This Privacy Policy (“Policy”) explains how Cleff Inc., a Delaware corporation with its registered address at 8 The Green, Ste B, Dover, DE 19901 (“Cleff,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data when you visit our website at usecleff.com (the “Site”), create an account, or use our payout orchestration platform, APIs, dashboard, and related services (collectively, the “Services”).
Cleff’s Services are business-to-business (B2B). Our direct customers are businesses and organizations that use the Cleff platform to disburse payments to their own recipients (“Beneficiaries”). This Policy covers personal data relating to: (i) authorized representatives, employees, and contractors of our business clients (“Client Personnel”); and (ii) Beneficiaries whose payment data is processed through our platform on behalf of our clients. It also covers personal data of visitors to our Site.
Please read this Policy carefully. If you have questions, contact us at support@usecleff.com.
1. Who This Policy Applies To
This Policy applies to three categories of people whose personal data Cleff processes:
- (a) Business Clients & Client Personnel. Representatives, officers, authorized users, and contractors of companies that have signed up for the Cleff platform. We collect and process personal data from these individuals to onboard and manage the client relationship, verify identity, and provide the Services.
- (b) Beneficiaries. Natural persons designated by our business clients to receive payouts disbursed through the Cleff platform. Cleff processes Beneficiary data (name, bank account details, and related payment information) on behalf of our clients as a data processor. Our clients are responsible for ensuring they have the legal basis to share Beneficiary data with us.
- (c) Website Visitors. Individuals who visit the Cleff website without creating an account. We collect limited technical data from website visitors as described in Section 4.
This Policy does not apply to third-party websites linked from our Site or to the data practices of our Bank Partner, Payment Infrastructure Partners, or other third-party service providers, each of which has its own privacy practices.
2. Data We Collect
Data You Give Us Directly
When you register for the Services, complete our onboarding process, submit transactions, or contact us, we collect:
- Identity & Contact Data— full name, job title, email address, phone number, business address, and government-issued identification documents where required for KYB/KYC.
- Business & Ownership Data— legal entity name, jurisdiction of incorporation, EIN or tax identification number, beneficial ownership information, and business documentation required by our Bank Partner.
- Financial Data— bank account numbers, routing numbers, wire transfer details, and payment method information for fee collection and platform funding.
- Account Credentials— username, password (stored in hashed form), and multi-factor authentication data.
- Beneficiary Payment Data— names, bank account details (account numbers, routing numbers, SWIFT/BIC codes, IBANs, local identifiers), amounts, and payment reference data for Beneficiaries designated by our clients. This data is provided to us by our business clients.
- Communications— emails, support tickets, and other correspondence you send to us.
Data We Collect Automatically
When you access our Site or platform, we automatically collect:
- Technical Data— IP address, browser type and version, operating system, device identifiers, time zone, and referral URLs.
- Usage Data— pages visited, features accessed, API call patterns, login timestamps, and session duration.
- Transaction Data— payout instructions submitted, transaction amounts, corridors used, status updates, and return data.
Data from Third Parties
We may receive personal data about you from:
- Identity & fraud verification providers— to verify the identity of Client Personnel during onboarding.
- Sanctions screening databases— OFAC, FATF, and other regulatory lists, to screen clients and Beneficiaries.
- Our Bank Partner— confirmation data, compliance flags, and account status information relevant to the Services.
- Our business clients— Beneficiary payment data submitted by clients for processing through the platform.
3. How We Use Personal Data
We process personal data only where we have a lawful basis to do so. The primary bases we rely on are: performance of a contract (providing the Services); compliance with a legal obligation; our legitimate interests (where those interests are not overridden by your rights); and, in limited circumstances, your consent.
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Onboarding and account creation | Identity, Contact, Business & Ownership, Financial | Performance of contract; legal obligation (KYB/KYC) |
| Providing the payout orchestration Services | Identity, Financial, Beneficiary Payment Data, Transaction Data | Performance of contract |
| Processing payout instructions on behalf of clients | Beneficiary Payment Data, Transaction Data | Performance of contract; legal obligation (BSA, NACHA) |
| Sanctions screening and compliance checks | Identity, Beneficiary Payment Data | Legal obligation (OFAC, BSA, NACHA) |
| Fee collection and billing | Financial, Transaction Data | Performance of contract; legitimate interests |
| Fraud detection and prevention | Identity, Technical, Usage, Transaction Data | Legitimate interests; legal obligation |
| Customer support and dispute resolution | Identity, Contact, Transaction Data | Performance of contract; legitimate interests |
| Security, system integrity, and incident response | Technical, Usage, Account Credentials | Legitimate interests; legal obligation |
| Compliance with regulatory requirements and legal process | All categories as required | Legal obligation |
| Improving and developing the Services (aggregated, de-identified) | Usage, Technical, Transaction Data (anonymized) | Legitimate interests |
| Sending service-related communications (not marketing) | Identity, Contact | Performance of contract; legitimate interests |
We do not use personal data for targeted advertising. We do not sell personal data to third parties. We do not use Beneficiary payment data for any purpose other than executing the payout instructions submitted by our clients.
6. International Data Transfers
Cleff is incorporated in the United States. Our platform infrastructure is hosted on cloud services with data centers in the United States. When we process personal data of individuals located in the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions, we ensure that appropriate safeguards are in place.
For transfers of personal data from the EEA or UK to the United States, we rely on the European Commission’s Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as applicable. Where we transfer Beneficiary data to Payment Infrastructure Partners located outside the EEA or UK, those transfers are subject to equivalent contractual protections.
Cleff’s cross-border payout infrastructure routes payments to beneficiaries in more than 140 countries. When Beneficiary payment data is transmitted to our cross-border settlement partner for execution, it is transferred to the jurisdiction of the beneficiary’s financial institution. Our clients, as data controllers, are responsible for ensuring they have the legal basis for such international transfers under their applicable privacy law obligations.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy or as required by Applicable Law. The following retention periods apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| KYB / KYC onboarding records (Client Personnel) | 5 years from end of client relationship | BSA Customer Due Diligence Rule; Bank Partner requirements |
| Beneficiary payment data and transaction records | 7 years from transaction date | NACHA Operating Rules; BSA record-retention requirements |
| ACH authorization records | 2 years from termination of authorization (minimum 7 years overall) | NACHA Operating Rules |
| Sanctions screening results | 5 years | BSA 31 CFR 1010.430 |
| Account credentials and access logs | Duration of account + 2 years | Security; legal obligation |
| Financial records and fee invoices | 7 years | Tax; contractual; legal obligation |
| Support communications | 3 years from resolution | Legitimate interests; dispute resolution |
| Website visitor technical data (cookies, logs) | Up to 13 months | Analytics; legitimate interests |
| Fraud screening metadata | 30–180 days | Fraud risk management |
When data is no longer required, we delete it securely or anonymize it in a manner that prevents re-identification. Some data may be retained longer where required by a legal hold, active dispute, or regulatory investigation.
8. Data Security
We maintain administrative, technical, and physical safeguards designed to protect personal data from unauthorized access, disclosure, alteration, or destruction. Our security measures include:
- Encryption at rest (AES-256) for all payment data, account credentials, and sensitive personal data.
- Encryption in transit (TLS 1.2 or higher with mutual authentication) for all data transmitted between Cleff and its clients, Bank Partner, and Payment Infrastructure Partners.
- Role-based access controls, least-privilege access, and multi-factor authentication for all systems containing personal data.
- Quarterly access reviews and immediate revocation on role change or termination.
- Security and application logging retained for a minimum of seven years in an immutable store.
- Annual penetration testing and vulnerability assessments.
- A documented incident response plan with defined notification timelines.
No security system is impenetrable. While we take reasonable steps to protect personal data, we cannot guarantee absolute security. You are responsible for securing your own account credentials and devices. If you suspect unauthorized access to your account, contact us immediately at support@usecleff.com.
9. Data Breach Notification
In the event of a security incident that results in unauthorized access to, or disclosure of, personal data, Cleff will take the following steps:
- Internal containment and investigation. We will promptly investigate the incident, contain the exposure, and assess the scope and nature of any affected data.
- Regulatory notification.Where required by Applicable Law, we will notify the appropriate regulatory authorities within the required timeframe. Under the FTC’s GLBA Safeguards Rule, we are required to notify the FTC no later than 30 days after discovery of a breach involving the personal information of 500 or more individuals. We will also notify our Bank Partner and any other affected payment infrastructure partners as required by our agreements with those parties.
- Individual notification.Where a breach is reasonably likely to result in harm to affected individuals, or where notification is required by applicable state or federal law, we will notify affected clients and, where appropriate, Beneficiaries. Notification will be provided by email to the address associated with the account, or by alternative means if email is unavailable, within the timeframe required by law (generally no more than 30–60 days depending on jurisdiction).
- Remediation. We will take reasonable steps to remediate the cause of the incident, enhance controls to prevent recurrence, and document the response in accordance with our incident response plan.
If you believe your account or personal data may have been compromised, please contact us immediately at support@usecleff.com or at the address in Section 16.
10. Your Privacy Rights
Rights for All Users
Depending on your location and the applicable privacy law, you may have the following rights with respect to your personal data:
- Access— request a copy of the personal data we hold about you.
- Rectification— request correction of inaccurate or incomplete personal data.
- Erasure— request deletion of your personal data where we no longer have a legitimate basis to retain it.
- Restriction— request that we restrict processing of your personal data in certain circumstances.
- Portability— receive your personal data in a structured, machine-readable format, where technically feasible.
- Objection— object to processing based on our legitimate interests.
- Withdraw Consent— where we rely on consent as the legal basis, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email support@usecleff.comwith “Privacy Request” in the subject line. We will verify your identity before processing any request and respond within the timeframe required by applicable law (generally one month, with an extension of up to two additional months for complex requests). We do not charge a fee for reasonable requests.
Note that some rights are subject to limitations. We may decline requests where fulfillment would conflict with our legal obligations — for example, we cannot delete transaction records that we are required to retain under the Bank Secrecy Act or NACHA Rules.
Beneficiary Data Requests
Beneficiaries whose payment data has been submitted to Cleff by one of our business clients should direct their privacy requests to that client in the first instance, as the client is the data controller for that data. Where a Beneficiary contacts us directly, we will forward the request to the relevant client and cooperate in its resolution.
11. GLBA / Regulation P — Financial Privacy Notice
Cleff is subject to the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, including the FTC’s Privacy Rule (16 CFR Part 313) and Safeguards Rule (16 CFR Part 314).
Nonpublic Personal Information (NPI) We Collect
We collect NPI about our business clients and, where applicable, their authorized representatives. Categories of NPI collected include: name, address, and other contact information; government-issued identification; Social Security number or tax identification number (where required for business verification); bank account and routing numbers; and transaction and payment history. We do not collect NPI directly from Beneficiaries — Beneficiary data is provided to us by our business clients.
How We Share NPI
We do not share NPI with nonaffiliated third parties for their own marketing purposes. We share NPI only as permitted under the GLBA exceptions — including to process transactions, service accounts, comply with legal obligations, and respond to regulatory or law enforcement requests. All NPI sharing is subject to the terms described in Section 5 of this Policy.
Your Right to Opt Out
Under the GLBA, you have the right to opt out of certain sharing of your NPI with nonaffiliated third parties. Because Cleff does not share NPI with nonaffiliated third parties for their own use beyond the GLBA’s permitted exceptions, there is currently no opt-out right applicable to Cleff’s data sharing practices. If Cleff’s practices change in a way that creates an opt-out right, we will provide you with notice and a reasonable means to opt out before such sharing begins.
Annual Notice
Cleff qualifies for the exception to the GLBA annual privacy notice requirement because we do not share NPI with nonaffiliated third parties in ways that trigger opt-out rights, and we have not changed our privacy policies or practices since the last notice was provided. We will provide a revised notice if our practices change in a material way.
12. California Residents — CCPA / CPRA
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information. The CPPA’s updated regulations effective January 1, 2026 are reflected in this section.
GLBA / CCPA Interaction
Much of the personal information Cleff collects from its business clients and processes in connection with payment services is subject to the GLBA and therefore exempt from the CCPA’s privacy requirements (though not from its data breach private right of action). The disclosures in this section apply to any personal information Cleff collects from California residents that is not subject to the GLBA exemption, including information collected from website visitors, marketing contacts, and B2B personnel data.
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA: identifiers (name, email, IP address, government ID); commercial information (transaction records, fee history); financial information (bank account details); internet or other electronic network activity (usage data, access logs); and professional or employment-related information (job title, employer). We do not collect sensitive personal information beyond what is necessary for identity verification and payment processing.
We Do Not Sell or Share Personal Information
Cleff does not sell personal information. Cleff does not share personal information for cross-context behavioral advertising. We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age.
Global Privacy Control
We recognize the Global Privacy Control (GPC) opt-out preference signal as a valid opt-out of the sale or sharing of personal information. If you access our Site with GPC enabled, we will honor that signal. Because we do not sell or share personal information for behavioral advertising, no further action is required on your part, but you may confirm the status of any opt-out request by contacting us at support@usecleff.com.
Your CCPA Rights
California residents have the right to: (i) know what personal information we have collected, used, disclosed, and sold — including information collected more than 12 months ago (except prior to January 1, 2022); (ii) delete personal information we have collected, subject to certain exceptions; (iii) correct inaccurate personal information; (iv) opt out of the sale or sharing of personal information (not applicable, as we do not sell or share); (v) limit the use of sensitive personal information (we use it only as necessary for the Services); and (vi) non-discrimination for exercising CCPA rights.
To submit a CCPA request — including a request for information collected prior to the past 12 months — email support@usecleff.comwith “CCPA Request” in the subject line and specify the date range for your request, or request all personal information collected since January 1, 2022. You may also submit a request on behalf of a minor child for whom you are a parent or legal guardian. We will verify your identity before processing the request and respond within 45 days, with a possible extension of 45 additional days for complex requests.
Cybersecurity Audits and Risk Assessments
Under the CPRA regulations effective January 1, 2026, businesses that engage in data processing activities that present significant risk to consumers’ privacy or security are required to conduct risk assessments and, depending on revenue thresholds, annual cybersecurity audits. Cleff conducts risk assessments of its data processing activities on an ongoing basis as part of its compliance program. To the extent these requirements apply based on Cleff’s size and data processing activities, Cleff will comply with all applicable submission and attestation deadlines established by the California Privacy Protection Agency.
Automated Decision-Making Technology (ADMT)
The CPRA regulations establish notice and opt-out requirements for businesses that use automated decision-making technology (ADMT) to make significant decisions about consumers, with compliance required beginning January 1, 2027. To the extent Cleff uses automated processing — such as fraud scoring or transaction risk decisioning — that constitutes ADMT under the regulations, we will provide required pre-use notices and opt-out mechanisms prior to the January 1, 2027 compliance deadline. We will update this Policy at that time with specific disclosures regarding any such use.
13. EEA & UK Residents — GDPR / UK GDPR
If you are located in the European Economic Area or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR applies to Cleff’s processing of your personal data.
Data Controller vs. Data Processor
For Client Personnel data, Cleff acts as a data controller — we determine the purposes and means of processing. For Beneficiary payment data submitted by our business clients, Cleff acts as a data processor on behalf of the client (the data controller). Our clients are responsible for ensuring they have a lawful basis for sharing Beneficiary data with us and for honoring Beneficiaries’ GDPR rights.
Legal Bases for Processing
We process personal data of EEA and UK individuals on the following legal bases: performance of a contract (providing the Services and executing payouts); compliance with a legal obligation (BSA, NACHA, sanctions screening, and applicable EU/UK regulatory requirements); our legitimate interests (fraud prevention, security, platform improvement); and, in limited circumstances, consent (marketing communications, where applicable).
Your GDPR Rights
In addition to the general rights described in Section 10, EEA and UK residents have the right to lodge a complaint with their local supervisory authority. In the EU, authority contact details are available at ec.europa.eu/justice/data-protection/bodies/authorities. In the UK, the relevant authority is the Information Commissioner’s Office at ico.org.uk. We would appreciate the opportunity to resolve your concern directly before you contact a supervisory authority — please contact us first at support@usecleff.com.
Data Protection Officer
Cleff does not currently meet the threshold requiring appointment of a formal Data Protection Officer. Privacy-related inquiries should be directed to support@usecleff.com.
14. Children's Privacy
The Services are not intended for, and we do not knowingly collect personal data from, individuals under 18 years of age. Our clients must ensure that any Beneficiaries they designate are at least 18 years old or that appropriate parental or guardian consent has been obtained. If we become aware that we have collected personal data from a minor without appropriate authorization, we will delete it promptly. If you believe we may have received data from a minor, contact us at support@usecleff.com.
15. Third-Party Links & Integrations
Our Site and platform may contain links to third-party websites or integrations with third-party tools. These third parties have their own privacy policies and we are not responsible for their data practices. Clicking a link to a third-party site takes you outside our environment and this Policy no longer applies. We encourage you to review the privacy policy of any third-party service you access.
16. Changes to This Policy
We review and update this Policy periodically. When we make material changes, we will notify you by: (i) posting the updated Policy on our Site with an updated “Last Updated” date; and (ii) sending an email notification to the contact address associated with your account at least 30 days before the change takes effect. Your continued use of the Services after the effective date of any update constitutes acceptance of the revised Policy. If you do not accept an update, you may close your account before the effective date in accordance with the Terms of Service.
Minor changes (such as clarifications, formatting corrections, or updates to contact information) may be made without prior notice.
17. Contact Us
If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us:
- Email: support@usecleff.com (include “Privacy Request” in the subject line)
- Mail: Cleff Inc., 8 The Green, Ste B, Dover, DE 19901, United States
- Website: usecleff.com
We aim to respond to all privacy requests within one month. For requests from EEA or UK residents exercising GDPR rights, or California residents exercising CCPA rights, we will respond within the timelines required by the applicable law.
You have the right to file a complaint with your local data protection supervisory authority at any time. We ask that you contact us first so we have the opportunity to address your concern directly.