Security & Privacy Policy

1. Who We Are

CastleFX is a brand and platform operated by Castle Currency Management, Inc. (“CCM,” “we,” “us,” or “our”). CCM is incorporated in the State of Texas and provides currency strategy services, consulting, educational content, currency risk management resources, customer support, website operations, and related business services. CCM also facilitates access to and supports currency exchange and global payment transaction services on behalf of its clients.

Currency exchange, payment, settlement, compliance, and related transaction services are executed through regulated third-party service providers, including Corpay. CCM manages client relationships, provides strategy guidance, supports clients through the transaction process, and liaises with service providers on behalf of clients. Trade execution, fund movement, settlement, and regulatory compliance activities are performed by the applicable regulated service provider. CCM supports clients throughout the process and acts as the primary relationship manager for CastleFX clients.

Castle Currency Exchange Inc. (“CCFX”) is a separate legal entity under common ownership that operates independently in Canada. CCFX is not a division, subsidiary, or agent of CCM. Certain Canadian referral, white-label, and legacy customer relationships are managed directly by CCFX. CCM provides certain services to CCFX under a separate services agreement.

This Security & Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit castlefx.com or use our services. By using the CastleFX website or services, you consent to the practices described in this policy. If you do not agree with these practices, please do not use our website or services.

Customer information may be shared with regulated service providers for identity verification, compliance, transaction processing, settlement, and regulatory reporting purposes.

2. Information We Collect

We collect information in several ways depending on how you interact with us.

Business Information:

• Company name, business address, and registration documents
• Ownership and director information
• Banking and payment details required to process currency transactions
• Transaction history

Personal Information:

• Name, address, telephone number, and email address
• Date of birth where required for identity verification
• Government-issued identification
• Beneficial ownership information and compliance documentation
• Communications you send us via our contact form, email, or phone
• Registration details for workshops, webinars, or consulting sessions
• Subscription preferences and service configuration settings

Technical Information:

• IP address, browser type, and operating system
• Pages visited, time spent on pages, and referring URLs
• Device identifiers and approximate geographic location (country/region level)
• Login history and platform activity logs
• Cookies and similar tracking technologies (see Section 10)

Transaction Information:

• Payment details, currency transactions, and beneficiary information
• Funding account information and settlement details

3. How We Use Your Information

We use the information we collect for the following purposes:

• To open and maintain accounts and verify customer identity
• To provide currency exchange, payment processing, and advisory services you have requested
• To deliver currency strategy subscription content, rate alerts, and educational materials
• To manage your account, process transactions, and communicate account-related updates
• To respond to your inquiries, support requests, or feedback
• To process payments for subscriptions and consulting services via our payment processor (Stripe)
• To schedule and deliver booked consulting appointments and workshops
• To meet anti-money laundering and know-your-customer requirements
• To improve our website, services, and communications based on usage analytics
• To send you relevant service announcements and, with your consent, marketing communications
• To comply with applicable legal, regulatory, and reporting obligations
• To detect, investigate, and prevent fraudulent transactions or other prohibited activities
• To administer strategy subscriptions, alert services, workshops, consulting engagements, and other CastleFX services.

We do not sell your personal information to third parties for their own marketing purposes.

4. Regulatory and Compliance

CCM is committed to complying with applicable anti-fraud, anti-money laundering (AML), know-your-customer (KYC), sanctions screening, and regulatory requirements in the jurisdictions in which it operates. CCM ensures that transaction services are provided exclusively through regulated service providers that are themselves subject to applicable AML, KYC, sanctions screening, and financial regulatory requirements.

To satisfy these obligations, CCM and its authorized regulated service providers may collect, verify, monitor, and retain customer information, beneficial ownership information, identification documents, transaction information, and other compliance-related records.

CastleFX may request additional information at any time to satisfy regulatory, compliance, fraud prevention, risk management, or transaction monitoring requirements. Failure to provide requested information may result in delays, restrictions, suspension, or termination of services.

Certain information may be shared with authorized regulated service providers involved in identity verification, compliance screening, transaction processing, settlement, and regulatory reporting.

5. Sharing Your Information

We do not sell, rent, or trade your personal information. We may share your information with the following categories of parties only as necessary to deliver our services or meet our obligations:

• Transaction Service Providers: Currency exchange, payment, settlement, and related transaction services are executed through regulated third-party service providers, including Corpay. These service providers receive only the information necessary to complete your transactions and fulfill their regulatory requirements.
• Technology Providers: CCM utilizes third-party technology, hosting, infrastructure, security, and support providers to operate portions of the CastleFX platform. Such providers may have limited access to information solely as necessary to perform their contracted services and are required to maintain appropriate confidentiality and security safeguards.
• Payment Processor: Stripe, Inc. processes subscription and consulting payments on our behalf. Stripe maintains its own privacy and security practices; we do not store full payment card details on our servers.
• Scheduling Services: Calendly may receive your name and email address when you book a consultation or free currency review.
• Form and Communication Services: Web3Forms processes form submissions from our website and may temporarily store submission data to deliver it to us.
• Legal and Regulatory Authorities: Information may be disclosed when required by law enforcement agencies, regulatory authorities, court orders, government agencies, or anti-money laundering investigations.
• Professional Advisors: Lawyers, accountants, and auditors who are bound by confidentiality obligations.
• Business Transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction.

All third-party service providers are contractually required to handle your information securely and in a manner consistent with this policy.

6. Security Measures

Protecting your information is a fundamental part of how we operate. We implement industry-standard safeguards appropriate to the sensitivity of the information we hold, including:

• Encryption in transit: All data transmitted between your browser and our website is encrypted using TLS (Transport Layer Security / HTTPS)
• Access controls: Access to personal and transaction data is restricted to authorized personnel on a need-to-know basis, with role-based access controls and authentication requirements
• Secure payment processing: Payment card data is handled exclusively by Stripe, a PCI DSS-compliant processor. We do not store, process, or transmit cardholder data on our own systems.
• Form protection: Our web forms use hCaptcha to prevent automated abuse and spam submissions
• Monitoring: We maintain logs and monitoring to detect unauthorized access or suspicious activity
• Vendor security reviews: Third-party providers with access to customer information are subject to security and confidentiality reviews
• Staff training: Personnel who handle personal information receive privacy and security training

While we take reasonable measures to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, and you use our website and services at your own risk with respect to internet-based threats.

7. Hosting and Infrastructure

CastleFX utilizes Microsoft Azure cloud infrastructure, operated on our behalf by authorized technology service providers, to host and support portions of our systems. Authorized third-party technology providers may access information solely as necessary to:

• Maintain systems and provide technical support
• Improve security and perform backups
• Support business continuity and disaster recovery

All such providers are subject to contractual confidentiality and security obligations.

8. Data Retention

CastleFX retains information only as long as necessary to deliver services, meet regulatory requirements, resolve disputes, enforce agreements, and maintain required business records. Certain records may be retained longer where required by applicable law.

• Account and transaction records: Retained for a minimum of five years from the date of the last transaction, or longer where required by applicable law or regulation
• Active account data: Retained for the duration of your relationship with CastleFX and for a reasonable period thereafter to handle any disputes or follow-up inquiries
• Contact and inquiry records: Retained for up to three years unless you request deletion and there is no legal basis requiring continued retention
• Website analytics data: Aggregated and anonymized data may be retained indefinitely; identifiable log data is typically retained for up to 12 months

When retention periods expire, information is securely deleted or anonymized.

9. Your Privacy Rights

Subject to applicable legal limitations, you have the following rights with respect to your personal information:

• Access: You may request a copy of the personal information we hold about you
• Correction: You may request that we correct inaccurate or incomplete information
• Deletion: You may request deletion of your information where legally permitted. Certain information cannot be deleted where retention is required by applicable law or regulation.
• Withdrawal of consent: Where processing is based on your consent, you may withdraw it at any time. This will not affect the lawfulness of processing prior to withdrawal.
• Unsubscribe: You may opt out of marketing communications at any time by clicking the unsubscribe link in any email or contacting us directly

To exercise any of these rights, please contact us using the details in Section 16.

10. Cookies and Tracking

Our website uses cookies and similar technologies to improve your browsing experience and help us understand how the site is used.

Types of cookies we use:

• Essential cookies: Required for basic website functionality, navigation, and security. These cannot be disabled.
• Analytics cookies: Help us understand how visitors interact with our website (e.g., pages visited, time on site). Data is aggregated and used only to improve the site.
• Third-party cookies: Services embedded on our site, including TradingView charts, the Calendly scheduling widget, and hCaptcha, may set their own cookies governed by their respective privacy policies.

You can control cookies through your browser settings. Disabling certain cookies may affect website functionality. We do not use cookies to deliver targeted advertising.

11. Third-Party Services

Our website integrates services provided by third parties. When you interact with these services, their own privacy policies apply:

• TradingView — live currency chart widgets embedded on our Live Charts page
• Calendly — appointment scheduling for free currency reviews and consulting sessions
• Stripe — payment processing for subscriptions and consulting services
• Web3Forms — web form submission handling
• hCaptcha — bot and spam protection on contact and registration forms
• Google Fonts — typography resources loaded from Google servers
• Google Analytics — website traffic and visitor analytics

We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before using those services.

12. Children’s Privacy

CastleFX services are intended for businesses and adults. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will take appropriate steps to delete it.

13. Cross-Border Data Transfers

Because CastleFX supports international payment and currency services, information may be processed and stored in jurisdictions outside your country of residence, including the United States and Canada. When your information is transferred across borders, it may be subject to the laws of those jurisdictions.

We take steps to ensure that third parties receiving your data provide a comparable level of protection, including through contractual safeguards. By using our services, you acknowledge and consent to such transfers where necessary to provide services.

14. Email Communications

CastleFX may send account notifications, transaction confirmations, security alerts, service updates, educational materials, and currency strategy subscriptions. You may opt out of marketing communications at any time. Certain operational and regulatory communications cannot be opted out of while maintaining an active account.

Where you have provided consent, CastleFX may also send SMS messages relating to strategy alerts, account notifications, service updates, and other operational communications.

15. Changes to This Policy

We may update this Security & Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the “Last updated” date at the top of this page.

We encourage you to review this policy periodically. Your continued use of the CastleFX website or services following any update constitutes your acceptance of the revised policy.

16. Contact Us

If you have questions, concerns, or requests related to this Security & Privacy Policy or how we handle your personal information, please contact our Privacy Officer:

• Castle Currency Management, Inc.
• Email: info@castlefx.com
• Phone: 888-956-2423

For Terms of Use, please see our Terms of Use page.