Privacy Notice

Last updated: 1 April 2026
Contact: support@bultra.com
Registered Address: 9 Turkey Lane, St. George, Roseau, Commonwealth of Dominica

1. Data Controller

We, Vertex Capital Bank Limited dba as Bultra ("Vertex", "we" or "us") operates the website Bultra - Stablecoin-Powered Global Money Transfers (the "Website"). Unless otherwise stated in this Privacy Notice, we are the entity responsible for determining the purposes and means of processing your Personal Data.

This Privacy Notice explains what Personal Data we collect and how we use it. As a company established and operating in the Commonwealth of Dominica, our primary privacy and data‑handling obligations are guided by:

  • The Constitution of the Commonwealth of Dominica, which protects individuals' privacy rights, particularly regarding personal information and private life; and
  • Applicable sectoral laws and general principles of fair, lawful, and transparent processing recognised within Dominica, including practices reflected in the Government of Dominica's own privacy and security policies for online data handling.

While Dominica does not currently have a comprehensive data‑protection law, we voluntarily align our privacy practices with internationally recognised standards. In specific circumstances, such as where services are provided to individuals located in the European Union, the EU General Data Protection Regulation (the "GDPR") may apply on an extraterritorial basis. In such cases, we will process Personal Data in accordance with the GDPR's requirements.

2. Scope

This Privacy Notice outlines how your Personal Data is handled whenever you interact with our digital services. It applies to:

  • Your access to and use of the Website;
  • Your use of any Vertex Services, as defined in this Notice, whether accessed through browsers, mobile devices, applications, or integrated merchant environments.

This Privacy Notice governs the types of data we process, why we process it, and your rights in relation to that processing. It also explains how updates to this Notice will be communicated. We may revise this Notice by posting an updated version on the Website, including the effective date. Where changes are material, we will notify you by email.

Certain processing activities may be carried out by third-party service providers or partners involved in delivering the Vertex Services. Where such third parties act independently or jointly with us, their own privacy information also applies and should be reviewed alongside this Notice.

3. Definitions

As used in this Privacy Notice, the following terms have the meanings set out below:

"Digital Asset" means a digital representation of value (also referred to as "cryptocurrency," "virtual currency," "digital currency," "crypto token," "crypto asset," or "digital commodity"), such as bitcoin, XRP, or ether. Digital Assets are based on cryptographic protocols that may be:

  • Centralized or decentralized,
  • Closed or open-source, and
  • Used as a medium of exchange and/or store of value.

"Minor" means any natural person under the age of 18.

"Personal Data" or "your data" means any information relating to an identified or identifiable natural person. This includes, for example, your name, identification numbers, location data, online identifiers, or factors relating to your physical, economic, cultural, or social identity.

"Vertex Account" means a user-accessible account that enables you to view, manage, and track Digital Asset-related activity, including receiving payments, converting Digital Assets to fiat currency, issuing or managing invoices, processing refunds, and monitoring transaction status.

"Vertex Services" means all services provided by Vertex, including but not limited to:

  1. Vertex Billing, our merchant invoicing solution enabling businesses to accept Digital Asset payments and receive fiat currency;
  2. The provision of a secure operational environment for safeguarding client funds; and
  3. Access to and use of the Vertex Account.

Vertex Services also includes any features, functions, tools, platforms, or technologies accessible through the Website.

4. How We Protect your Personal Data

We take the protection of your Personal Data seriously and apply a combination of technical, organisational, and physical safeguards to reduce the risk of unauthorized access, alteration, disclosure, or destruction of the information we hold.

Our protective measures include:

  • Encrypted transmission, including the use of SSL protocols when you access the Website;
  • Optional two-factor authentication to enhance account security;
  • Regular review and improvement of our data-collection, storage, and processing practices;
  • Strict access controls, ensuring that only authorized Vertex personnel, affiliates, or subcontractors with a legitimate business need can access your Personal Data;
  • Employee training, emphasizing confidentiality, responsible data handling, and privacy obligations;
  • Physical, electronic, and procedural safeguards designed to prevent unauthorised access to our systems and facilities.

While we implement robust safeguards, it is important to note that no method of transmitting information over the internet is entirely secure. We therefore cannot guarantee the absolute security of any Personal Data transmitted to us. Any transmission of data to our systems is carried out at your own risk, though we will continue to apply reasonable measures to protect your information once received.

5. Personal Data We May Collect About You

5.1. Personal Data You Give Us

5.1.1. Data processing when contacting us

When you contact us through any communication channel (including email or web forms), we process the Personal Data you voluntarily provide—such as your name, email address, phone number, company name, and the content of your request. We also record the time at which your request is received.

We use this information to:

  • Respond to your inquiry;
  • Provide information about our services;
  • Assist with contract‑related matters;
  • Improve the quality and relevance of our services based on your feedback.

In the Commonwealth of Dominica, there is no comprehensive data‑protection statute, but privacy rights are recognised under the Constitution and informed by general principles of fair and transparent processing. If the GDPR applies due to your location or the nature of the interaction, the applicable legal basis would be:

  • Our legitimate interest in responding to your request (Article 6(1)(f)); or
  • The need to take steps at your request prior to entering into a contract (Article 6(1)(b)).

5.1.2. Data processing when creating a Vertex Account

To create a Vertex Account, we require certain information about you and the business you represent. This includes:

  • Company name and country of registration;
  • Default currency;
  • Your first and last name, username, email address, and password.

Mandatory fields are marked with an asterisk (*). If you do not provide the required information, some or all features of the Website and Vertex Services may not be available to you.

We use this data to:

  • Deliver and administer the Vertex Account;
  • Fulfil operational and contractual obligations;
  • Verify your identity;
  • Prevent fraud and maintain platform integrity;
  • Comply with applicable financial‑crime and anti‑money‑laundering obligations;
  • Communicate with you and secure your account credentials.

If the GDPR applies, the legal basis is:

  • Performance of a contract (Article 6(1)(b)); and
  • Our legitimate interests in fraud prevention, compliance, and efficient account management (Article 6(1)(f)).

5.1.3. Data processing during payment with Digital Assets

If you pay a merchant using Digital Assets processed through Vertex systems, we collect certain transaction‑related Personal Data necessary to facilitate the payment, including:

  • Wallet address;
  • Transaction amount and timestamp;
  • Technical identifiers required to link the payment to the correct merchant account;
  • Your full legal name, residential address (including country), email address, mobile number, and date of birth.

We never receive or store sensitive payment‑instrument data, such as private keys.

Third‑party service providers (such as liquidity providers or blockchain infrastructure partners) may independently process elements of this data. Their privacy practices apply separately and should be consulted directly.

We use a Digital Payment Service Provider located in the United Arab Emirates. Your Personal Data may be stored in systems under its control to complete Digital Asset conversions or settlements. In certain cases, the Digital Payment Service Provider may act as an independent controller and process data for its own purposes (e.g., analytics, marketing).

We may also collect additional information—for example, proof of address, source‑of‑funds documentation, or other financial‑crime‑related information—strictly to comply with anti‑money‑laundering (AML) and counter‑terrorist‑financing (CTF) obligations.

These obligations may arise from:

  • Dominican financial‑crime compliance requirements;
  • International AML standards applicable to regulated entities;
  • Other jurisdictional rules where relevant (e.g., EU or UK AML frameworks).

If the GDPR applies, the processing legal basis for these compliance activities is Article 6(1)(c) (legal obligation).

5.2. Personal Data We Receive From Other Sources

We may receive Personal Data about you from third parties we work with. Examples include:

  • Banks, which may send us identifying and financial information relating to payments you make;
  • Business partners, who may share your contact and financial information in connection with a service relationship;
  • Advertising networks, analytics tools, and search‑information providers, which may give us anonymised or de‑identified data (e.g., how you found our Website);
  • Credit reference agencies, which do not provide Personal Data directly but may be used to verify or corroborate information you have submitted.

These third parties may have their own privacy obligations based on their jurisdiction or regulatory environment, which you should review separately.

5.4. General Provisions

If, during your use of our services, you provide Personal Data relating to someone else, you confirm that:

  • You have obtained that person's informed consent to share their Personal Data with us; and
  • That person has agreed to our collection, use, and disclosure of their Personal Data as set out in this Privacy Notice.

6. Central Data Storage and Analysis in the CRM System

We maintain a central customer-management database in which we store and link the categories of Personal Data described in this Privacy Notice. This may include your contact information, account details, contractual records, and information about how you interact with our Website. Consolidating this information in a secure system enables us to manage customer relationships efficiently, respond to your requests accurately, and deliver the services you use.

We also analyse this data to improve and develop our services, understand user behaviour, and provide you with information or features that are most relevant to your needs. This may include the use of analytical tools that help us identify trends, anticipate service demand, or tailor communications based on your interaction patterns.

The Commonwealth of Dominica does not have a comprehensive data-protection statute governing CRM-related processing. We therefore carry out this activity in accordance with general principles of fairness, transparency, data minimisation, and responsible use, which reflect privacy practices recognised by the Government of Dominica and regional standards.

If the GDPR applies to specific processing (for example, where data subject rights arise based on your location or applicable EU law), our legal basis would be our legitimate interests in:

  • Efficiently managing user and account data (Article 6(1)(f)); and
  • Conducting service-development and marketing-related analytics designed to improve the user experience (Article 6(1)(f)).

7. Disclosure of Your Personal Data

Disclosure to Third Parties and Third‑Party Access

To deliver our services effectively, we work with a range of trusted third‑party service providers. When necessary, we may share your Personal Data with these entities, but only to the extent required for them to perform the services we rely on. This includes third parties mentioned throughout this Privacy Notice and additional providers such as:

  • Affiliates, business partners, service providers, and subcontractors involved in delivering, maintaining, or supporting our operations, including hosting and infrastructure services.
  • Analytics and search‑technology providers that help us improve and optimise the Website.
  • Group entities or subsidiaries supporting administrative, operational, or technical functions.

We may also disclose Personal Data in additional circumstances, including when:

  • We enter into a sale or acquisition of a business or assets, allowing the prospective buyer or seller to access relevant Personal Data so that contracted services can continue seamlessly.
  • We must comply with legal or regulatory obligations, including enforcing our Terms of Service or other agreements.
  • Disclosure is required to protect our rights, property, customers, or others, including fraud‑prevention and credit‑risk measures.
  • We conduct or support investigations into suspected fraud or unlawful activity.
  • We receive a lawful subpoena, warrant, court order, or other valid legal request.
  • Disclosure is needed to protect Vertex from financial or insurance risks, or to recover debts or address matters relating to insolvency.
  • We require information to maintain or develop customer relationships, services, or internal systems.

If you wish to obtain more detailed information about the third parties with whom your Personal Data has been shared, you may request this by contacting us at support@bultra.com.

7.2. Transfers of Personal Data to Third Countries

We may transfer your Personal Data to third parties located outside the Commonwealth of Dominica when necessary to facilitate the processing activities described in this Privacy Notice. Examples of such transfers appear in Sections 5, 6, and 11.

When transferring data internationally, we implement reasonable contractual, organisational, and technical safeguards to ensure that your Personal Data is handled responsibly and in accordance with the principles of fair and secure processing reflected in Dominica's constitutional privacy protections and recognised best‑practice standards.

If you would like additional information about the safeguards applied to international transfers, you may contact us using the details provided in Section 14.

8. Profiling and Automated Decision-Making

We may use certain elements of your Personal Data, such as your interaction patterns, country of residence, or transaction history, to better understand your needs and improve the relevance of the information we provide. For example, if you frequently transact using a particular Digital Asset, we may highlight features or updates that are likely to be useful to you. Where possible, we rely on anonymous or de-identified data to support these insights.

We may also use automated tools to streamline aspects of our operations, enhance your user experience, or support the detection and prevention of financial crime. Examples include:

  • Automated verification of identity documents;
  • Automated checks to validate information you provide;
  • Automated assessments designed to support fraud-prevention or compliance monitoring.

These automated processes do not produce decisions that have legal or similarly significant effects on you. They are designed to support efficient service delivery and uphold the security and integrity of our systems.

As Dominica does not have a comprehensive data-protection statute regulating profiling or automated decision-making, we apply internationally recognised best-practice standards, including transparency, proportionality, and safeguards to protect your privacy.

If the GDPR applies in specific circumstances due to your location or the nature of the processing, you may have the right to:

  • Request human review of an automated decision;
  • Express your point of view;
  • Contest an automated assessment.

Where consent is required for certain profiling or automated-processing activities, you may withdraw that consent at any time by contacting us using the details provided in this Privacy Notice.

9. Privacy When Using Digital Assets and Blockchains

When you transact using Digital Assets such as bitcoin, XRP, ether, or other blockchain-based tokens, certain transaction details may be recorded on a public blockchain. Public blockchains function as distributed ledgers designed to store information immutably across networks of independent computer systems. Information published to these networks may be publicly accessible, permanently stored, and capable of forensic analysis by third parties.

Public blockchain activity can, in some circumstances, lead to de-anonymisation, especially when blockchain data is matched with external information. As a result, details relating to your Digital Asset transactions may inadvertently reveal aspects of your financial activity.

Blockchains are decentralised systems that are not operated or controlled by Vertex or any of our affiliates. We therefore cannot erase, modify, or alter any Personal Data that becomes part of a blockchain record. Once recorded on such networks, information may remain permanently accessible according to the rules and technical structure of the particular blockchain.

10. Data Retention

We retain certain Personal Data and transactional information for as long as necessary to meet our legal, regulatory, and compliance obligations, including obligations relating to anti‑money‑laundering (AML), counter‑terrorist financing (CTF), fraud prevention, and financial‑record‑keeping requirements applicable to institutions operating in or from the Commonwealth of Dominica. These obligations may require the storage of data even after your Vertex Account has been closed.

Access to retained data is strictly limited. Personal Data stored for compliance purposes is only accessed internally on a need‑to‑know basis, and only where access is necessary for a legitimate operational, legal, or regulatory purpose.

We delete or anonymise Personal Data once it is no longer required under any applicable law, regulatory obligation, or legitimate business requirement in the jurisdictions in which we operate. Where no mandatory retention period applies, we retain Personal Data only for the duration necessary to fulfil the purposes described in this Privacy Notice.

11. Background Data Processing on Our Website (Revised, Dominica‑Focused)

11.1. Data Processing When Visiting Our Website (Log File Data)

When you access our Website, our hosting provider's servers automatically record certain technical information in log files. The following data may be collected and stored temporarily until it is automatically deleted:

  1. IP address of the device making the request
  2. Date and time of access
  3. Name and URL of the file or resource accessed
  4. Website or platform from which you were referred, including search terms where applicable
  5. Information about your operating system and browser (type, version, language settings)
  6. Device type, if you are accessing the Website from a mobile device
  7. City or region inferred from your IP address
  8. Name of your internet service provider

We process this information to:

  • Enable the technical operation and display of the Website;
  • Maintain long‑term security and system stability;
  • Diagnose errors and optimise performance;
  • Investigate suspected unauthorised or improper use.

If we detect or suspect a security incident affecting the Website or its infrastructure, we may analyse the IP address and related log data to identify, prevent, or respond to potential threats. Where necessary, this information may be used in civil or criminal proceedings.

If the GDPR applies due to your location or specific processing circumstances, the legal basis for this activity is our legitimate interest in ensuring the secure, reliable operation of the Website (Article 6(1)(f) GDPR).

In addition to the log data described above, certain location information may be collected through your device or application settings when you use features associated with Vertex Services. You may disable location sharing through your device settings. However, doing so may limit certain functionality, as some location‑based data is necessary for fraud monitoring, risk assessments, and compliance‑related requirements.

11.2. Google Fonts and Google Static

We use Google Fonts and Google Static to ensure our Website loads efficiently and displays correctly across different devices and browsers. These services are provided by:

  • Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland; and
  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

When you visit our Website, your browser may request fonts or static resources (such as stylesheets or scripts) directly from Google's servers. As a result, technical information—such as your IP address and browser details—may be transmitted to Google. In some cases, this may involve transfers of Personal Data to servers located outside the Commonwealth of Dominica, including to the United States.

If the GDPR applies, the legal basis for this processing is our legitimate interest in maintaining a functional, user‑friendly, and technically up‑to‑date Website (Article 6(1)(f) GDPR).

If you prefer that your data is not transmitted for these purposes, you may adjust your browser settings to block the retrieval of external fonts and resources. Doing so may affect the visual presentation or performance of the Website.

12. Your Rights

Although the Commonwealth of Dominica does not currently have a comprehensive data‑protection law establishing formal data‑subject rights, we voluntarily recognise a set of rights aligned with international best‑practice standards. In circumstances where the GDPR applies due to your location or the nature of the processing, these rights may also arise under EU law.

If the relevant legal requirements are met, you may exercise the following rights in relation to your Personal Data:

Right to Rectification

You may request that we correct any Personal Data we hold about you that is inaccurate, incomplete, or outdated.

Right to Erasure

You may ask us to delete your Personal Data where it is no longer required for the purposes for which it was collected, or where we are not legally obliged to retain it.

Right to Data Portability

You may request a copy of the Personal Data you have provided to us in a structured, commonly used, and machine‑readable format, free of charge.

Right to Restrict Processing

You may request that we limit the processing of your Personal Data in certain circumstances, such as where accuracy is contested or processing is unlawful.

Right to Object

You may object at any time to the processing of your Personal Data for specific purposes, including direct marketing.

Right to Withdraw Consent

Where we process your Personal Data based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Right of Access

Subject to applicable laws, you may request access to the Personal Data we hold about you. You may exercise this right by contacting us at info@vertex.com.

Right to Lodge a Complaint

If you believe your Personal Data has been handled improperly, you may lodge a complaint with an appropriate supervisory authority. Where no dedicated authority exists under Dominican law, you may raise your concerns directly with us, and we will address them promptly.

13. Protection of Minors

Vertex Services are not intended for use by individuals under the age of 18 ("Minors"), and we do not knowingly collect Personal Data from Minors. If we become aware that Personal Data has been collected from a Minor, we will take all appropriate and legally permissible steps to remove that information from our records. In such cases, the Minor will be required to close any Vertex Account, and continued use of Vertex Services will not be permitted.

If you are a parent or legal guardian and believe that a Minor has provided Personal Data to Vertex, please contact us at support@bultra.com. We will assist you in exercising any applicable rights and ensure that the Minor's information is removed in accordance with this Privacy Notice.

14. Contact

Any questions, comments, or requests regarding this Privacy Notice are welcome. You may contact us at support@bultra.com for any matter related to the processing of your Personal Data, including the exercise of any rights available to you under applicable laws or the voluntary rights we make available as described in this Notice.