Rampnow is fully GDPR-compliant as an EU-based VASP with operations in Poland and Germany. All customer data is handled according to Articles 5–32 of GDPR.
Data Protection Principles
Rampnow enforces:
- Lawfulness, fairness, transparency
- Purpose limitation: Data used only for KYC/AML/payment execution
- Data minimization: Only necessary data collected
- Accuracy: Identity information verified via KYC
- Storage limitation: Retention aligned with AMLD6
- Integrity & confidentiality: Encryption at rest and in transit
User Rights
Customers may request:
- Access to personal data
- Correction of inaccuracies
- Restriction of processing
- Transportability
- Deletion (where AML regulations allow)
Some data cannot be deleted due to AML recordkeeping obligations (typically 5–10 years depending on jurisdiction).
Data Storage & Transfers
- Data stored in EU data centers (AWS Frankfurt / AWS Stockholm)
- No unauthorized third-country transfers
- Sub-processors are GDPR-audited
- Data encrypted with AES-256 and TLS 1.2+
KYC Provider Compliance
Sumsub is fully certified under:
- ISO/IEC 27001
- GDPR
- FINMA, FCA, MAS frameworks
All document images are encrypted and stored inside the EU. 
