ACTIVE ALERTS:3
CapPath

Data Protection

Last updated: January 2025

Data controller

Capital Path is the data controller for all personal data collected through this platform. Our Data Protection Officer can be reached at dpo@cappath.org. We are registered with the relevant supervisory authority in our operating jurisdiction.

Data we hold and why

We hold case intake data (name, contact details, financial loss particulars, incident description) for the purpose of assessing and investigating reported financial crimes. We hold technical submission metadata (IP address, user agent, timestamp) for fraud prevention and audit purposes. We hold correspondence data where you contact us directly.

Legal bases for processing

Case data: explicit consent (GDPR Art. 6(1)(a)) and legitimate interests in financial crime prevention (Art. 6(1)(f)). Technical metadata: legitimate interests in platform security and fraud prevention. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

How long we keep your data

Case records are retained for 7 years following case closure, consistent with international AML record-keeping standards. Technical metadata is retained for 12 months. Correspondence is retained for 3 years unless it relates to an active case. Data subject to a legal hold may be retained beyond these periods.

Who we share data with

Partner FIUs and law enforcement authorities: under MOU, where relevant to an active investigation, subject to data minimisation and purpose limitation. Legal counsel and expert witnesses: under confidentiality agreement, as required for case conduct. Infrastructure providers: under data processing agreements, limited to what is necessary for platform operation. We do not sell, license, or share personal data with commercial third parties.

International transfers

Data shared with partner FIUs in non-EEA jurisdictions is transferred under Standard Contractual Clauses or equivalent safeguards. Where no adequate safeguards exist, transfers are limited to what is strictly necessary to support law enforcement cooperation and are documented accordingly.

Your rights

You have the right to: access a copy of your personal data; request correction of inaccurate data; request erasure (subject to legal retention obligations); object to processing on legitimate interests grounds; request restriction of processing; and data portability where technically feasible. To exercise any of these rights, contact dpo@cappath.org. You also have the right to lodge a complaint with your national supervisory authority.

Security

Capital Path implements technical and organisational measures appropriate to the sensitivity of the data we hold: encrypted transmission (TLS 1.3), access controls, audit logging, and regular security assessments. Case data is stored in encrypted form at rest. Access is restricted to personnel with a documented operational need.

Contact

Data Protection Officer: dpo@cappath.org. Capital Path · cappath.org. For complaints that cannot be resolved directly with us, you may contact your national data protection authority.