Legal

Privacy Policy

How Remi collects, uses, shares and protects personal data across its network.

DOC REMI-LGL-PRIV-001 VER 1.0 EFFECTIVE 12 JUN 2026 SCOPE REMI GROUP & WEBSITES

Remi (“Remi”, “we”, “us”, “our”) provides borderless liquidity and settlement infrastructure: a technology orchestration layer that connects regulated network operators and licensed financial partners with the businesses that build on them. This Privacy Policy explains who we are, what personal data we process, why and on what legal basis, who we share it with, how we protect it, and the rights and choices available to you.

Remi is a technology company. We are not a bank and we are not a licensed payment, money-services, or virtual-asset service provider. We do not hold, custody, or transmit customer funds or digital assets. Regulated financial services accessed through our network are provided by separately licensed partners under their own terms and privacy notices.

01 Who we are and the scope of this policy

Remi operates through a group of affiliated entities in the countries where we provide our services. The Remi entity responsible for your personal data (the “controller”) depends on how you interact with us and on where the relevant entity is established. If you are unsure which entity is responsible for your data, contact us using the details in Section 15 and we will confirm.

This policy applies to personal data we process when you:

  • visit or interact with our websites at remi.ae and related Remi web properties (the “Sites”);
  • contact us, submit an enquiry, or correspond with our team;
  • represent a business that applies to join, integrates with, or uses the Remi network as a Network Operator or Network Participant; or
  • have personal data routed through the Remi network by a Network Operator that uses our services (subject to the allocation of roles in Section 2).

This policy does not cover:

  • the independent processing carried out by Licensed Partners (banks, payment institutions, exchange houses, virtual-asset service providers, and other regulated entities), who act as separate controllers under their own privacy notices;
  • the processing that Network Operators carry out as controllers in respect of their own customers and end users; or
  • third-party websites or services we link to.

Because our services are provided to businesses, the Sites and the Remi network are intended for business and professional users, and not for consumers acting in a personal capacity.

02 Our role: controller, processor, and the network

Data-protection law distinguishes between a “controller” (who decides why and how personal data is processed) and a “processor” (who processes data on a controller’s instructions). Remi’s role depends on the context:

  • Website visitors and business contacts. When you browse our Sites, contact us, or engage with us as a prospective or actual business partner, Remi is the controller of your personal data.
  • Network Operators and their representatives. When a business applies to join or uses the network, Remi is the controller of the onboarding, due-diligence, account, and relationship data we process about that business and its authorised representatives.
  • End-user and transaction data routed through the network. When a Network Operator uses our services to route instructions and data relating to its own customers and recipients (“End Users”), the Network Operator is the controller of that personal data, and Remi processes it to provide the orchestration service. As set out in our Network Terms of Use, Remi and the Network Operator each act as independent controllers in respect of the processing they carry out for their own purposes, except where the parties have expressly agreed in writing that Remi acts as processor under a data-processing agreement. The Network Operator is responsible for establishing a lawful basis for sharing End-User data with Remi and Licensed Partners, and for providing all required notices and obtaining any required consents.
  • Licensed Partners. Banks and other licensed institutions that deliver regulated services through the network are independent controllers of the personal data they process to meet their own legal and regulatory obligations.

03 Personal data we collect

The categories of personal data we process depend on your relationship with us.

3.1  Information you provide to us

  • Contact and enquiry data: your name, business email address, company name, job title, telephone number, country, the type of enquiry (for example, general enquiry, becoming a Network Participant, or becoming a Network Operator), and the content of any message you send us through our contact form or by email.
  • Business onboarding and due-diligence data: where you represent a business that applies to join the network, information about the business and the individuals connected to it — including corporate identity and registration details, ownership and control structure, ultimate beneficial owners, directors and authorised representatives, regulatory and licensing status, and supporting documentation — that we or a Licensed Partner require to meet “know-your-business” (KYB), anti-money-laundering, sanctions, and onboarding requirements.
  • Account and credential data: details used to create and manage access to our platform, developer portal, and APIs, including the names and contact details of authorised representatives and the API credentials issued to your organisation.
  • Communications: records of your correspondence and interactions with us, including support requests and feedback.

3.2  Information processed through the network on behalf of Network Operators

Where a Network Operator uses our services, we process personal data contained in the instructions and data it routes through the network. Depending on the services used (Liquidity-, Remittance-, and Crypto-as-a-Service), this may include sender and beneficiary identity details, recipient and payout information, transaction details (such as amounts, currencies, quotes, references, and status), and, for digital-asset flows, wallet addresses, blockchain transaction references, and the results of address-screening and risk checks. We process this data to orchestrate, route, audit, and report on transactions. The Network Operator determines what data is submitted and is the controller of it (see Section 2).

3.3  Information we collect automatically

  • Technical data: IP address, browser and device type, operating system, language settings, and similar information collected automatically by our hosting and security layers when you use the Sites or our services.
  • Usage and log data: pages viewed, approximate region, referring pages, and interactions with the Sites, collected through privacy-respecting analytics to help us understand and improve them.
  • Audit and security logs: access to, and changes affecting, our systems and personal data are logged and auditable as part of our security and compliance controls.
  • Cookies and similar technologies: see Section 11.

We do not intentionally collect special categories of personal data through the Sites, and we do not knowingly collect personal data from children (see Section 12).

04 How and why we use personal data

We use personal data for the following purposes:

  • to respond to your enquiries and route you to the right operator, participant, or partner conversation;
  • to evaluate, onboard, and administer Network Operators and Network Participants, including KYB, due-diligence, sanctions, and eligibility checks (whether performed by us or by a Licensed Partner);
  • to provide, operate, orchestrate, secure, maintain, and improve the Remi network, our Sites, APIs, and related services — including authentication, access management, transaction routing, eventing, reconciliation, reporting, and analytics;
  • to communicate with you about your relationship with us, including service, technical, security, and administrative messages;
  • to send you relevant business communications and updates where permitted, from which you can opt out at any time (see Section 13);
  • to detect, investigate, and prevent fraud, financial crime, security incidents, and misuse of our services;
  • to comply with the legal, regulatory, and compliance obligations of our group and our Licensed Partners, and to establish, exercise, or defend legal claims; and
  • to support corporate transactions such as financing, audit, reorganisation, merger, or acquisition.

05 Legal bases for processing

Where data-protection law requires a legal basis to process personal data, we rely on one or more of the following:

  • Performance of a contract (or steps taken at your request before entering into one) — for example, to respond to your enquiry, onboard your organisation, or provide our services.
  • Legitimate interests — for example, to operate, secure, and improve our Sites and services, to manage and grow our business relationships, to send business-to-business communications, and to prevent fraud and misuse, provided these interests are not overridden by your interests or fundamental rights.
  • Compliance with a legal obligation — for example, to meet anti-money-laundering, sanctions, tax, accounting, and other regulatory requirements applicable to us and our group.
  • Consent — for example, for certain cookies and analytics, or where we otherwise ask for it. Where we rely on consent, you may withdraw it at any time without affecting processing carried out before withdrawal.

Where we process End-User data routed through the network, the relevant Network Operator is responsible for establishing the lawful basis for that processing and for providing the notices and obtaining any consents required (see Section 2).

06 How we share personal data

We do not sell personal data. We share it only as described below:

  • Service providers and processors acting on our behalf — for example, cloud hosting, infrastructure, email, customer-relationship, security, and analytics providers — who are bound by contract to process personal data only on our instructions and to protect it.
  • Licensed Partners and Network Operators — where you ask us to connect you, or where it is necessary to route an instruction or deliver a service through the network, we share relevant data with the regulated partners and operators involved in that flow, each of which is responsible for its own processing.
  • Within the Remi group — between the entities listed in Section 1, for the purposes described in this policy and under appropriate intra-group arrangements.
  • Professional advisers and auditors — such as our lawyers, accountants, and auditors, where necessary.
  • Authorities and to meet legal obligations — regulators, law-enforcement, courts, and other authorities where required or permitted by law, or to protect our rights, our users, or the integrity of the network.
  • In connection with a corporate transaction — such as a financing, merger, acquisition, or sale of assets, subject to appropriate confidentiality and data-protection safeguards.

07 International transfers

Remi operates across multiple jurisdictions, and our service providers and group entities may be located in countries other than your own. As a result, your personal data may be transferred to, stored in, or accessed from countries whose data-protection laws differ from those where you are located.

Where we transfer personal data across borders, we apply the safeguards required by applicable law. These may include transferring to countries or organisations recognised as providing an adequate level of protection, or putting in place approved contractual protections (for example, standard contractual clauses) or other mechanisms recognised under applicable data-protection law. You may contact us for more information about the safeguards we use.

08 Data retention

We keep personal data only for as long as necessary for the purposes set out in this policy — including to provide our services, maintain our business relationships, meet our legal, regulatory, accounting, and reporting obligations, and establish, exercise, or defend legal claims.

Retention periods vary by data type and context. For example, business and contact records are generally kept for the duration of our relationship and for a reasonable period afterwards, while records held to meet anti-money-laundering, sanctions, and other regulatory obligations are typically retained for the minimum periods required by applicable law (commonly several years after the end of the relevant relationship or transaction). When personal data is no longer required, we securely delete or anonymise it.

09 How we protect personal data

We apply organisational and technical security measures designed to protect personal data against unauthorised access, loss, misuse, or alteration. These include encryption of data in transit and at rest, access controls and the principle of least privilege, network and application security controls, segregation of environments, and continuous monitoring. Access to, and changes affecting, personal data are logged and auditable.

Our infrastructure is built and operated to recognised industry standards, and we maintain certifications including ISO/IEC 27001 and SOC 2. You can find more information about our security and compliance posture in our Trust Center at trustcenter.remi.ae. No method of transmission or storage is completely secure, but we work to protect personal data and to respond appropriately to any security incident, including notifying affected parties and authorities where required by law.

10 Your rights and choices

Subject to your jurisdiction and applicable law, you may have some or all of the following rights in relation to your personal data:

  • to access the personal data we hold about you and obtain information about how we process it;
  • to request correction of inaccurate or incomplete data;
  • to request erasure of your data in certain circumstances;
  • to object to, or request restriction of, certain processing;
  • to request the portability of data you provided to us, in a structured, commonly used, machine-readable format;
  • to withdraw consent where we rely on it; and
  • to opt out of direct marketing at any time.

How to exercise your rights

To make a request, contact us using the details in Section 15. We may need to verify your identity and may ask for additional information, and we will respond within the time required by applicable law. There is normally no charge, although we may charge a reasonable fee or decline a request that is manifestly unfounded or excessive, to the extent permitted by law. If your personal data was provided to us by a Network Operator, or is otherwise controlled by another party, we may direct your request to — or ask you to contact — the relevant controller.

Complaints and supervisory authorities

If you have a concern about how we handle your personal data, please contact us first so that we can try to resolve it. Depending on the data-protection laws that apply to you, you may also have the right to lodge a complaint with your local data-protection or supervisory authority.

11 Cookies and similar technologies

We use a minimal set of cookies and similar technologies on our Sites:

  • Essential cookies, which are always on and necessary for the Sites to function (for example, to remember your privacy preferences and to handle forms and security);
  • Analytics cookies, which help us understand how the Sites are used so that we can improve them; and
  • Advertising cookies, which may be used to measure and improve the relevance of marketing.

Non-essential cookies are off by default and are set only with your consent. You can manage your preferences through our cookie settings and through your browser controls; disabling some cookies may affect how the Sites function.

12 Children’s data

Our Sites and services are intended for businesses and professional users and are not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

13 Marketing and communications

Where permitted, we may send you business communications about Remi’s products, services, and events. You can opt out at any time by using the unsubscribe link in our emails or by contacting us. We will still send you the non-promotional messages necessary to manage our relationship, such as service, security, and administrative notices.

14 Changes to this policy

We may update this policy from time to time to reflect changes to our services, technology, or legal obligations. When we do, we will revise the “effective” date shown above, and we may highlight material changes on this page or notify you by other appropriate means. We encourage you to review this policy periodically.

15 Contact us

If you have questions about this policy or wish to exercise your rights, please contact us:

Remi
Email: hello@remi.ae

The Remi group entity responsible for your personal data — and its registered contact details — depend on where that entity is established. Contact us at the email above and we will identify the responsible entity and route your request accordingly.

This Privacy Policy should be read together with our Network Terms of Use.

Prighter privacy compliance certificate