Open Exchange Rates (UK) Limited ("We") is committed to protecting and respecting your privacy.
This policy (together with our Terms and Conditions of Website Use and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
For the purpose of the UK Data Protection Act 1998 and the European Union General Data Protection Regulation 2016 (the "GDPR"), the data controller is Open Exchange Rates (UK) Limited with its registered office at 5 Luke Street, London, England EC2A 4PX.
Information We May Collect From You
We may collect and process the following data about you:
- Information that you provide by filling in forms on our site https://openexchangerates.org and associated application programming interface (collectively, our site). This includes information provided at the time of registering to use our site, subscribing to our service, posting material, requesting further services, and adding/amending information in your account. We may also ask you for information when you report a problem with our site.
- If you register for an account with us, we will ask for your first and last name, your email address, a password (to be stored in an encrypted format), and optionally your website address, at the time of registration.
- After you register for an account with us, we may also ask for details concerning your business (if you have one), such as your business name and address, VAT Number, and alternative contact details.
- If you contact us, we may keep a record of that correspondence. This includes email messages and their attachments, records of phone calls and postal mail that we receive from you.
- We may ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- Details of transactions you carry out through our site and of the fulfilment of your orders.
- Details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.
- When you enter payment information, such as your credit card number, these are processed by our payment processor (Braintree Payments or PayPal depending on your choice of payment method) and we do not process or store your full unmasked payment information. We may store and process the first 6 and last 4 digits of your credit card number and its expiry date, the card type and issuer, the cardholder name and address, and/or (in the event of payment via PayPal) your PayPal account email address.
The data we collect and process is strictly limited to that which is necessary for us to provide our service to you under the lawful bases of consent and/or necessity.
Where we have given you (or where you have chosen) a password or access credentials which enable you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to our partners, providers or advertisers. This is statistical data about our users' browsing actions and patterns, and does not identify any individual.
If you register for an account with us, we may use your IP address at the time of registration for "geolocation" (meaning that we will infer your likely country of location, based on your IP address). Such geolocation is limited to the country level, and is not guaranteed to be accurate. We will provide you the opportunity to correct or remove this information if you wish.
We do not request or otherwise collect or store any sensitive personal data as defined under the GDPR (for example: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, gender or sexual orientation), whether in aggregate or linked to any person or account. If we become aware of any such data being stored or processed in our systems, we will take reasonable steps to erase it.
Our website uses specific cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie Notice.
Where We Store Your Personal Data
Our entire site is available over secure SSL (HTTPS) connection. Information that you provide to us by filling in forms on our site is therefore transferred from your web browser or server using SSL encryption.
When you enter payment information, such as your credit card number, these are processed by our payment processor (Braintree Payments or PayPal depending on your choice of payment method). The checkout page and/or specific form fields where you enter such information are served directly from their secure servers, and we do not process, receive or store your full unmasked payment details.
Although we will do our best to protect your personal data, including the use of SSL technology, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Uses Made Of The Information
We use information held about you in the following ways, under the lawful bases of consent, necessity and/or legal obligation:
- To ensure that content from our site is presented in the most effective manner for you and for your computer.
- To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes and only where provided by us.
- To carry out our obligations arising from any contracts entered into between you and us.
- To allow you to participate in interactive features of our service, when you choose to do so.
- To notify you about your account activity and usage, and about changes to our service, where you have consented to receive such updates.
Where we permit selected third parties to use your data, such use is strictly limited to that which is necessary to enable us to provide our service to you, and for purposes for which you have provided your consent. We ensure that these third parties are compliant with the GDPR and other relevant data protection law, and that your data is not used or stored by any third party for purposes for which you have not consented.
If you are an existing customer, we will only contact you with information about goods and services similar to those which were the subject of a previous sale to you, and only where these are provided by us.
If you are a new customer, we will contact you by electronic means only if you have consented to this. If you email us before registering for or using our site, we will respond to you by email, only insofar as required to provide you with the information you have asked for. If you then decide that you do not wish to use our site or services based on our response to you, please inform us of this and we will no longer contact you.
We will retain information held about you for the duration of your having an account with us (or longer, if required by law). When you no longer need your account, you may delete it by visiting your Account Dashboard or by emailing us at firstname.lastname@example.org and requesting account deletion. We will then no longer retain information about you. If your account is inactive for a long period of time, we may also erase information held about you as part of routine maintenance and data purging practices.
If you do not want us to use your data in this way, or to pass your details on to third parties, please untick the relevant box situated on the form on which we collect your data (the registration form or forms in your Account Dashboard).
Disclosure Of Your Information
We may disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may disclose your personal information to third parties:
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions of Website Use and other agreements; or to protect the rights, property, or safety of Open Exchange Rates (UK) Limited, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- If Open Exchange Rates (UK) Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
In the event of any such disclosure, we will use our best efforts contact you to notify you of such disclosure, and give you the opportunity to exercise your right to erasure.
Notification Of Breach
While we take great precaution to protect our systems and servers from unauthorised access, and carry out regular internal data security audits, there is a risk of malicious activity occurring. If we become aware of any potential or actual breach of our systems which may have caused exposure of your personal information, we will contact you via the email address you have provided to us within 72 hours of such discovery to inform you of the situation.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at email@example.com.
Access To Information (Subject Access Requests)
You have the right to access personal information held about you by us (known as a Subject Access Request under the GDPR). You may exercise this right at any time by emailing firstname.lastname@example.org from the email address associated with your request. If you have an account with us, or we hold any personal information pertaining to you, we will provide this in a machine-readable format (such as CSV) within 30 days. There is no fee in relation to your request for access.
Right To Erasure
You have the right to ask us to remove all data and/or personal information we hold about you. We will use reasonable endeavours to remove all information from our systems, including backups where technically feasible, within 30 days. You can exercise this right at any time by contacting us at email@example.com. We may retain certain specific information, where required by law. There is no fee in relation to your request for erasure.
Withdrawal Of Consent
You have the right to withdraw your consent for data processing and storage at any time, including (but not limited to) your consent to be contacted by us. You may exercise this right at any time by emailing firstname.lastname@example.org or by unticking the relevant box in the registration form, and/or forms displayed in your Account Dashboard.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
To contact us for any other reason, please email email@example.com.
Version 4, last updated: 22/05/2018