Get your card

Privacy Policy

Crosscard S.A.
26-28, Rue Edward Steichen
2540 Luxembourg

Email: service.en(at)

Company Number: B215831
Commercial Court: Luxembourg

Reference of used images on this website:


This Privacy Notice will help you understand how we collect, use and protect your personal information when you use our websites (,, and – collectively, ‘Our Sites’), our mobile device application (the ‘App’) or if we receive your personal information for recruitment purposes.


Crosscard S.A. (“Crosscard”) is a company registered in Luxembourg under company number B215831, with its registered address at 26-28, Rue Edward Steichen, L-2540 Luxembourg, Luxembourg. Crosscard is authorised and regulated as an electronic money institution by the Luxembourg Commission de Surveillance du Secteur Financier (CSSF), under number W00000011. Crosscard has overall responsibility for the processing of your personal information. This means that we are a ‘data controller’ under the General Data Protection Regulation (also known as the GDPR). We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any queries about this Privacy Notice or how we process your personal information, please contact us by email: data(at) or by post to: 26-28, Rue Edward Steichen, L-2540 Luxembourg, Luxembourg.



The personal information we collect about you includes:

  • name, date of birth and gender;
  • identification document details;
  • contact details, including address, telephone number and email address;
  • financial information, including credit/debit card and other payment methods’ details (although we do not retain complete payment card information) and source of funds information;
  • identifiers assigned to your computer or other devices, including your Internet Protocol (IP) address.

Furthermore, by using Our Sites and our App, Cookies may be stored on your devices. You can find further information on Cookies below, under the title ‘Cookies and Web Beacons’.

Special categories of personal data

Crosscard does not intentionally collect any special categories of personal data (sensitive personal information) via Our Sites or App unless in a specific country we are legally required to do so, for example, for recruitment purposes. Sensitive personal information includes: information revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; information concerning health; information concerning a natural person’s sex life or sexual orientation; and in some cases, social security numbers or financial information.


Crosscard works to protect the confidentiality and security of the information it obtains in the course of its business. Access to such information is limited and policies and procedures are in place, designed to safeguard the information from loss, misuse and improper disclosure.



Most of the personal information we hold about you is collected directly from you. We do this for example, when you:

  • visit Our Sites and register to receive information from us or sign up to our newsletter;
  • download e-books and other information from Our Sites;
  • contact us directly, either via our call centre, by email or social media;
  • register with us for recruitment and vacancy updates;
  • apply for a vacancy on Our Sites;
  • respond to communications or surveys;
  • visit Our Sites and apply for a prepaid product;
  • start an application for a prepaid product but fail to complete it;
  • make enquiries or raise concerns with our customer service team;
  • use our App;
  • accept the use of Cookies.

We will also collect information about you if you get in touch through one of our external partners (for instance, if you apply for a job vacancy using a third party provider, such as a recruitment agency or Lever, our Applicant Tracking System). In order to understand more about you and to verify your identity, we may supplement and combine the personal information that we collect from you with other categories of data obtained from other sources. We may change or add to these from time to time and the changes will be updated on our Privacy Notice.

Information we collect on social media platforms

You may wish to participate in the social media platforms which we make available to you. The main aim of these social media platforms is to inform, assist and engage with you. We monitor and record comments and posts made on these channels so that we can improve our products and services. We use a third-party provider, ApS to manage our social media interactions. If you send us a private or direct message via social media the message will be stored by ApS for three years. Crosscard may also provide links to other social media platforms maintained on separate servers by individuals or organisations over which Crosscard has no control. Crosscard makes no representations or warranties regarding the accuracy or any other aspect of the information located on such servers. A link to a third party’s website should not be construed as an endorsement by either Crosscard or that third party of each other or its products and services. Furthermore, Crosscard is not responsible for any information posted on those websites other than information we have posted ourselves. We do not endorse the social media websites themselves, or any information posted on them by third parties or other users. We recommend reviewing the privacy statement of each third-party site linked from Our Sites to determine their use of your personal information:

Information we collect when you use our call centre

We use a third-party provider, Multi-Connect GmbH, to manage our VIABUY customer service telephone interactions. When you call the VIABUY call centre we collect Calling Line Identification (CLI) information, as well as some information about yourself for security, identification and verification purposes. We use this information to help you with your queries and to help improve our service’s efficiency and effectiveness. We may also monitor or record phone calls with you in case we need to check that we have carried out your instructions correctly, to resolve queries or issues, for regulatory purposes, to help improve our quality of service, and to help detect or prevent fraud or other crimes. Conversations may also be monitored and/or recorded for staff training purposes.



We will store and use your personal information as is necessary for the performance of a contract between you and us, for compliance with our legal and regulatory obligations, for our legitimate interests or, for certain other additional purposes, based on your explicit consent. Examples of how we may use your personal information include:

  1. administering your account (as is necessary for performance of a contract between you and us and/or as is necessary for our legitimate interests);
  2. carrying out anti-fraud and anti-money laundering checks and verifying your identity (as is necessary for compliance with our legal and regulatory obligations and/or as is necessary for our legitimate interests);
  3. using your details to process payments (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests);
  4. sending you information about our products and services (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests);
  5. monitoring your usage and the effectiveness of Our Sites and App (as is necessary for our legitimate interests);
  6. undertaking market research and statistical analysis, including analysing your use of Our Sites and developing new products and services (as is necessary for our legitimate interests);
  7. fulfilling our obligations owed to a relevant regulator, tax authority, or revenue service (as is necessary for compliance with our legal and regulatory obligations and/or as is necessary for our legitimate interests); and
  8. storing the curriculum vitae of unsuccessful job candidates in line with our Data Retention Policy for consideration for future vacancies (as is necessary for our legitimate interests).

Our legitimate interests as referred to above (and below) include our legitimate business purposes and commercial interests in operating our business in a customer-focused, efficient and sustainable manner, in accordance with all applicable legal and regulatory requirements.

Using your data for fraud prevention

In certain situations, before we provide you with our prepaid products and services, we use your personal data to conduct checks for the purposes of preventing fraud and money laundering and to verify your identity. We may also share your details with other financial institutions, credit reference agencies, trade bodies, fraud prevention organisations and law enforcement agencies for the purposes of preventing fraud, money laundering, terrorist financing and other financial crimes, pursuing debtors and to verify your identity. If we, or a fraud prevention agency, determine that you pose a risk of fraud or money laundering, we may refuse to provide you the prepaid products or services you have requested. We may also stop providing existing services to you. A record of any fraud or money laundering risk will be retained by us and the fraud prevention agencies. It may also result in others refusing to provide products, services, financing or employment to you. If you have any questions about our processing of your data for fraud purposes, please contact us via the details provided above. When Crosscard and fraud prevention agencies process your personal data, we do so on the basis that we have a legitimate interest to process your data in such way, in order to protect our business and to comply with the various laws that apply to us. Such processing may also be a contractual requirement in relation to the services you have requested from us.

Using your personal data for marketing

In addition to the purposes above, we may also use your personal information to send you newsletters and/or marketing about similar products and services by post, email, text message, and through various digital channels, such as social media platforms, if you have expressly consented to this or as is necessary for our legitimate interests. We consider that it is within our legitimate interests to send you information about our own products and services for marketing purposes. We use a third party provider, The Rocket Science Group LLC, to deliver our newsletters. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see The Rocket Science Group LLC’s privacy notice. You can object to receiving marketing from us at any time – please follow the unsubscribe link in our marketing emails or text message; or send us your name, address and date of birth via email to data(at) or by post to: 26-28, Rue Edward Steichen, L-2540 Luxembourg, Luxembourg. We also use the personal data you provide to us, information about you provided for third parties (please see “How we collect information about you” for further details), and of individuals who have similar characteristics to you, to enable us to evaluate and predict your behaviour to assist us to provide and improve our products and services.


Where relevant given the nature of our relationship or of the products and services provided to you, we may also share your information with the following categories of third parties:

  • payment service providers (as is necessary for the performance of a contract between you and us);
  • third-party service providers with whom you also have a contractual relationship (as it is necessary for our legitimate interests and for the legitimate interests of the third-party service provider with whom you also have a contractual relationship);
  • third-party service providers who we instruct for the purposes of processing service information (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests and/or as is allowed by your explicit consent);
  • third-party data suppliers, as explained under “How we collect information about you” (as is necessary for our legitimate interests);
  • third-party service providers who support the operation of our business, such as IT and marketing suppliers, financial service providers and other administrative support services to operate Our Sites (as is necessary for the performance of a contract between you and us and/or as is necessary for our legitimate interests);
  • fraud prevention agencies and associations (as is necessary for compliance with our legal obligations and/or as is necessary for our legitimate interests);
  • as required by a court order or any other legal or regulatory required such regulators and law enforcement agencies, including the police, the CSSF, the Luxemburgish Tax Authorities or any other relevant authority who may have jurisdiction (as is necessary for compliance with our legal and regulatory obligations).


The personal information that we collect from you, and which is shared with the third-parties mentioned above, may be transferred to and processed in a destination outside of the European Economic Area (EEA). It may also be processed by staff operating outside the EEA who work for us or one of our suppliers. In these circumstances, your personal information will only be transferred on one of the following bases:

  • the country that we send the data is approved by the European Commission as providing an adequate level of protection for personal information; or
  • the recipient has agreed with us standard contractual clauses approved by the European Commission, obliging the recipient to safeguard the personal information; or
  • there exists another situation where the transfer is permitted under applicable data protection legislation (for example, where a third-party recipient of personal data in the United States has registered for the EU-US Privacy Shield).

To find out more about how your personal information is protected when it is transferred outside the EEA (and if you wish to obtain a copy of the standard contractual clauses which we have entered into with recipients of your personal information outside of the EEA), please contact us using the details above. Crosscard will only disclose your personal information to third parties that have agreed in writing to provide an adequate level of privacy protection.


Crosscard only ever retains personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations. Unless specifically mentioned otherwise, we keep your personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. Where you have consented to us using your details for direct marketing, we will keep such data until you notify us otherwise and/or withdraw your consent. We may retain some of your personal information for a number of purposes, as necessary to allow us to carry our business. The retention periods apply as follows:

  • Personal data contained online where no account is opened: We will retain this data for as long as necessary for us to anonymise it for the purposes of undertaking market research and statistical analysis. However, this data will not be kept for longer than 1 year;
  • Personal data contained within your prepaid product: We need to retain your personal information for the purposes of processing of your existing or future claims for 6 years from the date your account is closed. Access to such data will be restricted to a small number of employees who need to access it for legitimate reasons;
  • Personal data contained in complaints records and correspondence: If you raise a complaint with our customer services team or correspond with us by email or letter, your records will be deleted 3 years after your complaint record is closed. However, in some circumstances, these records may be kept for 5 years to comply with our legal and regulatory obligations;
  • For fraud prevention purposes: Your records will be deleted 7 years after your fraud record is created; Fraud prevention agencies can hold your personal data for different periods of time, depending on how that data is being used. Please contact them for more information.
  • For hiring purposes: CVs of unsuccessful candidates may be stored in line with our Data Retention Policy for consideration for future vacancies.


Our Sites and App use Cookies, Web Beacons and other web technologies such as CAPTCHA’s, as applicable, to improve their performance and to enhance your browsing experience. These technologies will help us track and monitor your engagement and usage of Our Sites and App, to understand more about you, so we can offer you a more personalised browsing experience.


We may place small data files on your access device. These data files may be cookies or other local storage provided by your browser or associated applications (collectively, “Cookies”). We use Cookies to recognise you as a customer, customise our services, content and advertising, measure promotional effectiveness, help ensure that your account security is not compromised, mitigate risk and prevent fraud, and to promote trust and safety across our Sites and services.

What Cookies do we use?

The Cookies used by Our Sites or App can be:

  1. Transient (or per-session) Cookies – these only exist for your site visit and are deleted on exit. They recognise you as you move between pages, for example, recording items added to an online shopping basket. These Cookies also help maintain security.
  2. Persistent (or permanent) Cookies – these stay on your machine until expiry or deletion. Many are built with automatic deletion dates to help ensure your hard drive does not get overloaded. These Cookies often store and re-enter your log-in information, so you don’t need to remember membership details.

We use both types of Cookies. Additionally, Cookies can be first or third party Cookies. First-party Cookies are owned and created by the website you’re viewing. Third-party Cookies are owned and created by an independent company, usually a company providing a service to the website owners. These Cookies collect information relating to the origin of your visit, where you were exposed to Crosscard advertising, what advertising feature you saw, whether you arrived directly or indirectly to Our Sites, the device you used to visit Our Sites or use our App and which downloads you performed. This information is collected via the below third parties:

How do I disable Cookies?

You are free to decline our Cookies if your browser or browser add-on permits it, unless our Cookies are required to prevent fraud or ensure the security of Our Sites and App. However, declining our Cookies may interfere with your use of Our Site/App and services. To enable or disable cookies, follow the instructions provided by your browser (usually located within the “Help”, “Tools” or “Edit” facility). Alternatively, an external resource is available at providing specific information about cookies and how to manage them to suit your preferences.

Web Beacons

We use small graphics (also called tracking pixels or clear GIFs – collectively, “Web Beacons”) in Our Sites, App or emails which remain invisible to you but provide us with information about your experience and interaction with Our Sites, App and emails such as which browser has been used, if an email was opened and similar. As part of our effort to track the success of our advertising campaigns, we may at times use visitor identification technology such as these “web beacons” which count visitors who have come to Our Sites after being exposed to a Crosscard banner ad on a third party site. Web Beacons often work in conjunction with Cookies. No personally identifiable or sensitive personal data is collected via Web Beacons. By navigating on Our Sites or using our App, you agree that we can place Cookie and Web Beacons on your computer or device, as applicable. If you prefer not to receive Cookies or Web Beacons, then you should consult your browsing settings or stop using Our Sites.  


According to data protection legislation you have the right to:

  • obtain access to, and copies of, the personal information that we hold about you;
  • require that we stop processing your personal information if the processing is causing you damage or distress;
  • ask us not to send you marketing communications;
  • ask us to erase your personal information;
  • ask us to restrict our data processing activities;
  • receive from us the personal information we hold about you which you have provided to us, in a structured, commonly used and machine-readable format, including for the purpose of you transmitting that personal information to another data controller; and
  • require us to correct the personal information we hold about you if it is incorrect.

Please note that these rights may be limited by data protection legislation, and we may be entitled to refuse requests where exceptions apply.  


If you are concerned about an alleged breach of privacy law or any other regulation by Crosscard, please contact us by email at data(at) or by post to 26-28, Rue Edward Steichen, L-2540 Luxembourg, Luxembourg. If you are not satisfied with the way in which Crosscard has resolved your complaint, you have the right to complain to the CNPD or the data protection authority in your country. You can find out more about your rights under data protection legislation from the CNPD’s website.  


We may update this notice from time to time by publishing a new version on Our Sites. You should check this page occasionally to ensure you are happy with any changes. If the changes are substantial, we may notify you of changes to this notice by email. If you have any questions or concerns about this Privacy Notice, please contact us at data(at)