Corporate cards

Products

Features

Resources

Pricing

Sign in

Book a call

Sign in

Book a call

Legal

Privacy Policy

Effective Date: October 6,  2025 

1. Introduction 

This Privacy Policy (“Policy”) explains how Elibrium Inc. (“Elibrium”, “we”, “us”, or “our”) collects, uses, and discloses personal data when you use our platform [Platform URL], including our website and related services (collectively, the “Platform”). This Policy applies to personal data of all individuals who interact with us, including visitors to our website, representatives of our corporate clients, and individual end users such as cardholders using our services. 

Elibrium Inc. is a company incorporated in Wyoming, USA, with its principal business address at [Company Address]. For the purposes of applicable data protection laws – including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) – Elibrium acts as the “data controller” of the personal data described in this Policy. By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not access or use the Platform. 

2. Definitions 

For the purposes of this Policy, the following terms have the meanings set out below: 

  • Personal Data: Any information that relates to an identified or identifiable individual (this is equivalent to “personal information” under some laws). 

  • Services: The products and services provided by Elibrium, including the issuance and management of virtual payment cards, spend management tools, and use of the [Platform URL] website and dashboard. 

  • Client: An organization or business that enters into a contract with Elibrium to use our Services (for example, a corporate customer). 

  • Cardholder: An individual end user who is issued a payment card or is authorized to use the Services through a Client’s account (such as an employee or customer of a Client). 

  • User: Any individual who uses or accesses our Platform. This includes Clients (and their authorized representatives), Cardholders, and visitors to our website. 

  • GDPR: The EU General Data Protection Regulation 2016/679 (and applicable UK data protection laws mirroring the GDPR). 

  • CCPA: The California Consumer Privacy Act of 2018 (including amendments under the California Privacy Rights Act, collectively referred to as CCPA). 

3. Personal Data We Collect 

We collect various types of personal data from and about Users of our Platform. This includes: 

  • Information from Corporate Clients: When a Client organization registers for our Services or interacts with us, we collect personal data about the Client’s authorized representatives and contacts. This may include name, job title, business contact information (such as email address, phone number, and work address), and login credentials for the Platform. We may also collect additional business details and verification information, such as company registration details, tax identification number, and financial information (e.g. billing address and payment method) to facilitate payments or comply with Know-Your-Customer requirements. In certain cases, we might request personal identifiers (such as a government-issued ID or the last four digits of a Social Security Number) to verify the identity of a Client’s representative for compliance purposes. 

  • Information from Individual Cardholders: If you are a Cardholder using a virtual card or account provided through our Services (for example, an employee of a Client), we collect personal data necessary to issue and manage the card and account. This includes your name, contact details (such as email address and phone number), and in some cases date of birth or other identification information if required for identity verification. We also collect data related to your usage of the card and services, such as transaction details (purchase amounts, dates, merchant names, and locations), account balances, and spending history. If you contact us for support or to manage your card, we will collect any information you provide during those communications. 

  • Payment and Financial Information: In connection with our Services, we may collect financial information from both Clients and Cardholders. For example, Clients may provide funding account details (such as bank account numbers and routing information) or credit card information to fund transactions or pay fees. Cardholders may provide payment card details for authentication or linking external accounts. All payment information is handled with appropriate security and used only for the purposes of providing the Services (e.g. processing transactions, facilitating payouts, or billing). 

  • Website Usage Data: When you visit our website or use the Platform, we automatically collect certain technical and usage information through cookies and similar tracking technologies. This may include your device and browser information (such as IP address, device identifier, browser type, operating system, and hardware model), the pages or screens you view, how you interact with the Platform (e.g. features used, links clicked), the date and time of access, and the page you visited before navigating to our site. We may also derive coarse geographic location from your IP address (e.g. city or country). This data helps us understand how our Platform is used and improve its performance and usability. 

  • Information You Provide Voluntarily: We collect any personal data you choose to provide to us directly. For instance, if you fill out a form on our site (such as a “Contact Us” or demo request form), subscribe to a newsletter, or communicate with us via email or chat, you may provide your name, email, phone number, company name, and the content of your communication. We will retain such information and correspondence in order to address your inquiry and for our records. 

  • Information from Third Parties: We may receive personal data about you from other sources. For example, if you are a Cardholder, your employer or the Client organization may share your information with us in order to enroll you in the card program. We might also obtain information from identity verification services, credit bureaus, fraud-prevention agencies, or other business partners to supplement or verify the information you have provided. Additionally, for corporate due diligence and compliance, we may collect information from public databases or credit reference agencies about key contacts at Client organizations. We treat any such third-party data in accordance with this Privacy Policy and any applicable laws. 

4. Purposes of Processing Personal Data 

We process the personal data we collect for the following purposes, and only as permitted by applicable law: 

  • Providing and Improving Services: To provide our Services and operate the Platform’s core functionalities. We use personal data to set up and maintain User accounts, issue and manage virtual cards, process transactions and payments, and deliver the features and services that our Clients and Cardholders expect. This includes using data to troubleshoot issues, perform software updates, and improve the overall performance and development of our products and services. 

  • Communications and Customer Support: To communicate with you about your use of the Platform and Services. For example, we use contact information to send account confirmations, transaction alerts, security notifications (such as password changes or suspicious activity alerts), and information about updates or changes to our terms, fees, or policies. We also use personal data to respond to your inquiries, support requests, or feedback, and to provide customer service. 

  • Marketing and Promotional Purposes: To send promotional communications about new products, services, or special offers that may be relevant to our Clients or Users. For instance, if you are a business contact who has expressed interest in our Services, we may use your email address to send newsletters or marketing emails. We will only send you marketing communications in accordance with applicable law – for example, with your consent where required. You have the opportunity to opt out of such communications at any time (see Your Rights and Choices below). 

  • Compliance and Legal Obligations: To fulfill our legal, regulatory, and contractual obligations. As a financial technology service provider, we are required to collect and use certain personal data to comply with laws such as anti-money laundering (AML) and know-your-customer (KYC) regulations, tax laws, and accounting requirements. We may use personal data to verify identities, conduct due diligence checks, monitor transactions for fraud or illegal activity, maintain appropriate records, and report to government authorities as required by law. We also process personal data to enforce our agreements (for example, verifying compliance with our Program terms) and to defend our legal rights or protect the rights of others. 

  • Security and Fraud Prevention: To maintain the security of our Platform, Users, and business. Personal data may be used to detect and prevent fraudulent transactions, unauthorized account access, abuses of the Platform, network intrusions, and other security incidents. We monitor usage and communications for potential violations of our terms or policies, and we may use automated systems to flag suspicious behavior that requires further investigation. These activities are designed to protect all Users, and are conducted within the boundaries of applicable laws. 

  • Analytics and Personalization: To analyze trends, usage, and activities on our Platform in order to understand how our Services are used and to improve them. For example, we may use website usage data and feedback to debug issues, make informed decisions about new features, or optimize the user experience. We might also use certain data to personalize elements of the service for a User – such as remembering preferences or settings – to provide a more tailored experience. Any analytics performed on personal data is done in aggregate or in a manner that does not unduly impact your privacy, and we do not use personal data for automated profiling in any way that produces legal or similarly significant effects. 

  • Other Purposes with Consent: If we intend to process your personal data for a purpose that is materially different from the purposes listed above, we will provide you with information about the new purpose and, if required by law, obtain your consent. For example, if we ever wanted to use your personal data in a new marketing partnership or to publish a testimonial, we would seek your consent. You are free to withdraw any such consent at any time. 

5. Legal Bases for Processing 

When we process personal data of individuals in the European Economic Area (EEA), United Kingdom, or other regions with similar laws, we do so in reliance on one or more of the following legal bases, as permitted under GDPR and applicable law: 

  • Performance of a Contract: We process personal data where it is necessary to enter into or perform a contract with you or the organization you represent. This includes processing that enables us to provide the Services you request – for example, using personal data to set up accounts, issue cards, process transactions, and otherwise fulfill our contractual obligations to Clients and Cardholders. Without this information, we would not be able to provide the requested services. 

  • Legitimate Interests: We process personal data for our legitimate business interests in a manner that does not override your privacy rights. Our legitimate interests include maintaining and improving our Services, securing our Platform, preventing fraud, and communicating with our Clients about relevant products and services. For instance, we have a legitimate interest in analyzing how the Platform is used so we can improve functionality, and in sending product updates or offers to business contacts. When relying on this basis, we carefully consider your rights and expectations to ensure that we are not infringing on your privacy in an undue way. You have the right to object to processing based on our legitimate interests in certain cases (see Your Rights below). 

  • Consent: In certain situations, we rely on your consent to process personal data. For example, if you are an individual consumer, we will obtain your consent before sending you marketing emails that are not otherwise permitted by a legitimate interest exception. We also obtain consent for certain cookies or tracking technologies where required by law. When we process sensitive personal data (such as a Social Security number or driver’s license for identity verification), we may seek any necessary consents to handle that information. You have the right to withdraw your consent at any time. Note that withdrawing consent will not affect the lawfulness of any processing we conducted based on consent before its withdrawal. 

  • Legal Obligation: We process personal data to comply with our legal and regulatory obligations. This includes processing necessary to adhere to financial regulations, tax laws, court orders, subpoenas, or other legal processes. For example, we may retain transaction records and personal identification information for a certain period as mandated by AML laws or financial regulations, and we may disclose information to law enforcement or regulatory authorities if required by law. Processing under legal obligation is mandatory, and such requests are handled with care to ensure we only disclose what is necessary. 

(In rare instances, we may also process data to protect vital interests of an individual or for tasks carried out in the public interest, but these bases are not commonly applicable to our operations and are used only if relevant.) 

6. Data Sharing and Disclosure 

We do not sell your personal data to third parties for monetary compensation. However, in the course of providing our Services and running our business, we may share personal data with certain third parties under the circumstances described below. Whenever we share data, we do so in accordance with applicable privacy laws and with appropriate safeguards in place. The categories of recipients include: 

  • Service Providers (Processors): We share personal data with trusted third-party companies that perform services on our behalf to support the Platform and our operations. These service providers are bound by contractual obligations to process personal data only under our instructions and to protect it. Examples of such service providers include: cloud hosting and data storage providers; payment and banking partners (including the financial institutions that issue our cards or process transactions); identity verification and fraud prevention services; email and communication service providers; analytics providers; and professional advisors (such as auditors or legal counsel). For instance, we may share Cardholder information with our banking partner to facilitate card issuance and transaction processing, or provide account and transaction details to a cloud database service for secure storage. These third parties will only use your data as necessary to perform their functions and not for other purposes. 

  • Corporate Clients (for Cardholder data): If you are an individual Cardholder using our Services as part of a Client’s account (for example, you received a card through your employer or another organization), we may share certain information about your use of the Services with the relevant Client organization. This is necessary for the Client to manage its program and reconcile its records. For example, a corporate Client can access transaction details and spend reports for cards issued under its account (including transactions you make with your card). Similarly, if you report an issue or request support regarding your card, we might communicate necessary details to the Client’s administrators to help resolve the matter. Any such sharing with the Client is generally inherent in the service being provided to you and the Client, and the Client in turn is responsible for handling your personal data in accordance with its own privacy obligations. 

  • Affiliates: We may share personal data with our affiliate companies or subsidiaries (if any exist) to streamline business operations or for consistent servicing of your account. Any affiliate who receives your data will process it under the same conditions as set forth in this Policy. (Currently, Elibrium’s principal operations are under Elibrium Inc. in the US; if in the future we establish related entities, this Policy will be updated accordingly.) 

  • Business Partners and Integrations: In some cases, Elibrium may partner with other companies or offer integrations that you choose to use. If you explicitly opt in to such integration or partnership features, we might share certain data with the partner to fulfill the service. For example, if we offer an integration to export transaction data to a third-party accounting software and you choose to enable it, we will share the necessary transaction and account data with that third party at your direction. We will always make it clear at the time of such data sharing (through user interface or agreements) and obtain your consent if required. 

  • Legal Compliance and Protection: We may disclose personal data when we believe in good faith that such disclosure is necessary to comply with a legal obligation, regulatory requirement, or judicial order. This includes responding to lawful requests by public authorities, such as subpoenas, warrants, or court orders, and meeting national security or law enforcement requirements. We may also share information if necessary to exercise, establish, or defend our legal rights, or to protect the rights, property, or safety of Elibrium, our Users, or others. For example, we might disclose information to investigate or stop fraudulent activities, suspected illegal activities, security breaches, or violations of our agreements or policies. Such disclosures will be made in accordance with applicable laws, and we will limit the information shared to what is strictly required in the situation. 

  • Business Transfers: If Elibrium is involved in a merger, acquisition, investment due diligence, reorganization, bankruptcy, receivership, or sale of all or a portion of its assets, personal data may be disclosed to or transferred as part of that transaction. This means that your personal data could be transferred to a third-party successor or purchaser as one of our business assets. In such events, we will ensure that the receiving party agrees to protect personal data in a manner that is consistent with this Privacy Policy. We will provide notice to you (for example, via email or a prominent notice on our Platform) if your personal data becomes subject to a different privacy policy as a result of a business transaction. 

  • With Your Consent: Apart from the situations outlined above, we will share your personal data with third parties only when you direct us to or expressly consent to such sharing. For example, if you request that we share your information with a partner organization or you opt-in to a specific data- sharing program, we will share your data as instructed by you. In such cases, we will make clear at the time of obtaining your consent what data will be shared and with whom. You may revoke your consent at any time, and we will stop sharing your data from that point forward (note that this will not affect any sharing that took place prior to withdrawal). 

No Sale of Personal Data: Elibrium does not and will not sell personal data to third parties in exchange for monetary payment or other valuable consideration, as “sale” is defined under the CCPA and other laws. In the preceding 12 months, we have not sold any personal data of our Users. We also do not share personal data for targeted advertising purposes (sometimes referred to as “sharing” under the CCPA/CPRA). Any disclosures of personal data to third parties are limited to the purposes described above, which are primarily for business purposes on our behalf or at the User’s direction. 

7. Data Retention 

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with applicable legal and contractual obligations. Retention periods can vary depending on the type of data and the context in which it was collected: 

  • Account Data: For as long as you maintain an active account with us, we will retain the personal data associated with your account. This is necessary to provide you with the Services. If you are a Client, your organization’s account data will be kept throughout the duration of your contract with us (and for any renewal periods). If you are a Cardholder, your data will be retained while your card or account is active. If you or the Client choose to close an account or terminate services, we will initiate deletion or anonymization of personal data related to that account within a reasonable timeframe after closure. 

  • Transaction Records: We retain records of transactions, payments, and other financial data for a period of time required by law and our financial reporting obligations. Even after an account is closed or a card is deactivated, we may need to keep certain transaction details to comply with anti- fraud, audit, and regulatory requirements. For example, financial regulations and tax laws may require us to keep transaction and invoicing data for a minimum number of years (e.g. five to seven years, depending on jurisdiction). We securely store this information and restrict access to it in accordance with our data protection policies. 

  • Legal Compliance and Disputes: If we are under a legal obligation to retain data (for example, due to a subpoena, litigation hold, or government order), or if data is needed for dispute resolution or to enforce our agreements, we will retain the necessary data for as long as required to fulfill such purposes. This ensures that we have an accurate record of dealings and can defend our legal rights or manage any complaints or disputes that may arise. 

  • Marketing Data: If we have collected personal data for marketing purposes (such as an email address for a newsletter), we will retain such information until you opt out or unsubscribe from marketing communications. Upon opt-out, we will remove your contact information from our marketing list, but may retain a record of your opt-out request to ensure we honor it in the future. 

When the retention period for a certain piece of data expires, or if you request deletion and we have no lawful basis to retain it, we will either securely delete the personal data or anonymize it (so that it can no longer be associated with you). If complete deletion is not immediately feasible (for example, because the data is stored in secure backups), we will isolate the data from any further active use until deletion is possible. 

8. International Data Transfers 

Elibrium is based in the United States, and the personal data we collect is primarily stored and processed in the United States. However, depending on where you are located and the nature of the services we provide, your personal data may be transferred to, or accessed from, other countries. For instance, if you are in the European Union (EU) or United Kingdom (UK), your personal data will be transferred out of your home jurisdiction to our servers in the U.S. Additionally, we may utilize service providers or technical infrastructure in other regions (such as the European Union or Asia) to deliver our Services globally. 

Protection of International Transfers: When we transfer personal data from the EU/EEA, UK, or other regions with data transfer restrictions, we take steps to ensure that adequate safeguards are in place to protect the data. These safeguards may include: 

  • Entering into Standard Contractual Clauses (SCCs) or their UK equivalent with the receiving party, which are contracts approved by the European Commission (or relevant authority) to provide data protections equivalent to EU law. 

  • Ensuring the recipient is certified under an approved data protection framework (if applicable) or is subject to binding corporate rules that protect personal data. 

  • Relying on a data transfer mechanism that is recognized as adequate under applicable law, or obtaining your explicit consent for the transfer when legally required (with clear notice of any risks). 

You can contact us (see Contact Us below) for more information about the safeguards we have put in place for international data transfers. 

Your Consent to Transfers: By using our Platform or providing us with personal data, you understand that your data may be transferred to and processed in jurisdictions outside of your own. These jurisdictions may have different data protection laws than your country (and in some cases, may not be deemed to provide an adequate level of protection). In all such cases, we will protect your personal data as described in this Policy. If you do not want your data transferred to other countries, please do not use the Services or submit personal data to us. 

9. Your Rights and Choices 

You have various rights regarding your personal data, which may differ depending on your jurisdiction. Elibrium is committed to honoring the rights of individuals as required by applicable law. The following sections describe specific rights available to individuals in certain regions and how you can exercise them. 

9.1. Rights of Individuals in the EEA and UK 

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights with respect to your personal data, under the GDPR and UK data protection law: 

  • Right to Be Informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your personal data and your rights. This Privacy Policy is intended to provide you with such information. 

  • Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to request a copy of the personal data we hold about you, as well as information relating to how we use and share it. (This is sometimes called a “Data Subject Access Request.”) 

  • Right to Rectification: You have the right to request that we correct or update any inaccurate or incomplete personal data we hold about you. If any of your information has changed or you find that we have information that is incorrect, please notify us so we can update our records. 

  • Right to Erasure: You have the right to request the deletion of your personal data when certain conditions are met. This right is not absolute, but we will honor it to the extent required by law. For example, you can request erasure if the data is no longer necessary for the purposes for which it was collected, if you withdraw consent (and no other legal basis applies), or if you believe we have processed your data unlawfully. We may need to retain certain information if required by law or for legitimate business purposes (as described in Data Retention above), but will inform you if such exceptions apply. 

  • Right to Restrict Processing: You have the right to request that we limit the processing of your personal data under certain circumstances. This could apply, for instance, if you contest the accuracy of the data (for a period enabling us to verify it), or if you object to our processing based on legitimate interests (pending our assessment of whether we have compelling grounds to continue). When processing is restricted, we will still store your data, but not use it for the time being (unless for legal claims, with your consent, or for important public interest reasons). 

  • Right to Data Portability: You have the right to obtain a copy of certain personal data in a commonly used, machine-readable format, and to have that data transmitted to another controller, where technically feasible. This right applies to personal data that you have provided to us (i) which we process by automated means, and (ii) where the processing is based on your consent or the performance of a contract with you. We will provide the data in a structured format (typically CSV or JSON files) upon request. 

  • Right to Object: You have the right to object to our processing of your personal data when such processing is based on our legitimate interests. If you raise an objection, we will consider your request and stop processing the data in question unless we have a compelling legitimate basis to continue that overrides your interests, rights, and freedoms, or unless continuing to process is necessary for us to establish, exercise, or defend a legal claim. You also have an unconditional right to object to the processing of your personal data for direct marketing purposes at any time. If you object to or opt out of direct marketing, we will honor that request going forward. 

  • Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects concerning you, unless it is necessary for entering into or performing a contract, is authorized by law, or you have given your explicit consent. Elibrium’s standard practices do not involve fully automated decision-making that has significant impacts on individuals without human review. In any event, you are entitled to have any such automated decisions reviewed by a human, to express your point of view, and to contest the decision. 

  • Right to Complain: If you believe that our use of your personal data violates applicable law, you have the right to lodge a complaint with a supervisory authority, particularly in the EU/EEA country where you reside, work, or where the alleged infringement occurred. For example, if you are in the EU, you can contact the data protection authority in your country (a list of EU Data Protection Authorities can be found on the European Data Protection Board’s website). If you are in the UK, you can contact the Information Commissioner’s Office (ICO). We would, however, appreciate the chance to address your concerns directly before you approach a regulator, so we encourage you to contact us first with any complaint. 

  • Exercising Your Rights (EEA/UK): You may contact us at info@elibrium.io to make any request in relation to the rights listed above. We will respond to legitimate requests within the timeframe required by law (generally one month, with the possibility of extension by an additional two months for complex requests). We will not charge a fee to process your request, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to respond. We may need to verify your identity before fulfilling your request (for example, by confirming that the email address from which you contact us matches the one we have on file, or by requesting additional information). This is to ensure that we do not disclose data to someone who is not entitled to receive it. Any information gathered for verification will be used only for that purpose. 

9.2. Rights of California Residents 

If you are a resident of California, you are entitled to certain rights with respect to your personal information under the CCPA (as amended by the CPRA, effective January 1, 2023). These rights (some of which overlap with those already described above) include: 

• Right to Know (Access): You have the right to request information about the personal information we have collected about you in the 12 months prior to your request. This includes the categories of personal information we collected, the categories of sources of that information, the business or commercial purposes for collecting (or selling/sharing, if applicable) the information, the categories of third parties to whom we disclosed the information, and the specific pieces of personal information we have about you. Essentially, you can request both a summary of our data practices regarding your information and a copy of the specific data we hold about you. 

• Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions. Once we receive and confirm a verifiable deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. Common exceptions include situations where the information is necessary for us or our service providers to complete a transaction you requested, detect security incidents, comply with a legal obligation, or otherwise use the information internally in a lawful manner that is compatible with the context in which you provided it. We will inform you of any such exceptions that apply to your request. 

• Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you. Upon verifying the validity of a correction request, we will use commercially reasonable efforts to correct the information as you direct. If we cannot honor your request (for example, if we disagree that the information is inaccurate, or if it involves excessive effort), we will explain the reasons in our response. 

• Right to Opt Out of Sale or Sharing: You have the right to direct us not to sell your personal information to third parties, or to share it for cross-context behavioral advertising purposes. As noted above in this Policy, Elibrium does not sell personal information, and we do not share personal information for targeted advertising. Therefore, there is no need for you to submit a request to opt out of sales or sharing – we do not engage in those practices. If our practices change in the future, we will update this Policy and provide a mechanism for you to exercise this right. 

• Right to Limit Use of Sensitive Personal Information: The CCPA/CPRA grants California residents the right to limit a business’s use or disclosure of “sensitive personal information” (as defined by law) if it is used for purposes beyond those necessary to provide the services or goods requested. Sensitive personal information may include data such as government-issued identifiers (e.g., Social Security numbers), account credentials, precise geolocation, biometric data, and certain financial information. Elibrium only uses sensitive personal information for essential business purposes – for example, we may collect a government ID or Social Security number solely for identity verification as required by law, and we handle financial information (like payment card numbers) only as needed for transactions or compliance. We do not use or disclose sensitive personal information for any purposes that would trigger the right to limit under California law. Therefore, we do not offer a specific opt-out for limiting the use of sensitive information at this time. 

• Right of Non-Discrimination: You have the right not to receive discriminatory treatment from us for exercising any of your CCPA rights. This means we will not deny you services, charge you a different price, or provide a different level or quality of service just because you exercised your rights under the CCPA. However, please note that if the exercise of your rights renders us unable to provide you with certain services (for example, if you request deletion of all of your data, we may not be able to continue providing the Services to you), we will inform you of any such consequences. But we will not retaliate or impose unlawful penalties as a result of you choosing to exercise your privacy rights. 

Exercising Your California Rights: To exercise your rights to know, access, delete, or correct your personal information as a California resident, you (or your authorized representative) may submit a request to us by contacting info@elibrium.io. Please include “California Privacy Rights Request” in the subject line of your email and specify which right you seek to exercise. We will need to verify your identity (or authority, if through an agent) before processing the request, which may involve matching personal information you provide with our records or asking for additional verification information. For requests through an authorized agent, we will require proof of the agent’s registration with the California Secretary of State (if the agent is a business entity) or a valid power of attorney or signed authorization from you. 

We aim to respond to verifiable requests within 45 days as required by the CCPA. If we require more time (up to an additional 45 days, for a total of 90 days), we will inform you of the reason and extension in writing. Our response will explain the actions we took (or could not take) in response to your request. For access requests, we will provide the relevant information in a readily useable format, which may be electronic. For deletion requests, we will confirm once we have deleted the requested information (or, if an exception applies, we will explain what we could not delete and why). 

We do not charge a fee to process or respond to your verifiable consumer requests under the CCPA. If we determine that a request is excessive, repetitive, or manifestly unfounded, we may refuse it or charge a reasonable fee, as permitted by law; in such case we will explain our decision. 

9.3. Other Regions 

Individuals in other jurisdictions may have similar rights under local laws. For example, residents of certain Canadian provinces, Australia, New Zealand, Brazil, or other countries might have rights to access or correct their personal data. We will endeavor to honor all legitimate requests to exercise privacy rights in accordance with applicable law. If you are not sure of your rights or the applicable laws in your region, you can always contact us with your inquiry, and we will assist you to the extent possible. 

Your Choices (Marketing and Cookies): As described in this Policy, if you no longer wish to receive marketing communications from us, you can opt out at any time by clicking the “unsubscribe” link in an email or by contacting us at info@elibrium.io with your request. Even after you opt out of marketing, we may still send you non-promotional messages related to your account or transactions (such as service notifications or security alerts). 

For cookies and online tracking choices, see Cookies and Tracking Technologies below for information on how to adjust your preferences. 

10. Security Measures 

We take the security of personal data seriously and implement a range of technical and organizational measures to protect it. These measures are designed to prevent unauthorized access to or disclosure of personal data, and to safeguard against accidental loss, alteration, or destruction of information. Some of the key security practices we employ include: 

• Encryption: We use encryption protocols (such as TLS/SSL) to secure data in transit between your browser or device and our Platform. Sensitive data (for example, payment information and identification details) is also encrypted at rest in our databases or on our servers. 

• Access Controls: We restrict access to personal data to employees and service providers who have a need to know that information for a legitimate purpose. All such persons are subject to confidentiality obligations. We use role-based access controls, unique user accounts, and other authentication mechanisms to ensure that only authorized individuals can access sensitive systems. 

• Network and System Security: Our servers and infrastructure are protected by firewalls, intrusion detection systems, and monitoring solutions to guard against external threats. We regularly update and patch our systems and software to address security vulnerabilities. We also maintain backup and recovery procedures to prevent data loss. 

• Testing and Auditing: We conduct periodic security assessments, vulnerability scans, and penetration testing of our Platform and infrastructure. Any identified issues are promptly addressed. We also review our security policies and procedures regularly and update them as needed to adapt to new threats or changes in technology. 

Despite our efforts, no security measures are infallible. The Internet by its nature cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the absolute security of any information you transmit to us. You are responsible for maintaining the security of your account credentials (username, password, and any other authentication information). If you believe that your account or information is no longer secure (for example, if you suspect your password has been compromised), please contact us immediately. We will work with you to mitigate any potential issues and can assist in changing passwords or taking other steps to protect your account. 

In the event of a data breach involving personal data, we have an incident response plan to promptly identify, contain, and investigate the incident. Where required by law, we will notify the affected individuals and relevant authorities of certain breaches. 

11. Cookies and Tracking Technologies 

Cookies and Similar Technologies: Our Platform uses cookies and similar tracking technologies to provide, customize, evaluate, improve, and secure our services. A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. Cookies serve a variety of functions, such as enabling you to log in, remembering your preferences, and understanding how you interact with our site. We may also use related technologies like pixel tags, web beacons, and local storage for similar purposes. 

Types of Cookies We Use: 

• Necessary Cookies: These cookies are essential for the operation of our website and Platform. They enable core functionality such as user authentication, account login, and navigation. Without these cookies, certain services or features (like accessing secure areas of the site or making transactions) may not be available or function correctly. 

• Functional Cookies: These cookies allow our site to remember choices you make (such as your preferred language or region, or other settings) and provide enhanced, more personalized features. They may also be used to provide services you have asked for, like live chat support or remembering form inputs. 

• Analytics Cookies: We use analytics and performance cookies to collect information about how Users interact with our Platform. This data helps us understand which pages are visited most often, how Users move through the site, and if they encounter errors. We typically use third-party analytics tools (such as Google Analytics or similar services) that set their own cookies to perform these functions. The information gathered may include metrics like page response times, download errors, and page engagement. We use this information in aggregate form (i.e., it does not directly identify you) to improve the Platform’s functionality and user experience. 

• Advertising Cookies: As of the Effective Date of this Policy, Elibrium does not display third-party ads on our Platform, and we do not use third-party advertising networks that track Users for advertising. If this changes in the future, we may use advertising or targeting cookies to deliver content that is more relevant to your interests. These cookies could remember that you have visited our site and may track your browsing activity across other sites. Any use of advertising cookies would be disclosed and would comply with applicable privacy laws (including obtaining consent where required). 

Third-Party Cookies: Some cookies on our site may be placed by third parties acting on our behalf (for example, service providers like analytics companies) or by third-party content embedded in our site (such as an embedded video player or social media sharing button). We do not permit third parties to collect personal data from our site for their own unrelated purposes, but please note that when you leave our site or interact with third-party content, those third parties may set their own cookies subject to their own privacy policies. 

Your Choices for Cookies: Most web browsers automatically accept cookies, but you have the ability to control cookies through your browser settings. You can typically modify your browser setting to decline cookies or alert you when cookies are being sent. For instance, you may refuse to accept browser cookies by activating the appropriate setting on your browser. You can also delete cookies that have already been set. Please be aware that if you disable or delete cookies, some parts of our Platform may not function properly. For example, you may not be able to log in, or your preferences might not be saved. 

If you use multiple devices (e.g., computer, smartphone, tablet) to access our Platform, you will need to ensure that each browser on each device is adjusted to your cookie preferences. 

Do-Not-Track Signals: “Do Not Track” (DNT) is a setting available in some web browsers that allows you to express a preference not to be tracked across websites. The Platform does not currently respond to DNT 

browser signals or similar mechanisms, due to the lack of a standard industry understanding of how to interpret them. We continue to monitor developments around DNT browser technology and the implementation of a consensus standard. In the meantime, you can use the range of other tools and settings described here to control the data collected by cookies and similar technologies. 

For more information about cookies and how to manage them, you can visit [Platform URL]’s cookie notice or the “Help” section of your browser. Additionally, if we use any analytics or advertising services, those providers may offer their own opt-out mechanisms (for example, Google Analytics offers a Browser Add-on to opt out of analytics tracking). You may also manage certain cookies (particularly for advertising) using industry-wide opt-out tools, such as the Network Advertising Initiative (NAI) or Digital Advertising Alliance (DAA) websites. (Note: We are not providing direct links here, in accordance with the request for no external hyperlinks.) 

12. Children’s Privacy 

Protecting the privacy of children is important to Elibrium. Our Platform is not directed to individuals under the age of 18, and we do not knowingly collect personal data from children under 13 years of age. If you are under 13, please do not attempt to use our Platform or send any personal information about yourself to us. If we learn that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete that information from our systems. 

If you are a parent or guardian and discover that a child under your care has provided personal information to Elibrium without your consent, please contact us at info@elibrium.io so that we can investigate and delete the child’s information as necessary. 

We understand that some teenagers under 18 may be authorized Cardholders (for example, a company might issue a spending card to an intern who is 16 or 17). In such cases, the registration is done through the supervising Client (e.g., the company) and not directly by the minor, and our services are provided to the Client for use by the authorized individual. Nonetheless, any personal data about individuals under 18 will be handled with additional care and security. If you are under 18, you should only use our Platform with the involvement and consent of a parent or legal guardian. 

13. Changes to this Privacy Policy 

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will post the updated Policy on the Platform and update the “Effective Date” at the top of the Policy. Any updated Privacy Policy will be effective when posted (or on a later date if specified in the update). 

If we make material changes to this Policy – for example, if we change the types of personal data we collect or how we use it – we will take reasonable steps to notify you in advance of such changes. This could include prominently posting a notice of the changes on our website, sending an email notification to the primary address associated with your account, or other appropriate means. We encourage you to review this Policy periodically to stay informed about our data practices and the ways you can help protect your privacy. 

Your continued use of the Platform or our Services after any changes to this Privacy Policy have been posted will constitute your acceptance of those changes, to the extent permitted by law. If you do not agree with any changes to the Policy, you should stop using the Platform and services and contact us if you wish to remove your personal data (to the extent allowable). 

14. Contact Us 

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below. We will do our best to address your inquiry promptly and thoroughly. 

• Email: info@elibrium.io
• Mail: 1603 Capitol Avenue, Suite 413A 3404, Cheyenne, WY 82001. USA (Attn: Privacy) 

Please feel free to reach out to us regarding any privacy-related issues, including: exercising your rights (as described in Section 9), requesting more information about our data handling practices, reporting a potential privacy or security incident, or asking questions about how to interpret this Policy. 

© 2025 - Elibrium Inc. – All Rights Reserved. 

info@elibrium.io

1603 Capitol Avenue, Suite 413A 3404, Cheyenne, WY 82001. USA

1603 Capitol Avenue, Suite 413A 3404, Cheyenne, WY 82001. USA

1603 Capitol Avenue, Suite 413A 3404, Cheyenne, WY 82001. USA

Office FR 412, 1 Phipp Street, London, EC2A 4PS. UK

Office FR 412, 1 Phipp Street, London, EC2A 4PS. UK

Office FR 412, 1 Phipp Street, London, EC2A 4PS. UK

Elibrium Inc. provides a Card issued by Sutton Bank, Member FDIC, pursuant to a license from Visa® U.S.A. Inc. Valid only in the US. Cards can be used everywhere Visa® debit cards are accepted. No ATM access. Visa® is a registered trademark of Visa U.S.A. Inc. All other trademarks and service marks belong to their respective owners.

Terms of Use ↗

Privacy Policy ↗

Terms of Use ↗

Pricing ↗

Card Program Terms ↗

Cardholder agreement ↗

eSign disclosure ↗

eSign disclosure ↗

© 2025 Elibrium Inc.