Forms first. Product detail stays out of the way.
Privacy center
Name, email address, phone number, country, profile edits, and policy acknowledgements.
Used to open the account shell, contact the customer, protect access, and keep a record of which SmartRemit notices were accepted.
Required for account administration, contract performance, and operational/legal record keeping.
Held for the active account lifecycle and then reviewed for deletion or anonymisation when no legal hold still applies.
KYC profile fields, verification evidence metadata, review outcomes, sanctions/AML screening posture, and reviewer notes.
Used to satisfy customer due-diligence, transfer eligibility, fraud review, and compliance obligations for a regulated remittance product.
Required for legal and regulatory compliance plus fraud-control duties.
Kept according to verification, compliance, and audit retention needs even if the customer later asks for deletion.
Passwords, MFA enrollment state, sessions, remembered devices, login attempts, IP/device/location signals, and security events.
Used to secure sign-in, detect unusual activity, step up verification when risk rises, and support incident investigations.
Required for service security, fraud prevention, and account protection.
Minimised after review windows expire, but some audit traces may remain as security evidence.
Quotes, transfers, bill payments, beneficiaries, funding accounts, transaction history, and operational references.
Used to deliver money movement, reconcile balances, resolve disputes, investigate exceptions, and satisfy AML/audit obligations.
Required to operate the regulated financial service and satisfy financial-recordkeeping rules.
Often retained for the required regulatory or dispute window before any further minimisation or anonymisation can be considered.
Support tickets, case notes, privacy-erasure requests, policy decisions, and closeout evidence.
Used to investigate issues, manage deletion reviews truthfully, and show what SmartRemit decided and why.
Required for customer support, operational accountability, and compliance explainability.
Minimum closeout evidence may remain even after profile fields are removed or anonymised.
Keep available to the customer and reviewers while the deletion case is assessed.
Delete or anonymise once legal-hold checks clear and the approved review says those fields can be removed.
These are usually the first customer-facing fields that can be minimised after offboarding, but the exact action still depends on the approved review outcome.
Do not revoke automatically at the moment of request; SmartRemit should schedule auth cleanup deliberately once the review reaches the approved offboarding stage.
Disable future sign-in, revoke tokens, and remove remembered-device trust as part of the approved authentication cleanup step.
Authentication cleanup is operationally separate from legal retention of financial or audit evidence.
Treat as retained evidence during review.
Retain, restrict, or anonymise only within the legal/compliance matrix; do not promise immediate automatic purge.
Regulated remittance activity may need retention for AML, reconciliation, disputes, chargebacks, or audits.
Keep available to reviewers and case owners.
Retain the minimum closeout evidence showing what was deleted, anonymised, retained, and why.
SmartRemit still needs explainability and proof of the action taken on the deletion request.