Welcome to the Airwallex Global Privacy Centre

At Airwallex, we believe that protecting your data is just as critical as protecting your money. Therefore, Airwallex is committed to protecting the privacy of everyone who engages with our platform. We also value the importance of transparency with respect to our privacy practices: we aim to explain in plain language what data we collect, why we collect it, and how we protect it - so there are no surprises.

We created this Airwallex Privacy Center to help you find answers to frequently asked questions about how we collect and use personal data (also referred to as personal information), the rights that individuals have in relation to personal data held by Airwallex, and how Airwallex complies with international data protection laws, such as the EU General Data Protection Regulation (“GDPR”). Personal data is any information that is related to an identified or identifiable natural person (e.g. you). The definition under the GDPR is broad, and can include information that could be used indirectly and/or with other information to identify a natural person – such as device identifiers or IP address. Examples of personal data include your name, email address, username, ID, bank account number, card details, telephone number, personnel number, appearance, customer number or home address.

This content is not legal advice. It has been published for your general information purposes only, may not be exhaustive or current and may be amended from time to time without notice to you.

Depending on the context, “you” may mean any of the following:

• End User: an end user (individual) who uses our services or receives the benefits of our services, regardless of whether the end user uses or receives our services for personal use or otherwise. We may collect an End User’s personal data when provided by the Business Customer. Depending on the services, an End User may be one of the following:

  • An individual customer of our Business Customer making a purchase from a Business Customer

  • An individual, employee, or business receiving a payment from a Business Customer

• Representative: an individual who is the owner of, or who acts on behalf of a Business Customer (e.g. employee, director or officer of Business Customer who has authority for managing the business customer’s account with us). 

• Visitor: a visitor (individual) to our sites or who otherwise communicates with us (e.g. if you send us a query on our Support Page) without being logged into an Airwallex account.

• Business Customer: a business entity who we provide services to, whether directly, such as to Platform Business Customers, or indirectly, such as to Connected Accounts of a Platform Business Customer.  A Business Customer will provide us with an End User’s personal data in connection with the Business Customer’s and that End User’s respective activities. When you (as an End User or Representative) interact with a Business Customer, your personal data will be collected, retained, shared and/or stored by the Business Customer in accordance with their own privacy policies and not our Global Privacy Policy.

You can learn about how we collect, use and store personal data in our Global Privacy Policy.

1. About us 

Airwallex is a leading global financial platform for modern businesses. We are building the future of global finance for a borderless, real-time, intelligent economy.

More than 200,000 companies worldwide – from startups to public enterprises – use Airwallex to manage their global banking and financial operations, or to build and monetize their own financial products using Airwallex infrastructure. 

Founded in Melbourne in 2015, Airwallex holds 80 licenses across North America, Europe, the Middle East, and Asia-Pacific, forming one of the most comprehensive financial infrastructures in the world. This regulated backbone powers Airwallex products at global scale, including: payment acceptance, billing, global accounts, corporate cards, and spend management. 

The company is co-headquartered in San Francisco and Singapore with over 2,000 employees across 26 offices. 

2. Our privacy principles

We operate on a simple principle: we collect data strictly to provide you with our services, including to move money, prevent fraud, comply with law or regulations, or keep your account secure. We avoid collecting extra or unnecessary data. We only ask for what’s needed to comply with legal and regulatory requirements, or to provide the financial services you request or to ensure we will be able to keep your account secure.

We are compliance-focused. We comply with global standards for financial institutions and for data security, from card-security certification (PCI-DSS) to audits and privacy reviews.

3. FAQ

What personal data does Airwallex collect and use?

We are required to know our customers. Therefore, we collect information in order to register your account, verify your identity, process transactions, and keep your funds safe and our platform secure. This can include contact details, identity documents, payment and transaction data, device information, and communications with us. For more detailed information on what personal data we collect and use, please see our Global Privacy Policy.

For what purposes does Airwallex collect and use my personal data?

Depending on how you use our products and services, we generally use your personal data to:

Create, verify and manage your Airwallex account To set up your profile, complete required “know your customer” (KYC) checks, verify your identity, understand the nature and purpose of the relationship and expected activity, and where required, conduct ongoing monitoring and periodic reviews to keep your account secure.

Deliver our financial services Including but not limited to processing payments, FX conversions, transfers, card transactions, wallet features, yield products and global payouts.

Prevent fraud and manage financial crime risk To detect suspicious activity, protect you and our platform, perform customer due diligence and transaction monitoring, meet Anti-Money Laundering (AML)/Counter-Terrorist Financing (CTF) obligations, comply with sanctions requirements (including screening), and where required report unusual activity to competent authorities.

Comply with legal, regulatory and audit requirements To meet obligations under any applicable laws and regulations, tax rules, reporting requirements, and duties to regulators and supervisory authorities.

Communicate with you about your account and activity To send confirmations, alerts, service notices (including security notices and important changes to our services or terms), and respond to support requests.

Improve our platform and develop new features To analyse how our web and app experiences are used, fix issues, enhance performance, and develop new Airwallex services.

Personalise your experience To tailor onboarding, dashboards, settings, features and support based on how you use the platform.

Maintain the security and integrity of our systems To secure your account, our infrastructure, prevent misuse, detect vulnerabilities, monitor for and respond to incidents and keep our services reliable and available.

Inform you about new features, offers and events (depending on your choices) To share relevant updates, offers, events or insights where permitted by law and based on your preferences.

For more detailed information, please see our Global Privacy Policy.

How does Airwallex protect my data?

Security is embedded in everything we do at Airwallex. Before a customer interacts with a product, feature, or change, it undergoes a range of security tests and reviews. Our underlying servers and infrastructure use industry-leading data encryption and access controls to secure your data, transactions, and accounts.

Airwallex takes a multi-layered approach to security, from advanced fraud detection systems to exceeding regulatory compliance requirements. We’ve received multiple globally recognized certifications and implemented a world-class security program to protect your data and transactions. These include an information security management system which is PCI DSS Level 1 certified, SOC1 Type II certified, SOC2 Type II certified, and aligned with ISO27001. 

To ensure the effectiveness of all these security measures, we regularly conduct third-party penetration testing and advanced threat adversary simulation attacks against Airwallex. These tests give us crucial assurance that everything is working as expected and provide invaluable insights to make even further improvements. 

For a full overview and more information about our security practices, please go to our Security Center.

What should I do if I think my account has been compromised?

Please reach out to [email protected] immediately. We have dedicated teams and security processes to help protect your account and investigate suspicious activity.

Who at Airwallex can actually see my data?

Access to personal data within Airwallex is strictly limited and carefully managed to ensure confidentiality, integrity, and security at all times.

We apply a need-to-know and least-privilege approach, meaning employees, contractors and third parties (where relevant) are only granted access to personal data where this is necessary to perform their role, for example, to provide customer support, operate our services, manage risk, or meet legal and regulatory obligations.

Access to systems and personal data is:

• Role-based, with permissions aligned to job responsibilities

• Formally approved and regularly reviewed

• Revoked promptly when access is no longer required (e.g. role changes or departures)

We use strong authentication measures, including multi-factor authentication, to prevent unauthorised access. Access to sensitive systems is logged and monitored to detect and respond to unusual or inappropriate activity.

Employees and contractors with access to personal data are subject to confidentiality obligations, ongoing security training, and internal policies governing acceptable use of data.

These controls help ensure that your data is accessed only when appropriate and handled responsibly across our global organisation.

Does Airwallex sell or rent my data?

No. We don’t sell, rent, or trade personal data, ever. We may provide your personal data, such as online activity (like cookie related data), to partners, such as advertising partners, analytics providers, and social networks, who assist us in advertising our products and services. Sometimes they may be a data processor, sometimes a data controller. When they are a data controller, Airwallex does not control or influence their data processing activities. The data that we use for these purposes are typically information about devices and browsers across certain sites, IP addresses associated with those devices and browsers, and usage data about how our products and services are used. 

For more information about how we collect and use online behavioral information, please see our Cookie Policy.

Does Airwallex use my personal data for profiling or automated decision-making?

We do not use personal data for profiling individuals or for automated decision-making with significant or legal effects on the individual that do not involve human intervention. Some processes, such as identity verification checks and transaction monitoring, are supported by automated systems (which may include AI) to improve speed, accuracy and efficiency of our services to our customers. If these systems provide any automated feedback, the decision is subject to human reviews (where legally required). Where automated processing has a legal or significant effect on you, we will provide the information and/or ask for your consent as required under applicable laws. 

Does Airwallex use artificial intelligence?

We continuously explore ways to make our services more efficient, secure, and reliable, and to meet our legal and regulatory obligations globally. This includes the responsible use of artificial intelligence (“AI”) and machine learning (“ML”) technologies, which may process your personal data. We may also process personal data to develop or improve our AI or ML technologies as described in section 4 of this Policy in accordance with applicable law and internal standards.

Before deploying AI or ML technologies, we assess whether their use is necessary and appropriate for the intended purpose, and whether it aligns with applicable laws, regulatory expectations and our internal standards. We also consider ethical, security, and reliability aspects to ensure that the use of such technologies is responsible and proportionate.

We may use AI or ML technologies to support operational efficiency, risk management, fraud prevention, compliance processes, customer support, and product improvement. For example, AI-enabled applications may be used to assist with summarising customer interactions, improving internal workflows, or streamlining risk assessments. We may also make AI tools available for use by you on our Platform, in accordance with applicable terms.  

We do not use AI systems to make solely automated decisions that produce legal or similarly significant effects on individuals unless permitted by applicable laws, your consent (where required), and supported by appropriate safeguards.

Is Airwallex acting as a data controller or a data processor?

A “data controller” is the entity that determines the purposes and means of the data processing taking place.

A “data processor” is an entity that acts on behalf of and at the direction of a data controller in processing personal data. As the data processor is acting on the instructions of the data controller, it does not exercise control or decision making over the processing of personal data. A typical data processor would be a software service provider. 

Data controllers and data processors have different responsibilities under the GDPR - for example, controllers are in charge of identifying a lawful purpose or legal basis, and must facilitate individual rights requests.

Airwallex acts in different roles depending on the context of products and services we provide. 

Airwallex acts as a data controller when it processes personal data for activities including the following:

1. Providing the Airwallex products and services;

2. Administering the Airwallex platform;

3. Developing new, or enhancing existing, products;

4. Providing customer support; 

5. Protecting the security and integrity of our systems

6. Monitoring, detecting and preventing fraudulent activities on our platform; and

7. Complying with the legal and regulatory obligations that apply to Airwallex.

Our Global Privacy Policy sets out who the Airwallex data controllers are and provides more details on the various processing purposes. 

When we process personal data strictly on documented instructions from a customer in connection with that customer’s use of our products and services, we act as that customer’s data processor. For example, we act as a processor where we process personal data in executing global spend rules that you apply in your customer account. In those processor contexts, the customer is primarily responsible for compliance with relevant and applicable data protection laws.

What is a Data Processing Addendum and do I need to have one with Airwallex?

A Data Processing Addendum (“DPA”) is a contract that sets out the roles and responsibilities of the parties when personal data is processed. This could be in the form of a controller-controller agreement, or controller-processor agreement. In case of a controller-processor agreement, we make sure we are compliant with applicable data protection laws, including guarantees that the processor will only act on instructions of the controller. 

If you are a customer of the Airwallex for Platforms embedded finance product, the DPA is part of the Master Services Agreement (“MSA”) that you will sign with Airwallex. Please find our Data Processing Addendum for customers here.

How does Airwallex deal with international data transfers?

Where required, Airwallex puts in place an international data transfer mechanism for international data transfers. Airwallex uses a set of Standard Contractual Clauses (“SCCs”) published by the European Commission for cross-border data transfers (for the EU), and the UK International Data Transfer Agreement (“UK IDTA”) issued by the UK’s Information Commissioner’s Office (for the UK) (in the form of a legal contract), to provide a legal mechanism to transfer EU or UK personal data outside of the European Economic Area (“EEA”)/UK/Switzerland, respectively. These are required under European and UK data protection laws and are incorporated into our agreements with third parties and our affiliates.

Airwallex continues to adopt appropriate measures to ensure an adequate level of protection of personal data transferred outside the UK, EEA and Switzerland. Our measures include the SCCs and UK IDTA to accommodate international data transfers, or any equivalent standard contracts issued by relevant authorities into its agreements (where applicable) and/or adopting alternative measures required for the lawful transfer of personal data in accordance with applicable data protection law. 

Airwallex restricts transfers of personal data to certain jurisdictions in accordance with applicable law.

What happens to my personal data if my account is terminated?

We will deactivate your account and will no longer use your data for providing any active services.  However, if you have not withdrawn your consent for activities such as receiving marketing communications from us, we may continue to use your data. 

As a regulated financial institution, we are required by law and regulations to retain your personal data, especially concerning financial services we have provided to you, for multiple (local and global) statutory retention periods. After expiry of those periods, we will destroy your personal data.

Can I access information about why my business account was suspended?

We cannot provide details relating to account suspension or termination when initiated by Airwallex. We are prohibited from sharing internal (risk) assessments, transaction monitoring outcomes, or the reasons underlying certain account actions. These safeguards are in place to comply with regulatory obligations and protect the security of our services and the financial system in general. However, you may request access to your personal data under relevant applicable laws. This right applies only to data that identifies you as an individual. This right does not apply to business related information, internal decision-making processes, risk assessments or data belonging to other individuals. 

4. Contact Us

If you would like to make any inquiries about our privacy and security practices, please contact us at:

• Airwallex Information Security Team: [email protected] 

• Airwallex Privacy Team: [email protected] 

• Airwallex Data Protection Officer: [email protected]