Privacy policy

Last updated: 21 August 2024

This policy sets out the basis on which Counting Ltd (“Countingup”, “we”, “us”, “our”) and our financial service partner, Prepay Technologies Ltd, will process any personal data about you that we collect from you or third parties, or that you provide to us, under the Data Protection Act 2018 (including the General Data Protection Regulation (EU) 2016/679 as implemented in the UK (“UK GDPR”), and any replacement statute from time to time (the “DPA”).

Words beginning with a capital letter that are not defined where they first appear in this policy will have the meaning given to them in the applicable Terms for Countingup Customers at https://countingup.com/terms-countingup/, as the case may be (“Service Terms”), which include this policy and govern your use of the Countingup services (“Services”).

1. Details of the Data Controllers

Counting Ltd (trading as ‘Countingup’), company number 10729748, has its registered address at 20-22 Wenlock Road, London, N1 7GU and is registered with the Information Commissioner’s Office with reference number ZA274056.

The details of Prepay Technologies Ltd (our financial services partner) are set out in Annex C to this policy. In addition to the rest of this policy, Annex C is applicable if you apply for or have been issued a Card and/or Account under our Service Terms.

2. Information we collect about you, for what purposes and on what legal basis

In the course of providing the Services, we may collect and process the personal data specified in Annex A, for the relevant purpose and on the relevant legal basis also specified in that Annex.

Where relevant to your application and/or role the Services, we may check your details with a fraud prevention agency/agencies and credit reference agencies and if you give false or inaccurate information and fraud is identified, this will be recorded and may be shared by those agencies with other organisations and us, so that we and those other organisations, including law enforcement agencies and debt collection agencies, may access, use and search these records to check the details provided to us in the course of your job application or employment.

The personal information we have collected from you (specified in Annex A) will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and fraud prevention agencies, and your data protection rights, can be found here (https://countingup.com/cifas-fair-processing-notice/). Please contact us through secure messaging in the app (or by email at support@countingup.com) if you want to receive additional details of the relevant fraud prevention agencies.

More information about credit reference agencies, their role as fraud prevention agencies, the data they hold, for how long, your rights and how they use personal data is available at the following links to each agency’s Credit Reference Agency Information Notice:

Call Credit: www.callcredit.co.uk/crain

Equifax: www.equifax.co.uk/crain

Experian: www.experian.co.uk/crain

Any credit reference agency we search will keep a record of any search, and other financial service providers may use it to assess applications they receive from you in the future.

3. Your rights

Your rights under the DPA and how to exercise them are explained in the table in Annex B to this policy. This policy explains your right of access.

Our Services may, from time to time, contain links to and from the websites of partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

We aim to keep your personal data up-to-date, so please advise us of any changes through secure messaging in the app (or by email at support@countingup.com).

You must notify us through secure messaging in the app (or by email at support@countingup.com) within thirty days if any of any change in your name, residential address, telephone number, e-mail address, or referees’ address, and any other details that we may reasonably consider to be material to our dealings with you.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

4. Disclosure of your information

We will keep your personal data confidential and only disclose it to others for the purposes explained in Annex A to this Policy.

5. Storing and transferring your data

The personal data that we collect will be stored in the UK and may be transferred to, and stored at, a destination inside the European Economic Area (EEA). As we provide an international service your data may be processed outside of the EEA in order for us to fulfil our contract with you to provide the Services. We will need to process your personal data in order for us, for example, to action a request made by you to execute an international payment, process your payment details, carry out anti- money laundering and counter-terrorist financing checks and provide ongoing support services.

Where we have given you (or where you have chosen) a password that enables you to access certain parts of our App and/or our Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised and unlawful access and processing, as well as accidental loss, destruction or damage. We use sophisticated website encryption technology to protect sensitive data that you submit to us online. We use this technology to reduce the risk of your data being intercepted by unauthorised persons during transmission. However, the transmission of information via the Internet or other public networks is not completely secure and, while we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Services and any transmission is at your own risk.

6. Data retention

Your personal data will be stored for the duration of the Service Terms and any other agreement that we have with you, and for such time after that as required by Applicable Law or the limitation period for bringing claims under those agreements.

Countingup is required under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 to retain personal data about you and your transactions for a period of five years from the last transaction or end of the business relationship. We are also under other regulatory obligations to retain your data for a certain amount of time, such as under the Electronic Money Regulations 2011. We will not hold any of your personal data for more than 6 years after the termination of our business relationship, unless we are compelled to do so by a regulatory body or law enforcement agency.

7. Support, Complaints and Our Data Protection Officer

All questions relating to our use of your personal data and your privacy are welcomed and should be addressed to our support team through secure messaging in the app (or by email at support@countingup.com)

You have certain rights under the Data Protection Act and we have explained these and how you may exercise them in section 3 below.

Helpful guidance generally may also be found on Information Commissioner’s Office (“ICO”) website here: https://ico.org.uk/for-the-public/.

We have also appointed a data protection officer, who has a number of important responsibilities in connection with this policy.

You can contact our data protection compliance manager at: legal@countingup.com

You have the right to make a complaint about our collection or use of your personal data at any time to the Information Commissioner’s Office (ICO) at www.ico.org.uk. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance at support@countingup.com.

8. Changes to Privacy Policy

We may make changes to this policy on the same basis as changes to the Service Terms.

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email (or SMS). The new terms may be displayed on-screen and you may be required to read and accept them to continue your use of the App or the Services.

9. Cookies

This section sets out our policy on cookies and any personal data collected by us through their use (“Cookie Policy”).

What are cookies?

Cookies are data files containing small amounts of information which are downloaded to the device or browser you use when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website which recognises that cookie.

Please note that we can also collect information about Service usage from data contained in “log files” from third parties. Log files are not cookies; they do not contain any personal data; and they are not used to identify your personal use of the Service. When you request any web page from the Service, web servers automatically obtain your domain name and IP address, but they reveal nothing personal about you and that data is only used to examine Service traffic in aggregate, to investigate abuse of the Service and its users, and/or to cooperate with law enforcement. Such data is not disseminated to third parties, except in aggregate.

How do we use cookies?

We use cookies in order to ensure our Services function correctly and to improve our understanding of how they are used in order to make improvements. Cookies cannot harm your computer or other device.

What cookies do we use?

Firstly, we explain what each type is and then below, we have stated which types we actually use. In general, there are four different types of cookies.

Necessary cookies: those required for the operation of our Services, which do not gather information about you that could be used for marketing or remembering where you have been on the internet.
Analytical/performance cookies: these allow us to collect information about how you use our Services, such as, how you move around our website and if you experience any errors. These cookies do not collect personal data. The information collected is anonymous and is only used to help us improve the way the Services work, understand what interests our users generally and measure how effective our advertising is. Some of the performance cookies we use are issued as part of services provided by third parties, like Google Analytics.
Functionality cookies: these are used to provide services or to recognise you when you return to our website, for example. These would enable us to personalise our content for you, greet you by name and remember your preferences and improve your visit.
Targeting cookies: these record your visit to the Service, the pages you have visited and the links you have followed. They are linked to services provided by third parties, such as “Like” and “Share” buttons. The third party provides these services in return for recognising that you have visited our website and are subject to the privacy policy of the third party who set them (e.g. a social media or network service). The third party may subsequently use information about your visit to target advertising to you on other websites and present you with advertisements that you may be interested in.

How do I manage my cookie settings

Please note that configuring your computer and/or mobile browser to reject ‘necessary’, ‘performance’ or ‘functional’ cookies may severely impact your experience on our website and some parts of our Services will not function at all.

All browsers provide tools that allow you to control how you handle cookies: accept, reject or delete them. These settings are normally accessed via the ‘settings’, ‘preferences’ or ‘options’ menu of the browser you are using, but you could also look for a ‘help’ function or contact the browser provider. To manage your cookies, please go to your web browser settings for example to edit Chrome cookie settings you can use this link (chrome://settings/).

You should check the privacy policy and tools provided by any third party service you may use that set Targeting cookies on your browser or device.

10. General

This Privacy Policy shall be governed by and construed in accordance with English law and the parties agree that the courts of England shall have exclusive jurisdiction to decide any dispute arising under it, except that you may bring proceedings in the courts of Northern Ireland or Scotland if you are resident in either of those jurisdictions.

Annex A

Personal data collected	Purpose	Basis for processing (lettering aligned to GDPR regulations where relevant)
a) Information you give us “Submitted Information”: This is information you give us about you by filling in forms or on the App and/or the Site, including information and images you may upload, or by corresponding with us (for example, by e-mail or). It includes information you provide when you register for an account, subscribe to any of our services, enter into any transaction, participate in discussion boards or other social media functions, enter a competition, promotion or survey and when you report a problem with your account, the Services, or the Site. If you contact us, we will keep a record of that correspondence, and may use redacted information for other services. The information you give us may include your name, address, date of birth, e-mail address, phone number, username, password and other registration information, financial, details of your account including the bank account number, sort code, IBAN, details of your debit and credit cards including the long number, relevant expiry dates and CVC, identification document numbers, copies of identification documents (for example, passport, driving licence and utility bill) personal description and photograph and any other information you provide us in order to prove your eligibility to use our Services. b) transaction information including date, time, amount, currencies used, exchange rate, beneficiary details, details and location of the merchant or ATMs associated with the transaction, IP address of sender and receiver, sender’s and receiver’s name and registration information, messages sent or received with the payment, device information used to facilitate the payment and the payment instrument used; c) details of your transaction relating to your use of our services, including who you have sent money or electronic money to, foreign exchange transactions you have entered into, the time, date and location of the place the transaction was entered into. d) location Information. We use GPS technology and your IP address to determine your location – this may be used when the App is running in the foreground and the background of your Device. This is used to prevent fraud, for instance if your mobile device is saying that you are based in the UK, but your card is being used to enter into an ATM Withdrawal or point of sale purchase in Spain, we may not allow that transaction to be processed. Our card protection and fraud-prevention measures require this personal data for the feature to work.	to manage and administer the Services; to enable you to use the Services; to deal with enquiries, complaints and feedback from you; To give you any notices under any agreement with you; To keep you informed about your relationship with us; To update our records; To identify, prevent, detect or tackle fraud, money laundering and other crime; To carry out checks required by applicable regulation or regulatory guidance; To carry out our obligations arising from and exercise our rights under, any agreements between you and either of us or other users of the Service; To check any instructions given to us, for training purposes, for crime prevention and to improve the quality of our customer service. For the above purposes, each of we may disclose your personal data to any member of our group, which means our subsidiaries, in any part of the EEA or elsewhere. To disclose to third parties: If it is under a duty to disclose or share your personal data in order to comply with any legal obligation; To enforce this Privacy Policy or any other agreement with you; to a credit reference agency to check your identity and to prevent fraud, (it will also keep a record of your request and use it whenever anyone applies to be authenticated in your name); to our banking and financial service providers, card manufacturing, personalization and delivery service providers agents and subcontractors, acting for the purpose of operating the Services; to debt collectors and other third parties to trace you and recover any debt; to provide a unified service across all of our products and services, we may disclose your personal information to any member of the Countingup group, which means any of our subsidiaries or related entities. Companies in the Countingup group will be acting as joint controllers or processors in order to provide the Countingup Services; In the event that we sell any business or assets, in which case it may disclose your personal data to the prospective seller or buyer of such business or assets; To protect the rights, property, or safety of us, our customers, or others (which includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction); To investigate, prevent or detect fraud or carry out checks against money laundering; For audit purposes and to meet obligations to any relevant regulatory authority or taxing authority.	‘b’ processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract; ‘c’ processing is necessary for compliance with a legal obligation to which we are subject; ‘f’ processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
Information we collect about you and your Device. Each time you visit the App or our Site we will automatically collect the following information: (a) technical information, including the internet protocol (IP) address used to connect your computer or Device to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, Device information and the type of mobile device you use, a unique Device identifier (for example, your Device’s IMEI number, the MAC address of the Device’s wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting “Device Information”; (b) information about your visit, including the full uniform resource locators (URL), clickstream to, through and from our site (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse overs), methods used to browse away from the page, device information; (c) information stored on your Device, including if you allow Countingup to access contact information from your address book, login information, photos, videos or other digital content, check ins (Content Information). The App will periodically recollect this information in order to stay up-to-date;	To identify, prevent, detect or tackle fraud, money laundering and other crime; to prevent your Countingup Card being used fraudulently; to improve your browsing experience by personalising the Services; To develop and improve the Service; To ensure that content on the Services is presented in the most effective manner for you and for your computer; To disclose to third parties: To comply with a current judicial proceeding, a court order or legal process served on us or our Services, any request by any regulator who may have jurisdiction over us from time to time or for audit purposes and to meet obligations to any relevant regulatory authority or taxing authority; To enforce this Privacy Policy or other agreement with you;	‘b’ processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract; ‘f’ processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
We may make and retain copies of passports or other identification evidence that you provide for anti-money laundering and anti-fraud purposes;	To carry out checks required by applicable regulation or regulatory guidance; To disclose to third parties: To comply with a current judicial proceeding, a court order or legal process served on us or our Services, any request by any regulator who may have jurisdiction over us from time to time or for audit purposes and to meet obligations to any relevant regulatory authority or taxing authority; To enforce this Privacy Policy or other agreement with you; to a credit reference agency to check your identity and to prevent fraud, (it will also keep a record of your request and use it whenever anyone applies to be authenticated in your name);	‘b’ processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract; ‘c’ processing is necessary for compliance with a legal obligation to which we are subject; ‘f’ processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
Information about your physical or mental health or condition (where necessary and appropriate to comply with regulatory requirements relating to customers with such conditions)	to meet our employment and related regulatory obligations; to manage and administer the Services; to enable you to use the Services; To disclose to third parties for: To comply with a current judicial proceeding, a court order or legal process served on us or our Services, any request by any regulator who may have jurisdiction over us from time to time or for audit purposes and to meet obligations to any relevant regulatory authority or taxing authority; To enforce this Privacy Policy or any other agreement with you; to agents and subcontractors, acting for us, to use for the purpose of operating the Services; to debt collectors and other third parties to trace you and recover any debt;	processing is necessary for the establishment, exercise or defence of legal claims; An exemption under the Act also applies to records of our intentions in relation to any negotiations with you to the extent that the provisions would be likely to prejudice those negotiations.
Marketing Submitted Information, Location Information or transaction information) Records of any surveys that you may be asked to complete, your responses and related details;	To provide you with information, products or services that you request or which we decides may interest you; For statistical analysis; To identify which elements of the Services or other products might interest you; If we decide to engage advertisers to promote our products and services, the advertisers and their advertising networks may require anonymised personal data to serve relevant adverts to you and others. We will never disclose identifiable information about individuals to advertisers, but we may provide them with aggregate information about our users. We may also use such aggregate information to help our advertising partners provide a tailored and targeted campaign, relevant for a sub-section of our users (for example, women in Manchester). In some instances, we may use personal data we have collected from you to enable our advertising partners to display their advertisement to their target audience; We also use analytics and search engine providers that assist us in the improvement and optimisation of our site;	With your consent You will receive marketing communications from us if you have signed up to and/or utilise the Countingup Services and, in each case, you have not opted out of receiving marketing notifications. Third-party Marketing: We will obtain your express opt-in consent before we share your personal data with any company outside the Countingup group of companies for marketing or promotional purposes. Opting Out: You can ask us or third parties to stop sending you marketing messages at any time by adjusting your marketing preferences by following the unsubscribe links on any marketing message sent to you.
Information related to any interactions with third parties connected to your account, whether directly or indirectly enabled by us or you. This includes but is not limited to any accounting, tax, bookkeeping or financial services providers, such as your accountant, Sleek, Iwoca and Superscript. This may include some of the “Submitted Information”, transaction information, Location Information, Device information and Identification information described elsewhere in this table	to manage and administer the Services; to enable you to use the Services; to deal with enquiries, complaints and feedback from you; To give you any notices under any agreement with you; To keep you informed about your relationship with us; To update our records; To identify, prevent, detect or tackle fraud, money laundering and other crime; To carry out checks required by applicable regulation or regulatory guidance; To carry out our obligations arising from and exercise our rights under, any agreements between you and either of us or other users of the Service; To check any instructions given to us, for training purposes, for crime prevention and to improve the quality of our customer service. To enable you to use any third party Services, including where these interpret your information or data to provide quality and accurate services to you	for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract; ‘c’ processing is necessary for compliance with a legal obligation to which we are subject; ‘f’ processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

Personal data collected

Purpose

Basis for processing

(lettering aligned to GDPR regulations where relevant)

a) Information you give us “Submitted Information”: This is information you give us about you by filling in forms or on the App and/or the Site, including information and images you may upload, or by corresponding with us (for example, by e-mail or). It includes information you provide when you register for an account, subscribe to any of our services, enter into any transaction, participate in discussion boards or other social media functions, enter a competition, promotion or survey and when you report a problem with your account, the Services, or the Site. If you contact us, we will keep a record of that correspondence, and may use redacted information for other services. The information you give us may include your name, address, date of birth, e-mail address, phone number, username, password and other registration information, financial, details of your account including the bank account number, sort code, IBAN, details of your debit and credit cards including the long number, relevant expiry dates and CVC, identification document numbers, copies of identification documents (for example, passport, driving licence and utility bill) personal description and photograph and any other information you provide us in order to prove your eligibility to use our Services.

b) transaction information including date, time, amount, currencies used, exchange rate, beneficiary details, details and location of the merchant or ATMs associated with the transaction, IP address of sender and receiver, sender’s and receiver’s name and registration information, messages sent or received with the payment, device information used to facilitate the payment and the payment instrument used;

c) details of your transaction relating to your use of our services, including who you have sent money or electronic money to, foreign exchange transactions you have entered into, the time, date and location of the place the transaction was entered into.

d) location Information. We use GPS technology and your IP address to determine your location – this may be used when the App is running in the foreground and the background of your Device. This is used to prevent fraud, for instance if your mobile device is saying that you are based in the UK, but your card is being used to enter into an ATM Withdrawal or point of sale purchase in Spain, we may not allow that transaction to be processed. Our card protection and fraud-prevention measures require this personal data for the feature to work.

to manage and administer the Services;
to enable you to use the Services;
to deal with enquiries, complaints and feedback from you;
To give you any notices under any agreement with you;
To keep you informed about your relationship with us;
To update our records;
To identify, prevent, detect or tackle fraud, money laundering and other crime;
To carry out checks required by applicable regulation or regulatory guidance;
To carry out our obligations arising from and exercise our rights under, any agreements between you and either of us or other users of the Service;
To check any instructions given to us, for training purposes, for crime prevention and to improve the quality of our customer service.

For the above purposes, each of we may disclose your personal data to any member of our group, which means our subsidiaries, in any part of the EEA or elsewhere.

To disclose to third parties:

If it is under a duty to disclose or share your personal data in order to comply with any legal obligation;
To enforce this Privacy Policy or any other agreement with you;
to a credit reference agency to check your identity and to prevent fraud, (it will also keep a record of your request and use it whenever anyone applies to be authenticated in your name);
to our banking and financial service providers, card manufacturing, personalization and delivery service providers agents and subcontractors, acting for the purpose of operating the Services;
to debt collectors and other third parties to trace you and recover any debt;
to provide a unified service across all of our products and services, we may disclose your personal information to any member of the Countingup group, which means any of our subsidiaries or related entities. Companies in the Countingup group will be acting as joint controllers or processors in order to provide the Countingup Services;
In the event that we sell any business or assets, in which case it may disclose your personal data to the prospective seller or buyer of such business or assets;
To protect the rights, property, or safety of us, our customers, or others (which includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction);
To investigate, prevent or detect fraud or carry out checks against money laundering;
For audit purposes and to meet obligations to any relevant regulatory authority or taxing authority.

‘b’ processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;

‘c’ processing is necessary for compliance with a legal obligation to which we are subject;

‘f’ processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

Information we collect about you and your Device. Each time you visit the App or our Site we will automatically collect the following information:

(a) technical information, including the internet protocol (IP) address used to connect your computer or Device to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, Device information and the type of mobile device you use, a unique Device identifier (for example, your Device’s IMEI number, the MAC address of the Device’s wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting “Device Information”;

(b) information about your visit, including the full uniform resource locators (URL), clickstream to, through and from our site (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse overs), methods used to browse away from the page, device information;

(c) information stored on your Device, including if you allow Countingup to access contact information from your address book, login information, photos, videos or other digital content, check ins (Content Information). The App will periodically recollect this information in order to stay up-to-date;

To identify, prevent, detect or tackle fraud, money laundering and other crime;
to prevent your Countingup Card being used fraudulently;
to improve your browsing experience by personalising the Services;
To develop and improve the Service;
To ensure that content on the Services is presented in the most effective manner for you and for your computer;

To disclose to third parties:

To comply with a current judicial proceeding, a court order or legal process served on us or our Services, any request by any regulator who may have jurisdiction over us from time to time or for audit purposes and to meet obligations to any relevant regulatory authority or taxing authority;
To enforce this Privacy Policy or other agreement with you;

‘b’ processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;

‘f’ processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

We may make and retain copies of passports or other identification evidence that you provide for anti-money laundering and anti-fraud purposes;

To carry out checks required by applicable regulation or regulatory guidance;

To disclose to third parties:

To comply with a current judicial proceeding, a court order or legal process served on us or our Services, any request by any regulator who may have jurisdiction over us from time to time or for audit purposes and to meet obligations to any relevant regulatory authority or taxing authority;
To enforce this Privacy Policy or other agreement with you;
to a credit reference agency to check your identity and to prevent fraud, (it will also keep a record of your request and use it whenever anyone applies to be authenticated in your name);

‘b’ processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;

‘c’ processing is necessary for compliance with a legal obligation to which we are subject;

‘f’ processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

Information about your physical or mental health or condition (where necessary and appropriate to comply with regulatory requirements relating to customers with such conditions)

to meet our employment and related regulatory obligations;
to manage and administer the Services;
to enable you to use the Services;

To disclose to third parties for:

To comply with a current judicial proceeding, a court order or legal process served on us or our Services, any request by any regulator who may have jurisdiction over us from time to time or for audit purposes and to meet obligations to any relevant regulatory authority or taxing authority;
To enforce this Privacy Policy or any other agreement with you;
to agents and subcontractors, acting for us, to use for the purpose of operating the Services;
to debt collectors and other third parties to trace you and recover any debt;

processing is necessary for the establishment, exercise or defence of legal claims;

An exemption under the Act also applies to records of our intentions in relation to any negotiations with you to the extent that the provisions would be likely to prejudice those negotiations.

Marketing

Submitted Information, Location Information or transaction information)

Records of any surveys that you may be asked to complete, your responses and related details;

To provide you with information, products or services that you request or which we decides may interest you;
For statistical analysis;
To identify which elements of the Services or other products might interest you;
If we decide to engage advertisers to promote our products and services, the advertisers and their advertising networks may require anonymised personal data to serve relevant adverts to you and others. We will never disclose identifiable information about individuals to advertisers, but we may provide them with aggregate information about our users. We may also use such aggregate information to help our advertising partners provide a tailored and targeted campaign, relevant for a sub-section of our users (for example, women in Manchester). In some instances, we may use personal data we have collected from you to enable our advertising partners to display their advertisement to their target audience; We also use analytics and search engine providers that assist us in the improvement and optimisation of our site;

With your consent

You will receive marketing communications from us if you have signed up to and/or utilise the Countingup Services and, in each case, you have not opted out of receiving marketing notifications.

Third-party Marketing: We will obtain your express opt-in consent before we share your personal data with any company outside the Countingup group of companies for marketing or promotional purposes.

Opting Out: You can ask us or third parties to stop sending you marketing messages at any time by adjusting your marketing preferences by following the unsubscribe links on any marketing message sent to you.

Information related to any interactions with third parties connected to your account, whether directly or indirectly enabled by us or you. This includes but is not limited to any accounting, tax, bookkeeping or financial services providers, such as your accountant, Sleek, Iwoca and Superscript. This may include some of the “Submitted Information”, transaction information, Location Information, Device information and Identification information described elsewhere in this table

to manage and administer the Services;
to enable you to use the Services;
to deal with enquiries, complaints and feedback from you;
To give you any notices under any agreement with you;
To keep you informed about your relationship with us;
To update our records;
To identify, prevent, detect or tackle fraud, money laundering and other crime;
To carry out checks required by applicable regulation or regulatory guidance;
To carry out our obligations arising from and exercise our rights under, any agreements between you and either of us or other users of the Service;
To check any instructions given to us, for training purposes, for crime prevention and to improve the quality of our customer service.
To enable you to use any third party Services, including where these interpret your information or data to provide quality and accurate services to you

for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;

‘c’ processing is necessary for compliance with a legal obligation to which we are subject;

‘f’ processing is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

Annex B: Your rights

Your rights and how to exercise them	Exception
Right of Access: To obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) of the GDPR and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. How to exercise: This Privacy Policy provides confirmation of the details required in relation to your right of access. Under the DPA, you have a right to access certain personal records that we hold about you. Any access request may be subject to a fee to meet our costs (as the case may be) in providing you with details of the information they hold about you if the request is unfounded or excessive. If you wish to exercise this right, then please reach out to our support team via the in-App chat function or support@countingup.com.
Right to rectification: to obtain from us without undue delay the rectification of inaccurate personal data concerning you. We must communication to each recipient to whom the rectified personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We shall inform the data subject about those recipients if the data subject requests it. You can exercise the right at any time by contacting us at support@countingup.com.
Right to erasure: to obtain from us the erasure of personal data concerning you without undue delay where: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (c) you object to the processing based on legitimate interest where there are no overriding legitimate grounds for the processing; (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation to which we are subject. We must communication to each recipient to whom the erased personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We shall inform the data subject about those recipients if the data subject requests it. You can exercise the right at any time by contacting us at support@countingup.com.	Processing is necessary for: ‘b’ compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; or ‘e’ the establishment, exercise or defence of legal claims. Where we are not able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. For example, as an FCA authorised firm, Countingup is under certain obligations to retain certain data for a minimum of 6 years (see above). Please note that these retention requirements supersede any right to erasure requests under applicable data protection laws.
Right to request the restriction of processing concerning you: to obtain from us restriction of processing where: (a) the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data; (b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead; (c) we no longer need the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims; (d) you object to the processing based on legitimate interest pending the verification whether our legitimate grounds override yours. We must communication to each recipient to whom the restricted personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We shall inform the data subject about those recipients if the data subject requests it. You can exercise the right at any time by contacting us at support@countingup.com.	Where processing has been restricted under this right, such personal data shall, with the exception of storage, only be processed: (a) with your consent; or (b) for the establishment, exercise or defence of legal claims; or (c) for the protection of the rights of another natural or legal person; or (d) for reasons of important public interest of the Union or of a Member State. Please note that any requests in relation to the restriction of the processing of your data means that we may not be able to perform the contract we have or are trying to enter into with you (including the Countingup Services). In this case, we may have to cancel your use of the Countingup Services, but we will notify you if this is the case at the time.
The right to data portability: to receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where: (a) the processing is based on consent or is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract; and (b) the processing is carried out by automated means. You have the right to have the personal data transmitted directly from us to another controller, where technically feasible. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to the right to erasure. If you wish to exercise this right, then please reach out to our support team via the in-App chat function or email support@countingup.com.	That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
The right to object to processing: to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on processing necessary for the purposes of the legitimate interests pursued by us or a third party (except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data), including profiling. You can exercise the right at any time by contacting us at support@countingup.com.	Where: (a) we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject; or (b) for the establishment, exercise or defence of legal claims. If you object to the processing of certain data, then we may not be able to provide the Countingup Services and it is likely we will have to terminate your account.
The right to ask us not to process your personal data for direct marketing purposes: to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. You have the right to ask us not to process your personal data for marketing purposes. Each of we will usually inform you (before collecting your data) if it intends to use your data for such purposes or if it intends to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms used to collect your data. You can also exercise the right at any time by contacting us at support@countingup.com.
The right not to be subject to automated individual decision-making, including profiling: to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. You can exercise the right at any time by contacting us at support@countingup.com.	If the decision: (a) is necessary for entering into, or performance of, a contract between you and us; (b) is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (c) is based on the data subject’s explicit consent. In the cases referred to in points (a) and (c) we shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on our part, to express his or her point of view and to contest the decision.

Your rights and how to exercise them

Exception

Right of Access: To obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) of the GDPR and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

How to exercise: This Privacy Policy provides confirmation of the details required in relation to your right of access.

Under the DPA, you have a right to access certain personal records that we hold about you. Any access request may be subject to a fee to meet our costs (as the case may be) in providing you with details of the information they hold about you if the request is unfounded or excessive.

If you wish to exercise this right, then please reach out to our support team via the in-App chat function or support@countingup.com.

Right to rectification: to obtain from us without undue delay the rectification of inaccurate personal data concerning you.

We must communication to each recipient to whom the rectified personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

We shall inform the data subject about those recipients if the data subject requests it.

You can exercise the right at any time by contacting us at support@countingup.com.

Right to erasure: to obtain from us the erasure of personal data concerning you without undue delay where:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(c) you object to the processing based on legitimate interest where there are no overriding legitimate grounds for the processing;
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation to which we are subject.

We must communication to each recipient to whom the erased personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

We shall inform the data subject about those recipients if the data subject requests it.

You can exercise the right at any time by contacting us at support@countingup.com.

Processing is necessary for:

‘b’ compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; or

‘e’ the establishment, exercise or defence of legal claims.

Where we are not able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. For example, as an FCA authorised firm, Countingup is under certain obligations to retain certain data for a minimum of 6 years (see above). Please note that these retention requirements supersede any right to erasure requests under applicable data protection laws.

Right to request the restriction of processing concerning you: to obtain from us restriction of processing where:

(a) the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
(b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
(c) we no longer need the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims;
(d) you object to the processing based on legitimate interest pending the verification whether our legitimate grounds override yours.

We must communication to each recipient to whom the restricted personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

We shall inform the data subject about those recipients if the data subject requests it.

You can exercise the right at any time by contacting us at support@countingup.com.

Where processing has been restricted under this right, such personal data shall, with the exception of storage, only be processed:

(a) with your consent; or
(b) for the establishment, exercise or defence of legal claims; or
(c) for the protection of the rights of another natural or legal person; or
(d) for reasons of important public interest of the Union or of a Member State.

Please note that any requests in relation to the restriction of the processing of your data means that we may not be able to perform the contract we have or are trying to enter into with you (including the Countingup Services). In this case, we may have to cancel your use of the Countingup Services, but we will notify you if this is the case at the time.

The right to data portability: to receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where:

(a) the processing is based on consent or is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract; and
(b) the processing is carried out by automated means.

You have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to the right to erasure.

If you wish to exercise this right, then please reach out to our support team via the in-App chat function or email support@countingup.com.

That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

The right to object to processing: to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on processing necessary for the purposes of the legitimate interests pursued by us or a third party (except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data), including profiling.

You can exercise the right at any time by contacting us at support@countingup.com.

Where:

(a) we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject; or
(b) for the establishment, exercise or defence of legal claims.

If you object to the processing of certain data, then we may not be able to provide the Countingup Services and it is likely we will have to terminate your account.

The right to ask us not to process your personal data for direct marketing purposes: to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

You have the right to ask us not to process your personal data for marketing purposes. Each of we will usually inform you (before collecting your data) if it intends to use your data for such purposes or if it intends to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms used to collect your data.

You can also exercise the right at any time by contacting us at support@countingup.com.

The right not to be subject to automated individual decision-making, including profiling: to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

You can exercise the right at any time by contacting us at support@countingup.com.

If the decision:

(a) is necessary for entering into, or performance of, a contract between you and us;
(b) is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(c) is based on the data subject’s explicit consent.

In the cases referred to in points (a) and (c) we shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on our part, to express his or her point of view and to contest the decision.

Annex C

About Prepay Technologies Ltd (our financial services partner)

This section is applicable if you apply for or have been issued a Card and/or Account which is regulated as E-Money or Payment Services (refer to our Terms and Conditions for definitions).

Our financial services partner, Prepay Technologies Ltd, trading as PrePay Solutions (“PPS”, “Our” and “We”) is a company registered in England and Wales with number 04008083 and a registered office at 6th Floor, 3 Sheldon Square, Paddington, London, W2 6HY, United Kingdom. You can email PPS at contact@prepaysolutions.com or you can call PPS on 0845 303 5303 (+44 845 303 5303 from outside the UK).

The Card and/or Account (Card) is issued by PPS (see details below). PPS is the Data Controller in relation to your Card and all necessary activities relating to the operation of the Card: allowing you to receive, activate and use your Card (activating, managing and using your online account where applicable, making and receiving payment transactions, meeting legal requirements, answering requests, providing information to you).

You may be the Customer or you may be a person that has been provided with a Card by the Customer.

Contact details for the PPS Data Protection Officer

Our Data Protection Officer can be contacted at PO Box 3883, Swindon SN3 9EA or at DPO@prepaysolutions.com.

The purposes and legal basis for processing your personal information

Processing is necessary for the performance of your contract with PPS and for the issue and operation of Cards and is necessary for compliance with legal obligations applicable to PPS. PPS does not use your personal information for marketing purposes and will not share your information with third parties for marketing purposes.

Categories of personal information and collection

Personal Details: Full name and date of birth
Contact Details: Where you live and how to contact you including phone numbers and e-mail addresses
Transactional Data: Details about use of your Countingup Card and payments to and from your accounts with us
Contractual Information: Details about the products or services we provide to you
Locational Data: Data PPS collects about your location, such as data from your mobile phone, the address where you connect a computer to the internet, or a shop where you buy something with your Countingup Card.
Behavioural Data: Details about how you use Countingup’s products and services.
Technical Data: Details on the devices and technology you use
Communications What we learn about you from letters, emails and conversations between us.
Communications: What PPS learns about you from letters, emails and conversations between you, them and/or Countingup.
Documentary Data: Details about you that are stored in documents in various formats, or copies of them. This could include things like your passport, drivers licence or birth certificate collected to fulfil customer due diligence requirements.

Personal information will only be collected directly and voluntarily from you as part of the application process or as a result of transactions relating to your Countingup Cards. Some personal information may be verified by PPS with use of publicly accessible sources to fulfil customer due diligence.

Sending personal information outside of the EEA

PPS will only send your personal information outside of the European Economic Area (EEA) to:

Follow your instructions
Comply with a legal duty

In relation to personal information processed by Mastercard, certain processors are located outside of Europe. Personal information processed by Mastercard is subject to Mastercard Binding Corporate Rules which you have enforcement rights under as a third-party beneficiary.

Recipients (or categories of recipients) of personal information

PPS is committed to ensuring that your information is secure and with third parties who act on our behalf. These third parties include Mastercard, card manufacturers, suppliers of identity validation services, IVR and call recording (telephone) suppliers and Countingup. PPS uses many tools to make sure that your information remains confidential and accurate and may monitor or record calls, emails, text messages or other communications in order to protect you and them.

Retention of personal information

PPS will not keep your information for longer than it is needed, which is usually up to 7 years in the United Kingdom and up to 10 years in the EEA after the end of the relationship or upon termination of the contract, unless required to keep it longer (for example due to a court order or investigation by law enforcement agencies or regulators).

Your Rights

You have certain legal rights to control what PPS does with your information. These include:

Access: You have a right to access the personal information PPS holds about you
Rectification: You have a right to rectification of inaccurate personal information and to update incomplete personal information
Erasure: You have a right to request that PPS deletes your personal information (where applicable – see ‘Retention of personal information’ above, as well as Article 17 3(b) of the Act)
Restriction on processing: You have a right to request PPS to restrict the processing of your personal information
Objection to processing: You have a right to object to the processing of your personal information
Portability: You have a right to personal information portability
Marketing: You have a right to object to direct marketing

To exercise any of your legal rights, you can email PPS at dpo@prepaysolutions.com or you can write to PPS DPO at PO Box 3883, Swindon SN3 9EA.

Privacy policy

1. Details of the Data Controllers

2. Information we collect about you, for what purposes and on what legal basis

3. Your rights

4. Disclosure of your information

5. Storing and transferring your data

6. Data retention

7. Support, Complaints and Our Data Protection Officer

8. Changes to Privacy Policy

9. Cookies

10. General

Annex A

Annex B: Your rights

Annex C

Contact details for the PPS Data Protection Officer

The purposes and legal basis for processing your personal information

Categories of personal information and collection

Sending personal information outside of the EEA

Recipients (or categories of recipients) of personal information

Your Rights

Company

Products and Services

Help and Support