App privacy notice 4.0
Introduction
This App Privacy Notice (together with our Terms and Conditions which can be read here (“Terms”) applies to your use of:
- Credas Technologies Ltd web application software and/or Credas Technologies Ltd mobile application software (“App”).
- Any of the services accessible through the App (“Services”).
Version
| Version | Date | Amendment |
|---|---|---|
| 1.0 | 22/05/2018 | Initial notice |
| 2.0 | 03/07/2020 | Expansion to be compliant with GDPR |
| 3.0 | 26/07/2021 | Change of Data Protection Officer |
| 3.1 | 25/02/2022 | Data retention information |
| 4.0 | 31/08/2022 | Addition of Fair Processing Notice for fraud prevention agencies Removal of LexisNexis Risk Solutions UK as a Data Provider |
Who we are
Credas Technologies Ltd (referred to as “Credas“, “We“, “Us” or “Our” in this notice) is responsible for the App and Services.
We have appointed a Data Protection Officer (DPO). If you have any questions about this privacy notice, please contact them at dpo@credas.com.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, however We would always appreciate the opportunity to resolve any issue you may have with the App or Services in the first instance.
The purpose of the App is to help customers (“Customers”) provide Services to their clients (“you” or “End User”) and to enable you to upload, access, collect, retain and amend your data quickly and securely.
The data We collect about you
We will collect different data from you for different purposes:
As a processor when We are asked by a Company to process specific checks on you on their behalf (“Verification Checks”).
Unless expressly stated elsewhere, as a controller in respect of any commercial contract We may have with you.
As a controller to administer and protect Our business, App and Sites including troubleshooting, data analysis and system testing.
As a data controller when you sign up to an account with us and agree to the creation of a digital wallet (“Wallet”).
As a data controller in the set-up, store, maintenance and administration of your Wallet.
The categories of data which We may collect are as follows:
| Contact | Content | Financial | Identity | Profile | Usage |
|---|---|---|---|---|---|
| Email address | Document | Bank account | Biometric (selfie) | Feedback | Device |
| Postal address | Photo | Credit check | Date of birth | Password | IP address |
| Tel. number | Text | Transactional | Directorship | Preferences | System |
| Job title | |||||
| Name |
The above categories of data may change to reflect additional services offered by Us from time to time. However, you will always be given the option to determine and agree to what personal data is uploaded and stored in your Wallet from time to time. We will amend this policy from time to time to reflect such additional services.
Special Category Data We may collect about you
If you are using the App for identity verification (facial verification), this is classed as Special Category Data as it includes biometric data.
Under data protection laws We require your explicit consent to process Special Category Data, which will be provided by you in the registration process. If you do not provide your consent for Us to process this data, We may not be able to carry out the Verification Check.
How your personal data is collected
We may collect and process your data using different methods:
Information you give Us: This is information you consent to giving Us about you by using the App, Wallet and Services.
Information We receive from others: This is information given to Us by the Company or information We receive from our Data Providers when carrying out a Verification Check on behalf of the Company. Our current Data Providers are: Companies House; GB Group Plc; Cifas. We may update this list from time to time.
How We use your personal data
We will only use your personal data when the law allows Us to do so. Most commonly We will use your personal data in the following circumstances:
- Consent: where you have consented before the processing
- Contract: where We need to perform a contract We have with the Company that has requested that you use Our App
- Legitimate Interests: where it is necessary for Our legitimate interests and your interests and fundamental rights do not override those interests
Purposes for which We will use your personal data
This table identifies the purposes for processing types of personal data and confirms in which situations we are acting as a data controller or processor of such data. The range of data we collect will be dependent on the Services requested by the Company and the information you have provided to us as part of the Wallet.
| Purpose | Data | Lawful basis for processing | Controller/Processor |
|---|---|---|---|
| To install the App and register you as a new Wallet user | Contact Identity Profile | Consent Contract | Controller |
| To set-up, store, maintain and administer the Wallet. | Contact Identity Profile Usage | Consent Contract | Controller |
| To administer and protect Our business, App and Sites including troubleshooting, data analysis and system testing | Contact Identity Usage | Legitimate Interests | Controller |
| Verification Check(s) | Contact Content Financial Identity | Consent Contract | Processor |
Disclosures of your personal data
When you consent to providing Us with your personal data, you also consent for Us to share your personal data with the third parties set out below:
- Service providers acting as processors based in based in England and Wales to provide IT and system administration services (e.g. Microsoft).
- Professional advisers acting as processors including lawyers, bankers, auditors and insurers based in based in England and Wales to provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue and Customs, regulators and other authorities acting as processors or joint controllers based in England and Wales who require reporting of processing activities in certain circumstances.
- Third parties to whom We may choose to sell, transfer or merge parts of Our business or Our assets. Alternatively, We may seek to acquire other businesses or merge with them. If a change happens to Our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
- Data Providers.
Fraud prevention agencies
The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found here.
International transfers
We do not transfer your personal data outside the United Kingdom.
Data security
All information you provide to Us is stored on secure servers situated in the United Kingdom.
No images are stored locally on your device. All communication between our App and the servers is carried out over secure connections, and data is encrypted during transit and at rest.
We perform ongoing automated penetration to ensure that the App is secure.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when We are legally required to do so.
Data retention
Upon you submitting data to Us, We will automatically create a Wallet for you which, in the future, should make it easier for you to provide your data to a requesting Company, without having to repeat Verification Checks. To facilitate the functionality of the Wallet and make the data within it available to you at all times, your data will be retained by us until you request the deletion of your Wallet. We may, however, delete your Wallet if it has not been accessed for a period of 6 years. You can delete your Wallet at any time by selecting the option in the App or contacting us at Louis.Lancaster@credas.com.
Your legal rights
Under certain circumstances you have rights under data protection laws in relation to your personal data.
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.
Your right to object to processing
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You can read more about this right here.
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about this right here.
You are not required to pay any charge for exercising your rights. We have one month to respond to you.
Please contact us at dpo@credas.com if you wish to make a request.
Lawful Basis
Legitimate Interest
Usage category data is required in order to troubleshoot any issues encountered (e.g. operating system version is not supported) and/or to inform product development (e.g. user preference of web app over mobile app).
