Manor FX Privacy Policy

This privacy policy explains who we are, what data we collect and how we process your data. It also explains how you can access, update and delete your data, and how to amend your communication preferences. Finally this privacy policy explains the measures we have taken to protect your data. 

Introduction

It is our aim to be transparent and to provide accessible information about how we process and use your personal data, in line with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 1998 (DPA).

Who we are

Manor FX is a trading name of Leftover Currency Limited, company number 09026053 registered in England and Wales. Our registered office address is Unit 1 Portland Business Centre, Manor House Lane, Datchet, Berkshire SL3 9EG, United Kingdom.

How to contact us

You can contact us via email on hi@manorfx.com or by telephone: 0800 030 9499 is our freephone number. Our office hours are from Monday to Friday 9am to 5pm GMT and Saturday from 10am to 5pm.

What types of data do we collect

We collect four types of data:

  1. Data about your visit(s) to our website
  2. Data about your interactions with us via email and telephone
  3. Data about the order(s) you create
  4. Data about the processing and fulfillment of your order(s)

In what follows we will discuss these four data types in more detail. For each data type we will answer these six questions:

  1. What data do we collect?
  2. What is the legal basis for processing this data?
  3. Will we share the data with any third parties?
  4. How do we use the data?
  5. How long do we store the data?
  6. What rights do I have regarding my data?

We aim to answer these questions in clear and plain language. However if anything is unclear, please do not hesitate to contact us.

1. Data about your visit(s) to our website

1a. What data do we collect?

To track and report on website traffic, we use Google Analytics, a web analytics service offered by Google. No personal information is stored in Google Analytics or shared with Google. We have taken the following measures to ensure this:

  • No personally identifiable information is present in page titles, URLs, event actions or other dimensions.
  • We have enabled the feature to anonymise IP addresses in Google Analytics.
  • We do not use remarketing or advertising reporting features.
  • We do not use demographics and interest reports.
  • We do not use the Google Analytics User-ID feature or any pseudonym identifiers.

Our website is hosted by Vultr, a global cloud hosting service provider. Vultr collects data about your website visit(s), including your IP address, visited pages with a timestamp, browser type, operating system and other data. A full list of the information that Vultr collects can be found here: https://www.vultr.com/legal/gdpr/

When you visit our website for the first time, a message will appear about how we use non-invasive cookies to improve your experience. When you accept the use of cookies, we will store small pieces of data, known as cookies, on your device during your visit. The cookies we use are designed to make your visit to our website easier and more user-friendly. We don’t store any personally identifiable information in cookies, nor do the third parties we work with. The following plugins and applications can store cookies on your device when consent has been granted:

  • Google Analytics: a web analytics service by Google
  • Vultr: our hosting provider
  • WooCommerce: a plugin for e-commerce on WordPress websites, by Automattic
  • WordPress: a blogging and website content management system, by Automattic
  • GDPR cookie consent: the plugin that triggers the cookie consent notice and remembers your choice, by WordPress

1b. What is the legal basis for processing this data?

For tracking and reporting website traffic, no personal information is stored or shared. Therefore no consent is required.

Storing IP addresses, visited pages and a timestamp in a server log is a common practice designed to prevent fraud. As a registered bureau de change we are required to have processes in place to prevent fraud, money laundering and terrorist financing from occurring. This is a legitimate interest and therefore no consent is required.

Before storing cookies on your device we will seek your consent for this. If you want to opt out click here and follow the guide on how to allow, delete or reject cookies for your specific browser. This may affect the basic functionality of our website.

1c. Will we share the data with any third parties?

Tracking data is shared with Google Analytics, owned by Google, who is the data processor. None of the data shared with Google contains personal information. This page shows Google’s actions to comply with EU GDPR: https://privacy.google.com/businesses/compliance/

For server logs our data processor is Vultr. This page explains Vultr’s actions to comply with EU GDPR: https://www.vultr.com/legal/gdpr/

The third parties that store cookies on your device have access to the content of these cookies. We require the third parties that store cookies on your device to be fully compliant with EU GDPR. Here is more information about how they comply with EU GDPR:

We do not share data about your visit with any other third parties.

1d. How do we use the data?

We use the tracking data in Google Analytics to monitor website traffic and to understand how our visitors interact with the website. Based on these findings we optimise our website, making it more user friendly.

We use the IP addresses, visited pages and timestamp stored in server logs for the following purposes:

  • To identify linked transactions that have been deliberately broken into smaller transactions to avoid customer due diligence checks.
  • To protect our website against hackers, scammers and spammers.

The cookies stored by third parties we work with serve to make the plugin or functionality work. The types and purposes of cookies stored are explained in detail here:

1e. How long do we store the data?

Google Analytics retains user-level and event-level data associated with cookies for 14 months. After this, data is deleted automatically on a monthly basis. Server logs on Vultr are kept for up to 6 months, after which they are deleted automatically. Information about how long each cookie is stored for can be found here:

1f. What rights do I have regarding my data?

Under the rules of EU GDPR you have the right to access, update and delete your data. Regarding Google Analytics data: No personal information is stored in Google Analytics or shared with Google. For this reason it is not possible to access, update or delete your data since we only see aggregated values and we cannot identify which data is yours. It is however possible to opt out from Google Analytics tracking. If you do so, Google Analytics will not include your session data in our website traffic reports. To do so, you need to install the free Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout

Regarding cookies: You have the right at any time to change your consent for cookies. Here’s how to do this:

  1. Delete your cookies: https://www.pcworld.com/article/242939/how_to_delete_cookies.html
  2. Follow the guide here on how to reject cookies

Regarding server logs: For the purpose of preventing fraud we need to store the server logs for 6 months, after which they will be automatically deleted. It is not possible to change or delete server log data prior to the 6 months period ending. It is however possible to request to access your data in the server logs. Please contact us if you would like to do so.

2. Data about your interactions with us via email and telephone

2a. What data do we collect?

When you choose to contact us via email or by telephone, we receive and retain data.

If you contact us via email, we receive the following data:

  • Your email address and any extra email addresses included in the TO or CC fields
  • The display name that email recipients see. In most cases this is your first name and last name.
  • The content in the email subject line, body and any attachments
  • The email header, including timestamp and your IP address. For more information about what an email header is, please read this: https://whatismyipaddress.com/email-header

This information is received and stored in our webmail clients Gmail, part of G Suite, developed by Google, and Zoho Mail. 

If you call us by telephone, or leave a voice message, we receive the following data:

  • Your telephone number, unless you withhold it.
  • The date, time and length of your call. This information is stored in the call log.
  • The information you provide us during the call. We do not record calls. We may take down information on a piece of paper during the call.

If you send us a text message, we receive the following data:

  • Your telephone number, unless you withhold it.
  • The content of your text message and any attachments.

This data is held on the mobile phone device we use to receive calls.

2b. What is the legal basis for processing this data?

When customers contact us via email or by telephone, they expect that we receive the message and send a reply. The information we collect, such as email addresses and telephone numbers, serves this purpose.

Our internal email retention and deletion policy ensures that we comply with the EU GDPR’s data minimisation and storage limitation principles.

2c. Will we share the data with any third parties?

Emails are stored in our webmail clients Gmail and Zoho Mail. We have selected Gmail and Zoho Mail as our preferred email hosting providers because of their enhanced data integrity and security. Zoho Mail is fully compliant with the EU GDPR: https://www.zoho.com/gdpr.html, as is Google: https://cloud.google.com/security/gdpr/ 

Our calls and text messages are delivered by BT. This document describes the actions that BT has taken to be compliant with EU GDPR: https://business.bt.com/gdpr-information/

We will not share data about your interactions with us via email and telephone with any other third parties, except if we are legally required to do so. Examples in which we may have to share your data include when we are approached by HMRC or law enforcement services.

We will never share your data with third parties for marketing purposes.

2d. How do we use the data?

The data we collect by interacting with our customers via email and phone is used to answer our customers’ queries and to help them to buy or sell travel money.

We will never use the collected contact data for marketing purposes. We will never use our customers’ contact details to send unsolicited messages or make unsolicited calls.

2e. How long do we store the data?

Our internal email retention and deletion policy ensures that we comply with the EU GDPR’s data minimisation and storage limitation principles. We categorise emails into groups and have a policy in place to only store emails for as long as necessary. If your interaction with us involves money exchange, we are legally required to store the data for five years.

Voice messages are deleted weekly. Call logs and text messages are deleted on a monthly basis. If, during a call or while listening to your voice message, we write down personal information on a post-it or a piece of paper, we will make sure to dispose of it safely directly afterwards. We use the services of Shred it for secure shredding services: https://www.shredit.co.uk/en-gb/home

2f. What rights do I have regarding my data?

You have the right to access your data: Contact us to receive a list of the information we store about your interactions with us via email and telephone. You have the right to request a change to your data if you believe that the data about your interactions with us via email and telephone is not correct or incomplete.

If your interaction with us does not involve money exchange, you can ask us to delete the data about your interactions with us via email and telephone. If your interaction with us does involve money exchange: Under anti-money laundering regulations we are legally required to keep records of interactions with our customers for five years. For this reason it is not possible to request us to delete the data about your interactions with us via email and telephone, prior to the completion of this five-year period. 

3. Data about the order(s) you create

3a. What data do we collect?

When you create an online order to buy or sell travel money, we collect the following data:

  • Amount(s) per currency purchased or sold
  • Exchange rate(s) applied 
  • Order total
  • Delivery method selected: Collection or home/office delivery
  • Delivery date
  • Delivery address
  • First name
  • Last name
  • Date of birth
  • Home address
  • Email address
  • IP address
  • Phone number (optional)
  • Payment method
  • For payments by bank transfer: bank account owner
  • If the bank account owner is a third party: reason why the payment is made from this account
  • For orders where the customer sells travel money and receives payment by bank transfer: bank account holder, account number, sort code, bank name
  • Read and accepted terms and conditions (Y/N)
  • Read and accepted privacy policy (Y/N)
  • Time stamp when order was submitted
  • Unique reference number generated when order was submitted

In addition, we may collect the following data for due diligence purposes, to comply with anti-money laundering regulations: 

  • Image of picture ID (such as passport, driving license, national ID card)
  • Image of proof of address
  • Image of proof of funds
  • Job title
  • Name of employer
  • Information about reasons for transaction
  • Information about source of funds
  • Linked transactions

3b. What is the legal basis for processing this data?

All of the information collected is required to fulfil your order and to comply with legal obligations under anti-money laundering regulations. 

3c. Will we share the data with any third parties?

We don’t share data about the orders you create with any third parties. The only exception is if we are asked to share data with HMRC or law enforcement agencies. In that case we will comply, as we are required to do under anti-money laundering regulations.

When an order is created, a receipt is generated by the plugin ‘PDF invoice’, developed by WooCommerce, part of Automattic. We don’t share the order data with Automattic, but we use their plugin to create the receipt. Any bank account information is replaced by Xs, so that only the last three digits of an account number are shown. Automattic is compliant with EU GDPR as described here: https://automattic.com/automattic-and-the-general-data-protection-regulation-gdpr/

When the receipt is created, we email it to you and we email a copy to ourselves. Emails are sent and stored in our email clients Gmail and Zoho Mail. We don’t share order data with Google and Zoho Mail, but we use their applications to send and store the emails. Zoho Mail is compliant with EU GDPR as described here: https://www.zoho.com/gdpr.html. Google is compliant with EU GDPR as described here: https://cloud.google.com/security/gdpr/

3d. How do we use the data?

The data about the order(s) you create is used to fulfill your order(s). We have taken care to only collect data that is necessary to fulfill your order, while complying with our legal obligations under anti-money laundering regulations.

We may contact you if we need extra information to fulfil your order(s), or to update you about the progress of your order(s). We will not contact you about anything that is not related to your order(s).

3e. How long do we store the data?

The data about the order(s) you create is stored for:

  • Five years if you complete your order. This is the case if we
    • receive your payment (if you buy currency)
    • receive your currency (if you sell currency)
  • Three months if you don’t complete your order. 

When you complete your order, anti-money laundering regulations (MLR) apply. Under MLR we are required to keep customer data for five years. This is explained in more detail in the next part ‘Data about the processing and fulfillment of your order(s)’.

3f. What rights do I have regarding my data?

You have the right to access and/or change your data. If you want to access and/or change the data about the order(s) you created, please contact us. You have the right to ask us to delete your data. We will delete your order when you ask us to delete it, except when you have completed your order(s), in which case we need to store your data for five years under anti-money laundering regulations.

4. Data about the processing and fulfilment of your order(s)

4a. What data do we collect?

When we process your orders we collect the following data:

  • Data about status updates for your order. These statuses reflect whether payment for your order has been received/sent, whether due diligence has been completed, whether the order has been dispatched/received, and whether it was cancelled/refunded/put on hold. Each of the status updates has a time stamp and the name of the staff member that made the status update.
  • Messages left by staff regarding the processing and fulfillment of your order
  • If you sold us currency: results of the count of the currency, and a description of any discrepancies if there are any
  • Tracking and delivery information
  • Data about payments received by bank transfer: sort code, account number, reference, time stamp, account holder name

In addition, we may collect the following data for due diligence purposes, to comply with anti-money laundering regulations: 

  • Further (enhanced) due diligence information, cross-checking and adding to the information you provided

4b. What is the legal basis for processing this data?

We are legally required to keep data about the processing and fulfillment of your order(s) under the Money Laundering Regulations: https://www.gov.uk/guidance/money-laundering-regulations-your-responsibilities

4c. Will we share the data with any third parties?

When we are asked to share data with HMRC or law enforcement agencies, we will comply, as we are required to do under the Money Laundering Regulations.

For performing due diligence checks we use a tool called GBG ID3global by identity data intelligence firm GBG: https://www.gbgplc.com/uk/what-we-do/supporting-gdpr/ For enhanced due diligence checks we may also use the services of Compliance Assist Limited: https://www.complianceassist.co.uk/privacy-policy.

If you sold us currency: In order to send you payment via bank transfer we need to share the following information with our bank, BFC bank: account holder’s name, account number, sort code, order value, reference. We may also share data with BFC bank if their compliance team has labelled a transaction as possibly suspicious and asked us for more information. BFC bank’s privacy policy can be found here: https://www.bfcbank.co.uk/privacy-policy/

4d. How do we use the data?

We use the data to help us process and fulfill your order, and for compliance and accounting purposes.

4e. How long do we store the data?

We are legally required to store information about processing and fulfillment of your order(s) for a period of five years. After five years we will delete the data on a monthly basis. We will delete all electronic data, as well as offline data (e.g. on paper). For destroying offline data we use the services of Shred it: https://www.shredit.co.uk/en-gb/home

4f. What rights do I have regarding my data?

You have the right to access your data. If you want to access the data about the processing and fulfillment of order(s) then please contact us. If the data is not accurate then you have the right to update your data.

Your rights

Under the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information we hold about you. You can read more about these rights here – https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/

Complaints and concerns

We do our best to meet the highest standards when collecting and processing your personal data. However if you want to file a complaint or report a concern, you can do so on the website of the Information Commissioner’s Office (ICO) https://ico.org.uk/concerns

Leftover Currency Limited is an organisation that processes personal information and is therefore required to pay an annual fee to the ICO. You can find Leftover Currency Limited on the online register of fee payers here: https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/

External links

On occasion we include links to third parties on our website. Although we carefully select any external links on our website, where we provide an external link it does not mean that we endorse or approve that site’s Privacy Policy. Customers should review any external site’s Privacy Policy before providing any personal data. 

Latest update

This Privacy Policy was last updated on 19 September 2019.