Privacy Notice
1. Introduction
TTMFS Singapore Pte Ltd and all relevant subsidiaries and affiliates (collectively “Thunes” or “we”/“us”/“our”) are committed to safeguarding your right to privacy and your Personal Data.
This Privacy Notice describes how we handle and treat your Personal Data when we provide our services, when we process your job application, when you visit our website, or when we interact with you in other ways (collectively “Services”).
“Personal Data” is any information which can be used to identify you or from which you are identifiable. This includes but is not limited to your name, nationality, telephone number, bank and credit card details, email address, date of birth, as well as government-issued identification numbers.
The Thunes Privacy Management Program, which governs our privacy policies and practices, is aligned with privacy regulations worldwide, and ensures that we are compliant with the EU and UK General Data Protection Regulations (“GDPR”), Singapore’s Personal Data Protection Act (“PDPA”), as well as other privacy regulations.
2. Scope of this Privacy Notice
This Privacy Notice applies when we receive your Personal Data, either directly from you, or indirectly via our partners. Please refer to the sections below for details about the Personal Data we collect and how we collect it.
This Privacy Policy does not apply to the policies and practices of companies that are not related to Thunes. We are not responsible for other companies’ privacy policies and practices.
We do not endorse other companies’ policies and practices when we provide a link to a website. We do not knowingly attempt to solicit or receive information from children or minors per applicable local laws.
This Privacy Notice describes and explains our practices regarding:
- What Personal Data we may collect
- How and why we use Personal Data
- How we protect Personal Data
- Our use of Cookies and Tracking Technologies
- Your Rights as a Data Subject
3. Types of Personal Data We Collect
The exact types of Personal Data we may collect depend on your interaction with us, and may include:
- First and last name;
- Country and city of residence;
- Location data;
- Job title;
- Nationality;
- Phone number;
- Government Issued ID number;
- Date of birth;
- Any online identifier; and
- Any other information that may be used to identify you
To reiterate, this is a sampling of the information we may collect, and is not an exhaustive list.
4. How we collect Personal Data
We collect Personal Data when you:
- send money or make a payment, by using the website or mobile app provided by one of our partners, of which you are a customer;
- receive a money transfer or payment, which is being made through our partners;
- apply to use our services;
- provide information about your company during the onboarding and due diligence processes;
- contact our support team for help or for more information about a transaction;
- apply for an employment opportunity with us;
- interact with our sales or network representatives;
- interact with any of our social media accounts;
- contact us via our website contact form;
- visit our website;
- send us Personal Data for any other reasons.
If you provide us with the Personal Data of someone else (e.g. a colleague, shareholder or company director during onboarding), you represent that you have permission to do so.
We may also gather Personal Data from public databases, joint marketing partners, social media platforms (including from people with whom you are friends or otherwise connected), and from other third parties.
5. What are our Legal Bases for Processing Personal Data
We rely on the following legal bases (as defined by data protection regulations) to process Personal Data:
- The processing is necessary for the fulfilment of our contractual obligations to our partners;
- The processing is necessary for the fulfilment of our legal/regulatory requirements and obligations;
- The processing is necessary for pursuing our legitimate interests; or
- Consent was given for a specific purpose.
We will only use the Personal Data you provide for the purposes for which we collected it, as well as for related purposes. If we need to use the Personal Data you provide for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
6. Other Information We May Collect
We may also collect other information that by itself doesn’t identify you. Such information may include:
- Browser and device information;
- Information collected through cookies, pixel tags and other technologies;
- Demographic information and other information provided by you that does not reveal your specific identity; and
- Information that has been aggregated in a manner that it no longer reveals your specific identity.
We may merge Personal Data with other information. We will treat this information as Personal Data if we are required to by law.
7. How We May Collect Other Information
We may collect other information in a variety of ways, including:
- Through your browser or device: most browsers collect certain information automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system name and version, device manufacturer and model, language, or internet browser. We may use this information to ensure that the Services we provide function properly.
- Through your IP address: An IP (Internet Protocol) address is a unique identifier that electronic devices use to identify and communicate with each other on the internet. We may identify your IP address and log it into our server log files when you access our websites or mobile applications, along with the time and page(s) you visit. When you visit our website, we may view the IP address of the computer or device you use to connect to the internet. Collecting IP addresses is standard practice and is done automatically by many websites, applications and other services. We use IP addresses for a variety of reasons, such as calculating usage levels, diagnosing server problems and administering the services.
8. How We Use Personal Data and Other Information
We may use Personal Data and other information for our legitimate and reasonable business purposes, to the extent permitted by applicable law, including but not limited to:
- Completing your money transfer or payment request, that you submit to our partners;
- Completing a money transfer or payment request when you are receiving a money transfer or payment from our partners;
- Providing you with the services that you have signed up for;
- Conducting due diligence on your company to satisfy our regulatory obligations;
- Providing you with support when you need help with our services;
- Processing your job application;
- Exploring how your company can join our partner network;
- Interacting with you on our social media accounts;
- Handling your queries and feedback;
- Operating and growing our business (e.g., conduct data analysis; audit our activities; develop new products; enhance, improve and modify our services; identify usage trends; determine the effectiveness of our promotional campaigns);
- Monitoring and preventing fraud, money laundering, abuse, and other actual and potential prohibited or illegal activities;
- Meeting our legal, auditing, regulatory, insurance, security and processing requirements;
- Responding to court orders;
- Complying with applicable laws, which may include laws outside your country of residence;
- Responding to requests from public and government authorities, which may include authorities outside your country of residence;
- Cooperating with law enforcement or for other legal reasons;
- Enforcing our terms and conditions; and
- Other reasonable and legal purposes which you have consented to.
9. How We Share and Disclose Personal Data and Other Information
We share and disclose information with:
- Our partners in our network, so that they can complete your money transfer/payment requests, provide our service to you, and to meet their own legal and regulatory obligations;
- Our subsidiaries and affiliated entities. Like most international businesses, we have centralised certain aspects of our data processing in order to allow us to better manage our business and share the Personal Data you provide accordingly if required and needed in this context. We may also share the Personal Data you provide with recipients in other Thunes entities if this is necessary to provide our service;
- Our vendors that provide us with services related to information technology, such as website hosting, data analysis, payment processing, order fulfilment, information technology and related infrastructure provision, customer service, and email delivery;
- Our vendors that provide us with services related to our marketing communications and campaigns, consistent with your choices, including any applicable choices we provide for you to opt into such sharing;
- Your social media connections, other website users and your social media account providers;
- Other third parties in the event of a reorganisation, merger, sale, joint venture, assignment, transfer or other disposition of our business, assets or stock, or in any bankruptcy or similar proceedings; and
- Others as required by law. We reserve the right to disclose any Personal Data you have provided if we are compelled to do so by a court of law or requested to do so by a governmental entity or if we determine it is necessary or desirable to comply with the law or to protect or defend our rights or property in accordance with applicable laws. We also reserve the right to retain Personal Data to comply with any specific record retention laws that apply.
10. Our Information Security
Thunes implements reasonable organisational, technical and administrative measures to protect Personal Data and other information. These measures are aligned with industry best practices, as well as with guidance from data protection authorities like the ICO, CNIL and PDPC. Our security measures include:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
- a process for embedding security when designing and developing systems;
- an education program that regularly trains employees and maintains awareness of security;
- the implementation of technical controls to detect and prevent unauthorised access, including firewalls, intrusion detection and anti-virus software;
- the implementation of technical and operational access controls that determine the information that each user can access, including role-based access, strong passwords and multi-factor authentication;
- the ability to continuously monitor and log our systems and networks, as well as to regularly review security logs;
- a patch management program that regularly monitors and updates our systems with the latest updates.
Thunes is ISO27001 and PCI DSS certified. This means that our security program has been audited and certified to meet industry best practices and standards.
Please know, however, that no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at dpo@thunes.com.
11. Automated Decision Making/Profiling
We do not take decisions which have a significant impact on you based only on using automated means. There is always human intervention in decisions based on automated processing.
12. Your Marketing Choices
You can opt out from receiving marketing communications from us by:
- Clicking on the “unsubscribe” link at the bottom of a Thunes marketing email; or
- Contacting us at: marketing@thunes.com
We will respond to your request as soon as reasonably practicable. Please note that if you opt out of receiving marketing-related emails from us, we may still send you transactional or administrative messages.
13. Accessing Your Personal Information
You can request to review, correct, update, suppress, restrict or delete personal information that you have given to us, or receive an electronic copy of your personal information to transmit it to another company (to the extent provided to you by applicable law), by contacting us at: dpo@thunes.co
We will respond to your request as soon as reasonably practicable. For your protection, we may need to verify your identity before implementing your request.
14. How Long We Keep Information
We keep information, if necessary, for the purpose for which it was collected, or for a longer retention period as required or permitted by law. Once information is no longer needed for its initial purpose, unless required to retain it under applicable law, it is deleted in accordance with our policies and procedures.
Please note that we may need to keep certain information for recordkeeping purposes or for regulatory compliance purposes. There may also be residual information that will remain within our databases and other records, which cannot be reasonably removed.
15. International Data Transfers
Due to the nature of our service, your Personal Data will be transferred internationally. Thunes will secure international data transfers using the appropriate safeguards required by the relevant data protection regulations. These safeguards include the EU Standard Contractual Clauses and UK International Data Transfer Agreements.
16. Your Rights to Your Personal Data
Applicable data protection laws may allow you certain rights regarding your Personal Data that Thunes handles. These rights include:
- Right to access: you have the right to demand access to your personal data processed by us and to request a copy of your Personal Data being processed by us.
- Right to rectification: you have the right to have incorrect or incomplete personal data corrected.
- Right to erasure: where legally envisaged you have the right to have your Personal Data deleted under certain circumstances.
- Right to restriction of the processing: under certain conditions, you have the right to demand a restriction of the processing of your Personal Data.
- Right to data portability: under certain circumstances, you have the right to obtain the personal data that was provided to us in a readable format.
- Right to object: where your Personal Data is processed on the legal basis of our legitimate interest, you can object to processing on grounds relating to your particular situation.
- Right to lodge a complaint with the supervisory authority: you have the right to lodge a complaint regarding our privacy practices, to the relevant data protection/supervisory authority. These include:
– UK: Information Commissioner’s Office (www.ico.org.uk)
– EU: Commission Nationale de l’Informatique et des Libertés (www.cnil.fr)
– Singapore: Personal Data Protection Commission (www.pdpc.gov.sg)
- Right to withdraw consent: you have the right to revoke your consent at any time, without affecting the lawfulness of processing based on your consent before the withdrawal.
You may exercise your rights by emailing us at dpo@thunes.com. We will respond to your request as soon as reasonably practicable. For your protection, we may need to verify your identity before implementing your request.
17. Contact us
If you have any questions about this Privacy Notice, our privacy practices, the data we hold on you, or you would like to exercise any of your rights to your Personal Data, please do not hesitate to email us at dpo@thunes.com