(This version of the privacy notice is for our UK customers. If you are looking for an English language version of our privacy notice for our EU customers, please click here.)
CRIF Realtime Limited (“we”, “us”) respects your privacy and is committed to protecting your personal data. This privacy notice tells you how we look after your personal data when you use our Credit Passport Web App and website (the “App”) and about your privacy rights and how the law protects you. References in this privacy notice to “SME” mean the company which has authorised you to access and/or use the App on its behalf.
1. IMPORTANT INFORMATION AND WHO WE ARE
This privacy notice aims to give you information on how we collect and process your personal data through your use of the App.
It is important that you read this privacy notice together with any other fair processing notice or privacy notice we may provide on specific occasions when we collect or process personal data about you, so you are fully aware how and why we are using your data. There are some small ‘pop-ups’ that supplement this notice when you are about to leave this site that describe the site to which the link is taking you, but such sites are subject to their own privacy notices.
For the purposes of data protection legislation, including the Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”), we (CRIF Realtime) are the controller of your personal data.
We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this policy, including any request to exercise any of your legal rights, please contact the Data Protection Officer using the following contact details:
Email address: dpo.uk@crif.com
Postal address: Data Protection Officer, CRIF Realtime Ltd., 55 Old Broad Street, London, EC2M 1RX
It is important that the personal data we hold about you is accurate and up-to-date. Please let us know if any of your personal data changes during your relationship with us.
The App may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third parties and are not responsible for their privacy policies. When you leave this site we recommend that you read the privacy notice of every website you visit and every plug-in or application you use.
2. THE DATA WE COLLECT ABOUT YOU
Personal data means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
-
- Identity data including your first name, last name, username or other identifier, title;
- Contact data including your business registered address, billing address, email address, telephone numbers;
- Bank account data, being transaction and other account data from all of the SME’s business banking accounts which is accessible online and which is submitted to us via the App where such data may identify you directly or indirectly;
- Additional data in respect of the SME’s business and financial position such as documents, books, reports, accounts, balance sheets, records, correspondence, papers and behavioural and payments information where such data may identify you directly or indirectly;
- Technical data including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other details about the devices you use to access the App;
- Usage data including information about how you use the App including pages visited, products and services; and
- Marketing and communications data including your preferences in receiving marketing material from us and your communication preferences.
We also create, use and share aggregated data such as statistical or demographic data. Aggregated data may be derived from your personal data but is not considered to be personal data in law as it does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific feature of the App. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, the combined data is personal data and we deal with it in accordance with applicable data legislation as well as our privacy notice.
If we need to collect personal data in order to comply with law or under the terms of any contract we have with the SME, and you fail to provide this data when requested, we may not be able to perform the contract we have or are trying to make with the SME (i.e. to provide the SME with the services). In this situation, we may need to cancel an order placed on behalf of the SME or stop providing a service to the SME, but we will notify the SME if this is the case.
3. HOW YOUR PERSONAL DATA IS COLLECTED
We collect data from and about you in different ways, including by:
Direct interaction with you. You may give us identity and contact data by filling in forms or by communicating with us by email or via the App. This includes data you provide when you order our products or services or create an account on behalf of the SME, request marketing information, use interactive features on the App (e.g. the ‘chatbot’ on the site) or give us feedback.
Automated technologies. When you use the App, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data using cookies, server logs and other similar tracking technologies. We may also receive technical data about you if you visit other websites using our cookies.
Accessing your bank account data. When you use our service we will process your transaction and other account data.
Third parties and publicly available sources. We may receive personal data about you from other people and/or from public sources, as set out below:
-
- technical data from:
-
-
- analytics providers such as Google;
- advertising networks;
- search information providers;
-
-
- contact, financial and transaction data from providers of technical, payment and delivery services;
- identity or financial data from CRIF VisionNet and/or other similar providers;
- identity, contact data and public filing data from publicly available sources such as Companies House.
4. HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the law allows us to do so. Our most common uses of your personal data will be:
-
- in order for us to perform a contract we are about to make or have made with the SME (or to take steps at your request before entering such a contract);
- if it is necessary to do so for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- provide you with information within the App or via email on relevant products and services offered by our third party Partners that we believe will be of interest to you and/or your company;
- in order for us to comply with a legal or regulatory obligation including processing payments where applicable through our payment services provider, Stripe.
The table below sets out all the ways in which we plan to use your personal data, which of the legal bases we rely on to do so and, where relevant, what the legitimate business interests are. Our Legitimate Interests Assessment is available on application to our Data Protection Officer. We may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.
|
Purpose/activity |
Type of data (see Section 2) |
Lawful basis for processing |
|
To register you as a new user |
Identity Contact |
Our legitimate interest in performing the services you have requested as part of your company’s contract with us. |
|
To process & deliver the SME’s order for our services, including:
|
Identity Contact Financial Additional Data Transactions with us
|
Our legitimate interest in performing the services you have requested as part of your company’s contract with us. Our legitimate business interests (recovering debts due to us) |
|
To manage our relationship with the SME, including:
|
Identity Contact Marketing & communications |
Our legitimate interest in performing the services you have requested as part of your company’s contract with us. Our legitimate business interests (keeping our records up-to-date, studying how customers use our products/services) |
|
To administer & protect our business and the App (including troubleshooting, data analysis, testing, system maintenance, support, reporting & hosting data) |
Identity Contact Technical |
Our legitimate business interests (running our business, providing administration & IT services, network security, preventing fraud, for a business reorganisation or group restructuring)
|
|
To deliver relevant App content & advertisements to you including content & advertisements from third party Partners To understand &/or measure the effectiveness of the advertising we serve to you for your SME |
Identity Contact Usage Marketing & Communications Technical |
Our legitimate interests (studying how customers use our products/services, developing our products/services, growing our business, & informing our marketing strategy, direct marketing to you for your SME) |
|
To use data analytics to improve our App, products/services, marketing, customer relationships & experiences |
Technical Usage |
Our legitimate interests (defining customer types for our products/services, keeping our App updated & relevant, developing our business & informing our marketing strategy) |
|
To suggest products/services which may be of interest to you and/or the SME |
Identity Contact Technical Usage |
Our legitimate interests (developing our products/services, growing our business) |
|
To transfer your Bank Account data, Additional data, Identity and Contact data to a third party so that the SME can avail of relevant offers and services. |
Identity Contact Bank Account Additional Data |
Our legitimate interest in carrying out the data transfer at your request so that your company can avail of the offered service. |
.
We use the following categories of cookies and tracking technologies:
-
- Strictly necessary cookies: These are cookies that are required for the operation of our App. They include, for example, cookies that enable you to load webpages by balancing the load on our servers.
- Analytical/performance cookies: These cookies allow us to recognise and count the number of visitors to our website and to see how visitors move around our Platform. This helps us to improve the way our App works, for example by ensuring that visitors can easily find what they are looking for.
- Functionality cookies: These are used to recognise you when you return to our App. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Targeting cookies. These cookies record your visit to our App, the pages you have visited and the links you have followed. We will use this information to make our App and the advertising displayed on it more relevant to your interests. We may also share this information with or obtain from third parties such as social media marketing services for this purpose.
|
STRICTLY NECESSARY |
|||
|
Cookie Name |
Host |
Description |
Expiry |
|
ARRAffinity |
Credit Passport |
Load balancing to sustain your session |
0 |
|
ANALYTICAL/PERFORMANCE |
|||
|
Cookie Name |
Host |
Description |
Expiry |
|
_ga |
Credit Passport |
Google cookie used to record pages visited. |
180 |
|
_gat_UA-132834188-1 |
Credit Passport |
Google cookie to manage data collected |
0 |
|
ai_session |
Credit Passport |
Collects anonymised usage on our platform. |
0 |
|
ai_user |
Credit Passport |
Used to count number of users |
180 |
|
_uetvid |
Credit Passport |
Bing tracking cookie |
16 |
|
_gclxxxx |
Credit Passport |
Google conversion tracking cookie |
90 |
|
_gid |
Credit Passport |
Google cookie that records pages visited |
1 |
|
FUNCTIONALITY |
|||
|
Cookie Name |
Host |
Description |
Expiry |
|
__atuvs |
Credit Passport |
AddThis cookie enabling cookie sharing. |
0 |
|
__atuvc |
Credit Passport |
AddThis cookie that stores page sharing. |
180 |
|
TARGETING |
|||
|
Cookie Name |
Host |
Description |
Expiry |
|
_uetsid |
Credit Passport |
Bing cookie that selects ads to display. |
1 |
|
_fbp |
Credit Passport |
Facebook cookie that selects ads to display. |
90 |
|
uuid2 |
AppNexus |
Advertising |
90 |
|
B |
Yahoo |
Advertising |
180 |
|
personalization_id |
|
Tracking |
180 |
|
__atuvs |
AddThis |
Advertising |
0 |
|
|
|
Advertising |
0 |
|
anj |
AppNexus |
Advertising |
|
|
xtc |
AddThis |
Advertising |
180 |
|
li_gc |
|
Tracking |
180 |
|
pa_google_ts |
Marin Software |
Advertising |
180 |
|
pa_openx_ts |
Marin Software |
Advertising |
180 |
|
pa_uid |
Marin Software |
Advertising |
180 |
|
pa_yahoo_ts |
Marin Software |
Advertising |
180 |
|
__atuvc |
AddThis |
Advertising |
180 |
|
A3 |
Yahoo |
Advertising |
|
|
pa_rubicon_ts |
Marin Software |
Advertising |
180 |
|
pa_crosswise_ts |
Marin Software |
Advertising |
180 |
|
__atrfs |
AddThis |
Advertising |
0 |
|
MUID |
Microsoft (Bing) |
Search engine |
180 |
|
pa_twitter_ts |
Marin Software |
Advertising |
180 |
|
uvc |
AddThis |
Tracks interaction with AddThis |
180 |
|
UNCLASSIFIED |
|||
|
Cookie Name |
Host |
Description |
Expiry |
|
ARRAffinitySameSite |
Credit Passport |
|
0 |
|
__ss_referrer |
Credit Passport |
|
0 |
|
originationUrl |
Credit Passport |
|
0 |
|
__ss |
Credit Passport |
|
1 |
|
__ss_tk |
Credit Passport |
|
180 |
|
koitk |
SharpSpring |
|
180 |
|
__ss |
SharpSpring |
|
1 |
|
__ss_referrer |
SharpSpring |
|
0 |
|
_gat_gtag_xxxxxxxxxxxxxxxxxxxxxxxxxxx |
CSMail |
|
0 |
|
_gat |
CSMail |
|
0 |
|
_ga |
CSMail |
|
180 |
|
__ss_tk |
SharpSpring |
|
180 |
|
_gid |
CSMail |
|
1 |
You can set your browser to refuse some or all browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, some parts of our App may become inaccessible or may not function properly.
6. DISCLOSURES OF YOUR PERSONAL DATA
We may share your personal data with the parties set out below for the purposes set out above:
-
- Internal third parties: other companies in our group, CRIF
- External third parties:
- at your request, your financial transaction data and/or contact data will be transferred to third parties (for example lenders or professional service companies), solely so that they can assess your company’s eligibility for their offerings and contact you to discuss offering their services (including loans) to your company. ‘Pop-up’ notices will alert you to any personal data being transferred to these partners should you follow their links;
- service providers (acting as processors) including Moody’s Analytics who provide data to us relating to the SME’s business and financial position, IT and system administration services;
- o professional advisers (acting as processors or independent controllers), including lawyers, accountants, auditors, bankers, insurers and marketing service providers who provide legal, accountancy, audit, banking, insurance or consultancy, marketing advice or other services to us;
- HM Revenue & Customs, regulators and other authorities (acting as processors or independent controllers) who require us to report on processing activities in certain circumstances;
- other third parties, if we transfer any part of our business or assets to them or acquire any part of their business or assets, or otherwise merge any part of our and their businesses; in any of these cases, the new owners of our business may use your personal data in the same ways and for the same purposes as set out in this privacy notice.
We also share anonymised Bank account and Additional data with our Third Party Partners for statistical purposes. However, once the data is anonymised it is no longer considered to be personal data.
7. INTERNATIONAL TRANSFERS
When and where your personal data may be transferred outside the UK/EEA
Some of the third parties with whom we work (e.g. SharpSpring which provides marketing automation services and Mouseflow which records anonymised usage of the site) may be based outside both the United Kingdom and the European Economic Area so their processing of your personal data will involve a transfer of this data outside both the United Kingdom and the European Economic Area.
If we use cloud-based platforms to store personal data, this may involve the use of geographically-distributed data centres including data centres outside both the United Kingdom and the European Economic Area.
How we protect your personal data outside the UK/EEA
We will not transfer your personal data to any country which is outside the United Kingdom or the European Economic Area, except:
-
- to a country which has been found by the UK Government to provide an adequate level of protection for personal data;
- where we have ensured your personal data benefits from a similar degree of protection by using model clauses approved by the UK Government which give personal data the same protection it has in the United Kingdom. For further information see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en ;
- where the transfer is necessary to exercise or defend legal claims; or
- with your explicit consent to the transfer, after we have notified you of the possible risks of such transfer.
8. DATA SECURITY
We have put in place appropriate security measures to protect your personal data from being accidentally or unlawfully destroyed, lost or altered or disclosed or accessed in an unauthorised way. For example, we limit access to this information to authorised employees and contractors who need to know that information in order to operate, develop or improve our App. Please be aware that although we endeavour to provide appropriate security for information we process and maintain, no security system can prevent all potential security breaches.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any relevant regulator of a breach in line with data protection legislation.
9. HOW LONG WILL YOU USE MY PERSONAL DATA FOR
We will only retain your personal data for as long as necessary to fulfil the purposes we collected and processed it for. Upon expiry of this period your personal data will be deleted.
9.1 Identity data and Contact data will be retained for a period of maximum of 7 years or as long as required by Law;
9.2 Bank account data which you provided us for the Permitted Purposes as listed under Terms and Conditions Section 5.3, will be retained for a maximum period of 90 days following the closure of the SME’s Credit Passport account by an authorised Director or Secretary.
9.3 Legal and Accounting data will be retained for a period of maximum of 7 years or as long as required by Law.
10. YOUR LEGAL RIGHTS
As a result of us collecting and processing your personal data, you may have the following legal rights:
- to access personal data held about you;
- to request us to make any changes to your personal data if it is inaccurate or incomplete;
- to request your personal data is erased where we do not have a compelling reason to continue to process such data in certain circumstances;
- to receive your personal data provided to us as a controller in a structured, commonly used and machine-readable format where our processing of the data is carried out by automated means and is based on: (i) your consent; (ii) our necessity for performance of a contract to which you are a party; or (iii) steps taken at your request prior to entering into a contract with us;
- to object to, or restrict, our processing of your personal data in certain circumstances;
- if we use your personal data for direct marketing, you can ask us to stop and we will comply with your request;
- if we use your personal data on the basis of having a legitimate interest, you can object to our use of it for those purposes, giving an explanation of your particular situation, and we will consider your objection;
- to object to, and not be subject to a decision which is based solely on, automated processing (including profiling), which produces legal effects or could significantly affect you; and
- to lodge a complaint with a data protection supervisory body. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/make-a-complaint/, although we would like the prior opportunity to respond to any complaint.
To exercise any of your rights set out above, including to withdraw your consent where we have stated we are processing your personal data based on your consent, please contact us using the contact details above.
Date: 16th March 2021