Who we are and how to contact us§
1.1The controller
Jubilee Services SA/NV (“Jubilee”, “we”, “us”, “our”) is the controller of your personal data when you use the money remittance services we offer through the NALA application. “Controller” has the meaning given in Article 4(7) of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
| Legal name | Jubilee Services SA/NV |
| Registered office | Rue Dethy 4, 1060 Saint-Gilles, Brussels, Belgium |
| Company number | 0639.848.226 (Crossroads Bank for Enterprises) |
| Regulator | National Bank of Belgium (NBB) |
| Authorisation | Payment institution under the Belgian Law of 11 March 2018 (payment service no. 6 — money remittance) |
| Lead supervisory authority for data protection | Belgian Data Protection Authority — Autorité de protection des données / Gegevensbeschermingsautoriteit (“APD/GBA”) |
1.2Our role in the NALA service
When you use the NALA application to send money, several regulated entities are involved. Each has a specific role under EU data protection law:
- Jubilee Services SA/NV — the licensed payment institution that executes your remittance and that is the controller of the personal data we process for that purpose. This notice covers our processing.
- NALA Payments Netherlands B.V. (“NALA”) — operates the customer-facing application and provides operational and technical services to Jubilee.
- Modulr Finance B.V. (“Modulr”) — the regulated Electronic Money Institution (Dutch Central Bank, firm reference R182870) that issues the e-money wallet used to hold funds before they are paid out. Modulr acts as a separate controller in respect of its e-money services and publishes its own privacy policy.
Each entity is responsible for its own data processing. Where a payout partner, bank or other recipient in the destination country receives your data to deliver funds, that recipient processes the data under its own legal basis and privacy policy.
1.3How to contact us
For any question about this notice, to exercise your rights, or to make a privacy complaint, please contact our privacy team:
| privacy@jubilee-services.com | |
| Postal address | Jubilee Services SA/NV, Privacy Office, Rue Dethy 4, 1060 Saint-Gilles, Brussels, Belgium |
| Response time | We acknowledge privacy queries within five (5) business days and respond substantively within one (1) calendar month. |
If we have appointed a Data Protection Officer, the DPO can also be reached at the email address above; their details are filed with the APD/GBA.
When this notice applies§
This notice applies to personal data that Jubilee processes as controller when:
- you register for, or use, the money remittance service offered by Jubilee through the NALA application;
- you are a recipient (payee) of a remittance executed by Jubilee on behalf of a sender; or
- you contact us, or NALA on our behalf, about a remittance, a complaint or a query.
This notice does not cover:
- NALA's own processing of your personal data as a controller in its direct relationship with you — see the NALA Privacy Notice.
- Modulr's processing of your personal data as the e-money wallet issuer — see Modulr's Privacy Policy.
- Processing carried out by payout banks, mobile money operators or other recipients in the destination country in their own capacity.
How we collect your personal data§
We collect personal data in three ways:
3.1Directly from you, via the NALA application
When you register, complete onboarding (Know-Your-Customer / KYC), initiate a remittance, or contact support, NALA collects the relevant data on our behalf and transmits it to us. NALA does this under a written Data Processing Agreement which limits its use of your data to what we have instructed.
3.2Automatically, when you use the service
Device identifiers, IP addresses, session metadata, transaction timestamps and similar technical data are generated automatically when you interact with the application. We use this data primarily for security, fraud prevention and audit logging.
3.3From third parties
We receive personal data from:
- Identity verification providers — EU-based identity verification providers using ICAO-compliant document checks, and (where used) biometric liveness providers, to confirm your identity from your ID document and selfie.
- Sanctions and PEP screening providers — Global sanctions and PEP screening providers, drawing on the EU consolidated sanctions list, OFAC, UN and FATF lists, to check you and other transaction parties against international sanctions lists and politically exposed persons lists.
- Fraud and anti-money-laundering analytics providers — to detect unusual or suspicious transaction patterns.
- Modulr — confirmation messages, balances and status of the e-money wallet used to fund or settle your remittance.
- Payout partners and correspondent banks — return codes, payout confirmations, name-matching responses and, where required, additional information to comply with the laws of the destination country.
- Public and regulated registers — for example, the EU sanctions consolidated list, FATF/UN lists, and public commercial registers.
A current list of the principal third-party data sources used by Jubilee is available on request from privacy@jubilee-services.com.
What personal data we collect§
We only collect personal data that is strictly necessary to execute your remittance and to comply with our legal obligations. The categories of personal data we process are:
| Category | Examples |
|---|---|
| Identity data | Full name; date of birth; nationality; country and place of birth; gender (where required by law) |
| Contact data | Residential address; email address; telephone number (including mobile-money number where applicable) |
| Identity document data | Type, number, issuing country and expiry date of your ID document (e.g. passport, national ID, residence permit); copy of the document |
| Proof of address data | Utility bill, bank statement or similar (where required for enhanced due diligence) |
| Biometric data (where applicable) | Selfie / liveness check result used to confirm that the person presenting the ID document is you. This is a special category of personal data under Article 9 GDPR and is processed only on a specific lawful condition (see Section 5). |
| Transaction data | Amount and currency; sender and beneficiary details; destination country; payout method (bank account, mobile money, cash pick-up); payment reference; timestamps; status; fees and exchange rate applied |
| Source-of-funds / source-of-wealth data | Information you provide when required to substantiate the source of the funds being remitted (for example, for larger or higher-risk transactions) |
| Screening and risk data | Outcomes of sanctions, PEP, adverse-media and fraud screening, including risk scores assigned by automated systems |
| Device and session data | IP address; device identifier; operating system and version; app version; session and login times; geolocation derived from IP (city/country level) |
| Communications data | Your messages and our responses through support channels, including chat transcripts, emails and call recordings. Where calls between you and our support team are recorded (we tell you in advance), we do so on the basis of legitimate interests (Article 6(1)(f) GDPR) for evidence and complaint-handling purposes, and to comply with applicable regulatory record-keeping obligations (Article 6(1)(c)). Recordings are retained for 2 years from the date of the call, save where required for a specific dispute or investigation. You may request access to recordings of your own calls under Article 15 GDPR. |
| Regulatory filings data | Records relating to suspicious activity reports (SARs/STRs) we have filed with the Belgian Financial Intelligence Unit (CTIF-CFI), and any related correspondence (this data is subject to strict legal confidentiality and is not normally accessible by you) |
4.1Personal data about the recipient (payee)
To execute a remittance we also process personal data about the payee — typically name, contact details and account/mobile-money details. If you are the sender, you should only provide the recipient's data if you are entitled to do so and should make the recipient aware that their data will be shared with Jubilee, NALA, Modulr and our payout partners.
4.2Children's data
Our remittance service is provided only to persons aged 18 or over, in line with applicable contractual-capacity, financial-services and anti-money-laundering requirements. We do not knowingly process personal data of children in connection with this service. If you believe a child has provided us with personal data, please contact us at privacy@jubilee-services.com and we will take steps to delete it.
4.3Whether you are required to provide your data
We are required by law to collect certain personal data from you, in particular under the Belgian AML Law of 18th September 2017, the Belgian Payment Services Act of 11th March 2018, and the EU Funds Transfer Regulation. Without this data we cannot register you as a customer, verify your identity, or execute a remittance on your behalf. Where data is requested on a discretionary basis (for example, optional contact preferences or marketing consent), we identify this at the point of collection and you may refuse to provide it without affecting your access to the service.
Why we use your data and our lawful basis§
We process your personal data only for the purposes set out below and only where we have a valid lawful basis under Article 6 GDPR (and, where applicable, Article 9 GDPR for special categories of personal data).
| Purpose | What this involves and lawful basis |
|---|---|
| Executing your remittance | Setting up your account, initiating, processing and confirming each remittance, applying exchange rates, charging fees, and transmitting funds to the payout partner. Lawful basis: Performance of a contract with you (Article 6(1)(b) GDPR). |
| KYC, AML and counter-terrorist-financing (CTF) compliance | Verifying your identity at onboarding and on an ongoing basis; carrying out customer due diligence (CDD) and, where required, enhanced due diligence (EDD); transaction monitoring; sanctions, PEP and adverse-media screening; filing suspicious activity reports with the Belgian Financial Intelligence Unit (CTIF-CFI); record-keeping. We have no discretion over this processing — it is required by law. Lawful basis: Compliance with legal obligations (Article 6(1)(c) GDPR), in particular the Belgian Law of 18 September 2017 on the prevention of money laundering and terrorist financing (the “Belgian AML Law”), Directive (EU) 2015/849 (as amended by Directive (EU) 2018/843), Regulation (EU) 2015/847 (information accompanying transfers of funds) and the EU Funds Transfer Regulation / TFR (Regulation (EU) 2023/1113) where applicable, EU and UN sanctions regulations, and the Belgian Law of 11 March 2018. |
| Biometric identity verification (where used) | Where we use a liveness check or facial-recognition comparison to confirm that the person presenting the ID is the same person on the document. This is processing of a special category of personal data. Lawful basis: Article 6(1)(c) (legal obligation) combined with Article 9(2)(g) GDPR (substantial public interest — prevention of money laundering and terrorist financing, on the basis of Belgian AML Law) or, where this basis is not available, your explicit consent under Article 9(2)(a). Where consent is the basis, you may withdraw it at any time without affecting the lawfulness of earlier processing. |
| Fraud prevention and security | Monitoring transactions and account activity for indicators of fraud, account takeover, unauthorised access and abuse of the service; risk-scoring of transactions and devices; investigating and responding to incidents; protecting our systems and our customers. Lawful basis: Legitimate interests (Article 6(1)(f) GDPR) in protecting our customers and the integrity of the payment system, balanced against your rights and freedoms. We have carried out a Legitimate Interests Assessment (LIA), available on request. |
| Customer support and complaint handling | Responding to your enquiries, handling complaints, escalating issues to Jubilee's compliance, operations or legal teams where required, and meeting our complaint-handling obligations. Lawful basis: Performance of a contract (Article 6(1)(b)) and compliance with legal obligations applicable to regulated payment institutions (Article 6(1)(c)). |
| Regulatory reporting and supervision | Reporting to the NBB, the CTIF-CFI, Belgian tax authorities (including FATCA/CRS reporting where applicable), and other competent regulators; responding to lawful requests for information; cooperating with audits and investigations. Lawful basis: Compliance with legal obligations (Article 6(1)(c) GDPR). |
| Operational resilience and security of information systems | Logging, monitoring, vulnerability and incident management as required under the EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) and applicable NBB circulars. Lawful basis: Compliance with legal obligations (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)). |
| Defending legal claims | Retaining and disclosing personal data where necessary to establish, exercise or defend legal claims, or to respond to subpoenas or other lawful demands. Lawful basis: Legitimate interests (Article 6(1)(f)). |
| Service improvement (aggregated only) | Analysing aggregated, non-identifying patterns of use to improve the reliability and quality of the remittance service. This does not involve automated decision-making about you. Lawful basis: Legitimate interests (Article 6(1)(f)). |
5.1We do not use your data for marketing or profiling without consent
Jubilee does not sell your personal data, does not share it with third parties for their own marketing, and does not use it to train AI or machine-learning models for purposes unrelated to the service. Any direct marketing communications from Jubilee will only be sent on the basis of your prior consent, and you may withdraw consent at any time.
5.2Personal data about persons who are not our customers
Where we process personal data about persons who are not our customers, in particular as part of sanctions, PEP, adverse-media and transaction screening, we do so on the basis of compliance with legal obligations (Article 6(1)(c) GDPR). We rely on Article 14(5)(c) and (d) GDPR to limit notification to such persons, on the basis that direct notification would compromise the confidentiality required by AML and sanctions law, including the tipping-off prohibition under Article 55 of the Belgian AML Law.
Automated decision-making§
Some checks we are required to perform — in particular sanctions, PEP and fraud screening — involve automated processing. In limited cases this can produce a decision with legal or similarly significant effects on you, for example blocking a transaction, freezing funds, or refusing onboarding.
Where a fully automated decision produces such effects, we rely on Article 22(2)(b) GDPR. The authorising provisions are in particular Articles 26 (duty to suspend) and 47 (suspicious transaction reporting) of the Belgian AML Law, and the EU consolidated sanctions framework. Where an automated decision blocks or freezes a transaction, the decision is reviewed by a member of our compliance team within one business day, unless legal obligations (in particular the tipping-off prohibition under Article 55 of the Belgian AML Law) prevent us from disclosing the outcome of that review to you. In all other cases, decisions are reviewed by a human before they affect you.
In all cases, you have the right to:
- obtain meaningful information about the logic involved (to the extent compatible with our legal obligations of confidentiality, in particular the prohibition on “tipping off” under AML law);
- express your point of view;
- contest the decision and request human review.
To exercise these rights, contact us at privacy@jubilee-services.com.
International transfers of personal data§
Money remittance, by its nature, requires transfers of personal data to countries outside the European Economic Area (“EEA”) — typically to the payout partner in the destination country selected by the sender.
Where we transfer your personal data outside the EEA, we ensure an adequate level of protection by relying on one or more of the following safeguards:
- Adequacy decisions — where the European Commission has decided that the destination country provides an essentially equivalent level of protection (Article 45 GDPR), including, where applicable, the EU-US Data Privacy Framework for certified US recipients.
- Standard Contractual Clauses (SCCs) — the European Commission's Standard Contractual Clauses adopted under Article 46(2)(c) GDPR (Implementing Decision (EU) 2021/914), using the appropriate module for each transfer relationship.
- Transfer Impact Assessments (TIA) — where SCCs are used we carry out, and document, an assessment of the law and practice of the destination country in line with EDPB Recommendations 01/2020 and the Schrems II judgment of the Court of Justice of the EU. A redacted summary of the TIA for each high-risk destination is available on request at privacy@jubilee-services.com.
- Supplementary measures — such as encryption in transit and at rest, strict access controls and contractual safeguards, where the TIA shows they are necessary.
- Derogations under Article 49 GDPR — relied upon only in genuinely exceptional and occasional cases, for example a one-off transfer where Article 46 safeguards cannot be put in place in time. Systematic transfers to our payout partners are not made on this basis; they are made under Standard Contractual Clauses or another Article 46 mechanism.
You may request a copy of the relevant safeguard or a list of the recipient countries by contacting privacy@jubilee-services.com.
How we protect your personal data§
We implement technical and organisational measures that meet the requirements of Article 32 GDPR, the EU Digital Operational Resilience Act (DORA), PSD2 Article 95 and Commission Delegated Regulation (EU) 2018/389 on strong customer authentication, and applicable NBB circulars. These include:
- encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent), with documented key management;
- strict role-based access controls and multi-factor authentication for systems processing personal data;
- strong customer authentication (SCA) applied at remittance initiation and at other sensitive operations in accordance with Commission Delegated Regulation (EU) 2018/389;
- audit logging, monitoring and alerting on access to and processing of personal data;
- regular penetration testing and vulnerability management;
- documented business continuity and disaster recovery plans with annual testing;
- background checks, confidentiality obligations and regular data-protection training for staff with access to personal data;
- written Data Processing Agreements with all processors, including equivalent obligations on sub-processors.
If a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by Article 34 GDPR.
How long we keep your personal data§
We retain personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting, regulatory or reporting requirements, and to defend legal claims. The main retention periods are:
| Category | Retention period |
|---|---|
| KYC / onboarding records and transaction records | Ten (10) years from the end of the customer relationship (for KYC) or from the date of the transaction (for transaction records), in accordance with Article 60 of the Belgian AML Law and equivalent obligations under the Belgian Law of 11 March 2018. |
| Suspicious activity reports (SARs/STRs) and related records | Ten (10) years from the date of the report. Access to this data is restricted by law (“tipping-off” prohibition). |
| Sanctions, PEP and fraud-screening results | Same as the underlying record (10 years for AML-related screening; up to 5 years for fraud screening of declined transactions). |
| Complaints and dispute records | Five (5) years from final resolution, or longer where required by applicable law or supervisory guidance. |
| Customer support records (other than complaints) | Two (2) years from the date of last contact. |
| Device, session and security logs | Twelve (12) months from collection, unless required for an ongoing dispute or investigation. |
| Marketing data (if you have given consent) | Until you withdraw your consent (in which case we delete it without undue delay) or until 24 months have elapsed since your last interaction with us, whichever occurs first. |
| Cookies and similar technologies | As described in our Cookie Notice. |
At the end of the applicable retention period we delete or irreversibly anonymise the data. Where we are legally required to keep the data for longer (for example, in connection with an investigation), we restrict its processing to storage only until the legal obligation no longer applies.
Your rights§
Under the GDPR you have a number of rights in relation to your personal data. Some rights are not absolute and may be limited by other legal obligations (in particular the Belgian AML Law and the EU Funds Transfer Regulation, which prevent us from deleting certain records or from disclosing certain information about suspicious activity reports).
| Right | What this means and how to exercise it |
|---|---|
| Right of access (Article 15) | Request a copy of the personal data we hold about you, together with information on how and why we process it, who we share it with, and how long we keep it. Free of charge unless your request is manifestly unfounded or excessive. |
| Right to rectification (Article 16) | Request that inaccurate or incomplete personal data is corrected without undue delay. |
| Right to erasure (Article 17) | Request that we delete your personal data. Subject to our legal retention obligations (in particular AML record-keeping) and to our right to refuse where one of the grounds in Article 17(3) GDPR applies. |
| Right to restriction of processing (Article 18) | Request that we pause processing in defined circumstances (for example, while we verify the accuracy of contested data). |
| Right to data portability (Article 20) | Where processing is based on your consent or on the performance of a contract with you and is carried out by automated means, you may request that we transmit the relevant personal data to you or to another controller in a structured, commonly used, machine-readable format (CSV or JSON). This right does not extend to data we process to comply with our legal obligations, in particular KYC, AML, sanctions and tax data. |
| Right to object (Article 21) | Where we rely on legitimate interests, object on grounds relating to your particular situation. We will assess your objection and respond. For direct marketing, the right to object is absolute and we will stop immediately. |
| Right not to be subject to a solely automated decision (Article 22) | See Section 6. You may request human review of an automated decision producing legal or similarly significant effects on you, express your point of view, and contest the outcome. |
| Right to withdraw consent | Where we rely on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. |
| Right to lodge a complaint | With the APD/GBA or the supervisory authority of the EU/EEA Member State where you live or work — see Section 14. |
11.1How to exercise your rights
To exercise any of these rights, contact privacy@jubilee-services.com. We will:
- acknowledge your request within five (5) business days;
- respond to it within one (1) calendar month of receipt;
- notify you within that first month if we need to extend the period by up to two further months, explaining the reason;
- not charge a fee unless your request is manifestly unfounded or excessive;
- ask you to verify your identity before processing your request, to protect your data;
- explain clearly if we are unable to fulfil a request and tell you about your right to complain to your supervisory authority.
Account closure§
When you close your NALA account, or when we close our relationship with you (for example, on legitimate AML or risk grounds), we cease active processing of your personal data. However, we are legally required to keep KYC and transaction records for the periods described in Section 10. During that period, access to the retained data is restricted to authorised personnel in our compliance, legal and internal audit functions, requires a logged and justified access request, and is subject to periodic access reviews (for audit, regulatory or legal-defence purposes).
Where your account is inactive (“dormant”) for an extended period, we may apply additional controls to protect your data and the funds (if any) associated with it. We will contact you before taking any action that affects your funds or access.
Right to complain — supervisory authorities§
You have the right to lodge a complaint with the relevant supervisory authority if you believe we have processed your personal data in breach of applicable data protection law. We encourage you to contact us first at privacy@jubilee-services.com so that we have an opportunity to resolve your concern, but you may complain to a supervisory authority at any time.
Our lead supervisory authority is:
| Authority | Belgian Data Protection Authority — Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA) |
| Address | Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels, Belgium |
| Telephone | +32 (0)2 274 48 00 |
| contact@apd-gba.be | |
| Website | https://www.dataprotectionauthority.be / https://www.gegevensbeschermingsautoriteit.be |
If you live, work or believe a GDPR infringement has taken place in another EU/EEA Member State, you may also contact your local data protection authority. A list is available on the European Data Protection Board website at https://edpb.europa.eu.
Changes to this notice§
We may update this notice from time to time to reflect changes in our practices, in the legal or regulatory framework, or in the services we provide. The current version, with the effective date and version number, is always available in the NALA application and on request from privacy@jubilee-services.com.
Where changes are material (for example, a change to the categories of recipients of your data, the legal basis for processing, or the retention periods) we will draw your attention to them in advance through the application or by other appropriate means.
Applicable law§
This notice is intended to comply with all data protection law applicable to Jubilee, in particular:
- Regulation (EU) 2016/679 (GDPR);
- the Belgian Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data;
- the Belgian Law of 18 September 2017 on the prevention of money laundering and terrorist financing;
- the Belgian Law of 11 March 2018 on the status and supervision of payment institutions and electronic money institutions;
- Regulation (EU) 2015/847 and Regulation (EU) 2023/1113 on information accompanying transfers of funds;
- Regulation (EU) 2022/2554 (DORA) and applicable NBB circulars.
Where there is any conflict between this notice and applicable law, applicable law prevails.
Version history§
| Version | Date | Summary of changes | Author | Status |
|---|---|---|---|---|
| 1.0 | 12 May 2026 | Initial customer-facing privacy notice for Jubilee Services SA/NV money remittance services provided via the NALA application, aligned with the Jubilee-NALA Outsourcing Framework Agreement and Data Processing Agreement, and with the NALA Master Privacy Notice. | Jubilee Privacy Office | Live |
End of notice · 2026