Privacy Policy

Last updated: 1 September 2023

Overview

This Privacy Notice explains how we collect, store, process and protect your personal data when providing you with our Services.

Please read this Privacy Notice carefully before using our website, console or other web applications (collectively the "Site") or any of our Services. If you have any questions or queries about the contents, please email us at [email protected].

TrueLayer Limited (TrueLayer), with company number 10278251, is based at Part Ground Floor (East), Floors 6 and 7, The Gilbert, 40 Finsbury Square, London, EC2A 1PX and is registered as a data controller with the Information Commissioner's Office ("ICO") under number ZA797592.

In this Privacy Notice, TrueLayer will be referred to as "we", "us", or "our". 

Depending on the context, “you” means a visitor to our Site, a representative of one of our Merchants, or the End User of one of our Services.

Our Services

If you are an End-User, the provider of the website or app through which you access our Services (a Merchant) will direct you to use our Services.

We currently provide the following Services (these are further explained in our Terms of Service):

  • Account Information Services (AIS)

  • Payment Initiation Services (PIS)

  • Verification Services

  • Signup+

  • Pay Ins

  • Pay Outs

  • Remember Me

What personal data do we collect?

The table below sets out the personal data that we collect, process and in some instances store when you use our Services.

| The personal data we collect about you and how we use it | What type of personal data are we using? | Purpose of Processing | What lawful basis do we rely on to use your Personal Data? |
| --- | --- | --- | --- |
| If you represent a TrueLayer Merchant | Your name, date of birth, address, email, number, username, client ID and login data if you register as a user. | So we can register you as a user and deliver our Services. | Performance of a contract with you |
| | Your name, email address, username and login data you supply to us if you register as a user. | To provide you with updates on our activities, Services and products; to record your marketing preferences and any feedback or responses for the purposes of improving our Services | With your consent |
| | Your name, date of birth, address, email, phone number, photo identification and any criminal background information. | To conduct any due diligence that we are required to do in order for you to receive our Services | To comply with our legal obligations (including regulatory requirements that we are under) |
| If you are an End-User of any of our products | Your name, address, photo identification and any criminal background information. | To conduct any due diligence that we are required to do in order for you to receive our Services | To comply with our legal obligations (including regulatory requirements that we are under) |
| | Your name, email address, username and login data you supply to us if you register as a user via any TrueLayer portal or console. | To deliver our Services to you and to give you access to information we hold about you | With your consent |
| | Your name, email address, postal address, account number and sort-code | To keep a record of your use of our Services, to provide our Services to you and/or our Merchants, to improve our Services and to allow us to identify you for reporting, compliance and customer service purposes. | To comply with our legal obligations (including regulatory requirements), and where it is necessary for our legitimate interest in ensuring we can provide you and your Merchant with the Services and to continuously improve our Services |
| If you are an End-User using our AIS or Verification Service | Any personal data that is contained in the account information that you have given us your explicit consent to access in our Terms of Service including your bank account, balance and transaction details | To deliver our Services to you and/or our Merchants and to improve our Services | It is necessary for our legitimate interest in ensuring that we can provide you and your Merchant with the Services and to continuously improve our Services |
| If you are an End-User using our PIS Service | Any personal data that you give to us, for example your name, email address, username, login data and any payment reference that you supply. | To deliver our Services to you and/or our Merchants and to improve our Services | It is necessary for our legitimate interest in ensuring that we can provide you and your Merchant with the Services and to allow us to continuously improve our Services |
| If you are receiving a payment from a Merchant | Your name, account details (account number, sort code and/or IBAN), date of birth and postal address | To deliver our Services to you and/or our Merchants including processing a Pay Out to you. | It is necessary for our legitimate interest in ensuring that we can provide you and your Merchant with the Services and to allow us to continuously improve our Services |
| If you are an End-User using our Signup+ Service | Your name, postal address, date of birth, phone number, email address, account number, sort-code and/or National ID number | To deliver our Services to you and/or our Merchants and to improve our Services | It is necessary for our legitimate interest in ensuring that we can provide you and your Merchant with the Services and to allow us to continuously improve our Services |
| If you opt in to store your details with us for future payments (Remember Me / Save Details) | Any personal data that you have chosen to store with us | To deliver our Services to you and/or our Merchants and to improve our Services | Performance of a contract with you |
| If you are a visitor to our Site | Your name, email address and any other personal data you supply to us (such as any feedback) | To provide you with updates on our activities, Services and products; to record your marketing preferences and any feedback or responses for the purposes of improving our Services. | With your consent |
| | Any personal data we collect as part of your Cookies setting, namely online identifiers (such as your cookie identifier, IP address, browser type and version, time zone settings and location) | To allow us to run the operation of our Site and ensure that our provision of Services through our website runs as smoothly as possible | With your consent |

Important: Before we process your personal data to pursue our legitimate interests for the above purposes, we determine whether such processing is necessary and we carefully consider the impact of our processing activities on your fundamental rights and freedoms. On balance, we have determined that such processing is necessary for our legitimate interests and that the processing which we conduct does not adversely impact these rights and freedoms.

We will only use your personal data for the purposes for which we collect it (as outlined in this section) unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

How we collect your Personal Data

Everyone

We will collect personal data about you:

  • Through email when you communicate with us.

  • When you visit our Site through cookies or other similar tracking technologies

    • For more information see the “Cookies” section below

  • When you provide us with your consent, your marketing preferences.

If you are an End User

We will collect personal data about you:

  • From Merchants

    • Basic identity information (name, email address, postal address, phone number, date of birth) will be provided to us by your Merchant. This is required in order for us to provide you with the Service you have explicitly consented to.

  • From you

    • Some of our Services require you to share personal data with us directly. We will also give you the opportunity to store some of this information with us to speed up future payments.

  • From your bank

    • The provision of our Services requires us to collect information from your bank regarding bank accounts, account transactions and other financial information. Please note that we do not collect this type of information without your explicit consent.

  • From Identity Providers

    • We will sometimes use third party identity providers to obtain further information about you in order to provide our Service. 

| Service | What Data | From Who |
| --- | --- | --- |
| AIS and/or Verification | Personal data in your Account Information | Your bank |
| | Personal data identifying you | Your Merchant |
| PIS and/or PayIn | Personal data in your Account Information or payment account details shared with us | Your bank |
| | Personal data identifying you | Your Merchant |
| | Personal data included in a payment reference | You |
| Signup+ | Personal data identifying you | Your Merchant |
| | Personal data identifying your bank account | Your bank |
| | Personal data identifying you | Equifax, our third party data provider |
| PayOuts | Personal data to identify your bank account | Your Merchant |
| Save details / Remember me | Personal data collected as part of the Service we provide you with | You, Your Merchant, Your bank |
| End User Portal Registration | Personal data to identify you | You |

If you represent a Merchant

If you represent a Merchant, we may collect your personal data from the following sources:

  • through our Site when you register as a Merchant or use our Services

  • through information that you provide to us and from third party sources such as Companies House and LexisNexis for due diligence at onboarding and periodically. 

How long we keep your personal data

We will not keep your personal data for any longer than we think is necessary. When deciding how long to keep your personal data, we consider factors including:

  • our contractual obligations and rights in relation to the personal data involved (including the Terms of Service)

  • legal obligation(s) to retain data, or delete data, for/after a certain period of time 

  • whether we relied on your consent to use the personal data, but you have since withdrawn your consent

  • our legitimate interests where we have carried out balancing tests;

  • fraud and risk management

  • (potential) disputes

  • guidelines issued by relevant data protection authorities.

Sharing of your personal data

When you use our Services as an End-User, we share your personal data with your Merchant, who will become responsible for it. You can refer to your Merchant’s privacy notice to understand how they use and manage your personal data.

If you are an End-User or represent a Merchant, we may also have to share your personal data:

  • if we reasonably consider that we are under a duty to disclose or share your personal data in order to comply with any legal obligation

  • if we need to enforce or apply our Terms of Service and other agreements

  • to protect the rights, property, or safety of TrueLayer, our Merchants or others

  • to fulfil our legal obligations

  • with our professional advisors such as lawyers, auditors, consultants or insurers

  • with partners or suppliers who process personal data on our behalf. 

    • We take the security and protection of your personal data seriously and only allow such suppliers to use your personal data for specified purposes and in accordance with our instruction

  • with third parties to whom we may sell, transfer or merge parts of our business or assets. 

    • If a change like this happens to our business, the new owners may use your personal data in the same way as set out in this Privacy Notice

  • to another company in our group, if this is necessary to ensure continuity in the provision of Services to you, or to reflect any business reorganisation or expansion that we may engage in from time to time

Depending on the Service that you use, your personal data may be shared with one of the following entities solely for the purpose of providing that Service.

| Processor | Service Description | Location of Processing | Which Services? |
| --- | --- | --- | --- |
| AWS | Cloud infrastructure Merchant | United Kingdom | All Services |
| Zendesk | Zendesk provides our ticketing and chat system used to communicate with you | Ireland | All Services |
| Pontica | Pontica is used to triage incoming end user questions and complaints | Ireland | All Services |
| Auth0 | Auth0 provides user authentication and authorisation Services | United Kingdom | All Services |
| Salv Technologies OÜ | Providing transaction monitoring Services | Germany | All Payments Products |
| Moodys | Providing transaction monitoring Services | Belgium | All Payments Products |
| AS LHV Pank | LHV is our partner bank for SEPA CT, SEPA INST and Target2 Covering the EU | Estonia | EU PayIns and PayOuts |
| Form 3 | Form3 is our technical Service provider that facilitates our communication with the SEPA and Target payment schemes. Covering the EU | Ireland and United Kingdom | EU PayIns and PayOuts |
| ClearBank | ClearBank is our partner bank and provides TrueLayer the ability to facilitate Faster Payments, CHAPS, and BACS payment schemes covering the UK | United Kingdom | UK PayIns and Payouts |
| Equifax | Equifax is our data provider for the purposes of our Signup+ product | United Kingdom | Signup+ |
| Twilio | Twilio sends a one time password (OTP) to authenticate you | United States | Remember me / Save Details |
| GB Group Plc | Providing transaction monitoring Services | United Kingdom | All Payments Products |

International transfers of your personal data

The data that we collect from you will generally speaking not be transferred to or stored outside the European Economic Area ("EEA") or the UK. We will take reasonable steps to ensure that your personal data is handled securely and in accordance with this Privacy Notice.

However, whenever we do transfer your personal data out of the EEA or the UK, we will only do so if:

  • you have given your prior written authorisation; or

  • there is an appropriate transfer agreement or other approved transfer mechanism in place such as Standard Contractual Clauses or an adequacy decision by the European Commission.


Please contact us if you want further information on how we ensure adequate protection for any personal data transferred out of the EEA or the UK.

Cookies

When you browse the Site, use our Services or visit websites or apps that offer our Services, we will automatically receive your computer’s internet protocol (IP) address. We may collect data about how you interact with our Site or Services through the use of cookies or other similar tracking technologies (collectively referred to as Cookies). A cookie is a small file of text that is stored on your browser or the hard drive of your computer.


We use Cookies to distinguish you from other users of our Site and/or Services. They help us to remember your preferences. When you visit our Site and/or use our Services, Cookies allow us to keep track of how many times you’ve visited us, how long you’ve visited us for and what you’ve done whilst you’ve been on our Site and/or using our Services.

The information collected with these technologies helps us in ensuring that we can:

  • provide you with, and continuously improve, our Services; 

  • enhance your experience of our Site;

  • better understand how our Site is used;

  • help our Merchants better understand the uses of their platform; and 

  • help our Merchants to enhance your customer experience.


None of the Cookies we use are used to identify you as an individual. They typically collect anonymous identifiers associated with your device, browser, referring site URLs, time or usage information. Cookies never store any of your banking details.

Cookies can be "first party" which are cookies set by us, or "third-party" which are cookies that are placed on your computer/device by a third party when you visit our Site or use our Services.

We will only deploy non-necessary Cookies on your computer/device when we have obtained your prior consent to do so. If you choose to consent to our use of non-necessary Cookies, you may withdraw your consent to these Cookies at any time.

We use the following types of cookies:

  • Strictly Necessary Cookies

    • These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

  • Functional Cookies

    • These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

  • Targeting Cookies

    • These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

  • Performance Cookies

    • These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

Managing cookies

We only deploy strictly necessary Cookies upon the initial loading of our Site. All other types of Cookies are non-necessary and so we need your prior consent to deploy them. Non-necessary Cookies help to maximise your experience when using our Site.

We request your prior consent to use non-necessary Cookies via our Cookie banner. You can change your Cookie preferences and withdraw your consent through changing the setting via our cookie banner.

You may also set your browser to disable Cookies, but this action may block our strictly necessary cookies and prevent our Site from functioning properly, and you may not be able to fully utilise all of the Site's features and services.

Your Rights

Subject to applicable law, you have the following rights which you can seek to exercise in respect of your personal data that we process.

  • The right to request confirmation of whether we process any personal data relating to you, and if so, to request a copy of that personal data

  • The right to request us to stop processing personal data and, in particular, to cease using your personal data for any direct marketing purposes

  • The right to request that we restrict the use of your personal data in certain circumstances

  • The right to request that we rectify or update your personal data that is inaccurate, incomplete or outdated

  • The right to request that we delete any personal data we hold about you where there is no legitimate reason for us to continue to process it

  • Where the processing of your personal data is based on your previously given consent, you have the right to withdraw your consent at any time

  • The right to request that we export your personal data to another company, where technically feasible

In order to exercise any of the above rights, please email us at [email protected] to make a subject access request detailing:

  • your name;

  • your address;

  • the details of your Merchant; and

  • the period of data you would like access to.

We may not always be able to delete or correct your data on request if it is not within our control (such as with Account Information, in which case we will forward your request to the ASPSP) or if we are subject to legal requirements to keep the data.

Changes to this Privacy Notice

Any changes we make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Privacy Notice.

Questions and Contact Information

If you would like to access, correct, amend or delete any personal information we have about you, or simply want more information about how we process your personal data, you can contact us at [email protected].


Making a complaint to a supervisory authority

Should you be dissatisfied with the service we provide, you have the right to register a complaint with us at [email protected] and/or to file a formal complaint with the Information Commissioner's Office at www.ico.org.uk, or with the relevant data protection supervisory authority in your country of residence.