Privacy Policy
1st.finance — operated by MBZF Holdings.
Effective date: 01.06.2026. Last updated: 12.06.2026.
1. Introduction
This Privacy Policy explains how MBZF Holdings ("MBZF Holdings", "we", "us", or "our") collects, uses, shares, and protects your personal data when you use the 1st.finance website, applications, and services (the "Platform").
MBZF Holdings is the data controller in respect of the personal data described in this Policy. We are a company registered in the Republic of Cyprus, with its registered office at Avlonos 1, Maria House, Nicosia, Cyprus.
We process personal data in accordance with the EU General Data Protection Regulation ("GDPR"), Cyprus data-protection law, and other applicable laws. Please read this Policy together with our Terms of Service and Risk Disclosure.
2. Personal data we collect
2.1 Information you provide
- Identity and contact data: name, email address, phone number, date of birth, nationality, residential address, and country.
- Verification data (KYC/KYB): identity documents (e.g. passport, national ID), proof of address, photographs or selfies, and, for business accounts, company documents and beneficial-ownership information.
- Financial and transactional data: wallet activity, deposits, withdrawals, trades, holdings, bank-account and wire details, and funding sources.
- Account and profile data: username, settings, preferences, communication preferences, and security settings (including two-factor authentication).
- Communications: correspondence with our support and compliance teams, and applications you submit (including partner/representative applications).
2.2 Information we collect automatically
- Device and technical data: IP address, device identifiers, browser type, operating system, and language.
- Usage data: pages viewed, features used, actions taken, and timestamps.
- Cookies and similar technologies: as described in Section 9.
2.3 Information from third parties
- Verification and compliance providers: identity-verification, sanctions-screening, and AML/CTF data.
- Blockchain data: publicly available on-chain transaction information associated with addresses you use.
- Payment and banking partners: confirmation and details of wire transfers and other funding.
3. How we use your personal data and legal bases
We process your personal data on the following legal bases under the GDPR:
| Purpose | Legal basis |
|---|---|
| Creating and administering your Account; providing the Services | Performance of a contract (Art. 6(1)(b)) |
| Processing deposits, withdrawals, trades, and transactions | Performance of a contract (Art. 6(1)(b)) |
| Identity verification (KYC/KYB), AML/CTF, sanctions screening, fraud prevention | Legal obligation (Art. 6(1)(c)); legitimate interests (Art. 6(1)(f)) |
| Security, monitoring, and protecting the Platform and users | Legitimate interests (Art. 6(1)(f)) |
| Customer support and communications | Performance of a contract; legitimate interests |
| Service improvement, analytics, and product development | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) or legitimate interests, as applicable |
| Complying with legal, regulatory, tax, and accounting obligations | Legal obligation (Art. 6(1)(c)) |
| Establishing, exercising, or defending legal claims | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we balance those interests against your rights and freedoms. Where we rely on consent, you may withdraw it at any time without affecting prior processing.
Identity documents may include data treated as sensitive; we process such data only where permitted by law, including for compliance and fraud-prevention purposes.
4. How we share your personal data
We may share your personal data with:
- Service providers and processors who support our operations (e.g. identity-verification, cloud-hosting, analytics, communications, and customer-support providers), under appropriate data-processing agreements;
- Payment, banking, and custody partners to process funding, withdrawals, and asset handling;
- Regulators, law-enforcement, courts, and competent authorities, where required by law or to comply with our legal and AML/CTF obligations;
- Professional advisers (e.g. lawyers, auditors, accountants);
- Parties to a corporate transaction, such as a merger, acquisition, financing, or reorganization, subject to appropriate confidentiality;
- Other parties with your consent or at your direction.
We do not sell your personal data.
5. International transfers
Your personal data may be transferred to, and processed in, countries outside the European Economic Area ("EEA"). Where we transfer personal data outside the EEA, we implement appropriate safeguards, such as the European Commission's Standard Contractual Clauses or transfers to jurisdictions benefiting from an adequacy decision, to ensure your data receives an equivalent level of protection. You may request information about these safeguards using the contact details below.
6. Data retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, including to provide the Services and to comply with legal, regulatory, tax, and accounting obligations. In particular, AML/CTF and financial records are typically retained for the period required by applicable law (which may be several years after the end of our relationship). When data is no longer required, we securely delete or anonymize it.
7. Your rights
Subject to applicable law and certain conditions and exemptions, you have the following rights regarding your personal data:
- Access — to obtain a copy of the personal data we hold about you;
- Rectification — to correct inaccurate or incomplete data;
- Erasure — to request deletion of your data in certain circumstances;
- Restriction — to request that we limit processing in certain circumstances;
- Portability — to receive certain data in a structured, machine-readable format;
- Objection — to object to processing based on legitimate interests, and to direct marketing at any time;
- Withdraw consent — where processing is based on consent;
- Lodge a complaint — with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus, or your local supervisory authority.
Please note that some rights are limited where we are required to retain or process data for legal or regulatory reasons (for example, AML/CTF obligations may prevent deletion of certain records).
To exercise your rights, contact us at hq@1st.finance. We may need to verify your identity before responding, and we will respond within the timeframes required by law.
8. Data security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, or alteration. These include access controls, authentication measures, encryption in transit, monitoring, and internal policies. However, no system is completely secure, and we cannot guarantee absolute security. You are responsible for protecting your Account credentials and for enabling available security features such as two-factor authentication.
9. Cookies and similar technologies
We use cookies and similar technologies to operate the Platform, remember your preferences, maintain security, and analyze usage. Some cookies are strictly necessary for the Platform to function; others require your consent. You can manage non-essential cookies through our cookie settings or your browser. Disabling certain cookies may affect functionality. For more detail, see our Cookie Notice, if published separately.
10. Marketing communications
Where permitted, we may send you service-related and marketing communications. You can opt out of marketing at any time using the unsubscribe link in our emails or by contacting us. Service-related communications necessary for the operation of your Account may still be sent.
11. Children
The Platform is not intended for, and we do not knowingly collect personal data from, individuals under 18 years of age. If we become aware that we have collected such data, we will take steps to delete it.
12. Automated decision-making
Certain compliance and fraud-prevention processes may involve automated checks (for example, sanctions screening or risk scoring). Where a decision producing legal or similarly significant effects is based solely on automated processing, we will provide appropriate safeguards, including, where required, the ability to request human review.
13. Changes to this Policy
We may update this Privacy Policy from time to time. We will publish the updated version on the Platform and update the "Last updated" date. Where changes are material, we will take reasonable steps to notify you.
14. Contact us
For any questions, requests, or complaints regarding this Privacy Policy or your personal data, contact:
MBZF Holdings — Data Protection
Avlonos 1, Maria House, Nicosia, Cyprus
Email: hq@1st.finance
You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (www.dataprotection.gov.cy) or your local data-protection authority.