“The issue of privacy is not for us simply a matter of business practice. It’s fundamental to human dignity” Gerald Levin
In this Policy, references to Privalgo or “we”, “us”, or “our” are references to Privalgo Limited. Our registered office is at 25 Eastcheap, London, EC3M 1DE. We are an electronic money institution authorised under the Electronic Money Regulations 2011. We are supervised by the Financial Conduct Authority (“FCA”) and are registered with the Information Commissioner’s Office (“ICO”).
The Types of Personal Data We Process?
Expanding on what we have said above, Personal Data is any information that can be used to identify you or that can be linked to you and which we have in our possession or control. Due to the nature of the services we provide, the types of personal data we process can be exceptionally varied. It may include:
The information you provide to us:
- Personal details (e.g. your name, date of birth, gender and employment details)
- Contact details (e.g. your address, email, landline number and mobile number)
- Information about your identity (e.g. your nationality, passport information, drivers licence and National Insurance number)
- Your bank details (e.g. your account name, number and sort code)
- Details of other trades you may have with other foreign exchange providers and which you provide us with or input into our system for comparison purposes
Information we collect about you:
- Transactional information (e.g. details about your accounts, trades executed by you, payments made to and from your accounts but also information in relation to suspicious and unusual activities)
- Communication records (e.g. emails and records of telephone conversations)
- Publicly available information (e.g. information made available on websites such as Linkedin)
- Information from investigatory agencies (e.g. anti-money laundering reports, credit reports, external intelligence reports and other due diligence reports)
- Risk rating information (e.g. credit risk rating and transactional behaviour)
In some very limited circumstances, we may collect and/or process special categories of Personal Data. This could include information about your health, racial or ethnic origin, religious, philosophical or political beliefs, trade union membership, sex life or sexual orientation, genetic information or biometric data. In such circumstances, we take particular care to only process such data in accordance with strict legal parameters.
How We Collect Personal Data?
At various different stages in our interaction with you or in relation to our dealings with you, we may collect Personal Data. These can include:
- When you register with us online, subscribe to our services, fill in forms (whether physically or on our website), by corresponding with us (by telephone or email), or in any documents you provide us with
- From feedback provided by you in relation to our services and/or website
- From various third parties including
- Our partners (e.g. individuals or companies who introduce you to us)
- Our clients (e.g. if you are a third party payee and we are making a payment to you)
- Credit reference agencies (e.g. Equifax and Experian)
- Fraud prevention agencies (g. Cifas)
- Identity verification agencies (g. GBGroup)
- Government and law enforcement agencies (e.g. Companies House, HMRC and NCA)
How We Use Personal Data?
We use it to:
- Provide foreign exchange and related services to you or our client
- Engage in marketing and business development activity in relation to our services
- Discharge our legal and regulatory obligations
- Establish, exercise or defend our legal rights or for the purpose of legal proceedings
- Record and monitor your use of our websites or our other online services for business purposes which may include analysis of usage, measurement of site performance and generation of marketing reports
- Share with our professional advisors
- Share with a prospective buyer or seller in the event that we buy or sell any business or assets, or substantially all of our assets are acquired by a third party
- Undertake legitimate business interests, such as business research and analysis, managing the operation of our websites and our business
- Look into any complaints or queries you may have
- Prevent and respond to actual or potential fraud or illegal activities
We should also mention that we may, at times, collate, process and share any statistics based on an aggregation of information held by us provided that neither you nor any individual is identified from the resulting analysis and the collation, processing and dissemination of such information is permitted by law.
The basis for Processing Personal Data?
Now for the legal bit. We will only process your Personal Data where we have a lawful basis for doing so. Our lawful basis will be one of more or the following:
- Consent – if we have obtained your consent to use your Personal Data. You can withdraw your consent by contacting us at any time
- Performance of a contract – we may need to collect and use your Personal Data for the performance of a contract to which you are a party or in order to take steps at your request prior to entering a contract
- Legitimate interest – we may use your Personal Data as is necessary for the purposes of pursuing our legitimate interests (this includes carrying out the business of providing foreign exchange and related services and pursuing our general business interests)
- Compliance with law or regulation – we may use your Personal Data as is necessary to comply with applicable law/regulation
Sharing Information with Third Parties
In providing services to our clients and in complying with our legal obligations, we may share your Personal Data, insofar as we are permitted by law to do so, with the following:
- Third party agents/suppliers or contractors, bound by obligations of confidentiality, in connection with the processing of your Personal Data for the purposes described in this Policy. This may include IT service providers (e.g. providers of software as a service, data room and server providers and communications service providers)
- Third parties relevant to the services we provide which may include our counterparties, other professional advisers, service providers, regulators, authorities, governmental institutions and stock exchanges; and/or
- A designated third party to the extent that we are required by law, regulation or court order to disclose your Personal Data
Transfers to EEA
We may be required to transfer Personal Data to other countries outside the European Economic Area (“EEA”) (e.g. when reporting to foreign authorities). In these cases, we will ensure our actions comply with the data security standards set out in GDPR. We will also take all reasonable steps to ensure that your Personal Data is stored securely and is not passed on or sold to a third party for marketing purposes.
Where the Personal Data is transferred to and stored at a destination outside the EEA, it may be processed by staff operating outside the EEA who work for one of our suppliers. Such staff may be engaged in, among other things, the provision of support services. By submitting your Personal Data you agree to this transfer, storing or processing. We will take reasonable steps to ensure that your Personal Data is treated securely and in accordance with this Policy.
Transmission and Keeping Your Information Safe
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted to our website. Any transmission by you of your Personal Data is made at your own risk.
Once we have received your Personal Data, we will use strict procedures and security features, in line with the standards set out in the GDPR, to try to prevent unauthorised access.
How Long We Keep your Information
Whenever we collect your Personal Data, we will only keep it for as long as necessary for the purpose for which it was collected. This will vary and depend principally on:
- The purpose for which we are using your Personal Data. For example, if we collect your Personal Data so that we can provide foreign exchange services to you, we will keep your Personal Data for as long as we continue to do so; and
- Legal obligations – the laws and regulations to which we are subject, set minimum periods for which we have to keep your Personal Data. Again, by way of example, the Money Laundering Regulations 2017 and the Companies Act 2006, required us to hold your Personal Data up to a maximum of 6 years after our business relationship with you ends
In all cases, at the end of the relevant retention period, your Personal Data will either be deleted or anonymised to ensure that it can no longer identify you.
What Are Your Rights?
You have certain rights in relation to your Personal Data and we will use our best endeavours to respect any requests from you to exercise them.
You may request access to your Personal Data by sending us a Subject Access Request (SAR). Once we have confirmed your identity, we will comply with your SAR free of charge within 30 days, unless we deem the request to be unfounded or excessive. In this case, we will contact you and explain why we have decided not to action your request.
You may request that we correct the Personal Data we hold on you when it is incorrect, out of date, or incomplete.
You may request that we destroy, delete or discontinue using your Personal Data when it is no longer necessary for the purpose we originally collected it (subject always to our legal or regulatory right to retain your Personal Data (explained above)).
You may request that we stop processing your Personal Data when you contest its accuracy or the lawfulness of the processing.
Whenever you have given us your consent to use your Personal Data, you have the right to change your mind at any time and withdraw your consent.
In cases where we are processing your information on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual circumstances. We will do so unless we believe we have a legitimate overriding reason to continue processing your information.
You have the right to stop our use of your information for direct marketing activities. To do so, all you need do is log on to Your Account and reset your marketing preferences.
Submitting a request
You can request to exercise these rights at any time by contacting us at firstname.lastname@example.org
To protect the confidentiality of your information, we will always ask you to verify your identity before proceeding with any request you have made. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
If we choose not to action your request we will explain to you the reasons for our refusal.