Warning: My GDPR data deletion request was denied by Curve (a fintech) because they consider a rejected applicant a "relationship" and kept my data for 10 years.
Just a heads-up for anyone considering signing up for Curve.
I recently applied for a Curve account. My application was rejected. I then submitted a Right to Erasure (Right to be Forgotten) request under the GDPR, asking them to delete my personal data.
Curve has now formally refused. Their final response claims they are required to retain my personal data (including application details) for a full 10 years under anti-money laundering (AML) regulations. Their justification? They consider the period from a rejected application as part of "the applicant’s relationship with Curve."
I am not and never was a customer. No account was opened, no services were used, and no transactions occurred. Yet they insist they have a legal obligation to keep my data for a decade. My complaint to their internal team was denied, and they've pointed me to the Financial Ombudsman Service (UK) and the Bank of Lithuania (EEA) for further escalation.
This seems like a grossly disproportionate interpretation of data retention laws and a misuse of the GDPR's exceptions for legal compliance. Be very careful before giving this company your personal data. A rejected application can apparently tie up your personal information for a decade, regardless of your consent.
I'm now proceeding with my complaint to the ICO (UK) and the relevant authorities.