02 / Global Legal Layer
Global Privacy Policy
Important Notice
Goat Finance operates as a multilateral organization through separate legal entities, shared policies, shared systems, shared operational resources, shared compliance functions and global governance standards.
Goat Finance is not a single legal entity. The Goat Finance entity responsible for your personal data may depend on the onboarding phase, product, service, contracting entity, jurisdiction, partner framework, service route and the specific purpose for which the data is processed.
This Global Privacy Policy explains, at a general level, how Goat Finance collects, uses, verifies, shares, transfers, stores, protects and otherwise processes personal data across its multilateral organization.
This Global Privacy Policy must be read together with:
the applicable Phase 1 Privacy Notice;
the applicable entity Privacy Notice;
any product-specific privacy notice or service-specific privacy disclosure;
any partner-related privacy or data-sharing disclosure;
any privacy information presented during onboarding, product activation, transaction processing or customer communications.
This Global Privacy Policy is the general privacy framework. It does not replace the specific privacy notices or disclosures that may apply to a particular onboarding phase, Goat Finance entity, product, service, jurisdiction or partner-supported route.
1. Who We Are
For the purposes of this Global Privacy Policy, “Goat Finance”, “we”, “us” or “our” means the Goat Finance multilateral organization and, where applicable, the specific Goat Finance legal entity responsible for the relevant processing activity.
The current principal operating entities are:
Goat Finance SAGL, Switzerland; and
Goat Finance LLC, United States.
Additional Goat Finance entities may be added to the organization from time to time.
The relevant controller will be identified in the applicable privacy notice, onboarding flow, entity terms, product terms, handoff notice, customer profile, transaction confirmation or other communication provided to you.
2. How This Policy Works
This Global Privacy Policy provides the general privacy framework for Goat Finance.
It explains:
how Goat Finance is organized from a privacy perspective;
how Phase 1 and Phase 2 onboarding work;
how data controllers are allocated;
how personal data is handed over from one controller to another;
what categories of personal data Goat Finance may process;
why Goat Finance may process personal data;
how Goat Finance may share personal data internally;
how Goat Finance may share personal data with providers, partners and authorities;
how Goat Finance uses shared resources while preserving entity-level responsibility;
how international transfers may occur;
how long personal data may be retained;
what privacy rights may apply;
how Goat Finance manages jurisdiction-aware website and onboarding controls;
how to contact Goat Finance about privacy matters.
3. Goat Finance’s Privacy Governance Model
Goat Finance applies a layered privacy governance model.
At a high level:
Global Privacy Policy explains the organization-wide privacy framework.
Phase 1 Privacy Notices explain the pre-onboarding, eligibility and routing process.
Entity Privacy Notices explain how a specific Goat Finance entity processes personal data when it becomes responsible for Phase 2 onboarding, service provision or customer relationship management.
Product-specific privacy notices or service-specific disclosures explain how personal data is used or shared for a specific product, service, partner-supported feature or transaction route.
Partner disclosures explain partner-specific processing or data-sharing requirements where applicable.
Goat Finance maintains internal controls designed to support appropriate controller allocation, need-to-know access, privacy notice delivery, data sharing, international transfer assessment, retention, recordkeeping and controller handoff between onboarding phases.
4. Phase-Based Privacy Model
Goat Finance uses a phase-based onboarding and privacy model.
4.1 Phase 1 — Pre-Onboarding, Eligibility, Screening and Routing
Phase 1 is the global pre-onboarding, initial screening, eligibility assessment, KYC initiation and routing phase.
Unless otherwise stated in the applicable Phase 1 Privacy Notice, Goat Finance SAGL acts as the controller for Phase 1 processing.
During Phase 1, Goat Finance may process personal data to:
receive your initial request;
identify you or your business;
understand the product or service you are requesting;
perform initial sanctions, jurisdiction, industry, occupation and risk screening;
assess whether you fall within Goat Finance’s risk appetite and eligibility criteria;
determine whether any Goat Finance entity may provide the requested product or service;
determine the relevant contracting entity, service route or partner-supported route;
determine whether additional documents, enhanced due diligence or partner review may be required;
prepare the handoff to the relevant Phase 2 controller.
Completion of Phase 1 does not create a customer relationship, account, right to transact or entitlement to any Goat Finance product or service.
4.2 Phase 2 — Product-Specific Onboarding and Service Delivery
Phase 2 begins when you are routed to the relevant Goat Finance entity for product-specific onboarding, service activation, transaction review, customer relationship management or partner-supported processing.
The Phase 2 controller will generally be the Goat Finance entity that contracts with you, provides the relevant service, arranges the relevant product route or determines the purposes and essential means of the relevant processing.
The applicable Phase 2 controller will be communicated to you before service activation, transaction execution, account opening or partner-supported product activation.
Phase 2 processing may include:
product-specific KYC/KYB;
customer due diligence;
enhanced due diligence;
source of funds and source of wealth review;
sanctions, PEP and adverse media screening;
fraud prevention;
transaction monitoring;
wallet and blockchain analytics screening;
payment, banking or settlement review;
partner onboarding or partner approval;
account, product or service activation;
customer support;
complaints handling;
recordkeeping;
audit;
legal, regulatory, tax, compliance and reporting obligations.
5. Controller Allocation
The controller of your personal data depends on the processing phase, entity, product, service, route and purpose.
At a general level:
| Processing Activity / Route | General Controller |
|---|---|
| Phase 1 global pre-onboarding, eligibility, screening and routing | Goat Finance SAGL |
| Phase 2 routed to Goat Finance SAGL | Goat Finance SAGL |
| Phase 2 routed to Goat Finance LLC | Goat Finance LLC |
| Multi-product or dual-entity scenario | Controller determined per product and per entity |
| Partner-supported service | Relevant Goat Finance entity and partner role as described in the applicable product notice, disclosure or partner documentation |
A Goat Finance entity is not automatically a controller merely because it belongs to the Goat Finance organization, employs a person involved in the process, pays for a tool, hosts a system, provides technical support or has technical access to personal data.
Controller allocation is determined based on the actual purposes and essential means of the processing.
Where two or more entities jointly determine the purposes and essential means of a specific processing activity, those entities may act as joint controllers. Where this applies, the essence of the joint controller arrangement will be made available in the applicable privacy notice or disclosure.
6. Handoff Between Controllers
Where a case moves from Phase 1 to Phase 2, Goat Finance may transfer or make available relevant personal data from the Phase 1 controller to the Phase 2 controller.
This handoff may include:
identity and contact information;
onboarding form responses;
jurisdictional information;
product or service request information;
KYC/KYB information already collected;
screening results;
risk classification;
documents uploaded during Phase 1;
eligibility assessment results;
routing decision;
notes necessary to continue onboarding;
records of notices, terms or disclosures shown during Phase 1.
Before or during Phase 2, the relevant Phase 2 controller will provide or make available the applicable entity Privacy Notice and, where relevant, product-specific privacy or partner data-sharing disclosures.
The Phase 2 controller may request additional personal data, documents or confirmations beyond those collected during Phase 1.
7. Jurisdiction-Aware Website and Onboarding Controls
Goat Finance may process limited technical, location, declared-jurisdiction and website-interaction data to implement jurisdiction-aware website, onboarding and product-information controls.
This may include:
IP address;
approximate location derived from IP address;
browser language or locale;
country selected or declared by you;
country of residence;
country of incorporation;
product-interest selection;
product pages viewed;
legal notices, warnings or pop-ups shown to you;
timestamps and version records;
device and user agent information;
whether you acknowledged a jurisdictional notice;
onboarding route and eligibility outcome.
Goat Finance may use this information to:
avoid displaying product information that may not be appropriate for your jurisdiction;
comply with financial promotion, reverse solicitation, marketing, licensing, regulatory perimeter and product-availability controls;
determine whether you should be directed to a general information page, an eligibility assessment, a specific Goat Finance entity, a restricted flow or a blocked flow;
keep evidence of the notices, product information and legal documents shown to you;
support legal, compliance, audit and risk management controls.
This processing is designed to support Goat Finance’s compliance framework and does not, by itself, determine whether you are eligible for any product or service.
8. Personal Data We May Collect
Depending on your interaction with Goat Finance, we may collect the following categories of personal data.
8.1 Identity and Contact Data
This may include:
full name;
date of birth;
place of birth;
nationality;
country of residence;
residential address;
email address;
telephone number;
identity document details;
tax identification information;
government identification numbers;
signature;
selfie, liveness check or biometric verification data where required by the onboarding process.
8.2 Business and KYB Data
For legal entities, this may include:
company name;
registration number;
registered office;
principal place of business;
company formation documents;
constitutional documents;
ownership structure;
shareholder information;
beneficial ownership information;
directors, officers, signatories and authorized representatives;
business model;
industry and occupation information;
licenses and registrations;
tax status;
financial statements;
invoices, contracts or business evidence.
8.3 Financial, Wallet and Transaction Data
This may include:
bank account details;
payment account details;
wallet addresses;
blockchain transaction data;
source of funds;
source of wealth;
income, revenue or asset information;
expected transaction volume;
transaction history;
payment references;
settlement information;
transaction purpose;
counterparty information;
invoices, contracts or supporting documents.
8.4 Compliance, Risk and Screening Data
This may include:
sanctions screening results;
politically exposed person screening results;
adverse media screening results;
fraud risk indicators;
transaction monitoring alerts;
blockchain analytics results;
wallet risk scores;
jurisdictional risk assessment;
industry or occupation risk assessment;
internal risk rating;
enhanced due diligence information;
compliance notes;
regulatory, partner or law enforcement correspondence, where applicable.
8.5 Technical, Device, Website and Usage Data
This may include:
IP address;
device identifiers;
browser type;
operating system;
login data;
cookies and similar technologies;
user agent;
session data;
platform activity;
website page views;
product page interactions;
security logs;
access logs;
communication metadata.
8.6 Communications and Relationship Data
This may include:
emails;
support requests;
chat messages;
platform messages;
forms submitted by you;
call notes;
meeting notes;
transaction instructions;
complaints;
customer support records;
records of terms accepted;
records of privacy notices, disclosures or warnings shown or acknowledged.
9. Sources of Personal Data
We may collect personal data from:
you directly;
your authorized representative;
your employer or company;
beneficial owners, directors, officers, controllers, shareholders or business representatives;
onboarding forms;
KYC/KYB providers;
identity verification providers;
sanctions screening providers;
politically exposed person and adverse media providers;
blockchain analytics providers;
fraud prevention providers;
payment providers;
banking partners;
liquidity providers;
settlement providers;
partner-supported service providers;
public registries;
company registries;
public websites and databases;
government, regulatory, court or law enforcement sources;
business partners, introducers or referral sources;
internal Goat Finance systems, records and shared operational resources.
10. Why We Process Personal Data
Goat Finance may process personal data for the purposes described below.
10.1 Onboarding, Eligibility and Routing
We may process personal data to:
receive your application or request;
verify your identity or business;
assess eligibility;
determine whether Goat Finance can support the requested product or service;
determine the applicable contracting entity;
determine the applicable controller;
determine the applicable partner route;
assess jurisdictional, product, customer, industry, occupation and risk eligibility;
conduct Phase 1 to Phase 2 handoff;
provide the appropriate terms, privacy notices and disclosures.
10.2 Compliance, KYC, KYB, AML/CFT and Sanctions
We may process personal data to:
comply with anti-money laundering requirements;
comply with counter-terrorist financing requirements;
comply with sanctions, asset-freezing and restricted-party controls;
verify identity and beneficial ownership;
understand source of funds and source of wealth;
conduct PEP and adverse media screening;
monitor transactions;
investigate alerts;
detect suspicious activity;
respond to regulator, bank, partner, court or law enforcement requests;
maintain compliance records.
10.3 Product and Service Provision
We may process personal data to:
provide requested and approved products or services;
process transaction instructions;
execute or settle approved transactions;
support payment or settlement flows;
support partner-enabled service routes;
provide platform or portal access;
communicate with you;
provide customer support;
manage disputes, complaints or investigations;
manage service status.
10.4 Risk, Fraud and Security
We may process personal data to:
detect fraud;
prevent unauthorized access;
protect accounts and systems;
investigate suspicious activity;
monitor wallets and counterparties;
identify transaction anomalies;
prevent misuse of Goat Finance services;
protect Goat Finance, customers, partners and the financial system;
maintain cybersecurity and operational resilience.
10.5 Website, Jurisdiction and Reverse-Solicitation Controls
We may process personal data to:
identify your approximate location or declared jurisdiction;
apply jurisdiction-aware content controls;
avoid showing product content where it may not be appropriate;
manage financial promotion, reverse solicitation, licensing and product-availability controls;
record which notices, warnings, pop-ups, terms or disclosures were shown to you;
support legal, compliance, audit and risk evidence.
10.6 Legal, Regulatory, Audit and Governance
We may process personal data to:
comply with applicable laws and regulations;
comply with court orders, regulator requests or law enforcement requests;
maintain records;
conduct audits;
manage internal governance;
comply with contractual obligations;
manage legal claims;
enforce terms, policies and controls;
implement global governance, routing, access, transfer and privacy control frameworks.
10.7 Communications and Relationship Management
We may process personal data to:
respond to inquiries;
send service notices;
send legal, privacy or policy updates;
provide transaction confirmations;
manage customer relationships;
conduct customer support;
handle complaints.
10.8 Marketing
Where permitted by applicable law, we may process limited personal data to send marketing, product updates, educational materials or commercial communications.
Where consent is required, we will request consent separately.
You may opt out of marketing communications where required or permitted by applicable law.
Goat Finance may restrict or suppress marketing or product communications in certain jurisdictions to support compliance with applicable financial promotion, reverse solicitation, licensing or product-availability controls.
11. Legal Bases and Lawful Grounds
The legal basis or lawful ground for processing depends on the jurisdiction, processing activity and applicable law.
Where EU GDPR or UK GDPR applies, we may rely on one or more of the following legal bases:
performance of a contract;
steps taken before entering into a contract;
compliance with legal obligations;
legitimate interests;
consent, where required;
substantial public interest or other applicable grounds for sensitive data, where relevant;
establishment, exercise or defense of legal claims.
Where Swiss data protection law applies, we process personal data in accordance with applicable Swiss privacy principles, including transparency, proportionality, purpose limitation, security, accuracy and lawful disclosure requirements.
Where U.S. privacy laws apply, we process personal information for the purposes disclosed in this Global Privacy Policy, the applicable entity Privacy Notice, any U.S. privacy notice or module, and any product-specific notice or service-specific disclosure.
Where we rely on consent for optional processing, consent will be requested separately and may be withdrawn according to the process described in the applicable notice.
We do not rely on blanket mandatory consent where processing is necessary for onboarding, eligibility, compliance screening, AML/CFT controls, sanctions screening, service provision, transaction monitoring, fraud prevention, legal obligations, legitimate operational purposes, jurisdiction-aware website controls or risk management.
12. Special Category Data, Sensitive Data and Criminal-Offence Related Data
Goat Finance does not intentionally seek to collect sensitive or special category data unless it is necessary, permitted or required for identity verification, onboarding, KYC/KYB, AML/CFT, sanctions screening, fraud prevention, regulatory compliance, legal claims, security or product-specific requirements.
Depending on the jurisdiction, this may include:
biometric data used for identity verification, selfie checks or liveness checks;
politically exposed person information;
adverse media information;
criminal-offence related information or allegations;
sanctions-related information;
sensitive personal information under applicable U.S. privacy laws.
Where EU GDPR or UK GDPR applies, Goat Finance processes special category data or criminal-offence related data only where an applicable legal basis and condition permit such processing.
Where Swiss law applies, Goat Finance processes sensitive personal data only where permitted and subject to appropriate safeguards.
Where U.S. privacy laws apply, Goat Finance does not use sensitive personal information to infer characteristics unless stated in a specific notice and permitted by applicable law.
13. How We Share Personal Data Within Goat Finance
Goat Finance operates through separate entities, shared systems, shared personnel, shared compliance functions, shared technology and shared operational resources.
Goat Finance may share personal data within its multilateral organization where necessary for:
onboarding;
eligibility assessment;
routing;
Phase 1 to Phase 2 handoff;
customer due diligence;
enhanced due diligence;
sanctions screening;
transaction monitoring;
fraud prevention;
customer support;
technology operations;
security;
payment or settlement support;
CRM;
audit;
reporting;
legal and regulatory compliance;
governance;
service administration;
recordkeeping;
internal controls.
Personal data is not made available to all Goat Finance entities by default.
Access is granted on a need-to-know basis, taking into account:
the relevant product or service;
the relevant Goat Finance entity;
the relevant processing phase;
the role of the person requesting access;
the purpose of access;
case assignment;
applicable law;
transfer requirements;
security controls;
the applicable access matrix or equivalent internal control.
The use of shared resources does not automatically change controller status.
14. How We Share Personal Data With Third Parties
We may share personal data with third parties where necessary or permitted for the purposes described in this Global Privacy Policy, the applicable entity Privacy Notice, product-specific privacy notice, partner disclosure or service-specific data-sharing section.
Third parties may include:
KYC/KYB providers;
identity verification providers;
sanctions screening providers;
PEP and adverse media providers;
blockchain analytics providers;
fraud prevention providers;
banks;
payment providers;
settlement providers;
e-money institutions;
liquidity providers;
exchanges or execution providers;
custodians or custody-connected providers, where applicable;
technology providers;
cloud providers;
CRM providers;
communication providers;
customer support tools;
professional advisers;
auditors;
insurers;
regulators;
law enforcement authorities;
courts;
tax authorities;
government authorities;
business partners, introducers or referral sources;
commercial partner, where the commercial partner-supported route applies;
other partners or service providers required to provide, review, approve, monitor or support the relevant product or service.
We may also share personal data where necessary to:
comply with legal obligations;
respond to lawful requests;
enforce our terms;
protect Goat Finance’s rights;
investigate fraud or misconduct;
prevent financial crime;
protect customers, partners and the public;
support audits, examinations or regulatory reviews;
complete a corporate transaction, restructuring, merger, acquisition, sale, financing or transfer of business assets, where legally permitted.
Product-specific privacy notices or service-specific data-sharing disclosures will describe partner-specific sharing where required or appropriate.
15. Partner-Supported Services
Some Goat Finance services may be supported by banking, payment, settlement, liquidity, infrastructure, compliance, KYC/KYB, blockchain analytics, technology or other partners.
Where a partner-supported service applies, Goat Finance may share personal data with the relevant partner and its service providers where necessary to:
review eligibility;
conduct onboarding;
verify identity or business information;
conduct due diligence;
conduct sanctions, fraud, AML/CFT or risk review;
open, support or administer the relevant product or service;
process payments, settlements or transactions;
monitor transactions;
manage partner risk;
respond to partner, regulator, court or law enforcement requests;
suspend, restrict or terminate the service.
Partner-supported services may involve partners acting as processors, independent controllers, joint controllers or regulated providers, depending on the facts and the applicable partner framework.
The applicable product-specific privacy notice, partner disclosure or service-specific data-sharing section will provide additional information where relevant.
16. International Transfers
Goat Finance operates internationally. Your personal data may be processed in, accessed from or transferred to countries other than the country where you are located.
International transfers may occur because:
Goat Finance entities are located in different countries;
shared personnel or global roles may support operations from different locations;
vendors and service providers may operate internationally;
cloud, CRM, communication, KYC/KYB, blockchain analytics, payment, banking, partner and compliance systems may involve cross-border access;
applicable partners or providers may be located outside your jurisdiction.
Where required by applicable law, Goat Finance will use appropriate safeguards for international transfers.
These may include:
adequacy decisions;
standard contractual clauses;
UK international transfer mechanisms;
Swiss-recognized transfer safeguards;
contractual safeguards;
technical and organizational measures;
access restrictions;
minimization;
encryption;
pseudonymization;
transfer assessments;
other lawful mechanisms.
Where a specific transfer route applies to your product, onboarding route, partner-supported service or contracting entity, additional information may be provided in the applicable entity Privacy Notice, product-specific privacy notice or service-specific disclosure.
17. Retention
Goat Finance retains personal data for as long as necessary for the purposes described in this Global Privacy Policy, the applicable privacy notice or as required or permitted by law, regulation, contractual obligation, audit requirement, dispute resolution, AML/CFT recordkeeping, tax, accounting, security, partner requirement or compliance obligation.
Retention periods may vary depending on:
the type of personal data;
the product or service;
the relevant Goat Finance entity;
the relevant jurisdiction;
whether you become a customer;
whether your application is rejected, declined or incomplete;
AML/CFT and sanctions obligations;
legal limitation periods;
regulatory expectations;
partner requirements;
audit and governance requirements;
whether there is an ongoing dispute, investigation, review, legal hold or regulatory inquiry.
Unless a shorter or longer period applies under applicable law or a specific retention notice, onboarding, customer due diligence and transaction records may generally be retained for up to 10 years after the end of the relationship or the relevant decision, subject to applicable legal requirements and documented exceptions.
Where your application does not proceed to Phase 2, the relevant Phase 1 controller may retain your data in accordance with the applicable retention period for rejected, incomplete or declined applications.
18. Security
Goat Finance uses technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, disclosure or destruction.
These measures may include:
access controls;
role-based permissions;
system-level restrictions;
need-to-know access;
authentication controls;
logging and monitoring;
encryption where appropriate;
segregation of data where appropriate;
vendor due diligence;
internal governance controls;
incident escalation procedures;
audit and review controls;
transfer controls;
data minimization controls;
secure document handling procedures.
No system or method of transmission is completely secure. Goat Finance cannot guarantee absolute security, but it takes reasonable steps designed to protect personal data according to the nature of the data and the processing activity.
19. Automated Screening, Profiling and Risk Assessment
Goat Finance may use automated or semi-automated tools to support:
onboarding;
identity verification;
document verification;
liveness checks;
sanctions screening;
PEP screening;
adverse media screening;
fraud prevention;
transaction monitoring;
blockchain analytics;
wallet screening;
risk scoring;
eligibility assessment;
routing;
jurisdiction-aware website controls;
product-availability controls.
These tools may help identify:
identity verification issues;
sanctions exposure;
prohibited jurisdictions;
prohibited industries;
prohibited occupations;
wallet risk;
transaction risk;
fraud indicators;
adverse media;
inconsistencies in onboarding information;
product route mismatches;
jurisdictional restrictions.
Decisions may be reviewed by authorized personnel where required or appropriate.
Where applicable law gives you rights regarding automated decision-making or profiling, those rights will be described in the relevant entity Privacy Notice, product-specific privacy notice or jurisdiction-specific notice.
20. Your Privacy Rights
Depending on your jurisdiction and applicable law, you may have rights in relation to your personal data.
These may include:
the right to access personal data;
the right to receive information about processing;
the right to correct inaccurate personal data;
the right to request deletion;
the right to restrict processing;
the right to object to processing;
the right to data portability;
the right to withdraw consent where processing is based on consent;
the right to lodge a complaint with a supervisory authority;
the right to appeal or challenge certain decisions, where applicable;
the right to opt out of certain uses, where applicable under U.S. state privacy law;
the right not to be discriminated against for exercising applicable privacy rights.
These rights may be subject to limitations, including where processing is required or permitted for AML/CFT, sanctions, fraud prevention, regulatory compliance, legal claims, recordkeeping, security, tax, audit, partner requirements, transaction monitoring or other lawful purposes.
To exercise your rights, contact:
We may need to verify your identity before responding to your request.
The applicable entity Privacy Notice may provide additional entity-specific or jurisdiction-specific rights information and contact details.
21. U.S. Privacy Framework
Where U.S. privacy laws apply, Goat Finance may process personal information for the purposes disclosed in this Global Privacy Policy, the applicable entity Privacy Notice, any product-specific privacy notice and any notice at collection.
Depending on the applicable U.S. state law, personal information may include:
identifiers;
contact information;
government identification information;
financial information;
commercial information;
internet or network activity information;
approximate geolocation information;
professional or employment information;
business representative information;
sensitive personal information where required for compliance, identity verification, sanctions screening, security, legal obligations or service provision;
inferences used for risk, fraud or eligibility assessment;
communications and support information.
Goat Finance does not sell personal information for money.
Unless a specific notice states otherwise, Goat Finance does not share personal information for cross-context behavioral advertising as those terms may be defined under applicable U.S. state privacy laws.
Where applicable, U.S. residents may have rights to know, access, delete, correct, obtain a portable copy, opt out, limit certain uses of sensitive personal information, appeal a privacy rights decision and not be discriminated against for exercising applicable privacy rights.
Additional U.S.-specific disclosures may be provided in the applicable entity Privacy Notice or notice at collection.
22. Cookies and Similar Technologies
Goat Finance may use cookies, pixels, tags, analytics tools and similar technologies on its website, platform and communications.
These technologies may be used for:
website functionality;
security;
authentication;
analytics;
user experience;
fraud prevention;
preference management;
compliance;
jurisdiction-aware content controls;
product-availability controls;
marketing, where permitted.
Further information is available in the Goat Finance Cookie Policy
23. Children
Goat Finance services are not intended for children.
Goat Finance does not knowingly provide financial services to minors.
If you believe that a child has provided personal data to Goat Finance, please contact:
24. Notice Delivery and Evidence
Goat Finance may record evidence that privacy notices, product notices, service disclosures, partner disclosures, pop-ups or jurisdictional warnings were made available to you.
This may include:
document name;
document version;
date and time;
user ID;
customer ID;
IP address;
user agent;
country detected;
country declared;
onboarding route;
product route;
notice text shown;
acknowledgement records;
session information;
communication channel.
This information may be used for legal, compliance, audit, risk, dispute-resolution, regulatory and recordkeeping purposes.
25. Updates to This Global Privacy Policy
Goat Finance may update this Global Privacy Policy from time to time.
Updates may be made to reflect:
changes in law;
regulatory requirements;
new products or services;
changes in Goat Finance’s structure;
new entities;
changes in partners or vendors;
changes in systems;
operational changes;
security or compliance requirements;
updates to onboarding, routing or privacy governance controls.
The updated version will be published on https://goatfinance.io and will indicate the effective date.
Where required by law, Goat Finance will provide additional notice of material changes.
26. Contact
For privacy questions, requests or complaints, contact:
Goat Finance Privacy Contact
Email: [email protected]
Where applicable, the relevant entity Privacy Notice may identify additional entity-specific, jurisdiction-specific, representative, supervisory authority or complaint contact details.
Schedule 1
Layered Privacy Notice Framework
1. Purpose of this Schedule
This Schedule explains how Goat Finance uses layered privacy notices to avoid unnecessary duplication while providing the information required for each phase, entity, product, service, jurisdiction and partner-supported route.
2. Global Privacy Policy
The Global Privacy Policy explains the organization-wide privacy framework, including:
multilateral structure;
Phase 1 and Phase 2 model;
controller allocation;
controller handoff;
shared resources;
intragroup access;
general categories of personal data;
general purposes of processing;
general sharing;
international transfers;
retention;
rights;
security;
jurisdiction-aware website controls.
3. Phase 1 Privacy Notices
Phase 1 Privacy Notices explain the processing that occurs during pre-onboarding, eligibility, screening and routing.
There may be separate Phase 1 Privacy Notices for:
EU/EEA individuals;
United Kingdom individuals;
Rest of World individuals.
4. Entity Privacy Notices
Entity Privacy Notices explain how a specific Goat Finance entity processes personal data when it becomes responsible for Phase 2 onboarding, service provision, transaction review, compliance monitoring or customer relationship management.
Entity Privacy Notices may include:
Goat Finance SAGL Privacy Notice;
Goat Finance LLC Privacy Notice;
notices for any additional Goat Finance entity added in the future.
5. Product-Specific Privacy Notices and Service-Specific Disclosures
Product-specific privacy notices or service-specific privacy sections explain how personal data is processed or shared for a specific product, service, partner-supported feature or transaction route.
These may be provided as:
a standalone product-specific privacy notice;
a service-specific privacy and partner data-sharing section inside Product Terms;
a product disclosure;
a partner-related privacy disclosure;
an onboarding notice.
6. No Unnecessary Duplication
Goat Finance may avoid repeating the same information in every privacy notice.
Where a specific notice incorporates this Global Privacy Policy by reference, the specific notice will focus on what is specific to the relevant phase, entity, product, jurisdiction or partner route.
Schedule 2
Phase-Based Privacy Model and Controller Handoff
1. Phase 1
Phase 1 is the global pre-onboarding, eligibility, initial screening, KYC initiation and routing phase.
Unless otherwise stated in the applicable Phase 1 Privacy Notice, Goat Finance SAGL acts as the controller for Phase 1 processing.
Phase 1 may involve:
intake forms;
identity and contact collection;
preliminary profile assessment;
initial KYC steps;
sanctions screening;
prohibited jurisdiction screening;
prohibited activity screening;
preliminary risk assessment;
product eligibility assessment;
partner route assessment;
routing to the relevant Phase 2 entity.
Phase 1 does not create a customer relationship.
2. Phase 2
Phase 2 is the product-specific onboarding, service activation and customer relationship phase.
The Phase 2 controller is the Goat Finance entity responsible for the relevant product, service or customer relationship.
Phase 2 may involve:
additional KYC or KYB;
customer due diligence;
enhanced due diligence;
source of funds and source of wealth review;
product-specific data collection;
partner-specific data collection;
service activation;
transaction monitoring;
ongoing compliance;
customer support;
complaints handling;
recordkeeping.
3. Handoff From Phase 1 to Phase 2
The handoff from Phase 1 to Phase 2 occurs when Goat Finance determines the relevant service entity and product route.
Before or during Phase 2, the customer should be shown or sent:
the identity of the Phase 2 controller;
the applicable entity Privacy Notice;
the applicable product-specific privacy notice or service-specific privacy disclosure;
the applicable terms and conditions;
the applicable product disclosure;
any partner-related disclosure, where applicable.
4. Multi-Product Scenarios
If the same customer requests or uses more than one product, different Goat Finance entities may be responsible for different products.
In that case, controller allocation will be determined per product and per entity.
Approval for one product does not imply approval for another product.
Schedule 3
Controller and Entity Routing Overview
1. Purpose
This Schedule provides a high-level overview of how Goat Finance allocates controller responsibility.
It does not replace the applicable privacy notice provided during onboarding or service activation.
2. General Controller Routing Table
| Processing Activity / Route | General Controller |
|---|---|
| Phase 1 pre-onboarding, eligibility, screening and routing | Goat Finance SAGL |
| Phase 2 routed to Goat Finance SAGL | Goat Finance SAGL |
| Phase 2 routed to Goat Finance LLC | Goat Finance LLC |
| Partner-supported services | Relevant Goat Finance entity and partner role as described in the applicable product notice, disclosure or partner documentation |
| Partner-enabled financial infrastructure | Relevant Goat Finance entity and partner route, as described in signed documentation and applicable privacy notice or disclosure |
| Multi-product / dual-entity scenario | Controller determined per product and per entity |
3. No Default Whole-Group Controller
Goat Finance does not treat all group entities as controllers merely because they belong to the Goat Finance organization.
A Goat Finance entity is treated as controller only where it determines the purposes and essential means of the relevant processing activity.
Access to personal data is not granted to all Goat Finance entities by default.
4. Joint Controllership
Joint controllership may apply only where two or more entities jointly determine the purposes and essential means of the same processing activity.
Where joint controllership applies, the essence of the relevant arrangement will be made available in the applicable notice or disclosure.
Schedule 4
Shared Resources, Intragroup Access and International Transfers
1. Purpose
This Schedule explains how Goat Finance uses shared resources while preserving entity responsibility, local legal obligations and need-to-know access.
2. Shared Resources
Goat Finance may use shared resources across the multilateral organization, including:
shared personnel;
shared compliance functions;
shared technology;
shared onboarding systems;
shared KYC/KYB tools;
shared CRM tools;
shared communication tools;
shared document repositories;
shared customer support;
shared transaction monitoring tools;
shared blockchain analytics tools;
shared audit and governance resources.
The use of shared resources does not automatically change controller status.
3. Need-to-Know Access
Access to personal data is granted only where relevant and proportionate.
Factors considered may include:
role;
product;
entity;
phase;
case assignment;
compliance purpose;
operational need;
legal requirement;
partner requirement;
security requirement.
Default access by all Goat Finance entities or all personnel is not permitted.
4. Intragroup Disclosures
Personal data may be shared between Goat Finance entities where necessary for:
Phase 1 intake and routing;
Phase 2 onboarding;
product-specific service delivery;
compliance review;
transaction monitoring;
fraud prevention;
customer support;
legal or regulatory compliance;
internal governance;
audit;
reporting;
security.
5. International Transfers
Where personal data is transferred or accessed across borders, Goat Finance applies a route-based transfer governance model.
Where required, transfers are subject to:
transfer route assessment;
transfer mechanism identification;
contractual safeguards;
supplementary technical and organizational measures;
access restrictions;
ongoing review.
6. Providers and Partners
Where third-party providers or partners process personal data, Goat Finance seeks to ensure that appropriate contractual, technical, organizational and legal controls are in place, where required.
Partner-specific processing will be described in the relevant product notice, product disclosure or service-specific privacy section.
Schedule 5
Jurisdiction-Aware Website and Reverse-Solicitation Controls
1. Purpose
This Schedule explains why Goat Finance may process limited technical, location, declared-jurisdiction and website-interaction data to support jurisdiction-aware website controls, product-availability controls, financial promotion controls and reverse-solicitation controls.
2. Data Used for These Controls
Goat Finance may process:
IP address;
approximate location derived from IP address;
browser language or locale;
country selected or declared by you;
country of residence;
country of incorporation;
product-interest selection;
product pages viewed;
legal warnings, notices or pop-ups shown;
acknowledgement records;
timestamps;
user agent;
onboarding route;
product route;
eligibility outcome.
3. Purposes
Goat Finance may use this data to:
avoid displaying product information where it may not be appropriate;
apply safe-mode or restricted-mode website content;
route users to general information instead of product-specific content;
provide jurisdictional notices;
support financial promotion and reverse-solicitation controls;
evidence what content, notices and disclosures were shown to a specific user;
support compliance, legal, audit and risk management.
4. Limitations
These controls are not a guarantee of eligibility.
A user’s location, country selection, IP address or acknowledgement of a notice does not by itself create a right to any product or service.
Product availability is determined through onboarding, eligibility assessment, contracting entity allocation, partner approval and applicable law.
Schedule 6
Legal and Jurisdictional Privacy Framework
1. Purpose
This Schedule provides a high-level explanation of the legal privacy frameworks that Goat Finance may consider.
Specific entity Privacy Notices or product-specific notices may provide additional details.
2. EU/EEA and UK Privacy Framework
Where EU GDPR or UK GDPR applies, Goat Finance will provide privacy information intended to explain, as applicable:
controller identity;
purposes of processing;
legal bases;
categories of personal data;
recipients or categories of recipients;
international transfers;
retention;
rights;
complaint channels;
automated decision-making or profiling information where required;
whether data provision is required and the consequences of not providing it, where relevant.
3. Swiss Privacy Framework
Where Swiss data protection law applies, Goat Finance will process personal data in accordance with Swiss privacy principles, including:
transparency;
fairness;
proportionality;
purpose limitation;
accuracy;
security;
data subject rights;
lawful disclosure;
appropriate safeguards for international transfers.
The applicable entity Privacy Notice may identify the relevant controller, contact details, purposes, recipients or recipient categories, international disclosures and other information required under Swiss law.
4. U.S. Privacy Framework
Where U.S. privacy laws apply, Goat Finance may provide additional information through an entity Privacy Notice, U.S. privacy notice or notice at collection.
This may include:
categories of personal information collected;
sources of personal information;
purposes of processing;
categories of recipients;
sensitive personal information;
sale, sharing or targeted advertising disclosures;
retention information;
consumer rights;
methods for submitting requests;
authorized agent process, where applicable;
non-discrimination language.
Recommended Short Website Footer Notice
Goat Finance operates as a multilateral organization through separate legal entities. The Goat Finance entity responsible for your personal data depends on the onboarding phase, product, contracting entity, jurisdiction, partner framework and service route applicable to you. Please read this Global Privacy Policy together with the specific Phase 1 Privacy Notice, entity Privacy Notice and product-specific privacy disclosure presented to you during onboarding or service activation.