data controller, to meet the requirements of the UK’s Data Protection Act 2018, (the “Act”) and the
provisions of Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) relating to
the collection, protection, disclosure and use of personal data from which living individuals are
identified or identifiable.
Tappily is registered by the Information Commissioner’s Office (ICO) with registration number: Z2878281.
at https://www.tappily.co.uk/content/html/terms.html and any other documents referred to in it)
sets out the basis on which any personal data we collect from you, or that you provide to us, will be
processed by us. Please read the following carefully to understand our views and practices regarding
your personal data.
Our site may, from time to time, contain links to and from the websites of our advertisers and
affiliates. If you follow a link to any of these websites, please note that these websites have their
own privacy policies and that we do not accept any responsibility or liability for these policies. Please
check these policies before you submit any personal data to these websites.
- INFORMATION WE MAY COLLECT ABOUT YOU
Bank transaction data
As part of our Tappily service and Tappily Running Account Credit Agreement, (referred to as
the Tappily facility), you may, depending on which bank you have your internet banking account with, be required to enter your internet banking details into our Tappily Site directly,
including your personal identification numbers (PIN) and security passwords (Internet Banking Credentials).
Your Internet Banking Credentials are in such case encrypted in transit and
securely transferred to our agent and supplier Yodlee, Inc. (Yodlee). Your encrypted Internet
Banking Credentials are then stored by Yodlee, upon their servers in a secure environment.
As part of Tappily’s revolving credit facility, you give us permission as your agent and
nominated representative, to access, view, represent, and copy up to 366 days of
transaction history from your nominated internet banking account (Transaction Data) at the
time of your application and subsequent Transaction Data on a daily basis thereafter. We use your Transaction Data to
assess your credit worthiness, to make on-going lending and collecting decisions and, in
accordance with your marketing consent preferences, to notify you of products and/or
services, offered by ourselves or trusted third parties that we believe you may be interested
in. Your raw Transaction Data is treated as confidential and will not be passed to any third
parties other than members of our group (which means our subsidiaries, our ultimate
holding company and its subsidiaries in each case as defined in section 1159 of the UK
Companies Act 2006), or our business partners, suppliers and sub-contractors for the
performance of services under any contract we enter into with them or you. Aggregated
and/or anonymised Transaction Data will be used by us to enhance our product and service
offerings, and will be shared with third parties.
- For the avoidance of doubt, we will not pass your Internet Banking Credentials to any third parties.
referring to sharing your Internet Banking Credentials or raw Transaction Data.
Other personal data
In addition to your Transaction Data as defined above we may collect and process the following data about you:
- Information that you may provide by filling in forms on www.tappily.co.uk (our
“Site”). This includes your name, address, email address and telephone numbers along with
any other information provided at the time of your request for a revolving credit facility or
requesting further services. It will also include your date of birth, residential status, time at
address, employment details and financial information. We may also ask you for information
when you report a problem with our Site.
- Correspondence, or a record of it, if you should contact us or we contact you and
recordings of telephone calls between us.
- Surveys that we use for research purposes, which we have asked you to complete,
although you do not have to respond to them.
- Financial transactions relating to your Tappily facility.
- Credit reference and fraud prevention data pertaining to you and any financial
associates (See also section 4).
- Publicly available information including, but not limited to, electoral roll, county
court judgements, bankruptcy and insolvency information.
- Proof of identification or details required to confirm or verify your identity, address,
bank account or payment card.
- Details of your visits to our Site (including, but not limited to, traffic data, location
data, weblogs and other communication data, whether this is required for our own billing
purposes or otherwise) and the resources that you access.
- Information from third parties in respect of you which may include information from
a lead provider/credit broker, if you have applied to them for a loan and they pass your
information to us, your employer or a referee.
- Any information you voluntarily provide, which may include special category
personal data, for example data which you provide about your health where this relates to
your ability to meet your obligations under the agreement.
- You are responsible for the accuracy of any information you provide to us. If the data is
inaccurate or incomplete, you have the right to request it to be rectified (see section 10.3 below).
Your use of our website and services is entirely voluntary and you are not required to provide any
personal information unless you choose to do so. However, where such information is necessary for
us to enter into a contract with you (for example for providing a loan) we may not be able to provide
our services to you in the absence of information that we may require.
- HOW WE USE YOUR INFORMATION
We use information held about you in the following ways:
- to process any loan application you make and to assess your creditworthiness;
- to carry out our obligations arising from any contracts entered into between you and us
including determining optimum repayment conditions;
- for legal compliance and administrative purposes, for example to process payments, make
collections, trace you where necessary, update/maintain our records, prevent fraud and
money laundering and enforce our loan terms;
- to communicate with you by telephone, email, SMS or post using the details you have
provided in relation to your application/agreement with us;
- to provide you with marketing communications from us (which you may opt out of receiving
when you provide your information and at any other time) and, where you have provided
your express consent for us to do so, to pass your details to named third parties so that they
may contact you by SMS, email, post or telephone to market their goods and services to you
(this may include other lenders where we are not able to provide you with a loan but you
agree that we can pass your details to another lender who may be able to offer you credit);
- to ensure that content from our Site is presented in the most effective manner for you and
for your computer;
- for statistical analysis and trend monitoring; and
- to notify you about changes to our service.
- DISCLOSURE OF YOUR INFORMATION
We may disclose your personal information, including information about how you manage
your account, to third parties in the following circumstances:
- To those who provide a service to us or are acting as our agents, to prepare or send
any communications to you, or to assist us in connection with any of our
administrative or business functions, or in the provision of any of our services to you,
subject to contractual or other legal obligations to keep the information confidential,
and to use your personal data only for the purpose of providing the service to us. If
they are located in another country we will meet our legal obligation to ensure that
they agree to apply equivalent levels of protection to those we are required to apply
to information held in the UK.
- To Credit Reference Agencies and Fraud Prevention Agencies (see section 4 below
for more information).
- In the event that we sell or buy any business or assets, in which case we may disclose
your personal data to the prospective seller or buyer of such business or assets.
- If we or substantially all of our assets are acquired by a third party, in which case
personal data held by us about our customers will be one of the transferred assets.
- To our professional advisers where required to advise us from time to time and
always subject to a duty of confidentiality.
- To other members of our group where required for management information and
- If we are under a duty to disclose or share your personal data in order to comply with
any legal obligation, or in order to enforce or apply our Website Terms and Conditions
of Use https://www.tappily.co.uk/content/html/terms.html, other agreements; or to
protect the rights, property, or safety of Indigo Michael Ltd, our customers, or others,
or if the law allows us to do so. This includes exchanging information with other
companies and organisations for the purposes of fraud protection and credit risk reduction.
- Wherever possible we will anonymise your information before it is transferred to third
parties so it does not identify you personally. We may, for example, perform statistical
analyses of the behaviour of the users of our Site in order to measure interest in the various
areas of our site and to inform advertisers as to how many consumers have seen or
“clicked” their advertising banners. This information, and any other general information
about our users that we share with advertisers and other partners, will not disclose any
personal information about you.
CREDIT REFERENCE AND FRAUD PREVENTION AGENCIES
You can also contact the major CRAs directly:
We use Credit Reference Agencies (CRAs) to assess your application for credit, fulfil our legal
obligations (for example to assess affordability and verify your identity to prevent money
laundering. We may also make periodic searches at CRAs to manage your account with us.
When CRAs receive a search from us they will place a search footprint on your credit file that
may be seen by other lenders. Information on credit applications and details of how
you manage your account with us will be sent to CRAs and will be recorded by them. If you
borrow and do not repay in full and on time, CRAs will record the outstanding debt. If false
or inaccurate information is provided and fraud is identified, details will be passed to fraud
If you tell us that you have a spouse or financial associate, we will link your records together
so you must be sure that you have their agreement to disclose information about them.
CRAs also link your records together and these links will remain on your and their files until
such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The information held by CRAs may be supplied by them to other organisations which make
searches of your credit record such as lenders, debt recovery agents, law enforcement
agencies and insurers. Records remain on file for 6 years after they are closed, whether
settled by you or defaulted.
More information about CRAs, their role also as fraud prevention agencies, the data they
hold, the ways in which they use and share personal information, data retention periods and
your data protection rights with the CRAs are explained in more detail in the CRA
information notice (CRAIN) available at https://www.equifax.co.uk/crain.html
Call Credit, Consumer Services, PO Box 491, Leeds, LS3 1WZ or call 0870 060 1414 or log on to www.callcredit.co.uk
Equifax plc, Credit File Advice Centre, PO Box 3001, Bradford, BD1 5US or call 0870 010 0583 or log on to www.equifax.co.uk
Experian, Consumer Help Service, PO Box 8000, Nottingham NG80 7WF or call 0870 241 6212 or log on to www.experian.co.uk:
- PROCESSING YOUR DATA USING AUTOMATED DECISION-MAKING SOFTWARE
We use automated decision-making software to underwrite your loan. Our automated decision-making systems includes but is not limited to the following inputs:
- • Credit model algorithms
- • Affordability algorithms
- • Employment verification
- • Anti-fraud and Anti-money laundering databases
- • Other data sources that provide inputs that show your creditworthiness, affordability or fitness to receive credit
- The use of automated decision-making software is a requirement to enter into a loan
agreement with us. You have the right to request that we undertake a manual review of the
results of the automated decision rendered.
- OUR LEGAL BASIS FOR USING YOUR PERSONAL INFORMATION
We use your personal information for a variety of reasons, subject to different legal bases for processing, including:
- Where necessary for the purposes of the performance of our agreement with you or
to take steps at your request prior to entering into an agreement with you. If you do
not provide such information we will be unable to provide you with a loan.
- Where necessary for our legitimate interests, for example in managing and monitoring
our website operation, preventing fraud and for our business compliance purposes
- Where necessary in order to comply with a legal obligation, for example making
reports to our regulatory authority or to law enforcement agencies.
- Where our use of your data is not necessary for one of the purposes outlined above we may
seek your consent to use it in a particular way, for example if we ask you to complete a
customer survey, or request your consent to pass your information to named third parties for
the purposes of marketing to you by electronic means. Where we ask for your consent you
are free to refuse our use of the data for those purposes and you may withdraw your consent
at any time by contacting us using the details set out at section 12 below.
SECURE STORAGE, TRANSFER AND RETENTION OF YOUR PERSONAL INFORMATION
- All information you provide to us is, as far as reasonably practicable, stored on our secure
servers. Any payment transactions will be encrypted using industry standard 256-bit bank level encryption.
- Unfortunately, the transmission of information via the internet is not completely secure.
Although we will do our best to protect your personal data, we cannot guarantee the security
of your data transmitted to our Site; any transmission is at your own risk. Once we have received
your personal data, we will use strict procedures and security features to try to prevent
unauthorised access. We ask you not to permit anyone to use your Tappily profile.
- If you have provided your internet banking details to be encrypted in transit and securely transferred
to Yodlee your data will be stored on Yodlee servers which are situated in the United States; Yodlee is a
member of the US government ‘Privacy Shield’ scheme (go
to http://www.yodlee.com/privacy-policy/ for more details and to
https://www.privacyshield.gov/list to verify Yodlee’s certification). The European Commission
considers that personal data sent to the US under the “Privacy Shield” scheme is adequately
protected to equivalent standards as prescribed under the GDPR.
- If we otherwise transfer your data outside of the European Economic Area, we will always
ensure that your data is transferred subject to equivalent protections applying the principles
under Chapter V of the GDPR.
- Information we collect from you will only be kept for the length of time considered necessary
after you cease using Tappily’s revolving credit facility and in accordance with any statutory
retention periods. We will not ordinarily store information for in excess of six years after your
account is closed whether settled by you or in default.
- Where we have obtained your contact details in the course of a sale
or negotiations for a sale of our products and services to you, we may contact you by electronic methods including
telephone, e-mail, or SMS, with information about similar products and services we provide,
unless you have opted out of receiving such marketing communications (see 8.3 below).
- Where you have provided your consent by way of an opt in by ticking the appropriate box on
the Tappily revolving credit facility application form on our Site or written consent, we may
share your personal information with named third parties for marketing purposes (for
example if we decline your loan application and you agree we can pass you information to
another lender or credit broker who may be able to assist you in finding a loan)
- You may opt-out at any time from receiving any marketing communications from us or third
parties to which you have agreed we can pass your personal data as per section 8.2 by getting
in touch through the below methods. You may opt-out of any SMS marketing by following the
instruction in the message itself. Likewise, by responding to any of our email communications
with “remove” in the subject line, or by sending us an email to
firstname.lastname@example.org or writing to us at Indigo Michael Ltd t/a Tappily, PO Box
1515, High Wycombe, HP11 9JE. We are not responsible for stopping unwanted
communications from sources beyond our control.
- If you opt-out of our use of your data for marketing purposes, we will honour such choice once
we have had a reasonable opportunity to process your request. We reserve the right to take
reasonable steps to authenticate your identity with respect to any such request or other enquiry.
- For the avoidance of doubt, we will never use Transaction Data or special category data within
the meaning of the GDPR for marketing purposes.
IP ADDRESSES AND COOKIES
- We may collect information about your computer, including where available your IP address,
operating system and browser type, for system administration and may report aggregate
information to our advertisers. This is statistical data about our users’ browsing actions and
patterns, and does not identify any individual.
- A “cookie” is a small electronic file that collects information when someone visits a website. A
cookie can identify the pages that are being viewed, and this can assist us to select the pages
that the viewer sees. Some cookies only exist whilst viewers are online, but “persistent” cookies
- which are not session-based - remain on the viewer’s computer, so that he or she can be
recognised as a previous visitor when he or she next visits our website. We may use persistent
cookies to allow us to collect information about a viewer’s browsing habits whilst on our site,
so that we can monitor and improve our services.
- Under the Privacy and Electronic Communications (EU Directive) Regulations 2003 (as
amended) we are required to get the consent of everyone who uses our Site to the use of
cookies. When first accessing our site you will be presented with a pop up requesting your
- We do not store sensitive information such as account numbers or passwords in “persistent”
cookies, and cookies in themselves do not contain enough information to identify you. We will
only acquire a personal identity in relation to your browsing habits after you have formally
provided us with your personal data for the purposes outlined at section 4 below.
- In addition to using cookies, we might also use web tools to collect information about your
browsing activities whilst on our Site. In this respect the information that is provided is similar
to the information supplied by cookies, and we use it for the same purposes.
- Any information that we acquire about you using cookies or web tools is subject to the same
restrictions and conditions as any other information we collect about you.
advertising agencies, or the businesses to which the advertisements in question relate. We do
not have access to any information that might be collected in this way, and, if you are
concerned, you should contact the advertiser for more information. We have no control over
third party cookies technology.
List of Cookies
ASP.NET Session ID
This cookie is required to make our website work by setting an anonymous ID which is used when you navigate the website.
Whether to display cookie message
This cookie contains information to help us understand which marketing channels are most effective and how you found our website.
This cookie is used by us to personalise customer experience.
This cookie helps us improve our customer experience by tracking how users interact with our site.
This cookie is used to protect the site from cross-site request forgery.
This cookie is part of Google Analytics and helps us improve our customer experience by anonymously tracking how users interact our website. It is specifically used to track the number of visits to our website.
This cookie is part of Mouseflow and helps us improve our customer experience by tracking how users interact with our website.
- Most browsers automatically accept cookies. You may refuse to accept cookies by activating
the setting on your browser which allows you to refuse the setting of cookies. However, if you
select this setting you may be unable to access certain parts of our site and we cannot guarantee
that your experience with our Site will be as quick or responsive. Unless you have adjusted your
you log on to our Site.
- You can find and control your cookie settings via your browser; your browser help function will
tell you how. Please note, it is not possible for Tappily to allow you to carry your settings with
you between your browsers and devices so you will need to change these settings for each
browser you use.
Your personal information is protected under data protection law and you have a number of
rights (explained below) which you can seek to exercise. Please contact us using the details
shown at section 12 below if you wish to do so, or if you have any queries in relation to your
rights. If you seek to exercise your rights we will explain to you whether or not the right
applies to you; these rights do not apply in all circumstances.
Right of access
Subject to certain exceptions, you have the right of access to information that we hold about
you upon request. You can exercise this right by making a request in writing, by email or
telephone using the contact details shown below.
Right to rectify your personal information
If you discover that the information we hold about you is inaccurate or incomplete, you have
the right to have this information rectified (i.e. corrected).
Right to be forgotten
You may ask us to delete information we hold about you in certain circumstances, this is
often referred to as the ‘right to be forgotten’. This right is not absolute and only applies in
particular circumstances. It may not therefore be possible for us to delete the information
we hold about you, for example, if we have an ongoing contractual relationship or are
required to retain information to comply with our legal obligations or to exercise or defend legal claims.
Right to restriction of processing
In some cases you may have the right to have the processing of your personal information
restricted. For example, where you contest the accuracy of your personal information, its
use may be restricted until the accuracy is verified. You have the right to ask us to restrict
the use of your information certain purposes for example for marketing communications.
Right to object to processing
You may object to the processing of your personal information (including profiling) when it is
based upon our legitimate interests. You may also object to the processing of your personal
information for the purposes of direct marketing (including profiling to the extent it relates
to direct marketing) and for the purposes of statistical analysis.
Right to data portability
- You have the right to receive, move, copy or transfer your personal information to a
controller which is also known as ‘data portability’. You have the right to this when we are
processing your personal information based on consent or on a contract and the processing
is carried out by automated means. You should note that this right is different from the right
of access (see above) and the types of information you can obtain under the two separate rights may be different.
policy in the future will be posted on this page, with immediate effect and we will notify you of the change.
CONTACT & COMPLAINTS
protect your privacy, if you have any comments or wish to seek to exercise any of your rights
as outlined above please contact the Data Protection Officer:
By post to The Data Protection Officer, Tappily, PO Box 1515, High Wycombe, HP11 9JE
By email to DPO@tappilymail.co.uk
By telephoning the Data Protection Officer on 0203 819 6410.
- You have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You
can contact the ICO by writing to them at Information Commissioner’s Office Client Services
Team, Wycliffe House, Water Lane, Wilmslow, SK9 5AF telephone 0303 123 1113. www.ico.org.uk/.