1. Introduction
We have developed an online platform that allows us to provide our clients (“Clients”) with certain services in relation to their customers and potential customers, such as financial behaviour assessments, financial information verification, creditworthiness and affordability assessments. Our Clients use the outputs of our services to assist them in deciding whether to provide services to their customers, such as postpaid and/or credit products.
In order to provide our service to our Clients, we process personal data in relation to their customers. This privacy policy (the “Privacy Policy”) explains how we will collect and use your personal data when we provide our services. The Privacy Policy applies to you if you have been asked by one of our Clients to give your permission for Finclude to access your payment accounts.
2. Who We Are
Verge Capital Limited (“Finclude”, “We”, “us”, “our”) Registered in Ireland No. 630528. Registered Office: Riverside One, Sir John Rogerson’s Quay, Dublin 2, D02 X576, Ireland, trading as finclude.
3. Information We Gather From You or Our Clients
Before they provide services, products or financing to you, our Clients will collect and process certain of your personal data and will share it with us. We may also collect personal data from you directly through your use of the Finclude platform. Details of the personal data that we collect and process are set out in table 3.1 below, with details of how your personal data is used set out in table 4.1.
We endeavour to keep your personal data accurate and up-to-date. As such, you must tell us about any changes to such information that you are aware of as soon as possible using the details in the ‘Contact Us’ section below.
If you are aged under 18, please get your parent/guardian’s permission before you provide your personal data to us/use the services.
3.1 Sources of Personal Data
Category of Personal Data | Source | Consequence of Failure to Provide |
---|---|---|
Contact Information
Financial Information Identity Information Tax Residency Information |
You/Our Clients | It would not be possible for Finclude to provide its service to its Client, which may prevent you from completing an application for the requested product and/or service. |
Employment Status Information | You/Our Clients | It would not be possible for Finclude to provide its service to its Client, which may prevent you from completing an application for the requested product and/or service. |
Financial Information
Credit Information Identity Information Tax Residency Information |
Financial Institutions APIs | It would not be possible for Finclude to provide its service to its Client, which may prevent you from completing an application for the requested product and/or service. |
We have explained in table 3.2 below the type of information included in each of the categories of Personal Data listed in table 3.1 above (Glossary of Categories of Personal Data).
3.2 Glossary of Categories of Personal Data
Category of Personal Data | Included Information |
---|---|
Contact Information | postal address, email address, telephone number(s) |
Identity Information | title, name, nationality, gender, age, date of birth, photograph, signature, electoral roll data, passport |
Employment Status Information | employed, self-employed, student, retired, other |
Financial Information | assets, liabilities, income and expenses |
Credit Information | credit history |
Transactional Information | deposits, withdrawals, and payment history of Your account(s) with Finclude or our Client |
Tax Residency Information | national insurance / social security number, foreign tax identification number(s), citizenship(s) |
4. Why We Collect/Have Access to Your Information
We may collect information directly from you as necessary in the course of providing our services. We gather information about you when you provide it to us, or interact with us directly.
We may use your personal data on any one or more of the following legal bases: (i) to perform a contract with you; (ii) for our legitimate business purposes in providing the services (in which case, our legitimate interests will not override your fundamental privacy rights); (iii) where we have a legal or regulatory obligation to do so; and/or (iv) in limited circumstances, where you have given us your express consent.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.
Note that we may process your personal data for more than one legal basis depending on the specific purpose for which we are using your personal data.
4.1 Purposes of Processing
Category of Personal Data | Purpose for processing | Lawful basis for processing |
---|---|---|
Contact Information
Financial Information Transactional Information Identity Information Tax Residency Information Security Information Employment Status Information |
Accessing personal data held by your payment account provider(s) | Your consent |
1. Undertaking our financial behaviour assessments, financial information verification, creditworthiness and affordability assessments
2. Carrying out public register and commercial databases searches |
Our legitimate interests in providing our service to our Clients, and our Client’s legitimate interests in assessing whether to provide you with their services | |
Internal reporting (for business operation purposes) | Our legitimate interests in operating our business in a commercially prudent manner | |
1. Our confidential internal research and analysis so as to generate new assessment models and reports on countries/regions which may be offered to market research firms and financial institutions.
2. developing the products and services we provide |
Our legitimate interests in operating our business, improving our products and services, and processing data in order to generate insights that are valuable to our potential customers | |
1. Compliance with any legal and/or regulatory requirements including legitimate requests for information from law enforcement and/or regulatory bodies/agencies
2. General record keeping requirements as stipulated by relevant laws, regulations, and/or regulatory authorities including but not limited to the Central Bank of Ireland |
Compliance with a legal obligation |
5. Recipients of Your Personal Data
We restrict access to your personal data to employees/contractors who need to know that information in order to operate, develop, or improve our Services and/or Website (including in respect of the support of our software, and marketing/analytics). These individuals are bound by confidentiality obligations and may be subject to discipline, including termination, civil litigation and/or criminal prosecution, if they fail to meet these obligations.
We may share copies of your personal data with the following categories of recipients:
- Our Clients – Where you have applied to one of our Clients for a product or service, we will provide that Client with personal data in connection with that application (e.g. transaction history, reports, verification information, etc.). You can access a copy of any reports that we generate at https://my.finclude.ai. Please note that as our Clients are then responsible for how they use your personal data, you should check the relevant Client’s privacy policy/notice for details of how your personal data will be processed.
- Mergers/Acquisitions/Sales – If Finclude becomes involved in a merger, acquisition, or any form of sale of some of all of its assets, your personal data may be shared with the ultimate purchaser of Finclude or its assets.
- Regulators/Law Enforcement – We will share your personal data with law enforcement and/or regulatory bodies/agencies in order to comply with any legal and/or regulatory requirements including legitimate requests for information from law enforcement and/or regulatory bodies/agencies.
We may also share your personal data with our suppliers/service providers for the purpose of providing and improving the service that we provide (e.g. IT service providers, legal advisors, consultants etc.). These suppliers/service providers process your personal data on our behalf, and are not allowed to use your personal data for their own purposes.
6. Retention of Personal Data
We will retain records in accordance with our retention policy and to comply with relevant laws and regulatory requirements. This includes retaining backups of our systems infrastructure for disaster recovery purposes. We will retain your personal data, that you supply in the application form and elsewhere (including identification data, product data, email correspondence, and transactional information) on paper and on computer, and/or other electronic devices for a period of six years after the closing date of your last application (unless you delete your account with us in which case your personal data will be deleted) to comply with legal and regulatory obligations (including any possible fraud, financial crime and complaints investigations), to retain a reference and audit trail of any discussions, and to preserve a record of account history to facilitate a streamlined customer journey for any future new account applications.
Our Clients and the external agencies they use (fraud prevention, credit reference and risk management agencies) may retain your Personal Data for different periods of time, as covered by their own separate privacy policies/notices.
7. Transfers of Your Personal Data
In some cases, we may need to transfer your personal data to third parties overseas such as affiliate entities outside the European Economic Area. However, we will ensure that adequate procedures and safeguards such as the European Commission Model Contract Clauses, as an example, are in place to protect your personal data at all times and that the affiliate and the third parties are contractually obligated to provide an adequate level of data protection in accordance with the EU data protection laws and regulations. For more information on our transfers of your data, please contact us using the details set out below in the Contact Us section.
8. Impacts of Processing
If we determine that you pose a fraud or financial crime risk (which may be based on information provided to us by a fraud prevention or risk management agency), we may inform our Client of our analysis, who may refuse to provide the services you have requested. A record of any fraud or money laundering risk will be retained by us for so long as is permitted by law, and may result in others refusing to provide services, financing or employment to you.
If false or inaccurate information is provided and fraud is identified or suspected, we may pass information to financial and other organisations involved in fraud prevention to protect us and our customers from theft and fraud.
Law enforcement agencies may also access and use this information to detect, investigate and prevent crime. We may provide the law enforcement agencies with information about you or your account which we consider relevant to assist with any investigation of criminal activity.
9. Where We May Use Your Information To Contact You
We may contact You:
- for administration reasons related to the Services (e.g. to provide You with password reminders or to notify You that a particular service, activity or online content has been suspended for maintenance, or in response to a question that You ask us); and
- to provide You with information about our Service, activities or online content, including sending e-newsletters or similar correspondence and updates or responding to any contact You have made with us, e.g. on our Website, by email or via the ‘How To Contact Us’ facility referred to below.
10. Your Rights
As a data subject, you have the following rights and we will comply with such rights in respect of your personal data. These rights are explained in more detail below, but if you have any comments, concerns or complaints about our use of your personal data, please contact us (see ‘Contact Us’ below). We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex or cumbersome, in which case we will respond within three months (we will inform you within the first month if it will take longer than one month for us to respond). Where a response is required from us within a particular time period under relevant data protection legislation, we will respond within that time period.
10.1 The right to be informed
The right to be informed encompasses our obligation to provide ‘fair processing information’ through a privacy notice. It emphasises the need for transparency over how we use personal data.
10.2 The right of access
You have the right to access your personal data and supplementary information. The right of access allows you to be aware of and verify the lawfulness of the processing of your personal data. The right of access allows you to submit a Data Subject Access Requests (“DSAR”) for a copy of the personal data that we hold about you.
You can access a copy of the personal data that we hold by visiting https://my.finclude.ai. Alternatively, requests for a copy of your personal data must be made to us (see ‘Contact Us’ below) specifying what personal data you need access to. To help us find the information easily, please give us as much information as possible about the type of information you would like to see. If, to comply with your request, we would have to disclose information relating to or identifying another person, we may need to obtain the consent of that person, if possible. If we cannot obtain consent, we may need to withhold that information or edit the data to remove the identity of that person, if possible.
There are certain types of data which we are not obliged to disclose to you, which include personal data which records our intentions in relation to any negotiations with you where disclosure would be likely to prejudice those negotiations. We are also entitled to refuse a DSAR from you where (i) such request is manifestly unfounded or excessive, in particular because of its repetitive character (in this case, if we decide to provide you with the personal data requested, we may charge you a reasonable fee to account for administrative costs of doing so), or (ii) we are entitled to do so pursuant to data protection legislation.
10.3 The right to rectification
You have the right to request to have personal data rectified if it is inaccurate or incomplete free of charge. If you would like to do this, please:
- email or write to us (see ‘Contact us’ below);
- let us have enough information to identify you (e.g. name, registration details); and
- let us know the information that is incorrect and what it should be replaced with.
If we are required to update your personal data, we will inform recipients to whom that personal data have been disclosed (if any), unless this proves impossible or has a disproportionate effort.
It is Your responsibility that all of the personal data provided to us is accurate and complete. If any information You have given us changes, please let us know as soon as possible (see ‘Contact Us’ below).
10.4 The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of your personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute ‘right to be forgotten’.
You can ask us (please see ‘Contact Us’ below) to erase your personal data where:
- You do not believe that we need your personal data in order to process it for the purposes set out in this Privacy Policy;
- if you had given us consent to process your personal data, you withdraw that consent and we cannot otherwise legally process your personal data;
- You object to our processing and we do not have any legal basis for continuing to process your personal data;
- Your personal data has been processed unlawfully or have not been erased when it should have been; or
- the personal data have to be erased to comply with law.
We may continue to process your personal data in certain circumstances in accordance with data protection legislation (i.e. where we have a legal justification to continue to hold such personal data, such as it being within our legitimate business interest to do so to retain evidence of billing information etc.). Where you have requested the erasure of your personal data, we will inform recipients to whom that personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We will also inform you about those recipients if you request it.
10.5 The right to restrict processing
You have the right to ‘block’ or suppress processing of your personal data, which will make it restricted, and permit us to store the personal data, but not to further process it. We would retain just enough information about you to ensure that the restriction is respected in future. We will be required to restrict the processing of your personal data temporarily in the following circumstances:
- You do not think that your personal data is accurate (but we may start processing again once we have checked and confirmed that it is accurate);
- the processing is unlawful but you do not want us to erase your personal data;
- we no longer need the personal data for our processing; or
- You have objected to processing because you believe that your interests should override the basis upon which we process your personal data.
If you exercise your right to restrict us from processing your personal data, we will continue to process the personal data if:
- you consent to such processing;
- the processing is necessary for the exercise or defence of legal claims;
- the processing is necessary for the protection of the rights of other individuals or legal persons; or
- the processing is necessary for public interest reasons.
We must inform you when we decide to lift a restriction on processing.
10.6 The right to data portability
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The right to data portability only applies to personal data you provided to us, where the processing is based on your consent or for the performance of a contract; and when processing is carried out by automated means.
10.7 The right to complain to Supervisory Authorities
If you do not think that we have processed your personal data in accordance with this Privacy Policy, please contact us in the first instance. If you are not satisfied, you can complain to your local supervisory authority. You can find the contact details for your supervisory authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
10.8 The right to object/withdrawal of consent
If you no longer consent to our processing of your personal data (in respect of any matter referred to in this Privacy Policy as requiring your consent), you may request that we cease such processing by contacting us via the ‘Contact Us’ facility referred to below. Please note that if you withdraw your consent to such processing, it may not be possible for us to provide all/part of the services to you.
10.9 The right in relation to automated decision making and profiling
You may ask us to ensure that, if we are evaluating you, we don’t base any decisions solely on an automated process and have any decision reviewed by a member of staff. These rights will not apply in all circumstances, for example where the decision is (i) authorised or required by law, (ii) necessary for the performance of a contract between you and us, or (ii) is based on your explicit consent. In all cases, we will endeavour that steps have been taken to safeguard your interests.
Please note that we do not make any decisions on behalf of our Clients in relation to whether to offer you a product or service. We provide our Clients with insights on the basis of our processing of your personal data, which they then use in connection with their decision making process.
11. Contact Us
For more information or to exercise your personal data protection rights, please contact our Data Protection Officer with subject heading “Data Protection Queries”:
- By writing: Data Protection Officer Verge Capital Limited – Riverside One, Sir John Rogerson’s Quay, Dublin 2, D02 X576, Ireland
- By emailing: [email protected]