Privacy Policy



1. Who we are
This website is operated by Exchange Capital Partners Ltd (“ECAP”) and, where relevant, ECAP (IOM) Limited.

Exchange Capital Partners Ltd
1 Gemini Court, 42a Throwley Way, Sutton, England, SM1 4AF

ECAP (IOM) Limited
Mezzanine Level, 10–12 Prospect Hill, Douglas, Isle of Man, IM1 1EJ  

In this policy, “ECAP”, “we”, “us” or “our” refers to one or both entities, depending on which you deal with and where you are located.  

For the purposes of data protection law, ECAP generally acts as:

a data controller in relation to personal information we collect via our website, in our own marketing and in the operation of our business; and 
• a data processor when we process personal information on behalf of our clients and regulated partners in connection with services they provide. 

When we act as a processor, we do so only on the documented instructions of the relevant controller and in accordance with our contractual and legal obligations.

When we act as a data processor
In many cases, particularly where you enter a relationship directly with one of our regulated partners, that partner will be the data controller for your personal data. ECAP may process your personal data on their behalf as a data processor.

In those circumstances, the partner’s own privacy notice will explain how your personal data is used and your rights. If you have questions about how your personal data is processed in those scenarios, you should contact the relevant partner in the first instance.

If you have any questions about this policy, please contact us at admin@exchange-capital.com

2. Scope and applicable law
This privacy policy explains how we collect, use, disclose and protect personal information when you:

• visit or use our website (www.exchange-capital.com); 
• contact us about our services; or 
• subscribe to our updates or events. 

For individuals in the United Kingdom, we process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For individuals in the Isle of Man, we process personal data in accordance with the Isle of Man Data Protection Act 2018 and the Data Protection (Application of GDPR) Order 2018 (the “applied GDPR”).

3. What personal information we collect
The information we collect will depend on how you interact with us. It may include: 
• Identity and contact data – name, job title, company, postal address, email address, telephone number. 
• Business information – details about your organisation, role, sector and the nature of your enquiry or relationship with us. 
• Onboarding and KYC information (where you proceed towards a facility with one of our partners), information we or our partners request to meet regulatory and compliance requirements. 
• Usage and technical data – IP address, browser type, device identifiers, pages visited and interactions with our • website (collected via cookies and similar technologies). 
• Marketing and communication preferences – your choices about whether and how you wish to receive marketing from us. 
We may collect this information directly from you (for example through forms, emails or calls), from your organisation, from our partners, or from publicly available sources where appropriate.

4. How we use your personal information and legal basis
We use personal information for the following purposes and under these legal bases
1. To respond to enquiries and provide information you request
A. For example, when you contact us for information about FX, payments, banking or related services.
B. Legal basis: our legitimate interests (to respond to enquiries and operate our business) and, where appropriate, taking steps at your request prior to providing a service.

2. To arrange and manage a potential or existing client relationship
A. Including assessing your needs, introducing you to regulated partners where appropriate, and coordinating the services they may provide. 
B. Legal basis: performance of a contract or taking steps at your request before entering a contract; and our legitimate interests in managing our business and relationships. 

3. To send you relevant marketing communications
A. Such as information about ECAP services, insights or events that we believe may be of interest to you. 
B. Legal basis: 
     I. Legitimate interests, where we are marketing similar services to existing or prospective business contacts; or 
     II. Consent, where required by law (for example, some email marketing). 
C. You can opt out of marketing at any time. See section 9 below.

4. To operate, maintain and improve our website
A. Including monitoring performance, improving content, ensuring security, and understanding how visitors use the site. 
B. Legal basis: our legitimate interests in running an effective, secure website.

5. To comply with legal and regulatory obligations
A. For example, anti-money laundering, anti-fraud, sanctions, record-keeping, and responding to requests from regulators or law enforcement. 
B. Legal basis: compliance with legal obligations and, where applicable, our legitimate interests in cooperating with regulators and protecting our rights.

When we act as a data processor on behalf of a controller, our legal basis for processing is that processing is necessary for the purposes of the controller’s legitimate interests or other lawful basis, and we act only on that controller’s documented instructions.

5. Who we share your information with
We may share your personal information with: 
• Our group entities. Exchange Capital Partners Ltd and ECAP (IOM) Limited, where necessary to coordinate our services. 
• Our regulated partners including FCA-regulated firms that provide banking, payment and FX services, such as Ebury Partners (UK) Ltd, Global Currency Exchange Network Ltd and The Currency Cloud Ltd, where this is necessary in connection with the services you request. 
• Other service providers such as IT, hosting, analytics, professional advisers and other suppliers who act on our instructions and are subject to confidentiality obligations. 
• Authorities and regulators where we are required to do so by law, regulation or court order, or to protect our rights or the rights of others. 

We do not sell your personal information.

6. International transfers
Because we work with global partners and service providers, your personal information may be transferred to, and processed in, countries outside the United Kingdom and the Isle of Man.

Where we do this, we will ensure that appropriate safeguards are in place, such as:
• an adequacy decision from the UK or Isle of Man authorities in respect of the destination country; or 
• standard contractual clauses or equivalent legal mechanisms with the recipient; 
• other safeguards required under UK GDPR or the applied GDPR.

You can contact us for more information about the safeguards used for any transfer.

7. How long we keep your information
We keep personal information only for as long as reasonably necessary to fulfil the purposes described in this policy and to meet legal, regulatory and reporting requirements. In general: 

enquiry and marketing records are kept for a period that reflects our sales cycle and your level of engagement;
client-related records are kept for the duration of the relationship and for a period afterwards as required by law (for example, financial and anti-money laundering rules).

When we no longer need personal information, we will securely delete or anonymise it.

Specifically: Data collected in relation to Currency Cloud accounts is retained for a period of 5 years.


8. Marketing and your choices
We may use your contact details to send you information about ECAP services, events or insights that we believe may be relevant.

You can opt out of marketing at any time by:
• clicking the “unsubscribe” link in any marketing email; or 
• emailing us at admin@exchange-capital.com with “Unsubscribe” in the subject line.

Even if you opt out of marketing, we may still contact you about service or legal communications where this is necessary (for example, in relation to a specific enquiry or relationship).

9. Your rights
Depending on where you are located and subject to certain conditions, you may have the following rights in relation to your personal information:

• Access – to obtain a copy of the personal data we hold about you. 
• Rectification – to correct inaccurate or incomplete data. 
• Erasure – to ask us to delete your data in certain circumstances. 
• Restriction – to ask us to restrict how we use your data in certain circumstances. 
• Data portability – to receive certain data in a structured, commonly used, machine-readable format and/or have that data transmitted to another controller. 
• Object – to object to our processing where we rely on legitimate interests, including an absolute right to object to direct marketing. 
• Withdraw consent – where we rely on consent, you can withdraw it at any time. 
• To exercise any of these rights, please contact us using the details above.

You also have the right to raise concerns with the relevant data protection authority:
• In the UK – the Information Commissioner’s Office (ICO) (www.ico.org.uk). 
• In the Isle of Man – the Isle of Man Information Commissioner (see www.inforights.im). 

We would, however, appreciate the chance to deal with your concerns before you approach a regulator, so please contact us in the first instance.

10. Cookies and similar technologies
Our website may use cookies and similar technologies to: 
• help the site function properly; 
• understand how visitors use our site; 
• improve performance and user experience.

Further details are provided in our Cookie Policy, which explains the types of cookies we use and how you can control them through your browser settings and consent choices.

11. Security
We take reasonable technical and organisational measures to protect personal information from loss, misuse, unauthorised access, disclosure, alteration and destruction. These measures include access controls, encryption where appropriate, and regular review of our information security practices.

However, no internet transmission or storage system can be guaranteed as completely secure, and you transmit information at your own risk.

12. Children 
Our website and services are not directed at children, and we do not knowingly collect personal data from anyone under 18. If you believe that a child has provided us with personal information, please contact us and we will take appropriate steps to delete it.

13. E-mail communications
Please note that e-mail is not always a fully secure means of communication. If you choose to send information to us by e-mail, you do so at your own risk. Where appropriate, we can arrange more secure methods for transmitting sensitive information.

14. Changes to this policy
We may update this privacy policy from time to time to reflect changes in law, regulation or how we operate. Any changes will be posted on this page with an updated “Last updated” date. We encourage you to review this policy periodically.