Why you should read this.

This is the Privacy Policy of CTC to you, where we explain how we collect, use, share and protect your personal data.

This is why it is important that you read this Privacy Policy along with any other contract you might have signed with us as a client or business partner and which might clarify or supplement this Privacy Policy.

Who are we

The Trefi Platform, both its public and private environments, is managed by Capital Tool Company Agency Services B.V. (“CTC”). This means that any personal data received from you, either because you are our client or partner or because you visit our websites (notably, or, will be processed by CTC and/or its subsidiaries which, in turn, makes us responsible for the use and protection of this personal data.
At the same time, this makes you, the Data Subject and makes us the Data Controller, using the terminology of the GDPR. Being a Data Controller essentially means that we determine how and why your data is processed.
Our details, should you require the formal details of your Controller are:

Capital Tool Company Agency Services B.V.
Karspeldreef 14-4
1101CK Amsterdam
the Netherlands
Phone: +31 85 87 712 59

Collecting your personal data

The personal data we collect or receive about you depends on the CTC services you use and/or you request from us. Sometimes you provide us with the data directly, like when you become our client or request information from us and other times we collect or maintain data automatically by the use you make of the website(s) and/or Trefi Platform.

We may also collect personal data from public sources or registers, from our partners and professional service providers or from (third party) organisations, if this is adequate and relevant, under our legitimate business interest, in order to evaluate suitability of product for you or to check your identity and interest in accordance with regulations like anti money laundering, trust regulations and others.

If you provide us with personal data about other businesses (which include personal data) or individuals, or if others give us your data, we will only use that information for the specific purpose for which it was provided to us by you. By submitting any personal data, you confirm that we have the right to process it on your behalf in accordance with this Privacy Policy and that you will delete it when you do not need it anymore.

What types of personal data we collect

The personal data we maintain is mainly the following:

  • Identity and contact details (e.g. name, surname, email address, phone number)
  • Financial & commercial information of your business or company, and which could include personal data (such as that related to company directors, freelancers or corporate emails containing personal identity)
  • Data that identify or could identify you (e.g. login information, browser type) once you proceed to sign up
  • Data on how you use the Trefi website and the Trefi platform (e.g. level of service, response times), which might include your IP address, location, business preferences etc).

How we use your personal data

We may process your personal data:

  • To provide the service you’ve contracted with us and address you as required
  • To maintain and improve the performance of the Trefi platform, understanding how you use the platform, testing proposed developments and responding to your queries about our platform or services
  • To be able to provide client support and respond to any questions or concerns you may have about using our network, products or services
  • To process payment information
  • To carry out research and statistical analysis including to monitor how customers use our platform and services
  • To prevent and detect fraud or other crimes, trace or recover debts
  • To monitor compliance with our procedures and our terms & conditions: we might monitor for breaches of terms and conditions or of those relating to our intellectual property.

Lawful bases for processing your personal data

The GDPR only allows us to process your data for certain purposes and under certain conditions. That’s why we only process personal data where we have at least one lawful basis for doing so. The lawful bases for processing are the following a) having your Subject’s consent; (b) being necessary for the performance of a contract with you; (c) being necessary for compliance with a legal obligation; (d) being necessary in order to protect your vital interests; (e) being necessary for the public interest or in the exercise of official authority; or (f) being necessary for the Controller’s or recipient’s legitimate interests, except where overridden by your interests as Data Subject.
CTC process data under the following lawful bases:

  • Your consent – This is where you have given us explicit permission to process personal information for a given purpose. For example, if you complete one of our website forms or request information from us. In this scenario, you also have the right to withdraw this consent at any time.
  • Legitimate interest – This is where we have a legitimate interest, as a business, to process personal data. For instance, in case of a breach of our policies or when we need to collect personal data in order to enforce claims arising from defaults etc.
  • Contractual requirement – This is where we have to process personal data to meet our contractual obligations or services requested from us under legal agreements or because you have asked us to take the required steps to enter into a contract.
  • Legal obligation – This is where we have to process personal data in order to comply with the law, such as anti-money laundering obligations (AML).

Who we share your personal data with

We only disclose and share personal data in order to provide the services requested or when we need to rely for certain services on third parties which ensure adequate levels of compliance, security and business expertise. In general, these are:

  • Companies in the CTC Group, in order to render or improve our services partners or professional service providers involved in delivering the services you’ve requested.
  • Credit reference, fraud prevention, credit scoring agencies, debt collection agencies or other debt recovery organisations, if reasonable for the purpose of protecting us or interests of our clients.
  • Law enforcement agencies, regulatory organisations, courts or other public authorities if we have to, or are authorised to by law, in order to enforce our rights or those of our clients or partners.

All of the above might have their own responsibilities in determining the extent of personal data and processing required to do the work so might also operate as Controllers of your data.

  • Other Professional Service Providers, who help to support our business and improve our products. These providers are engaged to perform services for and on behalf of CTC and can only access or use your personal data under our instruction including Cloud/Data Storage facilities, Administration/Payroll or Corporate Service Providers (in some circumstances).

Social Network and Third-Party Login

Our website(s) may allow you to log in using a social network or other third-party account such as “Log in with Linkedin.” Logging into one of our sites with your social network or other third-party account may allow us to gather information that you give us permission to access from that social network or third party. The login feature always redirects users to the authentication provider so no personal data is transferred from us to the social network or third party. The social network or third party may however automatically collect information about you, such as your IP address or place cookies from that third party. Please be aware that the functionality of and your use of the login is governed by the privacy policy and terms of the party that provided the login functionality.

How we keep your personal data secure

We have appropriate technical and organizational security measures in place to help ensure that your personal data is protected against unauthorised or accidental access, use, alteration, or loss. For example:

  • We have information security management framework developed in accordance with the ISO 27001:2013:2005 which contains best practices for information security management. These provide a comprehensive set of security controls relating to the availability, integrity, encryption and confidentiality of electronic data, in which a balanced (effective and efficient) system of coherent measures is developed with the aim of protecting IT processes and data from internal and external threats.
  • We have specialized IT and security officers who take, review and improve our security measures on an ongoing basis
  • Our data centres follow strict security measures as per the Telecommunications Industry Association (TIA) standards
  • Our employees are being trained in what the GDPR means and are bound by strict confidentiality clauses
  • We apply continuous audit practices

If we have a contract with another organisation to provide us with services on our behalf to process your personal data, we’ll make sure they have appropriate security measures and only process your data in the way we’ve authorised them to unless they have to comply with the law in a supplementary manner. In any case, organisations shall not be entitled to use your personal information for their own purposes.

Please be aware that communications over the internet aren’t secure unless they’ve been encrypted. We can’t accept responsibility for any unauthorised access or loss of personal information that’s beyond our control.

You need to help us keep data safe and we ask you to treat tokens, passwords, etc. confidentially and with the utmost care and communicate any data breach as soon as you become aware.

How long we retain your personal data

We understand that your personal data, insofar as it is not anonymized or processed solely for archiving purposes you request, in the public interest, or scientific, historical, or statistical purposes, should not be retained for longer than necessary in relation to the purpose for which it was processed. Moreover, we understand that your right to be forgotten might mean that we erase your personal data even sooner than would otherwise be the case.

At CTC we retain your personal data for as long as you are a client of ours or of one of our partners. Otherwise, your personal data is deleted (i) on your request or (ii) when we decide that it is no longer necessary for the purpose for which it was collected (usually reviewed on an annual basis).

If you are our client, you may also delete your personal information by logging on and closing your account. This will include personal data about other individuals you have entered. You can only delete the data if you have no outstanding legal or contractual obligation under the terms and conditions of the platform.

Nevertheless, you should be aware that it is sometimes necessary for us to keep your personal information for longer periods of time, such as, for example, if there is a legal requirement to retain it or a legitimate business interest.

Yes, we use cookies

A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when you access a website. It allows the website to recognise your device and store some information about you or your device.

Some of these cookies collect information required in order for the website to work properly. Therefore, if you do not allow these cookies, or disable them via your browser, some parts of the website may not work properly, such as login in or sending forms. We use session cookies (transient cookies) in our website which we consider to be strictly necessary cookies under our legitimate interest to provide you with a functioning website. The session cookie is erased when you close your browser and we typically do not collect personal data from your computer. They typically store session identification information that does not personally identify you.

We also use the cookies of Google Analytics which allows to us to see information on the activities of visitors to our website and users of our service, including statistics such page views, source and time spent on the website. The information is anonymized. These are analytical cookies.

We do not use cookies to track you.

These are your privacy rights

The GDPR grants data subjects a wide array of rights to help them exercise control over their personal data. These are the following:

  • Right to access your personal data: you can access your data at any time to get a copy of the personal information we hold about you, unless your request proves to be manifestly unfounded or excessive.
  • Right to rectify your personal data: if you think we’re holding inaccurate or outdated data about you, can do it directly if you have an account with us.
  • Right to block or object to processing being carried out in certain circumstances (such if you believe your rights should override our legitimate interest)
  • Right to port your personal data to another service: you are entitled to obtain any personal data we might have on you in a digital format. We can also transfer this data directly to another controller. We can do this if the lawful basis for processing was consent or the performance of a contract.
  • Right to be forgotten by us: you can ask for your data to be deleted in certain circumstances (e.g. by withdrawing your consent, no legal obligation on our part), by using the delete functionality.
  • Right to opt-out of marketing communications: you can object to your data being processed for direct marketing purposes at any time. You can choose to opt out of all marketing communications by unsubscribing completely or just from receiving marketing messages in a particular way (email, call, SMS, post etc) This includes the automated processing of your personal data, including for profiling purposes.
  • Right to complain about us to the data supervisory authority if we fail to deliver: for example, via this contact information related to the authority in the relevant country you are in. In the Netherlands, for example, this would be or Germany

Third Party Sites

Our website(s) may contain links to third party websites which are not subject to this Privacy Policy. We are not responsible for their content, processing of personal data, or security practices.

Where is your personal data stored

The bulk of the personal data we collect is processed in our secure hosting facility.

All data, including personal data, is stored in our servers, including our third-party (back-up) servers in the United Kingdom and the EU-located datacenters or MS Cloud.
At this point in time we do not transfer personal data to recipients outside the European Economic Area (EEA), unless by your action (like sending an invoices outside the EU). Should that be the case in the future, we will inform you sufficiently and make sure that we rely on adequacy decisions, EU standard contractual clauses or other EU approved mechanisms for such transfers.

Changes to this Privacy Policy

It is possible that in the future we have to change or extend certain aspects of this Privacy Policy. The reasons could be several. For example, it could be because we, as CTC, make certain changes to the way we conduct our business which require changes to the way we collect data. It could also be as a result of more detailed guidance from policy makers, court decisions or information law experts on how we should operate data protection policies. You should be mindful that the GDPR is a new instrument which, though directly enforceable across the EU member states, also require a certain number of supplementary clarifications through domestic implementation (in the Netherlands or other EU member states where CTC might operate or have business interests) but also insights on interpretation and enforcement. Further, the EU is in the process of replacing the e-privacy Directive with a new e-Privacy Regulation to sit alongside the GDPR and this might impact some aspects of our processing or our treatment of cookies when it comes into force.

Any changes we may make to this Privacy Policy will be posted on the platform and website at least 30 days prior to implementation to give you the chance to read and accept the changes. If changes are significant, we may choose to notify you by e-mail or to clearly indicate to you on the platform and website that the policy has been updated.

We will also offer you the possibility to reject the updated Privacy Policy which would unfortunately mean that you no longer would like to remain a client of CTC.

Complaints, Questions and Suggestions

Thank you for getting this far. We have aimed to make this information easily accessible and easy to understand. If, however, you still have any outstanding questions, any suggestions or any queries in regards to the collection and processing of your personal data please contact us directly at or through the support functionality in our product.

CTC is committed to working with our clients and data protection authorities to resolve any concern you might have in this regard. And please remember that data protection is an ongoing process so, even if we will duly notify you of any changes that have an impact on you as a Data Subject, please don’t be a stranger to this site.