Privacy Notice

Overview

The privacy and security of your data is of paramount importance to all of us at TrueLayer. Please read this Privacy Notice carefully before using our website, the tool(s) being provided by TrueLayer as part of our services (“Tools” and together with our website, the “Site”) or any of our services. If you have any questions or queries about the contents, please email us at [email protected].

For the purposes of this Data Privacy Notice the Data Controller is TrueLayer (Ireland) Limited (“TrueLayer”) (with company number 671615) with its registered office at 6th Floor, 2 Grand Canal Square, Dublin 2, D02 A342, Ireland.

In this Privacy Notice, TrueLayer will be referred to as ‘we’, ‘us’, or ‘our’. Additionally, there are references to “You”. In these instances, “You” may be a visitor to our Site, a customer that is an individual, or an employee of a corporate customer (in each case, a “Customer”), or a user of our Customer’s products or services (“End User”).

This Privacy Notice explains how we collect, store, process and protect your personal data for the services listed below (together, the “Services”).

You should read this notice, so that you know what we are doing with your personal data. Please also read our End-User Terms of Service, in addition to any other privacy notices and documentation that we give you that might apply to our use of your Personal Data in specific circumstances in the future.

Important: Please note that the below list of Personal Data we may collect about you, while intended to be as complete and accurate as reasonably possible, is not exhaustive and may be updated from time to time in accordance with the "Changes to this Privacy Notice" section of this Privacy Notice.

Personal Data

The Personal Data we collect about you and how we use itWhat type of Personal Data are we using?Purpose of ProcessingWhat lawful basis do we rely on to use your Personal Data?
If you are a TrueLayer CustomerYour name, date of birth, address, email, phone number, username, client ID and login data if you register as a user. To deliver our Services to you.Entering into or Performance of a Contract To deliver a contractual service to you as our Customer. Please note that in the event that you do not wish to provide us with your Personal Data for this purpose we will not be able to perform our contract of services with you.
Your name, date of birth, address, email, phone number and photo identification.Such Personal Data may include any criminal background information.To conduct any due diligence that we are required to do in order for you to receive our Services.Compliance with a Legal Obligation To comply with our legal obligations (including regulatory requirements that we are under) under applicable Irish and European law and to comply with other applicable Irish and European Union laws.
Your name, email address, username and login data you supply to us if you register as a useTo provide you with updates on our activities, services and products; to record your marketing preferences and any feedback or responses for the purposes of improving our Services.Consent With your consent. You have the right to withdraw consent by contacting us at any time. However please note that any processing carried out before you withdraw your consent will remain valid.
If you are an End-User of our AIS Tool or our Verification ToolYour email address To allow us to identify you for reporting, compliance and customer service purposes.To comply with our legal obligations (including regulatory requirements); and It is necessary for our legitimate interest to ensure we provide you and your Provider with the Services and to improve our Services
If you are an End-User of our PIS Tool or our Verification TooYour name, email address, postal address, account number and sort-codeTo allow us to identify you for reporting, compliance and customer service purposes.To comply with our legal obligations (including regulatory requirements); and It is necessary for our legitimate interest to ensure we provide you and your Provider with the Services and to improve our Services
If you are an End User of Merchant Services (as defined in the End-User Terms of Service) Any Personal Data that you have given to your Provider (through whom you are accessing Merchant Services), including your name, account number, sort code, date of birth, address and email address and any photo identification. Such Personal Data may include any criminal background information. To conduct any identification and verification checks which are required for customer due diligence during the onboarding process that we are required to do in order for you to receive our Services. Compliance with a Legal Obligation To comply with our legal obligations (including regulatory requirements that we are under) under applicable Irish and European law and to comply with other applicable Irish and European Union laws.
Your name and IBAN details that are set up when you register with your Provider through whom you are accessing Merchant Services.To deliver our Merchant Services to you and/or your Provider, including initiating payment and, where relevant, processing a refund. Legitimate Interest It is necessary for our legitimate interest in ensuring that we can provide you and your Provider with the Services.
If you are an End-User of any of our productsYour name, address and any photo identification. Such Personal Data may include any criminal background information.To conduct any due diligence that we are required to do in order for you to receive our Services.Compliance with a Legal Obligation To comply with our legal obligations (including regulatory requirements that we are under) under applicable Irish and European law and to comply with other applicable Irish and European Union laws.
Your name, email address, username and login data you supply to us if you register as a user via any TrueLayer portal or console.To deliver our Services to you and to give you access to information we hold about you.Legitimate Interest It is necessary for our legitimate interest in ensuring that we can provide you with the Services.
Your username, email and account information, supplied to us by your Provider.To debug any issues you have when you access our Services and to improve our automated processes for retrieving data.Legitimate Interests It is necessary for our legitimate interest in ensuring that we can provide you and your Provider with the Services and to allow us to continuously improve our Services.
Any Personal Data that is contained in the account information that you have given us your specific consent to access in accordance with the End-User Terms of Service.To anonymise or pseudonymise the Personal Data in order for it to be used to improve our Services, to be part of a market study or analytics by us or a third party.Legitimate Interests It is necessary for our legitimate interest in ensuring that we are able to continuously improve and develop our Services and enhance the experience of you and your Provider
Your name, email address, postal address, account number and sort-code where made available to us.To keep a record of your use of our services, to provide our services to you and/or your Provider, to improve our services and to allow us to identify you for reporting, compliance and customer service purposes.To comply with our legal obligations (including regulatory requirements); it is necessary for our legitimate interest in ensuring we can provide you and your provider with the service.
If you are an end user of any of our productsAny personalised security credentials you share with us.To deliver our Services to you where your bank requires us to log you in to your bank account in order to obtain your account information or make a payment.It is necessary for our legitimate interest in ensuring that we can provide you and your Provider with the Services.
If you are a visitor to our Site or ToolYour name, email address and any other Personal Data you supply to us (such as any feedback).To provide you with updates on our activities, services and products; to record your marketing preferences and any feedback or responses for the purposes of improving our Services.Consent With your consent. You have the right to withdraw consent by contacting us at any time. However please note that any processing carried out before you withdraw your consent will remain valid.
Any Personal Data we collect as part of your Cookies setting, namely online identifiers (such as your cookie identifier, IP address, browser type and version, time zone settings and location)To allow us to run the operation of our Site and ensure that our provision of Services through our website runs as smoothly as possible.Consent With your consent. You have the right to withdraw consent by contacting us at any time. However please note that any processing carried out before you withdraw your consent will remain valid.

Important: Before we process your Personal Data to pursue our legitimate interests for the above purpose, we determine if such processing is necessary and we carefully consider the impact of our processing activities on your fundamental rights and freedom. On balance, we have determined that such processing is necessary for our legitimate interests and that the processing which we conduct does not adversely impact on these rights and freedoms.

We will only use your Personal Data for the purposes for which we collect it (as outlined in this section) unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

How we collect your Personal Data

These are the ways in which we may collect your personal data:

If you are an End-User

If you are an End-User, the provider of the application through which you access our Services (your “Provider”) will direct you to use our Services which will include the following:

  • If you are an End-User using either:

    1. our AIS product, through a software tool (the “AIS Tool”); or

    2. our Verification product, through a software tool (the “Verification Tool”)

    which you can use to transmit information (including Personal Data) relating to payment accounts (“Account Information”) that you hold with Account Servicing Payment Service Providers (i.e. any payment service provider, such as a bank or a credit card issuer that maintains an online payment account on your behalf) (“ASPSPs”) to you and your Provider, in accordance with the End-User Terms of Service. When you use the AIS Tool or Verification Tool, we will collect and process the Personal Data contained in the Account Information retrieved from your ASPSP. We may also collect and process Personal Data provided to us by your Provider.

    Our AIS Tool and/or Verification Tool may merge or aggregate Account Information retrieved from a particular ASPSP with Account Information retrieved from other ASPSPs where you have consented to us accessing and transmitting such information. Our AIS Tool and/or Verification Tool may store your Account Information if this forms part of the Services we are delivering to your Provider, for example, if it is necessary for the functioning of your Provider’s app.

  • If you are an End-User using our payment initiation services (“PIS”) product, through a software tool (the “PIS Tool”) which you can use to consent to and authorise a payment as specified by your Provider; this may require that your ASPSP sends us your bank account details. When you use the PIS Tool, we will collect and process the Personal Data that you provide to us (e.g. any Personal Data you include in the payment reference) in order for us to provide the PIS Tool. We may also collect and process Personal Data contained in your bank or payment account details shared with us by your ASPSP.

  • Some banks require us to log you in to your account using your online banking personalised security credentials before you can use our services. Where you share your personalised security credentials with us, we will only use them to provide the service you requested and will delete them once that service has been completed.

  • If you have registered to use the TrueLayer End-User Portal or console we will collect and process your name, email, username that you provide to us in order to access the End-User Portal and the information about your use of the relvant Tool.

  • Through email when you communicate with us.

  • When you visit our Site.

  • When you provide us with your marketing preferences.

If you are a Customer

If you are a Customer, we may collect your personal data from the following sources:

  • through our Site when you register as a Customer or use our Services;

  • through email when you communicate with us;

  • through information that you provide to us, and from third party sources such as Companies House and LexisNexis for due diligence and onboarding purposes;

  • when you visit our Site; and/or

  • when you provide us with your marketing preferences.

If you are a visitor to our Site

If you are a visitor to our Site, we may collect your personal data from the following sources:

  • through cookies or similar tracking technologies that we have set on our Site; and/or

  • when you provide us with your marketing preferences through the Site.

For more information on our use of cookies and/or similar tracking technologies, see the “Cookies” section below.

How long we keep your Personal Data

We will not keep your Personal Data for any longer than is necessary for the purpose for which it is collected and a reasonable period thereafter. Please note that in certain circumstances we may hold your Personal Data for a longer period, for example, if we are processing an ongoing claim or believe in good faith that the law or a relevant regulator may reasonably, in our view, expect or require us to preserve your Personal Data.

When deciding how long to keep your Personal Data, we consider factors including:

  • our contractual obligations and rights in relation to the Personal Data involved (including the End-User Terms of Service);

  • legal obligation(s) under applicable law to retain data for a certain period of time;

  • whether we relied on your consent to use the Personal Data, but you have since withdrawn your consent;

  • statute of limitations under applicable law(s);

  • our legitimate interests where we have carried out balancing tests;

  • fraud and risk management;

  • (potential) disputes; and

  • guidelines issued by relevant data protection authorities.

Sharing of your Personal Data

By using our Services as an End-User, we share your Personal Data with your Provider who will become responsible for it in their own right as a Data Controller. If we still hold a copy of your Personal Data after sharing it with your Provider, we will continue to do so in accordance with the Personal Data section above.

If you are an End-User or a Customer, we may also have to share your Personal Data:

  • if we reasonably consider that we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation;

  • we need to perform, enforce or apply our End-User Terms of Service and other agreements;

  • to protect the rights, property, or safety of TrueLayer, our customers, or others;

  • if we have to do so to fulfil our legal and regulatory obligations, including, for example, to fraud agencies, regulators and/or ASPSPs for fraud investigations;

  • with partners or suppliers who process Personal Data on our behalf (such as our professional advisers, payment schemes, auditors or IT suppliers) - we take the security and protection of your Personal Data seriously and only allow such suppliers to use your Personal Data for specified purposes and in accordance with our instructions;

  • with third parties to whom we may sell, transfer or merge parts of our business or assets. If a change like this happens to our business, the new owners may use your Personal Data in the same way as set out in this Privacy Notice; and/or

  • to another company in our group, if this is necessary to ensure continuity in the provision of Services to you (including in relation to the UK’s withdrawal from the European Union), or to reflect any business reorganisation or expansion that we may engage in from time to time.

International transfers of your Personal Data

The data that we collect from you will generally speaking not be transferred to, or stored outside the European Economic Area ("EEA") or the UK. We will take reasonable steps to ensure that your Account Information (including any Personal Data) is handled securely and in accordance with this Privacy Notice.

However, whenever we do transfer your Personal Data out of the EEA or the UK, we will only do so if:

  • you have given your prior written authorisation; or

  • there is an appropriate transfer agreement or other approved transfer mechanism in place such as Standard Contractual Clauses or an adequacy decision by the European Commission.

Please contact us if you want further information on how we ensure adequate protection for any Personal Data transferred out of the EEA or the UK.

Cookies

When you browse the Site, use our Services, Tools or visit websites or apps that offer our Services, we automatically receive your computer’s internet protocol (IP) address. We may collect data about how you interact with our Site, Tools or Services through the use of cookies or other similar tracking technologies (collectively referred to as “Cookies”). A cookie is a small file of text that is stored on your browser or the hard drive of your computer.

We use Cookies to distinguish you from other users of our Site, Tools and/or Services. It helps us to remember your preferences. When you visit our Site or use our Tools and/or Services, Cookies allow us to keep track of how many times you’ve visited us, how long you’ve visited us for and what you’ve done whilst you’ve been on our Site or using our Tools and/or Services.

The information collected with these technologies helps us in ensuring that we can:

  • provide you with, and continuously improve our Services;

  • enhance your experience of our Site;

  • better understand how our Site is used;

  • help our merchants better understand the uses of their platform and

  • help our merchants to enhance your customer experience.

The Cookies we use collect anonymous identifiers associated with your device, browser, referring site URLs, time or usage information. Cookies never store any of your banking details.

Cookies can be "first party" which are cookies set by us, or "third-party" which are cookies that are placed on your computer/device by a third party when you visit our Site or use our Tools or Services.

We will only deploy non-necessary Cookies on your computer/device when we have obtained your prior consent to do so. If you choose to consent to our use of non-necessary Cookies, you may withdraw your consent to these Cookies at any time.

We use the following types of cookies:

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Functional Cookies

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

Managing cookies

We only deploy strictly necessary Cookies upon the initial loading of our Site. All other types of Cookies are non-necessary and so we need your prior consent to deploy them. Non-necessary Cookies help to maximise your experience when using our Site.

We request your prior consent to use non-necessary Cookies via our Cookie banner. You can change your Cookie preferences and withdraw your consent through changing the setting via our cookie banner.

You may also set your browser to disable Cookies, but this action may block our strictly necessary cookies and prevent our Site from functioning properly, and you may not be able to fully utilise all of the Site's features and services.

Your Rights

The list below sets out the rights which you have to address any concerns or queries with us about the processing of your Personal Data. Note that in certain circumstances these rights may not be absolute. You can exercise any of these rights by submitting a request in writing to us.

Right of access

You have the right to ask us to provide any personal data we have collected about you, to you and to access the following information in relation to the processing of your Personal Data:

  1. the purposes of processing;

  2. the categories of Personal Data concerned;

  3. the recipients of your Personal Data;

  4. the period for which your Personal Data will be stored;

  5. the existence of your right to lodge a complaint with the Data Protection Commission; and

  6. the source of your Personal Data

Should you wish to do so, please email us at [email protected] to make a subject access request detailing:

  • your name,

  • your address,

  • the details of your Provider, and

  • the period of data you would like access to.

We will only charge you for making such an access request where we feel your request is unjustified or excessive.

Object to processing, including Direct Marketing

You may have the right to object at any time to the processing of your Personal Data where we process your Personal Data based on our legitimate interests.

You always have the right to ask us to stop processing your Personal Data for direct marketing purposes, at any time.

Request to restrict processing

You have the right to ask us to restrict processing your Personal Data in the following situations:

  1. where you contest the accuracy of your Personal Data;

  2. where the processing is unlawful, and you do not want us to delete your Personal Data;

  3. where we no longer need your Personal Data for the purposes of processing, but you require the data in relation to a legal claim; or

  4. where you have objected to us processing your Personal Data pending verification as to whether or not our legitimate interests override your interests or in connection with legal proceedings.

When you exercise this right, we may only store your Personal Data and may not further process the data unless you consent, or the processing is necessary in relation to a legal claim or to protect the rights of another person or legal person or for reasons of important public interest.

Request correction or erasure

If we hold any of your Personal Data, you have the right to ask us to correct any inaccurate data we hold about you or delete the data where there is no legitimate reason for us to continue to process it. We may not always be able to delete or correct on request if it is not within our control (such as with Account Information, in which case we will forward your request to the ASPSP) or if we are subject to legal requirements to keep the data.

Withdraw consent

If any of our Services require your consent to process your Personal Data and after you provided your consent, you change your mind, you may withdraw your consent by contacting us as set out in the contact information below.

Request to Data Portability

Where we collect and store your Personal Data to perform a contract that we have with a Provider, you may request the transfer of your Personal Data to a third party, which we will provide to you in a structured, commonly used and machine-readable format.

This right only arises where:

  1. we process your Personal Data with your consent or where it is necessary to perform our contract with you; and

  2. the processing is carried out by automated means.


Changes to this Privacy Notice

Any changes we make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Privacy Notice.

Questions and Contact Information

If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information about how we process your Personal Data, you can contact us at [email protected]

Making a complaint to a supervisory authority

Should you be dissatisfied with the service we provide, you have the right to file a formal complaint to the Data Protection Commission, or to the relevant data protection supervisory authority in your country of residence.

Annex

Account information

Subject to such Account Information being returned by the relevant ASPSP, Account Information shall include, but not be limited to, the following financial information and Personal Data:

  • Personal details: name, date of birth, full address(es), email address, phone number, gender;

  • Bank account information:

    • Account type (e.g. current, saving, investment, credit card);

    • Account name;

    • IBAN/Account number/Sort code/SWIFT;

    • Currency;

  • Account balance information:

    • Current balance;

    • Available balance (credit cards);

  • Transactions;

    • Time;

    • Description;

    • Amount;

    • Meta-data (arbitrary data that banks associate with a transaction e.g. category); and/or

  • Additional data which TrueLayer may collect in the future (as confirmed in writing from time to time):

    • Loans data when available;

    • Insurance data when available; and/or

    • Investments data when available;

    • Payment due date (credit cards) when available; and/or

    • Minimum payment due (credit cards) when available.