Privacy policy

This privacy policy sets out how Transfer Galaxy uses and protects any information that Transfer Galaxy have about you when you use our website or mobile applications or otherwise provide your personal details to us.

Transfer Galaxy is committed to ensure that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using our Service (as defined below), then you can be assured that it will only be used in accordance with this privacy policy.

Transfer Galaxy may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you accept any changes.

1. Who is Transfer Galaxy?

Transfer Galaxy is a digital-first money transfer service that enables customers to send money to their loved ones from a laptop, tablet or smartphone (the “Service”).

In this privacy policy, the terms "we", "us", "our", and "Transfer Galaxy" refer to Transfer Galaxy AB, a limited company incorporated under the laws of Sweden with registration number 556978-4464 and registered office at Osmundgatan 12, 703 83 Örebro, Sweden.

In the terminology of the General Data Protection Regulation (“GDPR”), Transfer Galaxy is the "controller" of your personal data and you, our customer, are the "data subject". This means that Transfer Galaxy determines the purposes and means of the processing of your personal data, while respecting your privacy rights.

2. What we collect

This section sets out the categories of personal data we collect and use.

2.1 Data you give us

We collect information you provide when you:

  • Open an account or use the Service
  • Respond to our requests for additional KYC information
  • Apply for the temporary increase of your sending limit
  • Communicate with a member of our customer support team (either on the phone or through the email)
  • Participate in competitions or campaigns organised by us or share information with us on social media

Data category

Description

Basic KYC data

  • Name
  • Address
  • Personal number
  • Date of birth

Additional KYC data

  • Nationality
  • Gender
  • IP address
  • Bank statement
  • Salary slip or pension slip
  • Contracts, loan documents that contain your name or other data about you

Contact data

  • Telephone number
  • Email address

Identity verification data

Copies of your identification documents that may include, in particular:

  • Passport
  • Driving license 
  • National ID card
  • Residence permit card 
  • Asylum status document

Address verification data

  • Rent payment receipts 
  • Household utility bill (e.g. gas, electric, water or fixed line telephone)
  • Rental contract with a housing association or city council
  • Letters from the tax or migration authority
  • Government benefits statement
  • Bank, building society or credit card statement
  • Any other document from a government or financial institution that contains your name and address

Payment data

  • Masked bank account number
  • Masked credit or debit card number

Recipient data

  • Name
  • Address
  • Telephone number
  • Date of Birth
  • Copy of a passport or another ID document
  • Nationality

Campaigns related data

  • Contact details (e.g. email and telephone number) of the participants and the winners
  • Other information necessary to fulfil our obligations in relation to competitions and campaigns

All above mentioned information could potentially be collected, but may not be collected in each individual case. Some information, like Gender, will be collected indirectly by the information you are providing, such as by uploading your passport. You do not have to disclose the information to us, but if you choose not to, we may not be able to provide you with the Service.

2.2 Data collected through your use of the Service

Data category

Description

Usage data

This includes information on transactions and your use of the Service, in particular:

  • date, time, amount, currencies, exchange rate of a transaction
  • recipient details
  • IP address of sender 
  • sender's and receiver's name
  • details of device used to arrange the payment and the payment method used

Device data

  • Operating system type and version number, manufacturer and model
  • Browser type and language
  • Screen resolution;
  • IP address
  • Unique device identifiers

Service data

  • Time spent on a page or screen
  • Navigation paths between pages or screens
  • Session date and time; activity status (including first seen, last seen, last heard from - and last contacted)
  • Pages viewed
  • Links clicked
  • Language preferences

 

2.3 Information from third parties

If you are established in Sweden or Norway, we collect your address information from third-party service providers who retrieve it from publicly available databases.

3. Purposes of the data processing and legal basis

The table below sets out:

  • Our purpose for processing your personal data
  • Our legal basis under data protection law
  • Categories of personal data which we use for each purpose. See more about these categories in Section 2 ‘What we collect’

We may use one of the following legal bases:

  • Performance of a contract: we need certain personal data to provide our Service and cannot provide it without this personal data.
  • Compliance with legal obligations: in some cases, we have a responsibility to collect and store your personal data (for example, under anti-money laundering laws we are required to possess certain information about our customers).
  • Legitimate interest: when we have an interest in using your personal data in a certain way, which is necessary and justified considering any potential risks to you.
  • Consent: when we ask you to actively indicate your agreement to us using your personal data for a certain purpose

Purpose of processing

Legal basis

Data categories

To identify you

Compliance with legal obligations

  • Basic KYC data

To verify your identity

Compliance with legal obligations

  • Identity verification data
  • Personal number
  • Your image in photo

To verify your address

Compliance with legal obligations

  • Address verification data

To process your transactions

Performance of a contract

  • Name
  • Contact data
  • Address
  • Payment data
  • Recipient data

To collect payment for your use of the Service

Performance of a contract

  • Basic KYC data
  • Payment data

To send transaction alerts to you and/or the recipient of your remittance

Performance of a contract

  • Name
  • Contact data
  • Recipient data

To provide you with information about the Service

Performance of a contract

  • Name
  • Contact data

To conduct competitions and campaigns

Performance of a contract

  • Campaigns data

To send you marketing notices, service updates, and promotional offers through direct marketing

Legitimate interest

  • Name
  • Contact data

To evaluate and develop new features, technologies, and improvements to the Service

Legitimate interest

  • Device data
  • Service data

To detect and prevent fraud

Compliance with legal obligations

  • Email
  • Your image in photo

To comply with applicable laws, regulations, and rules, such as those relating to anti-money laundering and counter-terrorist financing

Compliance with legal obligations

  • Additional KYC data
  • Address data
  • Recipient data
  • Usage data

To establish, exercise, or defend legal claims

Legitimate interest

  • Basic KYC data
  • Additional KYC data
  • Contact data
  • Identity verification data
  • Address verification data
  • Payment data
  • Recipient data
  • Campaigns related data
  • Usage data

 

4. How long we keep your personal data

Depending on what purpose your data is used for, the length of time we keep it may vary.

Data category

Purpose of processing

Retention period

  • Basic KYC data

 

To identify you

 

5 years following the termination of our contract with you. 10 years if instructed by the competent authorities 

  • Identity verification data
  • Personal number
  • Your image in photo 

To verify your identity

 

5 years following the termination of our contract with you. 10 years if instructed by the competent authorities

  • Address verification data

To verify your address

5 years following the termination of our contract with you. 10 years if instructed by the competent authorities

  • Name
  • Contact data
  • Address
  • Payment data
  • Recipient data

To process your transactions

As long as you are our customer

  • Basic KYC data
  • Payment data

To collect payment for your use of the Service

5 years following the termination of our contract with you. 10 years if instructed by the competent authorities 

  • Name
  • Contact data
  • Recipient data

To send transaction alerts to you and/or the recipient of your remittance

As long as you are our customer

  • Name
  • Contact data

To provide you with information about the Service

As long as you are our customer

  • Name
  • Contact data

To send you marketing notices, service updates, and promotional offers through direct marketing

As long as you are our customer

  • Device data
  • Service data

To evaluate and develop new features, technologies, and improvements to the Service

1 year from collection

  • Email
  • Your image in photo 

To detect and prevent fraud

5 years following the termination of our contract with you. 10 years if instructed by the competent authorities 

  • Additional KYC data
  • Address data
  • Recipient data

To comply with applicable laws, regulations, and rules, such as those relating to anti-money laundering and counter-terrorist financing

5 years following the termination of our contract with you. 10 years if instructed by the competent authorities 

Please note that we may retain any personal data mentioned above for a longer period than stated above, if required by law or if required to protect the rights, property or safety of Transfer Galaxy or of the Service provided by us or our partners.

5. How we share information with others

We may share your personal data with:

  • Third-party service providers under contract with Transfer Galaxy that help us with our business operations, such as transaction processing, fraud prevention, communication, customer support and marketing. The information we share may include all categories of data about you that we possess. These service providers are authorized to use your personal data only as necessary to provide these services to us
  • Third-parties that will transfer money to you through our app. If a party tries to send you money, they will see your name to be able to confirm that you are the correct recipient.
  • In the event of a capital raising process or a sale process regarding some or all of our shares or assets, we may disclose your personal data to the prospective buyer. The categories of data we may share in this case include basic KYC data, additional KYC data, contact data, identity verification data, and usage data.
  • Law enforcement and government officials, but only in connection with a formal request, subpoena, court order, or similar legal procedure, as well as circumstances where we believe in good faith that disclosure is necessary to comply with the law, report suspected illegal activity, or investigate violations of our Terms and Conditions. The categories of data we may share in this case include basic KYC data, additional KYC data, contact data, identity verification data, address verification data, payment data, recipient data, and usage data.

We will not sell or otherwise transfer the information we collect to third parties for their promotional purposes unless we have received your explicit permission to do so.

6. Transferring data outside of European Economic Area

Personal data which is submitted via our Service is sent to and stored on secure servers owned by, or operated for, us in the European Economic Area ("EEA"). Such data may be transferred to, or stored at, a destination outside the EEA and may also be processed by staff operating outside the EEA who work for us or for one of our service providers. Such transfers may be made in order to operate the Service, improve our Service, or to assist in our security or fraud protection activities.

Whenever we transfer personal data to a destination outside EEA, we take appropriate legal measures to:

  • Make sure that the data transfer complies with applicable law.
  • Ensure that your data has the same level of protection as it has in the EU/EEA.

To ensure that each data transfer complies with applicable EU/EEA legislation, we use the following legal mechanism:

  • Standard Contractual Clauses, which are clauses that require the other party to protect your data with EU-level rights and protections.
  • Adequacy decision, which means that we transfer personal data to a destination outside EEA which have adequate laws to protect personal data, as determined by the European Commission.

Depending on your use of the Service, including the countries you send money to, we may transfer your data to the following countries outside of the EEA: our recipient countries as displayed in the Service from time to time, Mauritius, New Zeeland, the USA and the UK.

When we transfer your data to the UK or New Zeeland, we do so on the basis of an adequacy decision issued by the European Commission in accordance with Article 45 of GDPR which can be accessed here. The decision confirms that the regulatory requirements in these countries ensure an adequate level of protection for your personal data. For transfers to all other countries, we rely on standard data protection clauses adopted by the European Commission. If you would like to obtain a copy of the clauses we use, please contact us by sending an email to privacy@transfergalaxy.com.

7. Your rights related to personal data

The GDPR establishes certain rights in relation to your personal data, which are listed below:

  • Information: the right to be informed about how we use your personal data
  • Rectification: the right to correct, amend or update your personal data if it is wrong or has changed
  • Erasure: the right to ask us to remove your personal data from our records. You can ask us to delete your personal data if:
    1. your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
    2. you gave us consent to use your personal data and you have now withdrawn it
    3. you have objected to us using your personal data
    4. we have used your personal data unlawfully or
    5. the law requires us to delete your personal data
  • Restriction: the right to ask us to stop processing your personal data. You can ask us to suspend using your personal data if:
    1. you want us to verify whether it is accurate
    2. our use of your personal data is unlawful, but you do not want us to delete it
    3. we no longer need your personal data, but you need it for the establishment, exercise or defence of legal claims or
    4. you have objected to us processing your personal data (see below), but we need to verify whether we have compelling legitimate grounds for the processing.
  • Objection: the right to object to data processing, including profiling, if our legal basis for processing your data is legitimate interests. However, we may decline your request if there are compelling legitimate grounds for the processing which override your rights and interests
  • Access and Portability: the right to access and receive your personal data which you have shared with us in a structured, commonly used and machine-readable format and the right to transmit the data to another controller if (i) the processing is based on that the data subject has given consent to the processing or that the processing is necessary for the performance of a contract, and (ii) the processing is carried out by automated means.

At any time, you are welcome to contact us in relation to these rights. However, please note that there are certain exceptions where these rights may be superseded by laws and other requirements applicable to regulated financial institutions like Transfer Galaxy. An example of this would be the obligatory retention period, which supersedes the right to data erasure.

8. Automated decision making, including profiling

We may conduct automated processing and/or profiling based information you provide to us, together with information obtained from third parties. For example, we may make automated decisions about you that relate to identity verification and sanction checks.

In some cases, automated processes may restrict or suspend access to our Service if such processes identity activity that we believe poses risks to our Service, other users, or third parties.

You have the right to not be subject to individual decisions made solely by automated means. This means that if we make an automated decision about you that significantly affects you, you can request us to perform a manual review of this decision.

9. Security

The security of your personal data is important to us. When you enter financial information (such as credit/debit card and banking information) within our Service, we encrypt the transmission of that information using secure socket layer technology (SSL). We use 256-bit data security encryption, so all information sent between your web browser and our Service remains private and secure.

Transfer Galaxy has also introduced technical and organisational measures to ensure the appropriate level of protection for any personal data processed by us. These measures ensure that the personal data is treated confidentially, is available to the extent needed within the organisation and that the content is correct. All measures are designed to take into account the requirements set out in the GDPR and the Payment Services Act (2010: 751).

10. Use of cookies

We use cookies to analyse how you use our website. For detailed information about cookies see our Cookie Policy.

11. Third party sites

The Service contains links to other websites. Transfer Galaxy is not responsible for the privacy practices or the content of these other websites. We encourage you to familiarize yourself with the privacy practices of these other sites prior to submitting your personal data to them.

The Service includes Social Media Features, such as the Facebook Like button and Widgets, such as the Share this button or interactive mini-programs that run on our site. These Features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly in our Service. Your interactions with these Features are governed by the privacy policy of the company providing it.

12. Contact

If you have any questions, requests or concerns about this privacy policy or the use of your personal data, please contact us by sending an email to the following address privacy@transfergalaxy.com.

If you feel that we have not addressed your question, request or concern adequately, you have a right to make a complaint with the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten). You may access their details at https://www.imy.se.




Click here for Previous Versions