Privacy Notice

Privacy notice

Details of Notice

Introduction
Website user
Consumer user
Partner user

Version

Version	Date	Comment
1.0	16/10/2023	Initial notice
2.0	02/04/2024	Updated

For previous versions of our privacy notices, please click here.

Introduction to Credas

Credas Technologies Ltd (CRN: 10429398) is registered in England and Wales with a registered office of The Maltings, East Tyndall Street, Cardiff, CF24 5EA.

In this privacy notice, when we mention “Credas“, “we“, “us” or “our”, we are referring to Credas Technologies Ltd.

The personal information we process about you

We will process different personal information belonging to you for different use cases:

As a website user;
As a consumer;
As a partner user.

Website user

Personal information you may provide, or we may collect

Where you use our website, you may provide, or we may collect the following:

Contact	Content	Identity	Usage
Email	Free text	Company name	Device
Tel. number		Job title	IP address
		Personal name	System

The above categories of data may change from time to time and this privacy notice may be updated to reflect such changes.

Purpose for processing personal information

Website user data may be processed for the following purposes:

Purpose	Data	Lawful basis
To respond to your enquiry	Contact Content Identity Usage	Legitimate interest
To resolve issues or fix problems with the website	Contact Content Identity Usage	Legitimate interest

Legitimate interest

Legitimate interest is most appropriate where we use your data in a way you would reasonably expect.

Where you are submitting an enquiry, it is reasonable to expect us to process your data to respond to you.

Where you are encountering an issue with our website, it is reasonable to expect us to process your data to resolve the issue.

Sharing your personal information

We share usage data with our data analytic provider and share contact, content and identity data with our cloud-based data processing and hosting provider.

International transfers

We do not transfer your personal information outside of the United Kingdom of Great Britain and Northern Ireland.

Your legal rights

Under data protection laws, you have rights relating to your personal data. Further information on your rights can be found on the Information Commissioner’s website.

If you wish to exercise any of your rights, you are able to contact our Data Protection Office in the following ways:

Email: privacy.officer@dyedurham.com
Post: Credas Technologies Ltd, The Maltings, East Tyndall Street, Cardiff, CF24 5EA

Consumer user

The purpose of our Android, iOS, and Web apps (“apps”) is to help partner clients (“partners”) provide services to their customers (“you”, “consumer”) and to enable you to provide your data quickly and securely.

Personal information you may provide, or we may collect

Where you use our apps at the request of one of our partners, you may provide, or we may collect, the following:

Contact	Content	Financial	Identity	Profile	Usage
Email	Document	Bank account	Date of birth	Feedback	Device
Residence	Free text	Credit check	Personal name	Password	IP address
Tel. number	Photo	Transactional	Selfie	Preferences	System

The above categories of data may change from time to time and this privacy notice may be updated to reflect such changes.

Special category data

Our partners are able to request a variety of verification checks. These checks may require special category data from you.

Under data protection laws we require your explicit consent to process special category data, which will be provided by you in the registration process. If you do not provide your consent for us to process this data, we will not be able to carry out the verification checks.

Biometric

If you are using any of our apps to verify your identity at the request of one of our partners, this may include using biometric (facial) data which is categorised as special category data.

The biometric data will be used to determine the likeness between your selfie image and your photo identity document. This determination will be completed by our data supplier who will retain the biometric data for 30 days before it is automatically erased. This retention period allows for any queries to be raised but is not unduly long due to it being special category data. We will retain the selfie (but not the biometric mapping) for as long as required by our partner, the Data Controller, so that they might identify you, as their customer.

Other special category data

Our partner may request any of the following as part of their verification checks:

personal data revealing racial or ethnic origin;
personal data revealing political opinions;
personal data revealing religious or philosophical beliefs;
personal data revealing trade union membership;
genetic data;
biometric data (where used for identification purposes);
data concerning health;
data concerning a person’s sex life; and
data concerning a person’s sexual orientation.

Criminal offence data

Our partner may request criminal offence data as part of their verification checks. Our partner is only permitted to request criminal offence data if they have a lawful basis to do so. Any queries regarding a partner’s lawful basis should be raised with the partner.

Purpose for processing personal information

Consumer data may be processed for the following purposes:

Purpose	Data	Lawful basis
To register you as a new consumer user	Contact Identity Profile	Contract Consent
To carry out verification checks on behalf of a partner	Contact Content Financial Identity	Contract
To administer and protect our business and apps including troubleshooting, data analysis and system testing	Contact Identity Usage	Legitimate interest

Legitimate interest

Legitimate interest is most appropriate where we use your data in a way you would reasonably expect.

Usage category data is required in order to troubleshoot any issues encountered (e.g. operating system version is not supported) and to inform product development (e.g. user preference of desktop over mobile).

Sharing your personal information

We may share your personal information with our providers for the following purposes:

Provider	Purpose
Acuris Risk Intelligence Limited	To perform politically exposed person status checks To perform sanctioned person status checks
Cifas	To perform identity fraud checks
FreshWorks Inc	To store and handle query/complaint tickets
GB Group Plc	To perform document authenticity checks To perform biometric facial checks To perform mortality checks To perform bank account checks To perform adverse credit checks To perform electronic proof of address checks To perform politically exposed person status checks To perform sanctioned person status checks
HM Land Registry	To perform property ownership checks
LexisNexis Risk Solutions UK Limited	To perform document authenticity checks To perform mortality checks To perform bank account checks To perform adverse credit checks To perform electronic proof of address checks To perform politically exposed person status checks To perform sanctioned person status checks
Microsoft Limited	To perform biometric facial checks
Onfido Ltd	To perform document authenticity checks To perform biometric facial checks To perform identity fraud checks
TxtLocal Ltd	To issue sms verification check invitations
Twilio Inc	To issue email and/or sms verification check invitations
Yapily Ltd	To perform open banking checks

We also share contact, content and identity data with our cloud-based data processing and hosting provider.

Disclosure of personal data

In addition to our providers, we may also disclose your person data to the following:

Professional advisers acting as processors including lawyers, bankers, auditors and insurers based in based in England and Wales to provide consultancy, banking, legal, insurance and accounting services;
HM Revenue and Customs, regulators and other authorities acting as processors or joint controllers based in England and Wales who require reporting of processing activities in certain circumstances; and
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

For the avoidance of doubt, we do not sell personal data to third parties.

Fraud prevention agencies

The personal information we have collected from you may be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found here.

International transfers

With the exception of FreshWorks and Onfido, we do not transfer your personal information outside of the European Economic Area (EEA). The UK and the EEA have mutually adopted data protection adequacy decisions.

FreshWorks data is transferred outside the EEA. FreshWorks implements the appropriate safeguards required under GDPR.

Onfido data may be transferred outside the EEA. Onfido implements the appropriate safeguards required under GDPR.

Data security

Credas stores all information you provide to us on secure servers situated in the United Kingdom of Great Britain and Northern Ireland.

No images are stored locally on your device. All communication between our apps and the servers is carried out over secure connections, and data is encrypted during transit and at rest.

We perform ongoing automated penetration to ensure that our apps are secure.

We have put in place procedures to deal with any suspected personal data breach and will notify our partner when we are legally required to do so.

Data retention

Our partner is the data controller and decides the retention period for data we process on their behalf. We shall retain the data until such a time as we are told to erase or anonymise the data; whether that be by explicit instruction by our partner or contractual obligation.

Where our partner requires you to create an account with us, we are the data controller. In such instances your account data is retained until such a time as you ask for it to be erased or our partner’s default retention period has elapsed; whichever is sooner. Should you wish for your account to be erased, please email privacy.officer@dyedurham.com and include the name, email address, and mobile number used to create the account. Erasure of your account will be actioned within 30 days of receiving your request. Please note: The erasure of your account does not include the erasure of data collected on behalf of our client. Should you wish to exercise your right to erasure in full, please contact our partner for whom you submitted your personal information.

Your legal rights

Under data protection laws, you have rights relating to your personal data. Further information on your rights can be found on the Information Commissioner’s website.

If you wish to exercise any of your rights, you are required to contact our partner to do so.

Partner user

As a (prospective) partner, there may be times when your personal information is processed as part of our business relationship. For example, a business email address containing your name will still constitute personal data as it can be used to identify you.

Personal information you may provide, or we may collect

Where you use our website or apps, you may provide, or we may collect the following:

Contact	Content	Identity	Usage
Email	Free text	Company name	Device
Tel. number		Job title	IP address
		Personal name	System

The above categories of data may change from time to time and this privacy notice may be updated to reflect such changes.

Purpose for processing personal information

Website user data may be processed for the following purposes:

Purpose	Data	Lawful basis
To issue you a business contract	Contact Identity	Legitimate interest
To register you as a new partner user	Contact Identity Profile	Contract
To administer and protect our business and apps including troubleshooting, data analysis and system testing	Contact Content Identity Usage	Legitimate interest

Legitimate interest

Legitimate interest is most appropriate where we use your data in a way you would reasonably expect.

Where you have indicated willingness to sign a business contract, it is reasonable to expect us to issue one to you.

Where you are submitting an enquiry, it is reasonable to expect us to process your data to respond to you.

Sharing your personal information

We may share your personal information with our providers for the purposes:

Provider	Purpose
FreshWorks Inc	To store and handle query/complaint tickets
Hubspot Inc	To store business contracts and communications
TxtLocal Ltd	To issue sms partner registration invitations
Twilio Inc	To issue email and/or sms partner registration invitations

We also share contact, content and identity data with our cloud-based data processing and hosting provider.

International transfers

TxtLocal and Twilio data is not transferred outside of the European Economic Area (EEA). The UK and the EEA have mutually adopted data protection adequacy decisions.

FreshWorks and Hubspot data is transferred outside the EEA. Both providers implement the appropriate safeguards required under GDPR.

Your legal rights

Under data protection laws, you have rights relating to your personal data. Further information on your rights can be found on the Information Commissioner’s website.

If you wish to exercise any of your rights, you are able to contact our Data Protection Office in the following ways:

Email: privacy.officer@dyedurham.com
Post: Credas Technologies Ltd, The Maltings, East Tyndall Street, Cardiff, CF24 5EA

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-77550291-23	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.