Introduction

Saaf Services Limited is a UK-based company operating as a Money Service Business, regulated by the FCA and HMRC. We offer money transfer services through our registered office for individuals intending to remit money to Afghanistan. The Company is led by its Director and MLRO, Mr. Haroon Elahi. Saaf Services Limited intends to use the services of Premier Forex (Intermediary Payment Service Provider) for settling the transactions.

This GDPR Policy sets out how Saaf Services Limited (“the Company”) collects, processes, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable UK laws.

The purpose is to ensure that the Company respects and protects the privacy rights of its customers, employees, partners, and stakeholders. Since Saaf Services Limited is intending to operate as a regulated money remittance provider under the FCA and HMRC, strict compliance with data protection laws is fundamental not only to safeguard sensitive information but also to maintain regulatory trust, prevent financial crime, and ensure operational integrity.

As a Small Payment Institution intending to provide money remittance and currency exchange services, the company recognises the importance of protecting customer information and maintaining trust. This policy outlines how Saaf Services Limited manages personal data, the rights of customers, and the safeguards in place to prevent misuse or unauthorised access.

Scope of the Policy

This policy applies to all personal data processed by Saaf Services Limited in the course of its business. It covers customer data (such as names, addresses, identification documents, and transaction history), service provider data, and data shared with regulatory or supervisory authorities. The scope includes data collected during on-boarding, transaction processing, monitoring, record-keeping, reporting to regulators, and communication with customers. It applies to all parties engaged by Saaf Services Limited, including the payment service provider supporting remittance services to Afghanistan.

Lawful Basis for Processing Data

Saaf Services Limited processes personal data under several lawful bases as defined by GDPR:

  • Contractual Necessity: To provide money transfer or currency exchange services, customer information such as ID, proof of address, and payment details will be collected.
  • Legal Obligation: As an FCA-registered institution and HMRC-regulated entity, the company will comply with AML/CTF/CPF regulations, which require verification and record-keeping of customer identity.
  • Legitimate Interest: To maintain operational security and prevent fraud, the company needs to monitor transactions and IT systems.
  • Consent: For marketing or communication outside of regulatory necessity, explicit consent will be obtained from customers before using their data.

Data Collection and Categories of Data

Saaf Services Limited collects personal data necessary to deliver its money remittance and currency exchange services and meet regulatory requirements. This includes:

  • Identification Data: name, date of birth, nationality, and identification documents (passport, driving licence, utility bills).
  • Contact Data: address, email, and telephone number.
  • Financial Data: bank account details (if applicable), source of funds, and remittance transaction history.
  • Regulatory Data: Know Your Customer (KYC) and Anti-Money Laundering (AML) documentation, sanctions screening records, and source of funds/wealth information.

This collection is proportionate and limited to what is necessary for legal compliance and service delivery.

Data Use and Processing

Data is processed strictly for legitimate business and compliance purposes. For customers, data is used to verify identity, execute remittance transactions, monitor suspicious activities, and fulfil reporting obligations. Data may also be used for internal risk management, fraud prevention, and maintaining business continuity. Saaf Services Limited prohibits the use of personal data for unrelated or unlawful purposes.

Data Sharing and Third-Party Processing

Saaf Services Limited may share personal data with:

  • Regulatory bodies: FCA, HMRC, and National Crime Agency (NCA) for compliance and reporting.
  • Payment Service Provider (PSP): to execute remittance transactions to Afghanistan securely.
  • Financial institutions: correspondent banks, payment networks, or settlement partners.
  • Service providers: IT, cloud hosting, compliance screening tools, and auditors.

Saaf Services Limited does not allow third-party access to customer data unless legally required by regulators (e.g., FCA, HMRC, NCA) or law enforcement. Where registered APIs are used to process transactions, due diligence is carried out to ensure compliance with GDPR standards. Any outsourcing partners or service providers must sign Data Processing Agreements (DPAs) confirming they meet equivalent standards of security and data protection.

Data Storage and Retention

Saaf Services Limited will store data in secure systems within the UK or jurisdictions with adequate data protection frameworks. Regulatory requirements mandate that customer transaction and identification records are retained for at least five years after the business relationship ends, in line with AML regulations. After the retention period, data will be securely deleted or anonymised unless required for ongoing investigations, audits, or litigation.

Data Security Measures

Data security is a core component of Saaf Services Limited’s compliance framework. Measures include:

  • Encryption of sensitive data during transmission and storage.
  • Role-based access controls ensuring only authorised staff can access customer data.
  • Secure on-boarding systems integrated with KYC/AML checks.
  • Regular IT security assessments, vulnerability testing, and patch management.
  • Business continuity and disaster recovery plans to safeguard against data loss.

Employees will undergo mandatory data protection and information security training to minimise risks of human error or insider threats.

Saaf Services Limited has implemented multiple security layers to protect personal data:

  • Physical Security: Shatterproof glass, secured premises, and restricted access to paper files.
  • IT Security: Regular monitoring of systems, network firewalls, intrusion detection, and server backups.
  • Insurance: Business insurance to mitigate risks from data breaches or physical loss of records.

These measures ensure that personal data is safeguarded against theft, loss, or unauthorised use.

Data Subject Rights

Under the UK GDPR, individuals have specific rights, and Saaf Services Limited is committed to upholding them:

  • Right to access: Customers can request copies of the personal data held.
  • Right to rectification: Correction of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”): Where data is no longer required for lawful purposes.
  • Right to restrict processing: In cases of dispute over accuracy or lawfulness.
  • Right to data portability: Transfer of data to another provider in a structured format.
  • Right to object: To processing based on legitimate interests or direct marketing.

Requests will be handled transparently and within statutory timelines (usually one month).

Data Protection Principles

Saaf Services Limited adheres to the seven key principles of GDPR:

  • Lawfulness, Fairness, and Transparency – Customers are informed of how their data will be used.
  • Purpose Limitation – Data is only used for legitimate business, regulatory, and contractual reasons.
  • Data Minimisation – Only essential data is collected.
  • Accuracy – Data is regularly reviewed and updated.
  • Storage Limitation – Data is retained only for as long as necessary (e.g., 5 years for AML compliance).
  • Integrity and Confidentiality – Data is secured with physical and IT protections.
  • Accountability – The Director and MLRO ensure compliance with GDPR obligations.

Breach Notification Procedures

In the event of a personal data breach, Saaf Services Limited will follow a structured response:

  • Immediate Containment: Secure systems, prevent further loss, and isolate affected areas.
  • Assessment: Identify the scope, cause, and potential harm of the breach.
  • Notification to ICO: Report within 72 hours if the breach poses risks to individuals.
  • Customer Communication: Inform affected individuals without undue delay where risks exist.
  • Root Cause Analysis: Conduct an internal review and strengthen safeguards to prevent recurrence.

Monitoring, Training, and Review

Saaf Services Limited provides regular training on GDPR, AML, Consumer Duty, and cybersecurity. The GDPR policy is reviewed annually, or sooner if regulatory changes or operational risks emerge.

Saaf Services Limited trading as Saaf Remit

If you have any questions, please reach us at any time.
