Transfer Galaxy may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you accept any changes.
1. Who is Transfer Galaxy?
Transfer Galaxy is a digital-first money transfer service that enables customers to send money to their loved ones from a laptop, tablet or smartphone (the “Service”).
In the terminology of the General Data Protection Regulation (“GDPR”), Transfer Galaxy is the "controller" of your personal data and you, our customer, are the "data subject". This means that Transfer Galaxy determines the purposes and means of the processing of your personal data, while respecting your privacy rights.
2. What we collect
This section sets out the categories of personal data we collect and use.
2.1 Data you give us
We collect information you provide when you:
- Open an account or use the Service
- Respond to our requests for additional KYC information
- Apply for the temporary increase of your sending limit
- Communicate with a member of our customer support team (either on the phone or through the email)
- Participate in competitions or campaigns organised by us or share information with us on social media
All above mentioned information could potentially be collected, but may not be collected in each individual case. Some information, like Gender, will be collected indirectly by the information you are providing, such as by uploading your passport. You do not have to disclose the information to us, but if you choose not to, we may not be able to provide you with the Service.
2.2 Data collected through your use of the Service
2.3 Information from third parties
If you are established in Sweden or Norway, we collect your address information from third-party service providers who retrieve it from publicly available databases.
3. Purposes of the data processing and legal basis
The table below sets out:
- Our purpose for processing your personal data
- Our legal basis under data protection law
- Categories of personal data which we use for each purpose. See more about these categories in Section 2 ‘What we collect’
We may use one of the following legal bases:
- Performance of a contract: we need certain personal data to provide our Service and cannot provide it without this personal data.
- Compliance with legal obligations: in some cases, we have a responsibility to collect and store your personal data (for example, under anti-money laundering laws we are required to possess certain information about our customers).
- Legitimate interest: when we have an interest in using your personal data in a certain way, which is necessary and justified considering any potential risks to you.
- Consent: when we ask you to actively indicate your agreement to us using your personal data for a certain purpose
4. How long we keep your personal data
Depending on what purpose your data is used for, the length of time we keep it may vary.
Please note that we may retain any personal data mentioned above for a longer period than stated above, if required by law or if required to protect the rights, property or safety of Transfer Galaxy or of the Service provided by us or our partners.
5. How we share information with others
We may share your personal data with:
- Third-party service providers under contract with Transfer Galaxy that help us with our business operations, such as transaction processing, fraud prevention, communication, customer support and marketing. The information we share may include all categories of data about you that we possess. These service providers are authorized to use your personal data only as necessary to provide these services to us
- Third-parties that will transfer money to you through our app. If a party tries to send you money, they will see your name to be able to confirm that you are the correct recipient.
- In the event of a capital raising process or a sale process regarding some or all of our shares or assets, we may disclose your personal data to the prospective buyer. The categories of data we may share in this case include basic KYC data, additional KYC data, contact data, identity verification data, and usage data.
- Law enforcement and government officials, but only in connection with a formal request, subpoena, court order, or similar legal procedure, as well as circumstances where we believe in good faith that disclosure is necessary to comply with the law, report suspected illegal activity, or investigate violations of our Terms and Conditions. The categories of data we may share in this case include basic KYC data, additional KYC data, contact data, identity verification data, address verification data, payment data, recipient data, and usage data.
We will not sell or otherwise transfer the information we collect to third parties for their promotional purposes unless we have received your explicit permission to do so.
6. Transferring data outside of European Economic Area
Personal data which is submitted via our Service is sent to and stored on secure servers owned by, or operated for, us in the European Economic Area ("EEA"). Such data may be transferred to, or stored at, a destination outside the EEA and may also be processed by staff operating outside the EEA who work for us or for one of our service providers. Such transfers may be made in order to operate the Service, improve our Service, or to assist in our security or fraud protection activities.
Whenever we transfer personal data to a destination outside EEA, we take appropriate legal measures to:
- Make sure that the data transfer complies with applicable law.
- Ensure that your data has the same level of protection as it has in the EU/EEA.
To ensure that each data transfer complies with applicable EU/EEA legislation, we use the following legal mechanism:
- Standard Contractual Clauses, which are clauses that require the other party to protect your data with EU-level rights and protections.
- Adequacy decision, which means that we transfer personal data to a destination outside EEA which have adequate laws to protect personal data, as determined by the European Commission.
Depending on your use of the Service, including the countries you send money to, we may transfer your data to the following countries outside of the EEA: our recipient countries as displayed in the Service from time to time, Mauritius, New Zeeland, the USA and the UK.
When we transfer your data to the UK or New Zeeland, we do so on the basis of an adequacy decision issued by the European Commission in accordance with Article 45 of GDPR which can be accessed here. The decision confirms that the regulatory requirements in these countries ensure an adequate level of protection for your personal data. For transfers to all other countries, we rely on standard data protection clauses adopted by the European Commission. If you would like to obtain a copy of the clauses we use, please contact us by sending an email to firstname.lastname@example.org.
7. Your rights related to personal data
The GDPR establishes certain rights in relation to your personal data, which are listed below:
- Information: the right to be informed about how we use your personal data
- Rectification: the right to correct, amend or update your personal data if it is wrong or has changed
- Erasure: the right to ask us to remove your personal data from our records. You can ask us to delete your personal data if:
- your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- you gave us consent to use your personal data and you have now withdrawn it
- you have objected to us using your personal data
- we have used your personal data unlawfully or
- the law requires us to delete your personal data
- Restriction: the right to ask us to stop processing your personal data. You can ask us to suspend using your personal data if:
- you want us to verify whether it is accurate
- our use of your personal data is unlawful, but you do not want us to delete it
- we no longer need your personal data, but you need it for the establishment, exercise or defence of legal claims or
- you have objected to us processing your personal data (see below), but we need to verify whether we have compelling legitimate grounds for the processing.
- Objection: the right to object to data processing, including profiling, if our legal basis for processing your data is legitimate interests. However, we may decline your request if there are compelling legitimate grounds for the processing which override your rights and interests
- Access and Portability: the right to access and receive your personal data which you have shared with us in a structured, commonly used and machine-readable format and the right to transmit the data to another controller if (i) the processing is based on that the data subject has given consent to the processing or that the processing is necessary for the performance of a contract, and (ii) the processing is carried out by automated means.
At any time, you are welcome to contact us in relation to these rights. However, please note that there are certain exceptions where these rights may be superseded by laws and other requirements applicable to regulated financial institutions like Transfer Galaxy. An example of this would be the obligatory retention period, which supersedes the right to data erasure.
8. Automated decision making, including profiling
We may conduct automated processing and/or profiling based information you provide to us, together with information obtained from third parties. For example, we may make automated decisions about you that relate to identity verification and sanction checks.
In some cases, automated processes may restrict or suspend access to our Service if such processes identity activity that we believe poses risks to our Service, other users, or third parties.
You have the right to not be subject to individual decisions made solely by automated means. This means that if we make an automated decision about you that significantly affects you, you can request us to perform a manual review of this decision.
The security of your personal data is important to us. When you enter financial information (such as credit/debit card and banking information) within our Service, we encrypt the transmission of that information using secure socket layer technology (SSL). We use 256-bit data security encryption, so all information sent between your web browser and our Service remains private and secure.
Transfer Galaxy has also introduced technical and organisational measures to ensure the appropriate level of protection for any personal data processed by us. These measures ensure that the personal data is treated confidentially, is available to the extent needed within the organisation and that the content is correct. All measures are designed to take into account the requirements set out in the GDPR and the Payment Services Act (2010: 751).
11. Third party sites
The Service contains links to other websites. Transfer Galaxy is not responsible for the privacy practices or the content of these other websites. We encourage you to familiarize yourself with the privacy practices of these other sites prior to submitting your personal data to them.
If you feel that we have not addressed your question, request or concern adequately, you have a right to make a complaint with the Swedish Data Protection Authority (Sw. Integritetsskyddsmyndigheten). You may access their details at https://www.imy.se.
27 November 2020, Örebro, Sweden (version 2.4)
06 July 2023, Örebro, Sweden