
Privacy Policy

Last updated: November 2025 

This policy was updated in November 2025 to clarify our privacy practices and expand coverage for EU and US users. It also reflects new requirements under the OECD CRS 2.0 framework, including the collection and reporting of Tax Identification Numbers (TINs) to determine tax residency, where applicable. 

1. INTRODUCTION  

This Privacy Policy applies to personal data (“information”) held by Lumon Holdings Ltd, Lumon Pay Ltd, Lumon Risk Management Ltd or Lumon FX Europe Ltd as data controller. It explains in detail the types of information we collect about you, how we use this information and your rights in relation to the personal data we hold about you. Please read it carefully.  

When this policy mentions “we,” “us,” or “our,” it refers to the relevant legal entity that you contract with and who is responsible for your information under this Privacy Policy (the “Data Controller”).  

For EU residents (including customers of Lumon FX Europe Ltd), the supervisory authority is the Irish Data Protection Commission (DPC). 

Please read this policy carefully to understand how we handle your information.  

2. THE INFORMATION WE MAY COLLECT  

Information you provide us  

  • Personal details, e.g. your name, date of birth, gender;  
  • Contact details, e.g. your address, email, phone number, mobile number;  
  • Information about your identity, e.g. your nationality, passport information, photo ID, tax information number, tax residency;  
  • Information relating to source of funds; and  
  • Your bank details (account name, number, and sort code).  

Information we collect about you  

Transactional information, e.g. details about your accounts, including payments made to and from these accounts and the geographic location from which the transaction originates;  

Communication records, e.g. details recorded during our written and verbal communications with you;  

Your preferences, such as consents for marketing and other communications;  

Publicly available information, e.g. information made available by you on websites such as LinkedIn, Companies House;  

Usage data, including information about how you use our products and services;  

Investigations data. This may include anti-money laundering checks, credit checks, external intelligence reports, and other due diligence checks;  

Information required to satisfy our regulatory obligations, e.g. information about transactions, detection of any suspicious and unusual activity, information relating to tax circumstances, and information about parties connected to you or these activities; and  

Information gathered when you visit our websites. This might include the Internet Protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browsing plug-in types and versions, operating system and platform, Uniform Resource Locators (URL), and how you navigate our websites. We use this information for technical monitoring and optimising our websites.  

We also use website analytics and optimisation tools to help us understand how visitors use our website and to improve its usability. These tools use cookies or similar technologies and only operate when you have given consent through our cookie settings. For more information, please read our Cookie Policy.  

Where we collect biometric or special category data—such as ID photographs, live video for verification, or facial scans—we do so under Article 9(2)(g) of the UK and EU GDPR (substantial public interest, including the prevention of fraud and financial crime). In certain cases, we may also rely on your explicit consent, where required by law. 

3. HOW WE COLLECT YOUR INFORMATION  

We collect your personal information when you subscribe to our services, for example by filling in forms on our websites or our partners’ websites, by talking to us on the telephone or corresponding with us via email or text, or when you provide us copies of the documents required for us to confirm your identity. We may also collect your information when you interact with our websites.  

Information from other sources   

We may receive your information from other legal entities within our group if you use, enquire about, or demonstrate an interest in other services we offer. We will only do this when we have obtained your consent, have a legitimate interest, or have a legal obligation to do so.  

We may also receive your information from other third parties, such as:  

  • Our business partners (companies that introduce you to us because you have expressed an interest in our products or services);  
  • Our clients (when they wish to make a payment to you);  
  • Advertising networks, analytics providers and search information providers;  
  • Credit reference agencies;  
  • Fraud prevention agencies;  
  • Identity verification agencies;  
  • Sub-contractors and advisers;  
  • Agents and suppliers;  
  • Government and law enforcement agencies (such as Companies House and HMRC);  
  • Publicly available online sources, such as company websites, social networks and company registries.  

Information you provide about other people  

If you provide us with personal information about another person, we ask that you inform them of our identity and the purposes for which their information will be processed by us.  

If you ask us to make a payment to another individual, you will need to provide us with their bank account and contact details. We use this information to notify the individual that they will be receiving a payment from us, on your behalf. We will never use the information you provide about another individual for marketing purposes.  

Individuals whose data is provided to us by a third party (such as a customer or partner) may contact us directly to exercise their rights under UK and EU GDPR, including access, correction or objection. 

4. HOW WE USE YOUR INFORMATION  

We may use your information for one or more of the following purposes:  

To facilitate delivery of our services to you, including:  

  • responding to enquiries about our products and services  
  • delivering our products and services to you and any joint account holder under our terms and conditions  
  • reporting on transaction performance  

To comply with a legal obligation  

In certain cases, we are required by law to collect and process your information. For example, to fulfil our financial reporting obligations, we must store all records of communications you make with us that relate to transactions. This also includes collecting information for tax agencies to comply with legal and regulatory obligations. 

We are also required to check that you are the person you say you are before we discuss any of our clients’ accounts (which we may do by asking you to confirm your date of birth or other details about yourself) and to retain personal information to facilitate investigations detecting and preventing fraud, money laundering and other financial crimes to meet requirements imposed on us by, and to respond to notices and requests we receive from our regulator the Financial Conduct Authority or HM Revenue & Customs, the National Crime Agency or their replacements.  

We are also required to comply with data protection laws and respond to notices and requests we receive from the Office of the Information Commissioner (ICO) or any other national or supra-national authority with the same or similar responsibilities.  

Where we have a legitimate interest  

We may use your personal information to pursue our legitimate business interests. Some of our legitimate interests include, but are not limited to:  

  • Carrying out marketing activities;  
  • Communicating with you about our products and services;  
  • Improving our products, services, and relationships with you and our partners;  
  • Creating a smoother customer service experience;  
  • Monitoring complaints handling;  
  • Improving our websites to ensure that content is well presented for you.  

We may record texts, emails or telephone calls, including for training purposes, customer service, quality control, performance improvement, to verify any comments you or any of our dealers may make during any conversation, for regulatory purposes and for the purposes of fraud or crime prevention and detection.  

You have the right to object at any time to processing based on our legitimate interests, in accordance with Article 21 of the UK and EU GDPR. 

Automated decisions and profiling 

We may use automated decision-making in limited situations to detect fraud, verify identity, or ensure compliance with financial crime obligations. For example, if a transaction or account activity triggers certain risk criteria, it may be flagged or blocked without immediate human review. 

You have the right to request human review of any decision made solely through automated means if it produces legal or similarly significant effects. 

Consent  

Consent is also a lawful basis for our processing of personal data and so, sometimes, we may ask for your permission (called “consent” in the legislation) to process your personal data.  

Where this is the case, we will make this clear together with how we might use your personal data should you allow us to do so. If, at the time we ask for it, you choose not to provide us with the requested information or do not consent, then we will not use it in that way. 

If you have given consent to the use of your personal information, you are entitled to withdraw your consent at any time. Please be aware, however, that in some circumstances, the withdrawal of your consent may result in us being unable to provide some services to you.  

Combining information  

We may combine information about you which we receive from other sources with the information you give to us, and the information we collect about you, for the same purposes as those set out above.  

5. HOW WE SHARE YOUR INFORMATION  

We only share your personal information under the following circumstances:  

  • If we are under a duty to disclose or share your personal information in order to comply with a legal obligation;  
  • In order to conduct necessary background checks on you before offering our products and services;  
  • Where we have been asked for information to facilitate an investigation;  
  • In order to enforce or apply our terms and conditions and other agreements;  
  • To protect the rights, property, or safety of our organisation, our customers, or others;  
  • Where we have a legitimate business interest that is not overridden by your own rights and freedoms; and  
  • Where we have obtained your consent.  

Entities that we may share your information with include:  

  • Other companies within our organisation;  
  • Our partners (individuals or companies that introduce you to us);  
  • Our clients (when they wish to make a payment to you);  
  • Credit reference agencies;  
  • Fraud prevention agencies;  
  • Identity verification agencies;  
  • Agents, suppliers, sub-contractors and advisers;  
  • Regulatory bodies.  

6. INTERNATIONAL TRANSFERS AND SECURITY  

We may be required to transfer your information to countries outside of the UK and the European Economic Area (“EEA”), e.g. if we are obliged to report to foreign authorities, or when your information is processed by one of our partners or suppliers under our instruction. In these cases, we ensure that appropriate safeguards are in place to protect your information in accordance with the UK and EU GDPR. These safeguards may include: 

  • Transfers to countries that the UK government or European Commission has deemed to provide an adequate level of data protection (adequacy decisions);  
  • Standard Contractual Clauses (SCCs) approved by the European Commission; 
  • The UK International Data Transfer Agreement (IDTA) where applicable; 
  • Additional contractual, technical and organisational measures to ensure an equivalent level of protection. 

You may contact us using the details in Section 9 if you would like more information about these safeguards or to request a copy of the relevant transfer mechanism. 

We also implement strict procedures and security features to ensure that your information is transferred securely in line with the standards set out in the UK and EU General Data Protection Regulation (“GDPR”).  

7. STORING PERSONAL INFORMATION  

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or to meet legal, regulatory, or operational requirements. As a regulated financial services provider, we are required to retain some personal and transactional data beyond account closure. In most cases, this will be for five to seven years, depending on applicable laws. 

We routinely delete or anonymise data that is no longer needed, and this is done in accordance with our internal retention schedule. You do not need to take any action to request this. Deletion methods include secure erasure of digital records and physical destruction of paper files, where applicable. 

8. YOUR RIGHTS  

Access  

You may request access to the information we hold about you by making a Subject Access Request.  

Erasure  

You may request that we destroy, delete or discontinue using your personal information. We may not always be able to comply with your request for erasure for specific legal and regulatory reasons which will be notified to you, if applicable, at the time of your request.  

Restriction  

You may request that we stop processing your information when you contest its accuracy or the lawfulness of the processing.  

Rectification  

You may ask us to update and correct any out-of-date or incorrect personal information that we hold about you.  

Portability  

Under certain circumstances, you may ask us to provide a copy of your information to another organisation in a structured, machine-readable format.  

Withdrawing consent  

Whenever you have given us your consent to use your information, you have the right to change your mind at any time and withdraw your consent.  

Legitimate interest  

In cases where we are processing your information on the basis of our legitimate interests, you can ask us to stop for reasons connected to your individual situation.  

We will do so unless we believe we have a legitimate overriding reason to continue processing your information. Please bear in mind that if you do object, this may affect our ability to provide you with some of our services.  

Marketing  

You have the right to opt out of direct marketing and surveys from us at any time by visiting our online Preferences, where available on our websites, or clicking the ‘unsubscribe’ link in any email we have sent you, or sending an email to unsubscribe@lumonpay.com, or calling us on 0800 328 5884.  

9. CONTACTING US  

If you would like further information on the collection, use, disclosure, transfer or processing of your personal data, or would like to exercise any of your rights listed above, please contact the Data Protection Officer through the following methods:  

Email: dpo@lumonpay.com  

Letter: Data Protection Officer, Lumon Holdings Ltd, 20 Farringdon Road, London EC1M 3HE.  

To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Policy. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act on your behalf.  

You will not have to pay a fee to access your personal information (or to exercise any other rights). However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. If we do refuse your request, we will explain to you the reasons for our refusal.  

Complaints about our use of your personal data 

If you have concerns about how we handle your personal data, please raise them with us first so we have the opportunity to resolve the issue. We will acknowledge your complaint within 30 days and investigate it without undue delay, keeping you informed of progress and the outcome. 

If you remain dissatisfied after receiving our response, you have the right to refer your complaint to the Information Commissioner’s Office (ICO), which is the supervisory authority in the United Kingdom. Further details concerning the ICO, how to contact them, their powers and your rights, can be found here ICO.  

If you are an EU resident and your data is processed by Lumon FX Europe Ltd, you may also raise a complaint with the Irish Data Protection Commission (DPC), which acts as the supervisory authority for EU-based customers. 

10. UPDATES TO THIS POLICY  

Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. We recommend you check back regularly for any changes that may affect you. 

11. ADDITIONAL INFORMATION FOR US RESIDENTS 

We do not directly offer services to individuals or businesses based in the United States. Where US-based transactions occur, these are provided by Currencycloud, a regulated third-party provider. Personal data processed in relation to those services is handled under Currencycloud’s privacy policy, which is available here. 

However, we may collect and retain limited personal data from individuals in the United States for specific purposes, such as responding to enquiries, managing commercial relationships, or sending marketing communications. In such cases, we act as an independent data controller. 

We do not sell personal information. If you are a US resident and wish to make a request regarding your personal data, you can contact us as outlined in Section 9.