Privacy Policy
In this privacy policy we:
Opal Transfer LTD, authorised as a payment institution by the UK Financial Conduct Authority, No. 533677, with a registered office at 27 Clement's Lane, London, EC4N 7AE; Information Commissioner's Office (ICO) Register of data controllers reference: Z1993210, www.ico.org.uk;
and
Opal Transfer EU UAB, legal entity’s code 305026817, with our registered office at Konstitucijos ave. 21A, Vilnius, the Republic of Lithuania (together – “Opal Transfer”, unless referred to individually),
explain how we treat personal information received about you when you use our services via the Opal Transfer Online Platform, our Mobile App, or via phone conversation with our Call Centre.
We are established and based in the United Kingdom (“UK”) and Lithuania respectively. As such, we take appropriate measures to comply with the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018, European Union (“EU”) law, including Regulation (EU) 2016/679 (the “GDPR”), and Lithuanian and United Kingdom data protection laws. If you reside outside the EU or UK, please note that while we apply UK and EU data protection standards, we cannot guarantee that our data collection and processing practices fully comply with all local data protection laws in other jurisdictions.
Opal Transfer LTD and Opal Transfer EU UAB operate as separate and independent data controllers for the personal data they process. This means that each entity is responsible for ensuring compliance with applicable data protection laws in relation to the personal data it collects and processes. If you wish to exercise your data protection rights, you should contact the entity that originally collected your data. However, for certain processing activities related to the provision of our services, Opal Transfer LTD and Opal Transfer EU UAB act as joint controllers. This means that both entities jointly determine the purposes and means of processing your personal data and share collective responsibility for ensuring compliance with applicable data protection laws. In such cases, you may exercise your data protection rights by contacting either entity, and we will coordinate to handle your request accordingly.
The lawfulness of Opal Transfer’s processing of customer data is based on the laws of the United Kingdom and Lithuania, which regulate the business operations of both companies:
· “Money Laundering Regulations” means EU AML Directive (EU) 2015/849, Directive (EU) 2018/843 and Directive 2024/1640; The Money Laundering and Terrorist Financing Prevention Law of the Republic of Lithuania 1997 No. VIII-275 (with amendments); and the United Kingdom law: The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (with amendments);
· “Electronic Money Regulations” means EU Directive 2009/110/EC and Electronic Money Institutions by the Law of Lithuania on 22 December 2011, No XI-1868 (with amendments);
· “Wire Transfer Regulation” means Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds;
· “Payment Services Regulations” means Directive (EU) 2015/2366 of the European Parliament and the Council of 25 November 2015; and the United Kingdom law: Payment Services Regulations 2017 (with amendments).
As joint controllers, Opal Transfer LTD and Opal Transfer EU UAB jointly process your personal data for the following purposes:
- customer onboarding and identity verification;
- payment initiation, processing, and monitoring;
- customer behaviour analysis and service improvement;
- marketing activities, including communication preferences and promotional messages;
- customer support and query management; and
- anti-money laundering (AML) and counter-terrorist financing (CTF) compliance measures.
In this Privacy Policy, we present the most important structured information about the protection of your personal data: i.e., what personal data we collect, how and why we use it, on what legal basis we process it, how long we store it, to whom we transfer it, as well as our duties in processing your personal data, your rights, and the methods of their implementation. Please take the time to review this Privacy Policy, and please do not hesitate to contact us if you have any questions.
By using the Mobile App and/or the Opal Transfer Online Platform, you acknowledge that you have been informed about this Privacy Policy and understand the purposes, methods, and procedures for processing your personal data as described in it. If you do not agree with how your personal data is processed as described in this Privacy Policy, you have the right to object to certain types of processing where applicable, in accordance with GDPR. You may also exercise your data protection rights, such as access, rectification, or restriction of processing, as detailed in this Privacy Policy. If you choose not to use our Mobile App and/or the Opal Transfer Online Platform, we will not process your data beyond what is required for legal or contractual purposes.
The Privacy Policy is a constantly changing document, so we can improve, change, and update it if necessary. For this reason, please visit the Website or Web App from time to time, where you will always find the latest version of the Privacy Policy. We will also additionally inform you about any significant changes to the Privacy Policy, and we will always publish the updated version on our Mobile App and the Opal Transfer Online Platform.
For definitions used in this Privacy Policy, see our Terms and Conditions, available here.
1. How we use your personal data?
In this section you will find the information regarding:
- the purposes for which we process your data;
- how we use your personal data;
- the categories of data we process;
- the legal basis for processing;
- the data retention period;
- international data transfers, if applicable, and the safeguards in place;
- your rights regarding your personal data and how to exercise them; and
- automated decision-making and profiling, if applicable, and its impact on you.
We process your data specified in this Privacy Policy on these legal grounds:
- for conclusion, performance, amendment and administration of an agreement (Article 6(1)(b) of the GDPR);
- for fulfilment of legal obligations and requirements of legal acts applicable to us (Article 6(1)(c) of the GDPR);
- for pursuing our legitimate interests and those of third parties (Article 6(1)(f) of the GDPR);
- for acting in accordance with your consent (Article 6(1)(a) of the GDPR, Article 9(2)(a) of the GDPR).
Within the scope and under the conditions established by applicable legal acts, one or more of the abovementioned legal grounds may apply to processing of the same personal data.
We collect and process only your personal data that are proportionate and necessary to achieve the purposes for which it is processed.
We may combine personal data we have collected from you (when you are using the Mobile App and/or Opal Transfer Online Platform) with the personal data obtained from publicly available sources (e.g., with data obtained using website cookies, or with data legally obtained from third parties, etc.).
More detailed information is provided below:
| PURPOSE |
HOW AND WHY WE USE IT |
PERSONAL DATA |
LEGAL BASIS |
MINIMUM RETENTION PERIOD |
| Business correspondence and communication management |
To properly address and communicate with you, including responding to your inquiries, requests, and complaints. This includes providing information about the services we offer, their prices, terms, and changes in contractual agreements. We may also contact you in case of any issues related to the services provided. If you contact us via phone and/or in writing (e-mail, via Mobile App / Opal Transfer Online Platform, social networks, or other means), we will store the details of your inquiry, including personal data, to ensure proper record-keeping and follow-up. |
First name, last name, e-mail, phone number, address, device details (e.g., phone, computer, or tablet), other information required for customer verification; date of communication, content of correspondence; interactions with Opal Transfer social media accounts (e.g., "like", "follow", "comment", "share", etc.), profile pictures or tagged images related to Opal Transfer, messages sent (including receipt time, message content, message attachments, correspondence history, etc.), information about participation in Opal Transfer's events and/or games (participation status, interest, compliance with the rules of the game, etc.). In case of customer support, additional details relevant to the inquiry or complaint may be processed, including sensitive information. |
Consent – where applicable, for certain types of communication
Performance of a contract - where communication is necessary to fulfil contractual obligations.
|
5 (five) years from the date of the transactions or termination of transactions with a client. |
| Recording telephone conversations to ensure quality customer service |
Recording of conversations is carried out and the recording data is processed in order to ensure the quality of customer service and to monitor and improve the effectiveness of telephone consultations. |
Telephone number, the time and duration of the call and the audio recording of the call and the data it contains. First name, last name, mobile phone number, e-mail mailing address, residential address, other information required to complete the customer verification. |
Consent |
3 (three) years after the recording. |
| Identification of the customer; Creating an account in the Mobile App / Opal Transfer Online Platform |
The personal data are processed in order to verify the authenticity of the client's identity and to check whether there are circumstances for the application of enhanced client authentication, to submit any necessary documents for the above purposes, as well as to create an account to use our services in the Mobile App and the Opal Transfer Online Platform. |
First name, last name, e-mail address, mobile number, date of birth, tax reference code (personal code), native country, country of residence, address, customer number, IP address, device details (for example, your phone, computer or tablet), company name, registration number, records of our discussions, if you contact us or we contact you (including records of phone calls); identity document data, your image in photo or video form (where required as part of our Know Your Customer (“KYC”) checks or where you upload a photo to your Opal Transfer profile), proof of address and source of funds data like work agreements, payslips, tax returns, sales receipts, bank account details, card details, invoices, contracts, national tax ID, bills, payment type information (bank account details or card details). Account data (email and phone number) confirmation records, account creation date, Terms of Use and Privacy Policy acceptance records, direct marketing consent records, IP address, and technical records. |
Legal obligation
Performance / conclusion of a contract |
EU: 8 (eight) years from the end of the transaction or business relationship with the client.
UK: 5 (five) years from the end of the transaction or business relationship with the client.
|
| The purpose of anti-money laundering and counter-terrorist financing management (Customer Due Diligence) |
We use Customer Due Diligence (CDD) procedures to verify the identity of customers, assess the nature and purpose of their business relationships, and evaluate potential risks associated with money laundering and terrorist financing. This involves collecting and verifying personal and financial information, understanding the source of funds, and monitoring transactions to ensure compliance with regulatory requirements. By implementing CDD measures, we can detect and prevent financial crimes, identify high-risk individuals or entities, and apply appropriate risk-based controls to safeguard our services. |
Personal Identification Data
Personal identification number; First name and last name; Address; Date of birth; Country of birth; Citizenship; Identity document details, including residence permit in the Republic of Lithuania or an EU/EEA country
Contact Information
Email address; Phone number; Registered (declared) address; Residential address; Correspondence address
Tax-Related Information
Tax residence address; Taxpayer identification number
Professional and Financial Information
Political exposure (PEP status); Primary employer and job position; Other employer(s); Self-employed activities, including types, territory, nature, and other related details; Types, sources, and amounts of income; Information on professional and business activities
Banking and Transaction Data
Information about accounts in other financial institutions; Data on transactions and operations performed at the bank or other financial institutions
|
Legal obligation |
EU: 8 (eight) years from the end of the transaction or business relationship with the client.
UK: 5 (five) years from the end of the transaction or business relationship with the client.
|
| The purpose of anti-money laundering and counter-terrorist financing management (PEP and other information screening) |
We use Politically Exposed Person (PEP) and other information screening to identify individuals who may pose a higher risk of money laundering or terrorist financing due to their political status or involvement in high-risk activities. This process helps us assess the potential risks associated with a customer's financial transactions and ensure compliance with anti-money laundering (AML) and counter-terrorist financing (CTF) regulations. By screening against PEP lists, sanctions databases, and other relevant public sources, we enhance our ability to detect and prevent illicit financial activities while maintaining a secure and compliant financial environment. |
Personal Identification Data
Personal identification number; First name and last name; Address; Date of birth; Country of birth; Citizenship; Identity document details, including residence permit in the Republic of Lithuania or an EU/EEA country or UK; Information on professional and business activities; Source of income or assets
Political and Public Information
Data on political involvement; Other adverse information from public sources
|
Legal obligation |
EU: 8 (eight) years from the end of the transaction or business relationship with the client.
UK: 5 (five) years from the end of the transaction or business relationship with the client.
|
| The purpose of anti-money laundering and counter-terrorist and proliferation financing management (Implementation of sanctions requirements) |
We implement sanctions screening to ensure compliance with international and national regulations aimed at preventing money laundering, terrorist and proliferation financing. This process involves identifying individuals, entities, and transactions that may be subject to financial or economic sanctions imposed by regulatory authorities and reporting full matches with designated persons to authorities. By cross-checking customer data against sanctions lists, we mitigate the risk of engaging in prohibited financial activities and prevent illicit transactions. This helps us maintain a secure and legally compliant financial environment while supporting global efforts to combat financial crime. |
Identification Data
Personal identification number; First name and last name of the person/entity if owned/controlled by a designated person; Address; Date of birth/Company registration number; Country of birth/Establishment; Citizenship; Identity document details, including residence permit in the Republic of Lithuania or an EU/EEA country or UK; Transfer amount(s), currencies; Bank details, account names, account numbers and sort codes; Information provided in the payment purpose; Funds and economic resources transacted/frozen
Data on applied sanctions
|
Legal obligation |
EU: 8 (eight) years from the end of the transaction or business relationship with the client.
UK: 5 (five) years from the end of the transaction or business relationship with the client.
|
| Fulfilment of international data exchange obligations |
We process and exchange personal identification and tax-related data internationally to comply with legal and regulatory requirements related to tax transparency and financial reporting obligations. This includes sharing relevant information with authorized regulatory bodies, tax authorities, and supervisory institutions as required by international agreements and local laws. Ensuring proper data exchange helps us comply with cross-border financial regulations, fulfil tax reporting obligations, and enhance regulatory transparency. |
Personal Identification Data
First name and last name; Address; Date of birth; Citizenship; Identity document details, including residence permit in the Republic of Lithuania or an EU/EEA country or UK
Tax-Related Information
Tax residence address; Declared place of residence; Taxpayer identification number
Transaction History Information
|
Legal obligation |
EU: 8 (eight) years from the end of the transaction or business relationship with the client.
UK: 5 (five) years from the end of the transaction or business relationship with the client.
|
| Anti-money laundering and counter-terrorist and proliferation financing management process (real-time payment monitoring and retroactive payment monitoring). |
We implement real-time payment monitoring as part of our anti-money laundering (AML) and counter-terrorist financing (CTF) management process to detect and prevent suspicious transactions. This involves the continuous and automated analysis of payment activities to identify transactions that may indicate potential financial crime risks.
We implement retroactive payment monitoring as part of our anti-money laundering (AML) and counter-terrorist and proliferation financing (CTF) management process to identify suspicious transactions that may not have been detected in real-time. This process involves the periodic and systematic review of past payment activities to detect patterns, anomalies, or links to financial crime that may have emerged over time.
|
Payer:
- First name and last name or Company name
- Account number (IBAN) or Unique identifier
- The payer’s address, official personal document number, customer identification number or date and place of birth
- Payment amount
- Transaction History
- Information provided in the payment purpose
- Source of income or assets
- Other payment supporting information (contracts, VAT invoices, other payment documents)
- Payment transaction number
Recipient:
- First name and last name or Company name
- Account number (IBAN) / Card number / Bank code
- Address (if necessary)
- Payment amount
- Information provided in the payment purpose
- Other payment supporting information (contracts, VAT invoices, other payment documents)
- Payment transaction number
|
Legal obligation |
EU: 8 (eight) years from the end of the transaction or business relationship with the client.
UK: 5 (five) years from the end of the transaction or business relationship with the client.
|
| Prevention of money laundering and counter terrorism and proliferation financing, prevention of fraud |
To meet regulatory KYC, anti-fraud and anti-money laundering, counter-terrorism and proliferation financing obligations.
|
· First name, last name;
· Personal identification number;
· Date of birth;
· Identity document number and period of validity of the residence permit in the Republic of Lithuania and the place and date of its issuance (if a person is not a citizen of Republic of Lithuania);
· Address;
· Citizenship;
· Personal identification document details and image;
· The country of issuance of the identification document (in cases of a stateless person);
· Workplace (in cases of client’s director);
· Company’s name and registration number;
· Equity of the legal entity’s shares/voting rights/control (in cases of shareholder and beneficiary);
· Signature, other data required by the Law;
· E-mail address;
· Phone number;
· Unique Identifier;
· IP address, device details (for example, your phone, computer or tablet), records of our discussions, if you contact us or we contact you (including records of phone calls);
· Proof of address and source of funds documents like work agreements, payslips, tax returns, sales receipts, bank account details, card details, invoices, contracts, national tax ID, bills;
· Payment type information: bank account details or card details.
|
Legal obligation |
EU: 8 (eight) years from the end of the transaction or business relationship with the client.
UK: 5 (five) years from the end of the transaction or business relationship with the client.
|
| Mobile App Transfers |
A dedicated mobile application enables quick transfers, easy registration, and secure payments on the go.
|
Identity and Customer Information: Full name; Date of birth; Nationality; Personal identification number or passport/ID card details
Contact Information: Email address; Phone number
Financial and Transactional Data: Payment method details (e.g., bank transfer, debit/credit card); Bank account details (IBAN, SWIFT/BIC); Transaction details (amount sent, currency, recipient details, date and time of the transaction); Purpose of the transaction
Recipient’s Information: Full name; Bank account details; Country of residence
Device and Technical Data: Device information (e.g., device model, operating system, browser type); IP address; App usage data (e.g., login timestamps, features used); Crash logs and error reports; Cookies or tracking data (if applicable)
|
Performance of a contract
Legal obligation
|
EU: 8 (eight) years from the date of the monetary transaction or conclusion of the transaction.
UK: 5 (five) years from the end of the transaction or business relationship with the client.
Various system and technical records – 3 months from the date of their creation.
|
| Money Transfers by Phone |
Allows customers to send money by calling customer service, providing recipient details, and making a payment to Opal Transfer’s bank account.
|
Identity and Customer Information: Full name; Date of birth; Nationality; Personal identification number or passport/ID card details
Contact Information: Phone number; Email address (if provided during the call)
Financial and Transactional Data: Payment method details (e.g., bank transfer, debit/credit card); Bank account details (IBAN, SWIFT/BIC); Transaction details (amount sent, currency, recipient details, date and time of the transaction); Purpose of the transaction
Recipient’s Information: Full name; Bank account details; Country of residence
Call and System Records: Call recordings (if applicable and with consent where required); Date and time of the call; Operator notes or transaction confirmation details; IP address (if follow-up is made via email or online platform); Device and technical data (if accessed through a digital platform after the call) |
Performance of a contract
Legal obligation
|
EU: 8 (eight) years from the date of the monetary transaction or conclusion of the transaction.
UK: 5 (five) years from the end of the transaction or business relationship with the client.
Various system and technical records – 3 months from the date of their creation.
|
| Online Money Transfers |
Users can conveniently send money through the Opal Transfer website without needing to visit a physical location.
|
Identity and Customer Information: Full name; Date of birth; Nationality; Personal identification number or passport/ID card details
Contact Information: Residential address; Email address; Phone number
Financial and Transactional Data: Payment method details (e.g., bank transfer, debit/credit card); Bank account details (IBAN, SWIFT/BIC); Transaction details (amount sent, currency, recipient details, date and time of the transaction); Purpose of the transaction
Recipient’s Information: Full name; Bank account details; Country of residence
System and Technical Data: IP address; Device information (e.g., browser type, operating system); Log files and activity records related to the transaction; Cookies and tracking data (if applicable)
|
Performance of a contract
Legal obligation
|
EU: 8 (eight) years from the date of the monetary transaction or conclusion of the transaction.
UK: 5 (five) years from the end of the transaction or business relationship with the client.
Various system and technical records – 3 months from the date of their creation.
|
| Direct marketing |
This information is used, with your consent, to send you newsletters by e-mail or leave a notification in your Opal Transfer account.
|
First name, last name, e-mail, date of birth, mobile phone number, address, device details.
Marketing Preferences & Consent Data
Direct marketing consent records (date and method of consent); Opt-in/opt-out status and marketing preferences; Subscription status (e.g., newsletters, promotional offers, SMS notifications)
Interaction & Engagement Data
Open rates and click-through rates of marketing emails; User activity on the platform related to marketing campaigns; Response to personalized offers or notifications
Customer Relationship Data
Account creation date (to determine eligibility for specific promotions); Purchase or transaction history (if marketing campaigns are personalized based on previous interactions)
Behavioural & Technical Data
IP address (for geographic targeting or fraud prevention); Browser type and language preferences; Website or mobile app interactions related to marketing content
|
Consent |
2 (two) years after the date of a consent receipt. |
| Profiling and automated decision-making |
Profiling is used, with your consent, to carry out analysis for the entry into or performance of a contract, and for regular and systematic monitoring of data subjects: profiling and scoring for risk assessment purposes (e.g., to use electronic means to verify identity, to assess creditworthiness, to prevent fraud, to detect money laundering, and for ongoing relationship and transaction monitoring).
Profiling and automated decision-making is also used to improve the client's user experience of the services, such as customizing the display of the services to the device used and creating suitable offers for clients.
|
Electronic identity footprint, financial situation, preferences, interests, credibility, behaviour, address.
Identification & Demographic Data: Age; Citizenship/Nationality; Employment status; Education level
Financial & Transactional Data (if used for risk assessment and fraud detection): Income sources and stability; Spending patterns; Transaction history and frequency; Outstanding debts and credit history; Use of financial services (e.g., loan applications, previous refusals)
Behavioural Data: Online activity and interaction with the service; Browsing history within the platform; Previous engagement with marketing campaigns and offers; Login patterns and frequency
Technical & Device Data (if user experience personalization applies): IP address; Device type and model; Operating system and browser version; Location data (if applicable)
|
Legal obligation
Consent
|
EU: 8 (eight) years from the end of the transaction or business relationship with the client.
UK: 5 (five) years from the end of the transaction or the end of business relationship with the client.
2 (two) years after the date of a consent receipt for Marketing purposes
|
| Debt management |
Personal data is processed for this purpose in order to manage and recover debts, to lodge claims, demands, lawsuits and other documents, and to provide documents for the recovery of debts. |
All relevant data about you, available from the account and the use of the services; information about debt(s), amount of debt, reminders, and calls to pay by e-mail, mail, repayment history, payment plan, and date of debt closing/discharge.
If the service of a debt collection company is used: your name, surname, personal identification number or other personal code, residential address, e-mail address, telephone number, date of transfer of the debt to the collection company, debt, active actions of the debt collection company, repayment history and debt closing/write-off date. Insurance cases and other related information; information about the amount of damage, the fact of payment, payment plans, the debt incurred, etc.
|
Legal Interest to ensure the collection of fees for services provided and debt administration |
Personal data related to debt management will be stored for 5 (five) years after the full repayment of the debt or from the date of the last recorded debt-related action, whichever is later. If legal proceedings are initiated regarding the outstanding debt, the data may be retained for the duration of the proceedings and for an additional period necessary to comply with legal obligations. The retention period is based on the statutory limitation periods for legal actions under the applicable laws of the Republic of Lithuania and the United Kingdom. |
| Execution of tax, accounting, and other obligations provided by law |
To ensure the proper implementation of tax, accounting, and other legal obligations (i.e., correct writing and declaration of accounting documents to state institutions, implementation of money laundering prevention requirements, etc.), we create various accounting documents with your personal data and administer them. |
Name, surname, residential address, personal identification number, VAT payer code (when the person is registered as a VAT payer); data about the Services (description of the Services; price/amount paid), issued accounting documents and their requisites, and other accounting and tax data that we must collect, process and store following laws and other legal acts. |
Legal obligation |
EU: 10 (ten) years after the creation of the document (e.g., VAT invoice).
UK: 6 (six) years after the creation of the document (e.g., VAT invoice).
|
| Website administration, service maintenance, and improvement |
When you visit and browse our website, we process and analyse the data of the cookies used on the website in order to collect statistical data and improve the quality of our services and the experience of visitors. You can find more information about the cookies used on the Website in Section 2 below. |
IP address, MAC address, date of visit, duration, pages visited, devices and programs used for Internet browsing, other technical information. |
Consent |
See in Section 2. |
2. About website cookies
Cookies are small text files containing an identifier that is sent by a web server to your web browser and stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
Cookies that we use in our website:
- necessary cookies – help to make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies;
- statistic cookies – these cookies allow us to monitor and analyse visits from a variety of traffic sources, this helps us to improve the overall site’s performance. This type of cookie also provides data on the most and least visited pages as well as the visitor’s navigation path around the site. The entirety of data collected by statistic cookies is aggregated and therefore completely anonymous. If these cookies are disabled, we can no longer follow your visits;
- marketing cookies – these cookies are used to track visitors’ choices on websites. They are used to tailor the Website and the information displayed on it to the specific user. Marketing cookies are also used to link you to social networks, which may then use your visit information for targeted advertising on other websites;
- security/spam protection cookies – these cookies are used to protect a website from malicious activity and unwanted automated traffic (bots). Their main purpose is to ensure the site is being used by real users and to keep it safe and reliable.
We use both first-party cookies (set by us) and third-party cookies (set by external service providers integrated into our website).
Third-party cookies
Some cookies on our website are set by third-party service providers. These include, but are not limited to:
- analytics providers (e.g., Google Analytics);
- advertising and social media platforms (e.g., Meta/Facebook, TikTok);
- video and content platforms (e.g., YouTube, Vimeo);
- security and performance providers (e.g., Google reCAPTCHA, content delivery networks).
These third parties may collect and process data about your online activity across different websites and services.
Cookies are stored for different periods depending on their purpose:
- session cookies are deleted when you close your browser;
- persistent cookies remain on your device for a defined period or until deleted.
More detailed information about the cookies we use is provided below:
| NECESSARY COOKIES |
| COOKIE NAME | PROVIDER | PURPOSE | TYPE | EXPIRY | RECIPIENTS | DATA |
| PHPSESSID | First-party (set by opaltransfer.com) | Maintains the user session and ensures the website functions correctly | HTTP | Session | No third-party recipients | User authentication data (if the user is logged in, their session is linked to an account). IP address (in some cases, session data is tied to the user's IP for security reasons). Browser and device information (may be logged for session tracking and fraud prevention). User preferences or actions on the website (e.g., language selection). |
| www_webascms | opaltransfer.com | CMS session / site management | HTTP | Session | Opal Transfer | Session state |
| rc::a | gstatic.com | This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website. | HTML | Persistent | Google | Interaction + device signals |
| rc::c | gstatic.com | This cookie is used to distinguish between humans and bots. | HTML | Session | Google | Session interaction signals |
| _cf_bm | vimeo.com | Supports Cloudflare Bot Management by managing incoming traffic that matches criteria associated with bots. | HTTP | 1 day | Vimeo / Cloudflare | Request metadata |
| CONSENT | youtube.com | Used to detect if the visitor has accepted the marketing category in the cookie banner. This cookie is necessary for GDPR compliance of the website. | HTTP | 2 years | Google / YouTube | Consent preference |
| JSESSIONID | nr-data.net | Describes the session ID which is a randomly-chosen key that is cached on your device. | HTTP | 2 years | New Relic | Session ID |
| STATISTIC COOKIES |
| COOKIE NAME | PROVIDER | PURPOSE | TYPE | EXPIRY | RECIPIENTS | DATA |
| _dc_gtm_UA-# | opaltransfer.com | Used by Google Tag Manager to control the loading of a Google Analytics script tag. | HTTP | 1 day | Google | Tag execution data |
| _ga | opaltransfer.com | Registers a unique ID that is used to generate statistical data on how the visitor uses the website. | HTTP | 2 years | Google Analytics | Client ID |
| _ga_# | opaltransfer.com | Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit. | HTTP | 2 years | Google Analytics | Visit frequency, timestamps |
| _gid | opaltransfer.com | Registers a unique ID that is used to generate statistical data on how the visitor uses the website. | HTTP | 1 day | Google | Anonymous user ID, page views, session interactions |
| _tt_enable_cookie | opaltransfer.com | Used by the social networking service, TikTok, for tracking the use of embedded services. | HTTP | 1 year | TikTok | |
| vuid | vimeo.com | Collects data on the user's visits to the website, such as which pages have been read. | HTTP | 2 years | Vimeo | Unique user ID, video interaction events, page/video engagement signals |
| yt-remote-* | youtube.com | Stores YouTube video preferences | HTML | Session | Google | Video player state |
| VISITOR_INFO1_LIVE | Google | Estimates bandwidth and video performance | HTTP | ~6 months | Google | Video playback performance |
| LAST_RESULT_ENTRY_KEY | Google | YouTube UI state memory | Local storage | Variable | Google | Interface state only |
| MARKETING COOKIES |
| COOKIE NAME | PROVIDER | PURPOSE | TYPE | EXPIRY | RECIPIENTS | DATA |
| _fbp | opaltransfer.com | Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers. | HTTP | 3 months | Meta | Browser ID, ad interaction, page visits |
| _ttp | tiktok.com | Used by the social networking service, TikTok, for tracking the use of embedded services. | HTTP | 1 year | TikTok | Device ID, browsing behaviour, ad interactions |
| LogsDatabaseV2:V#||LogsRequestsStore | youtube.com | Preserves users states across page requests. | IndexedDB | Persistent | IndexedDB/local storage/Google | Variable/ Request metadata |
| nextld | youtube.com | Used to track user’s interaction with embedded content. | HTTP | Session | Google | Session sequencing |
| remote_sid | youtube.com | Necessary for the implementation and functionality of YouTube video-content on the website. | HTTP | Session | Google | Session ID |
| requests | youtube.com | Used to track user’s interaction with embedded content. | HTTP | Session | Google | Request metadata |
| TESTCOOKIESENABLED | youtube.com | Used to track user’s interaction with embedded content. | HTTP | 1 day | Google | Boolean test flag |
| tt_appinfo | analytics.tiktok.com | Used by the social networking service, TikTok, for tracking the use of embedded services. | HTML | Session | TikTok / ByteDance and service processors | App version, device/app metadata, configuration signals |
| tt_pixel_session_index | analytics.tiktok.com | Used by the social networking service, TikTok, for tracking the use of embedded services. | HTML | Session | TikTok Ads / advertising partners (via TikTok Pixel) | Session event ordering, interaction index data |
| tt_sessionld | analytics.tiktok.com | Used by the social networking service, TikTok, for tracking the use of embedded services. | HTML | Session | TikTok / ByteDance services | Session identifier, login/session state token |
| yt.innertube::nextld | analytics.tiktok.com | Used by the social networking service, TikTok, for tracking the use of embedded services. | HTML | Persistent | Google / YouTube services | Anonymous session identifiers, recommendation continuity signals |
| YtdbMeta#databases | youtube.com | Used to track user’s interaction with embedded content. | IndexedDB | Persistent | Google | Local database structure |
| UNCLASSIFIED |
| COOKIE NAME | PROVIDER | PURPOSE | TYPE | EXPIRY | RECIPIENTS | DATA |
| gs_fpvss | fast.b-cdn.net | Unclassified. | HTML | Persistent | Bunny.net (formerly BunnyCDN / Fast CDN infrastructure) | Session ID |
| gs_session | fast.b-cdn.net | Helps to display social share buttons | HTML | Persistent | Bunny.net | Session ID |
| NID / Google Maps cookies (varies) | Google Maps | Map display + user preferences | Cookie | Up to 6 months | Google | Location/IP signals |
| Vimeo cookies | Vimeo | Video playback tracking | HTTP | Variable | Vimeo | Playback data |
| LinkedIn widgets cookies | LinkedIn | Social interaction tracking | Cookie | Variable | LinkedIn | Profile interaction data |
| SECURITY/SPAM PROTECTION |
| COOKIE NAME | PROVIDER | PURPOSE | TYPE | EXPIRY | RECIPIENTS | DATA |
| reCAPTCHA tokens (varies, incl. _GRECAPTCHA sometimes) | Google | Bot detection and spam prevention | Cookie | Up to 6 months | Google | Risk score, device signals |
Please note that:
· the actual cookies used may change over time depending on the services and tools implemented on the website;
· our social media accounts are subject to the cookies policies of the respective social media platforms;
· we make reasonable efforts to keep this information accurate and up to date.
You can manage your cookie preferences on our website by clicking here or adjusting your browser settings to block or delete cookies.
3. Can you not provide your personal data and/or not consent to the processing of your personal data?
Your personal data is collected and processed to conclude or fulfil the Services Agreement with you and/or enable us to provide the services and respond to your requests and complaints promptly and adequately or to fulfil our obligations stipulated by law applicable to us. If you do not provide your data, provide it with errors, or refuse to provide it further, we will not be able to conclude and/or execute the Services Agreement, provide the services and adequately respond to your requests, complaints, and/or other requirements that require our action. Accordingly, failure to provide personal data or refusal to continue to provide certain personal data will mean that the Services Agreement with you will not be concluded or will be terminated.
If we process your personal data based on legitimate interest, we have weighed the opposing interests and have decided that considering the purpose for processing personal data and the measures that we have taken, our (or the relevant third party’s) interest in processing your personal data is not overridden by your interests or fundamental rights and freedoms which require protection of personal data. In this case, you have the right to receive more information regarding this processing and/or the right to object to the processing of your personal data based on legitimate interest.
In cases where we process personal data based on your consent, you have the right to withdraw your consent at any time, and data processing based on your consent will be terminated.
Chapter 11 of the Privacy Policy outlines more information about your rights.
4. Who receives your information?
We disclose all or part of your personal data to the following data recipients:
· various service providers (e.g., IT support, cloud storage providers, payment processors) who process data on our behalf under strict data protection agreements;
· companies within our corporate group when necessary for administrative, operational, or compliance purposes;
· competent authorities and officials (e.g., law enforcement, regulatory bodies, tax authorities, law enforcement agencies, bailiffs, notaries, courts, out-of-court dispute resolution bodies) when required under applicable laws;
· other data controllers who have a legal basis to receive your data under applicable laws or where necessary for our legitimate interests;
· third parties identified by you when we have obtained your explicit consent to share your data with them;
· business successors or acquiring entities (if we or our subsidiaries are involved in a merger, acquisition or asset sale, your personal data may be transferred or deemed transferred to our new owner(s));
· legal entities and their branches belonging to our company group and entities that have a close relationship with a company, typically through ownership, control, or significant influence. We may share some or all of your personal information within the Opal Transfer group of companies. Generally, sharing such information would be necessary for us to perform on our contract with you – for example, to provide technical support after normal business hours. We also share your personal data within the Opal Transfer group of companies to provide you with the best service and send you information about our products and services;
· payment providers and processors, in case Opal Transfer has a legal obligation to provide such entities access to the Personal Data. Opal Transfer shares only the information necessary to execute the transaction with the financial intermediaries handling the transaction. Some of these services may also enable the sending of timed messages, such as emails containing invoices or notifications concerning the payment (card payments, 3DS verification etc.);
· credit and financial institutions, correspondent banks, custodian banks, intermediaries of Services, third parties participating in the services execution, safeguarding, settlement, and reporting cycle;
· financial and legal consultants, auditors, or any other service providers of Opal Transfer and authorized persons;
· providers of databases and registers, e.g., Adverse Media, Sanctions and Politically Exposed Person Screening service provider registers, credit reference agency registers, controllers who process consolidated Financial Sanction files, controllers who process consolidated debtor files, or other register holding or intermediating Personal Data, Debt collection service providers, assignees, insolvency administrators;
· counterparties, providing Card/Account and all the necessary activities relating to the operation of the Card/Account: allowing User to receive, activate and use the Card/Account (activating, managing and using your online account where applicable, making and receiving payment transactions, meeting legal requirements, answering requests, providing information to User);
· payment participants and (or) parties related to domestic, European, UK and international payments. Other persons who guarantee due discharge of the client’s obligations to Opal Transfer, such as sureties, guarantors, owners of collaterals;
· the Bank of Lithuania, Financial Conduct Authority (FCA) when providing data in compliance with the requirements of legal acts to provide data on concluded financial services agreements, their execution and (or) changes in execution;
· fraud prevention agencies and authorities;
· other persons related to provision of services of Opal Transfer such as providers of telecommunications, IT, hosting, cloud computing services, archiving, postal services, providers of services rendered to the client.
Except as provided in this Privacy Policy, we do not provide your personal data to any other third parties.
The list of recipients or categories of recipients outlined in this Privacy Policy is not exhaustive and may change over time. In the event of significant changes to the recipients of your personal data, we will notify you in accordance with applicable legal requirements.
5. Links to third-party websites
We may provide hyperlinks to third-party websites as a convenience to you. We do not control third-party websites and are not responsible for the contents of any linked-to, third-party websites or any hyperlink in a linked-to website. We are not responsible for the privacy practices or the content of third-party websites.
6. To what countries do we transfer your personal data?
Sometimes we may have to transfer your personal data to other countries that may offer lower levels of data protection. In such cases, we would do all that is within our control to ensure the security of the data we transfer.
When Opal Transfer transfers your personal data to countries outside the EU and/or the UK, we ensure that at least one of the following safeguards is implemented:
- the Information Commissioner’s Office (ICO) (for Opal Transfer Ltd.) and/or the European Commission (for Opal Transfer EU, UAB) has adopted an adequacy decision for the specific country;
- a contract is signed with the data recipient based on the standard contractual clauses adopted by the European Commission;
- in respect of data transmission by a group of undertakings, binding corporate rules are applied;
- authorization is obtained from the State Data Protection Inspectorate (for Opal Transfer EU, UAB) or ICO (for Opal Transfer Ltd.);
- for Opal Transfer Ltd. – the transfer is a necessary and proportionate measure carried out:
- for the purposes of Opal Transfer Ltd. statutory functions, or
- for other purposes provided for, in relation to Opal Transfer Ltd., in section 2(2)(a) of the Security Service Act 1989 or section 2(2)(a) or 4(2)(a) of the Intelligence Services Act 1994.
The following service providers are established outside the European Economic Area and the UK, which may result in your data being transferred outside the European Economic Area:
Please contact us via e-mail at dpa@opaltransfer.com if you want further information on the mechanism used by us when transferring your personal data out of the EU.
7. Marketing messages
If you consent, we will send you marketing messages via email and (or) leave a notification in an account to keep you informed about our latest updates, offers, and services. You may opt out of receiving marketing messages at any time. You may do so by: (i) choosing the relevant link in any of our marketing messages; (ii) contacting us via e-mail at marketing@opaltransfer.com.
Once you have taken either of these actions, we will update your profile to ensure that you will not receive our marketing messages in the future. This will not affect service-related communications necessary for your account management or transactions.
8. Children
Our website is not directed at children, and we do not knowingly collect personal information from anyone under the age of eighteen (18). We will promptly delete any personal information collected that we later determine to be from a user younger than the age of eighteen (18). Despite this, if you are a parent or legal guardian of a child under eighteen (18) who has provided us with personal information themselves, you may request to review or delete this information by contacting us at dpa@opaltransfer.com.
9. Do we perform automated decision-making and/or profiling?
Opal Transfer uses automated decision-making, including profiling, to fulfil the terms of services provision and to provide customized direct marketing services (e.g. sending newsletters only to interested clients). Accordingly, we may collect, analyse and process personal data by applying special algorithms and prediction models about your choices, behaviour, criteria for using the services, amounts spent, and similar characteristics. All these performed actions do not have any legal or similarly significant effect on you and are not performed without your consent.
Opal Transfer uses automated decision-making, including profiling, to fulfil service provision requirements and to provide customized direct marketing services (e.g., sending newsletters only to interested clients). This process involves the collection, analysis, and processing of personal data using specialized algorithms and predictive models to assess your preferences, behaviour, service usage patterns, amounts spent, and similar characteristics.
The automated decision-making logic is based on predefined rules and statistical models that analyse historical interactions, transactional behaviour, and engagement levels to tailor our services and communications. This enables us to improve our offerings and ensure that marketing messages are relevant to your interests.
These automated processes do not produce legal effects or similarly significant consequences for you. Where required, automated decision-making and profiling will only be performed with your explicit consent, and you have the right to object to such processing at any time. If you wish to receive more information about the automated decision-making process or to exercise your rights, you may contact us at dpa@opaltransfer.com.
10. Data retention
Personal data specified in this Privacy Policy will be stored and processed for no longer than the periods specified in Chapter 1 for each relevant data category. In cases when the data storage period is not indicated in this Privacy Policy, your data will be stored no longer than necessary for achievement of the purposes, for which the data were collected, or for a period set by legal acts.
Your personal data may be stored for a longer period than specified in this Privacy Policy only if strictly necessary for the following purposes and in accordance with applicable data protection laws:
- debt collection, damages, or unresolved financial/property obligations, where retention is necessary for claim administration and enforcement;
- ongoing or potential legal proceedings, where data is required to establish, exercise, or defend against claims within applicable statutes of limitation;
- active investigations by competent authorities concerning suspected violations or illegal activities;
- backup retention for IT security, system integrity, and operational resilience, in compliance with defined retention schedules;
- any other mandatory legal obligations explicitly provided under applicable laws.
After the end of your data processing and storage period set in this Privacy Policy, we destroy your data or anonymise them irreversibly and reliably as soon as possible, within a period reasonably necessary for performance of such an action.
11. How do we ensure the security of your personal data?
We process your personal data responsibly and securely, following our internal data processing rules and appropriate technical and organizational measures to protect personal data against unauthorized data processing, accidental loss, destruction, damage, alteration, disclosure, or any other illegal processing action.
Accordingly, we adhere to the following essential data processing principles:
- Lawfulness, fairness, and transparency. We collect and process personal data only for specific, defined, and lawful purposes, ensuring transparency regarding how data is used.
- Purpose limitation. We process personal data only for the purposes for which it was collected, and do not use it for incompatible purposes.
- Storage limitation. We store personal data only for as long as necessary to fulfil the specified purposes or as required by legal and regulatory obligations.
- Integrity and confidentiality. We implement strict access controls to ensure that personal data is processed only by authorized employees with legitimate access rights.
- Security measures. We apply appropriate technical and organizational security measures, such as encryption, access control, and secure data storage, to protect personal data from breaches or unauthorized access.
- Third-party disclosures. We disclose personal data to third parties only when there is a lawful basis for such sharing, and we ensure that recipients comply with data protection obligations.
- Incident response. If applicable, we promptly notify the relevant data protection authorities and affected individuals in the event of a personal data breach or security incident.
- Ongoing training and awareness. We regularly train employees on data protection and privacy best practices to ensure compliance with evolving legal and security standards.
- Regular security audits. We conduct periodic internal and/or external IT security audits to assess and strengthen our data protection measures.
- Continuous improvement. We regularly review, update, and enhance our data processing procedures and security controls to ensure the highest possible level of personal data protection.
We emphasize that we regularly monitor our systems for possible violations or attacks. Still, it is impossible to ensure complete security of information transmitted over the Internet or to prevent breaches, especially those that may occur due to your carelessness or disclosure of data to others. Taking this into account, we note that you also bear the personal risk of submitting personal data using the Internet connection through the Mobile App and the Opal Transfer Online Platform. If you voluntarily share your account details with others or mishandle personal data received from us, this may expose you to security risks beyond our control.
12. Your rights
In this section, we summarize your rights under data protection laws in the context of our data processing activities. Each right is briefly explained, including what it entails, how you can exercise it, and any applicable limitations. For more detailed information, please contact us at dpa@opaltransfer.com.
Your other principal rights under data protection law are the following: (i) the right to access data; (ii) the right to rectification (note that you may exercise most of this right by logging in to your account here); (iii) the right to erasure of your personal data; (iv) the right to restrict processing of your personal data; (v) the right to object to processing of your personal data; (vi) the right to data portability; (vii) the right to complain to a supervisory authority; and (viii) the right to withdraw consent.
The first copy of your personal data will be provided free of charge. However, if you request additional copies and your request is manifestly unfounded or excessive, we may charge a reasonable fee based on administrative costs, as permitted under GDPR.
The right to access data
You have the right to request confirmation of whether we process your personal data. If we do, you can request access to your personal data, along with additional details about:
- the purposes of processing,
- the categories of personal data being processed,
- the recipients or categories of recipients with whom your data has been shared,
- the retention period, or, if not possible, the criteria used to determine it,
- your rights regarding data correction, deletion, or processing restriction,
- your right to lodge a complaint with a supervisory authority,
- the source of data (if it was not collected directly from you), and
- whether we use automated decision-making, including profiling, and meaningful information about the logic involved.
Your right of access may be restricted if fulfilling the request would adversely affect the rights and freedoms of others (e.g., confidentiality, intellectual property, or security considerations). Your right of access may also be restricted in cases where fulfilling the request could interfere with ongoing investigations, regulatory inquiries, or legal proceedings. In some cases, technical limitations may also prevent immediate access to certain data, particularly if it is stored in secure backup systems that are only accessed under specific circumstances.
The right to rectification
You have the right to request the correction of any inaccurate personal data concerning you. If the data we process about you is incomplete, you also have the right to request that it be completed, considering the purposes of the processing.
There are certain limitations to the right to rectification. Before processing your request, we may need to verify your identity to ensure the security of your personal data. In some cases, we may also require supporting documentation to confirm the accuracy of the requested changes. Additionally, if the rectification request involves data processed for legal or regulatory purposes, we may be restricted from making modifications due to compliance obligations.
The right to erasure
You have the right to the erasure of your personal data when: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw consent to consent-based processing and there is no other legal basis to process data; (iii) you object to the processing under certain rules of applicable data protection laws; (iv) the processing is for direct marketing purposes; or (v) the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. Such exclusions include when processing is necessary: (i) for exercising the right of freedom of expression and information; (ii) for compliance with our legal obligation; or (iii) for the establishment, exercise or defence of legal claims.
Your right to erasure, also known as the "right to be forgotten," may be subject to certain limitations in specific situations. One of the key restrictions applies when data retention is required to comply with legal obligations. For example, we may be required to retain certain personal data to comply with tax, financial, anti-money laundering, or other regulatory requirements. In such cases, we cannot erase the data until the legally mandated retention period expires.
Another limitation arises when data processing is necessary for the establishment, exercise, or defense of legal claims. If your personal data is relevant to an ongoing or potential legal dispute, we may be required to retain it to protect our legal interests or comply with legal proceedings. Similarly, if your data is needed to prevent fraud, enforce contractual agreements, or resolve disputes, erasure may not be possible until those matters are settled.
Your right to erasure may also be restricted when the processing of data is necessary to exercise the right of freedom of expression and information. This is particularly relevant in cases where personal data is included in journalistic, academic, or research materials that must be preserved for public interest purposes. Additionally, if your personal data has been anonymized or aggregated in a manner that no longer allows identification, the right to erasure would not apply, as the data is no longer considered personal information.
There are also technical and operational constraints that may affect the erasure process. If your data is stored in secure backup systems that are only accessed in exceptional circumstances, immediate deletion may not be technically feasible. However, in such cases, the data will no longer be actively processed and will be deleted permanently once the backup retention period expires. Similarly, if you request the erasure of data that has been shared with third parties, we will take reasonable steps to inform those parties of your request, but we cannot guarantee that they will erase the data if they are legally required to retain it.
Right to restrict
You have the right to restrict the processing of your personal data when: (i) you contest the accuracy of the personal data; (ii) processing is unlawful but you oppose erasure; (iii) we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and (iv) you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data; however, we will only otherwise process such data: (i) with your consent; (ii) for the establishment, exercise or defence of legal claims; (iii) for the protection of the rights of another person; or (iv) for reasons of important public interest.
The right to restrict processing is subject to several limitations that affect when and how it can be exercised. While you have the right to request restriction under specific circumstances, it does not guarantee that all processing will be halted indefinitely.
One of the key limitations is that restriction applies only in specific situations, such as when you contest the accuracy of the data or object to processing. However, if we can demonstrate that the data is accurate or that we have overriding legitimate grounds for processing, we may not be required to apply the restriction. Similarly, if we no longer need the data but are legally obligated to retain it, restriction may not override our legal retention requirements.
Another limitation is that even when processing is restricted, we may still store your personal data. This means that while we will no longer actively process it, the data is not necessarily deleted or fully removed from our systems. Additionally, we may still process the restricted data in certain circumstances, such as when you provide consent, when it is necessary for legal claims, for the protection of another person’s rights, or for important public interest reasons. This means that restriction does not result in a complete halt of all data use, but rather limits it to specific, legally justified purposes.
Furthermore, the right to restrict processing does not necessarily apply to all types of data processing. If the data is being processed for security, compliance, or regulatory purposes, we may be unable to fully restrict it.
Additionally, technical limitations may affect how quickly we can implement restrictions, particularly if the data has already been shared with third parties who have their own processing obligations. In such cases, we will take reasonable steps to inform them of the restriction, but we cannot guarantee that they will be able to apply the same measures.
Right to object
You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
However, there are limitations to your right to object. If we are processing your personal data to comply with a legal obligation, such as tax regulations, anti-money laundering requirements, or other mandatory legal frameworks, we may not be able to stop processing your data based on your objection. Similarly, if the processing is necessary for the performance of a contract between you and us, objecting to the processing may not be sufficient to halt it. In contrast, if we process your personal data for direct marketing purposes, you have an absolute right to object at any time, and upon receiving your request, we will immediately stop processing your data for such purposes. If the objection concerns automated decision-making or profiling, additional rules may apply, and in certain cases, we may still be able to process your data under legally justified grounds.
Right to data portability
To the extent that the legal basis for our processing of your personal data is: (i) consent; or (ii) performance of a contract or steps to be taken at your request prior to entering into, and necessary to enter into, a contract, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
However, there are limitations to this right. Data portability applies only to personal data that you have provided to us and does not extend to data derived from or inferred by our processing activities. Additionally, this right does not apply if fulfilling your request would adversely affect the rights and freedoms of others, including trade secrets, intellectual property, or the confidentiality of third-party personal data. Furthermore, this right applies exclusively to automated processing, meaning that data stored in non-digital formats or manually recorded information may not be subject to portability.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so:
· For Opal Transfer LTD customers: by filling in the “ICO Data protection breach notification form” and sending it to: casework@ico.org.uk or by post to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
· For Opal Transfer EU, UAB customers: with the supervisory authority of the EU member state of your habitual residence, your place of work or the place of the alleged infringement. Opal Transfer EU, UAB data processing is supervised by the State Data Protection Inspectorate of the Republic of Lithuania, registered office at L. Sapiegos St. 17, LT-10312, https://vdai.lrv.lt/.
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal. If you choose to withdraw your consent, we will cease processing your personal data for the relevant purposes unless there is another legal basis that allows us to continue processing.
You may exercise any of the rights indicated herein by contacting us at dpa@opaltransfer.com.
In order to protect your and other persons’ data from unlawful disclosure, we will have to verify your identity upon your request to provide data or exercise your other rights. For this reason, we may ask you to indicate your name, surname, e-mail address or telephone number, so that we can check whether the data you provide correspond to the respective data, or to sign your request with a qualified electronic signature.
Upon receipt of your request concerning the exercise of any of your rights, and having successfully carried out the above verification procedure, we commit to inform you about the actions we took according to your request without undue delay, and in any case no later than one month from the date of receipt of your request and completion of the verification procedure. Having regard to the complexity and number of requests, we have the right to extend the period of one month by two additional months, informing you thereof by the end of the first month and indicating the reasons for this extension.
If your request is submitted by electronic means, we will also give you an answer by electronic means, except for cases where this is impossible (e.g., due to a particularly large scope of information) or when you ask us to respond in another way.
We will refuse to satisfy your request by a reasoned response when the circumstances specified in legislation are identified, notifying you thereof in writing.
13. Updating your data
Please let us know if the personal information that we hold about you needs to be corrected or updated. You are responsible for maintaining the confidentiality of the data you provide to us and for ensuring that the data you provide to us is accurate, correct and complete. If the data you provide changes, you must inform us immediately by e-mail. In no circumstances will we be liable for any damage caused to you as a result of you providing incorrect or incomplete personal data or failing to inform us of a change in the personal data you have provided.
14. Changes to our Privacy Policy
We may amend this Privacy Policy at any time. In case of material changes, we may inform you about them via email. This Privacy Policy was last updated in [X].
15. Contact Information
We will use all reasonable efforts to answer any questions or resolve any concerns regarding your privacy promptly.
All comments, queries and requests relating to our use of your personal information are welcomed. If you would like to contact us, please write to dpa@opaltransfer.com.