Introduction

This Privacy Policy was created on 24th May 2018 to be GDPR compliant. Since then, we have made some small improvements, the latest one on 5 February 2025.

We aim to be transparent and provide accessible information about how we process and use your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 1998 (DPA). 

Although the United Kingdom exited the European Union on 31 January 2020, GDPR remains a part of British legislation, and we will continue to comply with GDPR, as explained in this Privacy Policy. 

Who we are

We are Leftover Currency Limited, company number 09026053, registered in England and Wales. 

Our registered office address is Unit 1 Portland Business Centre, Manor House Lane, Datchet, Berkshire SL3 9EG, United Kingdom. 

How to contact us

You can contact us via email at info@leftovercurrency.com or by telephone: 0800 030 6855. This is our toll-free number for calls from the UK. For international calls, our telephone number is 0044 333 939 8455. 

Our office hours are Monday through Friday, 9 am to 5 pm GMT.

What types of data we collect

We collect four types of data:

1. Data about your visit to our website
2. Data about your interactions with us via email, contact form and telephone
3. Data about the order(s) you create
4. Data about the processing and fulfilment of your order(s)

For each data type, we will answer these six questions:

1. What data do we collect?
2. What is the legal basis for processing this data?
3. Will we share the data with any third parties?
4. How do we use the data?
5. How long do we store the data?
6. What rights do I have regarding my data?

We aim to answer these questions in clear and plain language. However, if anything is unclear, please do not hesitate to contact us.

1. Data about your visit to our website

1a. What data do we collect?

To track and report on website traffic, we use Google Analytics, a web analytics service offered by Google. No personal information is stored in Google Analytics or shared with Google. We have taken the following measures to ensure this:

• No personally identifiable information is present in page titles, URLs, event actions or other dimensions.
• We have enabled the feature to anonymise IP addresses in Google Analytics.
• We do not use the Google Analytics User-ID feature or any pseudonym identifiers.

Our website is hosted by Vultr, a leading web hosting service provider. Vultr stores IP addresses and visited pages with a timestamp in their server logs.  

When you visit our website for the first time, a message will appear about how we use non-invasive cookies to improve your experience. When you accept the use of cookies, we will store small pieces of data, known as cookies, on your device during your visit. 

Below are the types of cookies we use:

• Essential cookies: These are required for the website to function correctly. They help you navigate securely, such as when logging in or making a purchase. Without these cookies, certain parts of the website may not work;
• Analytics cookies: These cookies help us understand how visitors interact with our website, allowing us to improve its performance. For example, they tell us which pages are visited most frequently and how users move around the site;
• Marketing cookies: These cookies are used to personalise the ads you see. They help us deliver relevant content and track the effectiveness of our advertising campaigns, ensuring that we only show you ads that might interest you.

You can manage your cookie preferences at any time. You can adjust your browser settings to block or control cookies or use our cookie consent tool (which appears when you visit our website). 

Please note that blocking certain types of cookies may affect your experience on the site.

The cookies we use are designed to make your visit to our website easier and more user-friendly. For example, a cookie can be used to store your preferred payout currency. We don’t store any personally identifiable information in cookies, nor do the third parties we work with. The following plugins and applications can store cookies on your device when consent has been granted:

• Google Analytics: a web analytics service by Google
• WooCommerce: a plugin for e-commerce on WordPress websites, by Automattic
• WordPress: a blogging and website content management system by Automattic
• WPML: a translation plugin to run multilingual websites on WordPress
• GDPR cookie consent: the plugin that triggers the cookie consent notice and remembers your choice by WordPress

1b. What is the legal basis for processing this data?

For tracking and reporting website traffic, no personal information is stored or shared. Therefore, no consent is required.

Storing IP addresses, visited pages, and a timestamp in a server log is a common practice designed to prevent fraud. As a registered bureau de change, we are required to have processes in place to prevent fraud, money laundering, and terrorist financing. This is a legitimate interest, and therefore, no consent is required.

We will seek your consent before storing cookies on your device. If you opt out, we will not place cookies on your device, which may affect the basic functionality of our website. 

1c. Will we share the data with any third parties?

Tracking data is shared with Google Analytics, owned by Google, who is the data processor. None of the data shared with Google contains personal information. This page shows Google’s actions to comply with EU GDPR: https://privacy.google.com/businesses/compliance/

Our data processor is Vultr for server logs. This page explains Vultr’s actions to comply with EU GDPR: https://www.vultr.com/news/Vultr-is-GDPR-Ready/

The third parties that store cookies on your device have access to the content of these cookies. We require the third parties that store cookies on your device to be fully compliant with EU GDPR. Here is more information about how they comply with EU GDPR:

• Google Analytics: https://privacy.google.com/businesses/compliance/
• WooCommerce, part of Automattic: https://automattic.com/privacy/ 
• WordPress: part of Automattic: https://automattic.com/privacy/ 
• WPML: https://wpml.org/documentation/privacy-policy-and-gdpr-compliance/
• GDPR Cookie Consent, part of Automattic: https://automattic.com/privacy/ 

We do not share data about your visit with any other third parties.

1d. How do we use the data?

We use Google Analytics’ tracking data to monitor website traffic and understand how our visitors interact with the website. Based on these findings, we optimise our website to become more user-friendly.

We use the IP addresses, visited pages and timestamps stored in server logs for the following purposes:

• To identify linked transactions that have been deliberately broken into smaller transactions to avoid customer due diligence checks.
• To protect our website against hackers, scammers and spammers.

The cookies stored by third parties we work with serve to make the plugin or functionality work. The types and purposes of cookies stored are explained in detail here:

• Google Analytics: https://policies.google.com/technologies/cookies?hl=en-GB 
• WooCommerce: https://docs.woocommerce.com/document/woocommerce-cookies/
• WordPress: https://codex.wordpress.org/WordPress_Cookies
• WPML: https://wpml.org/documentation/support/browser-cookies-stored-wpml/

1e. How long do we store the data?

Google Analytics retains user-level and event-level data associated with cookies for 14 months. After this, data is deleted automatically on a monthly basis. Server logs on Vultr are kept for 6 months, after which they are deleted automatically. Information about how long each cookie is stored for can be found here: 

• Google Analytics: https://policies.google.com/technologies/cookies?hl=en-GB 
• WooCommerce: cookies stored for 24 hours or 48 hours depending on the type
• WordPress: https://codex.wordpress.org/WordPress_Cookies
• WPML:https://wpml.org/documentation/support/browser-cookies-stored-wpml/ 

1f. What rights do I have regarding my data?

Under the rules of EU GDPR, you have the right to access, update and delete your data. Regarding Google Analytics data: No personal information is stored in Google Analytics or shared with Google. For this reason, it is not possible to access, update or delete your data since we only see aggregated values and we cannot identify which data is yours. 

However, it is possible to opt out of Google Analytics tracking. If you do so, Google Analytics will not include your visit data in our website traffic reports. To do so, you need to install the free Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout Regarding server logs: To prevent fraud, we need to store the server logs for 6 months, after which they will be automatically deleted.

 It is not possible to change or delete server log data prior to the 6 months period ending. It is, however, possible to request access to your data in the server logs. Please contact us if you would like to do so. Regarding cookies: You have the right at any time to change your consent for cookies. Here’s how to do this:

1. Delete your cookies:https://www.microsoft.com/en-us/edge/learning-center/how-to-manage-and-clear-your-cache-and-cookies?form=MA13I2 
2. Navigate to https://www.leftovercurrency.com/
3. The cookie consent notice will appear again. You can either accept cookies or opt-out.

2. Data about your interactions with us via email, contact form and telephone

2a. What data do we collect?

When you choose to contact us via email, the contact form on the website or by telephone, we receive and retain data.

If you contact us via email, we receive the following data:

• Your email address and any extra email addresses included in the TO or CC fields
• The display name that email recipients see. In most cases this is your first name and last name.
• The content in the email subject line, body and any attachments
• The email header, including timestamp and your IP address. For more information about what an email header is, please read this: https://whatismyipaddress.com/email-header

This information is received and stored in our webmail client Gmail, part of G Suite, developed by Google.

If you contact us via the contact form on our Contact Us page, we receive the following data:

• The name and email address you provided in the contact form fields.
• The subject and message you provided.

Contact form submissions are converted to emails using the WordPress plugin Contact Form 7 and stored in our webmail client Gmail, part of G Suite, developed by Google.

If you call us by telephone or leave a voice message, we receive the following data:

• Your telephone number, unless you withhold it.
• The date, time and length of your call. This information is stored in the call log.
• The information you provide us during the call. We do not record calls. We may take down information on a piece of paper during the call.

If you send us a text message, we receive the following data:

• Your telephone number, unless you withhold it.
• The content of your text message and any attachments.

This data is held on the mobile phone device we use to receive calls.  

2b. What is the legal basis for processing this data?

When customers contact us via email, contact form message or by telephone, they expect us to receive the message and send a reply. The information we collect, such as email addresses and telephone numbers, serves this purpose.

For messages sent via the contact form on our website we will seek consent from the user prior to sending it via our third party plugin Contact Form 7.

Our internal email retention and deletion policy ensures we comply with the EU GDPR’s data minimisation and storage limitation principles.

2c. Will we share the data with any third parties?

Emails are stored in our webmail client. We have selected Gmail as our preferred email hosting provider because of their enhanced data integrity and security. Google is fully compliant with the EU GDPR: https://cloud.google.com/security/gdpr/ 

Messages sent via the contact form are converted to emails by the WordPress plugin Contact Form 7. We only collect and share essential data with Contact Form 7: name, email address, subject line and message content. This article describes the steps taken by Contact Form 7 to be EU GDPR compliant: https://contactform7.com/2018/04/16/how-to-make-privacy-friendly-contact-forms/

Our calls and text messages are delivered by BT. This document describes the actions that BT has taken to be compliant with EU GDPR: https://business.bt.com/gdpr-information/

We may share your information with trusted third parties, such as:

• Payment processors and service providers who assist in our operations.
• Regulatory authorities, if required by law or for compliance purposes.
• Marketing platforms to facilitate our communication with you.

We will not share data about your interactions with us via email, contact form and telephone to any other third parties, except if we are legally required to do so. Examples in which we may have to share your data include when we are approached by HMRC or law enforcement services.

2d. How do we use the data?

The data we collect by interacting with our customers via email, contact form and phone is used to answer our customers’ queries and to help them with exchanging their leftover currency.

Additionally, we may use this data to personalise and improve our marketing communications, including via:

• Email: We may send promotional emails about our services, special offers, or other information we think you may find valuable.
• SMS: We may send text messages with updates, promotional offers, and reminders about our services.

You can opt-out of receiving these communications at any time by:

• Clicking the “Unsubscribe” link in our emails.
• Replying “STOP” to our SMS messages.
• Contacting us directly at info@leftovercurrency.com

2e. How long do we store the data?

Our internal email retention and deletion policy ensures we comply with the EU GDPR’s data minimisation and storage limitation principles. We categorise emails into groups and have a policy to only store emails for as long as necessary. If your interaction with us involves money exchange, we are legally required to keep the data for five years. Voice messages are deleted weekly. Call logs and text messages are deleted on a monthly basis. If, during a call or while listening to your voice message, we write down personal information on a post-it or a piece of paper, we will make sure to discard of it safely directly after. We use the services of Shred it for secure shredding services: https://www.shredit.co.uk/en-gb/home

2f. What rights do I have regarding my data?

You have the right to access your data: Contact us to receive a list of the information we store about your interactions with us via email, contact form and telephone. You have the right to request a change to your data if you believe that the data about your interactions with us via email, contact form and telephone is not correct or incomplete.

 If your interaction with us does not involve money exchange, you can ask us to delete the data about your interactions with us via email, contact form and telephone. If your interaction with us involves money exchange: Under anti-money laundering regulations we are legally required to keep records of interactions with our customers for five years. For this reason it is not possible to request us to delete the data about your interactions with us via email, contact form and telephone, prior to the completion of this five-year period.

3. Data about the order(s) you create

3a. What data do we collect?

When you create an online order to exchange and receive payment for your leftover currency, we collect data via the form on our website. The data we collect is the following:

• Preferred payout currency (GBP, USD, EUR)
• Content of online wallet: quantity, buy rate and value for each banknote/coin
• Title (optional)
• First name
• Last name
• Address
• Email address
• Phone number (optional)
• Order notes: any extra information supplied in the text field (optional)
• Preferred payout method (direct bank transfer/cheque/paypal/donate to charity)
• Payment details:
  • If payout method is direct bank transfer: bank account details
  • If payout method is cheque: full name of payee
  • If payout method is paypal: email address for paypal
  • If payout method is donate to charity: selected charity to receive donation
• Read and accepted terms and conditions (Y/N)
• Would like to receive reminder email (Y/N)
• Would like to receive an invitation to review our service (Y/N)
• Time stamp when order was submitted
• Unique reference number generated when order was submitted

During the order creation process you have the option to create an account. By creating an account you can log in next time when you create an order, and you don’t need to fill in all your details again. Creating an account is optional. If you create an account we collect the following data, in addition to the data collected for the order(s) you submitted:

• Username: this is your email address
• Orders created by user
• Lifetime order value of user

3b. What is the legal basis for processing this data?

We collect this data to be able to fulfill the order. When you create an order, you indicate that you intend to exchange the currency in your online wallet, and that you would like to receive payment by your preferred payment method.

The collected data allows us to send you the payment for your leftover currency. It also allows us to update you regarding the status of your order, and to contact you if we have any questions.

Creating an account is optional, as indicated during the order creation process. You don’t have to create an account if you don’t want to. The legal basis for information on an account level is consent.

3c. Will we share the data with any third parties?

When an order is created, a confirmation email is generated by the WooCommerce plugin called ‘PDF invoice’, part of Automattic. In the confirmation email, bank account information is replaced by Xs, so that only the last three digits of an account number are shown. A copy of the confirmation email is sent to Leftover Currency, to inform us of the creation of your order. Emails are stored in our webmail client Gmail. We have selected Gmail as our preferred email hosting provider because of their enhanced data integrity and security. Google is fully compliant with the EU GDPR: https://cloud.google.com/security/gdpr/ 

3d. How do we use the data?

The data about the order(s) you create is used to fulfill your order(s). We also use the data to contact you if we have any questions, and to update you about the progress of your order. We may contact you regarding your order via the following ways:

• Email: We may send promotional emails about our services, special offers, or other information we think you may find valuable.
• SMS: We may send text messages with updates, promotional offers, and reminders about our services.

You can opt-out of receiving these communications at any time by:

• Clicking the “Unsubscribe” link in our emails.
• Replying “STOP” to our SMS messages.
• Contacting us directly at info@leftovercurrency.com

3e. How long do we store the data?

The data about the order(s) you create is stored for:

• Five years if we receive your currency
• Three months if you decided not to send us the currency

When we receive your currency, this means that your transaction involves currency exchange. Therefore the transaction is applicable to the money laundering regulations (MLR). Under MLR we are required to keep our customer data for five years. This is explained in more detail in the next part ‘Data about the processing and fulfillment of your order(s)’.

If you don’t send us the currency, either because you changed your mind or because you forgot to send the currency, we will delete the data after three months. 

3f. What rights do I have regarding my data?

You have the right to access and/or change your data. If you want to access and or change the data about the order(s) you created please contact us. You have the right to ask us to delete your data. We will delete your order when you ask us to delete it, except when we have received your currency, in which case we need to store your data for five years under money laundering regulations.

You have the right to ask us to delete your account. We will delete your account when you ask us to delete it, except when we have received currency from you for one or more orders, in which case we need to store your data for five years under money laundering regulations.

4. Data about the processing and fulfilment of your order(s)

4a. What data do we collect?

When we process your order(s) we collect the following data:

• Current and previous order statuses with timestamp indicating when the order status was updated: awaiting currency/processing/completed/order discrepancy/on hold
• Name(s) of the Leftover Currency staff that processes your order(s)
• Any messages sent by Leftover Currency staff regarding your order(s)
• Results of the count of the currency, and a description of any discrepancies if there are any
• Tracking and delivery status information if you used a tracked delivery method
• Customs related information if your items passed through customs
• Any information included with your order or on the packaging, for example, a cover letter or a return address
• Outcome of search for linked transactions: total combined value over 6 months for linked transaction
• If your payment method is bank transfer and your bank account is outside of the UK, we may ask your date of birth. We will only do so if the receiving bank needs the date of birth of the sender to process the payment.

When you fill in a paper PDF exchange form, instead of using the online wallet, we receive the data about the order you created when your letter/parcel arrives at our office. When we start processing your order we receive the following data on the paper exchange form:

• Preferred payout currency
• Amount per currency, in banknotes and coins
• Title
• First name
• Last name
• Address
• Email address
• Preferred payout method (direct bank transfer/cheque/paypal/donate to charity)
• Payment details:
  • If payout method is direct bank transfer: bank account details
  • If payout method is cheque: full name of payee
  • If payout method is paypal: email address for paypal
• Date of signing
• Signature

For (linked) orders, either online or with a PDF paper exchange form, with a (combined) value over £1000 GBP, $1000 USD or €1000 EUR (over six months) we may also collect the following data:

• Scans/photocopies of forms of ID and proof of address sent in
• Information about the true beneficiary of the funds
• Information about the origin of the funds
• Information about people/organisations linked to the beneficiary
• Information about whether the beneficiary is a politically exposed person (PEP) or on a target/financial sanctions list
• Outcome of (advanced) due diligence checks

When an order is created, we follow up the status. If we haven’t received the currency within 9 days, we may send a reminder email. We will only send the reminder email if you have consented to this during order creation. If we send the reminder email, we collect the following data:

• Customer name
• Purchased (Y/N)
• Mailing list (Y/N)
• Email stats: sent, opens, clicks
• Total orders
• Last order date
• Lifetime value

If you indicated that you would like to review our service, you will receive an email with a link to Trustpilot, where you can leave a review. If you leave a review, we collect the following data:

• Star rating (1-5)
• Alias name of reviewer
• Review
• Reference number of your order

4b. What is the legal basis for processing this data?

We are legally required to keep data about the processing and fulfillment of your order(s) under the Money Laundering Regulations 2017: https://www.gov.uk/government/consultations/money-laundering-regulations-2017

The legal basis for collecting data about the reminder email is your consent. When you create an order you indicate whether you want to receive a reminder email or not. 

The legal basis for collecting review data is your consent. When you create an order you indicate whether you would like to receive an invitation email to review our service or not.

4c. Will we share the data with any third parties?

When we are asked to share data with HMRC or law enforcement agencies, we will comply, as we are required to do under the Money Laundering Regulations 2017.

For performing due diligence checks we use a tool called GBG ID3global by identity data intelligence firm GBG: https://www.gbgplc.com/uk/what-we-do/supporting-gdpr/  For enhanced due diligence checks we also use the services of Compliance Assist Limited: https://www.complianceassist.co.uk/privacy-policy.

We may share your information with trusted third parties, such as:

• Payment processors and service providers who assist in our operations.
• Regulatory authorities, if required by law or for compliance purposes.
• Marketing platforms to facilitate our communication with you.

To fulfill your order and get you paid, we need to share information with the payment providers we work with:

• For bank transfers: We share the following information with our bank and the receiving bank: account holder’s name, account number, sort code, order value.
• For cheques: We share the following information with our bank and the receiving bank: payee name, order value.
• For Paypal payments: PayPal. We share the paypal email address and the order value: https://www.paypal.com/en/webapps/mpp/ua/privacy-full
• For international bank transfers: Wise https://wise.com/gb/legal/global-privacy-policy-en
•  and GlobalWebPay: https://www.globalwebpay.com/Domain/GWP/Home/PrivacyPolicy.aspx We share the account holder’s name, address, date of birth (if required), bank name, bank account information (e.g. IBAN, SWIFT, BSB,…), reason for payment and order value.

If you have consented to receiving an invitation to review our service on Trustpilot, we will share the following data with Trustpilot: First name, last name, email address, and reference number. Here is more information about how Trustpilot complies with GDPR: https://support.trustpilot.com/hc/en-us/articles/360000306528–How-do-we-protect-your-data

4d. How do we use the data?

We use the data to help us process and fulfill your order and for compliance and accounting purposes.

We use review data to collect feedback about our service and to improve our processes where needed. Reviews are used by Trustpilot to calculate a ‘trustscore’ which can be used to compare reviews across websites.

We may also use the data to send marketing communications from us, including via:

• Email: We may send promotional emails about our services, special offers, or other information we think you may find valuable.
• SMS: We may send text messages with updates, promotional offers, and reminders about our services.

You can opt-out of receiving these communications at any time by:

• Clicking the “Unsubscribe” link in our emails.
• Replying “STOP” to our SMS messages.
• Contacting us directly at info@leftovercurrency.com.

4e. How long do we store the data?

We are legally required to store information about processing and fulfilment of your order(s) for a period of five years. After five years we will delete orders on a monthly basis. We will delete all online data, as well as offline (paper) data. For destroying offline data we use the services of Shred it: https://www.shredit.co.uk/en-gb/home. Review data is kept until the reviewer deletes his/her account or until the reviewer asks Trustpilot for the review to be deleted. 

4f. What rights do I have regarding my data?

You have the right to access your data. If you want to access the data about the processing and fulfillment of order(s) then please contact us. If the data is not accurate then you have the right to update your data. You have the right to access, amend and delete your review on Trustpilot: https://support.trustpilot.com/hc/en-us/articles/201839063-How-do-I-edit-or-delete-my-review-You have the right to amend your consent to receive our email reminder. You have the right to amend your consent to receive review invitations. If you want to update your consent, please contact us.

Security measures

We take the security of your personal data seriously and implement appropriate measures to protect it, including: 

• Encryption: Securing sensitive data during transmission and storage;
• Access control: Restricting access to your data to authorised personnel only;
• Monitoring: Regularly reviewing and updating security protocols to address emerging threats.

In the unlikely event of a data breach, we will notify affected users and take immediate steps to mitigate the impact.

Your rights

Under the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information we hold about you. You can read more about these rights here – https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/

Complaints or concerns

We do our best to meet the highest standards when collecting and processing your personal data. However, if you want to file a complaint or report a concern, you can do so on the website of the Information Commissioner’s Office (ICO) https://ico.org.uk/concerns

Leftover Currency Limited is an organisation that processes personal information and is therefore required to pay an annual fee to the ICO. You can find Leftover Currency Limited on the online register of fee payers here: https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/

Third-party links

On occasion we include links to third parties on our website. Although we carefully select any external links on our website, where we provide an external link it does not mean that we endorse or approve that site’s Privacy Policy. Customers should review any external site’s Privacy Policy before providing any personal data.

Latest update

This Privacy Policy was last updated on 5 February 2025.