1. Who we are
Range is the platform for companies operating across stablecoins and fiat rails. The Range service, including the websites range.org, app.range.org, explorer.money and docs.range.org, is operated by Scanworks Labs AG (trading as “Range”), Grafenaustrasse 5, 6300 Zug, Switzerland.
In this Privacy Policy, “Range”, “we”, “us” and “our” refer to Scanworks Labs AG. For the personal data described in this policy, Scanworks Labs AG acts as the data controller under the Swiss Federal Act on Data Protection (FADP), and, where applicable, the EU General Data Protection Regulation (GDPR) and the United Kingdom General Data Protection Regulation (UK GDPR).
Where Range processes personal data on behalf of an enterprise customer (for example, data about that customer’s end users, counterparties, or transactions ingested through our platform), Range acts as a processor, and the enterprise customer is the controller. Those activities are governed by the Range Data Processing Agreement (DPA), available on request, which supersedes this policy to the extent of any conflict.
2. Scope of this policy
This Privacy Policy applies to personal data we collect when you:
- visit our websites or marketing properties;
- request a demo, sign up for an account, or use the Range platform;
- connect a wallet, custodian, exchange, bank account or other data source through our integrations;
- contact our sales, support, security or compliance teams;
- attend a Range event, webinar or roundtable, or subscribe to Range communications;
- are referenced, screened, or analyzed within the Range platform as part of a customer’s legitimate compliance, fraud, sanctions, or risk monitoring activity (see Section 7).
This policy does not apply to:
- third-party websites, services, or integrations you choose to connect, which are governed by their own privacy policies;
- anonymized or aggregated information that no longer identifies you;
- processing carried out by our enterprise customers as controllers using Range as a processor, which is governed by their own privacy notices and our DPA.
3. Personal data we collect
We collect the categories of personal data set out below. Not every category applies to every individual.
3.1 Information you provide
- Account and contact information. Name, email address, business phone number, employer, role or job title, and account credentials (passwords are stored salted and hashed, never in plaintext).
- Identity verification information. Where required to grant platform access or comply with law, government-issued identifiers, proof of address, beneficial-ownership information, and similar know-your-customer (KYC) and know-your-business (KYB) data.
- Communications. Messages you send us by email, support ticket, web form, chat, or during sales, onboarding or support calls, including attachments or recordings (with notice).
- Event and marketing engagement. Registration details for Range events, content downloads, and survey responses.
3.2 Information generated by your use of the service
- Service usage data. Accounts and wallets you connect, transactions and counterparties surfaced by the platform, configuration choices, rules, alerts, cases, comments, audit-log events, and API calls.
- Device and technical data. IP address, device type, operating system, browser type and version, language, time zone, referring URLs, pages viewed, session duration, and similar telemetry.
- Cookies and similar technologies. See Section 6 and our Cookie Policy at /cookie-policy.
3.3 Information from third parties and integrations
- Financial connectivity data (Plaid and similar providers). When you connect a bank account through Plaid or an equivalent provider, the provider shares the data you authorize, including account identifiers, balances, and transaction history. Plaid’s handling of your data is governed by its own privacy policy at plaid.com/legal.
- Onchain data. When you or your organization connects a wallet, custodian, or exchange account, Range reads publicly observable onchain activity for the connected addresses and, where applicable, account-level data made available by your custodian or exchange API.
- Compliance and risk data sources. Sanctions lists, politically-exposed-person lists, adverse-media data, blockchain analytics signals, and equivalent reference data drawn from public, government, and licensed third-party sources (including, where applicable, BYO-API-key integrations with providers such as Chainalysis, TRM, or Elliptic that the customer brings to the platform).
- Marketing and enrichment data. Business contact information from licensed business-data providers, used to inform outreach and validate accounts.
- Lead capture and CRM (HubSpot). When you submit a form on our marketing site, request a demo, or subscribe to Range communications, our customer relationship management provider HubSpot processes your contact details, marketing-engagement data (such as email opens and clicks), and similar information on our behalf. Range’s HubSpot data is processed in HubSpot’s European Union data region.
- Demo scheduling (Calendly). When you book time with our team, Calendly processes the name, email and any details you enter to schedule the meeting. Calendly’s handling of your data is governed by its privacy policy at calendly.com/legal.
- Event registrations (Luma). Where you register for a Range event through our Luma event pages, Luma collects your name, email and any optional fields on the registration form and shares them with Range. Luma’s handling of your data as an independent controller is governed by its privacy policy at lu.ma/privacy.
3.4 Risk and security data
Range processes information on wallets, addresses, transactions, counterparties, and activity patterns that may be associated with fraud, money laundering, sanctions evasion, terrorist financing, theft, scams, market abuse, or other illicit or high-risk conduct. This data, which may incidentally include personal data, is treated as a distinct category for the purposes of this policy and is subject to the safeguards and limitations described in Section 7.
4. How we use personal data, and our legal bases
We use the personal data described above for the following purposes. The legal basis for each purpose under the GDPR, UK GDPR, and FADP is shown alongside it.
| Purpose | Legal basis |
|---|---|
| Providing, operating, securing and improving the Range platform and websites | Contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR); FADP Art. 31 |
| Authenticating users, managing accounts, and preventing unauthorized access | Contract; legitimate interests in platform security |
| Detecting, investigating and preventing fraud, abuse, security incidents, and prohibited use | Legitimate interests; legal obligation where applicable (Art. 6(1)(c) and (f) GDPR) |
| Processing risk, sanctions, AML/CFT and counterparty intelligence within the platform (see Section 7) | Legitimate interests of Range, our customers, and third parties protected by financial-crime controls; compliance with legal obligations |
| Communicating with you about your account, security notices, and service changes | Contract; legitimate interests |
| Sending marketing communications about Range products, content and events, where permitted | Consent (Art. 6(1)(a) GDPR) where required, otherwise legitimate interests; you can opt out at any time |
| Hosting events, webinars and roundtables | Contract; legitimate interests |
| Complying with legal, regulatory, audit and tax obligations, and lawful requests from authorities | Legal obligation; legitimate interests |
| Establishing, exercising and defending legal claims | Legitimate interests; legal obligation |
| Generating aggregated and de-identified analytics to inform product development and benchmarking | Legitimate interests |
Where we rely on legitimate interests, we have carried out a balancing assessment and concluded that those interests are not overridden by the rights and freedoms of the individuals concerned. You can request more information using the contact details in Section 14.
We do not sell personal information. We do share certain online identifiers, such as cookie IDs, device identifiers and IP-derived signals, with LinkedIn and X (Twitter) — and with Google where we run paid campaigns — when you visit our marketing websites, so we can measure the performance of our advertising and retarget visitors with Range ads. Under the California Privacy Rights Act (CPRA) and equivalent US state laws, this activity is treated as “sharing” of personal information for cross-context behavioral advertising. You can opt out at any time using the cookie banner, the “Cookie preferences” link in the footer, or a Global Privacy Control (GPC) signal. See Section 6 and our Cookie Policy.
5. Automated processing and profiling
Range uses rules, models, heuristics and machine-assisted scoring to surface risk signals, route alerts, deduplicate counterparties, and prioritize cases. These outputs are designed to support human review by trained compliance, risk or operations staff at our customers. We do not use solely automated decision-making that produces legal or similarly significant effects on you within the meaning of Art. 22 GDPR. Where a customer configures auto-actions (for example, auto-blocking a transaction) within their own workflow, that decision is made and controlled by the customer as controller.
6. Cookies and similar technologies
Our websites use cookies, pixels, local storage and similar technologies to operate the site, remember your preferences, secure your session, and measure how the site and our marketing are used. Categories include strictly necessary, analytics and product (including Google Analytics and Microsoft Clarity), advertising and measurement (including the LinkedIn Insight Tag and the X (Twitter) Pixel), and functional. We also use cookieless Vercel Analytics and Speed Insights for aggregate, privacy-friendly usage and performance metrics.
A full description of each cookie, its provider, purpose and duration, together with the controls available to you, is in our Cookie Policy at /cookie-policy. You can accept all non-essential cookies or choose which categories to allow through the cookie banner, the “Cookie preferences” link in each site’s footer, and your browser settings. Non-essential categories are off until you turn them on. We honor opt-out choices made through our banner and recognized Global Privacy Control (GPC) signals. Disabling certain cookies may degrade site functionality.
7. Risk and security data, and limits on individual rights
Range exists in part to help regulated financial institutions detect and prevent financial crime, including fraud, sanctions evasion, money laundering, terrorist financing, theft and scams. To do that, Range and our customers process information about wallets, addresses, counterparties, transactions and behavioral patterns that may indicate high risk or illicit activity. This information may, in some cases, constitute personal data.
We process risk and security data on the basis of:
- our and our customers’ legitimate interests in preventing and detecting crime and protecting the integrity of the financial system, recognized under Recital 47 GDPR and equivalent guidance under the Swiss FADP;
- compliance with legal obligations applicable to Range and our customers under anti-money-laundering, counter-terrorist-financing, sanctions, market-integrity and consumer-protection laws;
- the substantial public interest in the prevention and detection of unlawful acts, including under Art. 9(2)(g) GDPR where any special-category data is incidentally processed.
The following limitations apply to requests relating to risk and security data. They exist to prevent the misuse of data-subject rights as a tool to defeat lawful financial-crime controls or to gain intelligence about detection capabilities.
- Identity verification. Before acting on any such request, we verify the requester’s identity by proportionate means. We will not act where we cannot reasonably verify that the requester is the data subject or an authorized representative. Data-subject rights attach to natural persons, not legal entities.
- Erasure and restriction (Art. 17 and 18 GDPR; equivalent FADP rights). We may refuse, in whole or part, where processing is necessary for compliance with a legal obligation; for the establishment, exercise or defense of legal claims; for reasons of substantial public interest, including the prevention, investigation, detection or prosecution of criminal offenses; or to ensure security and to detect or prevent fraud, sanctions evasion, money laundering, terrorist financing, market abuse, theft or scams.
- Objection (Art. 21 GDPR). Where processing is based on legitimate interests, you may object. We will stop unless we demonstrate compelling legitimate grounds that override your interests, or unless processing is necessary for legal claims. Financial-crime prevention and platform security will generally meet that test.
- Access (Art. 15 GDPR). We respond to verified access requests, but may redact or withhold information where disclosure would harm the rights of others; reveal the existence, content or methodology of a suspicious-activity report, fraud investigation, sanctions result, or law-enforcement inquiry (including “tipping-off” prohibitions); or compromise investigative, security or compliance procedures.
- Where Range acts as a processor. For risk and security data processed on behalf of a customer, the customer is the controller; requests should be directed to them, and Range supports the customer under the DPA. We do not act unilaterally on such data.
- Abuse of rights. Manifestly unfounded or excessive requests, including repeat requests, may be refused or charged a reasonable fee, as permitted by Art. 12(5) GDPR and equivalent FADP provisions.
We document our handling of every request related to risk and security data and retain the underlying assessment for audit and regulatory inquiries.
8. How we share personal data
We share personal data only where necessary to operate Range, to meet a legal obligation, or at your direction. Categories of recipients:
- Service providers and sub-processors. Cloud infrastructure and website hosting (Vercel); customer relationship management, lead capture and marketing email (HubSpot, in its EU data region); meeting scheduling (Calendly); event hosting and registration (Luma); analytics (Google Analytics, Microsoft Clarity, and cookieless Vercel Analytics and Speed Insights); advertising measurement (LinkedIn and X); customer support, error monitoring, identity verification, payment processing, and similar providers acting on our behalf under written contracts. A current sub-processor list is available on request and, for enterprise customers, through the DPA.
- Integration partners you authorize. Custodians, exchanges, banks (via Plaid), accounting tools, and compliance vendors you connect to your Range workspace, only for the data flows you enable. We feed enriched onchain data into your existing systems where you have authorized that flow.
- Customers and their authorized users. Where you interact with Range as a customer’s contact, that customer and its authorized users may see information related to the interaction.
- Professional advisers. Auditors, lawyers, bankers, insurers and other advisers under duties of confidentiality.
- Law enforcement, regulators, and authorities. Where legally required, where we believe in good faith that disclosure is necessary to comply with legal process, or to protect the rights, property or safety of Range, our customers, our users, or the public, including for fraud-prevention and security purposes.
- Corporate transactions. A successor or counterparty in a financing, merger, acquisition, reorganization, insolvency, or sale of assets, subject to appropriate confidentiality protections.
9. International transfers
Range is established in Switzerland. Personal data may be processed in Switzerland, the European Economic Area (EEA), the United Kingdom, the United States, and other jurisdictions where we, our group companies, or our service providers operate.
Where personal data is transferred to a country without an adequacy decision, we put in place appropriate safeguards, including the European Commission’s Standard Contractual Clauses (supplemented for Switzerland per FDPIC guidance and for the UK with the ICO International Data Transfer Addendum); additional technical, contractual and organizational measures where required following a transfer impact assessment; and, where relevant, certification under the EU-US, UK Extension, or Swiss-US Data Privacy Framework for recipients that have self-certified. A copy of the relevant safeguards is available on request.
10. Data retention
We keep personal data only as long as necessary to fulfill the purposes for which it was collected, including providing the service, complying with legal, accounting, tax, or reporting obligations, resolving disputes, and enforcing our agreements. Typical retention periods:
- Account data: for the duration of the account, plus a reasonable archive period, typically up to 7 years to support legal, audit and tax obligations.
- Service usage and audit-log data: as required by applicable record-keeping rules and customer commitments, typically up to 7 years.
- Risk and security data, including alerts, cases, suspicious-activity records and supporting evidence: as long as necessary to support financial-crime, sanctions and security obligations and related investigations or claims. Retention under AML/CFT law is typically a minimum of 5 years from the end of the business relationship or the relevant transaction, and may be longer where a matter remains under review.
- Marketing data: until you opt out or object, after which we keep a suppression record to honor your opt-out.
- Cookies and similar technologies: as set out in our Cookie Policy.
When the applicable retention period ends, we delete or irreversibly de-identify the data, unless a longer period is required by law or to defend a legal claim.
11. Your rights
Subject to applicable law and the limits in Section 7, you have the following rights:
- Access. Confirmation of whether we process your personal data, and a copy of it.
- Rectification. Correction of inaccurate or incomplete data.
- Erasure. Deletion of your data (“right to be forgotten”).
- Restriction. Limiting how we process your data.
- Objection. Objecting to processing based on legitimate interests, including direct marketing.
- Portability. Receiving your data in a structured, commonly used, machine-readable format.
- Withdraw consent. Where processing is based on consent, withdrawing it at any time without affecting prior processing.
- Lodge a complaint with a supervisory authority (see Section 14).
To exercise any of these rights, contact us at privacy@range.org. We respond within the time required by applicable law, typically within one month under the GDPR and UK GDPR, and 30 days under the CCPA/CPRA. We may need to verify your identity, and may extend the period for complex or multiple requests. You will not be discriminated against for exercising any of these rights.
12. Security
Range maintains an information security program designed to protect personal data against unauthorized access, alteration, disclosure or destruction. Controls include encryption in transit (TLS) and at rest; role-based access and least-privilege provisioning; multi-factor authentication for staff access to production; continuous logging, monitoring and alerting; regular vulnerability scanning, penetration testing and third-party reviews; a documented incident-response program and vendor risk management; and background checks for personnel with access to production data, where lawful.
No security program can guarantee absolute security. Where required by law and our contracts, we notify affected individuals, customers, and supervisory authorities of personal-data breaches within the required time frames. Read more about our security measures at /security.
13. Children
Range is a business-to-business platform directed to financial institutions and their staff. It is not directed to individuals under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@range.org and we will delete it.
14. Contact, supervisory authorities, and representatives
Range / Scanworks Labs AG, Grafenaustrasse 5, 6300 Zug, Switzerland. Email: privacy@range.org. You can contact our Data Protection Officer at the same address.
Swiss FADP. The competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Switzerland.
EU GDPR. [Range’s EU representative under Art. 27 GDPR, where appointed, will be listed here.] You also have the right to lodge a complaint with the supervisory authority in your EU member state of residence, place of work, or place of the alleged infringement.
UK GDPR. [Range’s UK representative under Art. 27 UK GDPR, where appointed, will be listed here.] You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.
15. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with a revised date and, where appropriate, communicated to account holders by email or through the Range platform. We encourage you to review this policy periodically.
Annex A — California (CCPA/CPRA)
This Annex provides additional information for California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).
- Categories collected (past 12 months). Identifiers; commercial information; internet or other electronic network activity; approximate geolocation derived from IP; professional or employment-related information; and inferences drawn from the above. Sensitive personal information may include account log-in credentials and, where collected for verification, government identifiers.
- Sources. You; your employer; your use of our websites and platform; integration partners you authorize; and public and licensed third-party data providers (including for risk, sanctions, and counterparty intelligence).
- Purposes and recipients. As set out in Sections 4 and 8.
- Sale or sharing. We do not sell personal information. We do share personal information for cross-context behavioral advertising: when you visit our marketing websites, the LinkedIn Insight Tag and the X (Twitter) Pixel (and Google tags where we run campaigns) collect online identifiers that let those platforms measure our campaigns and serve Range ads. We have not had actual knowledge of selling or sharing the personal information of consumers under 16.
- Your right to opt out. Use the cookie banner, the “Cookie preferences” link in the footer, or a Global Privacy Control (GPC) signal from your browser, which we recognize as a valid opt-out for that device and browser.
- Your CCPA/CPRA rights. Right to know, delete, correct, opt out of sale/sharing (we share but do not sell), limit use of sensitive personal information (we do not use it beyond permitted purposes), and non-discrimination. To exercise these, contact privacy@range.org; you may use an authorized agent with proof of authorization.
Annex B — Other US states
Range provides residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon and other US states that have comprehensive consumer-privacy laws with the rights granted under those laws, including access, correction, deletion, portability, and opting out of targeted advertising, sale, and certain profiling. Range does not sell personal data and does not conduct profiling that produces legal or similarly significant effects without human review. To exercise your rights, contact privacy@range.org. You may appeal a decision by replying to our response with “Appeal” in the subject line.
Annex C — UK GDPR
For individuals in the United Kingdom, references in this policy to the GDPR should be read as references to the UK GDPR and the Data Protection Act 2018, and references to EU supervisory authorities should be read as references to the UK Information Commissioner’s Office (ICO).
Annex D — Swiss FADP
For individuals in Switzerland, this policy is issued under the Swiss Federal Act on Data Protection (FADP) of 25 September 2020. References to GDPR Articles should be read together with the equivalent FADP provisions, including Art. 6 (principles), Art. 19–21 (information duties), Art. 25–29 (rights of access, rectification, restriction and objection), Art. 31 (justifications for processing without consent, including overriding interests in fraud prevention, security and compliance), and Art. 16–18 (cross-border disclosures and safeguards). The competent supervisory authority is the Swiss FDPIC.
This Privacy Policy is provided for transparency and does not create contractual rights or obligations beyond those required by applicable data protection law. It has been prepared by Range and is not a substitute for legal advice.