
Beneficiary data (provided by our clients for payment execution)
Full name
Address
Date of birth
National identification number
Email address
Phone number
Bank account details (IBAN, sort code, account number, bank name, routing code)
Client and account data
IP address
Contact name and email
Company information
API keys (stored hashed)
User credentials
Technical data
IP address
Browser type and version
Device information
Website usage data
Transaction data
Payment amounts, currencies, and references
Payout summaries and statuses
3. Lawful Basis for Processing
We process personal data under the following lawful bases:
Contract: processing is necessary to perform our payment infrastructure services under the service agreement with our clients. This covers payment execution, FX quoting, and account management.
Legal obligation: we are required by financial regulations (anti-money laundering, know-your-customer, financial record-keeping) to collect, verify, and retain certain personal data for a minimum of 7 years.
Legitimate interest: For operational security, system monitoring, fraud prevention, and improving our services. We do not process personal data for profiling, advertising, or marketing purposes.
Consent: for non-essential analytics cookies and similar tracking technologies on our website. Analytics cookies are only set after you have given explicit opt-in consent via our cookie banner. You may withdraw consent at any time.
Consent is not the lawful basis for any core processing activity: Centro is a B2B payment infrastructure platform; all core processing is driven by contractual and regulatory obligation. Consent applies only to optional website analytics.
4. How We Use Personal Data
We use personal data to:
Execute cross-border payments on behalf of our clients
Verify beneficiary identities for AML/KYC compliance
Maintain transaction records for financial audit and regulatory purposes
Monitor and secure our systems against fraud and unauthorised access
Respond to support requests and data subject access requests
5. Data Sharing
We share personal data only with third parties that enable us to deliver our services. These fall into the following categories:
Payment and financial service providers
We work with regulated payment institutions and foreign‑exchange partners to execute international payments. These providers receive only the beneficiary information necessary to process the transaction (such as name, account details, and address). Depending on the service, they may act as independent controllers or data processors.
Technology, infrastructure, and operational service providers
We use trusted third‑party providers for secure cloud hosting, authentication, communication, and internal operations. These providers process data strictly on our behalf and in accordance with our instructions.
Legal, regulatory, and compliance partners
Where required, we may share data with auditors, regulators, or compliance service providers to meet our legal obligations.
We do not sell personal data, and we do not share it with third parties for their own marketing purposes.
6. International Data Transfers
Our primary infrastructure is hosted in a secure cloud environment located in the European Union (Ireland). We also operate a flexible infrastructure model that allows us to serve clients in the United States, the United Kingdom, and the European Economic Area. Depending on a client’s location and service requirements, their data may be processed in the region most appropriate for delivering the service.
When personal data is transferred across borders, including transfers from or to the United States, the United Kingdom, or the EEA, we apply appropriate safeguards to ensure an equivalent level of protection. These may include:
Standard Contractual Clauses (SCCs)
Adequacy decisions
Contractual, organisational, and technical safeguards that meet applicable legal requirements
Some of our payment and financial service partners may process data in jurisdictions that do not have the same data‑protection laws as the UK, EU, or US. Where this occurs, we assess and document the relevant transfer mechanisms and ensure they remain compliant with applicable regulations.
For more information about cross‑border transfers or specific service providers, you may contact us at privacy@3degrees.co
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, regulatory, and operational requirements.
Beneficiary personal information is retained for seven years from the date of the last transaction. This includes details such as name, address, and account information, and is required for financial record‑keeping, anti‑money laundering, and know‑your‑customer obligations.
Account details, including IBANs and other payment identifiers, are also retained for seven years from the last transaction for the same regulatory reasons.
Transaction event history is retained for seven years from the date of each event to comply with financial record‑keeping and audit requirements.
Payout summaries are retained for seven years from the payout date to meet financial and regulatory obligations.
Quote requests are retained for 90 days from creation, as there is no financial record‑keeping requirement once the quote expires.
Client credentials are retained for the duration of the service agreement in order to provide the contracted services.
Application logs are retained for between 30 and 90 days, depending on the log type, for operational and security purposes.
After the retention period expires, data is deleted or anonymised. Transaction records are retained for 7 years as required by applicable financial regulations, even if you close your account.
8. Your Data Protection Rights
Under GDPR, you have the right to:
Access your personal data
Correct inaccurate information
Request deletion of your data
Restrict or object to processing
Request data portability
Withdraw consent at any time
Limitation on erasure: The right to erasure does not apply where we are required to retain data for compliance with legal obligations, including financial record-keeping under anti-money laundering and know-your-customer regulations. Transaction-related data (beneficiary records, account details, payment history) is retained for 7 years regardless of erasure requests.
To exercise these rights, contact: privacy@3degrees.co
9. Data Deletion Requests
You may request deletion of your personal data at any time using our Data Deletion Request form:
https://www.3degrees.co/data-deletion
All requests are logged, tracked, and processed in accordance with applicable data protection regulations.
10. Security
We implement technical and organisational safeguards to protect personal data, including:
We implement technical and organisational safeguards to protect personal data, including:
Encryption at rest (AES-256) and in transit (TLS)
Access controls and tenant isolation
Network isolation (VPC, security groups)
Monitoring, logging, and alerting
Regular security assessments
11. Cookies and Analytics
We use cookies on our website. Some are strictly necessary for the site to function; others (analytics cookies) are optional and require your consent.
Strictly necessary cookies: required for the website to function (e.g. session management, security). These do not require consent.
Analytics cookies: help us understand how visitors use our website (e.g. page views, traffic sources, device types). These are only set after you have given explicit opt-in consent via our cookie banner. You may withdraw consent at any time by adjusting your cookie preferences.
We do not use advertising or marketing cookies.
11. Updates to This Policy
We may update this Privacy Policy periodically. Updated versions will be published on this page with the revised date. Material changes to our data processing activities will be reflected within 30 days.
Prior versions of this policy are retained for audit purposes.
12. Contact
For privacy-related enquiries:
