Privacy notice

Version

VersionDateComment
1.016/10/2023Initial notice
2.002/04/2024Updated

For previous versions of our privacy notices, please click here.

Introduction to Credas

Credas Technologies Ltd (CRN: 10429398) is registered in England and Wales with a registered office of The Maltings, East Tyndall Street, Cardiff, CF24 5EA.

In this privacy notice, when we mention “Credas“, “we“, “us” or “our”, we are referring to Credas Technologies Ltd.

The personal information we process about you

We will process different personal information belonging to you for different use cases: 

  • As a website user;
  • As a consumer;
  • As a partner user.

Website user

Personal information you may provide, or we may collect

Where you use our website, you may provide, or we may collect the following: 

ContactContentIdentityUsage
EmailFree textCompany nameDevice
Tel. number Job titleIP address
  Personal nameSystem

The above categories of data may change from time to time and this privacy notice may be updated to reflect such changes.

Purpose for processing personal information

Website user data may be processed for the following purposes:

PurposeDataLawful basis
To respond to your enquiryContact
Content
Identity
Usage
Legitimate interest
To resolve issues or fix problems with the websiteContact
Content
Identity
Usage
Legitimate interest

Legitimate interest

Legitimate interest is most appropriate where we use your data in a way you would reasonably expect.

Where you are submitting an enquiry, it is reasonable to expect us to process your data to respond to you.

Where you are encountering an issue with our website, it is reasonable to expect us to process your data to resolve the issue.

Sharing your personal information

We share usage data with our data analytic provider and share contact, content and identity data with our cloud-based data processing and hosting provider.

International transfers

We do not transfer your personal information outside of the United Kingdom of Great Britain and Northern Ireland.

Your legal rights

Under data protection laws, you have rights relating to your personal data. Further information on your rights can be found on the Information Commissioner’s website.

If you wish to exercise any of your rights, you are able to contact our Data Protection Office in the following ways:

Email: privacy.officer@dyedurham.com
Post: Credas Technologies Ltd, The Maltings, East Tyndall Street, Cardiff, CF24 5EA

Consumer user

The purpose of our Android, iOS, and Web apps (“apps”) is to help partner clients (“partners”) provide services to their customers (“you”, “consumer”) and to enable you to provide your data quickly and securely. 

Personal information you may provide, or we may collect

Where you use our apps at the request of one of our partners, you may provide, or we may collect, the following: 

ContactContentFinancialIdentityProfileUsage
EmailDocumentBank account Date of birthFeedbackDevice
ResidenceFree textCredit checkPersonal namePasswordIP address
Tel. numberPhotoTransactionalSelfiePreferencesSystem

The above categories of data may change from time to time and this privacy notice may be updated to reflect such changes.

Special category data

Our partners are able to request a variety of verification checks. These checks may require special category data from you.

Under data protection laws we require your explicit consent to process special category data, which will be provided by you in the registration process. If you do not provide your consent for us to process this data, we will not be able to carry out the verification checks.

Biometric

If you are using any of our apps to verify your identity at the request of one of our partners, this may include using biometric (facial) data which is categorised as special category data.

The biometric data will be used to determine the likeness between your selfie image and your photo identity document. This determination will be completed by our data supplier who will retain the biometric data for 30 days before it is automatically erased. This retention period allows for any queries to be raised but is not unduly long due to it being special category data. We will retain the selfie (but not the biometric mapping) for as long as required by our partner, the Data Controller, so that they might identify you, as their customer.

Other special category data

Our partner may request any of the following as part of their verification checks:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

Criminal offence data

Our partner may request criminal offence data as part of their verification checks. Our partner is only permitted to request criminal offence data if they have a lawful basis to do so. Any queries regarding a partner’s lawful basis should be raised with the partner.

Purpose for processing personal information

Consumer data may be processed for the following purposes:

PurposeDataLawful basis
To register you as a new consumer userContact
Identity
Profile
Contract
Consent
To carry out verification checks on behalf of a partnerContact
Content
Financial
Identity
Contract
To administer and protect our business and apps including troubleshooting, data analysis and system testingContact
Identity
Usage
Legitimate interest

Legitimate interest

Legitimate interest is most appropriate where we use your data in a way you would reasonably expect.

Usage category data is required in order to troubleshoot any issues encountered (e.g. operating system version is not supported) and to inform product development (e.g. user preference of desktop over mobile).

Sharing your personal information

We may share your personal information with our providers for the following purposes:

ProviderPurpose
Acuris Risk Intelligence LimitedTo perform politically exposed person status checks
To perform sanctioned person status checks
CifasTo perform identity fraud checks
FreshWorks IncTo store and handle query/complaint tickets
GB Group PlcTo perform document authenticity checks
To perform biometric facial checks
To perform mortality checks
To perform bank account checks
To perform adverse credit checks
To perform electronic proof of address checks
To perform politically exposed person status checks
To perform sanctioned person status checks
HM Land RegistryTo perform property ownership checks
LexisNexis Risk Solutions UK LimitedTo perform document authenticity checks
To perform mortality checks
To perform bank account checks
To perform adverse credit checks
To perform electronic proof of address checks
To perform politically exposed person status checks
To perform sanctioned person status checks
Microsoft LimitedTo perform biometric facial checks
Onfido LtdTo perform document authenticity checks
To perform biometric facial checks
To perform identity fraud checks
TxtLocal LtdTo issue sms verification check invitations
Twilio IncTo issue email and/or sms verification check invitations
Yapily LtdTo perform open banking checks

We also share contact, content and identity data with our cloud-based data processing and hosting provider.

Disclosure of personal data

In addition to our providers, we may also disclose your person data to the following:

  • Professional advisers acting as processors including lawyers, bankers, auditors and insurers based in based in England and Wales to provide consultancy, banking, legal, insurance and accounting services;
  • HM Revenue and Customs, regulators and other authorities acting as processors or joint controllers based in England and Wales who require reporting of processing activities in certain circumstances; and
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

 For the avoidance of doubt, we do not sell personal data to third parties.

Fraud prevention agencies

The personal information we have collected from you may be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found here.

International transfers

With the exception of FreshWorks and Onfido, we do not transfer your personal information outside of the European Economic Area (EEA). The UK and the EEA have mutually adopted data protection adequacy decisions.

FreshWorks data is transferred outside the EEA. FreshWorks implements the appropriate safeguards required under GDPR.

Onfido data may be transferred outside the EEA. Onfido implements the appropriate safeguards required under GDPR.

Data security 

Credas stores all information you provide to us on secure servers situated in the United Kingdom of Great Britain and Northern Ireland.  

No images are stored locally on your device. All communication between our apps and the servers is carried out over secure connections, and data is encrypted during transit and at rest. 

We perform ongoing automated penetration to ensure that our apps are secure. 

We have put in place procedures to deal with any suspected personal data breach and will notify our partner when we are legally required to do so. 

Data retention 

Our partner is the data controller and decides the retention period for data we process on their behalf. We shall retain the data until such a time as we are told to erase or anonymise the data; whether that be by explicit instruction by our partner or contractual obligation.

Where our partner requires you to create an account with us, we are the data controller. In such instances your account data is retained until such a time as you ask for it to be erased or our partner’s default retention period has elapsed; whichever is sooner. Should you wish for your account to be erased, please email privacy.officer@dyedurham.com and include the name, email address, and mobile number used to create the account. Erasure of your account will be actioned within 30 days of receiving your request. Please note: The erasure of your account does not include the erasure of data collected on behalf of our client. Should you wish to exercise your right to erasure in full, please contact our partner for whom you submitted your personal information.

Your legal rights

Under data protection laws, you have rights relating to your personal data. Further information on your rights can be found on the Information Commissioner’s website.

If you wish to exercise any of your rights, you are required to contact our partner to do so.

Partner user

As a (prospective) partner, there may be times when your personal information is processed as part of our business relationship. For example, a business email address containing your name will still constitute personal data as it can be used to identify you.

Personal information you may provide, or we may collect

Where you use our website or apps, you may provide, or we may collect the following: 

ContactContentIdentityUsage
EmailFree textCompany nameDevice
Tel. number Job titleIP address
  Personal nameSystem

The above categories of data may change from time to time and this privacy notice may be updated to reflect such changes.

Purpose for processing personal information

Website user data may be processed for the following purposes:

PurposeDataLawful basis
To issue you a business contractContact
Identity
Legitimate interest
To register you as a new partner userContact
Identity
Profile
Contract
To administer and protect our business and apps including troubleshooting, data analysis and system testingContact
Content
Identity
Usage
Legitimate interest

Legitimate interest

Legitimate interest is most appropriate where we use your data in a way you would reasonably expect.

Where you have indicated willingness to sign a business contract, it is reasonable to expect us to issue one to you.

Where you are submitting an enquiry, it is reasonable to expect us to process your data to respond to you.

Usage category data is required in order to troubleshoot any issues encountered (e.g. operating system version is not supported) and to inform product development (e.g. user preference of desktop over mobile).

Sharing your personal information

We may share your personal information with our providers for the purposes:

ProviderPurpose
FreshWorks IncTo store and handle query/complaint tickets
Hubspot IncTo store business contracts and communications
TxtLocal LtdTo issue sms partner registration invitations
Twilio IncTo issue email and/or sms partner registration invitations

We also share contact, content and identity data with our cloud-based data processing and hosting provider.

International transfers

TxtLocal and Twilio data is not transferred outside of the European Economic Area (EEA). The UK and the EEA have mutually adopted data protection adequacy decisions.

FreshWorks and Hubspot data is transferred outside the EEA. Both providers implement the appropriate safeguards required under GDPR.

Your legal rights

Under data protection laws, you have rights relating to your personal data. Further information on your rights can be found on the Information Commissioner’s website.

If you wish to exercise any of your rights, you are able to contact our Data Protection Office in the following ways:

Email: privacy.officer@dyedurham.com
Post: Credas Technologies Ltd, The Maltings, East Tyndall Street, Cardiff, CF24 5EA

Top