Privacy Statement
About us
Thomas Exchange UK Ltd (also referred to as “TEFX”, “we”, “us”, or “our”) are a registered company in the UK (company registration number 04237922).
Our registered address is:
Lawford House, Albert Place, London, N3 1QA
Update
This privacy statement was last updated Tuesday 23rd April 2024.
TEFX keep this privacy statement under regular review and may update it on occasion without notice. Please refer to this document periodically to make sure you are happy with any updates that TEFX may have made.
Purpose of this statement
This statement is designed to help you understand what kind of information TEFX collect in connection with our products and services, as well as how we will process and use this information. In the course of providing you with products and services, we will collect and process information that is commonly known as personal data.
This statement describes how we collect, use, share, retain and safeguard personal data.
This statement also sets out your individual rights, which we explain later; these rights include your right to know what data is held about you, how this data is processed, and how you can place restrictions on the use of your data.
Data Controller
Thomas Exchange UK Ltd
48 Bishopsgate
London EC2N 4AJ
Tel: 0207 256 7457
Email: dataprotection@tefx.co.uk
What is personal data?
Personal data is information relating to an identified or identifiable natural person. Examples include an individual’s name, age, address, date of birth, gender and contact details.
Personal data may contain information which is known as special categories of personal data. This may be information relating to an individual’s health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, or data relating to sexual orientation. Personal data may also contain data relating to criminal convictions and offences. For the purposes of safeguarding and processing criminal convictions or offences responsibly, this data is treated in the same manner as special categories of personal data, where we are legally required to comply with specific data processing requirements.
What data we collect
For TEFX to provide you with our services as an MSB (Money Service Business), we will collect and process personal data about a person that is specifically identifiable, such as name, address, email, telephone number and details of financial affairs. This is collected alongside KYC (Know Your Customer) documentation of ID, proof of address, bank/credit card statement, invoices, or all possible documentary evidence for any underlying transaction, its source of funds and/or the reason for the transaction.
You may provide TEFX with personal data when signing up to our services, through application forms, when completing contact forms, when you contact us via the telephone, when writing to us directly, or when we complete forms in conjunction with you.
We may also need to collect personal data relating to others when providing you with our products and/or performing due diligence checks; in most circumstances you will provide us with this information. Where you disclose the personal data of others, you must ensure that you are entitled to do so. We may also collect personal data from publicly available sources (e.g. the internet) which is lawfully obtained and is available with permission.
What data is used for
The processing and screening of data is carried out for identity verification, anti-fraud, anti-money laundering, counter-terrorist financing measures and crime prevention/prosecution. CCTV surveillance is used to gather evidence in the event of a robbery, to prevent financial crime, and to identify any person suspected of criminal activity. It may also be used as evidence in a legal claim or as a defence in the event of litigation. Call tracking/recording and website marketing attribution are used to monitor customer enquiries, analyse customer orders, and review overall the most effective avenues through which customers can contact us or place an order.
In addition to the above, personal contact information provided by you may also be used by us to provide you with further news and information about the services and initiatives that are available.
Lastly, TEFX reserves the right to use your data to contact you should there be any issue with your payment.
In accordance with the Data Protection Act 2018 and GDPR, TEFX applies the following lawful bases for processing your personal data:
Processing is necessary for compliance with our legal obligation to which we are subject
Legitimate Interests: processing is necessary for our legitimate interests or the legitimate interests of a third party, provided that individual data subject rights are not overriding
TEFX is legally obligated to gather and use certain information when entering into a business relationship with another company. These can include customers, suppliers, business contacts, employees, and other people the company has a business relationship with or may need to contact.
As a financial institution, we are required to conform to all laws of the UK and EU regulations (wherever applicable). Further, we are guided by the regulatory bodies such as HMRC, the Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO).
Marketing
If you register with TEFX you will be asked to provide your email address on our registration form. This information may be used to contact you about offers, products or services provided by us which we believe may be of interest to you. If you do not wish to receive any further information, there is an unsubscribe option in our emails which will cancel any further correspondence. TEFX will never contact you via post, telephone, or any other mediums of communication for marketing purposes other than email.
TEFX also perform market research using an external, visitor level call tracking and online marketing attribution vendor.
Obligation of customers to provide data
TEFX is statutorily obligated by UK and EU legislation to verify the identity of its customers, and by extension request identifying documentation before entering into a business relationship. If you refuse to provide us with the necessary information and/or documentation when asked, then by law we will not be allowed to carry out any transactions with you or establish any type of business relationship.
Data protection risks
This policy is here to make sure that TEFX is compliant with the law and to provide protection from possible security risks such as:
Breaches of confidentiality – Information being inappropriately released
Reputational damage – Hackers gain access to the company’s computer systems and acquire sensitive data
Fraud – Sensitive data used by an individual to commit fraud
Responsibilities
All employees of TEFX have a responsibility for ensuring that all data collected is stored and handled in accordance with the Data Protection Act 2018, GDPR and PSD2. The senior members of staff will have a larger responsibility, not only for handling the data but also for making sure all employees, systems, services, and equipment meet acceptable security standards.
General staff guidelines
All data collected is for TEFX to remain compliant with AML and CTF regulations; only staff members who require this data have access to the systems.
All data is considered confidential; employees need to share data in order to be able to work effectively; however, data is not to be shared informally or outside of the company.
All employees receive compliance training when they first join, as well as annual refresher training which includes the responsibilities of handling data.
No data should be taken, emailed, or posted outside the office, and under no circumstances should the company website be accessed from any computer other than one belonging to TEFX or its contractors.
All authorised staff are trained in confidentiality and the handling of personal data, adhering to an internal data protection policy, as well as signing an NDA.
Protecting your data
TEFX will take all appropriate technical and organisational steps to protect the confidentiality, integrity, availability, and authenticity of your data, including when sharing your data within our group of companies, and authorised third parties.
Statement scope
This statement applies to:
The head office of TEFX
All branches of TEFX
All staff and volunteers of TEFX
All contractors, suppliers and other people working on behalf of TEFX
Information sharing
TEFX does not share your information with any unauthorised parties under any circumstances; nor will it be sold, rented, or loaned to any third parties. Certain systems that TEFX use for data storage are not maintained in house, but rather outsourced to our IT specialists and web administrators; some of the data may not be stored on site, but is accessed via the company website, or uploaded onto the cloud each evening for retrieval in the event of data loss/damage; all data stored off site is encrypted and only accessible to TEFX. Any vendor that deals with our data undergoes a Data Protection Impact Assessment (DPIA) for verification purposes and will be evaluated annually.
TEFX also uses fully qualified outside compliance consultants and auditors to make sure that we remain as up to date as possible on all UK and EU regulations; as such, these professional consultants are allowed access to certain systems which remains confidential under law.
TEFX uses collected data alongside electronic identity verification software, and in conjunction with credit reference agencies, to carry out regulatory compliance checks; this software is hosted by one of the world’s leading risk management service providers. Credit reference agencies may place a search ‘footprint’ on the electronic file of the subject and their personal details may be accessed by third parties for the specific purpose of anti-money laundering, credit assessment, identity verification, debt collection, asset reunification, tracing, and fraud prevention; please note that these ‘footprints’ have no effect on your credit rating. Checks may also be used in conjunction with our internal monitoring, and customers may on occasion be checked if their transactions are under due diligence amounts; these spot checks are at random with the sole goal to monitor our risk-based approach and determine if transaction limits need to be moved.
Disclosing data
On occasion the Data Protection Act 2018 obligates us to disclose personal data to law enforcement agencies for crime prevention/detection, statutory authorities (HMRC, FCA and ICO), and government bodies, provided that individual data subject rights are not overriding. Data may also be used in a legal claim or defence for any possible litigation.
TEFX as a regulated MSB is subject to compliance reviews from either its statutory regulators or its wholesalers. During these reviews we are obliged to allow them access to our systems to demonstrate our due diligence processes, as well as any data/documentation we have on randomly selected customers. These reviews are for both our statutory regulators and wholesalers to make certain that TEFX is consistently upholding UK and EU regulations. Both our regulators and wholesalers are held accountable to the Data Protection Act 2018, GDPR, PSD2 and all other UK/EU legislation regarding data protection.
Data accuracy
AML and CTF regulations state that all data handled and stored by TEFX must be as accurate as possible. To make sure that TEFX is as accurate as possible with customer data the following guidelines have been put in place:
Data should be reviewed regularly to make certain that it is accurate
It has been made easy for customers to update us on any changes
Customer files are updated upon discovery
Data retention period
In compliance with HMRC Money Laundering Regulations 2017, all data stored for the reason of compliance must be retained for no less than five years from either the last transaction or end of business relationship. However, unless requested otherwise this data may be stored for longer as part of a customer’s outgoing record. If a customer enacts their ‘right to erasure’, their data will be moved to a secure, access controlled server where it will be deleted after the five year period.
If a customer uses their debit card to make a payment, TEFX will require a scan of their ID for the possibility of a chargeback or accusation of fraud. This data is held on our secure server and is deleted after 18 months.
All recorded phone calls and online enquiry information are stored on our Marketing vendor’s server and are deleted after 12 months or from the latest of:
A customer deciding not to pursue a claim or withdrawing a claim.
Settlement of a claim.
Conclusion of any legal proceedings relating to a claim.
Conclusion of any complaint made by a customer through either TEFX or an alternative dispute resolution scheme.
Termination of an agreement between TEFX and a customer.
The date of last contact made by TEFX.
Disposing of data
Upon disposal, all soft data is deleted, and all documents/hard data is shredded by TEFX staff in house or by a professional shredding service under the supervision of TEFX staff, after which a certificate will be obtained.
Your Individual Rights
Individuals are provided with legal rights governing the use of their personal data. These grant individuals the right to understand what personal data relating to them is held, for what purpose, how it is collected and used, with whom it is shared, where it is located, to object to its processing, to have the data corrected if inaccurate, to take copies of the data and to place restrictions on its processing. Individuals can also request the deletion of their personal data.
These rights are known as ‘Individual Rights’ under GDPR which are as follows:
The right to be informed about the personal data being processed
The right of access to your personal data
The right to object to the processing of your personal data
The right to restrict the processing of your personal data
The right to rectification of your personal data
The right to erasure of your personal data
The right to data portability (to receive an electronic copy of your personal data)
Rights relating to automated decision making including profiling
Customers can exercise their individual rights at any time; as mandated by law, TEFX will not charge a fee to process these requests. However, if your request is considered to be repetitive, wholly unfounded and/or excessive, we are entitled to charge a reasonable administration fee.
In exercising your individual rights, you should understand that in some situations TEFX may be unable to fully meet your request; for example, if you make a request for us to delete all your personal data, we may be required to retain some data for taxation, prevention of crime and for regulatory and other statutory purposes.
The flow of data within TEFX can be complex and we ask you to keep this in mind when exercising your ‘right of access’ to your information. The full collection of any data we hold on you may take some time to gather, depending on how much of your data we have on our systems; additionally, TEFX may be reliant on other organisations to help satisfy your request and this may impact on timescales.
Children
TEFX will not deal with anyone under the age of 16 years and will not collect or maintain the data of anyone under that age.
Data Protection Officer
To comply with our legal obligations and to ensure data privacy and protection has appropriate focus within our organisation, we have nominated a Data Protection Officer who reports to our senior management team.
How to contact us
If you have any questions regarding this statement, the use of your data, require further information on your individual rights, or you wish to exercise these rights, please contact our Data Protection Officer on the details below:
48 Bishopsgate, London,
EC2N 4AJ
Tel: 0207 256 7457
Email: dataprotection@tefx.co.uk
Complaints
If you are dissatisfied with any aspect of the way in which we process your personal data, please contact our Data Protection Officer on the details above.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), our regulatory authority regarding data security; please find their details below.
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow
SK9 5AF
Tel: 030 3123 1113
Email: registration@ico.org.uk
Website: ico.org.uk/concerns
Regulatory Authorities
TEFX is regulated by the following statutory authorities:
HM Revenue & Customs Registration No. XDML00000105651
FCA Authorisation No. 579247
Information Commissioner’s Office Registration No. ZA035885