Privacy Policy — Rampa (Lafitech UG)

Version: 1.1

Effective date: March 28, 2026

Controller: Lafitech UG (Rampa)

Contact: hello@rampa.cash

Registered address: Arnulfstr. 171, 80634 Munich, Germany

Supervisory authority: You may lodge complaints with your local authority or the competent authority in Germany.

Changes vs. v1.0 (September 25, 2025): Section 2 updated (Earn balances / Yield added); Section 4 updated (RebelFi added as independent controller, Sumsub clarified); Section 6 updated with 10-year AML/KYC retention clause; new Section 6b added (Android permissions); new Annex A (Data Safety table for Google Play).

1) Scope

This notice covers personal data processed when you use rampa.cash and the Rampa app.

2) What data we process

We design for data minimization. Depending on your use:

• Account & app telemetry (pseudonymous): app/device identifiers, IP-derived country (for geo-blocking), session logs, settings, crash logs.

• Wallet data: public keys, transaction metadata (hashes, amounts, token mints), risk screening results (e.g., sanctions exposure scores).

• Earn / Yield data: USDC balances deposited in the Earn feature, accrued yield amounts, and deposit/withdrawal history. This data is processed jointly with RebelFi (rebelfi.io) as required to deliver the service.

• Support communications: messages and contact details you provide.

• Website analytics (minimal): aggregated usage; we avoid third-party advertising cookies.

We do not store your private keys or seed phrases. We do not retain identity documents collected by on/off-ramp or card issuers.

3) Why we process data (GDPR Art. 6)

• Provide and secure the app (Art. 6(1)(b) contract; Art. 6(1)(f) legitimate interests for security/fraud prevention).

• Compliance and risk controls (Art. 6(1)(c) legal obligation; Art. 6(1)(f) legitimate interests), including geo-blocking, sanctions/PEP screening, velocity limits, and responding to lawful requests.

• Deliver the Earn / Yield feature (Art. 6(1)(b) contract), including sharing data with RebelFi.

• Product analytics & improvement (Art. 6(1)(f) legitimate interests), using aggregated or pseudonymous data.

• Communications (Art. 6(1)(b)/(f)) when you contact us.

Where required (e.g., certain cookies or marketing), we will seek consent (Art. 6(1)(a)).

4) Who receives data

Processors (under DPAs): hosting/ops providers, error telemetry, encrypted key-infra provider Para, analytics tooling, and security vendors.

Independent controllers (separate policies):

• Transak — fiat on/off-ramp KYC/AML and payments.

• Sumsub — identity verification (KYC/AML). Manages government-issued ID documents, facial biometrics, and liveness check metadata on behalf of Rampa.

• RebelFi (rebelfi.io) — DeFi infrastructure provider for the Earn / Yield feature. Receives Earn balance and transaction data necessary to allocate and track USDC positions in DeFi protocols.

• Issuer/EMI — if you opt into the card program.

• Jupiter / DEXes — when you execute swaps.

• Blockchain analytics provider — sanctions/exposure screening.

• Law enforcement or competent authorities where legally required.

5) International transfers

Where data is transferred outside the EEA/UK, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and risk assessments.

6) Retention

Operational logs: typically 30–90 days.

Risk/decision records: typically ≥ 5 years or as required by law/partners.

Support records: for as long as needed to address your request and meet legal obligations.

AML/KYC statutory retention — 10 years (NEW)

Rampa is a regulated financial infrastructure platform. To comply with global Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), and Know Your Customer (KYC) regulations—including the EU AMLD6 and Mexico’s LFPIORPI—we are legally required to retain core user data for a period of ten (10) years following the termination of a business relationship or the completion of a transaction.

This data includes, but is not limited to:

• Identity verification records: managed through our compliance partner Sumsub, including government IDs, facial images (biometrics), and liveness check metadata.

• Financial transaction history: records of all cross-border remittances and stablecoin interactions.

• Earn / Yield records: deposit, withdrawal, and yield history processed through RebelFi.

• Device identifiers: used for fraud prevention and secure wallet (MPC) management.

While users may request the closure of their account and the deletion of non-essential data (such as marketing preferences), Rampa and its authorized partners cannot delete core financial or identity records until the statutory 10-year retention period has expired. This retention is a mandatory requirement for maintaining our financial licenses and ensuring the security of the global financial system.

Account closure will disable your wallet, but financial records will be retained for 10 years as required by law.

6b) Android app permissions

For Android 13+ (API 33) devices, Rampa requests only the granular media permissions required for each use case, rather than the broad READ_EXTERNAL_STORAGE permission:

• READ_MEDIA_IMAGES — to access photos for KYC document uploads.

• READ_MEDIA_VIDEO — to access videos for the liveness verification check.

We do not use READ_EXTERNAL_STORAGE on API 33+ devices. This approach minimizes the privacy footprint of the app and aligns with Google Play’s data safety requirements.

7) Your rights

Subject to legal limits, you have the rights of access, rectification, erasure, restriction, objection, and data portability. You can also withdraw consent where processing is based on consent.

Contact: hello@rampa.cash. You may also complain to your supervisory authority.

Note: erasure requests for data subject to 10-year statutory retention (Section 6) can only be fulfilled after the retention period expires.

8) Cookies & tracking

We aim to use essential cookies only on the website (e.g., to serve pages securely). No third-party advertising cookies. If we introduce optional analytics cookies, we will present a consent banner.

9) Intellectual property

The app, website, logos, and content are owned by Lafitech or our licensors. You receive a limited, revocable license to use the app as provided and per these Terms.

10) Children

Rampa is for adults (18+) and is not intended for children.

11) Changes to this privacy notice

We may update this privacy notice and will post the updated version with a new effective date. Material changes will be highlighted in-app or on our site.

12) Contact

Questions? Contact us at hello@rampa.cash

Annex A — Data Safety Table (Google Play)

The following table reflects our data safety declaration for the Google Play Console:
