- How we obtain your personal information
- What personal information do we collect?
- Why do we collect your data?
- Legal basis for processing your personal information
- How do we keep your data safe and secure?
- How long do we keep your personal information?
- Who do we share your information with?
- Where do we store your personal information?
- Automated decision making
- Third party websites
- What are your rights?
Who are Kixy?
1.2. Kixy is the “data controller” of any personal information that you provide to us or which we receive in relation to your use of our Service and you are the “data subject”. This means that Kixy determines the purposes and means of processing your personal information, while respecting rights concerning your privacy.
1.5. Please note that our Service is not intended for children. We do not knowingly collect or maintain the personal information of children under the age of 18. If you are under the age of 18, please do not attempt to access our Service. We will take appropriate steps to delete the personal information of persons under the age of 18.
How to contact us
1.7. You can also contact us to inform us of any changes to the personal information we hold about you. This will help us ensure that our records are accurate and up to date.
2. How we obtain your personal information
2.1. We will collect, use, store and transfer different kinds of information that you provide to us when you:
Apply for an e-money account.
Use any of our services.
Make an enquiry, provide feedback, make a complaint or contact us over the phone, by email or other means.
Report a problem with our Site or our App.
Interact with our social media accounts which may include Twitter, Facebook and Instagram.
Use our Site and our App generally. This means that we will collect certain information about how you use our Site and our App and the device that you use to access our Site and our App, even where you have not created an account or logged in. This information may include login data, IP address, operating system, and any actions on our Site and our App, and may be collected by a third-party analytics service provider on our behalf and/or may be collected using cookies or similar technologies. For more information on cookies and similar technologies please refer to our Cookies Policy.
3. What personal information do we collect?
3.1. Like most companies, we collect various types of data about our customers and users of our Site and our App. Some of it may be considered personal information, which means information that makes you directly or indirectly identifiable as an individual.
3.2. We may collect and use the following data:
Identity and contact data. This includes basic personal information, such as names, address, date of birth, phone number, e-mail address and other contact details you may provide to us.
KYC and CDD data. If you sign up for an E-money account with us we will need to collect certain information from you in order to comply with our Know Your Customer ("KYC") and Client Due Diligence ("CDD") obligations, such as proof of your identity (e.g. passport, driving licence, national ID card or residence permit), proof of your address (e.g. utility bill or bank statement), your image in photo or video form and additional details on source of funds (e.g. payslip, credit card statement, tax rebate receipt or bank loan agreement).
Payment and transaction information. As a regulated financial institution, we are bound by the legal requirement to collect, verify and record certain data about your transactions including recipients of your transactions.
Site and App usage data. This includes information about your interactions with our Service, such as login data, IP address, page views, searches, and other actions on our Site and our App.
Technical data. For example, your geographical location, information about the device you use to access the Service such as your hardware model, mobile network information and unique device identifiers.
Marketing and communications data.
This includes your preferences in receiving marketing from us and our third parties and your communication preferences.
3.3. In certain circumstances, we will receive information about you from other third parties, such as:
Service providers. We may collect personal information from banks and payment service providers used to transfer money to us, our Site developers, App developers, IT support providers, customer service support providers and marketing services providers.
Third party providers. When you ask us to, we will collect personal data from accounts you hold with third party banks so that you can see everything in one place.
Publicly available sources. We may use publicly available sources, for example, credit reference agencies, to carry out identity, credit and compliance checks.
Other third parties. We might also receive information about you from third parties if you have indicated to such third party that you would like to hear from us. If you log into your customer account using your Facebook or Google profiles, we will receive access to your Facebook and Google profiles (as applicable), including your profile picture, associated email address and contact list.
4. Why do we collect your data?
4.1. We use your information in the following ways:
To provide access to our Service. We collect your data to provide you with access to our Service in a convenient and optimal manner and to personalize and improve our Service for you.
Transactional purposes. We need to collect data in order to process your transactions.
Regulatory purposes. As regulated financial institutions, both Kixy and our partners (including TPL) are required to conduct KYC and CDD checks to comply with our legal and regulatory requirements. These include our requirements under Anti Money Laundering and Counter Terrorist Financing legislation. All of this helps us keep our Service safe and secure.
User and customer support. In order to provide user or customer service and support, we share your information with our Site developers, App developers, IT support providers, payment services provider and security providers as necessary to provide the relevant support.
Marketing purposes. We may process your personal information to provide you with certain types of marketing communication that we believe will be relevant and of interest to you and where we have your consent or it is in our legitimate interests (for more information on our legitimate interests, please see Section 5.3 below). We will always endeavour to make these communications relevant and unobtrusive, and you are able to object to marketing communication from us at any time.
Research and analytical purposes. We may collect and analyse data such as Site visit logs in order to help us to understand how you use our Service so that we can improve the quality of our Service, marketing, customer relationships and experiences.
4.2. You do not have to disclose any of the above information to us. However, if you choose to withhold certain information, we may not be able to provide you with our Service.
5. Legal basis for processing your personal information
5.1. We will only process your personal information where we have a legal basis to do so. The legal basis will depend on the purposes for which we have collected, and use, your personal information.
5.2. In almost every case the legal basis will be one of the following:
Performance of your contract with us and the provision of our Service.
Your consent (where we request it).
Our legitimate interests or the legitimate interests of a third party (where appropriate).
Where we need to comply with a legal or regulatory obligation.
5.3. Where we use your information for our legitimate interests (or that of a third party), we make sure that we take into account any potential impact that such use may have on you. Our legitimate interests (or those of a third party) do not automatically override yours and we will not use your information if we believe your interests should override ours, unless we have other grounds to do so (such as your consent or a legal obligation). You can object to data processing based on our legitimate interest at any time by contacting us at privacy@Kixy.com or by changing the settings on your Kixy account.
5.4. Where we collect any personal data which can be categorised as "special category" personal data (for example, biometric data obtained from images or videos you upload as part of our KYC and identity checks) we will, in addition to the legal basis described in Section 5.2 above, always obtain your explicit consent (which you are free to withdraw at any time although this may affect our ability to offer you our Service).
6. How do we keep your data safe and secure?
6.1. We have put in place appropriate security measures to prevent your personal information from being accidentally destroyed, lost, used or accessed in an unauthorised way.
7. How long do we keep your personal information?
7.1. Depending on what purpose your personal information is used for, the length of time we keep it may vary. Either way, we will only hold your information for as long as it is necessary to serve the purpose it is used for, taking into account the amount, nature and sensitivity of the information.
7.2. Please note that we are legally required to keep information obtained for KYC, CDD and security purposes (including transaction records and our communications with you) for at least five years after the most recent transaction.
8. Who do we share your information with?
8.1. We may share your personal information with certain third parties in order to allow us to provide our Service and other services to you, enforce our rights or to comply with applicable laws including our legal and regulatory obligations. We will never sell your personal information to other organisations.
8.2. Third parties with whom we may share your personal information include:
Our service providers. Third party service providers, including partners and intermediaries, we work with to deliver our Service, who are acting as processors and provide us with:
development and hosting services;
IT, system administration and security services; and
marketing and advertising services.
Regulators and governmental bodies. Regulators, governmental bodies and other authorities acting as processors or separate controllers who require reporting of processing activities in certain circumstances, for example, for the purposes of security, taxation and criminal investigations.
Marketing partners. Any selected third party that you consent to our sharing your information with for marketing purposes.
Prospective sellers and buyers of our business. If we sell or buy any business or assets, we may be obliged to share your personal information with the prospective seller or buyer.
Other third parties (including professional advisers). Any other third parties (including legal or other advisors, regulatory authorities, courts, law enforcement agencies and government agencies) where necessary to enable us to enforce our legal rights, or to protect the rights, property or safety of our employees or where such disclosure may be permitted or required by law.
8.3. We require all third parties to respect the security of your personal information and to treat it in accordance with the law.
9. Where do we store your personal information?
9.1. We work with partners who help us to complete your transactions and may be based outside of the United Kingdom ("UK") or the European Economic Area ("EEA"). This means that the personal information that we collect from you may be transferred to, and stored at, a destination outside of the UK or the EEA, including countries, which have less strict, or no data protection laws, when compared to those in the UK or Europe.
10. Automated decision making
10.1. Automated decision making refers to a decision which is taken solely on the basis of automated processing of your personal information. This means processing using, for example, software code or an algorithm, which does not require human intervention.
10.2. We may use automated decision making where it is necessary for entering into or to perform a contract with you and appropriate measures are in place to safeguard your rights; or, in limited circumstances, with your explicit consent. For example, we may use automated decision making to:
carry out anti-money laundering and sanctions checks including identity and address checks; and
to monitor your account to detect fraud and financial crime.
The results of any check may affect the type of products or services we can offer you.
10.3. You have certain rights in respect of automated decision making, where that decision has significant effects on you, including where it produces a legal effect on you. Please refer to Section 12 for more information about your rights.
11. Third party websites
12. What are your rights?
12.1. Data protection laws give you a number of important rights in relation to your personal information, which are listed below. There are certain exceptions where these rights may be superseded by laws and other requirements applicable to regulated financial institutions like Kixy. An example of this would be the obligatory retention period (see Section 7.2), which supersedes the right to data erasure.
12.2 Subject to certain legal conditions, your rights include:
Information. The right to be informed about how we use your personal information.
Access. The right to request, free of charge, details of and access to a copy of the personal information that we hold about you, usually within a month of asking for it, and to use it for your own purposes.
Portability. The right, in certain circumstances, to ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form.
Rectification. The right to correct, amend or update your personal information if it is wrong, incomplete or has changed (this can usually be done using the settings provided on your account).
Erasure. The right to ask us to remove the personal information we hold about you from our records where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it. This includes the "right to be forgotten" i.e. the right to request erasure of any links to your personal information, or of any copy or replication of any public personal information.
Restriction. The right to ask us to stop processing your personal information where you have asked for it to be erased or where you have objected to our use of it.
Objection. The right to object to our processing of your personal information where we are relying on a legitimate interest (or those of a third party) and you believe that our legitimate interest might infringe upon your rights. You can also object to our use of your personal information for direct marketing purposes.
Exercising your rights
12.5. Please also note that we may ask for proof of your identity. This is a security measure to ensure that we do not disclose personal information to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
12.6. We will try to respond to all legitimate requests within one month. Sometimes it may take us longer if your request is complex or you have made several requests. In this case, we will notify you and keep you updated.
12.7. Please also be aware that not all of those rights are absolute and there may be circumstances in which we will not fully comply with your request because of a specified legal ground or exemption.
12.8. If you are not happy with how we have handled your personal information, you can submit a complaint to our Compliance Officer using the contact details set out at Section 1.7 above.
12.9. You have the right to submit a complaint to the Information Commissioner’s Office ("ICO"), the UK supervisory authority for data protection issues (www.ico.org.uk), as well as the relevant authority in your country of work or residence, if you are not satisfied with our Data Protection Officer’s response, do not believe we have handled your request to exercise your rights in an appropriate manner or if you believe that we are not processing your personal information in a lawful way.
12.10. If you would like to read more about your rights in relation to your personal information, please refer to the ICO's website.
This policy explains when and why we collect Personal Data (as defined in General Data Protection Regulation) about you, how we use it, the conditions under which we may disclose it to others and how we keep it secure.
TPL is committed to safeguarding the privacy of your information. By “your data”, "your personal data”, and “your information” we mean any personal data about you which you or third parties provide to us.
We may change this Policy from time to time so please check this page regularly to ensure that you’re happy with any changes.
Who are we?
Transact Payments Limited (“TPL”, “we”, “our” or “us”) is the issuer of your card and is the Data Controller for the personal data which you provide to us in relation to the card only. TPL is an e-money institution, authorisedand regulated by the Gibraltar Financial Services Commission. Our registered office address is 6.20 World Trade Center, 6 Bayside Road, Gibraltar, GX11 1AA and our registered company number is 108217.
Kixy Ltd (‘Kixy’) is the Program Manager for your card program and is the Data Controller for any personal data which you provide in relation to the program but which is not related to the card. Kixy Ltd is a company incorporated and registered in England and Wales under company number 11201126 with its registered office located at 40 Gracechurch Street, London EC3V 0BT, United Kingdom.
How do we collect your personal data?
We collect information from you when you apply online or via a mobile application for a payments card which is issued by us. We also collect information when you use your card to make transactions. We also obtain information from third parties (such as fraud prevention agencies) who may check your personal data against any information listed on an Electoral Register and/or other databases.
On what legal basis do we process your personal data?
Your provision of your personal data and our processing of that data is necessary for each of us to carry out our obligations under the contract (known as the Cardholder Agreement or Cardholder Terms & Conditions or similar) which we enter into when you sign up for our payment services. At times, the processing may be necessary so that we can take certain steps, at your request, prior to entering into that contract, such as verifying your details or eligibility for the payment services. If you fail to provide the personal data which we request, we cannot enter into a contract to provide payment services to you or will take steps to terminate any contract which we have entered into with you.
We may also process your personal data to comply with our legal or regulatory obligations.
We, or a third party, may have a legitimate interest to process your personal data, for example:
To analyse and improve the security of our business;
To anonymise personal data and subsequently use anonymized information.
What type of personal data is collected from you?
When you apply for a card, we, or our partners on our behalf, collect the following information from you: full name, physical address, email address, mobile phone number, phone number, date of birth, gender, login details, IP address, identity and address verification documents.
When you use your card to make transactions, we store that transactional and financial information. This includes the date, amount, currency, card number, card name, account balances and name of the merchant, creditor or supplier (for example a supermarket or retailer). We also collect information relating to the payments which are made to/from your account.
How is your personal data used?
We use your personal data to:
set up your account, including processing your application for a card, creating your account, verifying your identity and printing your card.
maintain and administer your account, including processing your financial payments, processing the correspondence between us, monitoring your account for fraud and providing a secure internet environment for the transmission of our services.
comply with our regulatory requirements, including anti-money laundering obligations.
improve our services, including creating anonymous data from your personal data for analytical use, including for the purposes of training, testing and system development.
Who do we share your information with?
When we use third party service providers, we have a contract in place that requires them to keep your information secure and confidential.
We pass your information to the following categories of entity:
identity verification agencies to undertake required verification, regulatory and fraud prevention checks;
information security services organisations, web application hosting providers, mail support providers, network backup service providers and software/platform developers;
document destruction providers;
Mastercard, Visa, digital payment service providers or any third parties involved in processing the financial transactions that you make;
anyone to whom we lawfully transfer or may transfer our rights and duties under this agreement;
any third party as a result of any restructure, sale or acquisition of TPL or any associated entity, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us.
regulatory and law enforcement authorities, whether they are outside or inside of the EEA, where the law requires us to do so.
Sending personal data overseas
To deliver services to you, it is sometimes necessary for us to share your Personal Data outside the European Economic Area (EEA), e.g.:
with service providers located outside the EEA;
if you are based outside the EEA;
where there is an international dimension to the services we are providing to you.
These transfers are subject to special rules under European and Gibraltar data protection law.
These non-EEA countries do not have the same data protection laws as Gibraltar and EEA. We will, however, ensure the transfer complies with data protection law and all Personal Data will be secure. We will send your data to countries where the European Commission has made an adequacy decision, meaning that it has ruled that the legislative framework in the country provides an adequate level of data protection for your Personal Data. You can find out more about Adequacy decisions.
Where we send your data to a country where the European Commission has not made an adequacy decision, our standard practice is to use standard data protection contract clauses that have been approved by the European Commission. To obtain a copy of those clauses, please go to the European Commission’s website.
If you would like further information please contact our Data Protection Officer on the details below.
How long do we store your personal data?
We will store your information for a period of five years after our business relationship ends in order that we can comply with our obligations under applicable legislation such as anti-money laundering and anti-fraud regulations. If any changes to applicable legislation require us to retain your data for a longer period of time, we shall retain it for that period. We will not retain your data for longer than is necessary.
Your rights regarding your personal data?
You have certain rights regarding the personal data which we process:
You may request a copy of some or all of it.
You may ask us to rectify any data which we hold which you believe to be inaccurate.
You may ask us to erase your personal data.
You may ask us to restrict the processing of your personal data.
You may object to the processing of your personal data.
You may ask for the right to data portability.
If you would like us to carry out any of the above, please email the Data Protection Officer at DPO@transactpaymentsltd.com.
How is your information protected?
We implement security policies and technical measures in order to secure your personal data and take steps to protect it from unauthorised access, use or disclosure.
While we strive to protect your Personal Data, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We hope that our Data Protection Officer can resolve any query or concern you may raise about our use of your Personal Data.
The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Gibraltar is the Gibraltar Regulatory Authority. Their contact details are as follows:
Gibraltar Regulatory Authority,
2nd floor, Eurotowers 4, 1 Europort Road, Gibraltar.
(+350) 20074636/(+350) 20072166 firstname.lastname@example.org
How to contact us