Terms & Policies

Country or region
HKHong Kong SAR

Global Privacy Centre


Last updated: 31 August 2023

Download PDF

Welcome to the Airwallex Global Privacy Centre

Airwallex is committed to protecting the privacy of everyone who engages with our platform. We also value the importance of transparency with respect to our privacy practices. 

We created this Airwallex Privacy Center to help you find answers to frequently asked questions about how we collect and use personal data, the rights that individuals have in relation to personal data held by Airwallex, and how Airwallex complies with international data protection laws, such as the General Data Protection Regulation (GDPR) of the UK and EU.

This content is not legal advice, has been published for your general information purposes only, may not be exhaustive or  current and may be amended from time to time without notice to you.

Depending on the context, “you” may mean any of the following:

  • End User: an end user (individual) who uses our Service, regardless of whether the end user uses our Services for personal use or otherwise. We also collect an End User’s personal information when provided by the Business Customer. 

  • Representative: an individual who is the owner of, or who acts on behalf of a Business Customer (e.g. employee, director or officer of Business Customer who has authority for managing the business customer’s account with us). 

  • Visitor: a visitor (individual) to our sites or who otherwise communicates with us (e.g. if you send us a query on our Support Page) without being logged into an Airwallex account.

  • Business Customer: a business entity who we provide Services to, whether directly or indirectly, or do business with and such Business Customer will provide us with an End User’s personal information in connection with the Business Customer’s and that End User’s respective activities. When you (as an End User or Representative) interact with a Business Customer, your personal information will be collected, retained, shared and/or stored by the Business Customer in accordance with their own privacy policies and not our Global Privacy Policy.

Global Privacy Policy

You can learn about how we collect, use and share information in our Global Privacy Policy.

What is the GDPR? 

The GDPR is the data protection regulation that gives individuals more control over their personal data. The European Union (EU) and United Kingdom (UK) have separate but similar versions of the GDPR.

Under the GDPR, organisations must take great care when processing personal data. Organisations must ensure there is a legal basis for every data processing activity and they must tell people how and why data is used. Individuals also have greater rights under the GDPR, and organisations must be accountable for all processing.

In addition, certain requirements must be satisfied before EU / UK individuals’ personal data may be transferred outside the EU or the UK, unless the organisation receiving the personal data is located in a permitted jurisdiction white listed by the European Commission or UK government. The list of white listed permitted jurisdictions may be found on the European Commission’s website here or the UK government website here.  

What is personal data?

Personal data is any information that is related to an identified or identifiable natural person (e.g. you), such as your name, email address, username, ID, bank account number, card details, telephone number, personnel number, number plate, appearance, customer number or address.  The definition under the GDPR is broad, and can include information that could be used indirectly and/or with other information to identify a natural person – such as device identifiers or IP address. 

What does ‘processing’ mean in this context?

Processing means any operation that is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

Who does the GDPR apply to? 

The GDPR applies to any data processor or data controller in the EU or UK that processes personal data, as well as any data processor or data controller outside the EU or UK that processes the personal data of individuals in the EU or UK residents where the processing activities are related to:

  1. offering goods or services to data subjects in the EU or UK (even if those goods or services are provided free of charge); or

  2. monitoring the behaviour of individuals taking place in the EU or the UK. 

Our Global Privacy Policy sets out who are the UK and EU Airwallex data controllers. 

Is Airwallex acting as a data controller or a data processor?

We act as a data controller in relation to your data.A “data controller” is the entity that determines the purposes and means of the data processing taking place.) 

Airwallex as a data controller processes personal data for activities including the following:

  1. providing the Airwallex products and services;

  2. developing new, or enhancing existing, products;

  3. providing customer support; 

  4. monitoring, detecting and preventing fraudulent activities on our platform; and

  5. complying with the legal and regulatory obligations that apply to Airwallex.

Our Global Privacy Policy sets out in more detail the various processing purposes.

A “data processor” is an entity that acts on behalf of and at the direction of a data controller in processing personal data. As the data processor is acting on the instructions of the data controller, it does not exercise control or decision making over the processing of personal data. A typical data processor would be a software service provider.

Data controllers and data processors have different responsibilities under the GDPR – for example, controllers are in charge of identifying a lawful purpose or legal basis, and must facilitate individual rights requests.

What ‘lawful purpose’ or ‘legal basis’ does Airwallex rely on to process personal data?

Airwallex relies upon a number of legal grounds to process personal data. 

Please refer to section 4 of our Global Privacy Policy for an overview of the types of personal data we collect from you, and the applicable ‘legal basis’ for each under GDPR or other similar laws. 

What rights do I have over my data?

You may have certain rights to your personal data. Airwallex as  a data controller of your personal data is  responsible for managing and responding to your request. You can read more about your rights and how you can exercise your rights in section 7 of our Global Privacy Policy.

Who are Airwallex’s processors and sub-processors and how are they evaluated?

In the course of operating our business and providing our services,  it may be necessary for us to provide personal data to our affiliates or certain third parties. Our affiliates or such third parties may process your personal data as an independent data controller or as a data processor, depending on the circumstances and the nature of the data transfer.  Table A describes who these third parties are and the purpose of transferring such data to them.  We do not sell or share data to third parties for their marketing purposes.

Airwallex also uses data processors to provide services to Airwallex such as technology, professional services and other services which we require to run our business . We make sure we have appropriate safeguards in place to protect any personal data that is processed, including through contractual obligations.

Before a particular data processor is engaged, Airwallex vets and evaluates that data processor through our vendor management program. As required under the GDPR, we enter into a contract with each data processor before sharing data with the data processor. All potential vendors are also vetted and approved through Airwallex’s information security review process before we use their services. This means we investigate their security standards, check their certifications, etc., before we consider sharing any data.

Table A - Description of Third Parties receiving data from Airwallex

Third Party

Purpose

Third party service providers

We engage a variety of service providers (who act as data processors) to enable us to provide our Services to you. For example, service providers may be used to: facilitate payment processing, support technology or infrastructure, cloud storage, conduct market research, marketing analytics, detect fraud, verify identity and perform audits or other functions. We will share your personal information with such service providers only to the extent necessary to allow the performance of their intended engagement. All service providers and business partners that receive your personal information are contractually bound to protect and use your information only in accordance with our Global Privacy Policy.

Our corporate affiliates

To facilitate or support us in providing our Services to you, we may share your personal information within the Airwallex group of companies. All Airwallex group companies may only use your personal information in accordance with the relevant Intra-Group contracts governing such processing and for the purposes set out in our Global Privacy Policy.

Financial and Ecosystem Partners

Our Services may be offered to you (as an End User, Business Customer or Representative) in conjunction with or facilitated by other financial institutions, other payment institutions or other ecosystem partners (such as a provider of accounting or treasury management services or a marketplace payment service provider programmes). In respect of financial or other payment institutions, such transfers and disclosures are necessary in order to provide the Airwallex services to you. In respect of Ecosystem Partners, such disclosures and transfers will be made in the manner you authorised or requested, or described to you (to enable use by you of such ecosystem partners’ products and services) at the time you authorised or requested such disclosures.  When you allow or authorise such 3rd party provider, plugins, widgets, and/or website to access your Airwallex Account or to receive your personal information, this will constitute a request and/ or authorisation.

In respect of Connected Account holders, the Platform (or any Platform partners)

For the Airwallex for Platforms solution, personal information relating to the Connected Account will be transferred to the Platform (or the Platform partners) to allow the Connected Account to consume the Airwallex services via the Platforms’ (or Platforms’ partner’s) website or mobile app.  The Platform (and/or Platform partner)is an independent data controller of the personal information it processes in relation to the Connected Account holder.

Commercial Partners

We may work with a network of Commercial Partners and we may refer you to services provided by such Commercial Partners (as an End User, Business Customer or Representative) or at your direction or request share your information with the Commercial Partners.  Such Commercial Partners provide services under their own licences or authorisations, will have direct contracts with you and are independent data controllers of the data you provide to them or data generated from your use of their services. Airwallex has no responsibility for any Commercial Partner services. Any data that may need to be transferred to such Commercial Partners from us will be done with your consent or as requested by you.

Regulatory Authorities: regulators, judicial authorities and law enforcement agencies, and other third parties for safety, security, or compliance with the law.

There are circumstances in which we are legally required to disclose information about you to authorities (e.g. regulators, judicial authorities, courts, law enforcement agencies, tax authorities, and other public / government authorities both domestic and international), such as to comply with a legal obligation or processes, enforce our terms, address issues relating to security or fraud, or to protect our users. These disclosures may be made with or without your consent, and with or without notice, subject to and in compliance with the terms of valid legal process, including but not limited to regulatory queries or requests, subpoena, court orders, or search warrants. We are usually prohibited from notifying you of any such disclosures by the terms of the legal process. We may also disclose your information to: 

enforce our Master Services Agreement entered into with the Business Customer or End User, or our online terms and conditions accepted by the Business Customer or End User or other applicable agreements or policies, including investigation of any potential violation thereof; 

detect, prevent or otherwise address security, fraud or technical issues; 

protect our rights, property, privacy, or security, or that of others, as permitted by law; or 

comply with relevant law, legal process or governmental requests or orders.

Social Media Platforms

Social media networks such as Facebook, Twitter, Pinterest, and Instagram that offer functionalities, plugins, widgets, or tools in connection with our corporate website or mobile application. If you as a Visitor choose to use these functionalities, plugins, widgets, or tools, certain information may be shared with or collected by those social media companies—for more information about what information is shared or collected, and how it is used, see the applicable social media company's privacy policy.

Potential Acquirers of our business

If we are the subject of or are involved in any corporate merger, acquisition, consolidation, reorganisation, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with bankruptcy or similar proceedings), we may share data with third parties during negotiations. In the event your personal information becomes subject to a different privacy policy, we will make reasonable efforts to notify you beforehand. We also may need to disclose information to a third party in connection with a commercial transaction where we or any of our affiliates are seeking financing, investment or funding.

Other Authorized Parties

If you request (as part of the Services provided to you) or provide your consent, we may share your information including your personal information with a third party not defined in our Global Privacy Policy.

For your reference, we have listed below Airwallex’s typical third party processors and sub-processors:

Vendor 

Data

Purpose of processing

Country of primary contracting entity

i2c 

User data and user's customers' data

Transaction processing, card issuing and maintenance

United States

Google Cloud Platform

User data and user's customers' data

Cloud service provider

United States

Alibaba Cloud Platform

User data and user's customers' data

Cloud service provider

Hong Kong

Zendesk

User data and information provided to Airwallex support by users

Customer support services

United States

Trulioo Information Services

User data and User's customers' data

User identity verification and fraud detection

Canada

Refinitiv

User data and User's customers' data

User identity verification and fraud detection

United Kingdom

Visa

User data and User's customers' data

Transaction processing, card issuing, and maintenance

United States

Mastercard

User data and User's customers' data

Card payment acquiring

United States

Megaport 

Encrypted data shared between cloud providers

Network connectivity between cloud providers

United States

Cloudflare

User data and User's customers data

Network security and anti-DDoS

United States

Valitor

User data and User's customers data

Card payment acquiring

Iceland

Splunk

Airwallex platform analytics and User data

Platform analytics, outage detection, and security monitoring

United States

Google 

Limited User data and internal data

Document creation and processing, mail provider

United States

Zoom Video Communications 

User data, insofar as that is shared in spoken word between the conversing parties, or recorded on the system

Video conferencing system

United States

Idemia

Cardholder name, PAN, CVV, expiration date, shipping address

Printing the cards for issuing

United States / Australia

Concentrix

Customer data

Customer service support function

Philippines

Salesforce 

User data

Customer relationship management platform which stores User contact information as well as supporting information about the business relationship

United States

New Relic

Airwallex platform analytics

Platform analytics and outage detection

United States

Sumologic

Airwallex platform analytics

Platform analytics and outage detection

United States

Equinix 

User data

Hardware data centre services

United States

Hubspot

User data

Customer relationship management

United States

Onfido

User data and User's customers' data

User identity verification and fraud detection

Singapore

Tencent

User data and User's customers' data

User identity verification and fraud detection

Singapore

Our Affiliates

In addition to the above, any affiliate of our global corporate group that does not contract directly with customers may be a data processor or sub-processor of one or more of the Airwallex data controller(s) that are listed for your reference in Section 2 of our Global Privacy Policy

What is a Data Processing Agreement and do I need to have one with Airwallex?

A Data Processing Agreement (DPA) is a contract between a data controller and a data processor, which sets out the roles and responsibilities of the parties when personal data is processed. The GDPR sets out requirements that a DPA must satisfy in order to be compliant, including guarantees around security and that the processor will only act on our instructions.  Airwallex will typically enter into a DPA when it transfers data to third parties who act as data processors to Airwallex.

If you are a customer of the Airwallex for Platforms embedded finance product, the DPA is part of the Master Services Agreement (MSA) that you will sign with Airwallex.  There is no additional DPA or data agreement that is usually required. 

International data transfers

The information presented below is for general information purposes only and is not legal advice. As rules surrounding international data transfers may vary across jurisdictions, please consult with your own legal counsel to familiarise yourselves with the requirements that govern your specific situations.

How does Airwallex deal with international data transfers?

Airwallex uses a set of Standard Contractual Clauses (SCCs) published by the European Commission for cross-border data transfers (for the EU), and the UK International Data Transfer Agreement (UK IDTA) issued by the UK’s Information Commissioner’s Office (for the UK) (in the form of a legal contract), to provide a legal mechanism to transfer EU or UK personal data outside of the EEA/UK/Switzerland, respectively. These are required under European and UK data protection laws and are incorporated into our agreements.

Airwallex continues to adopt appropriate measures to ensure an adequate level of protection of personal data transferred outside the UK, EEA and Switzerland. Our measures include the SCCs and UK IDTA to accommodate international data transfers, as well as a range of technical and organisational measures (described in more detail under the relevant heading below).

Airwallex’s technical and organisational measures

We apply technical and organisational measures to protect the security of personal data. These include an information security management system aligned with ISO27001 and SOC2 Type II as described below:

  • A.5: Information security policies

Airwallex has implemented security policies and standards that are constantly reviewed in line with the overall direction of the organisation’s information security practices. Risk assessments are performed on a regular basis and agreed mitigating controls are included in the policies, standards and procedures to address security globally.

  • A.6: Organization of information security

Airwallex’s information security policies and standard assign responsibilities for information security related tasks. It ensures that the organisation has established a framework that can adequately implement and maintain information security practices within the organisation supported by senior leadership.

  • A.7: Human resource security

Airwallex ensures individuals are screened before employment, makes sure that employees and contractors understand their responsibilities and addresses their responsibilities when they no longer hold that role – either because they’ve left the organisation or changed positions.

  • A.8: Asset management

Airwallex identifies, classifies information assets to define the appropriate level of defence required and defines appropriate protection responsibilities for them. Endpoints are hardened, protected and monitored to help prevent the unauthorised disclosure, modification, removal or destruction of sensitive data.

  • A.9: Access control

Policies and procedures for logical security are formally established and documented. User accounts belonging to Airwallex’s employees and contractors are approved, added, modified, or disabled in a timely manner and are reviewed on a periodic basis.

  • A.10: Cryptography

Airwallex deploys industry standard encryption technologies to protect business data and confidential information at rest and in transit and applies proper key management to the protection of its cryptographic keys.

  • A.11: Physical and environmental security

Airwallex offices have implemented rigorous physical and environmental controls for its security. Airwallex uses security certified GCP and Aliyun data centers and follows its Supplier relationship management process and controls.

  • A.12: Operations security

Airwallex applies management controls, operation controls and technological controls to protect business data and confidential information to provide for sustainable operation of business and application systems. Endpoints are protected against malware to mitigate the risk of infections, critical systems are logged and monitored, systems are hardening following CIS Benchmarks, periodically tested via automatic and manual means.

  • A.13: Communications security

Airwallex networks are managed and controlled in order to protect information within systems and applications. Airwallex uses technology to perform endpoint verification, has implemented firewalls to segregate environments, has clear segregation between production and non-production environments, access control lists, 2 factor authentication (i.e. software and hard token). Airwallex has also implemented strict endpoint controls for employees connecting to public networks (e.g. WFH arrangements) to consider the increased risk levels and to manage these risks. Airwallex also monitors its platforms to detect any anomalies that may present a threat to the company.

  • A.14: System acquisition, development and maintenance (13 controls)

Airwallex has implemented a DevSecOps model and embedded security into the SDLC. It has integrated the security, availability and confidentiality into product design, and provides related functions to meet the user entities’ requirements on security, availability and confidentiality. It has applied a secured change management process which encapsulates secure coding, configuration, scanning, patching monitoring and frequent testing.

  • A.15: Supplier relationships (5 controls)

Before onboarding Subprocessors, Airwallex conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Airwallex has assessed the risks presented by the Subprocessor, then subject to the engagement requirements the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

  • A.16: Information security incident management

Security incidents and unauthorized disclosures of customer data are communicated to customers, relevant legal and regulatory authorities, and others as required by law, contract, or at the advice of legal counsel, as per defined in the information security management and data breach standards.”

  • A.17: Information security aspects of business continuity management

Airwallex has established corresponding service cycles and service availability commitments to provide high availability of user entities’ business and systems.

  • A.18: Compliance

Airwallex has implemented compliance processes to guarantee it addresses internal requirements, such as policies and standards, and with external requirements, such as laws and regulations and contractual requirements to mitigate the risks of non-compliance and the penalties that come with that.

Does Airwallex use cookies?

Yes, we use cookies and similar technologies (i.e. web beacons, pixels, ad tags and device identifiers) to recognize you and to customize your online experience. Depending on your relationship with Airwallex, different cookies may apply. Please refer to our Cookie Policy for more information.      

Contact Us

If you would like to make any inquiries about our privacy policy, please contact us at: