Privacy notice

Version

Version Date Comment
1.0 16/10/2023 Initial notice
2.0 02/04/2024 Updated

For previous versions of our privacy notices, please click here.

Introduction to Credas

Credas Technologies Ltd (CRN: 10429398) is registered in England and Wales with a registered office of The Maltings, East Tyndall Street, Cardiff, CF24 5EA.

In this privacy notice, when we mention “Credas“, “we“, “us” or “our”, we are referring to Credas Technologies Ltd.

The personal information we process about you

We will process different personal information belonging to you for different use cases: 

  • As a website user;
  • As a consumer;
  • As a partner user.

Website user

Personal information you may provide, or we may collect

Where you use our website, you may provide, or we may collect the following: 

Contact Content Identity Usage
Email Free text Company name Device
Tel. number   Job title IP address
    Personal name System

The above categories of data may change from time to time and this privacy notice may be updated to reflect such changes.

Purpose for processing personal information

Website user data may be processed for the following purposes:

Purpose Data Lawful basis
To respond to your enquiry Contact
Content
Identity
Usage
Legitimate interest
To resolve issues or fix problems with the website Contact
Content
Identity
Usage
Legitimate interest

Legitimate interest

Legitimate interest is most appropriate where we use your data in a way you would reasonably expect.

Where you are submitting an enquiry, it is reasonable to expect us to process your data to respond to you.

Where you are encountering an issue with our website, it is reasonable to expect us to process your data to resolve the issue.

Sharing your personal information

We share usage data with our data analytic provider and share contact, content and identity data with our cloud-based data processing and hosting provider.

International transfers

We do not transfer your personal information outside of the United Kingdom of Great Britain and Northern Ireland.

Your legal rights

Under data protection laws, you have rights relating to your personal data. Further information on your rights can be found on the Information Commissioner’s website.

If you wish to exercise any of your rights, you are able to contact our Data Protection Office in the following ways:

Email: privacy.officer@dyedurham.com
Post: Credas Technologies Ltd, The Maltings, East Tyndall Street, Cardiff, CF24 5EA

Consumer user

The purpose of our Android, iOS, and Web apps (“apps”) is to help partner clients (“partners”) provide services to their customers (“you”, “consumer”) and to enable you to provide your data quickly and securely. 

Personal information you may provide, or we may collect

Where you use our apps at the request of one of our partners, you may provide, or we may collect, the following: 

Contact Content Financial Identity Profile Usage
Email Document Bank account  Date of birth Feedback Device
Residence Free text Credit check Personal name Password IP address
Tel. number Photo Transactional Selfie Preferences System

The above categories of data may change from time to time and this privacy notice may be updated to reflect such changes.

Special category data

Our partners are able to request a variety of verification checks. These checks may require special category data from you.

Under data protection laws we require your explicit consent to process special category data, which will be provided by you in the registration process. If you do not provide your consent for us to process this data, we will not be able to carry out the verification checks.

Biometric

If you are using any of our apps to verify your identity at the request of one of our partners, this may include using biometric (facial) data which is categorised as special category data.

The biometric data will be used to determine the likeness between your selfie image and your photo identity document. This determination will be completed by our data supplier who will retain the biometric data for 30 days before it is automatically erased. This retention period allows for any queries to be raised but is not unduly long due to it being special category data. We will retain the selfie (but not the biometric mapping) for as long as required by our partner, the Data Controller, so that they might identify you, as their customer.

Other special category data

Our partner may request any of the following as part of their verification checks:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

Criminal offence data

Our partner may request criminal offence data as part of their verification checks. Our partner is only permitted to request criminal offence data if they have a lawful basis to do so. Any queries regarding a partner’s lawful basis should be raised with the partner.

Purpose for processing personal information

Consumer data may be processed for the following purposes:

Purpose Data Lawful basis
To register you as a new consumer user Contact
Identity
Profile
Contract
Consent
To carry out verification checks on behalf of a partner Contact
Content
Financial
Identity
Contract
To administer and protect our business and apps including troubleshooting, data analysis and system testing Contact
Identity
Usage
Legitimate interest

Legitimate interest

Legitimate interest is most appropriate where we use your data in a way you would reasonably expect.

Usage category data is required in order to troubleshoot any issues encountered (e.g. operating system version is not supported) and to inform product development (e.g. user preference of desktop over mobile).

Sharing your personal information

We may share your personal information with our providers for the following purposes:

Provider Purpose
Acuris Risk Intelligence Limited To perform politically exposed person status checks
To perform sanctioned person status checks
Cifas To perform identity fraud checks
FreshWorks Inc To store and handle query/complaint tickets
GB Group Plc To perform document authenticity checks
To perform biometric facial checks
To perform mortality checks
To perform bank account checks
To perform adverse credit checks
To perform electronic proof of address checks
To perform politically exposed person status checks
To perform sanctioned person status checks
HM Land Registry To perform property ownership checks
LexisNexis Risk Solutions UK Limited To perform document authenticity checks
To perform mortality checks
To perform bank account checks
To perform adverse credit checks
To perform electronic proof of address checks
To perform politically exposed person status checks
To perform sanctioned person status checks
Microsoft Limited To perform biometric facial checks
Onfido Ltd To perform document authenticity checks
To perform biometric facial checks
To perform identity fraud checks
TxtLocal Ltd To issue sms verification check invitations
Twilio Inc To issue email and/or sms verification check invitations
Yapily Ltd To perform open banking checks

We also share contact, content and identity data with our cloud-based data processing and hosting provider.

Disclosure of personal data

In addition to our providers, we may also disclose your person data to the following:

  • Professional advisers acting as processors including lawyers, bankers, auditors and insurers based in based in England and Wales to provide consultancy, banking, legal, insurance and accounting services;
  • HM Revenue and Customs, regulators and other authorities acting as processors or joint controllers based in England and Wales who require reporting of processing activities in certain circumstances; and
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

 For the avoidance of doubt, we do not sell personal data to third parties.

Fraud prevention agencies

The personal information we have collected from you may be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found here.

International transfers

With the exception of FreshWorks and Onfido, we do not transfer your personal information outside of the European Economic Area (EEA). The UK and the EEA have mutually adopted data protection adequacy decisions.

FreshWorks data is transferred outside the EEA. FreshWorks implements the appropriate safeguards required under GDPR.

Onfido data may be transferred outside the EEA. Onfido implements the appropriate safeguards required under GDPR.

Data security 

Credas stores all information you provide to us on secure servers situated in the United Kingdom of Great Britain and Northern Ireland.  

No images are stored locally on your device. All communication between our apps and the servers is carried out over secure connections, and data is encrypted during transit and at rest. 

We perform ongoing automated penetration to ensure that our apps are secure. 

We have put in place procedures to deal with any suspected personal data breach and will notify our partner when we are legally required to do so. 

Data retention 

Our partner is the data controller and decides the retention period for data we process on their behalf. We shall retain the data until such a time as we are told to erase or anonymise the data; whether that be by explicit instruction by our partner or contractual obligation.

Where our partner requires you to create an account with us, we are the data controller. In such instances your account data is retained until such a time as you ask for it to be erased or our partner’s default retention period has elapsed; whichever is sooner. Should you wish for your account to be erased, please email privacy.officer@dyedurham.com and include the name, email address, and mobile number used to create the account. Erasure of your account will be actioned within 30 days of receiving your request. Please note: The erasure of your account does not include the erasure of data collected on behalf of our client. Should you wish to exercise your right to erasure in full, please contact our partner for whom you submitted your personal information.

Your legal rights

Under data protection laws, you have rights relating to your personal data. Further information on your rights can be found on the Information Commissioner’s website.

If you wish to exercise any of your rights, you are required to contact our partner to do so.

Partner user

As a (prospective) partner, there may be times when your personal information is processed as part of our business relationship. For example, a business email address containing your name will still constitute personal data as it can be used to identify you.

Personal information you may provide, or we may collect

Where you use our website or apps, you may provide, or we may collect the following: 

Contact Content Identity Usage
Email Free text Company name Device
Tel. number   Job title IP address
    Personal name System

The above categories of data may change from time to time and this privacy notice may be updated to reflect such changes.

Purpose for processing personal information

Website user data may be processed for the following purposes:

Purpose Data Lawful basis
To issue you a business contract Contact
Identity
Legitimate interest
To register you as a new partner user Contact
Identity
Profile
Contract
To administer and protect our business and apps including troubleshooting, data analysis and system testing Contact
Content
Identity
Usage
Legitimate interest

Legitimate interest

Legitimate interest is most appropriate where we use your data in a way you would reasonably expect.

Where you have indicated willingness to sign a business contract, it is reasonable to expect us to issue one to you.

Where you are submitting an enquiry, it is reasonable to expect us to process your data to respond to you.

Usage category data is required in order to troubleshoot any issues encountered (e.g. operating system version is not supported) and to inform product development (e.g. user preference of desktop over mobile).

Sharing your personal information

We may share your personal information with our providers for the purposes:

Provider Purpose
FreshWorks Inc To store and handle query/complaint tickets
Hubspot Inc To store business contracts and communications
TxtLocal Ltd To issue sms partner registration invitations
Twilio Inc To issue email and/or sms partner registration invitations

We also share contact, content and identity data with our cloud-based data processing and hosting provider.

International transfers

TxtLocal and Twilio data is not transferred outside of the European Economic Area (EEA). The UK and the EEA have mutually adopted data protection adequacy decisions.

FreshWorks and Hubspot data is transferred outside the EEA. Both providers implement the appropriate safeguards required under GDPR.

Your legal rights

Under data protection laws, you have rights relating to your personal data. Further information on your rights can be found on the Information Commissioner’s website.

If you wish to exercise any of your rights, you are able to contact our Data Protection Office in the following ways:

Email: privacy.officer@dyedurham.com
Post: Credas Technologies Ltd, The Maltings, East Tyndall Street, Cardiff, CF24 5EA

 

Top