Credas Compliance Wallet Consent Policy

The Credas Compliance Wallet is designed to protect your information and help you choose what you share, when you share it, and with who.

This Consent Policy should be read in conjunction with our Privacy Notice available here on our website.

Why are you asking my consent?

To save you having to repeat identity verification and compliance checks, an organisation you are using would like to reuse the existing checks you have already successfully completed with Credas.

For us to securely share the results of your identity verification and compliance checks with your chosen organisation, we first need to obtain your consent.

We will do this by sending you a consent request notification via SMS/email. We will ask you to authenticate the response by performing a selfie for facial recognition to verify that it is you giving consent.

When you give us your consent to share your existing checks with your chosen organisation, you are agreeing to Credas sharing personal and special category data from the identity documents and photographic evidence you uploaded to prove who you are.

This data might include your:

full name;

date of birth;

residential address;

email address;

telephone number;

selfie;

the information extracted from the identity documents you chose to upload;

the results of electronic identity verification checks to verify your address and mortality which may leave a soft footprint on your credit report (this will not impact your credit score); and

the results of Politically Exposed Person and Sanctions screening checks on your full name.

When will you share my data?

We will only ever share your identity verification and compliance check results with an organisation you are already using that you trust, when you tell us to.

Who will you share my data with?

These trusted organisations will typically include central professionals that are relevant to your transaction(s) such as your estate agent, mortgage lender or conveyancer.

How will you share my data?

The process begins when you ask an organisation you are using to search for the identity verification and compliance checks you have already completed with Credas. The organisation will in turn contact us and ask if you have any existing checks that they can reuse.

We will notify you by SMS/email of the request to share your identity check results and ask for your consent to share them with your chosen organisation in the same message.

For example, you would receive an SMS/email from us asking whether you consent to share the identity verification and compliance checks that you conducted for your estate agent with the conveyancer acting for you.

You will have the option to accept or decline this request.

If you accept the request, the organisation you are using may then meet their requirements by getting the results directly from the secure Credas portal saving you having to repeat the checks.

You may withdraw your consent instantly at any time.

The Wallet’s functionality also enables you to proactively “Push” your identity verification and compliance checks to an organisation you are using. This can be done by you sharing a unique share code that only you have access to.

A log recording every service provider you have consented to share your data with and the date that you shared it will be available to you upon request.

If you do not wish to provide consent, then you are able to repeat the identity verification process by way of invitation from us as you did previously.

Where and how do you store my data?

Data security is very important to us. To protect your data, we have taken suitable measures to safeguard and secure data collected through use of our app or via web browser.

Steps we take to secure and protect your data include (but are not limited to):

Website secured using SSL;

Azure storage service encryption (SSE);

Secure App;

Data masking;

All personal data encrypted in transit;

Facial recognition authentication to give or decline consent; and

The following standards: ISO 27001 certified, DIATF certified and ICO registered

As a user of the Credas Compliance Wallet, your data will only be stored by us in the United Kingdom and in accordance with our Privacy Notice.

How long will you store my data for?

We will retain your Compliance Wallet data for as long as is necessary for the requesting organisation to identify you as their customer. We will erase the data upon request from the organisation(s) that needed to verify your identity in accordance with the timeframes set out by the Information Commissioner’s Office.

Applicable legal basis for processing personal data

When performing an identity verification check with us, we process your personal data for performance of our contract with the organisations who have commissioned us to verify your identity, as necessary to provide the service, and to comply with our legal obligations.

When sharing your identity and compliance check results via the Credas Compliance Wallet, consent is the legal basis, and we seek it in accordance with applicable local law.

Your rights

As a data subject, you have the following rights under the Data Protection Act 2018 and UK GDPR, which this Policy and our use of personal data have been designed to uphold:

The right to be informed about our collection and use of personal data;

The right to rectification if any personal data we hold about you is inaccurate or incomplete;

The right to be forgotten – i.e. the right to ask us to delete any personal data we hold about you;

The right to restrict (i.e. prevent) the processing of your personal data;

The right to object to us using your personal data for particular purposes; and

Rights with respect to automated decision making and profiling.

If you have any queries or cause for complaint about our use of your personal data, please contact us using the details below and we will do our best to solve the problem for you. If we are unable to help, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office.

For further information about your rights, please contact the Information Commissioner’s Office or your local Citizens Advice Bureau.

How to withdraw consent

If you consent to Credas sharing the results of your identity check with a service provider and change your mind, you can withdraw your consent at any time.

This can be done by emailing our dedicated Support Team on support@credas.com and stating your full name, email address and telephone number.

You may also withdraw your consent by contacting us by telephone on 029 2010 2555 or by post in writing to Credas, The Maltings, East Tyndall Street, Cardiff, CF24 5EA.

If you withdraw your consent to share your identity check, we will prevent any further access of these results by the client who previously had access to them. It is reasonable that whilst your consent was valid the client may have downloaded your identity check results for their own files and record keeping purposes.

Cookie	Duration	Description
	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.
__cf_bm .hs-analytics.net	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__cf_bm .hubspot.com	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__cf_bm hs-scripts	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	1 hour	HubSpot sets this cookie to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (which increments with each pageview in a session), and session start timestamp.
__hssrc	session	HubSpot cookie sets this cookie to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
_cfuvid	session	Calendly sets this cookie to track users across sessions to optimize user experience by maintaining session consistency and providing personalized services
afl_wc_utm_*	90	Tracks the visitors UTM parameters and click identifiers to help determine the best action to perform
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.

Cookie	Duration	Description
__hstc	6 months	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-77550291-23	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
hubspotutk	6 months	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie to track the use of embedded services.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.