1. Who We Are
Verge Capital Limited (“Finclude”, “We”, “us”, “our” or “Company”) Registered in Ireland No. 630528. Registered Office: 2 Ballymount Road Upper, Dublin 24, D24 XW40, Ireland, trading as finclude. References to “You” or “Your” is to the individual applicant who wishes to utilise the software services/platform of the Company (the “Services”) to facilitate the provision of financial performance data and metrics by the Company to the relevant credit institution or other client (the “Finclude Clients”) in connection with Your application for any service and/or product of the relevant Finclude Client and from whom the Company and/or relevant Finclude Client shall collect and process the Personal Data required for these purposes.
2. How We Use Your Personal Information
Finclude is committed to ensuring that Your privacy is protected and to Processing Your Personal Data in a fair, transparent and secure way. Finclude will take all reasonable commercial measures in ensuring Your information is protected and secured in accordance with all relevant laws and regulatory standards.
We will handle Your Personal Data in accordance with Data Protection Legislation. “Data Protection Legislation” means the Data Protection Acts 1988 to 2018, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and any other applicable law or regulation relating to the Processing of Personal Data and to privacy, including the E-Privacy Directive 2002/58/EC and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“E-Privacy Regulations”), as such legislation shall be supplemented, amended, revised or replaced from time to time.
3. Information We Gather From You or Finclude Clients
Before they provide services, products or financing to You, Finclude Clients shall collect and process Your Personal Data and will share it with Finclude to allow Finclude to undertake financial analysis so as to assess Your eligibility for postpaid and/or credit products (the “Business”). We may also collect Your Personal Data from you directly through the use of the Services.
The Personal Data collected from You or which we have received from Finclude Clients, may include information obtained directly from You, from Finclude Clients or from other sources, as set out in table 3.1 below (Sources of Personal Data/Requirements to Provide Personal Data). The Personal Data we hold about You may be used for any of the purposes set out in table 4.1 below (Purposes of Processing). Any Personal Data You provide to us will be held and processed by us at all times in accordance with Data Protection Legislation.
We endeavour to keep Your Personal Data accurate and up-to-date. As such, You must tell us about any changes to such information that You are aware of as soon as possible. You can change Your stated interests in respect of whether or not You wish to receive direct marketing from us by clicking ‘unsubscribe’ on any direct marketing electronic communication which You receive from us.
If You are aged 18 or under, please get Your parent/guardian’s permission before You provide Your Personal Data to us/use the Services.
3.1 Sources of Personal Data/Requirements to Provide Personal Data
|Category of Personal Data||Source||Requirement||Consequence of Failure to Provide|
Tax Residency Information
|You/Finclude Clients||Statutory||It would not be possible to complete an application for the requested product and/or service.|
|Employment Status Information||You/Finclude Clients||Contractual||It would not be possible to complete an application for the requested product and/or service.|
Tax Residency Information
|Financial Institutions APIs||Contractual||It would not be possible to complete an application for the requested product and/or service.|
We have explained in table 3.2 below the type of information included in each of the categories of Personal Data listed in table 3.1 above (Glossary of Categories of Personal Data).
3.2 Glossary of Categories of Personal Data
|Category of Personal Data||Included Information|
|Contact Information||postal address, email address, telephone number(s)|
|Identity Information||title, name, nationality, gender, age, date of birth, photograph, signature, electoral roll data, passport|
|Employment Status Information||employed, self-employed, student, retired, other|
|Financial Information||assets, liabilities, income and expenses|
|Credit Information||credit history|
|Transactional Information||deposits, withdrawals, and payment history of Your account(s) with Finclude or Finclude’s client|
|Tax Residency Information||national insurance / social security number, foreign tax identification number(s), citizenship(s)|
4. Why We Collect/Have Access to Your Information
We may collect information directly from You as necessary in the course of providing our Services. We may collect Your personal information while monitoring our technology tools and Services, including our Website and email communications sent to and from us. We gather information about You when You provide it to us, or interact with us directly.
We may use Your Personal Data on any one or more of the following legal bases: (i) to perform a contract with You; (ii) for our legitimate business purposes in providing the Services (in which case, our legitimate interests will not override Your fundamental privacy rights); (iii) where we have a legal or regulatory obligation to do so; and/or (iv) in limited circumstances, where You have given us Your express consent.
Note that we may process Your Personal Data for more than one legal basis depending on the specific purpose for which we are using Your Personal Data. Please contact us if You need details about the specific legal basis we are relying on to process Your Personal Data where more than one ground has been set out in the table below.
4.1 Purposes of Processing
|Category of Personal Data||Purpose for processing||Lawful basis for processing|
Tax Residency Information
Employment Status Information
|1. operating, maintaining and administering Your loan account(s) application(s) and/or our Business
2. providing You with the services and products You have requested
|Performance of a contract/to take steps prior to entering into a contract|
Tax Residency Information
Employment Status Information
|1. internal reporting (for business operation purposes) and external reporting (for compliance with any relevant legal and/or regulatory obligations)
2. our confidential internal research and analysis so as to generate new assessment models and reports on countries/regions which may be offered to market research firms and financial institutions
3. compliance with any other legal and/or regulatory requirements including legitimate requests for information from law enforcement and/or regulatory bodies/agencies
4. general record keeping requirements as stipulated by relevant laws, regulations, and/or regulatory authorities including but not limited to the Central Bank of Ireland
5. developing the products and services we provide
6. carrying out public register and commercial databases searches
We restrict access to Your Personal Data to employees/contractors who need to know that information in order to operate, develop, or improve our Services and/or Website (including in respect of the support of our software, and marketing/analytics). These individuals are bound by confidentiality obligations and may be subject to discipline, including termination, civil litigation and/or criminal prosecution, if they fail to meet these obligations. We may also share Your Personal Data with our suppliers/service providers for the purpose of providing and improving the Service to you.
If the Company becomes involved in a merger, acquisition, or any form of sale of some of all of its assets, Your Personal Data will not be transferred to any third party unless there are adequate safeguards in place with the recipient in respect of the security of Your Personal Data.
We will not disclose information about You to anyone else (other than agents or third parties performing any of the above activities/Services on our behalf) unless we are required by law to do so.
5. Retention of Personal Data
We will retain records in accordance with our retention policy and to comply with relevant laws and regulatory requirements. This includes retaining backups of our systems infrastructure for disaster recovery purposes. We will retain Your Personal Data, that You supply in the application form and elsewhere (including identification data, product data, email correspondence, and transactional information) on paper and on computer, and/or other electronic devices for a period of six years after the closing date of Your last application (unless you delete your account with us in which case Your Personal Data will be deleted) to comply with legal and regulatory obligations (including any possible fraud, financial crime and complaints investigations), to retain a reference and audit trail of any discussions, and to preserve a record of account history to facilitate a streamlined customer journey for any future new account applications. Finclude Clients and the external agencies they use (fraud prevention, credit reference and risk management agencies) may retain Your Personal Data for different periods of time, as covered by their own separate privacy notices.
6. Breach Reporting
We will notify serious data breaches in respect of Your Personal Data to the DPC without undue delay, and where feasible, not later than 72 hours after having become aware of same. If notification is not made after 72 hours, we will record a reasoned justification for the delay; however, it is not necessary to notify the DPC where the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons. A Personal Data breach in this context means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
We will keep a record of any data breaches, including their effects and the remedial action taken, and will notify You of any data breach affecting Your Personal Data (which poses a high risk to You) when we are required to do so under Data Protection Legislation. We will not be required to notify You of a data breach where:
- we have implemented appropriate technical and organisational measures that render the Personal Data unintelligible to anyone not authorised to access it, such as encryption; or
- we have taken subsequent measures which ensure that the high risk to data subjects is not likely to materialise; or
- it would involve disproportionate effort, in which case we may make a public communication instead.
7. Cookies Policy
8. Security Measures
We will take appropriate security measures to ensure that Your Personal Data is protected and secured in accordance with Data Protection Legislation. We will only disclose information about You to third party data processors who shall process Your Personal Data on our behalf. We may also disclose information about You to credit reference, fraud prevention, and risk management agencies, or if we are required by law or regulation to do so. We shall ensure that our data processors shall process Your Personal Data based on our instructions and have appropriate data security measures in place to protect the Personal Data and we will enter into a contract with all such third party data processors to reflect these requirements as set out in Article 28 of GDPR.
In some cases, we may need to transfer Your information to third parties overseas such as affiliate entities outside the European Economic Area. However, we will ensure that adequate procedures and safeguards such as the European Commission Model Contract Clauses, as an example, are in place to protect Your Personal Data at all times and that the affiliate and the third parties are contractually obligated to provide an adequate level of data protection in accordance with the EU data protection laws and regulations.
9. Third Party Websites
10. Impacts of Processing
If we determine that You pose a fraud or financial crime risk (which may be based on information provided to us by a fraud prevention or risk management agency), we and/or Finclude’s client may refuse to provide the services You have requested, or we may stop providing Services to You. A record of any fraud or money laundering risk will be retained by us for so long as is permitted by law, and may result in others refusing to provide services, financing or employment to You.
If false or inaccurate information is provided and fraud is identified or suspected, we may pass information to financial and other organisations involved in fraud prevention to protect us and our customers from theft and fraud.
Law enforcement agencies may also access and use this information to detect, investigate and prevent crime. We may provide the law enforcement agencies with information about You or Your account which we consider relevant to assist with any investigation of criminal activity.
11. Where We May Use Your Information To Contact You
We may contact You:
- for administration reasons related to the Services (e.g. to provide You with password reminders or to notify You that a particular service, activity or online content has been suspended for maintenance, or in response to a question that You ask us;
- to provide You with information about our Service, activities or online content, including sending e-newsletters or similar correspondence and updates or responding to any contact You have made with us, e.g. on our Website, by email or via the ‘How To Contact Us’ facility referred to below; and
- for direct marketing purposes.
12. Your Rights
As a data subject, You have the following rights under Data Protection Legislation and we, as Controller in respect of Your Personal Data, will comply with such rights in respect of Your Personal Data. These rights are explained in more detail below, but if You have any comments, concerns or complaints about our use of Your Personal Data, please contact us (see ‘Contact Us’ below). We will respond to any rights that You exercise within a month of receiving Your request, unless the request is particularly complex or cumbersome, in which case we will respond within three months (we will inform You within the first month if it will take longer than one month for us to respond). Where a response is required from us within a particular time period pursuant to Data Protection Legislation, we will respond within that time period.
12.1 The right to be informed
The right to be informed encompasses our obligation to provide ‘fair processing information’ through a privacy notice. It emphasises the need for transparency over how we use Personal Data.
12.2 The right of access
You have the right to access Your Personal Data and supplementary information. The right of access allows You to be aware of and verify the lawfulness of the processing of Your Personal Data. The right of access allows You to submit a Data Subject Access Requests (“DSAR”) for a copy of the Personal Data that we hold about You.
Requests for Your Personal Data must be made to us (see ‘Contact Us’ below) specifying what Personal Data You need access to, and a copy of such request may be kept by us for our legitimate purposes in managing the Services. To help us find the information easily, please give us as much information as possible about the type of information You would like to see. If, to comply with Your request, we would have to disclose information relating to or identifying another person, we may need to obtain the consent of that person, if possible. If we cannot obtain consent, we may need to withhold that information or edit the data to remove the identity of that person, if possible.
There are certain types of data which we are not obliged to disclose to You, which include Personal Data which records our intentions in relation to any negotiations with You where disclosure would be likely to prejudice those negotiations. We are also entitled to refuse a DSAR from You where (i) such request is manifestly unfounded or excessive, in particular because of its repetitive character (in this case, if we decide to provide You with the Personal Data requested, we may charge You a reasonable fee to account for administrative costs of doing so), or (ii) we are entitled to do so pursuant to Data Protection Legislation.
12.3 The right to rectification
GDPR gives You the right to have Personal Data rectified if it is inaccurate or incomplete free of charge. If You would like to do this, please:
- email or write to us (see ‘Contact us’ below);
- let us have enough information to identify You (e.g. name, registration details); and
- let us know the information that is incorrect and what it should be replaced with.
If we are required to update Your Personal Data, we will inform recipients to whom that Personal Data have been disclosed (if any), unless this proves impossible or has a disproportionate effort.
It is Your responsibility that all of the Personal Data provided to us is accurate and complete. If any information You have given us changes, please let us know as soon as possible (see ‘Contact Us’ below).
12.4 The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable You to request the deletion or removal of Personal Data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’.
In accordance with Data Protection Legislation, You can ask us (please see ‘How To Contact Us’ below) to erase Your Personal Data where:
- if You had given us consent to process Your Personal Data, You withdraw that consent and we cannot otherwise legally process Your Personal Data;
- You object to our processing and we do not have any legal basis for continuing to process Your Personal Data;
- Your Personal Data has been processed unlawfully or have not been erased when it should have been; or
- the Personal Data have to be erased to comply with law.
We may continue to process Your Personal Data in certain circumstances in accordance with Data Protection Legislation (i.e. where we have a legal justification to continue to hold such Personal Data, such as it being within our legitimate business interest to do so to retain evidence of billing information etc.). Where You have requested the erasure of Your Personal Data, we will inform recipients to whom that Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort. We will also inform You about those recipients if You request it.
12.5 The right to restrict processing
You have the right to ‘block’ or suppress processing of Your Personal Data, which will make it restricted, and permit us to store the Personal Data, but not to further process it. We would retain just enough information about You to ensure that the restriction is respected in future. We will be required to restrict the processing of Your Personal Data temporarily in the following circumstances:
- You do not think that Your Personal Data is accurate (but we may start processing again once we have checked and confirmed that it is accurate);
- the processing is unlawful but You do not want us to erase Your Personal Data;
- we no longer need the Personal Data for our processing; or
- You have objected to processing because You believe that Your interests should override the basis upon which we process Your Personal Data.
If You exercise Your right to restrict us from processing Your Personal Data, we will continue to process the Personal Data if:
- You consent to such processing;
- the processing is necessary for the exercise or defence of legal claims;
- the processing is necessary for the protection of the rights of other individuals or legal persons; or
- the processing is necessary for public interest reasons.
We must inform You when we decide to lift a restriction on processing.
12.6 The right to data portability
The right to data portability allows You to obtain and reuse Your Personal Data for Your own purposes across different services. It allows You to move, copy or transfer Personal Data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability only applies to Personal Data You provided to us, where the processing is based on Your consent or for the performance of a contract; and when processing is carried out by automated means.
12.7 The right to complain to the DPC
12.8 Right to ask us to stop contacting You with direct marketing
We have a legitimate interest to send You electronic communications in connection with the Services and related matters (which may include but shall not be limited to newsletters, announcement of new features etc. and which may also appear on social media platforms such as Facebook, LinkedIn, Twitter or Instagram.). We may also ask You for Your consent to send You direct marketing from time to time. You may be able to select Your preferences with respect to direct marketing when registering with us for the Servces. We may also ask You different questions for different services, including competitions. We may also ask You to complete surveys that we use for research purposes, although You do not have to respond to them.
You can ask us to stop contacting You for direct marketing purposes. If You would like to do this, please:
- Click on ‘unsubscribe’ on an email (this will be instantaneous);
- Send an email via ‘Contact Us’ below (this can take up to 5 working days).
We will provide You with information on action taken on a request to stop direct marketing – this may be in the form of a response email confirming that You have ‘unsubscribed’.
12.9 The right to object/withdrawal of consent
12.10 The right in relation to automated decision making and profiling
You may ask us to ensure that, if we are evaluating you, we don’t base any decisions solely on an automated process and have any decision reviewed by a member of staff. These rights will not apply in all circumstances, for example where the decision is (i) authorised or required by law, (ii) necessary for the performance of a contract between You and us, or (ii) is based on your explicit consent. In all cases, we will endeavour that steps have been taken to safeguard Your interests.
13. Contact Us
For more information or to exercise Your Personal Data protection rights, please contact our Data Protection Officer with subject heading “Data Protection Queries”:
- By writing: Data Protection Officer Verge Capital Limited – Harcourt Centre, Harcourt Road, Dublin 2, D02 HW77, Ireland
- By calling: +353 (0) 1 477 3266
- By emailing: [email protected]