Privacy Policy

Last updated: January 2025

What data we collect

Capital Path collects the information you provide through the case intake form: name, email address, phone number, financial loss details, platform information, incident date, and any supporting notes you supply. We also collect technical data at the point of submission: IP address, user agent, referrer URL, and UTM attribution parameters.

Legal basis for processing

Case submission data is processed on the basis of your explicit consent (GDPR Article 6(1)(a)) and our legitimate interest in preventing and investigating financial crime (GDPR Article 6(1)(f)). You may withdraw consent at any time; however, where data is required for ongoing proceedings, the right to erasure is limited by legal obligation.

Data retention

Case data is retained for 7 years following case closure, in alignment with international AML record-keeping requirements. Technical metadata is retained for 12 months. You may request deletion of data not subject to legal retention obligations by contacting our Data Protection Officer.

Cross-border data transfers

Capital Path operates internationally. Where personal data is transferred outside your jurisdiction, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism. Transfers to partner FIUs are governed by the relevant MOU, which includes data protection obligations.

Your rights

You have the right to access, correct, or request deletion of your personal data (subject to legal retention obligations). You also have the right to lodge a complaint with your national data protection authority. To exercise any of these rights, contact our Data Protection Officer at dpo@cappath.org.

Contact

Data Protection Officer: dpo@cappath.org. Capital Path · cappath.org.