Home Legal Privacy Policy

Legal · Privacy Policy

Privacy Policy

Effective: 1 January 2026

Global Currency Exchange Limited ("GCE") is committed to collecting, using and protecting personal data responsibly in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO") of Hong Kong and, where applicable, the General Data Protection Regulation ("GDPR"). This Privacy Policy explains how we handle personal data in the course of providing our services.

1. Introduction

GCE is registered with the Office of the Privacy Commissioner for Personal Data ("PCPD") in Hong Kong pursuant to section 64 of the PDPO. We comply with the six Data Protection Principles set out in the PDPO and are committed to processing personal data fairly, lawfully and transparently.

This Privacy Policy applies to all personal data collected by GCE in the course of account applications, ongoing client relationship management and platform usage. Where this Policy conflicts with any specific notice we provide in relation to a particular service or processing activity, the specific notice shall prevail.

2. Data We Collect

We may collect the following categories of personal data:

  • Corporate and entity information: Company name, registration number, registered address and principal place of business;
  • Director, officer and UBO personal data: Name, date of birth, nationality, identity documents (passport or national ID) and residential address;
  • Transaction data: Payment amounts, currencies, counterparty information and timestamps;
  • Platform usage data: IP addresses, browser types, device identifiers and API access logs;
  • Communications: Email correspondence, support tickets and call recordings (where applicable); and
  • Financial information: Source of funds and source of wealth documentation, and financial information related to business activities.

As GCE does not serve individual consumers, we do not knowingly collect personal data from individuals under the age of 18.

3. How We Use Your Data

GCE processes personal data for the following purposes:

  • KYB verification and ongoing client due diligence in compliance with AMLO (Cap. 615);
  • AML/CFT transaction monitoring;
  • Platform operation and service delivery, including processing payment instructions and managing accounts;
  • Regulatory reporting as required by Hong Kong law, including to the Customs & Excise Department and the HKMA;
  • Service communications and account management notifications;
  • Fraud detection and prevention; and
  • Improving our platform and services (using anonymised or aggregated data).

GCE does not use personal data for direct marketing purposes without first obtaining the explicit consent of the individual concerned.

4. Data Sharing

GCE may disclose personal data to third parties in the following circumstances:

  • Licensed KYC/identity verification providers, solely for verification purposes;
  • Correspondent banks and payment network partners, solely for transaction processing;
  • Hong Kong regulatory authorities (including Customs & Excise Department, HKMA and JFIU) when required by law or regulatory direction;
  • Professional advisers bound by confidentiality obligations, including legal counsel, auditors and compliance advisers; and
  • Prospective buyers or successors in the event of a business restructuring, merger or asset sale.

GCE does not sell or transfer personal data to any advertisers, data brokers or third-party marketing organisations.

5. Data Retention

Transaction and client records are retained for a minimum of six (6) years in compliance with section 20 of the AMLO. The retention period runs from the date of termination of the client relationship or execution of the relevant transaction, whichever is later.

Data that has passed the applicable retention period will be securely deleted or anonymised such that it can no longer be associated with an identifiable individual.

Data may be retained beyond the minimum retention period for the purposes of fraud investigations, litigation or court orders.

6. Your Rights

Under the PDPO, you have the following rights:

  • Access: Request access to personal data held by GCE relating to you;
  • Correction: Request correction of inaccurate or outdated personal data;
  • Deletion: Request deletion of personal data (subject to legal retention obligations); and
  • Objection: Object to the processing of personal data for direct marketing purposes.

To exercise any of these rights, please submit a written request to our Data Protection Officer (contact details in section 9 below). We will respond to your request within forty (40) days of receipt.

Please note that certain rights are subject to limitations. For example, data subject to legal retention obligations cannot be deleted, and GCE may need to verify the identity of the requestor before processing access requests.

7. Security

GCE implements appropriate technical and organisational measures to protect client data against unauthorised access, disclosure, alteration or destruction. Key security measures include:

  • Encryption at rest using AES-256;
  • Encryption in transit using TLS 1.3;
  • Access controls based on the principle of least privilege;
  • Multi-factor authentication for access to sensitive systems;
  • Regular vulnerability scanning and penetration testing; and
  • Annual independent security assessments.

In the event of a data security incident involving personal data, GCE will notify affected individuals and relevant regulators as soon as reasonably practicable, in accordance with the PDPO and applicable regulatory frameworks.

8. Cross-Border Transfers

Due to the cross-border nature of GCE's payment services, some personal data may be transferred to jurisdictions outside Hong Kong, for example, transaction data transmitted to correspondent banks or payment network partners for the processing of cross-border payments.

GCE ensures that such cross-border transfers are subject to appropriate safeguards, including standard contractual clauses, data processing agreements or adequate protections in the recipient jurisdiction.

For information about the specific safeguards applicable to cross-border transfers, please contact our Data Protection Officer.

9. Contact & Complaints

For queries regarding this Privacy Policy or how we handle personal data, please contact our Data Protection Officer:

  • Email: privacy@gce.hk
  • Post: Data Protection Officer, Global Currency Exchange Limited, Hong Kong SAR

If you believe GCE has not handled your personal data appropriately, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD):