1. Overview & scope
This Policy applies to personal information we process in connection with the Services, whether you access them through our website at victoi.io, the Victoi mobile application on iOS or Android, our application programming interfaces (“APIs”), or any other channel that links to or references this Policy. It does not apply to third-party products, websites, or services that integrate with or are accessed through the Services and are governed by their own privacy policies.
If you are an employee, contractor, job applicant, or vendor representative, our processing of your personal information is described in a separate notice provided to you in that context.
2. Who we are
The data controller responsible for personal information processed under this Policy is Victoi, Inc., a Delaware corporation. For privacy questions, requests, or complaints, contact us at privacy@victoi.com. For other legal notices, contact legal@victoi.com.
Where another Victoi affiliate or partner acts as a controller or joint controller for a specific Service (for example, a regulated payments or banking partner that issues a card, custodies funds, executes a securities transaction, or processes a prediction-market contract), we will identify that party at the point of collection or in the disclosures below and route your request appropriately.
3. Information we collect
The categories of personal information we collect depend on which Services you use and how you interact with us. The categories described below correspond to those defined under the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), and to the categories of personal data recognized under the EU and UK General Data Protection Regulation (“GDPR”).
3.1 Identifiers
Name, date of birth, postal address, email address, telephone number, account username, IP address, device identifiers (such as advertising IDs and installation IDs), Apple ID or Google account identifiers (when used to sign in), and unique customer numbers.
3.2 Government-issued identification & financial identifiers
Passport, national ID, driver’s license, residence permit, or other government-issued document (including identifier numbers, country of issuance, expiration date, and front and back images); tax-identification numbers (for example, U.S. Social Security Number where required); and bank-account, payment-card, and crypto wallet-address information that you add for transfers, deposits, and withdrawals.
3.3 Biometric information & characteristics
Selfies, liveness-check video frames, and the face-template embeddings we generate from your identity document and selfie for the purpose of confirming that the person in front of the camera is the person on the document. See section 8 for details.
3.4 Commercial information & transactions
Records of payments, transfers, deposits, withdrawals, card transactions, securities orders and positions, prediction-market positions, tokenized-asset positions, crypto activity associated with addresses you submit, travel bookings (including passenger details, itinerary, seat and ancillary selections), event tickets, fundraising contributions, Jangi (rotating-savings) contributions and loans, fees, balances, statements, refunds, and disputes.
3.5 Internet, application & network activity
Pages and screens viewed, features used, in-app actions, search queries, session duration, clicks and taps, error and crash logs, performance metrics, push-notification engagement, time-zone, language preference, browser type, operating system, app version, network type, and carrier.
3.6 Geolocation
Approximate location derived from IP address, and, with your permission, more precise location from the device. See section 9.
3.7 Audio, electronic, visual, and similar information
The content of messages, calls, and media you send through the Services (text, photos, videos, documents, voice notes, voice and video call streams), call metadata (participants, time, duration), call-quality metrics, and content you upload to events, fundraisers, surveys, or Jangi groups.
3.8 Professional, employment, or accreditation information
Where required for a specific feature (for example, to confirm investor eligibility, or to verify a business or organizer account), employment, occupation, source-of-funds, source-of-wealth, and accreditation information that you provide.
3.9 Inferences
Inferences we draw from the categories above for fraud detection, service personalization, risk scoring, and product recommendations, including risk and trust signals derived from device, behavior, and transaction patterns.
3.10 Sensitive personal information (CPRA) / special-category data (GDPR)
We process the following categories that are designated “sensitive” under the CPRA or “special-category” data under GDPR:
- government-issued identification numbers (e.g., Social Security Number, passport, driver’s license);
- account log-in credentials in combination with security or access codes;
- precise geolocation (when you grant the permission);
- the contents of messages, calls, and media that are not directed to Victoi;
- biometric information (face embeddings) processed for identity verification, where required by anti-money-laundering and counter-terrorism-financing laws.
We use sensitive personal information only for the purposes described in this Policy and do not use or disclose it to infer characteristics about you. California residents may have the right to limit our use of sensitive personal information; see section 18.
4. Sources of personal information
We collect personal information from the following sources:
- Directly from you, when you create an account, complete identity verification, fund or use the Services, communicate with us, or submit content;
- Automatically from your devices, when you install or open the app or visit our website, including through cookies and similar technologies (see Cookie Policy);
- From other users, when they send you funds, a message, a call, an event invite, a fundraising request, or add you as a beneficiary or contact;
- From service providers and partners, including identity-verification and KYC vendors, payment processors, card issuers, banking partners, exchanges and broker-dealers executing your trades, prediction-market operators, travel-supply aggregators, anti-fraud providers, sanctions and politically-exposed-person screening providers, public registries and government databases, and credit-reference and adverse-media databases;
- From publicly available sources, including business registers, sanctions lists, court records, and public social-media profiles you have made public.
5. How we use information
We use personal information for the following purposes:
5.1 Providing and operating the Services
- creating and maintaining your account and authenticating you;
- opening, funding, and operating wallets, balances, and cards;
- processing peer-to-peer transfers, mobile-money transactions (including via partners such as Orange Money, MTN, Airtel, Vodacom, Wave, M-Pesa, and similar networks), card payments, cash flows, and beneficiary management;
- executing and recording stock orders, prediction-market contracts, tokenized-stock representations, and other investment-related activity;
- enabling crypto-address management for receiving and sending supported assets to addresses you submit;
- searching, booking, modifying, and managing flights, hotels, seats, and ancillaries through our travel partners;
- enabling messaging, voice and video calls, group calls, broadcast lists, file sharing, event creation, ticketing, surveys, fundraising, and Jangi (rotating-savings) circles;
- delivering customer support and responding to your communications.
5.2 Compliance, risk, and fraud prevention
- performing customer due diligence, identity verification, sanctions screening, politically-exposed-person screening, and ongoing monitoring as required by anti-money-laundering, counter-terrorism-financing, and sanctions laws;
- detecting, investigating, and preventing fraud, abuse, money laundering, market manipulation, security incidents, and other illegal or unauthorized activity (including velocity, device, behavioral, IP, and VPN-detection signals);
- enforcing our Terms of Service, Acceptable Use Policy, and other policies;
- complying with court orders, lawful requests, and other legal obligations.
5.3 Personalization & service improvement
- tailoring content, lists, and recommendations within the Services;
- diagnosing technical issues, debugging, and improving features and performance;
- conducting research, analytics, and product development on aggregated or de-identified data.
5.4 Communications
- sending operational and transactional notices (e.g., security alerts, transaction confirmations, statements, dispute updates, KYC requests, policy changes);
- sending marketing communications where permitted, with the ability to opt out;
- responding to your inquiries and supporting your use of the Services.
5.5 Legal claims, audits, and corporate transactions
- establishing, exercising, or defending legal claims;
- complying with regulatory examinations, audits, and reporting obligations;
- evaluating, negotiating, and completing corporate transactions such as financings, mergers, acquisitions, reorganizations, or sales of assets, in which personal information may be one of the assets transferred.
6. Legal bases for processing (EEA and UK)
If you are in the EEA or UK, we rely on the following legal bases under Articles 6 and 9 of the GDPR / UK GDPR:
- Performance of a contract. To provide the Services you have requested, including opening and operating your account, processing transactions, executing trades, completing bookings, and providing support.
- Compliance with a legal obligation. To meet anti-money-laundering, counter-terrorism-financing, sanctions, tax, accounting, payments, securities, consumer-protection, and other regulatory obligations.
- Legitimate interests. To detect and prevent fraud, secure the Services, improve features, conduct research and analytics, communicate with you about the Services, and pursue legal claims, where those interests are not overridden by your rights.
- Consent. Where required by law, including for marketing communications by electronic means in certain jurisdictions, optional cookies and similar technologies, access to your camera, microphone, photo library, contacts, and precise location, and for processing biometric data for identity verification. You may withdraw consent at any time.
- Substantial public interest / preventing crime. For processing sensitive data (including biometric and identity-document data) as part of customer due diligence required by anti-money-laundering and counter-terrorism-financing laws.
7. Identity verification & KYC
To open and operate certain accounts and to comply with applicable laws, we are required to verify your identity. Through our identity-verification pipeline, we collect:
- your full legal name, date of birth, residential address, and tax-identification number;
- a photograph of a government-issued identity document (front, and where applicable back), plus extracted document data such as document number, country of issuance, and expiration date;
- a selfie or short live video, from which we generate face-template embeddings used to compare against the photograph on the identity document;
- screening results against sanctions lists, politically-exposed-person registries, and adverse-media databases;
- for higher-risk activity, source-of-funds and source-of-wealth information, occupation, employer, and supporting documentation.
For full details of what we collect, why, and how long we retain it, see our KYC / AML Policy.
8. Biometric information
We use biometric information solely to verify that the person opening or operating an account is the same person depicted on the identity document submitted, and to deter impersonation and fraud. Biometric processing consists of:
- capture of liveness-check frames or a short video during onboarding;
- generation of mathematical face-template embeddings from your selfie and your identity document;
- comparison of those embeddings to determine match likelihood;
- retention of the match decision, supporting evidence, and underlying images and embeddings for the period required to comply with anti-money-laundering and recordkeeping laws (see section 15).
Where the law in your jurisdiction (for example, Illinois’ BIPA, Texas’ CUBI, or Washington’s biometric statute) requires written notice and consent before collecting biometric identifiers, we provide that notice and obtain your consent at the point of collection. We do not sell biometric identifiers, and we do not use them for any purpose other than identity verification, fraud prevention, and compliance.
Device-level biometric authentication (Face ID, Touch ID, Android biometric prompt) is handled entirely by your device’s operating system. Victoi never receives or stores your device fingerprint, face geometry, or any biometric template used to unlock your device.
9. Location data
With your permission, the Victoi mobile app collects approximate or precise location from your device for purposes such as:
- determining whether a Service is available in your jurisdiction;
- detecting suspicious account activity, impossible-travel patterns, and account-takeover attempts;
- presenting nearby content (for example, in travel search);
- complying with sanctions and other geographic restrictions.
We may collect location even when the app is not in use, where you grant background-location permission, in order to support security signals tied to ongoing activity (for example, tap-to-pay sessions or active calls). You can change location permissions in your device settings at any time.
10. Contacts & address book
With your permission, the app reads your device contacts so that you can quickly find friends and family already on Victoi, add beneficiaries for transfers, and start chats or calls. We process contacts to:
- match phone numbers and email addresses to existing Victoi accounts;
- let you select recipients for transfers, messages, calls, group invites, or surveys;
- maintain your saved beneficiary list.
We do not use your contacts to send marketing messages to people who are not Victoi users without their consent. You can withdraw contacts permission in your device settings; if you do, contact-discovery features will stop working.
11. Messages, calls & user content
The Services include messaging, voice and video calls (one-to-one and group), broadcast lists, file sharing, surveys, fundraising posts, and Jangi-group activity. We process the content and metadata of those communications to deliver them, store them for your access, support media playback and call setup (including via our calling provider, LiveKit), enforce our policies, respond to lawful requests, and improve reliability.
We do not use the content of your private messages, calls, or files for advertising. Where we offer end-to-end encryption for specific surfaces, we describe that in the Service itself.
12. How we share information
We share personal information with:
- Other users — when you send or receive a transfer, a message, a call, an event ticket, a Jangi contribution, or other interaction, the relevant counterparty receives information necessary to complete that interaction (for example, your name, username, transaction details, and message content).
- Service providers and processors — vendors who process information on our behalf for hosting, identity verification, KYC, sanctions screening, fraud prevention, card issuing and processing, payment processing, banking and treasury, securities and prediction-market execution and clearing, market data, travel supply, messaging, calling, push notifications, analytics, crash reporting, customer support, and email/SMS delivery (see section 13).
- Banking, payments, and trading partners — including card issuers, processors, acquirers, ACH and SWIFT counterparties, mobile-money operators, prediction-market venues, broker-dealers, exchanges, custodians, and travel suppliers, as needed to complete the transaction or service you have requested.
- Professional advisers — auditors, lawyers, accountants, consultants, and insurers acting under duties of confidentiality.
- Government, regulatory, and law-enforcement authorities — where required to comply with applicable law, court order, or valid legal process, or to protect our rights, the rights of our users, or public safety.
- Acquirers, financers, and successors — in connection with a financing, merger, acquisition, reorganization, sale of assets, bankruptcy, or similar transaction or proceeding, subject to confidentiality obligations.
- With your direction or consent — with anyone else when you direct us to share or post information.
13. Service providers (illustrative list)
The following categories of service providers process personal information on our behalf. The list is illustrative and may change; we keep an internal sub-processor list and will provide it on request to enterprise or regulated counterparties.
| Category | Examples |
|---|---|
| Identity verification & KYC orchestration | Bridge (compliance & KYC orchestration); document-scanning and on-device ML face-detection libraries |
| Card issuing & payment processing | Stripe (card processing & tokenization); regulated card-issuing partners; ACH and SWIFT counterparties |
| Mobile money & payment networks | Onafriq, Orange Money, MTN, Airtel, Vodacom, Wave, M-Pesa, Telebirr, EcoCash, and similar regional operators |
| Trading, market data & prediction markets | Polygon.io (market data); broker-dealers, custodians, and prediction-market venues that execute and clear your orders |
| Travel supply | Duffel (flight and hotel aggregation and ticketing) |
| Calling & communications | LiveKit (real-time voice and video); Firebase Cloud Messaging and Apple Push Notification service (push); Twilio (SMS & calling), email-delivery providers |
| Analytics, logging & crash reporting | Sentry (error and crash reporting, with PII scrubbing) |
| Authentication & sign-in | Apple Sign-In; Google Sign-In; Firebase Authentication |
| Cloud infrastructure & storage | Hosting providers, content-delivery networks, secrets-management and database services |
| Customer support & ticketing | Help-desk and ticketing platforms used by our support team |
14. International data transfers
Victoi is headquartered in the United States, and personal information we process may be transferred to, stored in, and processed in the United States and in other countries where we or our service providers operate. Privacy laws in those countries may differ from those in your country.
Where we transfer personal information from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), supplementary measures where necessary, and, where lawful, your explicit consent or the necessity of the transfer for the performance of your contract with us. You may request a copy of the safeguards we have put in place by contacting us.
15. Data retention
We retain personal information for as long as needed to provide the Services and for legitimate business or legal purposes. The exact retention period depends on the type of information and the legal obligations that apply:
- Account, profile, and contact data — for as long as your account is open, plus a reasonable period afterwards for legal, accounting, audit, dispute-resolution, and security purposes.
- KYC, identity-verification, and AML records — typically retained for at least five (5) years after the end of the customer relationship or the completion of an occasional transaction, in accordance with applicable anti-money-laundering and counter-terrorism-financing recordkeeping requirements (longer where local law requires, for example seven (7) years in certain jurisdictions, or where ordered by a regulator or court).
- Transaction records — payments, transfers, card activity, securities orders, prediction-market positions, tokenized-asset positions, travel bookings, Jangi contributions, fundraising donations, event tickets, and related records are retained for at least the period required by financial-recordkeeping, tax, and consumer-protection laws (typically five (5) to seven (7) years from the date of the transaction).
- Communications — messages, calls, and content you send through the Services are retained until you (or, where applicable, your counterparty) delete them, or until your account is closed, subject to legal-hold and law-enforcement-request obligations.
- Server and security logs, fraud signals, and device telemetry — generally retained for up to twenty-four (24) months, longer where needed for security or legal investigation.
- Marketing preferences and opt-out records — retained indefinitely so that we can honor your preferences.
When we no longer have a legitimate need to process personal information, we delete or anonymize it, or, where deletion is not possible (for example, because the information is stored in backups), we securely store it and isolate it from any further processing until deletion is possible.
16. Security
We maintain technical, organizational, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These include encryption in transit and at rest, access controls and least-privilege access, secure software development practices, secure storage of credentials in your device’s secure-enclave or keystore, hardware-based key management, network segmentation, vulnerability management, logging and monitoring, employee training, and incident-response planning. No security program, however, is perfect, and we cannot guarantee absolute security. You are responsible for keeping your account credentials and devices secure.
17. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict our processing of your personal information, to opt out of certain disclosures, and to lodge a complaint with a supervisory authority. The sections below describe rights specific to U.S. state residents and to EEA / UK residents. To submit a request, email privacy@victoi.com from the email address associated with your Victoi account, or use the in-app privacy controls where available. We will verify your identity using the information already in our records before fulfilling a request.
We will not discriminate or retaliate against you for exercising any of your privacy rights. You may use an authorized agent to submit a request on your behalf, subject to verification.
18. Notice for U.S. state residents
18.1 California (CCPA / CPRA)
If you are a California resident, you have the following rights, subject to verification and applicable exceptions:
- Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties to whom we disclosed it;
- Right to delete personal information we have collected from you, subject to exceptions including those for completing transactions, complying with legal obligations, detecting fraud, and protecting our security;
- Right to correct inaccurate personal information;
- Right to opt out of sale or sharing of personal information. We do not sell personal information for monetary consideration. We may “share” personal information with advertising and analytics partners as that term is defined under the CPRA (cross-context behavioral advertising); you can opt out by adjusting cookie preferences (see our Cookie Policy) and by sending Global Privacy Control signals, which we honor;
- Right to limit use of sensitive personal information, except where the use is necessary to provide the Services, comply with the law, prevent fraud or security incidents, or as otherwise permitted by the CPRA;
- Right to non-discrimination for exercising your rights;
- Right to opt out of automated decision-making in the limited circumstances described in section 22.
Categories of personal information collected, sold, shared, and disclosed for a business purpose in the preceding twelve (12) months are summarized in section 3 and section 12. We do not knowingly sell or share the personal information of California residents under sixteen (16) years of age.
18.2 Other U.S. states
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Florida, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, Kentucky, and other states with comprehensive privacy laws have analogous rights, which may include rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale of personal information, and certain types of profiling. To exercise these rights, contact privacy@victoi.com.
18.3 Appeals
If we deny your request, you may appeal by replying to our denial or contacting privacy@victoi.com with the subject line “Privacy Appeal.” If your appeal is denied, you may contact your state attorney general.
19. EEA and UK rights (GDPR)
If you are in the EEA or UK, you have the following rights under the GDPR / UK GDPR:
- access to your personal data and a copy of it;
- rectification of inaccurate or incomplete data;
- erasure (the “right to be forgotten”), subject to legal exceptions;
- restriction of processing in certain circumstances;
- data portability for data you provided to us and that we process by automated means;
- objection to processing based on legitimate interests, including profiling;
- objection to direct marketing (including profiling for direct marketing) at any time;
- not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, except as permitted by law (see section 22);
- withdrawal of consent at any time, where we rely on consent;
- to lodge a complaint with your local data-protection supervisory authority, including the UK Information Commissioner’s Office, the Irish Data Protection Commission, or another EEA authority of your habitual residence, place of work, or place of the alleged infringement.
20. Children
The Services are not directed to children, and we do not knowingly collect personal information from anyone under the age of 18 (or the higher minimum age required in your jurisdiction). If we learn that we have collected personal information from a child without verified parental or guardian consent where required, we will delete it. If you believe a child has provided us with personal information, contact privacy@victoi.com.
21. Marketing & preferences
Where permitted by law, we may send you marketing communications about Victoi products, promotions, and announcements by email, push notification, or SMS. You can opt out at any time by:
- using the unsubscribe link in any marketing email;
- replying STOP to any marketing SMS;
- turning off marketing notifications in the app under Settings › Notifications;
- contacting privacy@victoi.com.
We will continue to send you transactional and operational notices that are necessary to provide the Services (for example, security alerts, transaction confirmations, statements, KYC requests, and policy updates), and you cannot opt out of those.
22. Automated decision-making & profiling
We use automated processing, including profiling, in connection with identity verification, sanctions screening, transaction-monitoring, fraud and risk scoring, and eligibility determinations. In some cases, that processing may produce a legal or similarly significant effect on you (for example, declining to open an account, blocking a transaction, suspending an account, or limiting features).
Where required by law, we will inform you of the automated decision, the logic involved, and the significance and likely consequences, and you may request human review, express your point of view, and contest the decision by contacting privacy@victoi.com.
23. Cookies & similar technologies
Our website and certain Services use cookies, software development kits, pixels, mobile identifiers, and similar technologies. Detailed information about the categories of cookies we use, their purposes, and how to manage your preferences is set out in our Cookie Policy.
24. Third-party links and integrations
The Services may include links to third-party websites, apps, or services, and may embed third-party content. We are not responsible for the privacy practices of those third parties, and your use of them is governed by their own terms and privacy policies. Crypto wallets, public-blockchain networks, and on-chain explorers are operated by third parties (or no party at all) and are public by design; once you broadcast a transaction or share an address, the associated information may be permanent and visible to anyone.
25. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will notify you through the Services or by other means before the change becomes effective, where required by law. The “Last updated” date at the top indicates when the Policy was last revised. Your continued use of the Services after the effective date constitutes your acceptance of the updated Policy.
26. Contact us
For questions or to exercise your privacy rights, contact privacy@victoi.com. For other legal notices, contact legal@victoi.com.