This notice is also available in Malay, Bahasa Indonesia and French.
This privacy notice explains the ‘what’, the ‘why’ and the ‘how’ of our personal data processing when you visit our website or sign up for and use our products and services. It also tells you how to exercise the rights available to you and who to contact if you have any questions about how we process personal data concerning you. Please read it carefully.
This notice is reviewed regularly and may be updated. We will ensure the most up-to-date version of this notice is published here.
Navigating this privacy notice
This notice contains sections explaining:
- What personal data we obtain
- Why we use personal data
- Who we share it with
- What your rights are and how to exercise them
- How to contact us
Our relationship with you
To check which Luno entity you are a customer of, refer to our Terms of Use page. The Luno entity that offers and provides our services is the company that is responsible for protecting personal data. Depending on where you are located, the company with that responsibility will typically be known as the “data controller” or the “responsible party”.
The personal data that we process
The personal data that we process will depend on our relationship with you: the information we collect about you as our customer will differ from the information we obtain about you if you are still being verified as a customer or are just visiting our website. You can find out more about the different account levels at Luno in our Help Centre.
The personal data that you provide us
We obtain personal data from you in various ways, including when you sign up with us (for example, by filling in forms and submitting documents to open an account online or through the app), when you use your Luno account, when you contact us for any reason by email, chat or social media chat, when we contact you to confirm information or instructions (for example when we call you on your mobile number), when you respond to surveys or give us feedback and when you participate in a competition or engage with us on social media or participate in campaigns and promotions.
Categories | Types of personal data |
---|---|
Your basic details | First, last and any middle names; date of birth; nationality; gender; email address; cell phone number |
Identity data | Employment status and industry; your reason for using Luno and (in some cases) your goals and experience; copies of your chosen identity document (e.g. your passport, national ID card); proof of address; and a risk score which we calculate using the data we collect and the data you provide |
Biometric data | Typically a scan of your face taken from a photo or video selfie to compare with the photograph of you on the copy of your identity document that you submit |
Financial data | Source of funds; nature and purpose of business relationship; bank account details; masked PAN debit, credit or other payment card number; voucher details; tax registration numbers; payment preferences |
Transaction data | The amount of the crypto or fiat transaction; fiat balance; crypto wallet address and balance; the type of transaction; wallet details of the recipient |
Correspondence data | Correspondence between Luno and you as a customer, including call recordings and call/chat transcripts, emails, feedback and survey responses |
Communication preferences | When and how you would like us to contact you |
The personal data that is collected automatically
Certain information is collected automatically when you use our services, for example when you use our app or visit our website.
Categories | Types of personal data |
---|---|
Transaction data | The date, time and amount of the crypto or fiat transaction; the currency and exchange rate for crypto/fiat conversions; wallet details of the sender and recipient; payment references/notes; unique BX reference number associated with each customer |
Technical data | IP and MAC address; device IMEI number; mobile network information; login method; URL chain; browser type and version; device type, advertising ID, platform and operating system version; time zone; browser plug-ins used; service diagnostic logs; error reports; language preference |
Usage data | Information about your visit and use of our services including what you viewed and what you clicked on and the date and time of your actions; what you viewed and searched for; page and app performance including response times, whether there were errors or issues; length of time of your visit and use; your interactions with a page including scrolls and clicks; how you navigated away from a page |
From cookies and other similar technologies | Please see our separate cookie policy on our website |
Information about your location | Information that identifies your location in a reasonably specific way based on an IP address or GSM, GPS and/or WiFi. We will request and obtain your permission through your device settings where required to do so |
Referral details | If you sign up using a referral code, the details of the Luno customer whose referral code you used, as well as the details of the Luno customers who sign up for a Luno account using your referral code; your reward level, details of claimed and awarded promotions, total value of promotions |
The personal data we may obtain from other parties
We also obtain personal data from other companies in the course of providing our products and services to you and for managing our business and operations.
Categories | Types of personal data |
---|---|
Luno Group companies | We may receive personal data about you from other Luno Group Companies in the normal course of business. This is because Luno is a global company headquartered in the United Kingdom. Luno Group Holdings Limited in the UK is the parent company of each operating entity and provides certain services to, and receives certain services from, each of our operating entities. |
Publicly available records | We may use public registers to obtain information about you. Examples of registers include sanctions lists, company and business repositories, government population registers and the media. |
Public blockchain | When you choose to create a wallet for your cryptocurrency, we can see your address on the public blockchain. |
Analytics providers | We receive information based on an analysis of how our customers use our products and services. |
Intermediaries | We may receive information from an intermediary, for example when a financial advisor or broker introduces you to Luno. |
Signing up with a social account | When you choose to sign up using an existing Apple, Google or Facebook account, we will receive your name and email address. |
Market research providers | We may receive personal data when we conduct user and customer surveys. |
Other third party providers | We may obtain personal data from other third party providers such as credit reference agencies and KYC and sanctions screening providers. |
Sensitive personal data
We may be required to collect personal data that is considered sensitive or is classed as “special category” personal data. Sensitive personal data usually requires added protections under local law. We will only process sensitive personal data for limited purposes and when permitted by local law.
We may process the following categories of sensitive or “special categories” of personal data:
- Biometric data (see the section “Biometric data” below)
- Personal data concerning criminal convictions and offences
Where we obtain sensitive personal data about you for carrying out KYC and AML screening we typically do so because it is necessary for reasons of substantial public interest under relevant regional and local anti-money laundering and anti-financial crime laws.
Biometric data
We need to verify your identity before you may open an account with Luno, update your security-related information (such as your email address, password, etc.) or recover your account or password. To verify your identity, we will ask you to take a photo or video selfie which we’ll compare with the photo on your chosen identity document (e.g., your passport or national ID book or card) to see if they match. The information collected from your selfie includes biometric data, which we process to comply with strict know your customer and anti-money laundering screening requirements. We do this because it is necessary for reasons of substantial public interest under relevant regional and local anti-money laundering and anti-financial crime laws and regulations. Where required by local law, we will also ask for your consent to collect and use biometric data.
For more information on the service providers we use please see the “Who we share personal data with and why” section below.
Biometric data is securely held by our third party service providers for a period of no longer than 1 year from the time you cease to be a customer of Luno unless special circumstances apply and we instruct them to hold it for longer where we are required by law to do so.
If you refuse, or fail, to provide personal data
You will not be able to access and use our services if you fail or refuse to provide personal data that we are obliged to collect by law or that is needed to enter into and perform under our Terms of Use.
Why we use personal data
This section explains why we use personal data and the legal bases we rely on to use it. In most cases we use personal data because we need it to enter into and perform under our Terms of Use, to pursue our legitimate interests or those of third parties and to comply with our legal obligations. We may also ask for your consent before using certain personal data, including if the law of your country of residence does not recognise one or more of these legal bases.
Personal data needed to enter into and perform our contract with you
It is necessary for us to process personal data to enter into and perform under contracts we have with you, in particular our Terms of Use. For example, we need to review your application for an account, open your account to enable you to transact on the Luno platform and provide support to you when you need it. We won't be able to provide our services to you if we cannot process personal data on this basis.
Our reasons for using personal data | Categories of personal data |
---|---|
In order to open and to maintain your Luno account: When you register with us and apply to open an account and to create and manage your account in accordance with our Terms of Use. | We may process all or some of the following categories of personal data: |
In order to provide our services to you: When you process and execute transactions on the Luno platform, including using our instant buy, your Luno wallet to send and receive cryptocurrency, repeat-buy, bundles and staking products, fiat deposits and fiat/crypto conversions, and other products we may offer our customers in the future. | We may process all or some of the following categories of personal data: |
When you enable and use beta features in Luno Labs: You may choose to participate in testing and providing feedback on new features before they are widely released. | We may process all or some of the following categories of personal data: |
In order to provide you with customer support: We use personal data to communicate with you, by email, chat or phone call about your account, provide you with guidance and support, solve problems and issues you may encounter with your account, troubleshoot, and to resolve complaints and disputes, to contact you about your experience or to respond to a review you left on an app store or public website. We may also process personal data to authenticate you before responding to your request or as part of the account or password recovery processes. We record and monitor our communications with you to make sure we have understood your instructions, to improve our service and to train our customer success team, with the aim of preventing mistakes from occurring. | We may process all or some of the following categories of personal data (only if and to the extent necessary to respond to your query): |
In order to send you important communications about your account and our services: We will notify you of service interruptions, important changes and security issues affecting your account. | We may process all or some of the following categories of personal data: |
To maintain the safety, integrity and security of our services: We need to understand our customers' circumstances and their use of our services to prevent, detect and investigate inappropriate, fraudulent, unlawful or unauthorised use of our services as set out in our Terms of Use, and to maintain the security of your account with us. Please see our security page for more information on how we keep your account secure. | We may process all or some of the following categories of personal data: |
Personal data needed to pursue our legitimate interests
We may process personal data for our legitimate interests, such as in running and growing our business and improving our products and services. If the law of your country does not recognise the legitimate interest ground then we process personal data for the reasons set out in the table below based on your acceptance of this Privacy Notice and your continued use of our services.
Our reasons for using personal data | Categories of personal data |
---|---|
To help you make an informed decision about the right product for you: We may ask you about your circumstances and goals so that you can find the product that is right for you. For example, you might be interested in buying crypto in the simplest possible way or you might be interested in more advanced trading and wish to use our exchange. | We may process all or some of the following categories of personal data: |
To give you a better experience: We analyse usage and engagement with our products and services to personalise and improve your experience. This could also include the creation of anonymised aggregate demographic groups or “segments”. | We may process all or some of the following categories of personal data: |
To improve our products and services and to research and innovate: We have an interest in improving our products and services to be competitive, innovative and to give our customers a first class experience. To do this we use data to prepare anonymous metrics about how our products and services are used for reporting purposes and to guide improvements. We ask you about your experience and to give your opinion on a product or service. We do this by conducting customer and market research, for example through surveys and user testing, to better understand the needs of our customers, to get feedback on our products and services, to identify pain points and to improve our products and services. This could also include the creation of anonymised aggregate demographic groups or “segments”. | We may process all or some of the following categories of personal data: |
To offer promotions and provide rewards: We have an interest in rewarding our loyal customers. We do this by providing opportunities to benefit from promotions, prize draws and incentives. | We may process all or some of the following categories of personal data: |
To market our products and services that might be of interest to you: It is in our interest to promote our products and services that you may be interested in. We may send you messages about our products, features, promotions, surveys, news updates and events which may be sent by email, push notification or in-app notification. These messages may be personalised based on an analysis of your use of our products and your transactions to offer what we think may be of interest to you. We will obtain your consent before sending you these messages where we are legally required to do so. If you agree, we will send you messages about products, services and events of our trusted partners which we think may be of interest to you. We also use personal data to measure the performance and effectiveness of our marketing campaigns (such as how many people engaged with or responded to an ad) and to make sure that our campaigns are effective and reach the right people. | We may process all or some of the following categories of personal data: |
To maintain the quality, integrity and security of our services including our website and app: In addition to the steps we take to protect our services under the Terms of Use we also process personal data to keep the Luno app and website safe and secure through ongoing monitoring, testing and improvements and to conduct customer risk assessments. We do this to identify any unusual behaviour which could be indicative of misuse, compromised accounts or accounts that may be abused for financial crime reasons. We also screen against various databases, both internally and externally, to establish whether there may be a risk to Luno or our customers associated with providing our services to a customer, and to ensure that we are not involved in dealing with or assisting in criminal activities and the proceeds of crime. | We may process all or some of the categories of personal data listed in the “The personal data we collect” section above. |
To record calls and chat conversations: When we chat with you or call you on your mobile phone, we record our conversation for quality assurance (for example, to make sure we have understood your instruction, query or concern) and for training purposes. | We may process some or all of the following categories of personal data: |
For organisational purposes: We may process personal data to manage our business (including collection and recovery of fees and payments) and in connection with corporate transactions such as mergers, acquisitions or divestitures. | We may process all or some of the categories of personal data listed in the “The personal data we collect” section above. |
To comply with our legal obligations
All of the countries we operate in have laws and regulations that require us to process personal data in order to comply with them. For example, we have legal and regulatory obligations to detect, investigate and prevent financial crimes like fraud, money-laundering, terrorist financing, proliferation financing and circumvention of sanctions. If you fail to provide personal data that we need to meet our legal obligations we can’t provide products and services to you.
Our reasons for using personal data | Categories of personal data |
---|---|
To verify your identity and decide whether to approve your application, as part of our "know your customer" procedure: We comply with anti-financial crime laws to prevent financial crimes like money-laundering and terror financing and to prevent us from establishing a business relationship with companies and countries appearing on sanctions lists issued by authorities such as the United Nations, European Union, UK Treasury and US Office of Foreign Assets Control (OFAC). If you would like to know more please visit our Help Centre. It is also necessary to check your location to make sure you are verifying your account in the correct country and to ensure you are not in a sanctioned country. If you would like to know more about location sharing please see the “Luno asked me to share my location. Why?” article in our Help Centre. We also use your biometric data to ascertain and verify your identity, typically by comparing a scan of your face taken from a photo or video selfie with the photograph on the copy of the identity document you provide. You can find more information on Luno’s approach to combating money-laundering and financial crime in the Compliance Information page on our website. | Note, the exact categories of personal data we collect will depend on the account verification level. We may process all or some of the following categories of personal data: |
To comply with other legal and regulatory obligations: We are also required to use and share personal data in response to civil and criminal legal claims, legitimate requests from law enforcement authorities investigating criminal activity, requests from tax and other supervisory authorities. We also have obligations to: | We may process all or some of the following categories of personal data: |
When we ask for your consent to process personal data
Depending on where you are located you may have the right to withdraw your consent to our processing of personal data for the reasons below. You always have control over your device permissions and in-app settings. If you do withdraw your consent we will stop processing personal data relating to you, however prior processing will not be affected. We may also ask you to consent to processing when local law does not recognise the legal bases above.
Our reasons for using personal data | Categories of personal data |
---|---|
For enabling device permissions for our app: We need your permission to collect information from your device to provide our products and services. Examples include requesting access to your camera, microphone, photos and location. | We may process all or some of the following categories of personal data: |
To protect your vital interests or the vital interests of others
We might have to use and share personal data where strictly necessary to respond to emergencies.
Our reasons for using personal data | Categories of personal data |
---|---|
To preserve and share personal data with law enforcement or others: In rare situations, we might have to preserve or share personal data in an emergency or where there is a risk to a person’s safety. | The actual categories of personal data we collect will depend on the situation requiring disclosure to protect the vital interests of individuals. |
Automated Decisions
Our onboarding procedure is partially automated and we may make decisions regarding your eligibility as a customer by automated means. This means that we use technology to decide whether to accept you or refuse to onboard you as a customer. If we do not have enough information for the technology to make a decision on your eligibility, we will ask you to re-upload your documentation or a member of our Customer Success team will be in touch with you. If the automated procedure determines that you are underage, do not meet our acceptance criteria or are found to be violating our Terms of Use, your application will be automatically denied.
You always have the option to start the sign-up process again if you are rejected, or can reach out to our Customer Success team if you have any questions.
Marketing
We may send you information about our products, services, news and promotions, or otherwise communicate with you, by email, push or in-app notifications, text message or other means for marketing purposes. When we communicate with you for marketing purposes we will do so only in accordance with applicable laws relating to consent and opt-outs.
You may opt out of receiving marketing communications at any time by clicking on the “Unsubscribe” option included in every marketing communication sent to you. You can also manage your communications preferences in your account communications settings in our app or on our website. Please note that unsubscribing from marketing content will not stop you from receiving important communications in relation to the security or operation of your account or the Luno product (for example when we need to inform you of upcoming maintenance, changes to our Terms of Use, in the event of a security incident, etc.).
Cookies and similar technologies
You can adjust your cookie preferences online when you visit our website or by adjusting the settings on your browser. Please see our cookie policy for more information about the cookies we use.
Who we share personal data with and why
Luno engages third party service providers and works with partners and other third parties to provide our products and services to you. This requires us to share or give access to personal data to these parties for certain reasons.
Category of recipient | Further details |
---|---|
Luno Group Companies | As we are a global business, personal data may be shared with other Luno Group companies to facilitate our operations. |
Identity verification, KYC and sanctions screening services | We use service providers who support our identity verification, sanctions screening and general KYC processes and help us to comply with legal and regulatory requirements, including: |
Fraud detection and transaction monitoring | We use service providers who provide fraud detection and transaction monitoring solutions that help us comply with legal and regulatory requirements and to safeguard our services. These recipients include: |
When you link your account to a third party service provider | For example if you link your Luno account to your bank account or to other websites and services. These third parties should process personal data in accordance with their own privacy notices. |
Law enforcement, government, and supervisory authorities, industry bodies, and our professional advisors | We share personal data to: |
In the context of corporate transactions and restructuring | Personal data may be shared or transferred if Luno is acquired, merged or otherwise restructured, or if a change of control occurs or we become insolvent. It might be necessary for us to share personal data when evaluating and entering into transactions involving the purchase or sale of assets. |
Other service providers | We use service providers who help us to operate our platform and provide our services to you including in relation to technical infrastructure, marketing and analytics, and web and app development: |
How long we keep personal data for
We will typically retain personal data for the duration of your relationship with us, and afterwards for such period as may be necessary for our legitimate business purposes (including compliance with our legal obligations, preventing fraud, resolving disputes and enforcing agreements), to protect the integrity of our services, to protect the safety and security of our customers and to comply with the law.
We follow our internal data retention policy to determine appropriate retention periods for personal data. A retention period depends on a combination of factors such as when the personal data was collected and our reasons for collecting and using it, the amount and sensitivity of the personal data, whether it is needed to provide our services to you or to comply with our legal obligations, whether the personal data forms part of a master record subject to specific retention periods (for example under tax, regulatory, company administration, employment and/or accounting requirements and guidelines) and if we believe there is a prospect of a dispute or litigation.
You may ask us to delete personal data in certain circumstances. For more information please see the section “Your rights” below.
International transfers of personal data
Luno is a global organisation and, in the course of providing our products and services to you, personal data may be transferred to, and processed in, countries other than the country in which you are located. Those countries may have data protection laws that provide a level of protection which is lower than that available in your country. For example, personal data will be processed by Luno companies in various jurisdictions and by our third parties who operate around the world. We will only transfer personal data where permitted by local law and with appropriate safeguards such as standard contractual clauses.
Keeping personal data secure
Luno places great importance on ensuring the security of our systems and personal data. We maintain an ISO 27001 certification, which requires us to implement and regularly review appropriate and reasonable technical and organisational security measures to keep personal data safe. Our employees are trained to handle personal data securely and with the utmost respect, failing which they may be subject to disciplinary action. For more information on Luno’s security processes please visit the security page on our website.
Your rights
Depending on the applicable law and the reason for the processing, you may be entitled to exercise the following rights:
Ask us to give you access to personal data.
This right entitles you to receive confirmation that we process personal data relating to you and you may sometimes also be able to request a copy of the personal data.
Ask to have personal data erased.
This right entitles you to ask us to delete or remove personal data concerning you. Please note that we may not be able to comply with your request either in whole or in part because of certain legal reasons. To the extent that we can’t comply with your request we will get in touch with you to give you the reasons for our decision.
Object to our processing of personal data.
Where we process personal data based on our legitimate interests but you believe there are circumstances that mean we shouldn’t, you may submit an objection; however there may be times when we can demonstrate legitimate grounds that override your objection. If we believe we have legitimate grounds to override your objection we will be in touch with you to give you the reasons for our decision. You may also object to our processing for the purpose of sending you direct marketing communications.
Ask for processing to be restricted.
If you are unsure about the accuracy of the personal data we are processing relating to you or you think we shouldn’t be processing it or our reason for processing is unclear, you may ask us to restrict the processing.
Ask for personal data to be corrected or updated.
You may ask us to update any inaccurate or out of date record. Remember that you can always update your details on your Luno profile online or in the app, or by contacting us by email or chat.
Ask us to transfer (or “port”) personal data to you or to a third party.
In limited circumstances, you may ask us to transmit to you or to another company personal data that you have provided to us in a structured, commonly used and machine readable format.
Make a complaint to a supervisory authority.
You may have the right under local law to complain to the local supervisory authority in your country.
Luno will honour these rights to the extent required by law. You may exercise your rights by submitting a request or by emailing us at [email protected].
Personal data of children
You must be 18 years or older to open a Luno account. Our products and services are directed at adults aged 18 years and over, and are not intended for individuals under 18 years old. Luno will not knowingly request to collect personal data from individuals under the age of 18 and we make all efforts to comply with applicable local legal requirements regarding children’s personal data.
How to contact us
Should you have a query in relation to this Privacy Notice or about how we handle personal data, please submit a support ticket or send an email to [email protected].