Consents Online Limited - Privacy Policy

This privacy policy sets out the basis on which Consents Online Limited (with its registered office at 2 Minton Place, Victoria Road, Bicester, Oxfordshire OX26 6QB) (referred to in this policy as we, our or us) collects and uses your personal information. Our privacy policy also provides information about your rights.

We are also registered with the Information Commissioner's Office with registration number ZA301350.

This notice covers the following:

1 WHAT IS PERSONAL INFORMATION?

2 WHAT INFORMATION DO WE COLLECT FROM YOU?

3 HOW DO WE USE YOUR INFORMATION?

4 WHAT IS THE LEGAL BASIS THAT PERMITS US TO USE YOUR PERSONAL INFORMATION?

5 WHAT HAPPENS IF YOU DO NOT PROVIDE INFORMATION THAT WE REQUEST?

6 WHO WILL WE SHARE YOUR INFORMATION WITH?

7 HOW DO WE USE YOUR IP ADDRESS AND COOKIES?

8 WHERE DO WE STORE YOUR PERSONAL DATA?

9 HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION FOR?

10 WHEN WILL WE MAKE CHANGES TO OUR PRIVACY POLICY?

11 HOW CAN YOU CONTACT US?

12 YOUR RIGHTS.

Summary

In order to provide the services to you:

· We will arrange for the transfer of your password and security login details to Yodlee or the bank holding your online bank account.

· Yodlee or your bank (as the case may be) will use your password and security login details, in accordance with your instructions, to access your online bank account.

· After accessing your online bank account, Yodlee or your bank will provide us with a history of your banking transactions for the period indicated by you.

· In turn, we will provide it to your proposed lender, debt advisor or financial services provider (as applicable), in a more readily accessible format.

· Your proposed lender, debt advisor or financial services provider (as applicable) will carry out any affordability and credit assessment(s) as instructed by you.

· Please note that we cannot make payments or transfer funds to third parties or otherwise use your online bank account in any way. We will only be able to read your online bank account history.

This privacy policy sets out in more detail how the service will work and how we will use your data. This privacy policy will be updated as we make available a wider range of services to you that enable you to take advantage of open banking products and services. If there are any changes to the way in which your personal information is used, we will update this privacy policy and notify you of the changes. Please note that this privacy policy was last updated on 24 May 2018.

1 WHAT IS PERSONAL INFORMATION?

Personal information is any information that tells us something about you. This could include information such as your name, contact details and bank account details.

2 WHAT INFORMATION DO WE COLLECT FROM YOU?

2.1 We will collect and process the following information about you:

2.1.1 your name, surname, email address and mobile phone number. You will provide this information directly if you register for our services on consents.online ("Site") and create your own profile on our Site.

2.1.2 as part of our service, you will provide your password and security login details ("Internet Banking Credentials") for your online bank account ("Bank Account"). We will then arrange for the transfer of your Internet Banking Credentials to Yodlee Inc (a Delaware corporation, having its principal place of business at 3600 Bridge Parkway, Redwood City, California 94065) ("Yodlee") or the bank holding your Bank Account ("Bank").

2.1.3 our online portal allows you to control how data from your Bank Account(s) is used by your proposed lender, debt advisor or financial services provider (as applicable) ("Approved Provider") and link such Bank Account(s) to your profile on our Site. This will enable us to report on your record of transactions as revealed in your Bank Account history (your "Transaction Data") to your Approved Provider.

2.1.4 your Transaction Data.

2.1.5 information you provide us by filling in forms on our Site (including your name, address, email address, mobile number(s)).

2.1.6 a record of correspondence if you contact us or we contact you (including personal information you choose to provide us with, such as your name, surname and email address).

2.1.7 proof of identification or details to confirm or verify your identity, address, Bank Account or payment card.

2.1.8 details of your visits to our Site (including traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise) and the resources that you access.

2.1.9 information from third parties, including your employer or a referee.

3 HOW DO WE USE YOUR INFORMATION?

3.1 We will use the information in connection with our services for the following purposes:

3.1.1 to invite you to register for our services, where you will create a username and password. This may also include your fingerprint, if applicable to your device.

3.1.2 to access, use and retrieve your Transaction Data following the process set out in section 3.3.

3.1.3 to administer the contract we have with you.

3.1.4 to investigate where you report a problem with our Site.

3.1.5 to verify or enforce compliance with the policies governing our Site and/or applicable laws.

3.1.6 fraud and crime prevention.

3.1.7 to protect against misuse or unauthorised use of our Site.

3.1.8 to comply with our regulatory obligations, to bodies such as the FCA.

3.2 Through our online portal you can control the access rights to your Transaction Data and Bank Account(s). For example, you will be able to tell us the:

3.2.1 reasons for disclosing your data to your Approved Provider;

3.2.2 type of access granted and for how long (i.e. whether this is unlimited, until a specific date or on a one-off basis only); and

3.2.3 frequency of access to your information (i.e. whether this is restricted to daily or weekly access).

3.3 Where you provide your Approved Provider(s) with your Internet Banking Credentials, you accept that the following process will be undertaken to access, use and retrieve your Transaction Data:

3.3.1 we will arrange for the transfer of your Internet Banking Credentials to Yodlee or to your Bank. We will not retain your Internet Banking Credentials. We will only pass your Internet Banking Credentials onto Yodlee or your Bank using an encrypted and secure method of transmission;

3.3.2 your Bank (or Yodlee if your Bank does not provide direct access to your Transaction Data) will collate and send the Transaction Data to us;

3.3.3 we will analyse the Transaction Data and separate out your transactions into different categories and set out the amount you spend within each category. It will also set out the credits and debits from your Bank Account(s) over the same period;

3.3.4 depending on your instructions your Approved Provider may be able to:

(a) view and monitor your Bank Account and the balance on your Bank Account on either a single look up one-off basis or on a recurring basis;

(b) copy Transaction Data from your Bank Account from time to time;

(c) store the copied Transaction Data on their own server or Yodlee's server(s); and

(d) use your Transaction Data in making decisions on lending and collecting money from you where you have agreed for your Approved Provider to be able to review your Transaction Data on a recurring basis, but not where you have only agreed to a single look at your Transaction Data.

3.4 Our access, the access of your Approved Provider and the access of Yodlee will be limited to the process set out in section 3.3 and will be in accordance with your instructions.

3.5 Your Approved Provider will have its own privacy policy, which will explain in further detail how your Approved Provider will use your personal information. Please note that we do not accept any responsibility for this policy.

3.6 We also have an app, which is available for download from Apple's App Store and Android's Google Play Store. Please be aware that separate terms will govern your use of our app and you should read these carefully when you download the app.

4 WHAT IS THE LEGAL BASIS THAT PERMITS US TO USE YOUR PERSONAL INFORMATION?

4.1 Under data protection legislation, we are only permitted to use your personal information if we have a legal basis for doing so as set out in the data protection legislation. We rely on the following legal basis to use your information:

4.1.1 where we need information to perform the contract we have entered into with you. This includes:

(a) to access, use and retrieve your Transaction Data (following the process set out in section 3.3) to deliver our services to you; and

(b) to administer the contract we have with you.

4.1.2 where we need to comply with a legal obligation. This includes compliance with our regulatory obligations, to bodies such as the FCA.

4.1.3 where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This includes:

(a) inviting you to register for our services;

(b) to investigate where you report a problem with our Site;

(c) to verify or enforce compliance with the policies governing our Site and/or applicable laws;

(d) fraud and crime prevention; and

(e) to protect against misuse or unauthorised use of the Site.

4.2 In more limited circumstances we may also rely on the following legal bases:

4.2.1 where we need to protect your interests (or someone else's interests).

4.2.2 where it is needed in the public interest or for official purposes.

5 WHAT HAPPENS IF YOU DO NOT PROVIDE INFORMATION THAT WE REQUEST?

5.1 We need some of your personal information in order to perform our contract with you. For example, we need to know your Internet Banking Credentials so that we can arrange for your Transaction Data to be provided to your Approved Provider.

5.2 Where information is needed for these purposes if you do not provide it we will not be able to perform our contract with you and provide you with our services. We explain when this is the case at the point where we collect information from you.

6 WHO WILL WE SHARE YOUR INFORMATION WITH?

6.1 We will share your personal information with:

6.1.1 your Approved Provider, where we are required to do so in order to provide you with our services;

6.1.2 your Bank and Yodlee (to the extent such information is required in order to provide you with the services);

6.1.3 regulators, including the FCA, where we are required to do so to comply with our regulatory obligations;

6.1.4 AccountScore Limited, to assist us with categorisation of your Transaction Data in order to provide you with the services; and

6.1.5 third parties where we are required to do so by law. For example, if a government authority is conducting an investigation and requires us to share your personal information.

6.2 We will use third parties from time to time to help us in delivering services to you. Where we use such third parties, we will ensure appropriate safeguards are in place to protect your personal information and to ensure that it is solely used for legitimate purposes in line with this privacy policy.

6.3 Please note that:

6.3.1 we will only share your Transaction Data with Yodlee and/or your Bank and your Approved Provider for the purpose of providing our service to you; and

6.3.2 we will only arrange for the transfer of your Internet Banking Credentials to Yodlee and/or your Bank for the purpose of providing our service to you.

7 HOW DO WE USE YOUR IP ADDRESS AND COOKIES?

7.1 We may collect information about your computer. This may include your IP address, operating system and browser type. This will be for our system administration. We may also report combined information to our advertisers. Please note that this information will not be personal information and will not identify you, and this information will only be statistical data about our users' browsing actions and patterns.

7.2 A "cookie" is a small electronic file that collects information about you when you visit our Site. A cookie can identify the pages that are being viewed, and this can assist us to select the pages that you see. Some cookies only exist whilst you are online, but "persistent" cookies remain on your computer, so that you can be recognised as a previous visitor when you next visit our Site. We may use persistent cookies to allow us to collect information about your browsing habits whilst on our Site, so that we can monitor and improve our services.

7.3 By continuing to use our Site, you agree to the use of cookies by us in the manner outlined in this policy and a pop up will appear on the screen when you first access the Site to remind you of this.

7.4 We do not store your sensitive information in persistent cookies. Cookies in themselves do not contain enough information to identify you. We will only acquire a personal identity in relation to your browsing habits after you have provided us with your personal data for the purposes outlined at section 3 above.

7.5 In addition to using cookies, we might also use web tools to collect information about your browsing activities whilst on our Site. In this respect the information that is provided is similar to the information supplied by cookies, and we use it for the same purposes.

7.6 Any information that we acquire about you using cookies or web tools is subject to the same restrictions and conditions as any other information we collect about you in this policy.

7.7 Some of our advertisers may also use cookies or web tools that are set by other people such as advertising agencies, or the businesses to which the advertisements in question relate. If you follow a link to any of these websites, please note that these websites contain their own privacy policies and we do not accept any responsibility for these policies. Please check these policies before you submit any personal data to these websites. We do not have access to any information that might be collected in this way and if you are concerned, you should contact the advertiser for more information.

7.8 List Of Cookies

Cookie

Summary

Persistent/Session

Description

__utma

Google Analytics

Persistent

This cookie is part of Google Analytics and helps us improve your experience by anonymously tracking how users interact with our Site. It is specifically used to track the number of visits to our Site.

__utmc

Google Analytics

Persistent

This cookie is part of Google Analytics and helps us improve your experience by anonymously tracking how users interact with our Site. It is specifically used to check approximately how long you stay on our Site.

__utmz

Google Analytics

Persistent

This cookie is part of Google Analytics and helps us improve your experience by anonymously tracking how users interact with our Site. It is used specifically to track how you arrived at our Site.

_vis_opt_exp*

Visual Website Optimizer

Persistent

This cookie is used to run content experiments so we can improve the effectiveness of our Site.

AcceptCookies

Whether to display cookie message

Persistent

This cookie tells us whether this is your first visit to our Site and, if so, to display our cookie policy banner.

ASP.NET_SessionId

ASP.NET Session ID

Session

This cookie is required to make our Site work by setting an anonymous ID which is used when you navigate the Site.

7.9 Most browsers automatically accept cookies. You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting some of our Site features may not work as a result. Our system will automatically issue cookies when you log on to our Site, unless you have adjusted your browser setting to refuse cookies.

7.10 Please note that it is not possible for you to carry your settings between your browsers and devices, so you will need to change these settings for each browser you use.

8 WHERE DO WE STORE YOUR PERSONAL DATA?

8.1 All information you provide to us is stored on our secure servers.

8.2 We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

8.3 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9 HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION FOR?

9.1 As a general rule, we will keep your personal information for the duration in which we are providing the services to you, and for a period of six years thereafter. However, where we have statutory obligations to keep personal information for a longer period or where we may need your information for a longer period in case of a legal claim, then the retention period may be longer.

10 WHEN WILL WE MAKE CHANGES TO OUR PRIVACY POLICY?

10.1 Our privacy policy was last updated on 24 May 2018.

10.2 Our privacy policy will be reviewed and amended from time to time and we will notify you of the changes.

10.3 Any changes we may make to our privacy policy in the future will be posted on this page. We will update the privacy policy to reflect our service offering.

11 HOW CAN YOU CONTACT US?

11.1 Questions, comments and requests regarding this privacy policy are welcomed at:

11.1.1 enquiries@consentco.co.uk;

11.1.2 Consents Online Limited, Floor 33, Euston Tower, 286 Euston Road, London NW1 3DP; or

11.1.3 by telephone: 0800 180 8570.

11.2 If you have any concerns about the information we hold, please contact our Data Protection Officer via the above methods.

11.3 If you still feel dissatisfied, you can appeal to our Managing Director at the above address.

12 YOUR RIGHTS

12.1 Complaints

Please contact us by using the details in section 11 and we will try to resolve your issue. You also have the right to lodge a complaint with the Information Commissioner's Office ("ICO"). You can contact the ICO by writing to them at: Information Commissioner's Office Client Services Team, Wycliffe House, Water Lane, Wilmslow, SK9 5AF or by visiting their website for further information at https://ico.org.uk/.

12.2 You have a number of rights in relation to your personal information, which include the following:

12.2.1 You have the right to request a copy of the information that we hold about you. This right relates to personal information that you have provided to us that we need in order to perform our agreement with you and personal information where we are relying on consent to process your personal information.

12.2.2 You can also ask us to:

· provide a copy of the personal data we hold about you in a commonly used and machine-readable format; and

· send your personal data to another data controller (e.g. another service provider).

12.2.3 We want to ensure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate, incorrect or incomplete.

12.2.4 You have the right to request us to erase the personal information we hold about you in certain circumstances, which is also known as the "right to be forgotten":

· if we are continuing to process your personal information beyond the period when it is necessary to do so for the purpose for which it was originally collected

· if we are relying on consent as the legal basis for processing and you withdraw consent

· if we are relying on legitimate interest as the legal basis for processing and you object to this processing and there is no overriding compelling ground which enables us to continue with the processing

· if it is necessary to delete the personal information to comply with a legal obligation

12.2.5 You have the right to ask us if we are processing your personal data. If so, you have the right to access such personal data and obtain certain information about our processing, including the purposes of our data processing and the categories of personal data which we are processing.

12.2.6 You have the right to object to our processing of your personal information where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful. If you raise an objection we will carry out an assessment to determine whether we have an overriding legitimate ground which entitles us to continue to process your personal information

12.2.7 You have the right to ask us to restrict the processing of your personal data where you consider that:

· our processing of your personal information is unlawful

· where we no longer need the personal information but you require us to keep it to enable you to establish, exercise or defend a legal claim

· where you have raised an objection to our use of your personal information

12.2.8 You have the right not to be subject to automated decisions which produce legal effects or which could have a similarly significant effect on you.

12.2.9 You have the right to withdraw our consent at any time, where consent is the legal basis for our processing. This will not affect the lawful ness of our processing based on your consent prior to its withdrawal.

12.3 If you would like to exercise any of your rights or find out more, please contact us via the methods set out in section 11.