Privacy Policy

Dated: 15 Jul 2022

Overview

The privacy and security of your data is of paramount importance to all of us at TrueLayer. Please read this Privacy Policy carefully before using our website, our Tools (collectively the "Site") or any of our services. If you have any questions or queries about the contents, please email us at [email protected].TrueLayer Limited ("TrueLayer") (with company number 10278251) is based at 1 Hardwick Street, London, EC1R 4RB. For the purposes of data protection laws, TrueLayer is registered as a data controller with the Information Commissioner's Office ("ICO") under number ZA797592.In this Privacy Policy, TrueLayer will be referred to as "we", "us", or "our". Additionally, there are references to "You" and "Your". In these instances, "You" may be a visitor to our Site, a customer that is an individual, or an employee of a corporate customer (in each case, a "Customer"), or a user of our Customer’s products or services ("End User").This Privacy Policy explains how we collect, store, process and protect your personal data for the services listed below (together, the "Services").You should read this notice, so that you know what we are doing with your personal data. Please also read our End-User Terms of Service, in addition to any other privacy notices and documentation that we give you that might apply to our use of your personal data in specific circumstances in the future.

Personal Data

The personal data we collect about you and how we use it	What type of personal data are we using?	Purpose of Processing	What lawful basis do we rely on to use your personal data?
If you are a TrueLayer Customer	Your name, date of birth, address, email, number, username, client ID and login data if you register as a user.	To deliver our Services to you	To deliver a contractual service to you as our Customer
	Your name, date of birth, address, email, number and photo identification. Such personal data may include any criminal background information.	To conduct any due diligence that we are required to do in order for you to receive our Services	To comply with our legal obligations (including regulatory requirements that we are under)
	Your name, email address, username and login data you supply to us if you register as a user.	To provide you with updates on our activities, services and products; to record your marketing preferences and any feedback or responses for the purposes of improving our Services	With your consent
If you are an End-User of our AIS Tool or our Verification Tool	Any Personal Data that is contained in the account information that you have given us your explicit consent to access in accordance with the End-User Terms of Service.	To deliver our Services to you and/or your Provider and to improve our Services, AIS Tool and Verification Tool	It is necessary for our legitimate interest in ensuring that we can provide you and your Provider with the Services and to continuously improve our Services
If you are an End-User of our PIS Tool	Any Personal Data that you give to us, for example your name, email address, username, login data and any payment reference that you supply.	To deliver our Services to you and/or your Provider and to improve our Services and PIS Tool	It is necessary for our legitimate interest in ensuring that we can provide you and your Provider with the Services and to allow us to continuously improve our Services
If you are an End-User of Merchant Services (as defined in the End-User Terms of Service)	Any Personal Data that you have given to your Provider (through whom you are accessing Merchant Services), including your name, account number, sort code, date of birth, address and email address and any photo identification. Such personal data may include any criminal background information.	To conduct any identification and verification checks which are required for customer due diligence during the onboarding process that we are required to do in order for you to receive our Services	To comply with our legal obligations (including regulatory requirements that we are under)
	Your name and IBAN details that are set up when you register with your Provider through whom you are accessing Merchant Services	To deliver our Merchant Services to you and/or your Provider, including initiating payment and, where relevant, processing a refund.	It is necessary for our legitimate interest in ensuring that we can provide you and your Provider with the Services
If you are an End-User of Signup+	Your name, postal address, date of birth, phone number, email address, account number and sort-code	To deliver and improve our Services to you and your Provider	It is necessary for our legitimate interest to (i) ensure we provide you and your Provider with the Services; and (ii) to improve our Services.
If you are an End-User of any of our products	Your name, address and any photo identification. Such personal data may include any criminal background information.	To conduct any due diligence that we are required to do in order for you to receive our Services	To comply with our legal obligations (including regulatory requirements that we are under)
	Your name, email address, username and login data you supply to us if you register as a user via any TrueLayer portal or console.	To deliver our Services to you and to give you access to information we hold about you	With your consent
	Your username, email and account information, supplied to us by your Provider	To debug any issues you have when you access our Services and to improve our automated processes for retrieving data.	It is necessary for our legitimate interest in ensuring that we can provide you and your Provider with the Services and to allow us to continuously improve our Services
	Any Personal Data that is contained in the account information that you have given us your explicit consent to access in accordance with the End-User Terms of Service.	To anonymise or pseudonymise the Personal Data in order for it to be used to improve our Services, to be part of a market study or analytics by us or a third party.	It is necessary for our legitimate interest in ensuring that we are able to continuously improve and develop our Services and enhance the experience of you and your Provider
	Your name, email address, postal address, account number and sort- code where made available to us.	To keep a record of your use of our services, to provide our services to you and/or your Provider, to improve our services and to allow us to identify you for reporting, compliance and customer service purposes.	To comply with our legal obligations (including regulatory requirements); it is necessary for our legitimate interest in ensuring we can provide you and your provider with the service.
If you are a visitor to our Site or Tool	Your name, email address and any other Personal Data you supply to us (such as any feedback)	To provide you with updates on our activities, services and products; to record your marketing preferences and any feedback or responses for the purposes of improving our Services.	With your consent
	Any Personal Data we collect as part of your Cookies setting, namely online identifiers (such as your cookie identifier, IP address, browser type and version, time zone settings and location)	To allow us to run the operation of our Site and ensure that our provision of Services through our website runs as smoothly as possible	With your consent

How we collect your Personal Data

These are the ways in which we may collect your personal data:If you are an End-UserIf you are an End-User, the provider of the application through which you access our Services (your “Provider”) will direct you to use our Services which will include the following:

If you are an End-User using either:
1. our AIS product, through a software tool (the “AIS Tool”); or
2. our Verification product, through a software tool (the “Verification Tool”)
which you can use to transmit information (including Personal Data) relating to payment accounts (“Account Information”) that you hold with Account Servicing Payment Service Providers (i.e. any payment service provider, such as a bank or a credit card issuer that maintains an online payment account on your behalf) (“ASPSPs”) to you and your Provider, in accordance with the End-User Terms of Service. When you use the AIS Tool or Verification Tool, we will collect and process the Personal Data contained in the Account Information retrieved from your ASPSP. We may also collect and process Personal Data provided to us by your Provider.
If you are an End-User using our payment initiation services (“PIS”) product, through a software tool (the “PIS Tool”) which you can use to consent to and authorise a payment as specified by your Provider; this may require that your ASPSP sends us your bank account details. When you use the PIS Tool, we will collect and process the Personal Data that you provide to us (e.g. any Personal Data you include in the payment reference) in order for us to provide the PIS Tool. We may also collect and process Personal Data contained in your bank or payment account details shared with us by your ASPSP.Our Tool may merge or aggregate Account Information retrieved from a particular ASPSP with Account Information retrieved from other ASPSPs where you have consented to us accessing and transmitting such information. Our Tool may use your Account Information for profiling purposes or store your Account Information if this forms part of the Services we are delivering to your Provider, for example, if it is necessary for the functioning of your Provider’s app.
If you have registered to use the TrueLayer End-User Portal or console we will collect and process your name, email, username that you provide to us in order to access the End-User Portal and the information about your use of the AIS Tool.
Through email when you communicate with us.
When you visit our Site.
When you provide us with your marketing preferences.

If you are a CustomerIf you are a Customer, we may collect your personal data from the following sources:

through our Site when you register as a Customer or use our Services;
through email when you communicate with us;
through information that you provide to us, and from third party sources such as Companies House and LexisNexis for due diligence and onboarding purposes;
when you visit our Site; and/or
when you provide us with your marketing preferences.

If you are a visitor to our SiteIf you are a visitor to our Site, we may collect your personal data from the following sources:

through cookies or similar tracking technologies that we have set on our Site; and/or
when you provide us with your marketing preferences through the Site.

For more information on our use of cookies and/or similar tracking technologies, see the “Cookies” section below.

How long we keep your Personal Data

We will not keep your Personal Data for any longer than we think is necessary.When deciding how long to keep your Personal Data, we consider factors including:

our contractual obligations and rights in relation to the Personal Data involved (including the End-User Terms of Service);
legal obligation(s) under applicable law to retain data for a certain period of time;
whether we relied on your consent to use the Personal Data, but you have since withdrawn your consent;
statute of limitations under applicable law(s);
our legitimate interests where we have carried out balancing tests;
fraud and risk management;
(potential) disputes; and
guidelines issued by relevant data protection authorities.

Sharing of your Personal Data

By using our Services as an End-User, we share your Personal Data with your Provider who will become responsible for it as a data controller.If you are an End-User or a Customer, we may also have to share your Personal Data:

if we reasonably consider that we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation;
we need to enforce or apply our End-User Terms of Service and other agreements;
to protect the rights, property, or safety of TrueLayer, our customers, or others;
if we have to do so to fulfil our legal obligations;
with partners or suppliers who process Personal Data on our behalf - we take the security and protection of your Personal Data seriously and only allow such suppliers to use your Personal Data for specified purposes and in accordance with our instructions;
with third parties to whom we may sell, transfer or merge parts of our business or assets. If a change like this happens to our business, the new owners may use your Personal Data in the same way as set out in this Privacy Policy; and/or
to another company in our group, if this is necessary to ensure continuity in the provision of Services to you (including in relation to the UK’s withdrawal from the European Union), or to reflect any business reorganisation or expansion that we may engage in from time to time.

Depending on the Service that you use, your personal data may be shared with one the following entities in order for us to be able to provide both you and your Provider with the services you have opted to use.

Sub-Processor	Service Description	Location of Processing
AWS	Cloud infrastructure provider	United Kingdom
Zendesk	Zendesk provides our ticketing and chat system used to communicate with you	Ireland
Auth0	Auth0 provides user authentication and authorisation services	United Kingdom
Salv Technologies OÜ	Providing transaction monitoring services	Germany
AS LHV Pank	LHV is our partner bank for SEPA CT, SEPA INST and Target2 Covering the EU	Estonia
Form 3	Form3 is our technical service provider that facilitates our communication with the SEPA and Target payment schemes. Covering the EU	Ireland and United Kingdom
ClearBank	ClearBank is our partner bank and provides TrueLayer the ability to facilitate Faster Payments, CHAPS, and BACS payment schemes covering the UK	United Kingdom

International transfers of your Personal Data

The data that we collect from you will generally speaking not be transferred to, or stored outside the European Economic Area ("EEA") or the UK. We will take reasonable steps to ensure that your Account Information (including any Personal Data) is handled securely and in accordance with this Privacy Policy.However, whenever we do transfer your Personal Data out of the EEA or the UK, we will only do so if:

it is to a country that has been deemed to provide an adequate level of protection for Personal Data by the European Commission (or the UK once the Brexit transition period is over); or
we have entered into a standard contractual clause approved by the European Commission or the UK once the Brexit transition period is over, which give Personal Data the same protection it has in the EEA or the UK, with the recipient of the data.

Please contact us if you want further information on how we ensure adequate protection for any Personal Data transferred out of the EEA or the UK.

Cookies

When you browse the Site, use our Services, Tools or visit websites or apps that offer our Services, we automatically receive your computer’s internet protocol (IP) address. We may collect data about how you interact with our Site, Tools or Services through the use of cookies or other similar tracking technologies (collectively referred to as “Cookies”). A cookie is a small file of text that is stored on your browser or the hard drive of your computer.We use Cookies to distinguish you from other users of our Site, Tools and/or Services. It helps us to remember your preferences. When you visit our Site or use our Tools and/or Services, Cookies allow us to keep track of how many times you’ve visited us, how long you’ve visited us for and what you’ve done whilst you’ve been on our Site or using our Tools and/or Services.The information collected with these technologies helps us in ensuring that we can:

provide you with, and continuously improve our Services;
enhance your experience of our Site;
better understand how our Site is used;
help our merchants better understand the uses of their platform; and
help our merchants to enhance your customer experience.

None of the Cookies we use are used to identify you as an individual. They typically collect anonymous identifiers associated with your device, browser, referring site URLs, time or usage information. Cookies never store any of your banking details.We use the following types of cookies:

Strictly necessary Cookies that are required for the operation of our Site, Tools and/or Services. These include Cookies that tell us if you’ve consented to the placement of functionality or analytical /performance Cookies, let you log into secure areas of our website, let us authenticate you when you sign-on to use any of our Services, and help us distinguish you from other users of our Site, Tools and/or Services (for example, if you are using our chat service). The functionality of our Services would be affected if these cookies are disabled.
Functionality or preference Cookies, that are used to recognise you when you return to our website so we can personalise our content for you (such as your country or language preferences).
Analytical or performance Cookies, that enable us to count the number of unique visitors to our Site and/or Tools and to see how users interact with our Site, Tools and/or Services by collecting information such as network requests, console logs, text entered and mouse movements.. We use this information to help improve our Site Tools and/or Services and your experience. For example, we can use these Cookies to understand what areas of our website are not being used by users and make improvements.

Managing cookiesYou can change your cookie preferences by changing the setting on your browser. Below we have provided links to some of the most popular browser websites:

To find information relating to other browsers, visit that browser developer's website.Finally, you can find more information about how to manage and remove cookies (including how to opt-out) at this link.

Your Rights

Right of accessYou have the right to ask us to provide any personal data we have collected about you, to you. Should you wish to do so, please email us at [email protected] to make a subject access request detailing:

your name;
your address;
the details of your Provider; and
the period of data you would like access to.

Object to processing, including Direct MarketingYou may have the right in certain circumstances to ask us to stop processing your Personal Data. You always have the right to ask us to stop processing your Personal Data for direct marketing purposes, at any time.Request to restrict processingYou may, in certain circumstances, have the right to ask us to restrict the processing of your data or to suppress your data.Request correction or erasureIf we hold any of your Personal Data, you have the right to ask us to correct any inaccurate data we hold about you or delete the data where there is no legitimate reason for us to continue to process it. We may not always be able to delete or correct on request if it is not within our control (such as with Account Information, in which case we will forward your request to the ASPSP) or if we are subject to legal requirements to keep the data.Withdraw consentIf any of our Services require your consent to process your Personal Data and after you provided your consent, you change your mind, you may withdraw your consent by contacting us as set out in the contact information below.Request to transferWhere we collect and store your Personal Data to perform a contract that we have with a Provider, you may request the transfer of your personal data to a third party, which we will provide to you in a structured, commonly used and machine-readable format.

Changes to this Privacy Policy

Any changes we make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.

Questions and Contact Information

If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information about how we process your Personal Data, you can contact us at [email protected] or by mail at:

Data Protection Officer,
TrueLayer,
1 Hardwick Street,
London EC1R 4RB.

Making a complaint to a supervisory authority

Should you be dissatisfied with the service we provide, you have the right to file a formal complaint to the Information Commissioner's Office at www.ico.org.uk, or to the relevant data protection supervisory authority in your country of residence.

Account Information

Subject to such Account Information being returned by the relevant ASPSP, Account Information shall include, but not be limited to, the following financial information and Personal Data:

Personal details: name, date of birth, full address(es), email address, phone number, gender;
Bank account information:
- Account type (e.g. current, saving, investment, credit card);
- Account name;
- IBAN/Account number/Sort code/SWIFT;
- Currency;
Account balance information:
- Current balance;
- Available balance (credit cards);
Transactions;
- Time;
- Description;
- Amount;
- Meta-data (arbitrary data that banks associate with a transaction e.g. category); and/or
Additional data which TrueLayer may collect in the future (as confirmed in writing from time to time):
- Loans data when available;
- Insurance data when available; and/or
- Investments data when available;
- Payment due date (credit cards) when available; and/or
- Minimum payment due (credit cards) when available.