Privacy Notice
- Introduction
Ebury Partners Hong Kong Limited (“we”, “us” or “our”) are committed to protecting and respecting your privacy.
As part of our normal business operation, we collect certain Personal Information (as defined below) from our clients. This notice sets out the basis on which we process any such Personal Information that we collect or that you or Your Organisations provide to us. For the purpose of this notice, “you” mean any relevant individuals associated with Your Organisation of whom any Personal Information will be provided to or processed by us, including without limitation Your Organisation’s legal representatives, shareholders, investors, partners, directors, supervisors, senior management personnel or other employees, business operators, authorised signatories, actual controllers, substantial owners, beneficial owners, designated account holders or payees, or the representatives, family members, nominees or agents (as applicable) of any of the foregoing. “Your Organisations” mean the customers and other business counterparties of us that you are associated with, work for or are otherwise engaged by, or interact or deal with. “Process” or “processing” means collection, storage, usage, handling, transmission, provision, disclosure, or deletion activities over the Personal Information.
Please read this notice carefully to understand our practices regarding the processing of your Personal Information.
In addition, we may separately issue Personal Information protection policies for our specific products, services or activities or agree to Personal Information protection clauses in specific product or service agreements, authorization letter or other legally binding documents with you, Your Organisations (collectively, “Special Terms“), to the extent permitted by law. In case of any discrepancy between this notice and the Special Terms, the Special Terms shall prevail.
By visiting www.ebury.hk, online.ebury.com or bos.eburypartners.com (“Our Sites”), or dealing with or providing any Personal Information to us, or accepting this notice in any other agreed form including signing a separate Consent Form for Personal Information Processing we may request from you, or if Your Organisation continues to use our products or services, or continues to conduct dealings with us , you shall be deemed to have been informed by Your Organisation of, and have read, understood and accepted, and agreed to be bound by, the terms hereof and you shall be deemed to have given the consent and/or separate consent to our processing of your Personal Information in accordance with the terms hereof.
- Our contact information
For the purpose of the data protection, the Hong Kong Personal Data Privacy Ordinance (“PDPO“) and the Personal Information Protection Law of the People’s Republic of China (“PIPL“) and related cybersecurity, data security and personal information protection laws, regulations and other binding regulatory documents and requirements of the PRC (for the purpose of this notice only, excluding the Hong Kong Special Administrative Region, the Macao Special Administrative Region and Taiwan) (collectively, “Regulations”), where applicable, the legal entities and establishments responsible for the processing of your Personal Information and their contact details are:
Data Controller
Ebury Partners Hong Kong Limited,
Unit 1701, 17/F, Sino Plaza,
255-257 Gloucester Road,
Causeway Bay, Hong Kong
Telephone: +852 5808 4081
Email: [email protected]
Data Protection Officer
Data Protection Officer, Ebury Partners
UK Limited, 100 Victoria Street
SW1E 5JL
London
Telephone: +44 (0)207 197 9900
Email: [email protected]
In case the Personal Information relates to a resident within the PRC:
Data Processor
(as defined under the PIPL)
Ebury Partners Hong Kong Limited,
Unit 1701, 17/F, Sino Plaza,
266-257 Gloucester Road,
Causeway Bay, Hong Kong
Telephone: +852 5808 4081
Email: [email protected]
PRC Representative
(as defined under Article 53 PIPL)
Ebury Partners China Limited
Unit 5160, 51/F, No.268 Middle Xizang Road,
Huangpu District, Shanghai,
200001, P.R. China
Telephone: +86 21 23127888
Email: [email protected]
You may contact our Data Protection Officer or our PRC Representative (in case you are a resident of the PRC) that directly with requests for access to, correction or deletion of Personal Information, for withdrawal of authorisation or disposal of Personal Information beyond retention period, for a copy of this notice, or enquiries about our practices regarding Personal Information and privacy protection.
use this link to fill out a Privacy Request / Complaint.
- How to complain
You have the right to lodge a complaint with your Supervisory Authority. For the purpose of our processing of your Personal Information, the lead Supervisory Authority is:
Lead Supervisory Authority
Office of the Privacy Commissioner for Personal Data
Room 1303, 13/F,
Dah Sing Financial Centre,
248 Queen’s Road East,
Wanchai, Hong Kong.
Telephone: +852 2827 2827
Email: c[email protected]
Website: https://www.pcpd.org.hk/
In case the Personal Information relates to a resident within the PRC, the lead Supervisory Authority is:
Lead Supervisory Authority
Cyberspace Administration of China
225 Chaoyangmennei Da Jie
Beijing 100010, China
Telephone: +86 (10) 8805 0686
Website: http://www.cac.gov.cn
- The type of Personal Information we collect
“Personal Information” means all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding any information processed anonymously. We may collect and process the following data about you:
Information you or Your Organisations give us through the use of Our Sites or our services.
You or Your Organisations may give us information about you by filling in forms on Our Sites or by corresponding with us by phone, email or otherwise. This includes information you or Your Organisations provide when you or Your Organisations register to use Our Sites, subscribe to our services, place an order or transact on Our Sites or report a problem with Our Sites. We may also potentially process your Personal Information collected in video surveillance and telephone/audio recordings for ordinary business operation purposes.
The information you or Your Organisations give us may include:
- Contact information, such as your name, address, email address and phone number
- Identification information, such as certified identity documents, proof of address or business documentation including your personal details
- Financial and credit information
You or Your Organisations may give us information relating to beneficiaries, shareholders, trustees and directors to enable us to deliver our services. This may be through filling in forms on Our Sites or by corresponding with us by phone, email or otherwise. You or Your Organisations must obtain appropriate consent and/or separate consent before disclosing such information to us. The information you or Your Organisations give us may include their names, addresses, email addresses and phone numbers, financial and credit information.
You or Your Organisations may give us information relating to other accounts held by other financial institutions to enable us to deliver our services. This may be through filling in forms on Our Sites or by corresponding with us by phone, e-mail or otherwise. You or Your Organisations must obtain appropriate consent before disclosing such information to us. The information you or Your Organisations give us may include the bank code, the bank country, the type of account, the name of the bank and the account number.
Information we collect about you when you or Your Organisations use Our Sites
With each visit to Our Sites, we may automatically collect the following information:
- technical information, including the internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from Our Sites (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
Information we receive from other sources when delivering our services
- We may receive information about you if you or Your Organisations use any other websites we operate or other services we provide. This data may be shared internally and combined with data collected on Our Sites.
- We also work closely with third parties (including, for example, introducers, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
For the purposes stated in Section 6 below titled “How we use your information”, we may collect your Sensitive Personal Information amongst other Personal Information stated above. “Sensitive Personal Information” means personal or property information that, once leaked or illegally provided or misused, may harm personal or property safety and will easily lead to infringement of the personal reputation, human dignity, physical or psychological health, or discriminatory treatment. Sensitive Personal Information mainly includes ID certificate information (ID card, passport and etc.), personal biometrics recognition information, credit information, property information, transaction information, medical and health information, specific identity, financial accounts, individual location tracking etc. as well as any personal information of a minor under the age of 14.
We collect your Sensitive Personal Information strictly following the principle of minimum and necessity. This notice has informed you of our processing of your Sensitive Personal Information, and your acceptance to this notice shall be deemed as your separate consent to such processing according to the Regulations.
Where we receive the above-mentioned information, we will ensure this will be in full compliance with the Regulations.
- Cookies
We follow the “Express Consent” basis for processing cookies. The first time you visit Our Sites, we will inform you of the cookies we use and you will be given the option to consent for us to use cookies. Some cookies are strictly necessary for the operation of Our Sites.
A cookie is a very small text file placed on your computer, that allows us to distinguish you from other users of Our Sites. These cookies help us to provide you with a good experience when you browse Our Sites. We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of Our Sites. They include, for example, cookies that enable you to log into secure areas of Our Sites.
- Analytical/Performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around Our Sites when they are using them. This helps us to improve the way Our Sites work, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to Our Sites. This enables us to personalise our content for you, by remembering your preferences (for example, your choice of language or region).
Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.
You may block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of Our Sites.
- How we use your information
Information you or Your Organisations give to us. We will use this information as recognised by and in compliance with the Regulations:
- to carry out our obligations arising from any contracts entered into between you or Your Organisations and us and to provide you or Your Organisations with information, products and services that you or Your Organisations request from us;
- to carry out our obligations arising from any contracts entered into between us and third parties relating to the services provided to you or Your Organisations:
- your information will only be used in these circumstances in the performance of a contract with you or Your Organisations;
- where there is a defined legitimate interest, for the purpose of monitoring the contractual relation between us and the third parties involved in the relationship with you or Your Organisations; and
- when the processing is in Ebury’s or some other party’s legitimate interests, and these interests are not overridden by your interests or rights in the protection of your Personal Information. This may include processing your data for (i) identification or prevention of suspicious or high risk transactions or fraudulent activity, internal research and analytics assessments, (ii) for purposes of communication with you or Your Organisations and (iii) informing you or Your Organisations about new products and services we are offering or to promote new products and services of other parties which we think may be of interest to you or Your Organisations. Before we process your Personal Information to pursue our legitimate interests for the purposes outlined in this notice, we determine if such processing is necessary and we carefully consider the impact of our processing activities on your fundamental rights and freedoms. On balance, we have determined that such processing is necessary for our legitimate interests and that the processing which we conduct does not adversely impact on these rights and freedoms;
- to provide you or Your Organisations with information about other products and services we offer:
- where you are an existing private customer, we will only contact you with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you;
- where you are a new private customer, we will contact you only if you have consented to this. If you do not want us to use your data in this way, please tick the relevant box situated on the form on which we collect your data;
- where Your Organisation is a corporate/business customer, we will contact you where we have identified a legitimate interest in relation to the services we offer and Your Organisation’s business; and
- you may withdraw this consent at any time by using the links provided at the bottom of marketing emails from us, or by contacting our Data Protection Officer or our PRC Representative (in case you are a resident of the PRC);
- to notify you or Your Organisations about changes to our service;
- to respond to any enquiry you or Your Organisations have made through Our Sites, or via phone, email or otherwise;
- to comply with legal obligations we are subject to as a data controller/data processor (as defined under the PIPL) and regulated business. This includes:
- using Personal Information needed to comply with legal and regulatory duties related to anti-money laundering and counter-terrorism financing;
- detecting, preventing and prosecuting fraud or theft, as well as preventing illegitimate or prohibited use of our services or other illegal or wrongful activity;
- monitoring and reporting compliance issues; and
- this may further include using your Personal Information to validate and authenticate your identity, and utilising third parties to help us do so. See the sub-section below titled “Information we disclose about you”;
- where required to protect your vital interests or that of another natural person under emergency;
- where it is necessary to process the Personal Information disclosed by you or other Personal Information that has been legally disclosed within a reasonable scope;
- where performing tasks carried out in the public interest or in the exercise of official authority invested in us; and
- other circumstances prescribed and permitted by the Regulations.
Information we receive from other sources. We will use this information:
We may combine this information with the information you or Your Organisations give to us and the information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
Information we disclose about you
We may share your Personal Information with any member of our group, which means our branches, our representative offices, our subsidiaries, our ultimate holding company and its subsidiaries, as defined in the PDPO and the PIPL. Any such sharing will be made in full compliance with the Regulations.
We will never sell your Personal Information without your consent. We may share your information with selected third parties; where this is necessary, we are required to comply with all aspects of the Regulations. The following are the types of organisations we may share some of your Personal Information with:
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you or Your Organisations;
- Analytics and search engine providers that assist us in the improvement and optimisation of Our Sites;
- Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you or Your Organisations;
- the identities of the CRAs, and the ways in which they use and share Personal Information, are explained in more detail at https://www.experian.co.uk/crain
- Capita Identity Solutions: https://www.securitywatchdog.org.uk/privacy-policy
- Trulioo: https://www.trulioo.com/privacy
- Where you provide consent, Identity Verification services for the purpose of confirming your identity through online applications:
- Where you provide your explicit consent, for the purpose of facilitating communications between us and you or Your Organisations:
- ChatLabs: https://www.chatlabs.com/
- Police and law enforcement agencies, where required to do so by law.
- We are a participant in Amazon’s payment service provider (“PSPs”) program which is designed to enhance its ability to detect, prevent and take action against bad actors so Amazon and participating PSPs can continue to protect customers and sellers from fraud and abuse. As a PSP, if your or Your Organisation’s Ebury account is registered with Amazon, we would share with Amazon certain data collected during the onboarding process with us and as you or Your Organisation use our services. This may include data collected by us in the framework of anti-money laundering obligation, such as identification data, contact information and details regarding your or Your Organisation’s accounts with Ebury and your or Your Organisation’s bank account. If Amazon deactivates or terminates your or Your Organisation’s account with them due to (i) abuse, fraud, illegal activity, (ii) a breach to their terms and conditions or (iii) Amazon has initiated litigation or enforcement action against you or Your Organisation, we may share additional information, including transaction-related information on your or Your Organisation account with us.
We may disclose your Personal Information to third parties:
- In the event that we sell or buy any business or assets, in which case we may disclose your Personal Information to the prospective seller or buyer of such business or assets;
- If we or substantially all of our assets are acquired by a third party, in which case Personal Information held by us about our customers will be one of the transferred assets; and
- If we are under a duty to disclose or share your Personal Information in order to comply with any legal obligation, or in order to enforce or apply our Terms of use or Terms and Conditions and other agreements; or to protect the rights, property, or safety of us, our group companies, customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Please understand that if any of your Personal Information (including your Sensitive Personal Information) that we request is not provided, we may not be able to enter into or perform a legal agreement or document with, or provide (or continue providing) the relevant services to, or otherwise initiate or maintain a business relationship with you or Your Organisation.
Please also understand that our products, services and activities we provide or engage with you or Your Organisations are constantly evolving, and that if your Personal Information (including your Sensitive Personal Information) will be used for any purposes not stated above, we will update this notice as appropriate or separately inform you of the scope of and purposes for which we will collect and process your Personal Information in accordance with the Regulations, through interactions with you, agreements entered into with you or any other appropriate method, and obtain the consent from you.
- Will automated decisions and profiling take place?
We process some of your Personal Information automatically to assess certain personal aspects (profiling), which is necessary to assist us to personalise and improve the quality of services provided to you or Your Organisations and to help us meet legal and regulatory requirements. For example, we may use profiling, including behavioural analysis in the following ways:
- to combat money laundering, terrorism financing, fraud and other financial crime, and assess risks and offences that pose a danger to assets. Data assessments (including on payment transactions) are also carried out for this purpose. At the same time, these measures also serve to protect you or Your Organisation;
- we use assessment tools in order to be able to specifically notify you or Your Organisations and advise you or Your Organisation about our products and services, including market and opinion research. These tools allow our communications and marketing to be tailored to you or Your Organisations as needed;
You have the right to refuse the application of these tools, which may, however, affect our ability to manage a business relationship with, or to provide well-tailored products and services to, you or Your Organisation. Please also note that this right is not available to you in certain situations (e.g. the automated-processing authorised by the Regulations.)
- Where we store your Personal Information
The data that we collect from you or Your Organisations may be transferred to, and stored at, a destination outside Hong Kong or the PRC (when applicable). It may also be processed by staff operating outside Hong Kong or the PRC (when applicable) who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your or Your Organisations’ order, the processing of your or Your Organisation’s payment details and the provision of support services. When these transfers are needed, they will be done in full compliance of the Regulations.
Specifically, we may transfer your data to either the United Kingdom (“UK”), European Economic Area (“EEA”) or the USA.
Where data is transferred to another jurisdiction this is done so under relevant data protection laws, supported by the use of Standard Contractual Clauses for transfers internal to Ebury. In relation to transfers to the USA, we may transfer Personal Information through the use of Standard Contractual Clauses and additional measures as required.
All your Personal Information will be afforded a high level of protection wherever it is processed and no matter whether it is held by us, or our contractors or agents.
All information you or Your Organisations provide to us is stored under our control. Any payment transactions will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of Our Sites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Information, we cannot guarantee the security of your data transmitted to Our Sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Should you have particular concerns about a method of data transmission, we will take reasonable steps to provide an alternative method.
- How we protect your Personal Information
Ensuring the security of your Personal Information is one of our most important responsibilities. We maintain physical, technical, electronic, procedural and organisational safeguards and security measures to protect your Personal Information against accidental, unlawful, or unauthorised destruction, loss, alteration, disclosure, or access, regardless of where it is processed. To ensure the security and confidentiality of your Personal Information, we have been implementing technical and organisational measures for a long time, including:
- control of access and authorizations for IT equipment related to the processing of your Personal Information;
- measures to secure technical infrastructure (workstation, network, server) and data (backup, business continuity plan);
- taking data security and processing into account in the design of a product or solution;
- restricting the persons authorised to process your Personal Information according to the purpose and the processing means provided for in each case;
- strict confidentiality obligations imposed on our service providers, professional advisors and (sub-)contractors;
- raising the awareness of all our employees and training those employees most concerned by the collection or management of your Personal Information; and
- establishment of procedures making it possible to react promptly in the event of a Personal Information security incident.
Upon occurrence of any data security incident (such as including information loss, damage, leakage, tampering), we will take the following steps in accordance with the Regulations:
- promptly notifying you of basic information about the security incident and its potential impact, treatment measures we have taken or will take, suggestions about proactive defence and risk mitigation, and remedial measures etc.;
- keeping you informed of status of the incident by proper means, and submitting reports to the competent regulators; and
- making a public announcement when we have difficulty to notify you.
- Your rights in relation to your Personal Information
You may contact our Data Protection Officer or our PRC Representative (in case you are a resident of the PRC), to exercise your rights in relation to your Personal Information. When exercising your rights we will always inform you of any lawful reason that may require us to continue processing your Personal Information.
You have the right to request from us information about whether we process your Personal Information, and ask questions about how we collect, store and process that information, and make decisions on the processing of your Personal Information.
You have the right to access free information about the Personal Information we hold about you, whether this is transferred to a third country or international organisation and the associated safeguards.
You have the right to receive any Personal Information we hold about you in a commonly used and machine-readable format.
Where Personal Information we hold is not accurate or is incomplete, you have the right to request us correct such Personal Information and we will do so without undue delay.
You have the right to request that we delete any Personal Information we process about you, where the processing is no longer necessary.
Where you have previously provided consent for our processing of your Personal Information, you have the right to remove that consent and for us to stop processing your Personal Information specific to that consent. You also have the right to object to our processing of your Personal Information, unless otherwise provided for by the Regulations.
- External sites
Our Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you or Your Organisation submit any Personal Information to these websites.
- Retaining your Personal Information
The period for which we will retain your Personal Information is dependent upon any statutory retention periods we are required to adhere to as a regulated organisation. After the expiration of that period, Personal Information shall be securely deleted, as long as it is no longer required for the fulfilment of any contract, initiation of a contract or in relation to other legal proceedings.
- Changes to our privacy notice
This notice was last updated on 22 June 2023 . Any changes we may make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy notice. Your Organisations shall provide a copy of or a link to this notice to you, notify you of the scope of and purposes for which we will collect and process your Personal Information and how your Personal Information will be collected and processed as described in this notice, and notify you of any amendments or updates to this notice. The amendments will take effect and supersede all prior versions on the date specified therein. You acknowledge and agree that if you continue to deal with or provide any Personal Information to us, or Your Organisations continue to use our products or services, or continue to conduct dealings with us, you shall be deemed to have been informed of, and given your consent for, such amendments or updates, and you shall be deemed as having accepted the amendments or updates of this notice.