Privacy Policy

1. Introduction

Keel Money Ltd respects your privacy and is committed to protecting your personal data.

This privacy notice explains how we look after your personal data when you use our services, whether directly or through one of our authorised distributors or agents. It sets out your rights regarding your personal data and how the law protects you.

This notice reflects the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Data (Use and Access) Act 2025 (DUAA 2025), and the Privacy and Electronic Communications Regulations 2003 (PECR), as amended.

The meaning of defined terms used throughout this notice can be found in the Glossary at Section 17.

2. Who We Are

We are Keel Money Ltd (we, us, our).

We are a company incorporated in England and Wales (Company No. 12231881). Our registered address is Ground Floor, Fortunata House, 15 Wellington Road, Eccles, Manchester, M30 0DR.

Keel Money Ltd is authorised by the Financial Conduct Authority (FCA) as an Electronic Money Institution under the Electronic Money Regulations 2011 (Firm Reference Number: 1020783). We are registered with the Information Commissioner’s Office (ICO).

2.1 Our Business Model

Keel Money Ltd operates a business-to-business-to-consumer (B2B2C) model, sometimes referred to as Banking-as-a-Service (BaaS). This means that we provide the regulated electronic money and payment services infrastructure, while our authorised distributors and agents offer these services to you under their own brand. In this model:

where a distributor or agent collects your personal data on our behalf, we are the data controller responsible for that processing;
where a distributor acts as an independent data controller for its own purposes, that distributor is separately responsible for its own processing and should provide you with its own privacy notice; and
in certain arrangements, we and a distributor may act as joint controllers, in which case the essential terms of that arrangement will be made available to you on request.

Regardless of how you access our services, this notice describes the processing carried out by Keel Money Ltd as a data controller.

For more information on what is considered personal data, please visit the website of the Information Commissioner’s Office at www.ico.org.uk.

3. Data Protection Contact

We have designated an internal data protection contact who is responsible for overseeing questions in relation to this privacy notice and for coordinating our compliance with data protection laws. If you have any questions about this notice, including any requests to exercise your legal rights, please contact us using the details set out in Section 14 (Contact Details and Complaints).

4. The Personal Data We Collect

4.1 Sources of Personal Data

We collect personal data from the following sources:

directly from you, when you interact with us or use our services;
from our authorised distributors or agents, who collect your data in the course of providing our services to you;
from identity verification and Know Your Client (KYC) service providers;
from fraud prevention agencies, including Cifas;
from credit reference agencies and adverse media screening providers;
from sanctions and politically exposed persons (PEP) screening databases;
from card schemes (such as Visa or Mastercard) and payment processors;
from HM Revenue & Customs, law enforcement agencies, or other public authorities; and
from publicly available sources, including the electoral register and Companies House.

4.2 Information You Provide

We collect information you (or your distributor or agent on your behalf) provide when you:

fill in any forms;
correspond with us;
register to use an app or platform through which our services are provided;
open an e-money account or use any of our services;
take part in online discussions, surveys or promotions;
speak with a member of our customer support team; or
contact us for other reasons.

4.3 Categories of Personal Data

We will collect and process the following categories of personal data:

your name, address, and date of birth;
your email address, phone number and details of the device you use (for example, your phone, computer or tablet);
your password and other registration information;
details of your e-money account, including account identifiers;
details of any payment instruments (such as debit or prepaid cards) issued to you or registered with us, including card number, expiry date and CVC;
identification documents (for example, your passport or driving licence), copies of any documents you have provided for identification and verification purposes, and any other information you provide to prove you are eligible to use our services;
records of our discussions, if you contact us or we contact you (including records of phone calls);
your image in photo or video form (where required as part of our KYC checks or where you upload a photo to your account);
geolocation data, device identifiers (including IP addresses), and browser or app usage data collected automatically when you use our services;
biometric data where required for identity verification purposes (for example, facial recognition during KYC onboarding);
employment details, where relevant to the verification checks we are required to perform; and
vehicle details, where relevant to the services provided.

If you give us personal data about other people (such as your spouse or family), or you ask us to share their personal data with third parties, you confirm that you have brought this notice to their attention beforehand.

4.4 Special Category and Criminal Offence Data

Certain data we process may constitute special category data under Article 9 of the UK GDPR (for example, biometric data used for identity verification) or data relating to criminal convictions and offences under Article 10 (for example, data processed in connection with fraud prevention). We process such data only where a lawful condition is met, including:

Schedule 1, Part 1, paragraph 10 of the DPA 2018 (preventing or detecting unlawful acts), subject to our maintaining an appropriate policy document;
Schedule 1, Part 2, paragraph 14 of the DPA 2018 (preventing fraud); and
your explicit consent, where applicable and separately obtained.

4.5 Fraud Prevention Notice

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at www.cifas.org.uk/fpn.

4.6 Consequences of Not Providing Personal Data

We are required by law to collect certain personal data from you before we can provide our services. In particular, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017) require us to carry out customer due diligence before establishing a business relationship. If you fail to provide the required data, we will be unable to provide our services to you and may be required to terminate any existing relationship.

5. How We Use Your Personal Data

We will use the information you give us to provide you with the services you have agreed to and to comply with applicable laws and regulations. We apply the principle of data minimisation and will only process personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

5.1 Legal Bases for Processing

We must have a valid legal basis for using your personal data under Article 6 of the UK GDPR. Our legal bases include:

Contract – processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract (Article 6(1)(b)).
Legal obligations – processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(c)). Our principal legal obligations requiring data processing include the Electronic Money Regulations 2011, the MLRs 2017, the Proceeds of Crime Act 2002, the Terrorism Act 2000, the Sanctions and Anti-Money Laundering Act 2018, and the retained UK Wire Transfer Regulation (Regulation (EU) 2015/847).
Legitimate interests – processing is necessary for the purposes of our legitimate interests or those of a third party, except where overridden by your interests or fundamental rights (Article 6(1)(f)). In particular, we have a legitimate interest in preventing fraud and money laundering, verifying identity, protecting our business, and improving our services.
Consent – you have given consent to the processing of your personal data for one or more specific purposes (Article 6(1)(a)). You may withdraw your consent at any time.
Substantial public interest – where we process special category data in accordance with Schedule 1 of the DPA 2018, for example to comply with regulatory requirements relating to vulnerable customers.
Recognised legitimate interests – as introduced by the DUAA 2025, this basis applies to certain pre-approved purposes such as crime prevention, safeguarding, and national security, without the requirement for a full balancing test. We rely on this basis only where the specific conditions set out in the legislation are met.

5.2 Purposes of Processing

The table below sets out the principal purposes for which we process your personal data and the legal bases we rely on:


Purpose	Legal Basis
Account opening and administration – Verifying your identity and address (KYC/CDD), opening and maintaining your e-money account, issuing payment instruments, processing transactions, and providing customer support.	Contract; Legal obligations (EMRs 2011; MLRs 2017)
Enhanced due diligence – Conducting enhanced checks where you or your transactions present a higher risk, including source of funds and source of wealth verification.	Legal obligations (MLRs 2017); Legitimate interests
Fraud and financial crime prevention – Screening against fraud prevention databases, monitoring transactions, sharing data with fraud prevention agencies, and reporting suspicious activity.	Legitimate interests; Legal obligations (MLRs 2017; POCA 2002; Terrorism Act 2000)
Sanctions and PEP screening – Screening your identity against UK, UN, and EU sanctions lists, and politically exposed persons databases.	Legal obligations (Sanctions and Anti-Money Laundering Act 2018; MLRs 2017)
Safeguarding of funds – Processing data as necessary to safeguard your funds in accordance with the Electronic Money Regulations 2011.	Legal obligations (EMRs 2011)
Regulatory reporting and cooperation – Providing data to the FCA, the Payment Systems Regulator, the National Crime Agency, HMRC, or other competent authorities as required.	Legal obligations; Legitimate interests; Substantial public interest
Wire transfer information – Collecting and transmitting payer and payee information in connection with fund transfers.	Legal obligations (UK Wire Transfer Regulation)
Statistical and analytical purposes – Preparing anonymised or aggregated datasets for forecasting, service improvement, and regulatory compliance.	Legitimate interests
Technical purposes – Managing our platforms, troubleshooting, data analysis, testing, and maintaining security.	Contract; Legitimate interests
Marketing – Personalising your experience and providing partner promotions (with consent).	Consent; Legitimate interests
AI and automated processing – Using automated systems for transaction monitoring, fraud detection, sanctions screening, and risk assessment.	Legitimate interests; Legal obligations; Recognised legitimate interests

6. Fraud Prevention

Before we provide services to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP addresses, and vehicle details.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services you have requested.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

7. Automated Decision-Making

As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.

We also use automated processing for:

real-time transaction monitoring to detect potentially fraudulent or suspicious patterns;
sanctions screening, matching your identity against UK, UN, and EU sanctions lists; and
risk scoring to determine the level of due diligence applicable to your account.

You have rights in relation to automated decision-making. You may request meaningful information about the logic involved in any automated decision, and ask a member of staff to review an automated decision. If you want to know more, please contact us using the details in Section 14.

7.1 Consequences of Processing

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services you have requested, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us using the details in Section 14.

7.2 Safeguards

Under the DUAA 2025, where we make solely automated decisions that produce legal effects or similarly significant effects concerning you, we will ensure that appropriate safeguards are in place, including the right to obtain human intervention, express your point of view, and contest the decision. We will inform you at the point of data collection if automated decision-making will be used.

8. Restrictions on Disclosure

There may be circumstances in which we are unable to inform you about how your personal data is being processed or the reasons for decisions we have taken in relation to your account. In particular:

where we have made or are considering making a suspicious activity report (SAR) to the National Crime Agency under Part 7 of the Proceeds of Crime Act 2002 or Part III of the Terrorism Act 2000, we are prohibited by law from disclosing the existence or content of any such report (“tipping off”);
where disclosure could prejudice the prevention, detection, investigation or prosecution of criminal offences; and
where we are subject to a court order, regulatory direction, or other legal restriction preventing disclosure.

In such cases, our obligations under the UK GDPR (including the rights of access and the duty to provide reasons for automated decisions) are subject to the restrictions and exemptions set out in Schedule 2, Part 1 of the DPA 2018 and in the MLRs 2017.

We may share your personal data with the following categories of recipients when it is necessary for the provision of our services, the prevention of financial crime, or compliance with our legal and regulatory obligations:

our authorised distributors and agents, to the extent necessary for the provision of our services to you;
card schemes (such as Visa and Mastercard), card processors, and settlement networks, for the purpose of issuing payment instruments and processing transactions;
identity verification, KYC, and anti-money laundering service providers;
fraud prevention agencies, including Cifas, in order to prevent fraud and money laundering and to verify your identity;
credit reference agencies and adverse media screening providers;
the National Crime Agency, in connection with suspicious activity reports;
HM Revenue & Customs, the Financial Conduct Authority, the Payment Systems Regulator, and other competent regulators and authorities, where required by law;
safeguarding credit institutions, with which we hold safeguarded funds in accordance with the Electronic Money Regulations 2011;
law enforcement agencies, to detect, investigate and prevent crime;
third-party cloud computing and hosting providers who provide essential infrastructure, data storage, and security services;
professional advisers, including lawyers, auditors, and insurers, who provide consultancy, legal, insurance, and accounting services;
the Information Commissioner’s Office, where required by law or in connection with data protection matters; and
any successor, assignee, or purchaser of all or a substantial part of our business, in connection with a merger, acquisition, or reorganisation.

10. International Data Transfers

Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place.

Where we or our service providers transfer personal data outside the United Kingdom, we ensure that appropriate safeguards are in place in accordance with the UK GDPR. These safeguards include:

transfers to countries that have received a UK adequacy decision (including EU/EEA member states, whose adequacy was renewed in December 2025 and extended until December 2031);
the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses, where no adequacy decision is in place;
Binding Corporate Rules, where approved by the ICO; and
any other transfer mechanism permitted under Article 46 of the UK GDPR.

You may request a copy of the safeguards we have in place for any international transfer of your personal data by contacting us using the details in Section 14.

11. Storage and Security of Your Personal Data

We process your information through servers located in the EEA and the United Kingdom. Those servers are located across a number of secure data centres managed by our hosting providers.

Although we implement appropriate technical and organisational measures to protect your personal data, the transmission of information via the internet can never be completely secure. Any transmission is therefore at your own risk.

11.1 Data Retention

We will retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements. Our principal statutory retention obligations include:

customer due diligence records: five years from the date on which the business relationship ends or an occasional transaction is completed, as required by regulation 40 of the MLRs 2017;
transaction records: five years from the date on which the transaction is completed, as required by regulation 40 of the MLRs 2017; and
general account and business records: six years following the closure of your account, in accordance with limitation periods under English law.

Where fraud prevention agencies hold your data as a result of a filing, they may retain it for up to six years. Where we are required by law, regulation, or a court order to retain data for a longer or shorter period, we will comply with that requirement.

11.2 Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

12. Your Rights Over Your Personal Data

Your personal data is protected by legal rights, which include your rights to:

request access to your personal data (commonly known as a “subject access request”);
request that your personal data be corrected;
request the erasure of your personal data;
object to the processing of your personal data;
restrict the processing of your personal data;
request a transfer of your personal data (data portability);
withdraw your consent at any time where we rely on consent as the legal basis for processing;
ask a member of staff to review an automated decision; and
lodge a complaint with the Information Commissioner’s Office or with us directly through our formal data protection complaints process (see Section 14).

For more information or to exercise your data protection rights, please contact us using the details in Section 14.

Please note: the exercise of certain rights (in particular, erasure and restriction) may be limited where we are required by law to continue processing your data, for example under the MLRs 2017 or in connection with ongoing fraud prevention investigations. We will inform you of any such limitation when responding to your request.

12.1 Fees

You are not required to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is manifestly unfounded, repetitive, or excessive.

12.2 Identity Verification

We may need documentation from you to confirm your identity in order to process your request. We will carry out a reasonable and proportionate search of our records when responding, in accordance with the requirements of the DUAA 2025.

12.3 Time Limits

We aim to respond to all legitimate requests within 30 days. It may take longer if your request is particularly complex or you have not supplied requested documentation. If we are unable to respond within 30 days, we will notify you accordingly.

13. Cookies and Similar Technologies

We use cookies to analyse how you use our website and to improve our services.

Under the Privacy and Electronic Communications Regulations 2003 (as amended by the DUAA 2025), certain categories of cookies are exempt from the requirement to obtain prior consent. These include:

cookies that are strictly necessary for the provision of the service you have requested;
cookies used solely for the purpose of carrying out the transmission of a communication;
analytics cookies used to collect statistical data for improving website performance;
functional cookies to enhance website appearance or user experience; and
cookies used for security purposes or to prevent or detect fraud.

For exempt analytics and functional cookies, we will provide you with clear information about how these cookies are used and offer a prominent opt-out mechanism. All other non-essential cookies require your prior consent before being placed on your device.

For more information on cookies, please read our separate Cookies Policy.

14. Contact Details and Complaints

14.1 Contact Details

If you have any questions about this privacy notice, wish to exercise your data protection rights, or have a complaint about how we use your personal information, please contact us:

By post: Keel Money Ltd, Ground Floor, Fortunata House, 15 Wellington Road, Eccles, Manchester, M30 0DR

By internet: Form submission on this page.

14.2 Formal Data Protection Complaints Process

In accordance with the DUAA 2025, we have established a formal data protection complaints process. You may submit a complaint about how we handle your personal data by writing to us at the postal address above, or by emailing our data protection contact. We will acknowledge your complaint within five working days and aim to provide a substantive response within 30 days.

14.3 Escalation to the ICO

You also have a right to complain to the Information Commissioner’s Office, which regulates the processing of personal data.

If, following our review of your complaint, you are still not satisfied, you may contact the ICO. More details can be found on their website at www.ico.org.uk.

You do not have to approach us before contacting the ICO. However, we ask that you contact us first to enable us to address your complaint.

15. Children’s Data

Our services are not directed at children under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18 without appropriate parental consent, we will take steps to delete that data as soon as reasonably practicable.

In accordance with the DUAA 2025, where we provide online services that are likely to be accessed by children, we will take account of children’s need for specific protection with regard to their personal data, given that they may be less aware of the risks, consequences, and safeguards concerned.

16. Changes to This Notice

We will keep this notice under review and will make any relevant updates as required.

Any changes to this notice will be available on our website and within the app. Where material changes are made, we will notify you by email or through an in-app notification before the changes take effect.

17. Glossary

The following terms have the meanings set out below:


Term	Definition
Agent	A person who acts in Keel Money Ltd’s name and on its behalf in the provision of payment services, as registered with the FCA.
CDD	Customer due diligence, the checks we are required to carry out under the MLRs 2017 before establishing a business relationship with you.
Cifas	The UK’s largest cross-sector fraud sharing organisation, which operates the National Fraud Database.
Data protection laws	The UK GDPR, the DPA 2018, and the DUAA 2025, as applicable.
Distributor	A person who distributes or redeems electronic money on behalf of Keel Money Ltd, as permitted under the Electronic Money Regulations 2011.
DUAA 2025	The Data (Use and Access) Act 2025.
EEA	The European Economic Area.
EMRs 2011	The Electronic Money Regulations 2011.
Fraud prevention agencies	Organisations such as Cifas that maintain databases of known fraud and money laundering risks, and which receive and share personal data for the purpose of preventing fraud.
ICO	The Information Commissioner’s Office, the UK’s independent supervisory authority for data protection.
KYC	Know Your Client, the identity verification checks we perform as part of our customer due diligence obligations.
MLRs 2017	The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
Our website / site	Keel.money and all related sites and applications.
PECR	The Privacy and Electronic Communications Regulations 2003 (as amended).
PEP	Politically exposed person, as defined in regulation 35 of the MLRs 2017.
POCA 2002	The Proceeds of Crime Act 2002.
SAR	Suspicious activity report, a report filed with the National Crime Agency under Part 7 of POCA 2002 or Part III of the Terrorism Act 2000.
UK GDPR	The UK General Data Protection Regulation, as it forms part of UK domestic law.
UK IDTA	The UK International Data Transfer Agreement, the UK’s standard contractual mechanism for international data transfers.
We / us / our / Keel	Keel Money Ltd (Company No. 12231881; FCA FRN 1020783).
Your information	Personal data (as defined in data protection laws) about you.