Privacy Policy

What is the source of your personal information?

We will generally collect your personal information from you directly. If you are introduced to us by another member of ACE group of companies, a broker or other intermediary, we will obtain some personal information about you indirectly from them when they introduce you to us.

In addition, we obtain your personal information from other sources such as Fraud Prevention Agencies, and other organisations to assist in prevention and detection of crime, police and law enforcement agencies. We may also obtain personal information from publicly accessible sources, such as court judgments and publicly available registers.

Some of the personal information obtained to verify your account will have originated from publicly accessible sources. We confirm that the third parties used to verify information include:

• Lexis Nexis
• Veriff

We recommend that you check the privacy policies on the websites of each of these organisations and contact those organisations if you have any questions (their details are in their policies). We periodically review these providers to ensure their controls remain appropriate.

DATA THAT YOU PROVIDE ABOUT THIRD PARTIES

At your request, where you provide us with information about third parties, e.g. recipients of transfers, we will also collect personal information in relation to those people (“Receiver Information”). By providing us with such information you confirm that you have obtained any necessary permissions from such persons to the reasonable use of the Receiver Information for such purposes in accordance with this notice, or are otherwise permitted to give to us the Receiver Information on their behalf. Please ensure that those other people are aware of this notice and that the provisions of this notice are clearly communicated to them.

WHAT DO WE DO WITH YOUR DATA AND WHO DO WE SHARE IT WITH?

We will only use your personal information when the law allows us to do so. Most commonly we use your personal information in the following purposes:

Transactional Purposes
We need to collect your personal information to process your transactions. To do so we require you and your beneficiaries bank account details or full name and address. Without the Receiver Information we would not be able to fulfil your transactions.

Regulatory Purposes
As a regulated institution, ACE must comply with the applicable money laundering, terrorist financing and data protection obligations, such as the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) and other regulations and guidelines enforced by the Central Bank of Ireland. As a result, ACE (and its partners) must conduct Know Your Customer (“ KYC ”) and Customer Due Diligence (“ CDD ”) checks to comply with legal and regulatory obligations. Any personal information obtained for the purposes of preventing money laundering or terrorist financing is only used for that purpose. There may be occasions where use of the data is permitted under another enactment. All of this helps us keep our service safe and secure.

Marketing Purposes
We may process your personal information to provide you with certain types of marketing communications that we believe will be relevant and of interest to you. This helps us to provide a more personalised service. We will always endeavour to make these communications relevant and un-intrusive, and you are able to opt out of our marketing communications at any time.

• For email, SMS, and push notifications, we will only send marketing communications where you have given us your consent, or, if you are an existing customer, under the limited “soft opt-in” exemption (for similar products and services). You can withdraw consent or opt out at any time by using the unsubscribe link in our messages, changing your app/device settings, or contacting us.
• For postal marketing, we may rely on our legitimate interests in promoting our services. You have the right to object at any time.

We will always endeavour to keep our marketing relevant and not excessive, and we will never sell your personal data to third parties for their own marketing.

Analytical Purposes
We may collect and analyse data such as website or Mobile App visit logs, on our own or by using the services of third parties, in order to improve the quality of our service.

• Where this involves the use of non-essential cookies, SDKs, or similar technologies, we will only process your data with your consent, which you can withdraw at any time through our cookie banner, preference centre, or device settings.
• For limited essential analytics (e.g., service performance, fraud detection, error logging), we rely on our legitimate interests in maintaining a secure and reliable service.
• Where we use trusted third-party providers (for example, analytics or monitoring service providers), they act under Data Processing Agreements and may transfer data outside the EEA only with appropriate safeguards (e.g., Standard Contractual Clauses).

DATA THAT WE PROVIDE TO THIRD PARTIES

All third parties that process or handle personal data on behalf of UniReviews are engaged only under a legally binding Data Processing Agreement (DPA) in line with Article 28 GDPR. These agreements require processors to:

• act solely on ACE’s documented instructions;
• implement appropriate technical and organisational measures to safeguard data;
• maintain confidentiality;
• ensure secure transfer, storage, and deletion of data; and
• flow down equivalent obligations to any authorised sub-processors.

In accordance with the EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), ACE performs due diligence at onboarding and periodic risk assessments thereafter of all third-party service providers handling personal or sensitive data. This includes reviewing their security controls, resilience, incident response readiness and regulatory compliance history.

Only vendors that continue to meet ACE’s legal, security and operational standards are authorized to process personal data on our behalf.

In addition, we may share your personal data with third parties when it is necessary for the fulfilment of the service or to comply with applicable laws. Depending on the purpose, this may include Basic Personal Data, Financial Information, anti-money laundering and due-diligence data, personal information obtained from third-party sources, and technical data. We set out below some purposes for which we may share your personal information with third parties:

• we may share your Basic Personal Data, Financial Information and data to comply with money laundering regulations with third parties, such as our partners and intermediaries including our recipient pay-out partners and our mapping provider, our professional advisors including legal advisors, auditors and actuaries, subcontractors, processors and outsourced service providers when they are necessary for the fulfilment of our service to you;
• we may share your Basic Personal Data, Financial Information, data to comply with money laundering regulations, Personal information obtained from third party sources and technical data with other organisations and businesses who provide services to us, such as back-up and hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back-office functions;
• we may share your Basic Personal Data, Financial Information and data to comply with money laundering regulations with other payment services providers such as when you ask us to share information about your account with them and with financial institutions and trade associations;
• we may share your Basic Personal Data, Financial Information, data to comply with money laundering regulations, Personal information obtained from third party sources and technical data when required by law, for example for the purposes of security, taxation and criminal investigations, including with governmental and regulatory bodies, tax authorities here and overseas, for instance if you are subject to tax in another jurisdiction;
• we may share your Basic Personal Data, Financial Information, data to comply with money laundering regulations, Personal information obtained from third party sources and technical data with a court of law and with other organisations where that is necessary for the administration of justice, to protect vital interests and/or to protect the security or integrity of our business operations;
• we may also share your Basic Personal Data, Financial Information and Technical Data with other companies within the ACE group of companies for the purposes of sending you marketing communications only where we have a lawful basis to do so (for example, where you have given your consent or, for existing customers, under the “soft opt-in” exemption permitted by law). Such communications will relate to our own products and services and will be designed to be relevant to you. We may also share this data with market research organisations acting under contractual obligations as our processors who help us to develop and improve our products and services;
• we may share Basic Personal Data, Financial Information, data to comply with money laundering regulations, Personal information obtained from third party sources and technical data with buyers of ACE or the ACE group of companies and their professional representatives as part of any restructuring or sale of our business or assets (this Personal information will only be shared on the completion of any such sale); and
• we may also share your Basic Personal Data credit reference agencies for the purposes of identity verification, assessing creditworthiness, and fraud prevention (see below where we explain more).

What are the legal grounds for our processing of your personal information (including when we share it with others)?

Data protection laws require us to explain what legal grounds justify our processing of your personal information (this includes sharing it with other organisations). For some processing more than one legal ground may be relevant (except where we rely on a consent). Here are the legal grounds that are relevant to us:

1. Processing necessary to perform our contract with you or for taking steps prior to entering into it:

We process the following personal data:

• Title, full name, signature, and contact details,
• Your home address;
• Your date of birth;
• Your place of birth, nationality;
• Demographic information such as age and gender;
• Location data;
• Financial information (such as the amount you transfer and payee details);
• Banks and payment service providers used to transfer money to us;

for the purposes of:

• Administering and managing your account and related services, including updating your records and tracing your whereabouts to contact you about your account;
• Sharing your personal information with other payment services providers such as when you ask us to share information about your account with them;
• All stages and activities relevant to processing your transaction(s) including enquiry, registration, administration, management and requests for transfers; and
• For certain types of profiling and automated decision-making where this is strictly necessary for entering into or performing a contract with you (for example, automated fraud prevention checks or transaction approvals that must be carried out in order to provide the service). Where such processing takes place, you have the right to obtain human intervention, to express your point of view, and to contest the decision
2. Where we consider that it is appropriate for us do so, we undertake processing that is necessary for the legitimate interests , which apply to us and in some cases other organisations with whom we share your data with, of operating our business to a high standard, providing a high quality of service to you and managing business risks. We process the following personal data:
• Data obtained from third party sources, such as:
  • Facebook, Twitter and Google profile contact information, images and names;
  • Banks and payment service providers used to transfer money to us;
  • Advertising networks; and
  • Search engine providers (such as Yahoo or Google);
• Technical data, such as:
  • Information about your visit to our website, including page views, the length of visits to certain pages;
  • App downloads;
  • Operating system;
  • IP and GPS address; and
  • Browser type;
• When you download our Mobile App:
  • Location data;
  • Mobile analytics data, such as information on often you use the mobile app, the events that occur within it, aggregated usage, performance data, and where the Mobile App was downloaded from;
  • Information about your device, such as the type of device you use, operating system version, and system and performance indication;

for the purposes of:

1. Administering and managing your account and services relating to that, updating your records, tracing your whereabouts to contact you about your account and recent transactions, to assess your credit worthiness and advise you in relation to products and services;
2. To test the performance of our products, services and internal processes;
3. To adhere to guidance and best practice under the regimes of governmental and regulatory bodies;
4. For management and audit of our business operations including accounting and insurance;
5. To carry out searches to verify your account at the time of the first transaction, and following notification of any changes to your address;
6. To carry out monitoring and to keep records (see below);
7. To administer our good governance requirements and those of other members of our group;
8. For direct marketing communications carried out on the basis of our legitimate interests only where permitted by law (for example, postal marketing or electronic marketing to existing customers about our own similar products and services under the “soft opt-in” exemption), and we will always provide a clear and easy opt-out in every message;
9. For limited profiling and automated decision-making that supports our services and does not produce legal or similarly significant effects on you (for example, estimating transaction timing or analysing aggregated usage patterns). Where profiling or automated decision-making could have legal or similarly significant effects, we will not rely on legitimate interests and will only carry out such processing where it is necessary for a contract, required by law, or based on your explicit consent, and you will have the right to obtain human intervention, to express your point of view, and to contest the decision; and
10. When we share your personal information with these other people or organisations;
    • Our legal and other professional advisers, auditors and actuaries;
    • Financial institutions and trade associations;
    • Other organisations and businesses who provide services to us such as back up and server hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back-office functions;
    • Buyers and their professional representatives as part of any restructuring or sale of our business or assets;
    • Credit Reference Agencies (see below where we explain more); and
    • Market research organisations who help us to develop and improve our products and services.
    • Other companies within ACE group of companies for direct marketing communications only where permitted by law on the basis of our legitimate interests (for example, postal marketing or electronic marketing to existing customers about our own similar products and services under the “soft opt-in” exemption). In all cases, you can opt out at any time
3. Processing necessary to comply with our legal obligations:

   We process the following personal data:

   • Proof of your identity;
   • Proof of address, such as a utility bill or bank statement;
   • Details on the source of funds being sent (where required);

   for the purposes of:

   1. For compliance with laws that apply to us, such as under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) and other regulations and guidelines enforced by the Central Bank of Ireland;
   2. For establishment, defence and enforcement of our legal rights or those of any other member of our group;
   3. For activities relating to the prevention, detection and investigation of crime;
   4. To carry out identity checks, anti-money laundering checks, and checks with Fraud Prevention Agencies pre-application, at the application stage, and periodically after that.
   5. To carry out monitoring and to keep records (see below);
   6. To deal with requests from you to exercise your rights under data protection laws under the GDPR;
   7. To process information about a crime or offence and proceedings related to that (in practice this will be relevant if we know or suspect fraud) we only process information about offences where authorised under Article 10 GDPR and applicable national law (for example, anti-money laundering obligations); and
   8. When we share your personal information with these other people or organisations:
      • Other payment services providers such as when you ask us to share information about your account with them;
      • Law enforcement agencies, governmental and regulatory bodies,
4. Processing with your consent :
   1. When you request that we share your personal information with someone else and consent to that;
   2. For direct marketing communications; and
   3. For some of our profiling and other automated decision making processing.

CONSENT

We may also, from time to time, ask you for your consent for other processing purposes, which we will explain to you at the time. Much of what we do with your personal data is not based on your consent and is instead based on the above legal grounds. Consent will always be freely given, specific, informed and unambiguous.

HOW AND WHEN CAN YOU WITHDRAW YOUR CONSENT?

For processing that is based on your consent, you have the right to take back that consent for future processing at any time. You can do this by contacting us using the details below. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal. The consequence might be that we cannot send you some marketing communications (but this outcome will be relevant only in cases where we rely on explicit consent).

IS YOUR PERSONAL INFORMATION TRANSFERRED OUTSIDE THE EEA?

We are based in Ireland but sometimes your personal information may be transferred outside Ireland and the European Economic Area. If it is processed within the EU or other parts of the European Economic Area (EEA) then it is protected by EU data protection standards. Some countries outside the EEA have been deemed by the European Commission to provide an adequate level of protection for personal information (“adequacy decisions”). Where there is no adequacy decision, we will ensure that appropriate safeguards are in place — for example, by using the European Commission’s Standard Contractual Clauses (SCCs) together with supplementary measures where necessary — before transferring your personal information.

From time to time, your personal information may be transferred to, stored in or accessed from a destination outside the EEA. It may also be processed by staff operating outside of the EEA who work for us, or one of our partners.

Our service facilitates the transfer of currency to jurisdictions across the globe. The recipient pay-out partner will request information to verify the identity of the sender. Your personal information will therefore be transferred to the jurisdiction to which you choose to transfer the money and to which you have explicitly consented for your personal data to be transferred.

Therefore, when you ask us to, we may transfer your personal data to a destination outside of the EEA, where appropriate safeguards may not be in place. In those circumstances we will only transfer your personal data with your explicit consent, as your personal data may be at a heightened risk if transferred to a destination which does not have appropriate safeguards in place to protect it.

Whenever we transfer your personal data out of the EEA for other purposes aside from facilitating a money transfer you have requested (in other words in circumstances when you have not provided explicit consent), we ensure a similar degree of protection to EU data protection standards is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission via an ‘adequacy decision’. In the event that your personal data is transferred to the United Kingdom (“UK”), any such transfers are based on the European Commission’s ‘adequacy decision’ with regard to the UK dated 28 June 2021 (which provides that the UK offers an adequate level of data protection).
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. These transfers will be based on the European Commission’s Standard Contractual Clauses (SCCs) and, where required, additional supplementary measures to ensure an essentially equivalent level of protection

All information you provide to us is stored on our secure servers. Our servers are hosted in the Ireland and the information is encrypted.

For more information about suitable safeguards and (as relevant) how to obtain a copy of them or to find out where they have been made available you can contact us using the contact details provided at the end of this Privacy Notice.

Unfortunately, transmission of information via the internet cannot be considered completely secure. We do our utmost to protect your personal information, however we cannot guarantee the security of those transfers. Any transmission of your personal information is at your own risk. Please note that while ACE implements industry-standard encryption and security protocols, transmission of information over the internet always carries inherent risks, and absolute security cannot be guaranteed. Customers are advised to take appropriate measures, such as safeguarding login credentials, when interacting with our services.

Once we have received your personal information, we will use strict procedures and security controls to try to prevent unauthorised access.

WHAT SHOULD YOU DO IF YOUR PERSONAL INFORMATION CHANGES?

You should tell us without delay so that we can update our records. Keeping your information accurate and up to date helps us meet our legal obligations and ensures we can continue to provide our services effectively. You can notify us of any changes by contacting us through the details provided in this Privacy Notice or via your account settings (where available). From time to time, we may also take steps to verify that the information we hold remains accurate.

Do you have to provide your personal information to us?

We are unable to provide you with products and services or to process your application without having personal information about you. This processing is necessary either for the performance of our contract with you (Article 6(1)(b) GDPR) or for compliance with our legal obligations (Article 6(1)(c) GDPR). Your personal information is required before you can open an account with us, or it is required during the life of that contract, or it is required so we can comply with legal obligations that apply to us. If we do not receive this information, this may impact our ability to continue dealing with you in compliance with our obligations and internal policies. We will never require you to provide personal information that is not relevant for these purposes.

In cases where providing some personal information is optional, we will make this clear. For instance, we will say in application forms, in branch or on our website if alternative (such as work) telephone number or contact details can be left blank.

DO WE DO ANY MONITORING INVOLVING PROCESSING OF YOUR PERSONAL INFORMATION?

In this section monitoring means any listening to, recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, email, text messages, social media messages, in person face to face meetings and other communications.

We may monitor where permitted by law and we will do this where the law requires it. In particular, where we are required by the regulatory regime to record certain company telephone lines or in person meetings (as relevant) we will do so.

Some of our monitoring may be to comply with regulatory rules, self-regulatory practices or procedures relevant to our business, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures, to have a record of what we have discussed with you and actions agreed with you, to protect you and to provide security for you (such as in relation to fraud risks on your account) and for quality control and staff training purposes.

Some of our monitoring may check for obscene or profane content in communications.

We may conduct short term carefully controlled monitoring of your activities on your account(s) where this is necessary for our legitimate interests or to comply with our legal obligations. For instance, where we suspect fraud, money laundering or other crimes.

Email exchanges, web chat, telephone calls and in person meetings between us and you in connection with your application and/or your account(s) may be recorded to make sure that we have a record of what has been discussed and what your instructions are. We may also record these types of calls for the quality control and staff training purposes.

Recordings and monitoring data will be retained only for as long as necessary to fulfil the purposes outlined above and in accordance with our Records Retention Policy. Where monitoring captures special category data or data relating to criminal offences, this will only be processed where lawful under Articles 9 and 10 GDPR and applicable national law.

PROFILING AND OTHER AUTOMATED DECISION MAKING

This section is relevant where we make decisions about you using only technology, and where none of our employees or any other individuals have been involved in the process. For instance, in relation to transactions, triggers and events such account opening anniversaries and maturity dates. We may also use profiling to help determine what marketing communications are most relevant to you, to analyse statistics, or to assess lending and insurance risks.

We will only carry out profiling or automated decision-making where permitted by law:

• Where the activity is low-impact and does not produce legal or similarly significant effects on you, we may rely on our legitimate interests (see Section 8 above).
• Where the decision could have legal or similarly significant effects, we will only carry out such processing if it is necessary for entering into or performing a contract with you, is authorised by law, or is based on your explicit consent.

In those cases, we will inform you when such automated decision-making takes place, and you have the right to obtain human intervention, to express your point of view, and to contest the decision.

You also have a separate right to object to profiling carried out for direct marketing purposes at any time (see ‘rights to object’ below).

FOR HOW LONG IS YOUR PERSONAL INFORMATION RETAINED BY US?

Unless we explain otherwise to you, we will hold your personal information for the duration of any contract you have with us, for as long as you keep using our Mobile App and website, for the duration of any complaint handling procedure relating to you or for such a period of time as is necessary to comply with our obligations under applicable law and, if relevant, to deal with any subsequent claim or dispute that might arise in connection with your relationship with us. Your personal data will be retained in accordance with our records retention policy, which reflects statutory retention periods (for example, anti-money laundering records must generally be kept for at least five years) and our legitimate business needs, and ensures that data is not kept longer than necessary.

If you would like further information about our data retention practices, please contact us.

We may retain your contact information collected for the purposes of sending you marketing communications in accordance with this policy for as long as you do not unsubscribe from receiving the data from us.

WHAT ARE YOUR RIGHTS UNDER DATA PROTECTION LAWS?

Here is a list of the rights that all individuals have under data protection laws. They do not apply in all circumstances. If you wish to exercise any of them, we will explain at that time if they are engaged or not. We will respond without undue delay and in any event within one month of receiving your request. Where necessary, this period may be extended by up to two further months for complex or multiple requests; if so, we will inform you within the first month. We may request proof of identity before responding, and we may refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive. In responding, we may restrict disclosure where required by law (for example, anti-money laundering obligations) or to protect the rights and freedoms of others.

• The right to be informed about your processing of your personal information;
• The right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed ;
• The right to object to processing of your personal information;
• The right to restrict processing of your personal information;
• The right to have your personal information erased (the “right to be forgotten”);
• The right to request access to your personal information and to obtain information about how we process it;
• The right to move, copy or transfer your personal information (“data portability”);
• Rights in relation to automated decision making which has a legal effect or otherwise significantly affects you.
• If you have given your consent to the processing of your personal data, you have the right to withdraw this consent at any time . If you do withdraw consent at any time, this will not affect the lawfulness of the processing based on consent up until that time.

You have the right to complain to the Irish Data Protection Commission which enforces data protection laws: https://www.dataprotection.ie/. ou may also lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or where you believe an infringement of data protection law has occurred.

In addition, you have the right, at any time, to object to processing of personal data for direct marketing purposes. If you wish to exercise any of these rights against the Credit Reference Agencies or any other intermediary who is data controller in its own right, you should contact them separately.

DATA ANONYMISATION AND USE OF AGGREGATED INFORMATION

Your personal information may be converted into statistical or aggregated data that cannot reasonably be used to re-identify you. Once anonymised, such data is no longer considered personal data under data protection laws. It may then be used to produce statistical research and reports. This aggregated data may be shared and used in all the ways described in this Privacy Notice.

We will only share anonymised and encrypted data with third parties. We may also provide our partners with anonymous aggregated data about our customers for marketing and analytical purposes, to help optimise our marketing communications.

YOUR MARKETING PREFERENCES AND WHAT THIS MEANS

We may use your home address, phone numbers, email address and social media (e.g. Facebook, Google and message facilities in other platforms to contact you to send you communications about offers or promotions that we believe are relevant for you based on your previous use. We will also remind you from time to time of your marketing options if you have shown an interest in receiving such . We will only do this if we have a legal ground which allows it under data protection laws – see above for our legal ground for marketing. You can opt out of our marketing at any time by contacting us (details of which can be found at the end of this notice) or by following the instructions on how to do that in the marketing email or other communication.

We will only send you marketing where we have a lawful basis under data protection and ePrivacy laws, this may be based on your consent (for example, where required for electronic communications to new customers) or on our legitimate interests, such as the “soft opt-in” exemption for existing customers in relation to our own similar products and services.

We will only do this if we have a legal ground which allows it under data protection laws – see above for our legal ground for marketing.

You can opt out of our marketing at any time by contacting us or by following the instructions on how to do that in the marketing email or other communication.

DATA COLLECTION POLICIES FROM OTHER ORGANISATIONS

We have mentioned that we share your personal information with beneficiary banks, partners who help us to complete your transactions and Credit Reference Agencies.

These organisations act as data controllers in their own right and require us to pass on information about you so that they can perform their services or functions. Their privacy notices are separate from ours, and you should review them directly for more information on how they process your data.

In addition, when you log into your account via Facebook, Google, YouTube, Instagram, Twitter or LinkedIn your data will be processed in accordance with the privacy policies of those platforms. Your personal information will therefore also be subject to those third-party data collection policies, over which we have no control or responsibility.

In circumstances where you use your Facebook or Google login credentials to create and/or log in to your account your personal information may be processed by Facebook or Google marketing tools. These tools may identify individuals and target content or advertisements based on interests or behaviours that are similar to those of our customers, in line with the respective platform’s policies.

CHANGES IN PRIVACY NOTICE

ACE may change this Privacy Notice from time to time. All changes to this Privacy Notice are effective when they are posted on this page. When we change the policy in a material manner, we will let you know via email and/or a prominent notice on our Site. The date of the most recent update is displayed at the top of the page.

Any dispute or claim arising in connection with this Privacy Notice will be considered in relation to the English version only.

CONTACT DETAILS

You can contact ACE:

By post:13 Adelaide Road, Saint Peter's, Dublin, D02 P950, Ireland

You can also contact our Data Protection Officer if you have any questions about this policy, would like further information about the points raised or to exercise any of your rights. Contact details for our Data Protection Officer are:

Cyber Data Law Solicitors