Privātuma politika | Opal Transfer

Privacy Policy

In this privacy policy we:

Opal Transfer LTD, an authorised as a payment institution by the UK Financial Conduct Authority, No. 533677 with a registered office: 72 King William Street, London, EC4N 7HR. Information Commissioner's Office (ICO), Register of data controllers reference: Z1993210 www.ico.org.uk;

and

Opal Transfer EU UAB, legal entity’s code 305026817, with our registered office at Konstitucijos ave. 21A, Vilnius, the Republic of Lithuania (together – “Opal Transfer”, unless referred to individually),

explain how we treat personal information received about you when you use our services via the Opal Transfer Online Platform, our Mobile App, via phone conversation to our Call Centre.

We are established and based in respectively United Kingdom and Lithuania. As such, we take appropriate measures to comply with the UK Data Protection Act 2018, European Union (“EU”), including Regulation (EU) 2016/679 (the “ (“GDPR”), Lithuanian and United Kingdom data protection laws. If you are resident outside the EU or the UK, then we cannot confirm that our collection and treatment of personal data is compliant with your local data protection/privacy laws.

In this Privacy Policy, we present the most important structured information about the protection of your personal data: i.e., what personal data we collect, how and why we use it, on what legal basis we process it, how long we store it, to whom we transfer it, as well as our duties in processing your personal data, your rights, and the methods of their implementation. Please take the time to review this Privacy Policy, and please do not hesitate to contact us if you have any questions.

If you use the Mobile App and/or the Opal Transfer Online Platform, we will assume that you are familiar with this Privacy Policy and the purposes, methods, and procedures for processing of your personal data specified in it. If you do not want your personal data to be processed as described in this Privacy Policy, please do not use the Mobile App and/or the Opal Transfer Online Platform, and do not provide us with your personal data in any other way.

The Privacy Policy is a constantly changing document, so we can improve, change, and update it if necessary. For this reason, please visit the Website or Web App from time to time, where you will always find the latest version of the Privacy Policy. We will also additionally inform you about the most significant changes to the Privacy Policy, and we will always publish the updated version on our Mobile App and the Opal Transfer Online Platform.

For definitions used in this Privacy Policy, see our Terms and Conditions, available here.

1. How we use your personal data?

In this section you will find the information regarding:

the purposes for which we process your data;
how we use your personal data;
the categories of data we process;
the legal basis for processing; and
the data retention period.

We process your data specified in this Privacy Policy on these legal grounds:

for conclusion, performance, amendment and administration of an agreement (Article 6(1)(b) of the GDPR);
for fulfilment of legal obligations and requirements of legal acts applicable to us (Article 6(1)(c) of the GDPR);
for pursuing our legitimate interests and those of third parties (Article 6(1)(f) of the GDPR);
for acting in accordance with your consent (Article 6(1)(a) of the GDPR, Article 9(2)(a) of the GDPR).

In the scope and under the conditions set by applicable legal acts, one or several of the abovementioned legal grounds may apply to processing of the same of your personal data.

We collect and process only your personal data that are sufficient and necessary to achieve the purposes for which they are processed.

We may combine personal data we have received from you (when you are using the Mobile App and/or Opal Transfer Online Platform) with the personal data we have collected from other public or accessible sources (e.g., with data obtained using website cookies, or with data legally obtained from third parties, etc.).

More detailed information is provided below:

PURPOSE	HOW AND WHY WE USE IT	PERSONAL DATA	LEGAL BASIS	RETENTION PERIOD
For business correspondence purposes Administration of inquiries, requests, complaints, and other communications with you	To address you properly, and to communicate with you, including answers to your inquiries, requests, such as informing you about the services provided, their prices, specifics, changes in the contracts concluded with you, to contact you if we have identified any problems in connection with services provided etc., for the purpose of sending system and other notifications related to the services provided, so that we can properly examine your application and answer your question, request or complaint. If you contact us by phone and/or in writing (e-mail, via Mobile App / Opal Transfer Online Platform, social networks, or otherwise), we will save the fact of your application and the information provided, including personal data.	First name, last name, e-mail, phone number, address, device details (for example, your phone, computer or tablet), other information required to complete the customer verification; date of communication, content of correspondence in the business relationship with the client; information about communication in Opal Transfer social media account ("like", "follow", "comment", "share”, etc.), photos (profile and / or marked Opal Transfer), sent messages, information about the message (message receipt time, message content, message attachments, correspondence history, etc.), information about participation in Opal Transfers events and (or) games (participation, non-participation, interest, compliance with the rules of the game, etc.). In providing customer support, additional and sensitive information detailing circumstances of the complaint or other request may be used or disclosed. We have the right to make sure that you have been informed of the latest changes to the services terms and conditions and/or this Privacy Policy and to collect evidence that this type of notification has been provided and read (opened) by you. When we send you notifications of this type, we collect the above-indicated information about the notifications sent to you.	Consent Legal interest Performance of a contract	Pursuant to Article 19(11) of the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania (“Law”), and Section 40 Record Keeping, of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, correspondence relating to transactions with a client must be kept for 5 years from the date of the transactions or termination of transactions with a client.
Recording telephone conversations to ensure quality customer service	Recording of conversations is carried out and the recording data is processed in order to ensure the quality of telephone consultation.	Telephone number, the time and duration of the call and the audio recording of the call and the data it contains. First name, last name, mobile phone number, e-mail mailing address, residential address, other information required to complete the customer verification.	Legal Interest of quality assurance Consent when you initiate contact with us	3 (three) years after the recording.
Identification of the customer Creating an account in the Mobile App / Opal Transfer Online Platform	The personal data are processed in order to verify the authenticity of the client's identity and to check whether there are circumstances for the application of enhanced client authentication, to submit any necessary documents for above purposes ,as well as to create an account to use our services in the Mobile App and the Opal Transfer Online Platform.	First name, last name, e-mail address, mobile number, date of birth, tax reference code (personal code), native country, country of residence, address, customer number, IP address, device details (for example, your phone, computer or tablet), company name, registration number, records of our discussions, if you contact us or we contact you (including records of phone calls); Identity document data, your image in photo or video form (where required as part of our Know Your Customer (“KYC”)) checks or where you upload a photo to your Opal Transfer profile, proof of address and source of funds data like work agreements, payslips, tax returns, sales receipts, bank account details, card details, invoices, contracts, national tax ID, bills, payment type information-bank account details or card details. Account data (email and phone number) confirmation records, Account creation date, Terms of Use and Privacy Policy acceptance records, direct marketing consent records, IP address, and technical records.	Legal obligation Performance / conclusion of a contract	Pursuant to Article 19(10) of the Law, personal data must be kept for 8 years from the end of the transaction or business relationship with the client. Opal Transfer LTD client’s data is kept for 6 years from the end of the transaction or business relationship with the client pursuant to the UK Data Protection Act 2018.
Prevention of money laundering and financing, prevention of fraud	To meet regulatory KYC and anti-money laundering obligations.	First name, last name, personal code, date of birth (if a person is not a citizen of Republic of Lithuania), the number and period of validity of the residence permit in the Republic of Lithuania and the place and date of its issuance (if a person is not a citizen of Republic of Lithuania), address, citizenship, the country of issuance of the identification document (in cases of a stateless person), workplace (in cases of client’s director), image, personal identification document details, Company’s name and registration number; equity of the legal entity’s shares/voting rights/control (in cases of shareholder and beneficiary), signature, other data required by the Law; e-mail address, mobile number, customer number, IP address, device details (for example, your phone, computer or tablet), records of our discussions, if you contact us or we contact you (including records of phone calls); address history, proof of address and source of funds documents like work agreements, payslips, tax returns, sales receipts, bank account details, card details, invoices, contracts, national tax ID, bills, payment type information-bank account details or card details.	Legal obligation	Pursuant to Article 19(10) of the Law, personal data must be kept for 8 ( years from the end of the transaction or business relationship with the client. Opal Transfer LTD client’s data is kept for 6 years from the end of the transaction or business relationship with the client pursuant to the UK Data Protection Act 2018.
Money transfer services Use of Mobile App / Opal Transfer Online Platform	The personal data is processed in order to provide money transfer services to the client and to determine that the transactions are not for money laundering or terrorist financing, as well as to identify a possible threat or abuse of our Services, to protect the Mobile App / Opal Transfer Online Platform, information systems, and data from unauthorized changes, cyber-attacks, unauthorized access, and other related risks	First name, last name, e-mail address, mobile number, date of birth, native country, country of residence, address, customer number, IP address, device details (for example, your phone, computer, or tablet), documents and data evidencing a monetary transaction or transaction, or other documents and data having legal effect, relating to the execution of monetary transactions or the conclusion of transactions. Personal data about connecting to the Mobile App / Opal Transfer Online Platform, data about the device's operating system, Account usage history, settings, parameters, and changes, various usage records, and technical records; Direct marketing consents and/or withdrawals, Mobile App / Opal Transfer Online Platform reading records of important messages; Account information, records of acceptance of new terms of use and/or confirmation of familiarization with the Privacy Policy;	Performance of a contract Legal obligation	Pursuant to Article 19(12) of the Law, personal data must be kept for 8 years from the date of the monetary transaction or conclusion of the transaction. Opal Transfer LTD client’s data is kept for 6 years from the end of the transaction or business relationship with the client pursuant to the UK Data Protection Act 2018. Various system and technical records – 3 months from the date of their creation;
Direct marketing	This information is used, with your consent, to send you newsletters by e-mail or leave a notification in your Opal Transfer account.	First name, last name, e-mail, date of birth, mobile phone number, address, device details.	Consent	2 (two) years after the date of a consent receipt.
Profiling and automated decision-making	Profiling is used, with your consent, to make analysis for the entry into or performance of a contract, regular and systematic monitoring of data subjects: profiling and scoring for risk assessment purposes (e.g., to assess creditworthiness, to prevent fraud, to detect money laundering, for ongoing relationship and transaction monitoring. Profiling and automated decision-making is also used to improve the client´s user experience of the services, such as customizing the display of the services to the device used and creating suitable offers for clients.	Financial situation, preferences, interests, credibility, behaviour, address.	Consent	2 (two) years after the date of a consent receipt.
Debt management	Personal data is processed for this purpose in order to manage and recover debts, to lodge claims, demands, lawsuits and other documents, and to provide documents for the recovery of debts	All data relevant about you, available from the account and the use of the services; Information about debt(s), amount of debt, reminders, and calls to pay by e-mail. mail, repayment history, payment plan, and date of debt closing/discharge; If the service of a debt collection company is used: your name, surname, personal identification number or other personal code, residential address, e-mail address, telephone number, date of transfer of the debt to the collection company, debt, active actions of the debt collection company, repayment history and debt closing/ write-off date. Insurance cases and other related information; Information about the amount of damage, the fact of payment, payment plans, the debt incurred, etc.	Legal Interest to ensure the collection of fees for services provided and debt administration	The data is stored for 5 (five) years from the date the debt was incurred. The retention period shall be based on the limitation periods for legal actions laid down in the applicable legal acts of Republic of Lithuania and United Kingdom.
Execution of tax, accounting, and other obligations provided by law	To ensure the proper implementation of tax, accounting, and other legal obligations (i.e., correct writing and declaration of accounting documents to state institutions, implementation of money laundering prevention requirements, etc.), we create various accounting documents with your personal data and administer them.	Name, surname, residential address, personal identification number, VAT payer code (when the person is registered as a VAT payer); data about the Services (description of the Services; price/amount paid), issued accounting documents and their requisites, and other accounting and tax data that we must collect, process and store following laws and other legal acts.	Legal obligation	In most cases, the storage and deletion period is calculated from the date of creation of the accounting document - 10 years after the creation of the document (e.g., VAT invoice). Pursuant to Article 19(12) of the Law, personal data must be kept for 8 years from the date of the monetary transaction or conclusion of the transaction. Opal Transfer LTD client’s data is kept for 6 years from the end of the transaction or business relationship with the client pursuant to the UK Data Protection Act 2018.
Website administration, service, improvement	When you visit and browse our website, to collect statistical data and improve the quality of our services and the experience of visitors, we process the data of the cookies used on the website and analyse them You can find more information about the cookies used on the Website in Section 2 below.	IP address, MAC address, date of visit, duration, pages visited, devices and programs used for Internet browsing, etc.	Consent	See in Section 2.

2. About website cookies

Cookies are small textual files containing identifier that is sent by a web server to your web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

Cookies that we use in our website:

necessary cookies – help to make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies;
statistic cookies – these cookies allow us to monitor and analyse visits from a variety of traffic sources, this helps us to improve the overall site’s performance. This type of cookie also provides data on the most and least visited pages as well as the visitor’s navigation path around the site. The entirety of data collected by statistic cookies is aggregated and therefore completely anonymous. If these cookies are disabled, we can no longer follow your visits.
marketing cookies – these cookies are used to track visitors’ choices on websites. They are used to tailor the Website and the information displayed on it to the specific user. Marketing cookies are also used to link you to social networks, which may then use your visit information for targeted advertising on other websites.

More detailed information about the cookies we use is provided below:

NECESSARY COOKIES
COOKIE NAME	PROVIDER	PURPOSE	TYPE	EXPIRY
PHPSESSID	opaltransfer.com	Preserves user session state across page requests	HTTP	Session
rc::a	gstatic.com	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.	HTML	Persistent
rc::c	gstatic.com	This cookie is used to distinguish between humans and bots.	HTML	Session
_cf_bm	vimeo.com	Supports Cloudflare Bot Management by managing incoming traffic that matches criteria associated with bots.	HTTP	1 day
CONSENT	youtube.com	Used to detect if the visitors has accepted the marketing category in the cookie banner. This cookie is necessary for GDPR compliance of the website.	HTTP	2 years
JSESSIONID	nr-data.net	Describes the session ID which is a randomly-chosen key that is cached on your device.	HTTP	2 years
STATISTIC COOKIES
COOKIE NAME	PROVIDER	PURPOSE	TYPE	EXPIRY
_dc_gtm_UA-#	opaltransfer.com	Used by Google Tag Manager to control the loading of a Google Analytics script tag .	HTTP	1 day
_ga	opaltransfer.com	Registers a unique ID that is used to generate statistical data on how the visitor uses the website.	HTTP	2 years
_ga_#	opaltransfer.com	Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit.	HTTP	2 years
_gid	opaltransfer.com	Registers a unique ID that is used to generate statistical data on how the visitor uses the website.	HTTP	1 day
_tt_enable_cookie	opaltransfer.com	Used by the social networking service, Tik Tok, for tracking the use of embedded services.	HTTP	1 year
vuid	vimeo.com	Collects data on the user's visits to the website, such as which pages have been read.	HTTP	2 years
MARKETING COOKIES
COOKIE NAME	PROVIDER	PURPOSE	TYPE	EXPIRY
_fbp	opaltransfer.com	Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.	HTTP	3 months
_ttp	opaltransfer.com	Used by social networking service, Tik Tok, for tracking the use of embedded services.	HTTP	1 year
_ttp	tiktok.com	Used by social networking service, Tik Tok, for tracking the use of embedded services.	HTTP	1 year
LAST_RESULT_ENTRY_KEY	youtube.com	Used to track user’s interaction with embedded content.	HTTP	Session
LogsDatabaseV2:V#\|\|LogsRequestsStore	youtube.com	Preserves users states across page requests.	IndexedDB	Persistent
nextld	youtube.com	Used to track user’s interaction with embedded content.	HTTP	Session
remote_sid	youtube.com	Necessary for the implementation and functionality of YouTube video-content on the website.	HTTP	Session
requests	youtube.com	Used to track user’s interaction with embedded content.	HTTP	Session
TESTCOOKIESENABLED	youtube.com	Used to track user’s interaction with embedded content.	HTTP	1 day
tt_appinfo	analytics.tiktok.com	Used by the social networking service, Tik Tok, for tracking the use of embedded services.	HTML	Session
tt_pixel_session_index	analytics.tiktok.com	Used by the social networking service, Tik Tok, for tracking the use of embedded services.	HTML	Session
tt_sessionld	analytics.tiktok.com	Used by the social networking service, Tik Tok, for tracking the use of embedded services.	HTML	Session
VISITOR_INFO1_LIVE	youtube.com	Used to track, personalize, and save information about each user's session	HTTP	180 days
YSC	youtube.com	Used by YouTube to remember user input and associate a user’s actions.	HTTP	Session
yt.innertube::nextld	youtube.com	Registers a unique ID to keep statistic of what videos from YouTube the user has seen.	HTML	Persistent
YtdbMeta#databases	youtube.com	Used to track user’s interaction with embedded content.	IndexedDB	Persistent
yt-remote-cast-available	youtube.com	Stores the user’s video player preferences using embedded YouTube video.	HTML	Session
yt-remote-cast-installed	youtube.com	Stores the user’s video player preferences using embedded YouTube video.	HTML	Session
yt-remote-connected-devices	youtube.com	Stores the user’s video player preferences using embedded YouTube video.	HTML	Persistent
yt-remote-device-id	youtube.com	Stores the user’s video player preferences using embedded YouTube video.	HTML	Persistent
yt-remote-fast-check-period	youtube.com	Stores the user’s video player preferences using embedded YouTube video.	HTML	Session
yt-remote-session-app	youtube.com	Stores the user’s video player preferences using embedded YouTube video.	HTML	Session
yt-remote-session-name	youtube.com	Stores the user’s video player preferences using embedded YouTube video.	HTML	Session
UNCLASSIFIED
COOKIE NAME	PROVIDER	PURPOSE	TYPE	EXPIRY
gs_fpvss	fast.b-cdn.net	Unclassified.	HTML	Persistent
gs_session	fast.b-cdn.net	Helps to display social share buttons	HTML	Persistent
www_webascms	opaltransfer.com	This cookie is used to help manage website CMS	HTTP	Session

Please note that our social networking accounts are governed by the cookies policy of the respective social media network.

You can manage your preferences relating to the use of cookies on our Website by visiting here.

3. Can you not provide your personal data and/or not consent to the processing of your personal data?

Your personal data is collected and processed to conclude or fulfil the Services Agreement with you and/or enable us to provide the services and respond to your requests and complaints promptly and adequately or to fulfil our obligations stipulated by law applicable to us. Suppose you do not provide your data, provide it with errors, or refuse to provide it further. In that case, we will not be able to conclude and/or execute the Services Agreement, provide the services and adequately respond to your requests, complaints, and/or other requirements that require our action. Accordingly, failure to provide personal data or refusal to continue to provide certain personal data will mean that the Services Agreement with you will not be concluded or will be terminated.

If we process your personal data based on legitimate interest, we have weighed the opposing interests and have decided that considering the purpose for processing personal data and the measures that we have taken, our (or the relevant third party’s) interest in processing your personal data is not overridden by your interests or fundamental rights and freedoms which require protection of personal data. In this case, you have the right to receive more information regarding this processing and/or the right to object to the processing of your personal data based on legitimate interest.

In cases where we process personal data based on your consent, you have the right to withdraw your consent at any time, and data processing based on your consent will be terminated.

Chapter 11 of the Privacy Policy outlines more information about your rights.

4. Who receives your information?

Yes, we disclose all or part of your personal data to the following data recipients: various service providers, companies belonging to the same group as us, competent authorities, and other data controllers who have the right to information under applicable laws and/or our legitimate interests. Also, upon receipt of your consent, your personal data may be disclosed to persons and/or companies indicated by you.

Disclosure required by law. Under certain circumstances, we may be required to disclose your personal data if required to do so by law or in response to valid requests by public authorities.

Business Transaction. If we or our subsidiaries are involved in a merger, acquisition or asset sale, your personal data may be transferred or deemed transferred to our new owner(s).

Legitimate Interests: if we have a legitimate business interest to do so.

Third Parties. We may share your personal data with any of the following groups of third parties, and for the following reasons and will always only do so in accordance with applicable data protection rules:

Legal entities and their branches belonging to our company group and Close Link entities. We may share some or all of your personal information within the Opal Transfer group of companies. Generally, sharing such information would be necessary for us to perform on our contract with you – for example, to provide technical support after normal business hours. We also share your personal data within the Opal Transfer group of companies to provide you with the best service and send you information about our products and services.
Authorities and officials, such as regulators, supervisory authorities, tax authorities, law enforcement agencies, bailiffs, notaries, courts, out-of-court dispute resolution bodies.
Payment providers and processors. In case Opal Transfer has a legal obligation to provide such entities access to the Personal Data. Opal Transfer shares only the information necessary to execute the transaction with the financial intermediaries handling the transaction. Some of these services may also enable the sending of timed messages, such as emails containing invoices or notifications concerning the payment (card payments, 3DS verification etc.).
Credit and financial institutions, correspondent banks, custodian banks, intermediaries of Services, third parties participating in the services execution, safeguarding, settlement, and reporting cycle.
Financial and legal consultants, auditors, or any other service providers of Opal Transfer and authorized persons.
Providers of databases and registers, e.g., Adverse Media, Sanctions and Politically Exposed Person Screening service provider registers, credit reference agency registers, controllers who process consolidated Financial Sanction files, controllers who process consolidated debtor files, or other register holding or intermediating Personal Data, Debt collection service providers, assignees, insolvency administrators.
Counterparties, providing Card/Account and all the necessary activities relating to the operation of the Card/Account: allowing User to receive, activate and use the Card/Account (activating, managing and using your online account where applicable, making and receiving payment transactions, meeting legal requirements, answering requests, providing information to User).
Payment participants and (or) parties related to domestic, European, UK and international payments. Other persons who guarantee due discharge of the client’s obligations to Opal Transfer, such as sureties, guarantors, owners of collaterals.
The Bank of Lithuania, Financial Conduct Authority (FCA) when providing data in compliance with the requirements of legal acts to provide data on concluded financial services agreements, their execution and (or) changes in execution.
Fraud prevention agencies and authorities.
Other persons related to provision of services of Opal Transfer such as providers of telecommunications, IT, hosting, cloud computing services, archiving, postal services, providers of services rendered to the client.

Except as provided in this Privacy Policy, we do not provide your personal data to any other third parties.

The list of recipients or categories of recipients set out in this Privacy Policy is not extensive and subject to change, so if you wish to be informed of changes in the recipients of your personal data, please notify us by sending an e-mail to the e-mail address set out in this Privacy Policy, stating "I wish to be informed of a change in the recipients of my personal data, name".

5. Links to third-party websites

We may provide hyperlinks to third-party websites as a convenience to you. We do not control third-party websites and are not responsible for the contents of any linked-to, third-party websites or any hyperlink in a linked-to website. We are not responsible for the privacy practices or the content of third-party websites.

6. To what countries do we transfer your personal data?

Sometimes we may have to transfer your personal data to other countries that may offer lower levels of data protection. In such cases we would do all that is within our control to ensure the security of the data we transfer.

Where the Opal Transfer transfers your personal data to countries outside the EU and/or the UK, we ensure that any of the following safeguards is implemented:

The ICO (for Opal Transfer Ltd.) and/or European Commission (for Opal Transfer EU, UAB) has adopted adequacy decisions for specific country;
a contract is signed with the data recipient based on the standard contractual clauses adopted by the European Commission;
respect of data transmission by a group of undertakings, binding corporate rules are applied;
Authorization is obtained from the State Data Protection Inspectorate (for Opal Transfer EU, UAB) or ICO (for Opal Transfer Ltd.);
For Opal Transfer Ltd. – the transfer is a necessary and proportionate measure carried out —
- for the purposes of Opal Transfer Ltd. statutory functions, or
- for other purposes provided for, in relation to Opal Transfer Ltd., in section 2(2)(a) of the Security Service Act 1989 or section 2(2)(a) or 4(2)(a) of the Intelligence Services Act 1994.

The following service providers are established outside the European Economic Area and the UK, which may result in your data being transferred outside the European Economic Area:

Meta, formerly known as the Facebook (standard contractual clauses);
Linkedin (standard contractual clauses);
Google Inc. and Google LLC (standard contractual clauses);
MailChimp (The Rocket Science Group, LLC.) (standard contractual clauses);
Vimeo, LLC (standard contractual clauses);
Mastercard Inc (standard contractual clauses).
VISA Inc (standard contractual clauses).
Whatsapp (standart contractual clauses).

Please contact us via e-mail at dpa@opaltransfer.com if you want further information on the mechanism used by us when transferring your personal data out of the EU.

7. Marketing messages

In case you consent, we will send you marketing messages via email and (or) leave a notification in an account to inform you on what we are up to. You may opt-out of receiving marketing messages at any time. You may do so by: (i) choosing the relevant link in any of our marketing messages; (ii) contacting us via e-mail at marketing@opaltransfer.com.

Upon you having fulfilled any of the provided actions we will update your profile to ensure that you will not receive our marketing messages in the future.

8. Children

Our website is not directed at children, and we do not intend to knowingly collect personal information from any child under eighteen (18). We will delete any personal information collected that we later determine to be from a user younger than the age of eighteen (18). Despite this, if you are the parent or legal guardian of a child under eighteen (18) who has provided us with personal information themselves, you may ask to review or delete this information by contacting us at dpa@opaltransfer.com.

9. Do we perform automated decision-making and/or profiling?

Opal Transfer uses automated decision-making, including profiling, to fulfil the terms of services provision and to provide customized direct marketing services (e.g. sending newsletters only to interested clients). Accordingly, we may collect, analyse and process personal data by applying special algorithms and prediction models about your choices, behaviour, criteria for using the services, amounts spent, and similar characteristics. All these performed actions do not have any legal or similarly significant effect on you and are not performed without your consent.

10. Data retention

Personal data specified in this Privacy Policy shall be stored and otherwise processed for no longer than the periods specified in Chapter 1 for each relevant data category and for no longer than necessary to achieve the purposes for which the data were collected.

In those cases when the data storage period is not indicated in this Privacy Policy, your data will be stored no longer than necessary for achievement of the purposes, for which the data were collected, or for a period set by legal acts.

After the end of your data processing and storage period set in this Privacy Policy, we destroy your data or anonymise them irreversibly and reliably as soon as possible, within a period reasonably necessary for performance of such an action.

If different processing or storage periods can be applied to the same data category for different purposes in accordance with this Privacy Policy, the longest of the applicable periods shall apply.

Your personal data can be stored for a period longer than indicated in this Privacy Policy only when:

your data is necessary for the proper administration of debt, damages (for example, you have not fulfilled your financial and/or property obligations or caused damage to us or other persons), examination and settlement of a dispute, complaint, the protection of our legitimate interests or those of third parties;
that is necessary in order that we could defend ourselves from existing or threatening demands, claims or legal actions and exercise our rights;
there are reasonable suspicions of violations, illegal activities, which are or may be a subject to investigation;
this is necessary for ensuring the functioning, resilience, integrity of backup copies, information systems, traceability of operations, statistical and other similar purposes;
there are other grounds provided for in legal acts.

11. How do we ensure the security of your personal data?

We process your personal data responsibly and securely, following our internal data processing rules and appropriate technical and organizational measures to protect personal data against unauthorized data processing, accidental loss, destruction, damage, alteration, disclosure, or any other illegal processing action. Accordingly, we follow the following essential data processing principles:

we collect personal data only for defined and legal purposes;
we process personal data honestly and only for the primary purpose;
we store personal data for no longer than the established purposes or legal acts require;
we entrust the processing of personal data only to employees who have been granted such right and official access;
we process personal data only by applying appropriate technical and organisational measures;
we disclose personal data to third parties only if there is a legal basis;
if applicable, we inform the responsible authorities about recorded or suspected violations of personal data security;
we periodically conduct data protection training for our employees;
we perform periodic internal and/or external IT security audits;
we change, adapt, and constantly improve various processes to ensure the safest possible personal data collection, reception, transmission, use, etc. processing steps.

We emphasize that we regularly monitor our systems for possible violations or attacks. Still, it is impossible to ensure complete security of information transmitted over the Internet or to prevent breaches, especially those that may occur due to your carelessness or disclosure of data to others. Taking this into account, we note that you also bear the personal risk of submitting personal data using the Internet connection through the Mobile App and the Opal Transfer Online Platform. You also maintain the entire risk related to the voluntary disclosure of your account data to others and/or the careless use of your personal data you receive directly from us.

12. Your rights

In this section, we have summarised the rights that you have under data protection laws. Some of the rights are complex thus we only provide the main aspects of such rights. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.

Your other principal rights under data protection law are the following: (i) the right to access data; (ii) the right to rectification (note that you may exercise most of this right by logging to your account here; (iii) the right to erasure of your personal data; (iv) the right to restrict processing of your personal data; (v) the right to object to processing of your personal data; (vi) the right to data portability; (vii) the right to complain to a supervisory authority; and (viii) the right to withdraw consent.

The right to access data. You have the right to confirmation as to whether or not we process your personal data and, where we do, access to personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.

The right to rectification. You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.

In some circumstances you have the right to the erasure of your personal data. Those circumstances include when: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw consent to consent-based processing and there are no other legal basis to process data; (iii) you object to the processing under certain rules of applicable data protection laws; (iv) the processing is for direct marketing purposes; or (v) the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. Such exclusions include when processing is necessary: (i) for exercising the right of freedom of expression and information; (ii) for compliance with our legal obligation; or (iii) for the establishment, exercise or defence of legal claims.

In some circumstances you have the right to restrict the processing of your personal data. Those circumstances are when: (i) you contest the accuracy of the personal data; (ii) processing is unlawful but you oppose erasure; (iii) we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and (iv) you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data, however we will only further process such data in any other way: (i) with your consent; (ii) for the establishment, exercise or defence of legal claims; (iii) for the protection of the rights of another person; or (iv) for reasons of important public interest.

You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

The right to data portability. To the extent that the legal basis for our processing of your personal data is: (i) consent; or (ii) performance of a contract or steps to be taken at your request prior to entering into a contract, necessary to enter into such, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.

If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so:

For Opal Transfer LTD customers: by filling the “ICO Data protection breach notification form” and sending it to: casework@ico.org.uk or by post to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

For Opal Transfer EU, UAB customers to the EU member state of your habitual residence, your place of work or the place of the alleged infringement. Opal Transfer EU, UAB data processing is supervised by State Data Protection Inspectorate of the Republic of Lithuania, registered office at L. Sapiegos St. 17, LT-10312, https://vdai.lrv.lt/.

To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

You may exercise any of the rights indicated herein by contacting us at dpa@opaltransfer.com.

In order to protect your and other persons’ data from unlawful disclosure, we will have to verify your identity upon your request to provide data or exercise your other rights. For this reason, we may ask you to indicate your name, surname, e-mail address or telephone number and we will compare whether your provided data correspond to the respective data, or sign your request with a qualified electronic signature.

Upon receipt of your request concerning the exercise of any of your rights and having successfully carried out the above verification procedure, we commit, without undue delay, yet in any case within one month from the date of receipt of your request and completion of the verification procedure at the latest to inform you about actions we took according to your request. Having regard to the complexity and number of requests, we have the right to extend the period of one month by two additional months, informing you thereof by the end of the first month and indicating the reasons for this extension.

If your request is submitted by electronic means, we will also give you an answer by electronic means, except for cases where this is impossible (e.g., due to a particularly large scope of information) or when you ask us to respond in another way.

We will refuse to satisfy your request by a reasoned response when the circumstances specified in legislation are identified, notifying you thereof in writing.

13. Updating your data

Please let us know if the personal information that we hold about you needs to be corrected or updated. You are responsible for maintaining the confidentiality of the data you provide to us and for ensuring that the data you provide to us is accurate, correct and complete. If the data you provide changes, you must inform us immediately by e-mail. In no circumstances we will be liable for any damage caused to you as a result of you providing incorrect or incomplete personal data or failing to inform us of a change in the personal data you have provided.

14. Changes to our Privacy Policy

We may amend this Privacy Policy at any time, in case of material changes, we may inform you about such via email. This Privacy Policy was last updated in 13/01/2025.

15. Contact Information

We will use all reasonable efforts to answer any questions or resolve any concerns regarding your privacy promptly.

All comments, queries and requests relating to our use of your personal information are welcomed. If you would like to contact us at dpa@opaltransfer.com.