Privacy Policy
Version 1.0 · Last updated: 24 June 2026
This Privacy Policy explains how we handle personal data in connection with the Sternexus website and platform. We are committed to a privacy-first approach and to processing personal data lawfully, fairly and transparently.
Sternexus is a financial technology platform operated by Sterling Quantum SL. Sternexus is not a bank, electronic money institution, payment institution or investment adviser, and does not hold client funds. Regulated financial services are provided by authorised partner institutions where applicable.
1. Who we are (data controller)
The controller of personal data processed through this website and platform is Sterling Quantum SL(CIF B22535934), 112 Tinerfe el Grande 34, Adeje, 38670, Santa Cruz de Tenerife, Spain.
- Privacy contact: privacy@sternexus.com
- Data Protection Officer: we have not appointed a DPO at this time. Until a DPO is appointed, our privacy contact above handles data-protection requests and enquiries.
Where regulated onboarding or payment services are performed by authorised partner institutions, those partners may act as independent controllers for the personal data they process under their own licences and privacy notices. We will identify the relevant partner where applicable.
2. Who this applies to
Sternexus is a business-to-business platform intended for corporate users aged 18 or over acting in a business capacity. The platform is not directed to consumers or to children. We process personal data of individuals such as authorised representatives, directors, beneficial owners and contacts of corporate customers and prospective customers, and of website visitors.
3. Personal data we collect
- Account registration data — name, work email, role, company, and access credentials.
- Company / KYB information — corporate details, registration data, ownership and control structure.
- Identity verification information — identity and verification data for authorised representatives and beneficial owners (collected by us and/or via authorised partners under a hybrid model).
- Contact details — email, phone and business contact information.
- Usage and analytics data — interactions with the platform and website (subject to your cookie choices; see our Cookie Policy).
- Security logs — authentication events, access logs and device/security signals used for fraud prevention.
- Technical data — IP address, browser and device information.
- Cookies and similar technologies — as described in our Cookie Policy.
- Communications — messages, support requests and related correspondence.
- Compliance records — source-of-funds evidence, approvals, screening results and audit records.
4. Why we use personal data, and our legal bases
Under the EU/UK GDPR we rely on the following legal bases:
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Operating and providing the platform and accounts | Performance of a contract (6(1)(b)) |
| Security, fraud prevention and platform integrity | Legitimate interests (6(1)(f)) |
| Compliance, KYB/KYC, sanctions and AML obligations | Legal obligation (6(1)(c)); substantial public interest where special-category/criminal data applies |
| Customer support and communications | Contract (6(1)(b)) / legitimate interests (6(1)(f)) |
| Service improvement and analytics | Consent (6(1)(a)) for non-essential analytics; otherwise legitimate interests |
| Marketing communications | Consent (6(1)(a)) where required; legitimate interests for existing B2B relationships, subject to opt-out |
| Meeting legal and regulatory obligations | Legal obligation (6(1)(c)) |
5. Automated processing and AI features
Sternexus offers, and may further develop, compliance-intelligence features that use AI to assist with the analysis, organisation, extraction and risk review of uploaded documents, transaction information, compliance evidence and corporate information. AI does not make final compliance decisions. Outputs are decision-support only; final decisions remain subject to human review and to the requirements of the relevant authorised partner institutions. We do not use these features to make decisions producing legal or similarly significant effects about an individual solely by automated means without a lawful basis and appropriate safeguards.
6. Who we share data with
- Authorised partner institutions — for regulated onboarding, accounts and payments (which may act as independent controllers).
- Service providers (processors) acting on our instructions, including cloud hosting, customer-relationship-management providers, support tooling, communications/email providers and, where enabled with consent, analytics/performance providers.
- Professional advisers, auditors and authorities where required by law or to establish, exercise or defend legal claims.
We do not sell personal data. We require processors to provide appropriate safeguards under a written data-processing agreement.
7. International transfers
Our primary data hosting is Microsoft Azure in the EU region. Some processing may take place outside the EEA/UK through approved sub-processors. Where it does, we rely on appropriate transfer mechanisms, including European Commission/UK adequacy decisions, Standard Contractual Clauses (and the UK International Data Transfer Addendum), and any additional safeguards required by law.
8. Data retention
We keep personal data only for as long as necessary for the purposes set out above. We apply the following conservative retention guidelines:
| Category | Indicative retention |
|---|---|
| Website enquiries | Up to 24 months after the last interaction, unless a longer period is legally required. |
| User account records | For the duration of the account relationship, plus any applicable statutory periods. |
| Compliance / KYB / transaction-evidence records | Up to 10 years where required for AML, regulatory, dispute-prevention or other legal obligations. |
| Security logs | Normally 12–24 months, unless an investigation or security requirement requires longer. |
| Marketing data | Until you unsubscribe or withdraw consent. |
Actual retention periods may vary depending on applicable laws and the requirements of partner institutions. When personal data is no longer required, we securely delete or anonymise it.
9. How we protect data
We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls, audit logging, separation of public and internal services, and security monitoring. No method of transmission or storage is completely secure, but we work to protect personal data and to respond to incidents.
10. Your rights
Subject to applicable law, you may have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request deletion (“right to be forgotten”), subject to legal retention obligations;
- restrict or object to certain processing, including processing based on legitimate interests and direct marketing;
- data portability;
- withdraw consent at any time, without affecting prior lawful processing;
- lodge a complaint with a supervisory authority.
To exercise any right, contact privacy@sternexus.com. We will respond within the timeframes required by applicable law. You can also complain to the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) or to the supervisory authority in your country.
11. Regional privacy rights
EU / EEA
You have the rights described above under the EU GDPR, and may complain to your local supervisory authority or the AEPD.
United Kingdom
If the UK GDPR and Data Protection Act 2018 apply to you, you have equivalent rights and may complain to the UK Information Commissioner’s Office (ICO).
United States
Depending on your state (including California under the CCPA/CPRA, and Colorado, Connecticut, Virginia and Utah), you may have rights to know/access, delete and correct personal information, to data portability, and to opt out of the “sale” or “sharing” of personal information and of targeted advertising and certain profiling. We do not sell personal information and do not use it for cross-context behavioural advertising. California residents may also be entitled to non-discrimination for exercising their rights. To exercise these rights, contact privacy@sternexus.com.
Canada
If PIPEDA applies, you may access and correct your personal information and may complain to the Office of the Privacy Commissioner of Canada (OPC).
12. Marketing and communications
Where we send marketing communications, we do so only with a lawful basis (consent where required, or legitimate interests for existing business relationships). Every marketing email includes an unsubscribe option, and you can opt out at any time by contacting us or using the unsubscribe link.
13. Cookies
We use cookies and similar technologies as described in our Cookie Policy. Non-essential cookies are not set until you consent, and you can change your choices at any time.
14. Children
The platform is for business users aged 18+ and is not directed to children. We do not knowingly process the personal data of children.
15. Changes to this policy
We may update this Privacy Policy from time to time. We will revise the “last updated” date and, where changes are material, take additional steps to notify you.
16. Contact
Questions or requests: privacy@sternexus.com, or write to Sterling Quantum SL, 112 Tinerfe el Grande 34, Adeje, 38670, Santa Cruz de Tenerife, Spain.
Versioning & changes
This document is version 1.0, last updated 24 June 2026. We may update it from time to time. When we do, we will revise the version number and date shown above, and for material changes we will provide additional notice where appropriate. Your continued use after changes take effect constitutes acceptance.