Privacy Policy

Unicâmbio respects the privacy of its customers and suppliers. This Privacy Policy describes who we are, for what purposes we may use your data, how we process it, with whom we share it, how long we retain it, as well as how to contact us and exercise your rights.

Last update: June 2026

Your personal data will be processed by Unicâmbio – Instituição de Pagamento, S.A., a corporate entity with registration number 502870206, headquartered at Rua C, Edifício N124, 5.º Piso, 1700-008 Lisbon, Portugal, hereinafter referred to as "Unicâmbio," which acts, as a rule, as the data controller, except in situations specifically identified in this Policy. This company is responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR).

For any questions related to the processing of your personal data, you may contact the Data Protection Officer via the following email address: dpo@unicambio.pt.

The collection of your personal data may be carried out from different sources, and these data may relate to any of the products and/or services of Unicâmbio that you have used or contracted, that you currently hold or have held in the past, or result from interactions you have had with us, for example, when visiting our branches, websites, or mobile applications, or when you contact us by telephone.

We may collect certain personal data directly from you or from third parties who are your intermediaries or who are related to the products and/or services you have subscribed to, or from other publicly accessible sources.

The categories of personal data collected and processed by Unicâmbio are structured as follows:

 

Categories of Personal Data

Examples of Processed Data

Identification data

Full name, number, validity, and copy of identification document, Tax Identification Number (NIF), photograph, and signature.

Contact data

Residential or professional address, telephone contact (mobile/landline), and email address.

Biographical data

Date of birth, nationality, place of birth, gender, profession, and political or public office held (PEP).

Contractual and product data

Payment account number, balance, history of acquired products, issued cards, and their respective conditions and specificities.

Transactional data

Date, time, amount, source/destination currency, detailed description of financial transactions (foreign exchange, fund transfers, purchase of precious metals), operating branch, and declared purpose of the transaction.

Documentary data

Information contained in proof of address, proof of source of funds, invoices, certificates, and other supporting documentation provided by the data subject.

Image and voice data

Images captured by video surveillance systems (CCTV) in branches or headquarters; voice and image records captured in validation videoconferences; audio recordings of calls to the contact center.

Technical and digital channel usage data

  Authentication credentials (user accounts), IP addresses, geolocation data, browser type, mobile device identifiers, and data collected via cookies.

Unicâmbio processes your personal data in a lawful, fair, and transparent manner, associating each processing activity with a specific purpose and its respective legal basis:

a) Management of the contractual relationship and provision of services

  • Description: Processing of your data is necessary for the provision of services, the execution of the contract to be concluded between you and Unicâmbio, or for taking pre-contractual steps at your request (including the opening and management of payment accounts and registration for electronic channels/Unimoney App). If you do not provide your data, we will not be able to provide the requested services.

  • Legal Basis: Performance of a contract or pre-contractual steps (Article 6(1)(b) of the GDPR).

  • Retention Period: Data will be kept during the term of the contractual relationship. Upon its termination, accounting, commercial, and transactional support data and documents will be kept for the applicable legal archiving periods and contractual liability safeguards, which may extend up to a maximum of 10 years, with other data being deleted as soon as the respective purpose is achieved.

b) Litigation management and defense of rights

  • Description: Processing of personal data of customers or suppliers for the purpose of managing pre-litigation, litigation, or extrajudicial proceedings, internal audits, and the active protection of the institution's rights.

  • Legal Basis: Legitimate interest of Unicâmbio in the establishment, exercise, or defense of legal claims in judicial proceedings (Article 6(1)(f) of the GDPR).

  • Retention Period: Data will be kept until the final res judicata decision of the corresponding judicial proceeding or until the definitive extinction of the obligation underlying the dispute.

c) Legal and regulatory obligations

  • Description: The processing of your data will be carried out for the strict compliance with legal and regulatory duties, of national and European scope, that regulate financial activity. This includes, in particular, the regime for the prevention of money laundering and terrorist financing (AML/CFT), tax, customs, and accounting obligations, physical and logical security requirements of the premises, and conservation of regulatory evidence.

  • Legal Basis: Compliance with a legal obligation (Article 6(1)(c) of the GDPR).

  • Retention Period: Data will be kept for the mandatory periods legally required for each matter (e.g., 7 years after the moment of identification or the end of the business relationship in the scope of the AML/CFT regime).

d) Marketing and consumption analysis

  • Description: Unicâmbio may process your personal data to send you information about its products and services, as well as to analyze your preferences and create consumption profiles (profiling), offering you tailored products. If you consent, you will receive commercial communications via email and/or SMS.

  • Legal Basis: Data subject's consent (Article 6(1)(a) of the GDPR).

  • Retention Period: Data will be kept for this purpose for a maximum period of 1 year after the last commercial interaction, unless consent is withdrawn earlier.

e) Management of complaints, incidents, and contacts

  • Description: Processing of suggestions, complaints (including the physical and electronic Complaint Book), reports of security incidents, or contact requests directed to Unicâmbio.

  • Legal Basis: Compliance with legal obligations, Unicâmbio's legitimate interest in the analysis and swift resolution of reported situations, and, in the case of spontaneous contacts, the data subject's consent.

  • Retention Period: Data will be kept for the period necessary to resolve the situation and, subsequently, for the applicable legal period (namely 5 years in the case of official complaints).

f) Supplier management

  • Description: Processing of supplier data (individuals or representatives of legal entities) is necessary for the execution of the contract or for taking pre-contractual steps. Data of supplier employees may be communicated to Unicâmbio clients for the fulfillment of contractual or security obligations.

  • Legal Basis: Performance of a contract or pre-contractual steps (Article 6(1)(b) of the GDPR).

  • Retention Period: Data will be kept during the term of the contractual relationship and, upon its termination, for the legal periods required or necessary for the fulfillment of tax and contractual obligations.

A) Video surveillance and access control

  • Purpose: Protection of people, assets, and physical facilities of the Unicâmbio branch network and Headquarters, as well as crime prevention and the gathering of evidence.

  • Legal Basis: Compliance with legal obligations (Law no. 34/2013, of May 16, and current amendments regarding private security) and legitimate interest in asset protection.

  • Retention Period: Recorded images are kept for a strict period of 30 days, unless required for the investigation of a pending judicial proceeding.

B) Telephone call recording

  • Purpose: Means of evidence for transactions, instructions, or financial orders transmitted remotely by the customer and, residually, internal monitoring of the contact center's service quality.

  • Legal Basis: Performance of the contract regarding documentary evidence, legitimate interest in service optimization, and express consent of the data subject (in the case of quality control).

  • Retention Period: Transactional recordings are kept for the statute of limitations period for contractual obligations. Calls recorded for quality control purposes are deleted within a maximum period of 30 days.

C) Video calls for onboarding and identity verification

  • Purpose: Carrying out the remote identity validation procedure via videoconference within the scope of enrollment and opening of payment accounts (Unimoney App).

  • Legal Basis: Compliance with mandatory regulatory due diligence and KYC (Know Your Customer) obligations established by the Bank of Portugal and the applicable AML/CFT regime.

  • Retention Period: They will be kept for 7 years starting from the end of the business relationship with the customer.

Unicâmbio may use automated tools and artificial intelligence (AI) systems exclusively as operational and technical support for its internal processes of information extraction, document validation, and data consistency verification (in the context of onboarding, compliance procedures, and KYC).

Unicâmbio ensures that:

  • Human Validation: Intervention and validation by a human employee are guaranteed before any decision is made that produces legal effects on the data subject or significantly affects them.

  • Automated Decisions: No decisions are adopted based solely on automated processing or profiling that restrict access to services without human supervision.

  • Contractual Safeguards: All technology providers of these AI solutions are contractually prohibited from using the personal data collected by Unicâmbio for the purpose of training, developing, or improving third-party AI models.

Your personal data may be communicated or shared by Unicâmbio with the following categories of recipients:

a) Unicâmbio Group Companies: For the purposes of centralized internal management and the provision of related or complementary services to those initially contracted by the data subject.

b) Subcontractors and Service Providers: Entities that act under the strict instructions of Unicâmbio, provided with only the data necessary for the provision of the service in question:

  • NOS Comunicações, S.A.: Communications support and data infrastructure hosting.

  • Sumsub Tech Ltd: Information technology activities and support for Digital Due Diligence (onboarding).

  • Codeware, S.A. / FINPAY Technology / DBS (Digital Banking Solutions): Maintenance and support for information technology systems.

  • Talkdesk: Support platform for the contact center and cloud hosting of call recordings.

c) Public Authorities and Regulators: For compliance with legal obligations and administrative or judicial orders, including the Bank of Portugal, the Tax and Customs Authority (AT), Courts, and Security Forces.

d) Third Parties under Agency Arrangements: As detailed in the following section.

Within the exclusive scope of the money transfer service executed through the Western Union platform, Western Union Payment Services Ireland Limited (WUPSIL) acts as an independent Data Controller for personal data, with Unicâmbio acting in the capacity of an Agent for said institution.

Data subjects should consult WUPSIL’s Privacy Policy on their respective website to understand the processing activities carried out and to exercise their rights through the channels provided by that entity (Western Union DPO contact: privacy@westernunion.com).

In certain operational situations, voice data associated with the contact center service (Talkdesk) may be transferred and stored outside the European Economic Area (EEA), specifically to the United States of America.

Unicâmbio ensures that such transfers are carried out based on appropriate legal mechanisms and safeguards, such as validation under the EU-U.S. Data Privacy Framework or the execution of Standard Contractual Clauses approved by the European Commission. The data subject may request additional information regarding these guarantees by contacting the DPO.

At any time, the data subject may request the exercise of the following rights from Unicâmbio:

  • Right of Access: Confirm whether your data is being processed and obtain a copy of the data and the related legal information.

  • Right of Rectification: Request, without undue delay, the correction of inaccurate data or the completion of incomplete data.

  • Right to Erasure ("Right to be Forgotten"): Obtain the deletion of data when it is no longer necessary, consent is withdrawn, or you object to the processing (provided there are no overriding legal obligations requiring its retention).

  • Right to Restriction of Processing: Request a temporary suspension of processing while you contest the accuracy of the data, when the processing is lawful but you refuse erasure, or for the exercise of legal claims.

  • Right to Portability: Receive the data you provided via automated means in a structured, commonly used, and machine-readable format, when the processing is based on consent or a contract.

  • Right to Object: Object to processing based on legitimate interests or carried out for direct marketing and profiling purposes.

Important Note: The exercise of certain rights (such as erasure or restriction) may be limited or conditioned by compliance with overriding legal obligations imposed on Unicâmbio within the scope of its financial and regulated activity.

To exercise these rights, the data subject may visit any branch of the Unicâmbio network or submit their request electronically via the following email addresses: dpo@unicambio.pt or info@unicambio.pt, attaching proof of identity to your request when necessary.

You also have the right to lodge a complaint with the national supervisory authority — the National Data Protection Commission (CNPD) (https://www.cnpd.pt/).

Unicâmbio uses cookies and similar technologies on its websites and applications to improve navigation, personalize the user experience, and perform aggregate analysis of the performance of its digital platforms.

Detailed preference management and the breakdown of the categories of cookies used can be consulted in our standalone Cookies Policy, available in the footer of our websites.

Unicâmbio adopts technical and organizational measures that are appropriate and proportionate to the risk to ensure a high level of security in protecting personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

These measures include strict control of logical and physical access to facilities and systems, encryption of data in transit and at rest, the use of firewalls, intrusion detection systems, corporate antivirus software, and the storage of information in restricted-access and duly auditable databases.

Unicâmbio will occasionally update this Privacy Policy to reflect operational improvements or legislative changes. We ask that you review this document periodically to stay informed.

If you still have any questions regarding the processing of your personal data, or wish to exercise any of your rights, please contact us:

Address

Contact Details:

Unicâmbio – Instituição de Pagamento S.A.

Aeroporto de Lisboa Rua C, Edifício Nº 124 - 5º Piso, 1700 - 008 - Lisboa

Email: dpo@unicambio.pt

Este site armazena cookies no seu equipamento, utilizados para melhorar a sua experiência de navegação. Ao avançar concorda com a sua utilização e com a nossa Política de Privacidade. Saber mais