Skip to content

Search

loading Loading

Introduction

This Privacy Policy was set up to be GDPR compliant on 24 May 2018. Since then we have made some small improvements, the latest one of which was on 1 November 2020, reflecting a change in our hosting partner, from SiteGround to Vultr. It is our aim to be transparent and to provide accessible information about how we process and use your personal data, in line with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 1998 (DPA). Despite the fact that the United Kingdom has in the meantime exited the European Union on 31 January 2020, GDPR remains a part of British legislation and we will continue to comply with GDPR, as explained in this Privacy Policy. 

Who we are

We are Leftover Currency Limited, company number 09026053 registered in England and Wales. Our registered office address is Unit 1 Portland Business Centre, Manor House Lane, Datchet, Berkshire SL3 9EG, United Kingdom. 

How to contact us

You can contact us via email on [email protected] or by telephone: 0800 030 6855 is our toll-free for calls from the UK. For international calls our telephone number is 0044 333 939 8455. Our office hours are from Monday to Friday 9am to 5pm GMT.

What types of data we collect

We collect four types of data:

  1. Data about your visit to our website
  2. Data about your interactions with us via email, contact form and telephone
  3. Data about the order(s) you create
  4. Data about the processing and fulfillment of your order(s)

In what follows we will discuss these four data types in more detail. For each data type we will answer these six questions:

  1. What data do we collect?
  2. What is the legal basis for processing this data?
  3. Will we share the data with any third parties?
  4. How do we use the data?
  5. How long do we store the data?
  6. What rights do I have regarding my data?

We aim to answer these questions in clear and plain language. However if anything is unclear, please do not hesitate to contact us.

1. Data about your visit to our website

1a. What data do we collect?

To track and report on website traffic, we use Google Analytics, a web analytics service offered by Google. No personal information is stored in Google Analytics or shared with Google. We have taken the following measures to ensure this:

  • No personally identifiable information is present in page titles, URLs, event actions or other dimensions.
  • We have enabled the feature to anonymise IP addresses in Google Analytics.
  • We no not use remarketing or advertising reporting features.
  • We do not use demographics and interest reports.
  • We do not use the Google Analytics User-ID feature or any pseudonym identifiers.

Our website is hosted by Vultr, a leading web hosting service provider. Vultr stores IP addresses and visited pages with a timestamp in their server logs.  

When you visit our website for the first time, a message will appear about how we use non invasive cookies to improve your experience. When you accept the use of cookies we will store small pieces of data, known as cookies, on your device during your visit. The cookies we use are designed to make your visit to our website easier and more user friendly. For example a cookie is used to store your preferred payout currency. We don’t store any personally identifiable information in cookies, nor do the third parties we work with. The following plugins and applications can store cookies on your device when consent has been granted:

  • Google Analytics: a web analytics service by Google
  • WooCommerce: a plugin for e-commerce on WordPress websites, by Automattic
  • WordPress: a blogging and website content management system, by Automattic
  • WPML: a translation plugin to run multilingual websites on WordPress
  • GDPR cookie consent: the plugin that triggers the cookie consent notice and remembers your choice, by WordPress
  • • HubSpot: a CRM software plugin to manage customers.

1b. What is the legal basis for processing this data?

For tracking and reporting website traffic, no personal information is stored or shared. Therefore no consent is required.

Storing IP addresses, visited pages and a timestamp in a server log is a common practice designed to prevent fraud. As a registered bureau de change we are required to have processes in place to prevent fraud, money laundering and terrorist financing from occurring. This is a legitimate interest and therefore no consent is required.

Before storing cookies on your device we will seek your consent for this. If you opt out we will not place cookies on your device. This may affect the basic functionality of our website. 

1c. Will we share the data with any third parties?

Tracking data is shared with Google Analytics, owned by Google, who is the data processor. None of the data shared with Google contains personal information. This page shows Google’s actions to comply with EU GDPR: https://privacy.google.com/businesses/compliance/

For server logs our data processor is Vultr. This page explains Vultr’s actions to comply with EU GDPR: https://www.vultr.com/news/Vultr-is-GDPR-Ready/

The third parties that store cookies on your device have access to the content of these cookies. We require the third parties that store cookies on your device to be fully compliant with EU GDPR. Here is more information about how they comply with EU GDPR:

We do not share data about your visit to any other third parties.

1d. How do we use the data?

We use the tracking data in Google Analytics to monitor website traffic and to understand how our visitors interact with the website. Based on these findings we optimise our website so it becomes more user friendly.

We use the IP addresses, visited pages and timestamp stored in server logs for the following purposes:

  • To identify linked transactions that have been deliberately broken into smaller transactions to avoid customer due diligence checks.
  • To protect our website against hackers, scammers and spammers.

The cookies stored by third parties we work with serve to make the plugin or functionality work. The types and purposes of cookies stored are explained in detail here:

1e. How long do we store the data?

Google Analytics retains user-level and event-level data associated with cookies for 14 months. After this, data is deleted automatically on a monthly basis. Server logs on Vultr are kept for 6 months, after which they are deleted automatically. Information about how long each cookie is stored for can be found here:

1f. What rights do I have regarding my data?

Under the rules of EU GDPR you have the right to access, update and delete your data.Regarding Google Analytics data: No personal information is stored in Google Analytics or shared with Google. For this reason it is not possible to access, update or delete your data since we only see aggregated values and we cannot identify which data is yours. It is however possible to opt out from Google Analytics tracking. If you do so, Google Analytics will not include your visit data in our website traffic reports. To do so, you need to install the free Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptoutRegarding server logs: For the purpose of preventing fraud we need to store the server logs for 6 months, after which they will be automatically deleted. It is not possible to change or delete server log data prior to the 6 months period ending. It is however possible to request to access your data in the server logs. Please contact us if you would like to do so. Regarding cookies: You have the right at any time to change your consent for cookies. Here’s how to do this:

  1. Delete your cookies:https://www.pcworld.com/article/242939/how_to_delete_cookies.html
  2. Navigate to https://www.leftovercurrency.com/
  3. The cookie consent notice will appear again. You can either accept cookies or opt out.

2. Data about your interactions with us via email, contact form and telephone

2a. What data do we collect?

When you choose to contact us via email, the contact form on the website or by telephone, we receive and retain data.

If you contact us via email, we receive the following data:

  • Your email address and any extra email addresses included in the TO or CC fields
  • The display name that email recipients see. In most cases this is your first name and last name.
  • The content in the email subject line, body and any attachments
  • The email header, including timestamp and your IP address. For more information about what an email header is, please read this: https://whatismyipaddress.com/email-header

This information is received and stored in our webmail client Zoho Mail.

If you contact us via the contact form on our Contact Us page, we received the following data:

  • The name and email address you provided in the contact form fields.
  • The subject and message you provided.

Contact form submissions are converted to emails using the WordPress plugin Contact Form 7 and stored in our webmail client Zoho Mail.

If you call us by telephone, or leave a voice message, we receive the following data:

  • Your telephone number, unless you withhold it.
  • The date, time and length of your call. This information is stored in the call log.
  • The information you provide us during the call. We do not record calls. We may take down information on a piece of paper during the call.

If you send us a text message, we receive the following data:

  • Your telephone number, unless you withhold it.
  • The content of your text message and any attachments.

This data is held on the mobile phone device we use to receive calls.  

2b. What is the legal basis for processing this data?

When customers contact us via email, contact form message or by telephone, they expect us to receive the message and send a reply. The information we collect, such as email addresses and telephone numbers, serves this purpose.

For messages sent via the contact form on our website we will seek consent from the user prior to sending it via our third party plugin Contact Form 7.

Our internal email retention and deletion policy ensures that we comply with the EU GDPR’s data minimisation and storage limitation principles.

2c. Will we share the data with any third parties?

Emails are stored in our webmail client Zoho Mail. We have selected Zoho Mail as our preferred email hosting provider because of its enhanced data integrity and security. Zoho Mail is fully compliant with the EU GDPR: https://www.zoho.com/gdpr.html

Messages sent via the contact form are converted to emails by the WordPress plugin Contact Form 7. We only collect and share essential data with Contact Form 7: name, email address, subject line and message content. This article describes the steps taken by Contact Form 7 to be EU GDPR compliant: https://contactform7.com/2018/04/16/how-to-make-privacy-friendly-contact-forms/

Our calls and text messages are delivered by BT. This document describes the actions that BT has taken to be compliant with EU GDPR: https://business.bt.com/gdpr-information/

We will not share data about your interactions with us via email, contact form and telephone to any other third parties, except if we are legally required to do so. Examples in which we may have to share your data include when we are approached by HMRC or law enforcement services.

We will never share your data with third parties for marketing purposes.

2d. How do we use the data?

The data we collect by interacting with our customers via email, contact form and phone is used to answer our customers’ queries and to help them with exchanging their leftover currency.

We will never use the collected contact data for marketing purposes. We will never use our customer’s contact details to send unsolicited messages or make unsolicited calls.

2e. How long do we store the data?

Our internal email retention and deletion policy ensures that we comply with the EU GDPR’s data minimisation and storage limitation principles. We categorise emails into groups and have a policy in place to only store emails for as long as necessary. If your interaction with us involves money exchange, we are legally required to keep the data for five years.Voice messages are deleted weekly. Call logs and text messages are deleted on a monthly basis.If, during a call or while listening to your voice message, we write down personal information on a post-it or a piece of paper, we will make sure to discard of it safely directly after. We use the services of Shred it for secure shredding services: https://www.shredit.co.uk/en-gb/home

2f. What rights do I have regarding my data?

You have the right to access your data: Contact us to receive a list of the information we store about your interactions with us via email, contact form and telephone. You have the right to request a change to your data if you believe that the data about your interactions with us via email, contact form and telephone is not correct or incomplete. If your interaction with us does not involve money exchange, you can ask us to delete the data about your interactions with us via email, contact form and telephone. If your interaction with us involves money exchange: Under anti-money laundering regulations we are legally required to keep records of interactions with our customers for five years. For this reason it is not possible to request us to delete the data about your interactions with us via email, contact form and telephone, prior to the completion of this five-year period.

3. Data about the order(s) you create

3a. What data do we collect?

When you create an online order to exchange and receive payment for your leftover currency, we collect data via the form on our website. The data we collect is the following:

  • Preferred payout currency (GBP, USD, EUR)
  • Content of online wallet: quantity, buy rate and value for each banknote/coin
  • Title (optional)
  • First name
  • Last name
  • Address
  • Email address
  • Phone number (optional)
  • Order notes: any extra information supplied in the text field (optional)
  • Preferred payout method (direct bank transfer/cheque/paypal/donate to charity)
  • Payment details:
    • If payout method is direct bank transfer: bank account details
    • If payout method is cheque: full name of payee
    • If payout method is paypal: email address for paypal
    • If payout method is donate to charity: selected charity to receive donation
  • Read and accepted terms and conditions (Y/N)
  • Would like to receive reminder email (Y/N)
  • Would like to receive an invitation to review our service (Y/N)
  • Time stamp when order was submitted
  • Unique reference number generated when order was submitted

During the order creation process you have the option to create an account. By creating an account you can log in next time when you create an order, and you don’t need to fill in all your details again. Creating an account is optional. If you create an account we collect the following data, in addition to the data collected for the order(s) you submitted:

  • Username: this is your email address
  • Orders created by user
  • Lifetime order value of user

3b. What is the legal basis for processing this data?

We collect this data to be able to fulfill the order. When you create an order, you indicate that you intend to exchange the currency in your online wallet, and that you would like to receive payment by your preferred payment method.

The collected data allows us to send you the payment for your leftover currency. It also allows us to update you regarding the status of your order, and to contact you if we have any questions.

Creating an account is optional, as indicated during the order creation process. You don’t have to create an account if you don’t want to. The legal basis for information on an account level is consent.

3c. Will we share the data with any third parties?

When an order is created, a confirmation email is generated by the WooCommerce plugin called ‘PDF invoice’, part of Automattic. In the confirmation email, bank account information is replaced by Xs, so that only the last three digits of an account number are shown. A copy of the confirmation email is sent to Leftover Currency, to inform us of the creation of your order. Emails are stored in our webmail client Zoho Mail. We have selected Zoho Mail as our preferred email hosting provider because of its enhanced data integrity and security. Zoho Mail is fully compliant with the EU GDPR: https://www.zoho.com/gdpr.html

3d. How do we use the data?

The data about the order(s) you create is used to fulfill your order(s). We have taken care to only collect data that is necessary to fulfill your order. We also use the data to contact you if we have any questions, and to update you about the progress of your order.

We will not contact you about anything that is not related to your order(s).

3e. How long do we store the data?

The data about the order(s) you create is stored for:

  • Five years if we receive your currency
  • Three months if you decided not to send us the currency

When we receive your currency, this means that your transaction involves currency exchange. Therefore the transaction is applicable to the money laundering regulations (MLR). Under MLR we are required to keep our customer data for five years. This is explained in more detail in the next part ‘Data about the processing and fulfillment of your order(s)’.

If you don’t send us the currency, either because you changed your mind or because you forgot to send the currency, we will delete the data after three months. 

3f. What rights do I have regarding my data?

You have the right to access and/or change your data. If you want to access and or change the data about the order(s) you created please contact us. You have the right to ask us to delete your data. We will delete your order when you ask us to delete it, except when we have received your currency, in which case we need to store your data for five years under money laundering regulations.

You have the right to ask us to delete your account. We will delete your account when you ask us to delete it, except when we have received currency from you for one or more orders, in which case we need to store your data for five years under money laundering regulations.

4. Data about the processing and fulfilment of your order(s)

4a. What data do we collect?

When we process your order(s) we collect the following data:

  • Current and previous order statuses with timestamp indicating when the order status was updated: awaiting currency/processing/completed/order discrepancy/on hold
  • Name(s) of the Leftover Currency staff that processes your order(s)
  • Any messages sent by Leftover Currency staff regarding your order(s)
  • Results of the count of the currency, and a description of any discrepancies if there are any
  • Tracking and delivery status information if you used a tracked delivery method
  • Customs related information if your items passed through customs
  • Any information included with your order or on the packaging, for example a cover letter or a return address
  • Outcome of search for linked transactions: total combined value over 6 months for linked transaction
  • If your payment method is bank transfer and your bank account is outside of the UK, we may ask your date of birth. We will only do so if the receiving bank needs the date of birth of the sender to process the payment.

When you fill in a paper PDF exchange form, instead of using the online wallet, we receive the data about the order you created when your letter/parcel arrives at our office. When we start processing your order we receive the following data on the paper exchange form:

  • Preferred payout currency
  • Amount per currency, in banknotes and coins
  • Title
  • First name
  • Last name
  • Address
  • Email address
  • Preferred payout method (direct bank transfer/cheque/paypal/donate to charity)
  • Payment details:
    • If payout method is direct bank transfer: bank account details
    • If payout method is cheque: full name of payee
    • If payout method is paypal: email address for paypal
  • Date of signing
  • Signature

For (linked) orders, either online or with a PDF paper exchange form, with a (combined) value over £1000 GBP, $1000 USD or €1000 EUR (over six months) we may also collect the following data:

  • Scans/photocopies of forms of ID and proof of address sent in
  • Information about the true beneficiary of the funds
  • Information about the origin of the funds
  • Information about people/organisations linked to the beneficiary
  • Information about whether the beneficiary is a politically exposed person (PEP) or on a target/financial sanctions list
  • Outcome of (advanced) due diligence checks

When an order is created, we follow up the status. If we haven’t received the currency within 9 days, we may send a reminder email. We will only send the reminder email if you have consented to this during order creation. If we send the reminder email, we collect the following data:

  • Customer name
  • Purchased (Y/N)
  • Mailing list (Y/N)
  • Email stats: sent, opens, clicks
  • Total orders
  • Last order date
  • Lifetime value

If you indicated that you would like to review our service, you will receive an email with a link to Trustpilot, where you can leave a review if you would like to. If you leave a review, we collect the following data:

  • Star rating (1-5)
  • Alias name of reviewer
  • Review
  • Reference number of your order

4b. What is the legal basis for processing this data?

We are legally required to keep data about the processing and fulfillment of your order(s) under the Money Laundering Regulations 2017: https://www.gov.uk/government/consultations/money-laundering-regulations-2017

The legal basis for collecting data about the reminder email is your consent. When you create an order you indicate whether you want to receive a reminder email or not. 

The legal basis for collecting review data is your consent. When you create an order you indicate whether you would like to receive an invitation email to review our service or not.

4c. Will we share the data with any third parties?

When we are asked to share data with HMRC or law enforcement agencies, we will comply, as we are required to do under the Money Laundering Regulations 2017.

For performing due diligence checks we use a tool called GBG ID3global by identity data intelligence firm GBG: https://www.gbgplc.com/uk/what-we-do/supporting-gdpr/  For enhanced due diligence checks we also use the services of Compliance Assist Limited: https://www.complianceassist.co.uk/privacy-policy.

To fulfill your order and get you paid, we need to share information with the payment providers we work with:

If you have consented to receiving an invitation to review our service on Trustpilot, we will share the following data with Trustpilot: First name, last name, email address, reference number. Here is more information about how Trustpilot complies with GDPR: https://support.trustpilot.com/hc/en-us/articles/360000306528–How-do-we-protect-your-data

4d. How do we use the data?

We use the data to help us process and fulfill your order, and for compliance and accounting purposes.

We use review data to collect feedback about our service and to improve our processes where needed. Reviews are used by Trustpilot to calculate a ‘trustscore’ which can be used to compare reviews across websites.

4e. How long do we store the data?

We are legally required to store information about processing and fulfillment of your order(s) for a period of five years. After five years we will delete orders on a monthly basis. We will delete all online data, as well as offline (paper) data. For destroying offline data we use the services of Shred it: https://www.shredit.co.uk/en-gb/homeReview data is kept until the reviewer deletes his/her account or until the reviewer asks Trustpilot for the review to be deleted. 

4f. What rights do I have regarding my data?

You have the right to access your data. If you want to access the data about the processing and fulfillment of order(s) then please contact us. If the data is not accurate then you have the right to update your data. You have the right to access, amend and delete your review on Trustpilot: https://support.trustpilot.com/hc/en-us/articles/201839063-How-do-I-edit-or-delete-my-review-You have the right to amend your consent to receive our email reminder. You have the right to amend your consent to receive review invitations. If you want to update your consent, please contact us.

Your rights

Under the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information we hold about you. You can read more about these rights here – https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/

Complaints or concerns

We do our best to meet the highest standards when collecting and processing your personal data. However if you want to file a complaint or report a concern, you can do so on the website of the Information Commissioner’s Office (ICO) https://ico.org.uk/concerns

Leftover Currency Limited is an organisation that processes personal information and is therefore required to pay an annual fee to the ICO. You can find Leftover Currency Limited on the online register of fee payers here: https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/

Third party links

On occasion we include links to third parties on our website. Although we carefully select any external links on our website, where we provide an external link it does not mean that we endorse or approve that site’s Privacy Policy. Customers should review any external site’s Privacy Policy before providing any personal data.

Convert leftover currency into cash, fast.

Exchange your currency now