1. Introduction

Covent Garden FX Ltd ("we", "us", "our") is committed to protecting your personal data and ensuring compliance with GDPR and relevant UK privacy laws. This policy outlines how we collect, use, store, and share your data, including your rights and how you can exercise them.

Contact Information:

• Company Name: Covent Garden FX Ltd
• Address: 30 Jubilee Market Hall, Covent Garden, London, WC2E 8BE
• Email: [email protected]
• Phone: 0207 240 9921

2. Types of Data We Process/Collect

• Identification Data: Name, address, date of birth, nationality, passport/driving license number.
• Contact Data: Address, phone number, email.
• Financial Data: Payment details (debit card, bank transfer, Vyne), transaction history.
• AML/KYC Data: Shared with LexisNexis for identity verification and fraud prevention, which may include a soft credit check. LexisNexis is GDPR compliant, and their privacy policy can be accessed here.
• Usage Data: Browser type, website interaction, IP address.
• Communication Data: Emails, phone calls, and WhatsApp messages.

3. Purpose of Data Processing

We process personal data for:

• Service Provision: Fulfilling orders (currency exchange, buybacks), and customer enquiries.
• Compliance with Legal Obligations: AML/KYC checks, fraud prevention, and regulatory reporting.
• Communication: Email, phone, and WhatsApp (if consented), including transactional and marketing messages (marketing only with explicit consent).
• Marketing: Email marketing upon consent, with the option to opt-out via email at any time.

4. Legal Basis for Processing

We process your data based on:

• Contractual Obligations: Processing transactions or orders.
• Consent: For marketing and WhatsApp communications.
• Legal Obligations: Compliance with AML/KYC laws and fraud prevention.
• Legitimate Interests: Providing customer service and improving our website through analytics.

5. Third-Party Data Sharing

We share your data with:

• Payment Providers: Vyne and other payment processors for handling transactions.
• AML/KYC Providers: LexisNexis for identity verification, with your data processed as per their GDPR-compliant policies.
• Analytics Providers: Google Analytics, Hotjar, and Smartlook for performance tracking. These providers may process data outside the UK/EU, but appropriate safeguards (Standard Contractual Clauses) are in place.
• Law Enforcement and Regulatory Authorities: When required by law for compliance with regulatory requirements (e.g., HMRC, AML obligations).

6. Retention Period

We retain personal data:

• Legal and regulatory purposes: A minimum of five (5) years after the end of a transaction or business relationship, as required by AML and HMRC regulations.
• Marketing and communications: Until consent is withdrawn or deletion is requested.
• Dispute resolution or legal claims: As needed for legal or regulatory obligations.

7. International Data Transfers

We do not directly transfer data outside the UK/EU. However, our analytics providers (Google Analytics, Hotjar, Smartlook) may process data abroad. We implement safeguards like Standard Contractual Clauses to ensure your data is protected.

8. Cookies and Tracking

Our website uses cookies and similar technologies to improve user experience, track performance, and analyse user behaviour. Cookies are small text files stored on your device when you visit our website. We use both first-party and third-party cookies for purposes such as:

• Analytics: Google Analytics to track website usage.
• Marketing: Facebook and Google Ads tracking pixels.
• Functionality: To remember your preferences and provide a better service.

9. Data Security

We protect your personal data through:

• Encryption: Data is encrypted in transit and at rest.
• Access Control: Only authorised personnel have access to personal data.
• Monitoring: Regular audits and monitoring to prevent unauthorised access or breaches.

10. Your Rights

You have the following rights:

• Access: Request a copy of the data we hold about you.
• Rectification: Correct inaccuracies in your data.
• Erasure: Request deletion, except where we must retain data for legal reasons (e.g., AML).
• Restriction: Request restricted processing under specific circumstances.
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing for marketing or specific purposes.

You can exercise these rights by contacting [email protected]. We will respond within 30 days.

11. WhatsApp Communication

We use WhatsApp for service-related enquiries and updates. You can opt out of WhatsApp communication at any time by contacting us. WhatsApp’s data processing is governed by their privacy policy which may be accessed from their website.

12. Data Breach Notifications

In case of a data breach that poses a risk to your rights and freedoms, we will notify both you and the ICO within 72 hours.

13. Updates to This Policy

We may update this policy periodically to reflect changes in our practices or legal obligations. Updated versions will be posted on our website. It is recommended to review this policy regularly for updates.