Privacy Policy

General.

This notice applies to the companies within the Intercash Group of Companies hereinafter referred to as "the Company". The Company is committed to protecting privacy and Personal Information disclosed as a result of using the Companies products and/or services. The Company will take all appropriate steps to ensure that Personal Information is treated securely and will be collected, used, stored and disclosed in accordance with this policy.

The main activity of the Company as the program manager is outsourcing the processing of payment card and cardholder data. As the program manager, the Company is aware that The Payment Card Industry Data Security Standard (PCI DSS) provides specific guidance on the security for the confidentiality and protection of sensitive information. The Company ensures that the processor who stores, processes and transmits cardholder data as part of their daily operations is aware that compliance to this standard is a requirement and is certified accordingly.

The Company undertakes all reasonable measures necessary to remain in compliance with GDPR guidelines. The Company retains all client records for a period of five (5) years as it maintains that doing so is in the public interest in terms of anti-money laundering and anti- terrorist financing initiatives. The Company is obliged by the European Union Fourth Anti- Money Laundering Directive (Chapter V, Article 40, Section 1) to maintain all client records for five years after a business relationship ceases. GDPR Recital 19 makes allowances for data retention in the interest of anti-money laundering.

GDPR Data Protection Principles stipulate that data should be:

Processed in a lawful, fair and transparent manner
collected only for specific, explicit and limited purposes
collected adequately, and be relevant and not excessive
accurate and kept up-to-date
kept for no longer than necessary
handled with appropriate security and confidentiality

Definitions.

“Personal Information” : information that relates to an identifiable living individual, and is held either on computer or in other electronic form that is processed automatically, or in a paper filing system arranged by reference to individuals or criteria relating to them (e.g., date of birth) to facilitate access to information relating to particular individuals.
“Non-Personal Information” : information that does not enable a specific individual to be identified, either directly or indirectly.
“Process” : to collect, store, analyze, use, disclose, delete or do absolutely anything else with personal data (and processing and processed should be read accordingly)
“DPO” : Refers to Data Protection Officer. This is the persona appointed by the Company, responsible for overseeing the data and privacy regime of the Company.
“Company” : Refers to the companies within The Intercash Group

Collecting Information.

The Company collects Personal and Non-Personal Information.

Non-Personal Information is information that does not enable a specific individual to be identified, either directly or indirectly. The Company may collect, store, and use such Non- Personal Information for any reasonable business purpose such as the use of aggregated transactional information for commercial purposes, trend analysis, and the use of data analytics to obtain learnings and insight around payment transaction patterns and usage.

Additional Personal Information collected by the Company may include:

Names including first name and family name
Date of birth
Email address
Billing address
Nationality and country of residence
Identification documentation such as Passport, or driver’s license
Documentation relating to proof of address including utility bill or other statements
Payment card information such as card number, CVV, card expiry date, and cardbalances
Historical transactions
Account preferences
Technical information, including the Internet protocol (IP) address used to connect yourcomputer or device to the Internet, your login information, and browser type and version
Any other information you may provide in the context of using the products and services

Monitoring.
The Company may monitor or record telephone calls, emails, web chat or other communications with you for regulatory, security, quality assurance or training purposes.

The company will monitor account usage for the purposes of fraud detection and anti-money laundering.

Use of Cookies, Advertising, and Tracking Technologies

Company uses cookies, pixels, and similar tracking technologies to collect information about how users interact with its websites and digital platforms.

This may include information such as IP address, browser type, device information, pages visited, time spent on pages, and referring URLs. This data is used to improve website functionality, analyze performance, and support marketing and advertising activities.

The Company uses third-party advertising and analytics services, including services provided by Google and LinkedIn.

Advertising and Remarketing

The Company may use advertising platforms such as Google Ads and LinkedIn Ads to display advertisements to users who have previously visited its website.

These platforms use cookies and tracking technologies, including the Google Ads tag and LinkedIn Insight Tag, to collect information about user behaviour and interactions. This allows the Company to deliver relevant advertisements across third-party websites and platforms.

Conversion Tracking

The Company uses conversion tracking tools to measure the effectiveness of its advertising campaigns.

When users complete specific actions on the website, such as submitting a form, this information may be shared with advertising partners, including Google and LinkedIn, in an aggregated and/or anonymized format.

Sharing of Information with Advertising Partners

Information collected through tracking technologies may be shared with third-party service providers, including advertising partners such as Google and LinkedIn. These providers may use the information to:

Deliver advertisements
Measure campaign performance
Provide insights into user engagement

These providers may combine this data with other information they have collected independently, in accordance with their own privacy policies.

User Choices and Opt-Out Options

Users can control how their data is used for advertising purposes by:

Adjusting ad personalization settings within their accounts with Google and LinkedIn
Disabling cookies through their browser settings

Please note that restricting cookies may impact certain website functionality.

Cookies and Consent

Where required by applicable law, the Company obtains user consent before placing non-essential cookies on a device.

Upon visiting the website, users are presented with a cookie consent banner that allows them to accept or manage their preferences. Users may update or withdraw their consent at any time through available settings or their browser.

The use/disclosure of your Information.

The use of collected information.

The Company may use the collected information for the following purposes:

To provide the products and/or services
To improve and enhance the Company’s offerings, including without limitation to optimizing the websites, consumer portals, products and services
To manage and enforce the Company’s rights, terms of use or any other contracts, including to manage a dispute, or investigate and resolve complaints
To prevent and/or detect fraud, financial crime, manage risk and to better protect the Companys interests, the customers and the integrity of the financial system. The Companny participates in anti-fraud initiatives, which involve assessing individuals and monitoring transactions and/or locations, to detect patterns which may require investigation
To make contact regarding the account, or to alert of potential problems, or new offers
To comply with local and national laws
To comply with requests from law enforcement and regulatory authorities on public interest grounds or from commercial organisations with whom there has or has been dealings with, to establish, exercise or defend legal claims, or to protect clients vital interests or those of other persons involved
To comply with card scheme rules or any terms of business

The disclosure of collected information.

The Company may disclose the collected information for the following purposes:

Within the Company’s group of subsidiaries to help provide services and for the Company’s own internal customer relationship management, analytical and reporting purposes;
Fraud prevention agencies as described above, including Action Fraud, Financial Fraud Action and the Financial Fraud Bureau and other organisations who assist the Comapny in managing fraud and business risk;
Where services are provided through third parties such as Banks and other organisations, the Company may be required to disclose such information (including any ‘know your customer’ and ‘source of wealth’ information) with such organisations in order to assist their own regulatory obligations or risk assessments;
Third Party Service Providers, including suppliers who assist the Company with the provision of services, including processing and fulfilling orders, processing payments, security, sector and fraud risk, identity verification, and marketing, market research and survey activities carried out on behalf of the Company;
In order to prevent and/or detect fraud, financial crime, manage risk and to better protect the Company and its customers, it may be necessary to Process and disclose sensitive
Personal Information (sometimes known as special category personal data) including biometric data to third parties who assist in managing such risks, including identity verification;
Where the Company is required or permitted to do so by law, the Company may be required by law to pass such information to regulatory authorities and law enforcement bodies worldwide. Such disclosures may also include requests from governmental or public authorities, or with commercial organisations with whom there has been dealings and who are seeking to mitigate fraud or credit risk, or non-compliance with terms of business, or for the purposes of litigation or legal process, national security or where the Company deems it in the national or public interest or otherwise lawful to do so

The Company does not disclose information which could identify you personally, to anyone except as described in this notice, as permitted or required by law, and/or for the purposes described in this notice.

How we keep your Personal Information secure.

The Company has implemented various technical, physical, and organizational measures designed to secure all personal information from accidental loss and from unauthorizes access, use, alteration and disclosure. These measures include:

An appointed Chief Information Security Officer to oversee, implement and enforce Information security
An appointed Chief Privacy Officer to oversee, implement and enforce Privacy security
Continuous testing, assessing, and monitoring of system vulnerability
Information security risk management policies and procedures
Incident response plans
Access controls on information systems, designed to authenticate users and permit access only to authorised individuals
Restricted access of all physical locations containing any Personal Information to authorized individuals
Multifactor authentication for all individuals accessing information systems
Secure development practices for in-house developed applications
Performing information security due diligence on any third-party service provider
Performing internal security awareness training

The individual end-user of the Company service is also responsible for the safety and security of their information. Password and/or access codes must be kept confidential. Password and/or access codes must not be shared with anyone. You must ensure that there is no unauthorised use of your password and access code. The Company will act upon instructions and information received from any person that enters your user ID and password and you understand that you are fully responsible for all use and any actions that may take place during the use of your account, unless otherwise mandated by law.

How long we retain your personal information.

If you use the services provided by the Company, the Company will retain your Personal Information as long as necessary to provide you with the services of your choice and any linked legitimate business purpose. That would generally mean we retain your Personal Information as long as you are our customer and for a period of time afterwards.

We will retain Personal Information as evidence of our dealings with you (including whether there were any or no financial transactions), to manage any queries or disputes, including to defend or initiate any legal claims.

The Company retains all client records for a period of five (5) years following a break in service as it maintains that doing so is in the public interest in terms of anti-money laundering and anti- terrorist financing initiatives. The Company is obliged by the European Union Fourth Anti- Money Laundering Directive (Chapter V, Article 40, Section 1) to maintain all client records for five years after a business relationship ceases. GDPR Recital 19 makes allowances for data retention in the interest of anti-money laundering.

Your Data Protection rights.

You have many rights that you may be able to exercise in relation to your personal information. These rights may apply under a number of different regulations, for example, the General Data Protection Regulation (GDPR) which is generally applicable to EEA residents. If you wish you can access, correct, or update your Personal Information. In certain circumstances, you can also ask us to delete your Personal Information, object to its processing or temporarily restrict its processing while exercising your other rights.

As per GDPR, when you give us consent to use your Personal Information, you can withdraw it any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted on lawful processing grounds other than consent. You always have the right to complain to a data protection authority about our collection and use of your Personal Information.

Roles and responsibilities.

The Company carries the overall responsibility for ensuring compliance with this Data Protection Policy. However, all employees who Process personal data in the course of their employment are also responsible for ensuring compliance with the Data Protection Policy.

The Company will provide support, assistance, advice and training to all relevant teams and departments to ensure they are in a position to comply with the policy.

All employees of the Company must:

Complete relevant training and awareness exercises provided by the Company to support compliance with this policy;
Take all necessary steps to ensure that no breach of information security results from their actions;
Report all suspected and actual security breaches to their head of department, who must in turn report the incident immediately to the Chief Information security Officer, so that appropriate actions can be taken to minimise harm

The role of the Data Protection Officer (DPO):

Inform and advise the Company and employees how to be GDPR compliant and how to comply with other data protection laws
Manage internal policies and ensuring the Company is following them thoroughly
Raise awareness and organize employee trainings for those involved with data processing activities
Give advice to the Company about the application of the data protection rules
Introduce security and data protection improvements
Monitor compliance with GDPR or other data processing laws
Cooperate with the supervisory authority

Intercash Card-Issuing Process

Privacy Policy