Effective Date: 22 April 2020

Last Modified: 30 July 2024

1. Introduction

This privacy notice aims to give you information on how CSL (collectively referred to as “CSL”, “the Company”, “we”, “us” in this privacy notice) deals with the data collected or processed during its business operations. This personal data may be obtained through the provision of our services in accordance with our terms and conditions, through our clients’ and potential clients’ use of the website (https://www.currencysolutions.com/), through other direct communications between us and our clients or potential clients, or through third parties.

Reading this privacy notice will help you understand your privacy rights and choices. It explains how we look after your personal data when you visit our website and when you use our services, and how the law protects you.

Our website and services are not intended for children, and we do not knowingly collect data from individuals under 18 years of age. By using our services, you confirm that you are at least 18 years old.

If we become aware that we have collected personal information from a user under 18, we will take appropriate steps to close the account and promptly delete the data from our records.

It is important that you read this Privacy Policy alongside our Terms and Conditions and any other privacy or fair processing notices we provide when collecting or processing your personal data. This ensures you fully understand how and why we use your data.

This Privacy Policy supplements other policies and does not override them.

For ease of navigation, this policy is provided in a layered format, allowing you to click through to specific sections below. Please refer to the Glossary for explanations of key terms used in this notice.

2. Scope

Currency Solutions Limited, incorporated under the Laws of England and Wales, is the Controller of the personal data we collect from you.

We have appointed a Data Protection Officer (“DPO”) who is responsible for overseeing questions, inquiries or concerns related to this privacy policy or the processing of your Personal Data. If you have any questions about this Privacy Policy, including any requests on how to exercise your legal rights, please contact the DPO using the details set out below.

Our full details are:

Full name of legal entity: Currency Solutions Limited
Name or title of DPO: Iliana Keli
Email address: privacy@currencysolutions.com
Postal address: Unit A, 4th Floor Hobbs Court, 2 Jacob Street, London, SE1 2BG
Telephone number: +44(0) 20 7740 0000

How to complain:

If you have any concerns about how we handle your personal information or believe we are processing it unlawfully, you can contact us at privacy@currencysolutions.com or complaints@currencysolutions.com.

You also have the right to lodge a complaint with the relevant data protection authority:

● In the United Kingdom, you can contact the Information Commissioner's Office (ICO), the UK’s supervisory authority for data protection.

● If you are a resident of Cyprus, you can reach out to the Office of the Commissioner for Personal Data Protection, the data protection authority in the Republic of Cyprus.

We encourage you to reach out to us first so we can address your concerns.

UK's independent data protection authority:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO Website: https://www.ico.org.uk

Cyprus independent data protection authority:

Office of the Commissioner for Personal Data Protection.

Office Address: Kypranoros 15, Nicosia 1061, Cyprus

Postal Address: P.O. Box 23378, 1682, Nicosia, Cyprus

Tel: +357 22818456 Fax: +357 22304565

Email: commissioner@dataprotection.gov.cy

Website: https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/home_el/home_el?opendocument

3. Procedure

3.1. Changes to the privacy policy and your duty to inform us of changes

We may update this privacy policy from time to time to reflect changes in our practices or for other operational, legal or regulatory reasons. This version was last updated in July 2024. Prior versions can be obtained by contacting us. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information.

It is important that the personal data we hold about you is accurate, complete, and up to date. Please inform us promptly of any changes to your personal data during your relationship with us.

3.2. Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.

We do not control these third-party websites and are not responsible for their privacy statements.

When you leave our website, we encourage you to read the privacy policy of every website you visit.

3.3. The data we collect about you

Personal data or personal information means any information that can be used to identify a living person. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data means first name, maiden name, last name or similar identifier, marital status, title, date of birth, gender and any government issued identification numbers (e.g. passport number, driver’s licence number or national ID).

Contact Data means residential address, email address, telephone numbers (mobile, work, and/or home) and social media handles.

Financial Data means bank account details, transaction history and details, information about income, expenses or creditworthiness.

Transaction Data means details about payments to and from you and details of contracts you have entered into.

Usage Data means information about how you use our website, products and services, e.g. browsing history or interactions with our website, application or service, IP address, browser type, operating system.

Marketing and Communications Data means your preferences in receiving marketing from us and your communication preferences (such as opt-in or opt-out choices), responses to marketing campaigns, feedback, survey responses and reviews, and contact history regarding promotions, newsletters or customer service inquiries.

We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

We generally do not collect health data as part of our core operations. However, there are some specific situations where such data might be collected or processed, often related to regulatory compliance, risk management, or in very specific customer contexts such as:

Special Needs for Services: We may collect health data in specific instances where a client requires accommodations for health-related reasons. For example, if a person has a disability or health condition that affects their ability to use certain services, the company might collect relevant information to accommodate their needs.

Vulnerable Clients Economic Well-Being: We can process health data, without consent, where consent cannot be obtained for the reasons listed below:

(a) the customer cannot give consent, or

(b) where the controller is unable to obtain consent, or

(c) where obtaining consent would prejudice the provision of protection to that customer, and where

(d) a customer at ‘economic risk’ is defined in relation to individuals who cannot protect their economic well-being due to their physical or mental injury, illness or disability.

Employee Health Data: Currency Solutions Limited, like any other employer, might collect health data for employees, such as for health insurance or workplace accommodations. However, this would typically be handled separately under employment-related privacy regulations.

3.4. Third Party Providers & Sub-Processors

To provide our services, we may share your personal data with carefully selected third-party providers. These providers assist us in areas such as payment processing, identity verification, IT infrastructure, and analytics. We ensure that all third parties we work with comply with applicable data protection laws and maintain appropriate security measures.

We may engage third-party providers for the following purposes:

Payment Processing Providers – to facilitate secure transactions.

Cloud & Hosting Services – to store and process data securely.

Identity Verification & Compliance Services – to comply with regulatory requirements.

Customer Support & Communication Platforms – to provide assistance and improve user experience.

Analytics & Marketing Providers – to optimise our services and deliver relevant communications.

Some of these providers may be located outside the EEA. In such cases, we implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) or adequacy decisions, to ensure your data remains protected.

For more information on our data-sharing practices or to request a list of our current third-party providers, please contact us at privacy@currencysolutions.com.

3.5. If you fail to provide personal data

If we are required by law to collect personal data—such as to comply with GDPR, AML, KYC, or tax reporting obligations—or if it is necessary under the terms of a contract with you, and you fail to provide the requested data, we may be unable to:

● Meet our regulatory obligations, which could put us at risk of non-compliance.

● Perform our contractual duties, such as executing payments or processing transactions.

● Provide certain services to you.

As a result, you may lose access to our services, and we may need to terminate our contract with you. If this occurs, we will notify you at the time.

4. Controls and Evidence

4.1. How is your personal data collected?

We use different methods to collect data from and about you including through:

  • (a) Direct interactions. You may give us your Identity Data, Contact Data, Financial Data and Transaction Data and Marketing and Communications Data by filling in forms or by corresponding with us via our website or by post, phone, email or otherwise.
  • (b) Automated technologies or interactions. As you interact with our website, we may automatically collect Usage Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.
  • (c) Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:
    • (i) Identity Data, Contact Data, Financial Data and Transaction Data from our client who shares your personal data with us so that (a) you can use our services on their behalf; and (b) they can pay money to you (for example, for payment for goods and/or services if you are their supplier);
    • (ii) Usage Data from analytics providers such as Google;
    • (iii) Identity Data, Contact Data and Financial Data from electronic identity verification providers or credit check providers such as SmartSearch based inside the EU; and Veriphy based inside the EU.
    • (iv) Identity Data and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the EU.

4.2. How we use your personal data

We will only use your personal data when the law allows us to and we have a valid legal reason to do so. Most commonly, we will use your personal data in the following circumstances:

  • (a) where we need to perform the contract we are about to enter into or have entered into with you;
  • (b) where it is necessary for our Legitimate Interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
  • (c) where we need to comply with a legal or regulatory obligation.

Please see paragraph 4.3 (purposes for which we will use your personal data) to find out more about the types of lawful basis that we will rely on to process your personal data.

Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us using the details set out in paragraph 2.

4.3. Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and the lawful bases we rely on for processing this information under the UK General Data Protection Regulation (UK GDPR). We have also identified what our Legitimate Interests are where appropriate.

Note that we may use more than one lawful ground to process your data, depending on the specific purpose of processing. Please contact us using the details set out in paragraph 2 if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity | Type of data | Lawful basis for processing including basis of Legitimate Interest

Purpose/Activity: To register you or your employer / company as a new client
Type of data:
(a) Identity Data
(b) Contact Data
Lawful basis: Performance of a contract with your employer / company

Purpose/Activity: To process and deliver the services including:
(a) Manage payments, fees and charges
(b) Collect and recover money owed to us
The use of our services, including money transfers, may be subject to Know Your Client (KYC) and Anti-Money Laundering (AML) requirements. These regulations require us to collect and process specific information related to each transaction, including identity verification details and the source of funds.
To comply with these obligations, we may ask you to provide additional information, such as scans or images of identification documents (e.g., ID card, passport, Certificate of Incorporation (COI)).
By using our services, you represent and warrant that all information you provide is accurate, truthful, and not misleading.
Type of data:
(a) Identity Data
(b) Contact Data
(c) Financial Data
(d) Transaction Data
Lawful basis:
(a) Performance of a contract with you
(b) Necessary for our Legitimate Interests (to recover debts due to us)
We will retain your data, analyze it, store it in our systems, use it for valuation purposes, and maintain records of our interactions with you.
Additionally, we may transfer and share this data with official authorities or other entities involved in the transaction, in compliance with AML/KYC regulations.

Purpose/Activity: To execute payments on your behalf (send money to beneficiaries) and sell currency to fulfil contracts entered into between us and a client
Type of data:
(a) Identity Data
(b) Contact Data
(c) Financial Data
(d) Transaction Data
Lawful basis:
(a) Performance of a contract with you.
(b) Necessary for our Legitimate Interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(c) Necessary to comply with a legal obligation including Regulation (EU) 2015/847 on information accompanying transfers of funds (commonly referred to as the revised wire transfer regulation).

Purpose/Activity: To provide support for individuals with a particular disability or medical condition
Type of data:
(a) Health Data
Lawful basis: The processing of health data without consent is allowed under substantial public interest conditions and specific substantial public interest conditions.

Purpose/Activity: To manage our relationship with you which will include:
(a) notifying you about changes to our terms and conditions or privacy policy
(b) asking you to leave a review or take a survey
Type of data:
(a) Identity Data
(b) Contact Data
(c) Usage Data
(d) Marketing and Communications Data
Lawful basis:
(a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
(c) Necessary for our Legitimate Interests (to keep our records updated and to study how clients use our services)

Purpose/Activity: As a customer, we will send invoices and essential service-related materials using the contact details you provided during registration, such as email, SMS, or other approved communication channels. Marketing content will only be sent where permitted by law or with your explicit consent, which you can withdraw at any time. Further, we may send promotional and marketing emails and messages to you, to the extent we are allowed to do so under the applicable Law.
Type of data:
(a) Identity Data
(b) Contact Data
(c) Usage Data
(d) Marketing and Communications Data
Lawful basis:
(a) Performance of a contract with you
(b) Necessary for our Legitimate Interests (to study how clients use our services, to develop them and grow our business)
(c) In certain cases, we will only use your data for promotional purposes with your explicit consent. You may withdraw your consent at any time by contacting us or by unsubscribing through the designated option in our marketing messages.
We process this data based on our legitimate interest.
You may opt out at any time by clicking the “unsubscribe” link in our emails or by contacting us directly.
However, certain essential communications, such as invoices, will continue to be sent as they are necessary for our services.

Purpose/Activity: To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
Type of data:
(a) Identity Data
(b) Contact Data
(c) Usage Data
Lawful basis:
(a) Necessary for our Legitimate Interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation

Purpose/Activity: To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
Type of data:
(a) Identity Data
(b) Contact Data
(c) Usage Data
(d) Marketing and Communications Data
Lawful basis: Necessary for our Legitimate Interests (to study how clients use our services, to develop them, to grow our business and to inform our marketing strategy)

Purpose/Activity: To use data analytics to improve our website, products/services, marketing, client relationships and experiences
Type of data:
(a) Usage Data
Lawful basis: Necessary for our Legitimate Interests (to define types of clients for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

Purpose/Activity: To make suggestions and recommendations to you about goods or services that may be of interest to you
Type of data:
(a) Identity Data
(b) Contact Data
(c) Usage Data
(d) Marketing & Communications Data
Lawful basis: Necessary for our Legitimate Interests (to develop our products/services and grow our business)

Purpose/Activity: To send you a seasonal card or gift.
Type of data:
(a) Identity Data
(b) Contact Data
(c) Marketing & Communications Data
Lawful basis: Necessary for our Legitimate Interests (to develop our products/services and grow our business)

Purpose/Activity: If you apply for a job with us, we will collect the CV you upload, including your name, email address, phone number, education, skills, employment history, and photo (if provided).
Where permitted or required by law, we may also process diversity and inclusion data related to your application, such as ethnicity, gender, or disability status.
Additionally, we may gather further information from public sources, online platforms, references, and former employers, which may be combined with the data you provide.
Type of data:
(a) Identity Data
(b) Contact Data
(c) Recruitment Data
(d) Employment Data
(e) Diversity and Inclusion data
(f) Health Data
Lawful basis: We will process your data as part of our recruitment and screening process to assess your suitability for a position within the company.
Additionally, we may process your information to comply with corporate governance, legal, and regulatory requirements.
Once the recruitment process is complete, we will retain your data for internal record-keeping, including for potential legal defense against future claims.
If you are hired, your recruitment data may also be used for employment and corporate management purposes.
We will store, analyse, and maintain your data in our systems, use it to contact you regarding further recruitment steps (such as interviews), and keep records of our interactions.
We process this data based on our legitimate interest.
In certain cases, such as when we request health-related information or diversity and inclusion data, we will process your data based on your explicit consent, which you may withdraw at any time by contacting us.
We retain your data for record-keeping purposes and to protect against potential legal claims, in line with our legitimate interest.
If you are hired, your recruitment data may be retained as part of your employee record.

4.4 Marketing

We are committed to offering you control over how your personal data is used, especially in relation to marketing and advertising. We may use the personal data you provide to:

● Send you promotional emails, newsletters, and other marketing communications that we believe may be of interest to you.

● Keep you informed about new products, services, special offers, or events that are relevant to your preferences.

● Personalise your experience on our website and services to deliver tailored recommendations.

You have the right to opt out of receiving marketing communications at any time by contacting us or using the unsubscribe option in our messages.

4.5 Third-party marketing

We do not share, sell or rent your personal data to third parties for their own marketing purposes unless we have obtained your explicit consent.

However, we may share your personal data with trusted third-party partners who assist us in delivering marketing campaigns (e.g., email marketing platforms, advertising networks). These partners are contractually obligated to safeguard your data and use it only for the purpose of providing services to us.

We will get your express opt-in consent before we share your personal data with any company outside the CSL group of companies for marketing purposes.

4.6 Opting out

You have the right to opt out of receiving marketing communications at any time. To do so, you can:

● Click the “Unsubscribe” link included in our marketing emails.

● Update your communication preferences in your account settings.

● Contact us directly at privacy@currencysolutions.com

If you opt out of marketing communications, we will cease sending you marketing materials, but you may still receive non-promotional communications related to your account, transactions, or legal obligations. We will process all opt-out requests promptly, but it may take up to 7 (seven) days for certain preferences to be fully updated.

4.7 Cookies

We use cookies to enhance your experience while interacting with our website and utilising the services provided. We may use the following types of cookies:

● Essential Cookies: These are necessary for the website to function properly.

● Functional Cookies: These cookies help save your preferences, such as language or other display settings.

● Session Cookies: These support the website’s functionality during your browsing session and are deleted once you close your browser.

● Targeting Cookies: These cookies collect information to improve our services and deliver targeted advertisements that we believe are relevant to you (e.g., Google’s cookies).

● Analytics Cookies: These cookies gather aggregated and statistical data to help us improve and develop our services (e.g., Google Analytics).

Please be aware that the data collected via cookies may be linked and combined with other data, including Personal Data.

Additionally, cookies may be collected through third-party services, such as Google, Facebook, LinkedIn, etc. In these cases, your Personal Data may be transferred to these third parties, who may combine it with other information they hold about you. This data is processed and controlled by those third parties in accordance with their own terms and conditions and any direct accounts or subscriptions you have with them.

For more information about the cookies we use, please see https://www.currencysolutions.com/cookies-policy .

4.8 Change of purpose

We will only use your personal data for the purposes for which we collected or received it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the details set out in paragraph 2.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

5. Procedures Supporting this Procedure

5.1 Disclosures of your personal data

We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4.3 (purposes for which we will use your personal data) above.

(a) External Third Parties as set out in paragraph 6 (Glossary).

(b) Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

5.2 International transfers

At Currency Solutions Limited, we are committed to ensuring the security and confidentiality of your personal data. As part of our operations, your data may be transferred to, and processed in, countries outside of your own country, including countries that may not have the same level of data protection laws as those in your home country.

Some of our External Third Parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • (a) we will transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
  • (b) where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
  • (c) Where we use providers based in the United States, we may transfer data to them if they are certified under the EU-U.S. Data Privacy Framework, which ensures they provide an adequate level of protection for personal data shared between the EU and the U.S. For more information, please refer to the European Commission’s page on the EU-U.S. Data Privacy Framework.
  • (d) Where it is not possible to put the above arrangements in place, where necessary in order for us to comply with our contractual obligations to you where you have provided us with payment instructions and we have accepted them.

Safeguards for International Transfers

When transferring your personal data to countries outside of your home country, or the European Economic Area (EEA), we ensure that appropriate safeguards are in place to protect your data. These safeguards include:

Standard Contractual Clauses (SCCs): We may use legally-approved contractual agreements (e.g., SCCs) between us and our third-party service providers to ensure that your data is protected according to data protection laws.

Binding Corporate Rules (BCRs): For multinational companies, we may implement Binding Corporate Rules to protect data when it is transferred across borders within our corporate group.

Additionally, we may utilise other safeguards such as adequacy decisions (e.g., for countries recognised by the European Commission as providing an adequate level of protection) or, where applicable, the EU-U.S. Data Privacy Framework for transfers to the United States.

For more information on the specific safeguards we use when transferring your personal data outside the EEA, please feel free to contact us.

5.3 Data security

We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal data we process and prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and the Financial Conduct Authority (“FCA”) of a breach where we are legally required to do so.

5.4 Data retention

5.4.1 How long will you use my personal data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we have to keep basic information (including Identity Data, Contact Data, Financial Data and Transaction Data) about our clients, their directors, partners and ultimate beneficial owners and beneficiaries for five years after they cease being clients for the purpose of compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

We may retain your personal data for extended periods in the following circumstances:

(i) where required by legal, regulatory, tax, or accounting obligations;

(ii) to maintain an accurate record of your interactions with us in case of any complaints or disputes;

(iii) if we reasonably anticipate potential litigation involving your personal data.

Please note that, unless required by applicable law, we reserve the right to delete or modify data from our systems at our discretion when we determine it is no longer necessary for these purposes, without prior notice to you.

5.4.2 Data Destruction and Disposal

Data are managed and disposed of in a manner appropriate to the sensitivity of the information they contain. Before an official document is destroyed, written approval is given by the director or a senior officer of the Company or the DPO.

When a document is destroyed, appropriate care is taken to ensure that all personal and confidential information contained therein is permanently and securely destroyed and can never be restored. The destruction of hard copy personal data and confidential financial records is conducted by shredding. Non-confidential records may be destroyed by recycling.

The destruction of electronic records is coordinated with the Head of IT & Head of Product Development.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Information we hold which is controlled by third parties will be deleted in accordance with the agreement in place with that third party.

Information under our control which is held by third parties on our behalf must be destroyed in line with the Company’s data retention policy unless the agreement in place with that third party states otherwise. Contracts in place with third parties will include provisions requiring the deletion and destruction of information to make sure that unnecessary data is always deleted securely. Where the destruction is carried out by third parties, written verification of this destruction is obtained from the third party.

5.4.3 Your legal rights

Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:

  • (a) Request to access: (commonly known as a "data subject access request"). You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from. There are some exemptions, which means you may not receive all the information you ask for.

  • (b) Right to rectification: This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. To exercise your right you should inform the Company that you are challenging the accuracy of your data and want it corrected. You should: a) state clearly what you believe is inaccurate or incomplete, b) explain how the Company should correct it, and c) where available, provide evidence of the inaccuracies.

  • (c) Right to erasure: You have the right to ask us to erase your personal information in certain circumstances. You can exercise this right where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure.

  • (d) Right to object to processing: You have the right to object to the processing of your personal information at any time. This means that you can stop or prevent the Company from using your data. However, it only applies in certain circumstances, and the Company may not need to stop if it can give strong and legitimate reasons to continue using your data. An example of when you can exercise this right is when we are processing your personal data for direct marketing purposes. If you object, the Company cannot refuse your objection and must stop using your data for direct marketing purposes. However, this does not automatically mean that the Company needs to erase all your personal information. The Company may put you on a ‘suppression list’.

  • (e) Request restriction of processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances. You can ask the Company to temporarily limit the use of your data when we are considering: a) a challenge you have made to the accuracy of your data, or b) an objection you have made to the use of your data.

You may also ask the Company to limit the use of your data rather than delete it if: a) the Company processed your data unlawfully but you do not want it deleted, or b) the Company no longer needs your data but you want the Company to keep it in order to create, exercise or defend legal claims. If the Company believes that a request is, as the law states, “manifestly unfounded or excessive”, the Company can: a) request a reasonable fee to deal with the request, or b) refuse to deal with the request. In either case we will need to tell you and justify our decision.

  • (f) Right to data portability: You have the right to ask that we transfer the personal information you gave to us to another organisation, or to you, in certain circumstances. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. The Company must do this if the transfer is, as the regulation says, ‘’technically feasible’’.

  • (g) Right to withdraw consent: You have the right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time. If you wish for a third party to act on your behalf and withdraw consent, you will need to demonstrate to the Company that the third party has the authority from you to do so.

If you wish to exercise any of the rights set out above, please contact us using the details set out in paragraph 2. You can request to exercise any of your rights above verbally or in writing. If you make a request, we have one month to respond to you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

5.4.4 What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

5.4.5 Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

6. Security

We take extensive security measures to mitigate the risks of data damage, loss, unauthorised access, and misuse of personal data. Our practices for data collection, storage, and processing are designed with security tools to protect your personal data from unauthorised access, alteration, disclosure, or destruction. However, please be aware that no security system is entirely foolproof, and it is impossible to eliminate all potential threats to data and systems. As such, any processing of digital personal data carries inherent risks, and we cannot guarantee that our services and databases will be completely immune to incidents such as malfunctions, unauthorised access, malware attacks, or other forms of abuse and misuse.

7. Glossary

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

External Third Parties means:

  • (a) other payment service providers and intermediaries to which we send money to complete a payment, to comply with Regulation (EU) 2015/847 on information accompanying transfers of funds (revised wire transfer regulation).
  • (b) professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the United Kingdom and outside the UK (and in other jurisdictions where necessary in specific circumstances) who provide consultancy, banking, legal, insurance and accounting services.
  • (c) the FCA and HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.