Privacy Policy — CurrencyCloud

CurrencyCloud collects personal information through various channels to provide and improve our services. When you visit our website, we automatically collect certain technical data including your IP address, browser type and version, operating system, referring URL, pages visited, time spent on each page, and other diagnostic data. When you create an account or request a consultation, we collect information you provide directly, such as your full name, email address, phone number, company name, job title, and business details. For clients using our payment platform, we may also collect financial information including bank account details, transaction history, and identity verification documents as required by applicable anti-money laundering regulations. We collect this data through website forms, API interactions, cookies and similar tracking technologies, email communications, and phone or video consultations. We only collect data that is necessary for the specific purposes outlined in this policy, and we apply the principle of data minimization in all our data collection practices.

We use the personal information we collect for several clearly defined purposes. First, we use your data to provide, maintain, and improve our payment infrastructure services — including processing transactions, managing accounts, performing FX conversions, and delivering customer support. Second, we use contact information to communicate with you about our services, respond to inquiries, send important service updates, and provide technical support. Third, we use aggregated and anonymized data for analytics purposes to understand how our platform is used, identify performance improvements, and develop new features. Fourth, we use your information to comply with our legal and regulatory obligations, including anti-money laundering screening, sanctions checks, and financial reporting requirements. We may also use your data to send marketing communications about our products and services, but only with your explicit consent and with the ability to opt out at any time. We do not sell your personal information to third parties, and we do not use your data for automated decision-making or profiling that would have a significant effect on you without your knowledge and consent.

CurrencyCloud stores your personal data on secure servers located in the United Kingdom, European Union, and United States, operated by reputable cloud infrastructure providers that maintain the highest security certifications including SOC 2 Type II and ISO 27001. We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. For clients of our payment platform, we are required by financial regulations to retain certain transaction records and identity verification documents for a minimum period, which is typically 5-7 years after the end of the business relationship. Website visitor data collected through cookies and analytics is typically retained for up to 26 months. When data is no longer needed, we securely delete or anonymize it using industry-standard methods. We regularly review our data retention practices to ensure we are not holding personal information longer than necessary.

Depending on your jurisdiction, you may have a range of rights regarding your personal data. Under the UK GDPR, EU GDPR, and similar data protection laws, these rights typically include: the right to access your personal data and receive a copy of the information we hold about you; the right to rectification, allowing you to request correction of inaccurate or incomplete data; the right to erasure (also known as the 'right to be forgotten'), allowing you to request deletion of your personal data in certain circumstances; the right to restrict processing of your data; the right to data portability, allowing you to receive your data in a structured, machine-readable format; the right to object to processing of your data for certain purposes including direct marketing; and the right to withdraw consent at any time where processing is based on your consent. To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days and may ask you to verify your identity before processing your request. You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.

CurrencyCloud works with carefully selected third-party service providers to deliver our services effectively. These third parties may have access to your personal information only to the extent necessary to perform their specific functions on our behalf. Our third-party partners include cloud infrastructure providers (for hosting and data storage), payment processing partners (for executing international transactions), identity verification providers (for KYC and compliance checks), analytics providers (for website and platform analytics), email service providers (for communications), and customer support tools. We require all third-party service providers to enter into data processing agreements that obligate them to protect your data to the same standards we apply ourselves. We conduct regular due diligence on our third-party partners to ensure they maintain appropriate security measures and comply with applicable data protection laws. We do not share your personal data with third parties for their own marketing purposes without your explicit consent.

Protecting your personal information is a top priority at CurrencyCloud. We implement comprehensive technical and organizational security measures to safeguard your data against unauthorized access, alteration, disclosure, or destruction. Our security measures include encryption of data in transit using TLS 1.2+ and encryption of data at rest using AES-256; multi-factor authentication for all platform access; regular penetration testing and vulnerability assessments conducted by independent security firms; network segmentation and firewalls to isolate sensitive systems; continuous monitoring and logging of all system access and activities; employee security training and strict access controls based on the principle of least privilege; incident response procedures and a dedicated security team. CurrencyCloud maintains SOC 2 Type II certification and undergoes regular independent audits of our security controls. Despite our best efforts, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security. If we become aware of a data breach that affects your personal information, we will notify you and the relevant authorities in accordance with applicable laws.

CurrencyCloud's services are designed for businesses and are not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age. Our platform requires users to be legal adults and to represent a registered business entity. If we become aware that we have inadvertently collected personal information from a child under 18, we will take immediate steps to delete that information from our systems. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at [email protected] and we will promptly remove the data. We encourage parents and guardians to monitor their children's online activities and to help enforce this policy by instructing their children never to provide personal information through our website or services without parental permission.

CurrencyCloud reserves the right to update this Privacy Policy from time to time to reflect changes in our data practices, applicable laws, or our business operations. When we make material changes to this policy, we will notify you by posting the updated policy on our website with a revised 'last updated' date. For significant changes that materially affect how we process your personal information, we will provide additional notice through email or a prominent notice on our website prior to the changes taking effect. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of our website and services after any changes to this policy constitutes your acceptance of the updated terms. If you do not agree with the revised policy, you should discontinue use of our services and contact us to discuss the deletion of your personal data. Previous versions of this policy are available upon request by contacting [email protected].