Privacy Policy

Introduction
This Privacy Policy was initially established on 12 May 2015, with some updates made over time to improve our services. The most recent update occurred on 15 November 2024, which reflects a change in our hosting partner from SiteGround to Vultr. Our goal is to be transparent and provide clear information regarding how we process and use your personal data.

What Types of Data We Collect
We collect four categories of data:

1. Data about your visit to our website
2. Data about your interactions with us via email, contact form, and telephone
3. Data about the orders you place
4. Data related to the processing and fulfillment of your orders

We will explain each of these data types in more detail below. For each type of data, we will answer the following six questions:

1. What data do we collect?
2. What is the legal basis for processing this data?
3. Will we share the data with any third parties?
4. How do we use the data?
5. How long do we store the data?
6. What rights do I have regarding my data?

1. Data About Your Visit to Our Website

1a. What Data Do We Collect?
To monitor and report on website traffic, we use Google Analytics, a web analytics service provided by Google. No personal information is stored in Google Analytics or shared with Google. We have taken the following measures to ensure this:

• No personally identifiable information is included in page titles, URLs, event actions, or other dimensions.
• We have enabled IP anonymization in Google Analytics.
• We do not use remarketing or advertising reporting features.
• We do not use demographics and interest reports.
• We do not use the Google Analytics User-ID feature or any pseudonym identifiers.

Our website is hosted by Vultr, a leading web hosting service provider. Vultr stores IP addresses, visited pages, and timestamps in their server logs.

When you visit our website for the first time, a notification will appear informing you of how we use non-invasive cookies to enhance your experience. If you accept the use of cookies, we will store small pieces of data (cookies) on your device during your visit. The cookies we use are intended to make your experience on our website more convenient and user-friendly. For example, a cookie may be used to remember your preferred payout currency. We do not store any personally identifiable information in cookies, nor do any third parties we work with.

The following plugins and applications may store cookies on your device once consent has been granted:

• Google Analytics: A web analytics service by Google
• WooCommerce: A plugin for e-commerce on WordPress websites, by Automattic
• WordPress: A content management system by Automattic
• WPML: A translation plugin for multilingual websites on WordPress
• Cookie Consent Plugin: A plugin that displays the cookie consent notice and remembers your choice
• HubSpot: A CRM software plugin for managing customers

1b. What Is the Legal Basis for Processing This Data?
No personal information is stored or shared in Google Analytics, so no consent is required for this tracking.
Storing IP addresses, visited pages, and timestamps in server logs is a standard practice to prevent fraud. As a registered bureau de change, we must have systems in place to prevent fraud, money laundering, and other financial crimes. This is in our legitimate interest, and as such, consent is not required.

Before we store cookies on your device, we will request your consent. If you choose to opt out, we will not place cookies on your device, although this may affect certain basic functions of our website.

1c. Will We Share the Data with Any Third Parties?
The tracking data is shared with Google Analytics, which is owned by Google, a data processor. None of the data shared with Google contains personal information. You can learn more about Google’s data processing practices here.

For server logs, the data processor is Vultr. You can read more about Vultr’s data processing practices here.

The third parties that store cookies on your device can access the content of these cookies. We require these third parties to be fully compliant with data protection laws. You can find more information about how they comply with privacy regulations:

• Google Analytics: Google Privacy Policy
• WooCommerce: Automattic’s GDPR Compliance
• WordPress: Automattic’s GDPR Compliance
• WPML: WPML Privacy Policy
• Cookie Consent Plugin: Automattic’s GDPR Compliance
• HubSpot: HubSpot Cookie Policy

We do not share data regarding your visit with any other third parties.

1d. How Do We Use the Data?
We use the tracking data in Google Analytics to analyze website traffic and understand how visitors interact with our site. This helps us optimize our website to improve user experience.

We use IP addresses, visited pages, and timestamps stored in server logs for the following purposes:

• To identify attempts to split transactions into smaller amounts to bypass customer due diligence checks.
• To protect our website from hackers, scammers, and spammers.

The cookies stored by third parties we work with help ensure the proper functioning of their plugins or services. The types and purposes of these cookies are explained in detail here:

• Google Analytics: Cookie Usage
• WooCommerce: WooCommerce Cookies
• WordPress: WordPress Cookies
• WPML: WPML Cookies
• HubSpot: HubSpot Cookies

1e. How Long Do We Store the Data?
Google Analytics retains user-level and event-level data for up to 14 months. After this, data is automatically deleted on a monthly basis. Server logs stored by Vultr are kept for six months, after which they are automatically deleted.

For more details about cookie storage duration, please refer to the following:

• Google Analytics: Cookie Usage
• WooCommerce: Cookies are stored for 24-48 hours, depending on the type.
• WordPress: WordPress Cookies
• WPML: WPML Cookies
• HubSpot: HubSpot Cookies

1f. What Rights Do I Have Regarding My Data?
You have the right to access, update, or delete your data. Regarding Google Analytics data: Since no personal information is stored or shared with Google, it is not possible for us to access, update, or delete your data. We only see aggregated values and cannot identify which data is yours. However, you can opt out of Google Analytics tracking by installing the free Google Analytics Opt-out Browser Add-on: Google Opt-out.

Regarding server logs: To prevent fraud, we store server logs for six months. After this period, the logs are deleted automatically. It is not possible to change or delete data from the logs during this time. However, you can request access to your data in the server logs. Please contact us if you would like to request access.

Regarding cookies: You have the right to change your consent for cookies at any time. To do so, you can:

• Delete your cookies: How to Delete Cookies

2. Data About Your Interactions with Us via Email, Contact Form, and Telephone

2a. What Data Do We Collect?
When you contact us via email, the contact form on our website, or by telephone, we collect and retain certain data.

• Email: If you contact us via email, we receive the following information:
  • Your email address and any additional email addresses in the “TO” or “CC” fields.
  • The display name that email recipients see, which is typically your first and last name.
  • The content in the email subject line, body, and any attachments.
  • The email header, including the timestamp and your IP address. For more information on email headers, please refer to this link.
  This information is stored in our webmail client, Zoho Mail.
• Contact Form: If you contact us via the form on our “Contact Us” page, we collect the following data:
  • Your name and email address as provided in the form fields.
  • The subject and message you submitted. Contact form submissions are converted into emails using the WordPress plugin Contact Form 7 and stored in Zoho Mail.
• Telephone: If you call us by phone or leave a voicemail, we collect:
  • Your telephone number, unless withheld.
  • The date, time, and length of your call, which is stored in the call log.
  • The information you provide during the call. We do not record calls, but may take notes on paper during the conversation.
• Text Messages: If you send us a text message, we collect:
  • Your telephone number, unless withheld.
  • The content of your text message and any attachments. This data is stored on the mobile phone we use to receive calls.

2b. What Is the Legal Basis for Processing This Data?
When customers contact us via email, contact form, or telephone, they expect us to receive and respond to their inquiries. The information we collect, such as email addresses and telephone numbers, is necessary for this purpose.

For messages sent through the contact form on our website, we will request your consent prior to submission via our third-party plugin, Contact Form 7.

Our internal email retention and deletion policy ensures that we adhere to principles of data minimization and storage limitation.

2c. Will We Share the Data with Any Third Parties?
Emails are stored in our webmail client, Zoho Mail, which is our chosen email hosting provider. Zoho Mail has been selected for its enhanced data security and integrity. Zoho Mail is fully compliant with data protection standards: Zoho Mail GDPR Compliance.

Messages sent via the contact form are converted into emails by the WordPress plugin Contact Form 7. We only collect essential data through Contact Form 7, including your name, email address, subject line, and message content. You can find more about Contact Form 7’s data protection measures here.

Our calls and text messages are managed by BT. You can read more about BT’s data protection practices here.

We will not share data about your interactions with us via email, contact form, or telephone with any other third parties unless we are legally required to do so. This could include situations where we are approached by authorities like HMRC or law enforcement services.

We will never share your data with third parties for marketing purposes.

2d. How Do We Use the Data?
The data we collect through email, contact form, and phone interactions is used to respond to your inquiries and assist with exchanging your leftover currency.

We will not use this contact data for marketing purposes, nor will we send unsolicited messages or make unsolicited calls.

2e. How Long Do We Store the Data?
Our internal email retention and deletion policy ensures we comply with principles of data minimization and storage limitation. Emails are categorized and stored only as long as necessary. If your interaction involves a currency exchange, we are required to keep the data for five years.

Voice messages are deleted weekly. Call logs and text messages are deleted monthly.
If we take notes on paper during a call or voice message, we ensure that these are securely discarded immediately after use. We use Shred-it for secure document disposal: Shred-it Services.

2f. What Rights Do I Have Regarding My Data?
You have the right to access your data. Please contact us if you would like to receive a list of the information we store about your interactions with us via email, contact form, or telephone.

If the data about your interactions with us is incorrect or incomplete, you have the right to request corrections.

If your interaction did not involve a currency exchange, you may request that we delete the data related to your email, contact form, or telephone communication. However, if the interaction involved a currency exchange, we are legally required to retain this information for five years due to anti-money laundering regulations. As such, data related to such interactions cannot be deleted before this period concludes.

3. Data About the Order(s) You Create

3a. What Data Do We Collect?
When you create an online order to exchange and receive payment for your leftover currency, we collect the following information via the form on our website:

• Preferred payout currency (GBP, USD, EUR)
• Content of online wallet: quantity, buy rate, and value for each banknote/coin
• Title (optional)
• First name
• Last name
• Address
• Email address
• Phone number (optional)
• Order notes: any additional information provided in the text field (optional)
• Preferred payout method (direct bank transfer/cheque/paypal/donate to charity)
• Payment details:
  • If the payout method is direct bank transfer: bank account details
  • If the payout method is cheque: full name of the payee
  • If the payout method is PayPal: email address for PayPal
  • If the payout method is a donation to charity: selected charity to receive the donation
• Confirmation that terms and conditions have been read and accepted (Y/N)
• Option to receive reminder email (Y/N)
• Option to receive an invitation to review our service (Y/N)
• Timestamp when the order was submitted
• Unique reference number generated when the order was submitted

Creating an Account:
During the order creation process, you have the option to create an account. By creating an account, you can log in for future orders and avoid re-entering your details. Creating an account is entirely optional. If you create an account, we will collect the following additional information:

• Username: This will be your email address
• Orders created by you
• Lifetime order value

3b. What Is the Legal Basis for Processing This Data?
We collect this data to fulfill your order. By creating an order, you indicate that you intend to exchange the currency in your online wallet and receive payment through your preferred method.

The collected data allows us to process your transaction, send you payment for your leftover currency, and update you on the status of your order. We may also need to contact you if we have any questions.

Creating an account is optional, as noted during the order creation process. If you choose to create an account, the legal basis for processing the account-related data is consent.

3c. Will We Share the Data with Any Third Parties?
When an order is created, a confirmation email is generated by the WooCommerce plugin, called ‘PDF Invoice,’ which is part of Automattic. The confirmation email contains details, including bank account information, with sensitive information like bank account numbers replaced by Xs, showing only the last three digits of your account number. A copy of the confirmation email is sent to Leftover Currency to notify us of your order creation. These emails are stored in our webmail client, Zoho Mail, which we have selected for its enhanced data integrity and security. Zoho Mail is fully compliant with data protection standards: Zoho GDPR Compliance.

3d. How Do We Use the Data?
The data you provide during the order creation process is used to fulfill your order. We only collect the necessary information to complete the transaction. Additionally, we use this data to contact you if we have any questions or updates regarding your order.

We will not contact you about anything unrelated to your order(s).

3e. How Long Do We Store the Data?
We store the data about your order for the following periods:

• Five years if we receive your currency: As your transaction involves currency exchange, it is subject to money laundering regulations (MLR). Under MLR, we are required to retain customer data for five years.
• Three months if you do not send us the currency: If you decide not to send us the currency or if you forget to send it, we will delete your order data after three months.

If you send the currency, this means your transaction is regulated under anti-money laundering laws, and the data will be kept for five years. However, if you don’t send the currency, we will delete the data after three months.

3f. What Rights Do I Have Regarding My Data?
You have the right to access and/or modify the data related to the order(s) you created. If you wish to access or amend your order data, please contact us. You also have the right to request the deletion of your data.

We will delete your order data upon request unless we have already received your currency. In that case, we are legally required to store your data for five years under money laundering regulations.

You also have the right to request the deletion of your account. If we have received currency for one or more of your orders, we will need to retain your data for five years due to money laundering regulations, even if you request account deletion.

4. Data About the Processing and Fulfillment of Your Order(s)

4a. What Data Do We Collect?
When we process and fulfill your order(s), we collect the following data:

• Current and previous order statuses, with timestamps indicating when the order status was updated (e.g., awaiting currency, processing, completed, order discrepancy, on hold)
• Name(s) of the Leftover Currency staff processing your order(s)
• Any messages sent by Leftover Currency staff regarding your order(s)
• Results of the currency count, along with a description of any discrepancies if applicable
• Tracking and delivery status information if a tracked delivery method was used
• Customs-related information if your items passed through customs
• Any information included with your order or packaging (e.g., a cover letter or return address)
• Outcome of the search for linked transactions: total combined value of linked transactions over 6 months
• If your payment method is bank transfer and your bank account is outside the UK, we may request your date of birth, but only if the receiving bank requires it to process the payment.

Paper PDF Exchange Form:
If you fill out a paper PDF exchange form instead of using the online wallet, we will collect the following data when your letter/parcel arrives at our office:

• Preferred payout currency
• Amount per currency, in banknotes and coins
• Title
• First name
• Last name
• Address
• Email address
• Preferred payout method (direct bank transfer, cheque, PayPal, or donate to charity)
• Payment details:
  • If payout method is direct bank transfer: bank account details
  • If payout method is cheque: full name of payee
  • If payout method is PayPal: PayPal email address
• Date of signing
• Signature

For Orders Over £1000 GBP, $1000 USD, or €1000 EUR (within 6 months):
For orders with a combined value over £1000 GBP, $1000 USD, or €1000 EUR, we may also collect the following data for additional due diligence:

• Scans or photocopies of forms of ID and proof of address
• Information about the true beneficiary of the funds
• Information about the origin of the funds
• Information about people or organizations linked to the beneficiary
• Information about whether the beneficiary is a politically exposed person (PEP) or on a target/financial sanctions list
• Outcome of (advanced) due diligence checks

Reminder Emails:
If we haven’t received the currency within 9 days of creating an order, we may send a reminder email. We will only send a reminder email if you have consented to this during the order creation process. The data we collect for reminder emails includes:

• Customer name
• Purchased (Y/N)
• Mailing list (Y/N)
• Email statistics: sent, opened, and clicked links
• Total orders placed
• Last order date
• Lifetime value

Review Invitations:
If you indicated that you would like to review our service, we will send you an email with a link to Trustpilot, where you can leave a review. If you leave a review, we collect the following data:

• Star rating (1-5)
• Alias name of reviewer
• Review content
• Reference number of your order

4b. What Is the Legal Basis for Processing This Data?
We are legally required to retain data about the processing and fulfillment of your order(s) under the Money Laundering Regulations 2017 (Money Laundering Regulations 2017).

• The legal basis for collecting data related to reminder emails is your consent. When you create an order, you choose whether or not to receive a reminder email.
• The legal basis for collecting review data is also your consent. When you create an order, you can choose whether to receive an invitation to review our service.

4c. Will We Share the Data with Any Third Parties?
We may share your data with the following third parties, as required by law or to complete your transaction:

• HMRC and Law Enforcement Agencies: We are obligated to comply with the Money Laundering Regulations 2017 and will share data with HMRC or law enforcement agencies if required.
• Due Diligence Checks: For performing due diligence checks, we use GBG ID3global (GBG Privacy Policy) and, for enhanced checks, we use Compliance Assist Limited (Compliance Assist Privacy Policy).
• Payment Providers: To process your payment, we share relevant data with payment providers:
  • Bank Transfers: We share the following details with our bank and the receiving bank: account holder’s name, account number, sort code, and order value.
  • Cheques: We share the payee’s name and order value with our bank and the receiving bank.
  • PayPal Payments: We share the PayPal email address and order value with PayPal (PayPal Privacy Policy).
  • International Bank Transfers: We use Transferwise (Transferwise Privacy Policy) and GlobalWebPay (GlobalWebPay Privacy Policy) to process international payments, sharing the account holder’s name, address, date of birth (if required), bank name, account information (e.g., IBAN, SWIFT, BSB), reason for payment, and order value.
• Trustpilot: If you consent to receiving an invitation to review our service on Trustpilot, we will share the following data with Trustpilot: first name, last name, email address, and reference number. Trustpilot Privacy Policy.

4d. How Do We Use the Data?
We use the data to:

• Process and fulfill your order
• Ensure compliance with legal and accounting obligations
• Conduct due diligence checks as required by law
• Collect feedback via reviews to improve our services and customer experience
• Help Trustpilot calculate our trustscore, allowing customers to compare reviews across websites

4e. How Long Do We Store the Data?
We are legally required to retain data about the processing and fulfillment of your order(s) for five years. After this period, we will delete the data on a monthly basis, including both online and offline (paper) data. We use Shred It (Shred It Services) for secure disposal of paper records.

• Review Data: Reviews are retained by Trustpilot until the reviewer deletes their account or requests deletion of the review. How to delete or edit your review on Trustpilot.

4f. What Rights Do I Have Regarding My Data?
You have the following rights regarding your data:

• Access and Amend: You have the right to access and update the data we hold about the processing and fulfillment of your order. Please contact us if you wish to do so.
• Review Data: You have the right to amend or delete your review on Trustpilot. How to edit or delete your review on Trustpilot.
• Consent Changes: You can modify or withdraw your consent to receive reminder emails or review invitations at any time. To do so, please contact us.

Let’s swap these old bills!