The purpose of this privacy notice, together with the Customer Terms and Conditions, which was either (i) provided to you when you purchased your prepaid card or (ii) available online at www.swirlcard.com, sets out :

• The basis on which any personal data we collect about you or that you provide to us.
• How we use the collected data.
• The conditions under which it may be disclosed to others.
• How it is kept secure.

We are Smart Transfer Ltd. t/a SWIRL Card and act as a distributor of prepaid Mastercards on behalf of EML Money DAC, the card issuer. We will process your personal information on behalf of EML Money DAC who are the data controller in relation to the processing activities described below.

Information we receive and collect is strictly related to the service we provide. Information is collected from you when you register with us via our Mobile App, or when you order a card off our website. The information we collect is clearly set out on the  page on which we collect it.

This information allows us to provide you with our services and keep you up to date on any changes or additions made to the product/service that may interest or affect you. 

a)    Data collected Automatically

When you visit our website or Mobile App, we may automatically collect and store the following information:

• IP address
• The domain and host from which you access the internet
• The browser and browser version
• The operating system
• The type of device

We collect this data to administer our services and optimise our websites and Applications for you.

b)    Information You Give Us

We are legally required to obtain personal information from you to provide you with the service and issue you with a card. The information you give us  when you order cards from our website or create an account with us may include the following:

• Identity Data: Includes first and last name, date of birth, photo ID
• Contact Data: Includes address, email address and phone number.
• Transaction Data: Includes details about payments made or received on your Card.
• Technical Data: Includes your login data, browser type and version, operating system, device type, IP address
• Profile Data: Includes your username and password.
• Usage Data: Includes information about how you use your Website/Mobile App
• Marketing and Communications Data: Includes your preferences in receiving marketing from us.
• Biometric Data: Includes facial recognition data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter with you (for example, to issue you with a Card). In this case, we may have to cancel the product or service you have with us, but we will notify you if this is the case at the time.

The purposes for which we use your personal information and the legal basis under data protection laws on which we rely to do this are explained below. We will not use your personal information for marketing purpose unless you have given us explicit consent to do so.  

Where there is a LEGAL REQUIREMENT

We will use your personal information to comply with our legal obligations: (i) in connection with our obligations in relation to anti-money laundering; (ii) to identify you when you contact us; and/or (iii) to verify the accuracy of data we hold about you.

Where there is a LEGITIMATE INTEREST

We may use and process your personal information where it is necessary for us to pursue our legitimate interests as a business, or that of a third party, for the following purposes:

• To correspond or communicate with you.
• For the management of queries and complaints.
• For prevention of fraud and any other criminal activities (including financial crime)
• For network and information security for us to take steps to protect your information against loss or damage, theft or unauthorised access.
• To notify you about changes to our services.
• For the establishment and defence of our legal rights.

We may also monitor or record telephone calls with you to assess and improve our services to customers, follow your instructions correctly and train our staff.

Where it is Required to Complete a CONTRACT

We may use and process your personal information where we have supplied you (or continue to supply you) with any services in connection with your Card. We will also use and process your personal data if you require customer services support with respect to your Card or if you lose your Card and request a replacement. We will use this information in connection with the Terms and Conditions of the Card when it is needed to carry out that contract or for you to enter it.

Employees: We may disclose user data to any member of our organisation who reasonably needs access to user data to achieve the purposes set out in this Privacy Notice.

Our Suppliers and Service Providers: We will only share your personal information with third parties to facilitate the delivery of our services (for example hosting, email management). If a processing activity is outsourced to an external processor, we will establish Data Processing Agreements (DPAs) to ensure the external processor complies with GDPR requirements).  When we use third party service providers, we only disclose to them any personal information that is necessary for them to provide their service.

To meet our Legal Obligations: We will share your personal information where we are legally obliged to so (under any law or regulation) or if we are under a duty to disclose or share your personal data to comply with any legal obligation as part of our checks to prevent fraud, financial crime or money laundering, including with fraud prevention agencies and other organisations which may use the information to prevent fraud and money laundering.

Credit/Debit Card Payment Processors: When you purchase or order our cards online, your credit/debit card payment is processed by a third-party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us using the details at the end of this notice.

Other ways we may Share your Personal Information: We may transfer your personal information to a third party as part of a sale of some or all our business and assets or as part of any business restructuring or reorganisation. We may also transfer your personal information if we’re under a duty to disclose or share it to comply with any legal obligation, to detect or report a crime, to enforce or apply the terms of our contracts or to protect the rights, property or safety of our customers. We will always take steps with the aim of ensuring that your privacy rights continue to be protected.

The personal information that you provide may be disclosed to fraud prevention agencies which may keep a record of that information. The checks performed by these agencies are to confirm your identity only, a credit check is not performed, and your credit rating will be unaffected.

We may also disclose and use information in aggregate (so that no individual customers are identified) for marketing and strategic development purposes.

If we collect your personal information, the length of time we retain it is determined by several factors including the purpose for which we use that information and our obligations under other laws. We do not retain personal information in an identifiable format for longer than is necessary.
We may need your personal information to establish, bring or defend legal claims. For this purpose, we will always retain your personal information for 6 years after the date it is no longer needed by us for any of the purposes listed under How we use your personal information above. The only exceptions to this are where:

• The law requires us to hold your personal information for a longer period or delete it sooner.
• You exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law (see further Erasing your personal information or restricting its processing below); or
• In limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.

All information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site or Mobile App, you are responsible for keeping this password confidential. We ask you not to share this password with anyone. Keeping information about you secure is very important to us and certain sections of the website and our Mobile App may encrypt data using SSL or a comparable standard. We will take appropriate measures to ensure confidentiality of all information, both paper and electronic required for the operation of our business. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Mobile App or our Site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

All information you provide to us may be transferred to countries outside the European Economic Area (EEA). By way of example, this may happen where any of EML Money DAC’s group companies or operational divisions are incorporated in a country outside of the EEA or if any of our servers or those of our third-party service providers are from time to time located in a country outside of the EEA. These countries may not have similar data protection laws to the EEA. If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this notice. These steps include imposing contractual obligations on the recipient of your personal information or ensuring that the recipients are subscribed to ‘international frameworks’ that aim to ensure adequate protection.

Please contact us using the details at the end of this notice for more information about the protections that we put in place and to obtain a copy of the relevant documents.
If you use our services whilst you are outside the EEA, your information may be transferred outside the EEA to provide you with those services.

You have several rights in relation to your personal information under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within one month from either (i) the date that we have confirmed your identity or (ii) where we do not need to do this because we already have this information, from the date we received your request.

a)    Right of Access

You have the right to ask for a copy of the information that we hold about you (commonly known as a “data subject access request”) by emailing or writing to us at the address at the end of this notice. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.

You can access your personal data through our Mobile App  under “Edit my Profile” 24/7. Alternatively, you can request this information by phone or email to our Customer Helpdesk. All other data subjects must request this information by phone directly. Requests will be processed within one month of receipt of the request.  

b)    Right to Rectification  

The accuracy of your information is important to us. If you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us in any of the details described at the end of this notice.

You can rectify some of your information (address, email address) through our Mobile App  under Edit my Profile 24/7. Alternatively, you can request for information to be updated by phone or email to our Customer Helpdesk. All other data subjects must request for information to be updated by phone directly. Requests will be processed within 24 hours  of receipt of the request. 

c)    Right to Restrict Processing 

You may also ask us to restrict processing your personal information where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. In these situations, we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.

d)   Right to withdraw your consent:

Where we rely on your consent as the legal basis for processing your personal information, as set out under How we use your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this notice. If you would like to withdraw your consent to receiving any direct marketing to which you previously opted-in, you can manage your opt In preferences through your online account or by using the opt Out function on the respective channels. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.

e)    Right to object to our use of your personal information and automated decisions made about you

Where we rely on your legitimate business interests as the legal basis for processing your personal information for any purpose(s), as outlined under How we use your personal information, you may object to us using your personal information for these purposes by emailing or writing to us at the address at the end of this notice. Except for the purposes for which we are sure we can continue to process your personal information; we will temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.

f)     Right to Data Portability 

Where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with your contract, as set out under How we use your personal information, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine-readable form, such as a CSV file. You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.  

g)    Right to Erasure 

In certain circumstances, you may ask for your personal information to be removed from our systems by emailing or writing to us at the address at the end of this notice. Unless there is a reason that the law allows us to use your personal information for longer, we will make reasonable efforts to comply with your request.

EML Money DAC and Smart Transfer Ltd. have a legal obligation to retain your personal data for a period of 6 years after expiry of your card. Requests from all other data subjects can be made verbally or in writing. We will respond to this request within one month of receipt. If we are unable to comply with the request, we will inform you of the reason why and your right to make a complaint.

f)   Right to Complain

 You have the right to complain to the Data Protection Commissioner (DPC) if you are concerned about the way we have processed your personal information. Please visit the DPC’s website at www.dataprotection.ie for further details.

Any changes we make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes.

If you have any questions or complaints relating to this Privacy Notice or how we use the personal information we have about you, please contact us at info@swirlcard.com. We will endeavour to respond to you promptly.

If you would like to make a complaint, or exercise  any of your rights under the GDPR please contact us using the following details: 

• By Post to Smart Transfer Ltd. t/a SWIRL Card, PO Box 1008, Naas, Co. Kildare
• By Telehone on +353 (1) 6877 985
• By Email: info@swirlcard.com