1. Introduction
1.1 Purpose and Objective of this Policy
This Privacy Policy (“Policy”) is issued by Banqker (hereinafter referred to as “Banqker”, “we”, “our”, or “us”) in compliance with the applicable data protection and privacy laws, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR), as well as any other applicable local privacy legislation in the jurisdictions in which Banqker operates.
The purpose of this Policy is to provide transparency regarding how Banqker collects, uses, stores, discloses, transfers, and protects personal data obtained from individuals interacting with its digital platforms, services, or otherwise engaging with Banqker in any capacity.
This Policy also sets out the rights of individuals in relation to their personal data and outlines the mechanisms Banqker has implemented to uphold and respect those rights. It forms part of Banqker’s wider commitment to ensure data privacy, accountability, and trust.
1.2 Scope and Territorial Applicability
This Policy applies to all personal data processed by Banqker through its websites (including https://banqker.com), mobile applications, APIs, customer support channels, or in connection with any other digital or offline offering made available by Banqker (collectively referred to as the “Services”).
This Policy applies to the processing of personal data of:
Natural persons who use Banqker’s educational and gamified financial literacy tools, including but not limited to students, teachers, school administrators, and parents;
Representatives of educational institutions or entities engaging with Banqker;
Website visitors and users of the Banqker platform, irrespective of their geographic location.
However, this Policy does not apply to jurisdictions where Banqker does not operate or offer services, including the United States of America, and should not be interpreted as compliance with any U.S.-specific privacy legislation (e.g., CCPA, COPPA).
To the extent Banqker expands its operations into additional jurisdictions, this Policy may be supplemented or amended with jurisdiction-specific annexures or disclosures, which shall form an integral part hereof.
1.3 Definitions and Interpretative Clauses
Unless otherwise stated in this Policy, the terms used herein shall have the meanings ascribed to them under the GDPR. For ease of reference, certain key terms are defined below:
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier.
“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
“Controller” means the natural or legal person which determines the purposes and means of the processing of personal data.
“Processor” means any natural or legal person who processes personal data on behalf of the Controller.
“Applicable Laws” means the GDPR and all other relevant international, regional, or domestic data protection and privacy laws, regulations, rules, or guidelines, as amended from time to time.
“Consent” means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
All headings used herein are for convenience only and shall not affect the interpretation of this Policy. Singular includes plural and vice versa unless the context requires otherwise.
1.4 Acknowledgment and Consent to Processing
By accessing or using any of Banqker’s Services, or by otherwise submitting personal data to us, you acknowledge that you have read and understood the terms of this Privacy Policy. Where required under Applicable Laws, your express consent to specific processing activities shall be obtained prior to such processing.
In certain circumstances, your use of the Services may be subject to the express consent of a legal guardian, parent, or educational institution, especially in cases involving minors or children below the age of lawful consent in the relevant jurisdiction (as further detailed in Section 10 below).
Where your consent is the legal basis for processing, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Such withdrawal can be effected by contacting us via the communication channels outlined in Section 16 of this Policy.
Use of Banqker’s Services shall be construed as agreement to the terms set forth in this Policy, unless such use is expressly restricted or refused under the exercise of applicable data subject rights.
2. Identity of the Data Controller
2.1 Legal Entity Details
For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws, the entity that determines the purposes and means of processing your personal data in relation to the Services is Caiz Trade s.r.o., operating under the brand name Banqker, a private limited company incorporated under the laws of the Slovak Republic, having its registered office at Mostová 185/2, Bratislava - mestská časť Staré Mesto 811 02, bearing Company Registration Number: 54 086 043.
Banqker is a commercial brand of Caiz Trade s.r.o. and, for the purposes of this Privacy Policy, Caiz Trade s.r.o. shall be referred to as the “Data Controller”, responsible for the collection, use, storage, and protection of your personal data as defined under Article 4(7) of the GDPR.
Where Caiz Trade s.r.o. operates through affiliated entities, brands, or branches in other jurisdictions, such entities may act as joint controllers or processors, depending on the operational structure. In such instances, appropriate joint controllership arrangements or data processing agreements shall be executed in accordance with Articles 26 and 28 of the GDPR, respectively.
2.2 Data Protection Officer (DPO) Details
Banqker has appointed a Data Protection Officer (“DPO”) pursuant to Article 37 of the GDPR to oversee our compliance with data protection laws, act as the primary point of contact for supervisory authorities, and serve as a resource for data subjects seeking clarification on data processing activities.
The contact details of our designated DPO are as follows:
Email: dpo@banqker.com
The DPO may be contacted for any issues relating to the processing of your personal data, including the exercise of your rights under this Policy. All communications with the DPO shall be treated confidentially, and your identity shall be protected where feasible and legally permissible.
3. Categories of Personal Data Processed
Banqker processes various categories of personal data in the course of providing its Services, including data that is (i) voluntarily submitted by users, (ii) collected automatically during use of our platform, and (iii) obtained through institutional or third-party integrations. All data processing is undertaken strictly in accordance with the principles of lawfulness, fairness, transparency, data minimisation, and purpose limitation under the General Data Protection Regulation (GDPR) and other applicable data protection laws.
3.1 Data Voluntarily Submitted by Users
Banqker collects and processes personal data that you or your affiliated institution voluntarily submit to us in connection with the use of our platform. This includes, but is not limited to:
(a) Registration and Profile Information
When users create or are assigned accounts on Banqker’s platform—whether as students, teachers, parents, or school administrators—we may collect the following information:
Full name (first name and surname)
Email address
Username and password (encrypted)
Year level or grade of the student
School name or institution ID (if applicable)
Gender and date of birth (only where relevant for age-specific platform content or compliance with child data regulations)
Country and preferred language
In the case of students, such data may be submitted either by the educational institution or teacher administering the program or by the student themselves (with appropriate consent mechanisms in place).
(b) Communication Records and Feedback
We may collect data arising from your interactions with us or with other users within the platform environment, including:
Email or in-platform messages exchanged with Banqker’s support team
Responses to surveys, polls, or feedback forms
Participation in discussion boards, educational games, or simulation-based exercises
Submission of queries, complaints, or support tickets
Such information is used for service provision, user engagement analysis, customer support, and platform improvement initiatives.
3.2 Data Collected Automatically
Banqker may automatically collect certain information about your device and usage of the platform to ensure operational functionality, platform security, and user experience optimisation. This includes:
(a) IP Address, Device Data, and Browser Type
We may collect data such as:
Your device’s Internet Protocol (IP) address
Device operating system and version
Browser type, version, and settings
Device identifiers (such as UUID or IMEI, where relevant)
Screen resolution and interface language
This information is used for system diagnostics, analytics, fraud detection, localisation, and compatibility optimisation.
(b) Usage and Access Logs
We maintain records of users’ interactions with our platform, including:
Dates and times of logins and logouts
Pages visited, features accessed, and session duration
Clickstream data and navigation paths
Error logs and crash reports
This data allows Banqker to monitor platform performance, identify misuse, and improve user engagement flows.
(c) Cookie Data and Other Tracking Tools
Banqker uses cookies and similar tracking technologies (such as pixels and local storage objects) in accordance with our Cookie Policy to:
Authenticate user sessions
Maintain user preferences and settings
Analyse traffic patterns and usage trends
Deliver or suppress notifications and messages
Where required under applicable laws (e.g., ePrivacy Directive and GDPR), we obtain user consent before deploying non-essential cookies.
You may manage or revoke your cookie preferences at any time via the cookie consent banner or your browser settings.
4. Legal Grounds for Processing Personal Data
Banqker processes personal data only where there is a lawful basis for doing so under Article 6(1) of the General Data Protection Regulation (GDPR). Depending on the context in which personal data is collected and the nature of the relationship with the data subject, one or more of the following legal grounds may apply.
We ensure that all processing activities are carried out lawfully, fairly, and transparently, and only for the purposes explicitly described in this Policy.
4.1 Processing Based on Consent
Where required, Banqker processes personal data on the basis of the data subject’s freely given, specific, informed, and unambiguous consent, in accordance with Article 6(1)(a) GDPR.
Consent is sought:
When a user voluntarily registers and provides personal information not strictly necessary for the performance of a contract;
When cookies or other non-essential tracking technologies are deployed (subject to the user’s preferences via the cookie consent mechanism);
When students or parents/guardians are asked to participate in optional surveys, testimonials, or marketing communications;
When a school or educational institution transfers student data to Banqker for platform access, subject to requisite consents from parents or legal guardians in the case of minors.
Where processing is based on consent, data subjects have the right to withdraw their consent at any time, without affecting the lawfulness of any processing carried out prior to such withdrawal. Withdrawal of consent may, however, limit or restrict access to certain functionalities of the Services.
4.2 Processing Necessary for Performance of a Contract
In accordance with Article 6(1)(b) GDPR, Banqker processes personal data that is necessary to enter into or perform a contract with a user or institutional client (e.g., a school or educational authority).
This legal basis also applies where data processing is required prior to entering into a contract, such as user registration or onboarding facilitated by a school administrator.
4.3 Processing to Comply with Legal Obligations
Banqker may process personal data as required for compliance with a legal obligation to which it is subject, in accordance with Article 6(1)(c) GDPR.
This includes, without limitation:
Compliance with accounting, tax, corporate governance, or education-sector regulatory obligations;
Responding to lawful data access or disclosure requests from competent authorities;
Retaining records for statutory retention periods mandated under applicable EU or local laws;
Enforcing rights or responding to legal claims, including cooperating with supervisory authorities, courts, or other public bodies.
Processing under this ground is non-negotiable and continues irrespective of the user’s preferences, to the extent required by law.
4.4 Processing Based on Legitimate Interests
Pursuant to Article 6(1)(f) GDPR, Banqker may process personal data where it is necessary for the legitimate interests pursued by Banqker or a third party, provided such interests are not overridden by the fundamental rights and freedoms of the data subject.
Our legitimate interests may include:
Improving and optimizing platform performance, features, and content;
Preventing misuse, fraud, or unauthorised access to the platform;
Conducting aggregated analytics to better understand user engagement (without profiling or decision-making that produces legal effects);
Maintaining security of systems, networks, and personnel;
Facilitating internal administrative purposes, including intra-group data transfers;
Where a school engages us on behalf of its students and faculty, ensuring consistent delivery of educational outcomes.
Before relying on this ground, Banqker conducts a legitimate interests assessment (LIA) to ensure that such processing is proportionate, expected, and does not infringe upon the privacy rights of data subjects.
Data subjects retain the right to object to processing based on legitimate interests, subject to the conditions laid down under Article 21 GDPR.
4.5 Processing for the Protection of Vital Interests (where applicable)
Under exceptional circumstances, Banqker may process personal data pursuant to Article 6(1)(d) GDPR when it is necessary to protect the vital interests of the data subject or another natural person.
This legal basis is typically invoked only in emergency scenarios, such as:
Where Banqker becomes aware of a safety risk or imminent threat to a child user during use of the Services, and intervention or reporting is required;
Where health or safeguarding concerns are raised, and action must be taken without undue delay in coordination with an institutional authority or guardian.
Processing under this ground is rare and applied only where no other legal basis is reasonably available, and only to the minimum extent necessary.
5. Purposes of Processing
Banqker processes personal data only for specified, explicit, and legitimate purposes as permitted under Article 5(1)(b) of the General Data Protection Regulation (GDPR). We do not process data in a manner that is incompatible with these purposes, nor do we use your data for any unrelated secondary purpose without providing you prior notice and, where required, obtaining your consent. Outlined below are the key purposes for which we collect and process personal data:
5.1 Enabling User Communications and Notifications
We process data to facilitate communication between Banqker and its users, including:
Sending essential service-related messages such as login credentials, account status updates, password resets, and security alerts;
Providing transactional communications, confirmations, or reminders (e.g., scheduled simulations, user invitations, data usage disclosures);
Allowing users to interact with each other or with educators where peer-to-peer functionality is embedded in the platform;
Enabling school administrators to monitor activity and manage accounts at an institutional level.
Such processing is necessary to ensure smooth, informed usage of the platform and may rely on contractual necessity or legitimate interest depending on context.
5.2 Conducting Research, Analytics and Service Improvements
We process anonymised, pseudonymised, or identifiable user data to:
Evaluate how different categories of users engage with platform features;
Generate insights for improving the design, delivery, and educational efficacy of our services;
Conduct user experience testing, performance benchmarking, and feature deployment analysis;
Train machine learning or recommendation engines, solely in aggregate form and without profiling individuals in a manner that produces legal or similarly significant effects.
Where feasible, data used for analytics is aggregated or pseudonymised to ensure privacy preservation. In certain cases, explicit consent may be requested for participation in non-essential research activities or case studies.
5.3 Platform Security, Error Detection and Fraud Prevention
We process data for the protection of Banqker’s infrastructure, systems, and users, including:
Monitoring usage patterns for signs of misuse, unauthorised access, or breach attempts;
Detecting anomalies in login locations, session durations, or attempted data scraping;
Managing log files and backend diagnostics for error detection and remediation;
Implementing anti-fraud protocols, spam detection, and access control measures.
Such processing is based on our legitimate interests in ensuring the integrity and continuity of our Services and the safety of user information.
5.4 Marketing, Promotional and Engagement Activities (where permitted)
Where permitted by applicable law, and subject to user preferences and explicit consent where required, we may process data to:
Share updates about new features, educational content, or improvements to the platform;
Send invitations to participate in webinars, product launches, or community events;
Circulate newsletters, case studies, and thought leadership relevant to financial education;
Conduct satisfaction surveys or request testimonials for use on our website and publications.
You may opt out of receiving marketing communications at any time by using the unsubscribe link in our emails or contacting us directly. We do not engage in third-party advertising or behavioural tracking across non-affiliated websites.
5.5 Compliance with Applicable Law and Regulatory Requirements
We process personal data where necessary to fulfil our obligations under applicable laws, regulations, and statutory directives, including:
Responding to lawful requests from regulators, law enforcement agencies, or courts;
Retaining data for audit, taxation, and corporate governance purposes;
Ensuring compliance with child protection and education-sector guidelines as required by local authorities;
Addressing complaints, disputes, or requests relating to data subject rights.
In these instances, processing is grounded in our legal obligations under the law, and such processing may continue irrespective of a user’s consent or preference.
6. Disclosure and Transfer of Personal Data
Banqker shall not sell, rent, or otherwise commercially exploit personal data for purposes unrelated to the provision of its Services. However, in the ordinary course of business and strictly in accordance with applicable data protection laws, personal data may be disclosed to specific third parties or transferred across jurisdictions under controlled and legally compliant circumstances, as detailed below.
All such disclosures are conducted under lawful bases, accompanied by appropriate contractual safeguards, including Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) where applicable, to ensure ongoing confidentiality, integrity, and availability of personal data.
6.1 Intra-Group Transfers within Banqker Group Entities
Where Banqker operates through multiple affiliated entities, subsidiaries, or regional branches (collectively, the “Banqker Group”), personal data may be transferred internally for legitimate business purposes, including:
Centralised customer relationship management and user authentication;
Coordinated service provision and technical support across jurisdictions;
Product development, data analytics, and infrastructure administration;
Group-level legal compliance, audit, and corporate governance.
Such intra-group transfers are performed on the basis of legitimate interests and are governed by intercompany data transfer agreements, which ensure equivalent levels of protection in accordance with Articles 44–46 of the GDPR.
6.2 Disclosures to External Service Providers
Banqker may engage vetted third-party vendors and service providers to perform specific functions on its behalf (“Processors”), such as:
Cloud hosting, storage, and computing infrastructure;
Customer support ticketing and communication tools;
Payment gateway integration (if applicable);
Identity verification and security monitoring;
Learning analytics or reporting dashboards.
These third parties are granted access to personal data strictly on a need-to-know basis and are contractually bound under Article 28 GDPR to:
Act solely under Banqker’s documented instructions;
Implement appropriate technical and organisational measures (TOMs);
Not sub-process without authorisation;
Delete or return personal data upon termination of services.
A current list of categories of processors (not including names, to preserve commercial confidentiality) may be requested by contacting Banqker’s DPO.
6.3 Disclosures Mandated by Law or Legal Process
Banqker may disclose personal data to competent public authorities, courts, regulatory bodies, or law enforcement agencies where such disclosure is required under applicable laws, regulations, or pursuant to a lawful order or subpoena.
Such disclosures may be made:
In response to a lawful data access request (e.g., from a Data Protection Authority);
To comply with obligations under child protection or education regulations;
In connection with the prevention, detection, or investigation of crime, fraud, or cyber incidents;
For the establishment, exercise, or defence of legal claims.
Where permitted by law, Banqker shall use its reasonable endeavours to notify affected data subjects of such disclosure.
7. Cross-Border Transfers of Personal Data
In the course of providing our Services, Banqker may transfer personal data to recipients located outside the European Economic Area (EEA). Such transfers may occur to other entities within the Banqker Group, to third-party service providers, or to other authorised recipients operating in jurisdictions that do not offer an equivalent level of data protection as that guaranteed under the GDPR.
Banqker takes all necessary and legally mandated steps to ensure that personal data transferred outside the EEA is afforded a level of protection essentially equivalent to that within the EEA, and that such transfers comply with Chapter V of the GDPR.
We implement one or more of the mechanisms described below depending on the destination country and the nature of the data transfer.
7.1 Transfers to Countries Offering Adequate Protection (Article 45 GDPR)
Where personal data is transferred to a country that the European Commission has determined offers an adequate level of data protection under Article 45(1) GDPR, such transfers may take place without any further specific authorisation or additional safeguards.
7.2 Transfers Subject to Appropriate Safeguards (Article 46 GDPR)
In the absence of an adequacy decision, Banqker ensures that cross-border data transfers are carried out using appropriate safeguards, as prescribed under Article 46 GDPR. These safeguards include:
(a) Standard Contractual Clauses (SCCs)
Where personal data is transferred to third countries, Banqker enters into European Commission-approved Standard Contractual Clauses with the data recipient. These clauses impose direct obligations on the data importer and provide enforceable rights for data subjects.
In addition to executing SCCs, Banqker conducts Transfer Impact Assessments (TIAs) to evaluate the legal environment of the recipient country and, where required, implements supplementary technical and organisational measures to mitigate risks, in accordance with the guidance issued by the European Data Protection Board (EDPB).
(b) Binding Corporate Rules (BCRs)
Where personal data is transferred intra-group across Banqker’s affiliated entities located outside the EEA, such transfers may be governed by Binding Corporate Rules, which are approved by a competent supervisory authority under Article 47 GDPR.
These BCRs provide a group-wide framework ensuring that all Banqker affiliates apply consistent, enforceable privacy standards and respect data subjects' rights regardless of location.
Banqker shall make the relevant portions of its SCCs or BCRs available to data subjects upon written request, subject to redaction of confidential business information.
7.3 Derogations for Specific Situations (Article 49 GDPR)
In exceptional cases where neither an adequacy decision nor appropriate safeguards are in place, Banqker may rely on the derogations set out in Article 49 GDPR to lawfully transfer personal data, including:
Explicit consent of the data subject to the proposed transfer, having been informed of the potential risks due to absence of adequate protection measures;
Performance of a contract between the data subject and Banqker, or the implementation of pre-contractual measures taken at the data subject’s request;
Conclusion or performance of a contract in the interest of the data subject between Banqker and a third party;
Important reasons of public interest, as recognised under EU or Member State law;
Establishment, exercise or defence of legal claims;
Protection of vital interests of the data subject or another person, where the data subject is physically or legally incapable of giving consent.
Reliance on these derogations is strictly interpreted and shall occur only where the transfer is occasional and necessary in the specific context.
8. Data Retention and Deletion
Banqker shall not retain personal data in perpetuity. In accordance with Article 5(1)(e) of the General Data Protection Regulation (GDPR), personal data shall be retained only for as long as necessary to fulfil the specific purposes for which it was collected, or to comply with legal, regulatory, or contractual obligations. Once the retention period has lapsed, Banqker shall either delete, anonymise, or securely archive the data, in line with the principles of data minimisation and storage limitation.
8.1 Retention Periods by Data Category
Banqker applies differentiated retention schedules depending on the nature of the data collected and the legal or operational purpose of the processing. Indicative retention periods include:
Account and Profile Information (Students, Teachers, Parents): Retained for the duration of the account's active use and up to 24 months after inactivity, unless earlier deletion is requested by the data subject or institution.
Institutional Account and Administrator Data: Retained for the entire duration of the contractual relationship with the institution, and for seven (7) years thereafter for purposes of legal and financial record-keeping.
Usage Data, Logs, and Analytics: Retained in identifiable form for up to 12 months, after which it may be aggregated or anonymised for statistical or research purposes.
Communication Records (e.g., support tickets, emails): Retained for a maximum of 36 months for customer service audits and dispute resolution, unless required to be preserved longer under applicable law.
Marketing Preferences and Consent Records: Retained for as long as the individual is subscribed, and for five (5) years thereafter as proof of lawful consent in the event of regulatory review.
Cookies and Tracking Technologies: Retention varies by cookie type and is governed by our Cookie Policy; typically, session cookies expire upon browser closure, while persistent cookies may remain for up to 12 months, subject to user preference management.
Banqker may further specify retention timelines in contractual agreements with educational institutions, in which case such contractual provisions will prevail, subject to GDPR compliance.
8.2 Criteria for Determining Retention Schedules
In establishing appropriate retention durations, Banqker considers the following factors:
The original purpose for which the personal data was collected;
The legal basis relied upon for processing (e.g., consent, contract, legal obligation);
The type, sensitivity, and volume of the data in question;
Whether there is a legal or regulatory obligation (e.g., tax, audit, child protection laws) to retain certain records;
The existence of ongoing legal claims, disputes, or internal investigations that may require retention;
The relationship with the user or institution, including active vs. inactive status;
Industry best practices for educational data management, particularly involving minors.
Banqker reviews and updates its retention policy periodically to ensure continued alignment with legal requirements and practical necessity.
8.3 Data Anonymization and Secure Disposal Practices
Where personal data no longer serves a lawful purpose or the applicable retention period has expired, Banqker undertakes one of the following irreversible actions:
Deletion: Data is permanently erased from all primary and backup systems using industry-standard wiping techniques, including overwriting and cryptographic erasure.
Anonymization: Data is transformed in such a way that it can no longer be used to identify a natural person, directly or indirectly. Anonymised data is excluded from the scope of the GDPR and may be retained indefinitely for research, statistical, or product improvement purposes.
Restricted Archiving: In rare cases where deletion is not feasible due to technical constraints or legal requirements, data is moved to a restricted access archive with usage strictly limited to audit or litigation defence purposes. Access to such archives is tightly controlled and logged.
Banqker also ensures that third-party processors and sub-processors comply with equivalent deletion and disposal obligations under their respective data processing agreements.
9. Rights of Data Subjects (Pursuant to Chapter III, GDPR)
In accordance with Chapter III of the General Data Protection Regulation (GDPR), all individuals whose personal data is processed by Banqker (“Data Subjects”) are entitled to a set of clearly defined rights. Banqker recognises and upholds these rights and provides transparent mechanisms for their exercise.
To exercise any of the rights outlined below, Data Subjects may contact Banqker via the communication channels provided in Section 16 of this Privacy Policy. Banqker shall respond without undue delay and, in any event, within one (1) month of receipt of a valid request. This period may be extended by two (2) additional months where necessary, taking into account the complexity and number of the requests, in which case Banqker will inform the data subject of the extension and reasons for the delay.
9.1 Right of Access (Article 15)
Data Subjects have the right to obtain confirmation as to whether or not personal data concerning them is being processed by Banqker, and, where that is the case, to access the following:
The categories of personal data concerned;
The purposes of the processing;
The recipients or categories of recipients to whom the data has been or will be disclosed;
The envisaged period for which the data will be stored;
The existence of rights to rectification, erasure, restriction, or objection;
The right to lodge a complaint with a supervisory authority;
Where the personal data is not collected directly from the Data Subject, any available information as to its source;
The existence of automated decision-making, including profiling.
Banqker may charge a reasonable administrative fee or decline requests that are manifestly unfounded or excessive, particularly if repetitive.
9.2 Right to Rectification (Article 16)
Data Subjects have the right to request the correction or completion of inaccurate or incomplete personal data held by Banqker. Upon verification, Banqker will promptly rectify the data without undue delay. In the case of data submitted via a school or institutional partner, Banqker may require institutional confirmation prior to modifying such records.
9.3 Right to Erasure (‘Right to be Forgotten’) (Article 17)
Data Subjects have the right to request the erasure of their personal data without undue delay, where one of the following grounds applies:
The data is no longer necessary in relation to the purposes for which it was collected;
The Data Subject withdraws consent (where consent was the legal basis for processing);
The Data Subject objects to the processing and there are no overriding legitimate grounds;
The personal data has been unlawfully processed;
Erasure is required to comply with a legal obligation under EU or Member State law;
The data was collected in relation to the offer of information society services to a child.
This right may be limited where processing is necessary for:
Compliance with a legal obligation;
The establishment, exercise, or defence of legal claims;
Archiving purposes in the public interest, scientific or historical research, or statistical purposes, under appropriate safeguards.
9.4 Right to Restriction of Processing (Article 18)
Data Subjects may request the restriction of processing of their personal data where:
The accuracy of the data is contested (for a period enabling verification);
Processing is unlawful and the Data Subject opposes erasure;
Banqker no longer needs the data, but the Data Subject requires it for legal claims;
The Data Subject has objected to processing pending verification of legitimate grounds.
While restriction is in effect, Banqker may store the data but shall not process it further except with the Data Subject’s consent or for legal claims or public interest purposes.
9.5 Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, the Data Subject has the right to receive the personal data provided to Banqker:
In a structured, commonly used, and machine-readable format; and
To have it transmitted directly to another controller, where technically feasible.
This right does not apply to processing carried out in the public interest or in the exercise of official authority.
9.6 Right to Object to Processing (Article 21)
Data Subjects have the right to object at any time to the processing of personal data based on Banqker’s legitimate interests or for direct marketing purposes, including profiling related to such marketing.
Where an objection is raised:
Banqker shall cease processing the personal data unless it demonstrates compelling legitimate grounds which override the interests, rights, and freedoms of the Data Subject, or where processing is necessary for the establishment, exercise, or defence of legal claims.
If the objection relates to direct marketing, Banqker shall immediately cease such processing.
9.7 Right Not to Be Subject to Automated Decision-Making (Article 22)
Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant consequences.
Banqker does not engage in automated decision-making that has legal or similarly significant effects on individuals. Should such functionality be introduced in future (e.g., for educational evaluations or gamification scoring), appropriate safeguards, including human intervention, shall be provided, and data subjects shall be duly notified and afforded rights to contest the decision.
9.8 Right to Lodge Complaint with Supervisory Authority (Article 77)
Data Subjects who believe that the processing of their personal data infringes the GDPR have the right to lodge a complaint with a competent supervisory authority, in particular:
In the Member State of their habitual residence, or
In the place of the alleged infringement.
While Banqker encourages Data Subjects to contact its Data Protection Officer in the first instance to resolve any issues amicably, Data Subjects retain the unconditional right to approach their national data protection authority at any time.
10. Processing of Children’s Personal Data
Banqker recognises that its Services are intended, in part, for use by minors—particularly students in primary and secondary educational institutions. Consequently, the processing of children’s personal data is governed by enhanced legal standards under Article 8 of the General Data Protection Regulation (GDPR) and related local laws implementing child-specific privacy protections.
Banqker adopts a privacy-by-design and privacy-by-default approach when dealing with the data of children and implements additional safeguards to protect the rights and freedoms of underage users.
10.1 Applicability of Article 8 GDPR and Local Implementing Laws
Pursuant to Article 8(1) GDPR, where the legal basis for processing a child’s personal data is consent, such consent shall only be lawful if:
The child is at least the age defined by the GDPR or relevant Member State law (which may vary but shall not be lower than 13 years); and
If the child is below the applicable minimum age, consent must be given or authorised by the holder of parental responsibility over the child.
Different Member States have enacted domestic laws setting minimum age thresholds for valid child consent—typically ranging from 13 to 16 years. Banqker shall comply with the applicable age thresholds depending on the jurisdiction in which the child resides or where the Services are being accessed.
Where local laws impose stricter standards (e.g., education laws or sector-specific codes), such rules shall take precedence, and Banqker will incorporate them into its processing framework.
10.2 Minimum Age for Consent and Role of Educational Institutions
Banqker does not knowingly allow children under the applicable age threshold to register for its Services in their individual capacity without proper consent from a parent or legal guardian.
However, where Banqker’s Services are provided under a school or institutional license, the processing of students’ personal data may be legitimised under alternative legal bases such as:
Performance of a contract with the educational institution (Article 6(1)(b));
Legitimate interest in delivering educational functionality in collaboration with the school (Article 6(1)(f));
Legal obligation to support mandated educational services or child protection norms (Article 6(1)(c)).
In such cases, the educational institution is responsible for ensuring that:
It has a valid legal basis for sharing student data with Banqker;
It has obtained necessary parental or guardian consents where applicable;
It communicates Banqker’s role as a processor or co-controller to its students and staff, as per applicable law.
Banqker shall rely on the school’s representations in this regard and may enter into a Data Processing Agreement (DPA) with the institution to formalise these roles.
10.3 Parental Consent and Controls
Where Banqker requires verifiable parental consent (typically in cases of direct-to-child services), it implements the following:
A robust consent mechanism that seeks explicit approval from the person with parental responsibility;
Confirmation of age during account creation and verification of consent before activation;
Transparent notices explaining how the child’s data will be used, their rights, and how parents can intervene;
Tools for parents or guardians to review, correct, or request deletion of their child’s data.
Parents or legal guardians may withdraw consent at any time, in which case Banqker shall promptly delete or restrict further processing of the child’s personal data, unless retention is required for compliance with applicable legal obligations.
Banqker will never condition participation in educational content on a child’s disclosure of more personal data than is reasonably necessary for the functionality in question.
10.4 Data Minimization and Additional Safeguards for Minors
Consistent with the principle of data minimisation under Article 5(1)(c) GDPR, Banqker:
Collects only such personal data from children that is strictly necessary for the provision of educational functionality;
Avoids the collection of sensitive personal data (e.g., racial or ethnic origin, political opinions, religious beliefs, biometric or health data) unless explicitly required and lawfully justified;
Applies role-based access controls to ensure that only authorised personnel can access children’s data;
Implements technical safeguards including encryption, pseudonymisation, and secure cloud storage within EEA-compliant data centres;
Performs impact assessments (Data Protection Impact Assessments, or DPIAs) where a processing activity is likely to result in high risk to the rights of child users;
Ensures no child profiling or automated decision-making is conducted that produces legal or similarly significant effects.
Banqker also provides age-appropriate explanations of this Privacy Policy and the rights of young users where applicable, in line with its obligation to promote transparency and accessibility under Article 12(1) GDPR.
11. Data Security Measures
Banqker is committed to protecting the confidentiality, integrity, and availability of personal data in its custody. We implement a combination of technical, organisational, legal, and procedural controls to ensure that all personal data processed by or on behalf of Banqker is secure and safeguarded from unauthorised access, accidental loss, unlawful processing, destruction, alteration, or disclosure.
Our approach to security is guided by the principle of data protection by design and by default (Article 25 GDPR), and is reviewed periodically to remain aligned with evolving best practices and regulatory expectations.
11.1 Technical and Organisational Measures Implemented
Banqker has implemented the following technical and organisational measures (TOMs), as required under Article 32 GDPR:
Firewalls and Network Security: Use of firewall protection, secure network segmentation, and intrusion prevention systems to monitor and control incoming and outgoing traffic.
Secure Hosting Infrastructure: Deployment of industry-grade servers hosted within GDPR-compliant data centres located in the European Economic Area (EEA) or in jurisdictions with adequate protection.
Access Control Policies: Strict, role-based access to personal data with user authentication protocols, including multi-factor authentication (MFA) for internal systems.
Secure Software Development Lifecycle (SSDLC): Security testing integrated into the development and deployment lifecycle to prevent code vulnerabilities.
Vendor Security Assurance: All third-party processors undergo security due diligence and must contractually adhere to minimum TOMs as a condition of engagement.
Audit Trails and Logging: Monitoring and logging of system access, data changes, and administrator activities for accountability and incident detection.
11.2 Encryption, Pseudonymisation and Access Controls
To ensure personal data is protected both at rest and in transit, Banqker employs:
Encryption:
TLS (Transport Layer Security) encryption for all data transmitted between client browsers and Banqker servers.
AES-256 encryption for stored data and backups, including encryption key rotation and access monitoring.
Pseudonymisation:
Pseudonymisation techniques are used where possible, particularly in research, analytics, or testing environments, to reduce the risk of re-identification.
Granular Access Controls:
Access to personal data is restricted to authorised personnel on a least privilege basis.
Access permissions are regularly reviewed, and accounts are promptly deactivated upon termination of employment or contract.
Administrative access is logged and subject to periodic audit.
These measures are designed to protect against both external threats (e.g., cyber-attacks) and internal risks (e.g., negligent access, insider misuse).
11.3 Breach Notification Protocols under Articles 33 and 34 GDPR
Banqker has established and maintains a formal Personal Data Breach Response Plan, compliant with Articles 33 and 34 GDPR, including the following elements:
Detection and Classification: Real-time monitoring for suspicious activity, with thresholds for triggering investigation.
Internal Notification: Escalation protocols to notify senior leadership, security personnel, and the Data Protection Officer (DPO) immediately upon confirmation of a breach.
Regulatory Notification: Where a breach is likely to result in a risk to the rights and freedoms of data subjects, Banqker shall notify the competent supervisory authority within 72 hours of becoming aware of the breach.
Communication to Data Subjects: If the breach is likely to result in a high risk, affected individuals shall be notified without undue delay, using clear and plain language to explain the nature of the breach and remedial measures being taken.
Post-Breach Assessment: Documentation of the breach, root cause analysis, corrective actions, and preventive strategies to avoid recurrence.
Banqker maintains a Breach Register as part of its accountability obligations under Article 33(5).
11.4 Internal Training and Compliance Monitoring
Banqker recognises that human error and lack of awareness are common causes of data incidents. Accordingly, we invest in robust internal training and oversight measures, including:
Mandatory Training:
All employees, contractors, and platform administrators receive data protection and security training during onboarding and at regular intervals thereafter.
Specialised training is provided for high-risk roles (e.g., developers, system admins, DPO liaison staff).
Policy Governance:
Banqker maintains and enforces internal policies covering data protection, acceptable use, mobile device usage, and secure coding practices.
Compliance Monitoring:
Periodic internal audits and risk assessments are conducted to test and improve controls.
The DPO regularly reviews data processing activities, logs, vendor compliance, and user complaints to identify areas for improvement.
Disciplinary Action:
Breaches of data protection policies by personnel are subject to disciplinary procedures, up to and including termination of contract or employment.
13. Third-Party Content and External Links
Banqker’s platform may include content, tools, features, or links that originate from or redirect to third-party sources. While these integrations may enhance user experience, Banqker does not own or control such external environments and therefore disclaims responsibility for their data practices.
Users are encouraged to exercise discretion and review the privacy policies and terms of use of all third-party websites or tools accessed through Banqker’s Services.
13.1 Embedded Content from Third Parties
Banqker may incorporate embedded content from third-party platforms into its website or user dashboards. This may include, but is not limited to:
Educational videos (e.g., embedded YouTube or Vimeo content);
Interactive quizzes or learning modules powered by third-party tools;
Calendar widgets, maps, or external plug-ins;
Embedded survey tools or form builders (e.g., Typeform, Google Forms).
Such content behaves in the same way as if the user had visited the third-party website directly. These third parties may collect personal data through cookies, pixels, or other tracking technologies, including:
IP address;
Browser type and version;
Device type;
User interactions (e.g., video views, form completions).
Banqker does not control the data collected through such embedded content and is not responsible for how third parties use this information. Users are encouraged to consult the privacy policies of the relevant third-party providers before engaging with embedded content.
13.2 Interaction with External Platforms
Banqker may offer users the ability to:
Log in or authenticate using third-party credentials (e.g., “Sign in with Google”);
Access educational tools or dashboards hosted by third-party providers through single sign-on (SSO) mechanisms;
Share achievements, feedback, or classroom content on permitted third-party collaboration tools (e.g., Microsoft Teams, Google Classroom, or Zoom).
Where such functionality is used:
Banqker may share limited personal data (e.g., name, email address, login timestamp) with the third-party platform strictly for authentication or interoperability;
Data exchanged via APIs or integrations shall be limited to the minimum necessary and governed by data sharing or processing agreements, where applicable;
Banqker does not authorise third parties to use user data for independent marketing, profiling, or unrelated commercial purposes.
Banqker assumes no responsibility for how third-party platforms process personal data once it is transferred out of Banqker’s control.
13.3 Liability Disclaimer for External Websites
The Banqker website and associated Services may contain links or references to third-party websites, mobile applications, or content over which Banqker exercises no editorial or operational control. Such links are provided for convenience only, and do not constitute endorsement, sponsorship, or affiliation. Accordingly:
Banqker makes no representations or warranties regarding the security, accuracy, legality, or content of any external website or resource;
Users access such websites at their own risk, and any personal data submitted to or collected by third-party websites shall be governed solely by the respective privacy policies of those sites;
Banqker shall not be liable for any damages, data loss, or privacy breaches resulting from the use of external links or third-party services.
Users are strongly advised to review the privacy and cookie policies of external websites before interacting with them or submitting any personal data.
14. Amendments to this Privacy Policy
Banqker reserves the right to modify, update, or revise this Privacy Policy at any time, to reflect changes in applicable laws, regulatory requirements, business practices, technological advancements, or the scope and nature of our Services. All changes are made in accordance with the principles of transparency and accountability under the General Data Protection Regulation (GDPR).
We encourage all users and institutional partners to review this Policy regularly to remain informed about how we collect, use, store, and protect personal data.
14.1 Right to Modify and Update
Banqker may, at its sole discretion and without prior notice (unless legally required), amend this Privacy Policy from time to time. Amendments may include, but are not limited to:
Updates to legal bases or data processing purposes;
Changes to third-party data processors or cross-border transfer mechanisms;
Adjustments in retention practices or user rights implementation;
Expansions in geographic scope or platform functionality that impact data processing.
All modifications shall take effect immediately upon publication of the revised version, unless a later effective date is expressly stated.
Where changes are material or impact the rights of data subjects, Banqker will explicitly communicate such amendments as described in Clause 14.3 below.
Continued use of the Services following the effective date of any such changes shall constitute acknowledgment and acceptance of the amended terms, subject always to applicable law.
14.2 Version Control and Change Log
To ensure full transparency and auditability, Banqker maintains a version-controlled history of this Privacy Policy. Each version is assigned a unique reference number and date of issue, enabling users and regulators to track:
The nature and scope of amendments;
The rationale for changes where relevant;
The effective date of implementation.
A summary of material changes will be included in a “Change Log” annexed to the Policy or published via a dedicated update page accessible on Banqker’s website.
Users may request archived versions of the Policy by contacting Banqker’s Data Protection Officer (DPO) at dpo@banqker.com.
14.3 Notification of Substantive Changes
Where amendments are deemed material in nature—for example, involving:
New categories of personal data being collected;
Introduction of automated decision-making or profiling;
Expansion into new jurisdictions with different privacy requirements;
Change in the identity of the Data Controller;
Banqker shall provide advance notice through one or more of the following mechanisms:
Direct email communication to registered users and institutional contacts (where available);
Prominent banner or pop-up notifications within the user interface;
Public notice published on Banqker’s official website and/or platform dashboard.
Such notifications will include:
A summary of the changes;
The effective date of the amended Policy;
Instructions on how users may exercise their rights or withdraw consent, if applicable.
In jurisdictions where renewed consent is required (e.g., for new data uses or changes in lawful basis), Banqker shall seek fresh, affirmative opt-in before proceeding with the revised processing activity.
15. Dispute Resolution and Governing Law
In the event of a dispute, claim, or controversy arising from this Privacy Policy, Banqker has established a structured resolution framework as specified in its Terms of Use, which is incorporated by reference in the present Privacy Policy.