Privacy Notice

Privacy Notice

ABOUT THIS DOCUMENT

This Privacy Notice will help you understand how we collect, use, and protect your personal information when you use our websites (viabuy.com, crosscard.com, fleetmoney.com and cardstatus.com – collectively, ‘Our Sites’), our mobile device applications (the ‘Apps’) or if we receive your personal information for recruitment purposes.

WHO WE ARE AND OUR CONTACT DETAILS

Crosscard S.A. (“Crosscard”) is a public company limited by shares, incorporated and existing under the Laws of the Grand Duchy of Luxembourg with the Luxembourg trade and companies register under the company number B215831, with its registered address at 26-28, Rue Edward Steichen, L-2540 Luxembourg, the Grand Duchy of Luxembourg. Crosscard is authorised by the Ministry of Finance of the Grand Duchy of Luxembourg as an electronic money institution with Authorization Number: 17/19, and regulated and supervised by the Commission de Surveillance du Secteur Financier (“CSSF”) in the Grand Duchy of Luxembourg, under national ID number W00000011.

Crosscard Technologies GmbH is part of the Crosscard Group.

Crosscard has overall responsibility for the processing of your personal information. This means that we are a ‘data controller’ under the General Data Protection Regulation (also known as the GDPR). We fully comply with GDPR as well as the Luxembourg Professional Secrecy Law. We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any queries about this Privacy Notice or how we process your personal information, please contact us by email: data@crosscard.com or by post to: 26-28, Rue Edward Steichen, L-2540 Luxembourg, Luxembourg.

WHAT INFORMATION WE COLLECT ABOUT YOU

The personal information we collect about you includes:

  • name, date of birth, and gender;
  • identification document details;
  • contact details, including address, telephone number and email address;
  • financial information, including credit/debit card and other payment methods’ details (although we do not retain complete payment card information) and source of funds information;
  • identifiers assigned to your computer or other devices, including your Internet Protocol (IP) address.

Furthermore, by using Our Sites and our Apps, Cookies may be stored on your devices. You can find further information on Cookies below, under the title ‘Cookies and Web Beacons’.

Special categories of personal data

Crosscard does not intentionally collect any special categories of personal data (sensitive personal information) via Our Sites or Apps unless in a specific country we are legally required to do so, for example, for recruitment purposes. Sensitive personal information includes: information revealing ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; information concerning health; information concerning a natural person’s sex life or sexual orientation; and in some cases, social security numbers or financial information.

Security

Crosscard works to protect the confidentiality and security of the information it obtains in the course of its business. Access to such information is limited and policies and procedures are in place, designed to safeguard the information from loss, misuse and improper disclosure.

WHY WE COLLECT AND KEEP YOUR PERSONAL DATA 

We retain Personal Data for the least amount of time required for business purposes to offer our services and for legal or regulatory obligations. You can rest assured that we have secure controls in place at all times to protect all your personal data from unauthorized access.

We may retain your Personal Data for longer periods than the minimum required by law if it is in our legitimate business interests and it is not prohibited by the law.

We use cookies, web beacons, and other web technologies, as applicable, to enhance your browsing experience. These have limited expiration times.

HOW WE COLLECT INFORMATION ABOUT YOU

Most of the personal information we hold about you is collected directly from you. We do this for example, when you:

  • visit Our Sites and register to receive information from us or sign up to our newsletter;
  • download PDFs or other files or information from Our Sites;
  • contact us directly, either via our call centre, by email or social media;
  • register with us for recruitment and vacancy updates;
  • apply for a vacancy on Our Sites;
  • respond to communications or surveys;
  • visit Our Sites and apply for a prepaid product;
  • start an application for a prepaid product but fail to complete it;
  • make enquiries or raise concerns with our customer service team;
  • use our Apps;
  • accept the use of Cookies.

We will also collect information about you if you get in touch through one of our external partners (for instance, if you apply for a job vacancy using a third party provider, such as a recruitment agency or our HR tool).

In order to understand more about you and to verify your identity, we may supplement and combine the personal information that we collect from you with other categories of data obtained from other sources.

We may change or add to these from time to time and the changes will be updated on our Privacy Notice.

Information we collect on social media platforms

You may wish to participate in the social media platforms which we make available to you. The main aim of these social media platforms is to inform, assist, and engage with you. We monitor and record comments and posts made on these channels so that we can improve our products and services. We use a third-party providerto manage our social media interactions. If you send us a private or direct message via social media the message will be stored for three years.

Crosscard may also provide links to other social media platforms maintained on separate servers by individuals or organisations over which Crosscard has no control. Crosscard makes no representations or warranties regarding the accuracy or any other aspect of the information located on such servers.

A link to a third party’s website should not be construed as an endorsement by either Crosscard or that third party of each other or its products and services. Furthermore, Crosscard is not responsible for any information posted on those websites other than information we have posted ourselves. We do not endorse the social media websites themselves, or any information posted on them by third parties or other users.

We recommend reviewing the privacy statement of each third-party site linked from Our Sites to determine their use of your personal information.

Information we collect when you use our call centre

We use a third-party provider to manage our VIABUY customer service telephone interactions. When you call the VIABUY call centre we collect Calling Line Identification (CLI) information, as well as some information about yourself for security, identification and verification purposes. We use this information to help you with your queries and to help improve our service’s efficiency and effectiveness.

We may also monitor or record phone calls with you in case we need to check that we have carried out your instructions correctly, to resolve queries or issues, for regulatory purposes, to help improve our quality of service, and to help detect or prevent fraud or other crimes. Conversations may also be monitored and/or recorded for staff training purposes.

WHAT WE USE YOUR INFORMATION FOR AND REASONS FOR PROCESSING

We will store and use your personal information as is necessary for the performance of a contract between you and us, for compliance with our legal and regulatory obligations, for our legitimate interests or, for certain other additional purposes, based on your explicit consent. Examples of how we may use your personal information include:

  1. administering your account (as is necessary for performance of a contract between you and us and/or as is necessary for our legitimate interests);
  2. carrying out anti-fraud and anti-money laundering checks and verifying your identity (as is necessary for compliance with our legal and regulatory obligations and/or as is necessary for our legitimate interests);
  3. using your details to process payments (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests);
  4. sending you information about our products and services (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests);
  5. monitoring your usage and the effectiveness of Our Sites and Apps (as is necessary for our legitimate interests);
  6. undertaking market research and statistical analysis, including analysing your use of Our Sites and developing new products and services (in line with the settings you chose for Cookie Consent);
  7. fulfilling our obligations owed to a relevant regulator, tax authority, or revenue service (as is necessary for compliance with our legal and regulatory obligations and/or as is necessary for our legitimate interests); and
  8. storing the curriculum vitae of unsuccessful job candidates in line with our Data Retention Policy for consideration for future vacancies (as is necessary for our legitimate interests).

Our legitimate interests as referred to above (and below) include our legitimate business purposes and commercial interests in operating our business in a customer-focused, efficient, and sustainable manner, in accordance with all applicable legal and regulatory requirements.

Using your data for fraud prevention

In certain situations, before we provide you with our prepaid products and services, we use your personal data to conduct checks for the purposes of preventing fraud and money laundering and to verify your identity. We use third-party service providers to assist in verifying your ID documents, to screen your name and country of residence against sanctions, and the list of Politically Exposed Persons as required by regulations. We may also share your details with other financial institutions and law enforcement agencies for the purposes of preventing fraud, money laundering, terrorist financing, and other financial crimes, within the limits of privacy regulations.

If we, or a fraud prevention agency, determine that you pose a risk of fraud or money laundering, we may refuse to provide you the prepaid products or services you have requested. We may also stop providing existing services to you. A record of any fraud or money laundering risk will be retained by us and the fraud prevention agencies. It may also result in others refusing to provide products, services, financing or employment to you. If you have any questions about our processing of your data for fraud prevention purposes, please contact us via the details provided above.

When Crosscard and fraud prevention agencies process your personal data, we do so on the basis that we have a legitimate interest to process your data in such a way, in order to protect our business and to comply with the various laws that apply to us. Such processing may also be a contractual requirement in relation to the services you have requested from us.

Using your personal data for marketing

In addition to the purposes above, we may also process your personal information for the purposes of marketing, to send information promoting similar products and services by post, email, text message, and other channels, such as social media platforms, if you have expressly consented to this.

You can object to receiving marketing emails from us at any time – please follow the unsubscribe link in our marketing emails or text message; or send us your name, address and date of birth via email to data@crosscard.com or by post to: 26-28, Rue Edward Steichen, L-2540 Luxembourg, Luxembourg.

WHO WE SHARE YOUR DATA WITH

Where relevant given the nature of our relationship or of the products and services provided to you, we may also share your information with the following categories of third parties:

  • payment service providers (as is necessary for the performance of a contract between you and us);
  • third-party service providers with whom you also have a contractual relationship (as it is necessary for our legitimate interests and for the legitimate interests of the third-party service provider with whom you also have a contractual relationship);
  • third-party service providers who we instruct for the purposes of processing service information (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests and/or as is allowed by your explicit consent);
  • third-party data suppliers, as explained under “How we collect information about you” (as is necessary for our legitimate interests);
  • third-party service providers who support the operation of our business, such as IT and marketing suppliers, financial service providers and other administrative support services to operate Our Sites (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests);
  • fraud prevention agencies and associations (as is necessary for compliance with our legal obligations and/or as is necessary for our legitimate interests);
  • as required by a court order or any other legal or regulatory requirement specified by institutions such as law enforcement agencies, including the police, the Regulatory Authorities, Tax Authorities, and any other relevant Authority who may have jurisdiction (as is necessary for compliance with our legal and regulatory obligations).

WHERE YOUR INFORMATION IS PROCESSED

The personal information that we collect from you, and which is shared with the third-parties mentioned above, may be transferred to and processed in a destination outside of the European Economic Area (EEA). It may also be processed by staff operating outside the EEA who work for us or one of our suppliers.

In these circumstances, your personal information will only be transferred on one of the following bases:

  • the country that we send the data is approved by the European Commission as providing an adequate level of protection for personal information; or
  • the recipient has agreed with us standard contractual clauses approved by the European Commission, obliging the recipient to safeguard the personal information; or
  • there exists another situation where the transfer is permitted under applicable data protection legislation.

To find out more about how your personal information is protected when it is transferred outside the EEA (and if you wish to obtain a copy of the standard contractual clauses which we have entered into with recipients of your personal information outside of the EEA), please contact us using the details above.

Crosscard will only disclose your personal information to third parties that adhere to  GDPR and Luxembourg Professional Secrecy regulations.

HOW LONG IS YOUR INFORMATION KEPT?

Crosscard only ever retains personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations. Unless specifically mentioned otherwise, we keep your personal data as long as legally permitted or required and as long as it is still in our business interest.

COOKIES AND WEB BEACONS

Our Sites and Apps use cookies, web beacons, and other web technologies, as applicable, to improve their performance and to enhance your browsing experience. These technologies will help us track and monitor your engagement and usage of Our Sites and Apps, to understand more about you, so we can offer you a more personalised browsing experience.

Cookies

We may place small data files on your access device. These data files may be cookies or other local storage provided by your browser or associated applications (collectively, “Cookies”). We use Cookies to recognise you as a customer, customise our services, content and advertising, measure promotional effectiveness, help ensure that your account security is not compromised, mitigate risk and prevent fraud, and to promote trust and safety across our Sites and services.

What Cookies do we use?

The Cookies used by Our Sites or Apps can be:

  1. Transient (or per-session) Cookies – these only exist for your site visit and are deleted on exit. They recognise you as you move between pages, for example, recording items added to an online shopping basket. These Cookies also help maintain security.
  2. Persistent (or permanent) Cookies – these stay on your machine until expiry or deletion. Many are built with automatic deletion dates to help ensure your hard drive does not get overloaded. These Cookies often store and re-enter your log-in information, so you don’t need to remember membership details.

We use both types of Cookies.

Additionally, Cookies can be first or third party Cookies. First-party Cookies are owned and created by Crosscard. Third-party Cookies are owned and created by an independent company, usually a company providing a service to the website owners. These Cookies collect information relating to the origin of your visit, where you were exposed to Crosscard advertising, what advertising feature you saw, whether you arrived directly or indirectly to Our Sites, the device you used to visit Our Sites or use our Apps and which downloads you performed.

You can review, enable or disable Cookies before you enter our site for the first time or anytime by clicking on the cookie symbol.

For a full list of 3rd parties, please contact our Data Protection Officer under the email address provided below.

How do I disable Cookies?

You are free to decline our Cookies by setting your preferences in the pop-up window in your first visit to Our Sites. Essential Cookies cannot be declined because they are required for the website to function correctly or to prevent fraud or ensure the security of Our Sites and Apps. If you don’t want these cookies to be used you cannot visit or use Our Sites. Declining any Cookies may interfere with your use of Our Site/Apps and services. To enable or disable cookies, click on the Cookie symbol in the corner on Our Sites and follow the instructions.

Web Beacons

We use small graphics (also called tracking pixels or clear GIFs – collectively, “Web Beacons”) in Our Sites, Apps or emails which remain invisible to you but provide us with information about your experience and interaction with Our Sites, Apps and emails such as which browser has been used, if an email was opened and similar. As part of our effort to track the success of our advertising campaigns, we may at times use visitor identification technology such as these “web beacons” which count visitors who have come to Our Sites after being exposed to a Crosscard banner ad on a third party site. Web Beacons often work in conjunction with Cookies. No personally identifiable or sensitive personal data is collected via Web Beacons.

YOUR RIGHTS

According to data protection legislation you have the right to:

  • obtain access to, and copies of, the personal information that we hold about you;
  • require that we stop processing your personal information if the processing is causing you damage or distress;
  • opt out of marketing communications;
  • ask us to erase your personal information;
  • receive from us the personal information we hold about you which you have provided to us, in a structured, commonly used and machine-readable format, including for the purpose of you transmitting that personal information to another data controller; and
  • require us to correct the personal information we hold about you if it is incorrect.

Please note that these rights may be limited by data protection legislation, and we may be entitled to refuse requests where exceptions apply.

COMPLAINTS

If you are concerned about an alleged breach of privacy law by Crosscard, please contact us by email at data@crosscard.com or by post to 26-28, Rue Edward Steichen, L-2540 Luxembourg, Luxembourg.

If you are not satisfied with the way in which Crosscard has resolved your complaint, you have the right to complain to the CNPD or the data protection authority in your country. You can find out more about your rights under data protection legislation from the CNPD’s website.

CHANGES TO THIS PRIVACY NOTICE

We may update this notice from time to time by publishing a new version on Our Sites. You should check this page occasionally to ensure you are happy with any changes. If the changes are substantial, we may notify you of changes to this notice by email.

If you have any questions or concerns about this Privacy Notice, please contact our Data Protection Officer at data@crosscard.com or send a letter to Crosscard at 26-28, Rue Edward Steichen, L-2540 Luxembourg, Luxembourg.

The original text of this Privacy Notice is in English. Any other language translation is provided as a convenience only. In the case of any inconsistency or discrepancy between original English texts and their translation into any other language, as the case may be, original versions in English shall prevail.