Best Rate Group Ltd
Privacy Policy 26th October 2025
1. Introduction and Contact Details
Best Rate Group Ltd. (referred to as "we," "us," or "our") is an independent bureau de change and the company which provides the Services. We are a business registered in England and Wales (No. 07685809), with our registered office at The Snow Centre, St. Albans Hill, Hemel Hempstead, Herts. HP3 9NH. We are also an HMRC-registered Money Services Business (No: XGML00000138278; ICO: ZA767874). When we talk about the “Services” in this policy, we are referring to the retail foreign exchange service that we provide, both through our store and online via the website. Our Services are currently available for use via a web browser or applications specific to your desktop or mobile device. We are committed to protecting the privacy and security of your personal data. We are the Data Controller for the personal data we process, meaning we determine the purposes and means of processing your personal data.
This policy sets out how we collect, use, and protect your personal data in compliance with UK GDPR and the Data Protection Act 2018, and reflects upcoming changes, including the Data (Use and Access) Act 2025 (DUAA).
Detail | Information
Our Name | Best Rate Group Ltd.
Our Address | The Snow Centre, St. Albans Hill, Hemel Hempstead, Herts. HP3 9NH.
Data Protection Contact | Peter Wilkie
Email Address | compliance@bestratefx.com
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO. Please contact us in the first instance.
2. The Data We Collect About You
We may collect, use, store, and transfer different kinds of personal data about you, which we have grouped together as follows:
• Identity Data: First name, last name, marital status, title, date of birth, and gender.
• Contact Data: Billing address, physical address, email address, and telephone numbers.
• Financial Data: Bank account details, payment card details, source of funds/wealth information.
• Transaction Data: Details about payments to and from you, currency exchange details, and other services you have purchased from us.
• Verification Data: Copies of identity documents (e.g., passport, driving licence, utility bills) collected for Anti-Money Laundering (AML) and Know Your Customer (KYC) compliance.
• Technical Data: Internet Protocol (IP) address, browser type and version, time zone setting, operating system and platform, and other technology on the devices you use to access our website.
• Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.
• CCTV Data: Images captured on our premises for security and crime prevention purposes.
We also collect, use, and share Aggregated Data (e.g., statistical or demographic data) for any purpose. This data is not considered personal data as it does not directly or indirectly reveal your identity.
3. How and Why We Use Your Personal Data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Purpose/Activity | Type of Data Used | Lawful Basis for Processing
Provide Currency Exchange Services and manage your account. | Identity, Contact, Financial, Transaction, Verification | Performance of a contract with you.
Comply with UK AML/KYC Legal Obligations and counter-terrorism financing. | Identity, Contact, Financial, Verification | Legal obligation.
Process and record transactions and manage payments and fees. | Financial, Transaction | Performance of a contract with you.
Prevent, detect, and investigate fraud and other crimes. | Identity, Contact, Financial, Verification, CCTV | Recognised Legitimate Interests (as clarified by the DUAA 2025).
Manage our relationship with you, including notifying you about changes to our terms or policy. | Identity, Contact, Marketing | Legal obligation, or Performance of a contract with you.
Administer and protect our business and website (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data). | Identity, Contact, Technical | Legitimate interests (for running our business, network security, and preventing fraud).
Marketing to you via electronic mail (email/SMS). | Identity, Contact, Marketing | Consent (for new customers), or Legitimate interests (Soft Opt-In for similar services, subject to the DUAA 2025 clarifications on direct marketing).
Operate CCTV on our premises for staff and customer security. | CCTV | Legitimate interests (security and crime prevention).
4. Disclosure of Your Personal Data
We may share your personal data with the parties set out below for the purposes described in section 3:
• External Third Parties:
  ◦ Financial crime prevention agencies, fraud detection agencies, and KYC/AML screening providers.
  ◦ HM Revenue & Customs (HMRC), regulators (e.g., the FCA), and other authorities based in the UK who require reporting of processing activities in certain circumstances.
  ◦ Professional advisers including lawyers, bankers, auditors, and insurers providing consultancy, banking, legal, insurance, and accounting services.
  ◦ Service providers who provide Wholesale Currency, IT and system administration services.
  ◦ Payment processing services to facilitate transactions.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
5. International Transfers
We may transfer your personal data outside the UK. Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
• We transfer your personal data to countries that the UK has deemed to provide an adequate level of protection.
• We use the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), which have been approved by the ICO.
• We rely on the amended standard under the DUAA 2025, assessing whether the third country offers protections that are not materially lower than the UK baseline.
6. Data Security and Retention
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We also have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so, typically within 72 hours of becoming aware.
Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.
• In the financial services sector, we are subject to strict regulatory requirements. We typically retain customer Identity, Financial, Transaction, and Verification Data for five years after the relationship ends, as required by AML/CTF regulations.
• In some cases, we may retain your data for longer to deal with any complaints or to protect our legal rights.
7. Your Legal Rights
Under data protection law, you have rights including:
• Your right of access: You have the right to ask us for copies of your personal data (a Subject Access Request). Under the DUAA 2025, we are only required to carry out reasonable and proportionate searches in response to your request.
• Your right to rectification: You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure (Right to be Forgotten): You have the right to ask us to erase your personal data in certain circumstances.
• Your right to restriction of processing: You have the right to ask us to restrict the processing of your personal data in certain circumstances.
• Your right to object to processing: You have the right to object to the processing of your personal data in certain circumstances, particularly where we rely on Legitimate Interests.
• Your right to data portability: You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.
You also have a new statutory right under the DUAA 2025 to complain to us about our compliance with data protection laws. We are required to acknowledge receipt within 30 days and respond without undue delay.
To exercise any of these rights, please contact our Data Protection Contact using the details in section 1. We will not charge you a fee, and we aim to respond to all legitimate requests within one month.
