This Privacy Notice explains what information we collect about you, how we use it and the purposes for which we use it. It applies to all your interactions with us, including when you use our app or our website and when you apply for any of our products or services.

We are committed to collecting and using your personal information fairly and in accordance with our obligations under the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018.

1. Who we are:

We are Koto Card Limited, trading as The Credit Thing (“The Credit Thing”, “we”, “our”, “us”), a Company registered in England and Wales under No. 11224081 whose registered office is at Nightingale House, 46-48 East Street, Epsom, Surrey, KT17 1HQ. We are committed to protecting and respecting your privacy.

As a Data Controller and Processor, we are registered with the Information Commissioner’s Office under number ZA455892.

If you have a question or concern about this Privacy Notice or your data protection rights, please contact us through the app, by emailing us at support@thecreditthing.com or by writing to us at Koto Card Limited, Nightingale House, 46-48 East Street, Epsom, Surrey KT17 1HQ.

2. What personal information do we collect from you?

We collect information from you directly when you apply for and you use our services, or from relevant third parties.

(i) Information provided by you:

When you apply for our services and throughout the course of our relationship with you we will collect information from you. This information includes:

• your full name and date of birth;
• your residential address and any recent previous addresses;
• your email address and telephone number(s);
• a photograph of you (‘selfie’);
• your marital status and details of any dependants;
• information about people who are financially linked to you;
• your employment and income details; and
• documentation provided by you evidencing your identity and address.

We will also collect information from you and about you when you interact with us:

• Electronically/Online - Where you use our website, information from any accounts you share with us, when and how you use our mobile application (‘app’), your login data, information we use to identify you and other information obtained from your mobile device.
• In writing - Where you send us letters, forms, survey responses, emails, chat messages and texts or your social media posts about us.
• On the telephone - We may monitor or record calls with you to check we have carried out your instructions correctly, to resolve queries or disputes, to improve the quality of our service, or for regulatory or fraud prevention purposes.

Where you provide us with your personal information you should ensure that it is accurate and you should tell us without delay if it changes. You are required to do this under your contract with us.

(ii) Information we collect when you use our services:

We will collect and use transaction and payment data, for example when we deal with or manage your account, when you request credit from us and to monitor payments made to and from your account.

We will collect usage and profile data, for example from your use of our website and app. We gather this data from the devices you use using cookies and other software. This includes location and configuration information about your mobile device, which is used for fraud detection and to help us fix bugs, such as app crashes.

Data from your mobile device is also used to help us make our decision on your application. We use information, including that listed below, to validate your application and (together with information and data on any new device of yours) to protect you from fraud in future:

• details of your device, such as the model of your phone;
• the geolocation of your device; and
• the IP (‘internet protocol’) address of your device.

We also collect information you have stored on your device, such as your contact list, the other apps you have downloaded and the way you use your device. This is used to help us make our decisions and in particular to help us make our lending decisions in future. Where we obtain information through this process that is not about you directly, such as your contact list, before using it we will anonymise that data by removing information which would allow us to identify the person or persons to whom it does relate and will only process and store that data in an anonymised form. This means we will not store any names from your contact list and we will mask the associated phone numbers so they cannot be seen. We will retain and may use this anonymised information to help us with our decisions on future applications to us by you and by other persons.

(iii) Information provided by third parties:

When you make your application, we will also use data from persons or entities that may introduce you to us, for example credit brokers and introducers.

To reach a decision on your application and where necessary on an ongoing basis, we will also use information from the following third parties:

• Credit reference agencies (primarily Experian);
• Comply Advantage;
• Fraud prevention agencies.

We will also use publicly available information, for example from the Open Register (also known as the Edited Register) and other information available online or in the media, including social media.

We may collect your personal data from organisations to which you have given permission to share it for specific purposes, such as direct marketing or who have another legal basis on which to share it with us.

Where relevant, we will also collect and use information from your representatives or a third party to whom you have given authorisation to deal with your account. We may also use information about people who are financially linked with you.

We will use information shared with us by PrePay Technologies Limited who provide and operate your E-Money account. We will also use information shared with us by third party providers of information services and payment services to you in the initiation of your payment orders, such as TrueLayer Limited.

3. How we will use your personal information:

By law, we may use your personal information provided we have a lawful basis for doing so or we are under a legal duty to do so. This includes sharing it with third parties in certain circumstances as described below. We consider we have the following reasons (lawful bases) to use your personal information:

Entering into and performance of our contract with you

We need to use your personal information to be able to enter into a contract with you and to provide you with products and services under that contract. This will include:

• making and receiving payments;
• providing you with information such as account statements and notices relating to your account;
• making decisions on how much credit we will let you have;
• administering your account with us;
• carrying out your instructions e.g., to fulfil a payment request you make;
• exercising our rights under our contract with you; and
• dealing with any complaints or queries you or a representative you appoint may have.

Meeting our legal obligations

We need to use your personal information so as to comply with legal requirements upon us. These include:

• checking your identity and conducting a creditworthiness assessment when you apply for credit;
• detecting, investigating and reporting financial crime and taking measures to prevent it;
• identifying and dealing with vulnerable customers appropriately;
• responding to our Regulators’ enquiries and requests for information; and
• keeping business records.‎

Our legitimate interests

We have a legitimate interest in using your personal information:

• to understand our customers’ use of our products and services, improve them and develop and test new products and services;
• to invite you to participate in market research and customer surveys;
• to offer new products and services to you (where you have agreed to this);
• to help prevent and detect financial crime and fraud and to prevent overindebtedness including the sharing of personal data with third parties;
• to lend responsibly (including making creditworthiness checks);
• to support our tracing, collection and litigation processes;
• to recover money you owe us;
• for business analysis, data verification and data enrichment purposes;
• to share your personal information with any person to whom we may transfer or consider transferring our rights under our agreement with you;
• to sell debts owed to us and/or purchase debts from third parties;
• to establish, exercise and defend our legal rights; and
• to assist in complying with legal and regulatory requirements placed upon us.

Where we need your consent

Where we have your consent or in the case of special category data where we have your explicit consent we may also use your personal information for additional purposes.

We will ask you for your consent to offer you new products and services from time to time. We may do this for a reasonable period after you cease your relationship with us. If your application was unsuccessful we will keep your personal information for this purpose for up to 12 months.

We will ask you for your explicit consent to process ‘special category data’ relating to you. We will process biometric data relating to you in the form of your ‘selfie’ which we will use to verify your identity when logging on to the app. Where appropriate, we will also process ‘special category data’ relating to your health or medical condition so we can establish whether you would benefit from and then to provide you with support or make adjustments in how we provide you with information and deliver our products and services to you.

Where use of your personal information is based on consent, you can withdraw it at any time and we will stop using your data for that purpose.

How we make decisions about you

We may use automated systems to help us make decisions on your eligibility to apply, on your application, on how much credit we will grant you, to carry out fraud and money laundering checks and assess risks associated with the use of your account. Details of your rights in respect of these decisions can be found in the ‘Automated decision making and profiling’ section below.

Recording our interactions with you

We may monitor and record calls, letters, emails and chats with you to check we have carried out your instructions correctly, to resolve your queries or disputes with us, to deal with any complaints you may have, to assess and improve the quality of our service, for training our staff, or for regulatory or fraud prevention purposes.

Marketing

We may use your personal information to provide your with information about our products and services. We may send you marketing messages online or by email, text or other messages or through social media. We do this either with your consent or where we have a business or commercial interest to use your information for this purpose. At any time you can change your preferences on how you receive marketing messages or choose to stop receiving them. Please tell us through the app or by emailing us at support@thecreditthing.com. You will still continue to receive statements and other information relating to your account, such as changes in your contract with us.

4. Who we share your personal information with:

We may share your personal information with anyone who works for us when they need it to do their job, certain authorities that detect and prevent terrorism and terrorism financing (including authorities outside the UK if one of your payments is processed through a worldwide payment system) and anyone you give us permission to share it with.

We will also share your personal information with organisations (including our sub-contractors, agents or service providers), that facilitate any of our services when they need it to provide their services. These include:

• card producers and networks, such as PrePay Technologies Limited (the Authorised E-Money Institution through which the account is provided);
• credit reference agencies - further information on how credit reference agencies use your data can be found in the Credit Reference Agency Information Notice;
• fraud prevention agencies;
• analytical, ‘know your customer’ and cyber security service providers;
• customer ‘interface’ providers (such as the ones who manage our in-app chat service);
• website hosting service providers;
• payment processors;
• companies that provide specific payment services for your account, such as TrueLayer Limited in the initiation of your payment orders;
• companies that undertake advertising and marketing for us, whether online, by email, text or other messages or through social media - we won’t share identifiable personal information with third parties for their own direct marketing unless you give us permission; and
• debt collection agencies.

We will also share your personal information where it is necessary to comply with the law, to enforce our contract with you or other agreements or to protect our rights, property and safety and those of our customers or others.

If, in the future, we sell, transfer or merge all or part of our business or assets (including debts you and others may owe us) and including the acquisition of other businesses, we may share your information with other parties. We will only do this if they agree to keep it safe and private and to only use it in the same ways an subject to the same limitations as set out in this Privacy Notice.

5. Credit Reference and Fraud and Money Laundering Checks:

When you make an application to us we will perform appropriate credit and identity checks with a fraud prevention and one or more credit reference agencies. We will share your personal information, such as that in your application, with the agency and they will supply us with information about you which may include public information (the Open Register), shared credit information and fraud prevention information.

Fraud Prevention Agencies

Before we provide you with our products and services, we undertake checks for the purposes of preventing fraud and money laundering and to verify your identity. These checks require us to process your personal information. The personal information you have provided, we have collected from you or we have received from third parties about you will be used to prevent fraud and money laundering and to verify your identity.

Details of the personal information that will be processed include your full name, address, date of birth, selfie, contact details, financial information, and device identifiers including IP address.

We and fraud prevention agencies may also give law enforcement agencies access to your personal information to detect, investigate and prevent crime.

We process your personal information on the basis that we have a legitimate interest in preventing fraud and money laundering and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or credit you request from time to time.

As a result of our checking with a fraud prevention agency we may decline to provide you with the services and credit you have requested and may suspend or close any account you have with us.

Fraud prevention agencies will record the checks we make and can hold your personal information for different periods. If you are considered to pose a fraud or money laundering risk, your information can be held by them for up to six years.

As part of the processing of your personal information, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, is inconsistent with previous communications from you or you appear to have deliberately hidden your true identity. For more information see ‘Automated decision making and profiling’ below.

Credit Reference Agencies (‘CRAs’)

In order to process your application, we may supply your personal information to CRAs in which case they will give us information about you, such as about your financial situation and history. We do this to assess your creditworthiness and the suitability to your financial circumstances of the product you have requested, check your identity, verify any information you have given us, manage your account, trace and recover debts and prevent criminal activity such as fraud and money laundering.

When CRAs receive a search from us they may place what is known as a search footprint on your credit file that may be seen by other lenders and used to assess applications for finance from you and members of your household to whom you are financially linked. The CRA may also share your personal information with other organisations.

We may also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. The principal CRA we use is Experian and information on how it uses your personal data is available at experian.co.uk/crain

6. For how long will we keep your personal information:

We will keep your personal information for as long as you are a customer of The Credit Thing and for up to seven years afterwards to enable us to deal with any matters including disputes and legal claims that may arise subsequently. Data about live and settled accounts is also kept on credit files for six years from the date they are settled or closed. If the account is recorded as defaulted, the data is kept for six years from the date of the default. We may retain your information for longer periods for statistical purposes. If we do this, your information will be anonymised or pseudonymised to protect your privacy.

If your application is unsuccessful we will keep your personal information for up to 12 months.

In some circumstances, like cases of anti-money laundering or fraud or in the case of a dispute, we may keep data longer if we need to and/or the law says we have to.

We may also retain your data for research and statistical purposes in which case we will ensure it is anonymised where necessary and used only for these purposes.

7. The consequences of our use of your personal information:

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and credit you have requested or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services, financing or employment to you.

If you fail to provide us with data we require, this may delay or prevent us from entering into a contract with you and/or complying with our obligations. Depending on the importance of the data, it may mean that we are entitled to terminate an agreement with you.

If you have any questions about your personal information and how it is handled, please contact us through the app or by emailing support@thecreditthing.

8. When your personal information is transferred overseas:

We will transfer and store your personal data outside the United Kingdom in specific circumstances, including making this information available for use by customer services teams based in Ukraine. We may do this in order to perform our obligations under our contract with you, to fulfil legal obligations to which we are subject, to protect our legitimate interests and where the public interest may require it.

Wherever we, or any other party with whom we have shared your personal information as mentioned above, transfer your personal information outside the U.K., we, or they, will make sure that either the data protection laws of the country to which your personal information is to be transferred provide an equivalent level of protection to the standards required in the U.K or, if they do not, the organisations to which your personal information is to be transferred themselves apply a level of protection for your information equivalent to the standards required in the U.K.. This may include imposing conditions in the contracts we have with these parties.

We, or they, may also require the recipient of your personal information to subscribe to ‘international frameworks’ intended to enable the secure sharing of information.

In any other cases, if we transfer your personal information outside the U.K., for example because we have to do so to help prevent or detect a crime, we will only share it lawfully.

9. Automated decision making and profiling

We may use automated systems to help us make decisions concerning entering into or performing our contract with you, for example when you apply to us for credit or an increase in your credit limit and when we carry out fraud and money laundering checks. We may use technology to help us identify the level of risk to us presented by your characteristics (such as your future ability to meet your credit commitments, your interests and your preferences), your activity or activity on your account with us, such as for credit, fraud or financial crime reasons or to identify if your account is being used by a third party without your knowledge or permission.

You have a right to information about how we make these decisions and you can request reconsideration of the decision and ask for human intervention in reviewing it.

10. Your Privacy Rights:

The law which protects your personal information gives you the right to:

• Access the personal information we hold about you, or to get a copy of it.

This can be a request for specific information you wish to access, or a general request to get a copy of all the personal information we hold about you that we are legally permitted to share.

• Request that we amend, update or correct inaccurate information.

This also includes your right to request that we correct inaccurate information that we have shared with third parties.

• Request that your personal information is erased.

The right to erasure is often referred to as the ‘right to be forgotten’. This request will be fulfilled unless and to the extent that we have a legal or contractual obligation to continue to hold or process your information.

• Request that we restrict the personal information we use about you.

You can ask us to restrict the personal information we use about you where it is inaccurate, where you have asked for its erasure, or where you have objected to our using it. We may still use your restricted information where we need to bring or defend legal claims, to protect the rights and freedoms of others or for important public interest reasons.

• Object to our controlling and processing your personal information.

This request will be fulfilled unless and to the extent that we have a legal or contractual obligation to continue to process your information.

• Object to automated decision making.

You have a right to request human intervention where an automated decision has been made relating to your application or your account that has significant effects which may be detrimental to you.

• Request that we transfer your personal information.

If you request it, we will transfer your information you have provided with your consent or relating to the products you have with us (which we process by automated means) to another lender in a structured, commonly used electronic format.

• Object to our sharing of your personal information with others or with certain organisations.

In some cases, however, this sharing is required by legal or contractual obligations.

• Request that we confirm what personal information we currently control and/or process in relation to you.

We will confirm all the data we control in relation to you that we are legally permitted to disclose.

• Withdraw any consent you have previously given us.

For example, if you’d like to withdraw your consent for use of your personal information for marketing purposes.

To exercise any of these rights, or for further information, please contact us through the app or by emailing support@thecreditthing.com.

You also have the right to complain if you are unhappy about how your personal information has been used.

• To make a complaint, please contact us via the app, or using the website
• To complain to the Information Commissioner’s Office, which regulates the processing of personal data, you can contact them direct at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, on 03031231113, or by email to icocasework@ico.org.uk. See also ico.org.uk/global/contact-us

11. Changes to this Privacy Notice:

We will post any changes we make to our Privacy Notice here on our website. If we make any significant changes we will let you know by email. This Privacy Notice was last updated in December 2020.

12. Cookie Information

Our Cookie Policy has more information on what cookies are and how we use them. You can access this here.