Effective: 3 June 2019
Last Updated: 30 November 2020
Xe Privacy Notice Version 2.0
In this Privacy Notice we explain how we collect and use your personal information that we obtain when you use our services, visit or use our websites or mobile applications or otherwise interact with us, how we share your information and the steps we take to protect your information.
1. WHO WE ARE AND THE APPLICATION OF THIS PRIVACY NOTICE
This Privacy Notice applies to the Xe Group of companies, each trading as “Xe.com” or “Xe (“we”, “our” or “us”). The “Xe Group” refers to HiFX Europe Limited, Xe Europe B.V., HiFX Australia Pty Ltd, HiFX Limited, Xe Corporation Inc., HiFX Canada Inc. and Continental Exchange Solutions Inc. dba Xe (each trading as “Xe.com” or “Xe”), each being a wholly owned subsidiary of Euronet Worldwide, Inc. (“Euronet”). Further details on Euronet and the companies within Euronet are available at: http://www.euronetworldwide.com.
We are committed to the privacy and security of your personal data. This Privacy Notice describes how we collect and use personal data, in accordance with applicable law and our standards of ethical conduct.
HiFX Europe Limited trading as Xe with registered office at Maxis 1, Western Road, Bracknell, Berkshire, RG12 1RT, United Kingdom will be the “data controller” or “controller” in relation to any personal data provided to us directly via email, phone, and post or via xe.com (the “Website”), or the Xe mobile application (the “App”). This means that we are responsible for deciding how we will hold and use personal data about you.
The Euronet Group Data Protection Officer can be contacted:
- By email at: DPO@xe.com or DPO@euronetworldwide.com.
- By post to: Euronet Data Protection Officer, Calle Cantabria, 2 28108 Alcobendas, Madrid, Spain.
We encourage you to review and check the Website / App regularly for any updates to this Privacy Notice. We will publish the updated version on the Website / App and by continuing to deal with us, you accept this Privacy Notice as it applies from time to time.
2. DATA PROTECTION PRINCIPLES
“Personal data” means any information that enables us to identify you or the beneficiary of your transaction with us, directly or indirectly, such as name, email, address, telephone number, any form of identification number or one or more factors specific to your or your beneficiary’s identity.
We are committed to complying with applicable data protection laws and will ensure that personal data is:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- Relevant to the purposes we have told you about and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the purposes we have told you about;
- Kept securely.
3. WHAT PERSONAL DATA DO WE COLLECT AND HOW DO WE COLLECT IT?
PERSONAL DATA YOU GIVE US
We may collect personal data when you give it to us, including when you indicate that you would like to receive any of our Services, when you register with us, when you complete forms online, when you speak with us over the telephone, when you write to us, when you visit the Website or App and, in certain circumstances as set out in this Privacy Notice, when you have provided your information to a Xe Group company. We will also collect details of transactions you carry out through the Website or App and of the fulfilment of such transactions.
We may collect and process the following personal data:
- Personal details, such as data which may identify you, or the beneficiary of your transaction with us. This may include your name, title, residential and/or business address, email, telephone and other contact data, date of birth, gender, images, passport/visa details, signature, IP address and travel details (such as destination country or trip details) (“Identity Personal Data”).
- If you have provided your consent for us to collect such information and not withdrawn such consent, non-identifiable GPS-based location details whilst using the Website or App (“Location Data”).
- Information from which you may be indirectly identified, such as a client identification number or online identifier (“Indirectly Identifiable Personal Data”).
- Financial details, such as data relating to you and your beneficiary’s payment data and bank account obtained for the purposes of money transfers (“Transaction Personal Data”).
- Additional details requested by law enforcement or requested pursuant to our compliance procedures in connection with efforts to prevent money laundering, terrorist financing and criminal activity, such as relationship to the beneficiary of the transaction, the purpose of the transaction and proof of funds (“Compliance Personal Data”).
We may also receive information in connection with transactions you carry out on our Website, such as the last four digits of the payment card you used to make payment for the XECD service (as provided to us by the third party payment processor) (“Payment Data”).
COOKIES AND SIMILAR TECHNOLOGIES
When you use our website or app we collect information via cookies and similar technologies, including the IP address of visitors, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform. We may use this data for the following purposes:
- To measure the use of our Website / App and services, including number of visits, average time spent on a website, pages viewed, page interaction data (such as scrolling, clicks, and mouse-overs), etc., and to improve the content we offer;
- To administer the Website / App and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- As part of our efforts to keep the Website / App safe and secure.
Due to their core role of enhancing or enabling usability or site processes, disabling cookies may prevent you from using certain parts of our Website / App. It will also mean that some features on our Website or App will not function if you do not allow cookies.
4. HOW WE USE YOUR PERSONAL DATA
Personal data collected through our Website or App is typically stored and processed in Canada; however, in some instances, it may be transferred, stored, and/or processed outside of Canada (see section 5 for further details).
We have summarised below the ways in which we may use your personal data and our basis for such usage:
Whenever possible, we use data from which you cannot be identified directly (such as IP addresses and anonymous demographic and usage data) rather than personal data. This non-identifiable data may be used to tailor your experiences with the Services by showing content in which we think you will be interested and displaying content according to your preferences. Non-identifiable data may also be used to improve our internal processes or delivery of services.
We may use aggregate data for a variety of purposes, including analysing user behaviour and characteristics in order to measure interest in (and use of) the various portions and areas of the Services. We also may use the data collected to evaluate and improve the Services and analyse traffic to the Services.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such data without further notice to you.
How we use personal data
Our basis for using your personal data
Registration and Administration. We may use Identity Personal Data and/or Compliance Personal Data to enable you to register with us. Once your registration with us is complete, we may use Identity Personal Data and/or Compliance Personal data for the administration of your account, to contact you, to update our records about you, and to respond to and process your queries and requests.
Requesting access to tools and information. You may wish to have access to certain tools and information (such as XE Email Services or XECD) made available on Our Website / App, before or after you decide that you would like to register to use the Services, including our foreign exchange and payment service. We may collect and use Identity Personal Data as part of this access and use Identity Personal Data before or after you decide that you would like to register to use the Services, including our foreign exchange and payment service.
Supply of our Services. We may use Identity Personal Data, Transaction Personal Data and/ or Compliance Personal Data (and where it is collected, Payment Data) so that we can supply you with our Services which you use or have requested and to meet our contractual obligations to you.
Location. If you have given your consent for us to so and not withdrawn such consent, we may collect and use Location Data to provide you with a tailored experience on the Website or App related to your location, such as displaying the local currency in the relevant location.
Service communications. We may use Identity Personal Data and/or Transaction Personal Data to notify you about changes or developments relating to our Services which you used or have requested.
Compliance. We may use Identity Personal Data, Transaction Personal Data and/or Compliance Personal Data (and where it is collected, Payment Data) for compliance purposes, including the prevention and detection of crime, tax evasion or fraud.
Recording of telephone calls. We may monitor and record (via automated means or transcripts) our telephone calls with you (which may involve Identity Personal Data, Transaction Personal Data and/or Compliance Personal Data (and where it has been collected, Payment Data) and we may use any transcripts of these calls so we can be sure we understand the instructions you give us and so we have a clear record of our discussions with you.
Marketing. In certain circumstances, we may use your Identity Personal Data to contact you with marketing communications in relation to the Services or the services and products of Xe Group companies.
Profiling. Xe may combine Indirectly Identifiable Personal Data with other information generated during the use of our Services to create individual profiles for customers through automated processes.
5. IS DATA COLLECTED, SHARED WITH OR COLLECTED BY THIRD PARTIES?
We may share your personal data with other Xe Group Companies in order to enable or facilitate us to provide you with any of the Services you have requested, for our or an Xe Company’s compliance purposes and where you have consented and not withdrawn your consent, for the Xe Company’s direct marketing purposes (see section 11 below).
We may share your personal data with Euronet and affiliates in the Euronet Group (some of which are based in the European Economic Area (“EEA”) and some of which are based outside the EEA, for example in Canada and the United States – further details are set out at the end of this section 5) for the purposes, or to enable or facilitate the purposes, set out in section 4 and 11 of this Privacy Notice. This may include sharing your personal data within the Euronet Group for compliance purposes.
AGGREGATED STATISTICAL ANALYSIS
We may use statistical analysis of aggregate data to inform advertisers of aggregate user demographics and behaviour, as well as the number of users that have been exposed to or clicked on their advertising banners. We will provide only aggregate data from these analyses to third parties.
THIRD PARTY SERVICE PROVIDERS
We may share personal data we collect with third party service providers to manage, enable or facilitate certain aspects of the Services we provide and if we do so, we will have safeguards in place with such third party service providers requiring them to protect the personal data.
- Compliance verification service providers.
- Financial services providers, such as banks.
- Credit control or debt collection agencies.
- Communication fulfillment providers, to facilitate our communications with you.
- Fraud Prevention Agencies - As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services you have requested, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you.
Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by visiting www.cifas.org.uk/fpn **or if you require any further details regarding the information above please contact us.
- Any other party authorized by you.
We use advertising services suppliers on our Website and App, who, along with their advertising partners, may collect and use personal data when you interact with our Website or App. Further details are set out at section 6 below.
We may transfer your personal data to a third party as a result of a sale, acquisition, merger, or reorganisation involving Euronet, a company within the Euronet Group, or any of their respective assets. In these circumstances, we will take reasonably appropriate steps to ensure that your information is properly protected.
LEGAL AND REGULATORY
We may also disclose your personal data in special cases if required or requested to do so by law, court order, or other governmental authority, or when we believe in good faith that disclosing this data is otherwise necessary or advisable, such as to identify, contact, or bring legal action against someone who may be causing injury to, or interfering with, our rights or property, our services, another user, or anyone else that could be harmed by such activities (for example, identify theft or fraud).
SHARING PERSONAL DATA
The nature of our products and services means that we may need to share your personal data with recipients based outside of the country you reside.
As explained above, we may share your personal data within the Euronet Group (including to Xe Companies), which may involve transferring your data outside of the UK. Where we do so, we will ensure a similar level of protection to that afforded in the UK; for example, on the basis the relevant recipient country (for example, Canada) has been deemed to provide an “adequate” level of protection for personal data or by contractual provisions that seek to ensure a level of protection and safeguarding of personal data.
It is important for you to note that the laws on holding data in the UK (or any other country in which we transfer, store or process your data) may be less stringent than the laws of your country, but Xe intends to adhere to the principles set forth in this Policy, unless otherwise required by applicable laws.
If we share personal data with third party service providers based outside of the UK or EEA we will ensure a level of protection and safeguarding of your personal data.
You may sometimes ask us about, or we may sometimes ask you if you are interested in, products or services which we are unable to provide but which someone else we know (a “Contact”) may be able to provide. We will never pass your information to a Contact unless you have asked us to do so. Please note that we are not responsible for and cannot be liable to you for any products or services of any Contact or any acts or omissions of any Contact.
In addition, where we have received your contact details and other personal data as a result of a referral, we may pass your personal data back to the relevant referrer for the specific purpose of commission reporting.
Advertisements that appear on the Website or App or otherwise in the Services are generally delivered (or "served") directly to you by third party advertisers. These third-party advertisers have no access to the information you have provided directly to Xe.
If you have provided your consent by accepting “Targeting Cookies” through the Website cookie consent manager or enabled “Targeting” and “Location” on the App, the advertisements that are served may be personalised to you.
ADVERTISING ON OUR WEBSITE
Advertisements on our Website and App may be served by third-party advertisers or their advertising partners.
- App: If you have provided your consent by enabling “Targeting” and “Location” for the App, third-party service providers will collect and use the personal data to serve you personalised advertising. Depending on where you live and your privacy choices on the App, the personal data collected in the App may include device identifiers and information, app usage information, (if you have enabled Location Services) geo-location, information about interests to make ads served more relevant and information about interactions with ads. Your device may be recognized over time and across apps.
- Cookies and Location Tracking: If you do not accept Targeting Cookies on the website, third party advertisers will not receive your IP address or download any cookies to your computer through the Website. However, advertisements that are not specific or personalised to your or your device may still be served to you on the Website. If you do not enable Targeting and Location for the App, you will not receive personalised advertisements and third-party service providers will not collect and use personal data for such purposes.
REMARKETING ON THE WEBSITE AND APP
7. HOW LONG IS YOUR PERSONAL DATA RETAINED?
Personal data is used for different purposes, and is subject to different standards and regulations. In general, personal data is retained Personal data is used for different purposes, and is subject to different standards and regulations. In general, personal data is retained for as long as necessary to provide you with services you request, to comply with applicable legal, accounting or reporting requirements, and to ensure that you have a reasonable opportunity to access the personal data.
To determine the appropriate retention period for personal data, we consider the applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means. For example:
- Legal and regulatory requirements. We will retain your personal data if required to comply with legal and regulatory obligations, compliance procedures and legal limitation periods. We will retain your personal data for a period after closure of your account with us or the last transaction we carried out for you.
- Customer service. If you provide us with your personal data but do not have an account with us, we will (subject to any legal or regulatory considerations) retain your personal data for as long as necessary to deal with your query (for example, to address your questions in the event of an unsuccessful application).
- Marketing. Personal data provided to us for marketing purposes may be retained until you opt out or until we become aware the data is inaccurate.
8. IS CORRESPONDENCE THAT YOU SEND TO US SAVED?
Yes. If you send us correspondence, including e-mails, we may retain such data along with any records of your account. We may also retain customer service correspondence and other correspondence involving you, us and any Xe Group Company, our partners, and our suppliers. We will retain these records in line with our retention policy.
9. DATA SECURITY
We are committed to maintaining the security of your personal data and have measures in place to protect against the loss, misuse, and alteration of the data under our control.
We employ modern and secure techniques to protect our systems from intrusion by unauthorised individuals, and we regularly upgrade our security as better methods become available.
Our datacentres and those of our partners utilise modern physical security measures to prevent unauthorised access to the facility. In addition, all personal data is stored in a secure location behind firewalls and other sophisticated security systems with limited (need-toknow) administrative access.
All our employees who have access to, or are associated with, the processing of personal data are contractually obligated to respect the confidentiality of your data and abide by the privacy standards we have established.
Please be aware that no security measures are perfect or impenetrable. Therefore, although we use industry standard practices to protect your privacy, we cannot (and do not) guarantee the absolute security of personal data.
The Website or App may offer chat rooms, forums, message boards, or news groups to users. It is important to remember that any information disclosed in these areas becomes public information. Accordingly, as with any public forum, you should exercise extreme caution when deciding whether to disclose your personal information.
10. DOES THIS PRIVACY NOTICE APPLY TO OTHER WEBSITES?
No. Our Website and App may contain links to other Internet websites. By clicking on a third party advertising banner or certain other links, you will be redirected to such third party websites.
We are not responsible for the privacy policies of other websites or services. You should make sure that you read and understand any applicable third-party privacy policies, and you should direct any questions or concerns to the relevant third party administrators or webmasters prior to providing any personal data.
We may permit third parties to offer subscription or registration-based services promoted through our own Services. In some instances, these other services may be co-branded or use Xe's trademarks under license; however, other’s services have their own respective privacy policies.
11. DIRECT MARKETING
We or an Xe Company may sometimes contact you (by email, SMS text, letter or phone) in order to provide targeted marketing about our Services or the services of another Xe Company or Euronet Group. Such marketing communications will only be sent to you if you gave your consent (when you registered for our Services or at another point) and you have not withdrawn such consent or if there is another basis to send such communications to you (for example, in certain circumstances, we may send marketing communications solely about our Services to existing customers using contact details we have obtained directly from the customer during the course of registration or the provision of our Services to them, provided they have not previously unsubscribed from such communications).
All marketing e-mails you receive from us will include specific instructions on how to unsubscribe and you may unsubscribe at any time.
Additionally, you can unsubscribe from marketing by contacting us in writing at our registered office at Maxis 1, Western Road, Bracknell, Berkshire, RG12 1RT, United Kingdom or email firstname.lastname@example.org or by amending your marketing preferences within your account.
You should note that we are opposed to third-party spam mail activities and do not participate in such mailings, nor do we release or authorise the use of customer personal data to third parties for such purposes.
Through automated processes we may create individual profiles for customers based on a combination of Indirectly Identifiable Personal Data and other information gathered through our customer’s interaction with our Services. We may use such profiles to better understand the ways in which you use our Services. In addition, we may send personalised communications to you based on a profile (including pricing offers in relation to the Services or the services and products of Xe Group, if we have a basis to send such communications in accordance with this Privacy Notice (see Section 11 above).
You have the right not to be subject to profiling, and you can exercise this right by contacting us in writing at email@example.com or DPO@xe.com.
13. WHAT ARE MY DATA PROTECTION RIGHTS?
In certain circumstances, and subject always to verification of your identity, you may request access to and have the opportunity to update and amend your personal data. You may also exercise any other rights you enjoy under applicable data protection laws.
Data subjects in the UK have the right to:
- Request access to any personal data we hold about them (“Subject Access Request”) as well as related data, including the purposes for processing the personal data, the recipients or categories of recipients with whom the personal data has been shared, where possible, the period for which the personal data will be stored, the source of the personal data, and the existence of any automated decision making;
- Obtain without undue delay the rectification of any inaccurate personal data we hold about them;
- Request that personal data held about them is deleted provided the personal data is not required by us, an Xe Company or the Euronet Group for compliance with a legal obligation under applicable law or for the establishment, exercise or defence of a legal claim;
- Under certain circumstances, prevent or restrict processing of their personal data, except to the extent processing is required for the establishment, exercise or defence of legal claims;
- Under certain circumstances, request transfer of personal data directly to a third party where this is technically feasible.
Where you believe that we have not complied with our obligations under this Privacy Notice or the applicable law, you may have the right to make a complaint to a relevant Data Protection Authority or through the courts. The Data Protection Authority in the UK is the Information Commissioner’s Office - https://ico.org.uk/
Although not required, we would encourage you to let us know about any complaint you might have and we will respond in line with our complaints procedure set out in section 14 of this Privacy Notice.
14. PRIVACY COMPLAINTS PROCEDURE
Where you believe that we have not complied with our obligations under this Privacy Notice, or the applicable law, you may have the right to make a complaint to a relevant Data Protection Authority or through the courts. Although not required, we would encourage you to let us know about any complaint you might have and Xe will respond in line with our complaints procedure – our contact details are set out in section 15 below.
We want to deal with your concerns fairly, effectively and promptly. However, some complaints are more complex than others and may take some time to investigate.
- We will acknowledge your complaint promptly after receiving it
- We will keep you informed throughout any investigation
In order to assist in the speedy resolution of any complaint you may have, it’s important that we understand your complaint fully. Sometimes this means we may ask you to address your concerns to us in writing. This can be either by email or post to the addresses in section 15 below. We have established internal procedures for investigating any complaint, which may also involve experienced members of staff from the Xe Group considering or investigation the complaint. Where appropriate, the complaint will be dealt with by someone who was not directly involved in the matter which is the subject of your complaint. The member of staff will either have authority to settle your complaint or will have ready access to someone who has the authority. Our response will fully address the subject matter of your complaint and, if appropriate, will offer redress. If you phone us during our investigation and the member of staff handling your complaint is not available, then another member of our team will try to assist you.
Unless applicable data protection laws require responses within shorter timescales, we will try to resolve any privacy complaints you have within 15 business days of receiving your complaint and in exceptional circumstances, within 35 business days (and we will let you know if this is the case).
As noted above, if you are not satisfied with our reply/outcome, or otherwise with the handling of the complaint, you may have the right to lodge a claim before a relevant Data Protection Authority or the courts.
15. CONTACT US
If you have any questions or concerns about this Privacy Notice or our data practices, please contact us in writing by email at DPO@xe.com or by post to Maxis 1, Western Road, Bracknell, Berkshire, RG12 1RT.