This policy applies to information held about customers and possible future customers, suppliers and possible future suppliers, contacts and all other people we hold information about. By ‘information’ we mean personal and financial information about you that we collect, use, share and store. This may include your name, date of birth, address, contact information, financial information, credit rating, car information, and device identifiers including internet protocol (IP) address and mobile device ID. It includes information about any other Carmoola products and services (or products and services provided by our partners) you currently have, you’ve applied for or you’ve had in the past.
We collect, use, share and store information about you to provide you with the services you have asked us for and to share information with you about services that may be of interest to you.
You may provide this information direct to us, for example by the way you communicate or do business with us, such as:
This information may also come from other organisations or people, such as other Carmoola companies, other organisations you have a relationship with, joint account holders, credit reference agencies (who may search the Electoral Register), employers, fraud prevention agencies or other organisations.
If you do not provide the information that we tell you you must provide, this may mean that we are unable to properly provide you with our services or carry out all our obligations under our agreement with you.
We use this information:
Under data protection laws, whenever we process your personal information, we must meet at least one set condition for processing. These conditions are set out in data protection law and we rely on a number of different conditions for the activities we carry out.
Specifically, we and other Carmoola companies may use your information for the following purposes and under the following legal bases.
How we use your information and legal basis
1) To provide and manage your accounts and our relationship with you.
2) To give you statements and other information about your account or our relationship with you.
3) To handle enquiries and complaints.
4) To provide our services to you.
5) To improve the user experience of the Carmoola App and website, such as recording contact details to auto-populate fields.
6) For assessment, testing (including systems tests) and analysis (including credit or behaviour scoring (or both)), statistical, market and product analysis and market research.
7) To prepare statistical reports to be shared internally or externally with others, including non-Carmoola companies. We produce these reports using information about you and our other customers. The information used and shared in this way is never personal and you will never be identifiable from them.
8) To evaluate, develop and improve our services to you and other customers.
9) To protect our business interests and to develop our business strategies.
10) To contact you, by post, phone, text, email and other digital methods.
This may be: to help you manage your accounts; to meet our regulatory obligations; to provide you with details of other products, including those provided by other companies if you’re not eligible for a credit card; or to keep you informed about products and services you hold with us and to send you information about products, services, rewards, offers, promotions and competitions (including those of other companies) which may be of interest to you.
11) To make sure any marketing messages we send you are more relevant to you.
12) To collect any debts you owe to us.
13) To prevent, detect, investigate and prosecute fraud and alleged fraud, money laundering and other crimes, and to check your identity. We may record your image on CCTV when you visit our premises.
14) To assess any application you make, including checking for fraud and money laundering, confirming your identity, and carrying out any other regulatory checks. We may compare your details with the details of countries, organisations and people who sanctions apply to, to decide whether we are prevented from doing business with you or processing a transaction under sanctions law.
15) To monitor, record and analyse any communications between you and us, including phone calls.
16) To check that your mobile phone is in the same place as your payments are being made from.
17) To transfer your information to or share it with any organisation your account has been or may be transferred to following a restructure, sale or takeover of any Carmoola company or debt.
18) To share your information with the UK or other relevant tax authorities, credit reference agencies, fraud prevention agencies, and UK and overseas regulators and authorities.
19) To share your information with our partners and service providers.
20) To share your information in an encrypted format with social-media companies. They can then match this to personal information they already hold about you so they can display messages to you about our products and services, or create lookalike audiences for our products.
Data protection law allows us to use personal information for our genuine and legitimate reasons as long as we respect your rights and freedoms. This lawful basis for using your information is called ‘legitimate interests’. When we rely on our legitimate interests as the legal basis for processing your personal information for the purposes set out above, we will carefully consider and balance any possible effect this may have on you and your rights.
We will occasionally need to use sensitive information and criminal convictions information about you in the following ways.
We will use information you provide to us about your health if this is relevant for us to help you when using our services, for example, if you are struggling to repay a debt due to health reasons, or if it is relevant to a complaint you are making about us, or it is relevant to how you want us to contact you. When we process your data in this way, we will usually be relying on your consent.
When you make an application to us, we will conduct certain financial crime checks, and as a result of doing so, we may receive information that relates to your criminal convictions and may be required to disclose that information to fraud prevention bodies.
If you apply to us for a product or service, we have an automated decision-making process which will carry out fraud, credit and affordability assessment checks to decide whether we will accept your application. This process is necessary for us to decide whether to enter into a contract with you, and the terms of that contract.
Within our automated process, we will use automated decision-making to:
The automated processes may decline or refer your application. If your application is referred, this means we will manually review your application before making a final decision.
Affordability: the processes will consider your income, spending and credit history to decide how easily you will be able to manage repaying credit. We may compare you with other people in a set (for example, people who are in a certain age bracket may be more likely to be able to manage credit). If the process decides that you cannot afford the financial facility requested, your application may be declined.
Regulatory assessment: certain details in your financial information may suggest that you are likely to become financially vulnerable and we may need to help you. This financial information may include credit checks or details of income which can be obtained from open banking data.
Financial crime checks: the processes will compare your details with the details of countries, organisations and people who sanctions apply, to decide whether we are prevented from doing business with you under sanctions law. This means that we may automatically decide that you present a fraud or money-laundering risk, or risk of breaking financial sanctions, if the processing reveals your behaviour to be consistent with money laundering or known fraudulent behaviour, is inconsistent with information you have previously provided, or you appear to have deliberately hidden your true identity.
If we, or a fraud prevention agency, decide that you present a fraud or money-laundering risk:
You have rights relating to automated decision-making, including the right to request a review of any automated decision made about you. If you want to know more or to request a review, please contact us using the details set out in the ‘Contact us’ section.
If you have any questions about this, please contact us using the details set out in the ‘Contact us’ section.
We’ll keep your information confidential but we may share it in certain circumstances, for the purposes set out in this policy, with:
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may be required to share your information as follows:
When processing your application, we will carry out credit and identity checks on you with one or more credit reference agencies. To do this, we will give the credit reference agencies your personal information and they will give us information about you. We will also continue to exchange information about you with credit reference agencies while you have a relationship with us, for example, if we have asked you to pay an amount you owe us and we do not receive a satisfactory reply from you within our stated time limit, or if you give us false or inaccurate information.
Credit reference agencies may share your personal information with other organisations. The credit reference agencies, and the ways in which they use and share personal information, are explained in more detail on the webpages linked below:
Examples of circumstances when we may share your information or information relating to your partner or other members of your household include when we are:
Records we share with credit reference agencies will stay on your file for six years after your file is closed, whether you’ve settled the debt or failed to pay it off.
Should the account be closed or settled, the information will be retained for a further six (6) years from the date the credit account is closed or settled.
If you’d like to know about the information credit reference agencies hold about you, you should contact them directly (please note, they may charge you a fee for this service). Not every agency will hold the same information, so you should consider contacting them all. Their contact details are as follows:
TransUnion, Consumer Services Team, PO Box 491, Leeds, LS3 1WZ.
Phone: 0870 060 1414 (personal credit information only)
Equifax PLC, Credit File Advice Centre, PO Box 1140, Bradford, BD1 5US
Phone: 0844 335 0550
Experian, Consumer Help Service, PO Box 8000, Nottingham, NG90 7WF
Phone: 0344 481 8000
You may be charged to call the credit reference agencies. Please check with your phone provider.
We will share your information with fraud prevention agencies who will use it to prevent fraud and money laundering and to confirm your identity. We and fraud prevention agencies may also allow law enforcement agencies to access and use your personal information to detect, investigate and prevent crime. If fraud is detected, you could be refused certain services or finance.
Fraud prevention agencies can hold your personal information for different periods of time, and if you are considered to present a fraud or money-laundering risk, they can hold your information for up to six years.
We analyse your personal information to allow us to send you personalised offers, discounts or recommendations based on various things, such as your credit history, the way you use your account and the products you hold with us.
You will receive marketing communications from us if you have requested information from us or taken out a loan with us and you have not opted out of receiving that marketing.
We may also share your email address with Facebook and other social media providers to create lookalike audiences for our products. During this process, Facebook will link your email address with your Facebook profile, and then create an audience of potential customers for us, based on similarities to your (and other customers’) profiles. We will enter into a legal contract with Facebook and any other social media provider to require them to only use your data for the purpose of creating an audience for us.
You have the right to object to us carrying out profiling activities – see further details below in the section “Your Rights” .
We do not share your information with third parties for the purpose of them marketing their products and services to you.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you, by updating your preferences in the Carmoola App or by contacting us at any time.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of any loan or transaction we have entered into with you.
You can also ask us to stop conducting periodic analysis and profiling of your credit information and the utilisation and record of soft credit searches on your credit file. Please note that this will mean that we will not be able to identify and inform you of eligibility for products suited to your credit circumstances in the future.
If you give us information about other people (such as people who depend on you financially or additional cardholders), which we will use to provide services as set out in this policy, you are confirming that you have provided those people with a copy of this policy.
Your information may be linked to people who are associated with you, such as your partner or other members of your household. These linked records are called associated records. If we contact a credit reference agency with an enquiry about you, they may answer it by referring to the records of anyone associated with you. Another person’s records will be associated with yours if:
If you are associated with another person, we will take this association into account in all future applications either or both of you make. The association will continue until one of you applies to the credit reference agencies and is successful in filing a ‘disassociation’, which allows your information to be unlinked.
We may transfer your information outside the United Kingdom.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
You can ask for details of the appropriate protection we have in place by contacting us as set out in the ‘Contact’ section.
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
If you close your account, if we refuse your application for an account or product, or you decide not to go ahead with your application for an account or product, we’ll still keep your information. We may also continue to collect information from credit reference agencies to use after your account is closed. We’ll do this for as long as we’re allowed to for legitimate business purposes, to help prevent fraud and other financial crime, and for other legal and regulatory reasons.
You have rights relating to the way that we use your information. You have the right to:
To use any of the rights set out above, or to discuss any other issue relating to your information, please contact us using the methods set out in the ‘Contact’ section.
If you have any concerns about the way we use your information, you have the right to complain to the Information Commissioner’s Office, which regulates the use of personal information in the UK. You can contact them by:
Please get in touch with us if you have any questions about privacy issues. If you would like more information on your rights, or you want to exercise them, please send a request through our website.
You can contact our data protection officer at: The Data Protection Officer, Carmoola, First Floor, 1 Whittlebury Mews West, Primrose Hill, London, NW1 8HS or email: email@example.com