Dated: February 2019
Privacy and the security of data are of paramount importance to all of us at TrueLayer. Please read this document carefully, and if you have any questions or queries about the contents, please email us at firstname.lastname@example.org
We are the data controller for the purposes of the personal data we collect via our website and for the performance of the services listed under the usages of your personal data, below (together, the “Services”).
Collection of your personal data
When you use our Services we will have access to your personal data that you submit to us and personal data held by Account Servicing Payment Service Providers (i.e. any payment service provider, such as a bank or a credit card issuer that maintains an online payment account on your behalf) (“ASPSPs”) (“Personal Data”) for the duration of the transmission.
Such Personal Data may include your date of birth, gender, account information, account balance, transactions, information on loans, insurance data and investments data. The manner in which we access, use, process and store your personal data for the provision of the Services is set out below.
When you use our website (the “Site”) we will collect browser information, including your IP address. We will also store some cookies (see our Cookies section below for more details).
Use of your personal data
Your Provider will direct you to use our Services which will include the following:
- We will provide you with a software tool (“Tool”) which you can use to transmit information (including personal data) relating to payment accounts (“Account Information”) that you hold with ASPSPs to your Provider, and for Payment Initiation, which you can use to consent to and authorise a payment as specified by your Provider; this may require that your Provider sends us your bank account details;
- To use our Services you may need to provide the same identifying information that you use to login to your online bank account to access your relevant payment accounts with your bank (“Credentials”).
- The Tool may allow you to use your Credentials to retrieve such Account Information as you choose to transmit to the Provider. Schedule 1 to the Terms of Service ists the information that you can elect to retrieve and transfer using the Tool.
You should check your Provider’s rules on data privacy. If your Account Information (including any Personal Data) is transmitted from a Provider to us, or through our software to a Provider, that Provider (and not TrueLayer) is responsible for it.
Our Tool may merge or aggregate Account Information retrieved from your Provider, or a particular ASPSP with Account Information retrieved from other ASPSPs where you or your Provider have instructed us to access and transmit such information.
When you have signed up on TrueLayer’s website for marketing purposes we will use your email address to contact you in relation to products, events and service-related matters, where you have provided your consent to do so.
Retention of your personal data
We will not retain your information for any longer than we think is necessary. Information that we collect will be retained for as long as needed in order to:
- fulfil the purposes outlined in the ‘Use of your personal data’ section above;
- in line with our legitimate interest;
- or for a period specifically required by applicable regulations or laws, such as retaining the information for regulatory reporting purposes.
When determining the relevant retention periods, we consider factors including:
- our contractual obligations and rights in relation to the information involved;
- legal obligation(s) under applicable law to retain data for a certain period of time;
- statute of limitations under applicable law(s);
- our legitimate interests where we have carried out balancing tests (see section on 'How we use your personal information' above);
- fraud and risk management;
- (potential) disputes; and
- guidelines issued by relevant data protection authorities.
Otherwise, we securely erase your information where we no longer require your information for the purposes collected.
Deletion of Personal Data
We will not keep your Personal Data for longer than necessary. We will delete your Personal Data:
- as soon as it is no longer needed to provide the Services to you;
- upon termination of the Terms of Service; and / or
- if You withdraw Your consent, and Your consent is necessary for us to retain the data.
We may share your Personal Data with selected third parties, including business partners, suppliers and sub-contractors that assist us in the provision of our Service to you. The third-party providers used by us will only collect, use and disclose your information as instructed by us to provide Services to you.
We may also disclose your Personal Data to other third parties in the event that:
- We reasonably consider that we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or
- in order to enforce or apply our Terms of Service and other agreements; or
- to protect the rights, property, or safety of TrueLayer, our customers, or others.
Transfer of your personal data outside of the European Economic Area
The Legal basis for processing personal data
These are our legal reasons for processing your personal data:
- For the performance of a contract with You or Your Provider;
- For the purpose of furthering TrueLayer’s legitimate interests including providing better products, services, websites and applications, to operate our websites and applications.
- With your consent to provide you with updates of TrueLayers, products, events and service-related matters.
When you use our services you may provide us with your Credentials and we require your consent to use those Credentials to:
- retrieve your Account Information (including any Personal Data);
- to provide such Account Information to the Providers which referred you to us;
- improve the Services or the Tool.
- temporarily access your payment account to debug any issues and to improve our automated processes for retrieving data.
You or your Provider may provide us with your Personal Data in order to initiate a payment.
The Personal Data we collect about You may be stored and processed to provide, maintain and improve our Services and Tool.
Your Personal Data may be anonymised, to be part of a market study or analytics by us or a third party. On our website, we use Google Analytics or Mixpanel to process data in an anonymous form to provide us information about the use of our Site.
When you have signed up on TrueLayer’s website for marketing purposes you provide your personal information voluntarily and TrueLayer can only send you updates with your consent.
We use industry-standard encryption methods to ensure the security of your Personal Data in accordance with applicable law and regulation but cannot guarantee the security of any data transmitted to a Provider using our Tool. Once we have received your information, we take reasonable precautions to ensure that it is not lost, misused, accessed, disclosed, altered or destroyed. If you have reason to believe that your Personal Data is no longer secure (for example if you feel that the security of your Personal Data has been compromised then please contact us immediately).
Our Services are not intended for use by anyone younger than 18 years old. Please do not use our Services if you are under 18.
Subject Access Requests
You have the right to ask us to provide any personal data we have collected about You, to You. Should You wish to do so, please email us at email@example.com to make a subject access request detailing:
- your name,
- your address,
- the details of your Provider, and
- the period of data you’d like access to.
Making a complaint to a supervisory authority
Should you be dissatisfied with the service we provide, You have the right to file a formal complaint to the Information Commissioner's Office at www.ico.org.uk.
Object to Direct Marketing
You have the right to ask us at any time to stop processing your Personal Data for direct marketing at any time. We provide for the right for you to unsubscribe from any of our marketing material at any time.
The Right to be Forgotten
If after you provided your consent, you change your mind, you may withdraw your consent by contacting us at our address or at the email address set out in the contact information above.
Questions and Contact Information
If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information about how we process your Personal Data, you can contact us at firstname.lastname@example.org or by mail at:Data Protection Officer, TrueLayer, 1 Hardwick Street, London EC1R 4RB.