Canny Finance Ltd (Canny Finance) hereby certifies and adopts the policies and procedures contained in this document.
Canny Finance manages the day-to-day operation and distribution of the program as agreed to by the Issuer.
THE PURPOSE OF THIS NOTICE
This Notice is designed to help you understand what kind of personal data we collect in connection with our products and services and how we will process and use this information. This Notice describes how we collect, use, share, retain and safeguard personal data. This Notice also helps you to understand your legal rights to your personal data and explains our lawful basis for processing personal data and who to contact should you have a query on the collection and use of your personal data.
WHAT IS PERSONAL DATA?
Personal data is information relating to an identified or identifiable natural person. Examples include an individual’s name, age, date of birth, gender, contact details, national identity number and passport details.
Personal data may contain information which is known as special categories of personal data. This may be information relating to an individual’s health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, or data relating to sexual orientation. Personal data may also contain data relating to criminal convictions and offences.
PERSONAL DATA WE COLLECT
To allow us to provide you with our services we will collect and process personal data about you. We will collect this information when you register for our services, when you request information on our products and services, during customer events, promotions and campaigns, or when contacting us for technical assistance or for help navigating our website.
We will collect personal data when you first visit our website, where with your permission we will place a small text file which is commonly known as a cookie on your computer. Cookies are used to help identify visitors, to simplify accessibility when accessing the website and to monitor visitor behaviour when viewing website content, navigating our website and when using website features.
We will also collect your unique online electronic identifier when visiting our website; this is commonly known as an IP address. Collecting IP addresses allows us to calculate the number of website visitors and to help identify the origin of any malicious actions that are performed against our website.
The personal data we will collect includes the following categories of personal data:
- Personal data such as an individual’s name, address, date of birth, gender, contact and passport details, IP address, and details relating to national insurance or national identity number; and
- Data relating to criminal convictions and offences such as details on fraud and money laundering.
WHY DO WE NEED YOUR PERSONAL DATA?
Your personal data is required to enable us to provide you with our products and services, to verify your identity and to perform anti-money laundering screening, to help administer your products and our business, to respond to any requests from you about services we provide and to process complaints. We will also use your personal data to develop new products and services and to market existing ones. When registering for our services or where you express an interest in our services, you will be presented with various marketing options. If you opt in to receive marketing-related information and later change your mind, you can opt out by emailing us.
DATA WE SHARE
We will share your personal data with authorized third parties. This is necessary where we are required to do so by law. We also share your personal data to help administer our business and to help manage and support your products and services.
If you object to the collection, sharing and use of your personal data we may be unable to provide you with our products and services.
OUR LAWFUL BASIS FOR PROCESSING YOUR DATA
When registering for our products and services you should understand that you are forming a contract with us. When you request details on the services we provide, if you allow us to market to you, we would consider ourselves as having a legitimate business interest to provide you with information on similar products we provide. ‘Performance of a contract’ and ‘legitimate interest’ form our lawful basis for processing your personal data and for marketing to you. We will also ask for your consent to carry out AML/KYC checks, when signing up.
RETAINING YOUR DATA
We will retain your personal data when registering for our services for a period of 5 years. Where you have contacted us for details of our services and products, we will retain your personal data for 5 years. Where we are / have been in dispute with you we will retain your data for 5 years. Where you or law enforcement agencies inform us of any active investigation or potential criminal prosecution, we will comply with all legal requirements for retaining this data.
The retaining of data is necessary for business administration, legal reasons and for product development and marketing purposes. Sometimes we may need to retain your data for longer, for example if we are representing you or defending ourselves in a legal dispute or as required by law or where evidence exists that a future complaint may occur.
INTERNATIONAL TRANSFERS OF PERSONAL DATA
We may transfer your data to third party organizations that are based outside of the country where you reside. This is commonly known as an international transfer of data. This is necessary for the purposes of administering our business and/or your products and services. These parties are not permitted to use your personal data for any other purpose than for what has been agreed with us.
In addition, these organizations are also required to safeguard your personal data using appropriate technical, physical and organizational data security measures and are prohibited from disclosing or sharing your data with other third parties without our prior authorization, unless required by law.
Individuals are provided with legal rights governing the use of their personal data. These grant individuals the right to understand what personal data relating to them is held, for what purpose, how it is collected and used, with whom it is shared, where it is located, to object to its processing, to have the data corrected if inaccurate, to take copies of the data and to place restrictions on its processing. Individuals can also request the deletion of their personal data.
These rights are known as Access Rights under Data Protection Laws. The following list details these rights:
- The right to be informed about the personal data being processed;
- The right of access to your personal data;
- The right to object to the processing of your personal data;
- The right to restrict the processing of your personal data;
- The right to rectification of your personal data;
- The right to erasure of your personal data;
- The right to data portability (to receive an electronic copy of your personal data);
- Rights relating to automated decision-making including profiling.
Individuals can exercise their Access Rights at any time. As mandated by law, we will not charge a fee to process these requests; however, if your request is repetitive, wholly unfounded and/or excessive, we are entitled to charge a reasonable administration fee or to refuse your request.
In exercising your Access Rights, you should understand that in some situations we may be unable to fully meet your request. For example, if you make a request for us to delete all your personal data, we may be required to retain some data for business administration or for prevention of crime purposes.
PROTECTING YOUR DATA
We will take all appropriate technical, physical and organizational steps to protect the confidentiality, integrity, availability and authenticity of your data, including when sharing your data with third parties.
If you are dissatisfied with any aspect of how we process your personal data, please contact us and ask for our Data Privacy Representative. You also have the right to complain to the Data Protection Supervisory Authority.
HOW TO CONTACT US
If you have any questions regarding this Notice and its content, the use of your data and your Access Rights please contact us and ask for our Data Privacy Representative.
This policy explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others and how we keep it secure.
TPL is committed to safeguarding the privacy of your information. By “your data”, “your personal data”, and “your information” we mean any personal data about you which you or third parties provide to us.
We may change this Policy from time to time so please check this page regularly to ensure that you’re happy with any changes.
Who are we?
Transact Payments Limited (“TPL”, “we”, “our” or “us”) is the issuer of your card and is the Data Controller for the personal data which you provide to us in relation to the card only. TPL is an e-money institution, authorised and regulated by the Gibraltar Financial Services Commission. Our registered office address is 6.20 World Trade Center, 6 Bayside Road, Gibraltar, GX11 1AA and our registered company number is 108217.
Lerex Technology Limited (“Lerex”) is the Program Manager for your card program and is the Data Controller for any personal data which you provide which is not related to the card. Lerex is incorporated and registered in England and Wales with company number 09829039 and whose registered office is at Abacus House, Caxton Place, Cardiff, CF23 8HA.
How do we collect your personal data?
We collect information from you when you apply online or via a mobile application for a payments card which is issued by us. We also collect information when you use your card to make transactions. We also obtain information from third parties (such as fraud prevention agencies) who may check your personal data against any information listed on an Electoral Register and/or other databases.
On what legal basis do we process your personal data?
Your provision of your personal data and our processing of that data is necessary for each of us to carry out our obligations under the contract (known as the Cardholder Agreement or Cardholder Terms & Conditions or similar) which we enter into when you sign up for our payment services. At times, the processing may be necessary so that we can take certain steps, at your request, prior to entering into that contract, such as verifying your details or eligibility for the payment services. If you fail to provide the personal data which we request, we cannot enter into a contract to provide payment services to you or will take steps to terminate any contract which we have entered into with you.
We may also process your personal data to comply with our legal or regulatory obligations.
We, or a third party, may have a legitimate interest to process your personal data, for example:
- To analyse and improve the security of our business;
- To anonymise personal data and subsequently use anonymised information.
What type of personal data is collected from you?
When you apply for a card, we, or our partners on our behalf, collect the following information from you: full name, physical address, email address, mobile phone number, phone number, date of birth, gender, login details, IP address, identity and address verification documents.
When you use your card to make transactions, we store that transactional and financial information. This includes the date, amount, currency, card number, card name, account balances and name of the merchant, creditor or supplier (for example a supermarket or retailer). We also collect information relating to the payments which are made to/from your account.
How is your personal data used?
We use your personal data to:
- set up your account, including processing your application for a card, creating your account, verifying your identity and printing your card.
- maintain and administer your account, including processing your financial payments, processing the correspondence between us, monitoring your account for fraud and providing a secure internet environment for the transmission of our services.
- comply with our regulatory requirements, including anti-money laundering obligations.
- improve our services, including creating anonymous data from your personal data for analytical use, including for the purposes of training, testing and system development.
Who do we share your information with?
When we use third party service providers, we have a contract in place that requires them to keep your information secure and confidential.
We pass your information to the following categories of entity:
- identity verification agencies to undertake required verification, regulatory and fraud prevention checks;
- information security services organisations, web application hosting providers, mail support providers, network backup service providers and software/platform developers;
- document destruction providers;
- anyone to whom we lawfully transfer or may transfer our rights and duties under this agreement;
- any third party as a result of any restructure, sale or acquisition of TPL or any associated entity, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us.
- regulatory and law enforcement authorities, whether they are outside or inside of the EEA, where the law requires us to do so.
Sending personal data overseas
To deliver services to you, it is sometimes necessary for us to share your personal information outside the European Economic Area (EEA), e.g.:
- with service providers located outside the EEA;
- if you are based outside the EEA;
- where there is an international dimension to the services we are providing to you.
These transfers are subject to special rules under European and Gibraltar data protection law.
These non-EEA countries do not have the same data protection laws as Gibraltar and the EEA. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. We will send your data to countries where the European Commission has made an adequacy decision, meaning that it has ruled that the legislative framework in the country provides an adequate level of data protection for your personal information. You can find out more about this here.
Where we send your data to a country where the European Commission has not made an adequacy decision, our standard practice is to use standard data protection contract clauses that have been approved by the European Commission. To obtain a copy of those clauses, please go to the European Commission’s website.
If you would like further information please contact our Data Protection Officer on the details below.
How long do we store your personal data?
We will store your information for a period of five years after our business relationship ends in order that we can comply with our obligations under applicable legislation such as anti-money laundering and anti-fraud regulations. If any changes to applicable legislation require us to retain your data for a longer period of time, we shall retain it for that period. We will not retain your data for longer than is necessary.
Your rights regarding your personal data?
You have certain rights regarding the personal data which we process:
- You may request a copy of some or all of it.
- You may ask us to rectify any data which we hold which you believe to be inaccurate.
- You may ask us to erase your personal data.
- You may ask us to restrict the processing of your personal data.
- You may object to the processing of your personal data.
- You may ask for the right to data portability.
If you would like us to carry out any of the above, please email the Data Protection Officer at DPO@transactpaymentsltd.com.
How is your information protected?
We implement security policies and technical measures in order to secure your personal data and take steps to protect it from unauthorised access, use or disclosure.
While we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We hope that our Data Protection Officer can resolve any query or concern you may raise about our use of your personal information.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Gibraltar is the Gibraltar Regulatory Authority. Their contact details are as follows:
Gibraltar Regulatory Authority,
2nd floor, Eurotowers 4, 1 Europort Road, Gibraltar.
(+350) 20074636/(+350) 20072166 firstname.lastname@example.org
How to contact us