This policy (together with any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting or using “our site” (the Countingup mobile application, and/or the website countingup.com), you are accepting and consenting to the practices described in this policy.
For the purpose of the Data Protection Act 2018 (the “Act”), we are the data controller. Please note that our financial services partner, PPS, is a separate Data Controller.
Who we are
Multi-award-winning Counting Ltd, backed by Sage and ING Bank, designs and operates the Countingup websites and app, offering an electronic money (‘e-money’) business current account with innovative built-in accounting software. Prepay Technologies Ltd trading as PPS is the e-money issuer of your business current account and Counting Ltd is a registered Agent of PPS. PPS is authorised and regulated by the Financial Conduct Authority under the Electronic Money Regulations 2011 (FRN 900010) for the issuance of electronic money and protects customers against its insolvency by safeguarding an amount equivalent to the money held in Countingup’s e-money business current accounts. The Countingup card is an electronic money product issued by PPS pursuant to a licence by Mastercard® International Incorporated.
Counting Ltd is registered with the Information Commissioner’s Office (ICO).
Our registration reference is ZA274056.
Information we may collect from you
We may collect and process the following data about you:
Information you give us: You may give us information about you by filling in forms on our site or by corresponding with us by phone, e-mail or otherwise. This includes information/documentation you provide when you register to use our site or update when using our site, subscribe to our service, post material on our site, carry out transactions or make payments through our site, report problems with our site or carry out any other activities on our site. The information you give us may include:
- your name (current and, where applicable, previous)
- your date of birth
- your address (current and, where applicable, previous)
- your email address (current and, where applicable, previous)
- your phone number (current and, where applicable, previous)
- financial and credit card information and other personal information (including – where applicable – copy/copies of your ID document(s), selfie(s), address document(s) and/or any other document shared with us during the application process and/or during/after accessing our services)
- any information you volunteer during our communications with you
- any permissions, consents or preferences that you give us
Information we proactively collect: With regard to each of your visits to our site we may automatically collect the following information:
- technical information, including the Internet protocol (IP) address used to connect to our site using the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
- information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.
- information about your usage of our products and services
- information about you or business which is available publicly
Information we receive from other sources: We may receive information about you if you use any of the other websites we operate or the other services we provide. We are also working closely with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
- Strictly necessary cookies. These are cookies that are required for the operation of our site. They include, for example, cookies that enable you to log into secure areas of our site.
- Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our site works, for example, by ensuring that users are finding what they are looking for easily.
You can block all cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
Uses made of the information
We use information held about you in the following ways:
Information you give to us. We will use this information:
- to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
- to provide you with information about other goods and services we offer that compliment or are similar to those you have already purchased or enquired about;
- to provide you, or permit selected third parties to provide you, with information about goods or services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about goods and services we provide which are similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, and where we permit (only if you have consented to this) selected third parties to use your data, we (or they) will contact you by electronic means. If you want us to use your data in this way, or pass your details on to third parties for marketing purposes, please tick the relevant box situated on the form on which we collect your data during your application, or update your preferences in the app;
- to notify you about changes to our service; and
- to ensure that content from our site is presented in the most effective manner for you and for your computer.
Information we collect about you. We will use this information:
- to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our site to ensure that content is presented in the most effective manner for you and for your computer;
- to allow you to participate in interactive features of our service, when you consented to do so;
- as part of our efforts to keep our site safe and secure;
- to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and
- to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.
Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
Lawful basis for processing personal data
Depending on the processing activity, we rely on the following lawful basis for processing personal data under the GDPR (and/or UK equivalent):
- Article 6(1)(a) where you have consented to the processing of personal data for one or more specific purposes.
- Article 6(1)(b) when the processing of personal data is necessary for the performance of your contract(s) with us.
- Article 6(1)(c) and Article 17 3(b) so we can comply with our legal obligations (such as those listed in the ‘Retention of personal information’ section below).
- Article 6(1)(d) and Article 9(2)(c) in order to protect your vital interests or those of another person where you are incapable of giving your consent (generally with law enforcement in an emergency).
- Article 6(1)(e) when the processing of personal data is necessary for the performance of a task carried out in the public interest (for example, if it is necessary to protect your economic well-being if you are at risk, and seeking consent might be unreasonable or negatively impact our ability to help you).
- Article 6(1)(f) for the purposes of legitimate interest (for example, to improve our products and/or services).
Retention of personal information
As a regulated financial institution, we are required to continuously screen/monitor applications/applicants/accounts/account holders and any linked person(s) or business(es) (under – but not limited to – Part 3 of the UK Money Laundering Regulations 2017).
The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018.
The key principles, rights and obligations remain the same.
We do not keep your information for longer than we need to, which is usually up to 7 years after the termination of any existing contract or the completion of any application (regardless of its outcome) unless we are required to keep it longer (for example due to a court order or investigation by law enforcement agencies or regulators).
We do this in order to comply with UK GDPR requirements (see below for additional information) such as:
- Article 17 3(b) where Paragraphs 1 and 2 do not apply to the extent that processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Article 6 1(c) where processing is identified as lawful only if and to the extent that processing is necessary for compliance with a legal obligation to which the controller is subject.
We are also required to comply with the requirements of the Proceeds of Crime Act 2002 and report to/liaise with/assist the relevant authorities when/where required/applicable.
We do this continuously as well as retrospectively, which is why any data provided to us is retained for a maximum of 7 years.
Amongst other requirements, retaining data for these purposes allows us to better align with a risk-based approach as recommended by the Financial Action Task Force and protect prospective/existing/previous customers, as well as our internal operations.
Disclosure of your information
We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006
We may share your information with selected third parties including:
- Business partners, suppliers and subcontractors for the performance of any contract we enter into with them or you;
- Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others (if you have consented to this);
- Analytics and search engine providers that assist us in the improvement and optimisation of our site and services; and
- Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.
We may disclose your personal information to third parties:
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
- If we, or substantially all of our assets, are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets; and
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply any agreements between you; or to protect the rights, property, or safety of us, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud and/or money-laundering protection and credit risk reduction.
Where we store your personal data
The data that we collect from you may be transferred to, and stored at, destinations located outside the European Economic Area (“EEA”) where privacy laws offer the same protection as those of the UK or the EEA, or if we have agreed to standard data protection clauses approved by the European Commission with the relevant organisation. It may also be processed by staff operating outside the UK/EEA who work for us or for one of our suppliers.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share such a password with anyone and decline any liability or loss resulting from failing to meet this request.
Unfortunately, the transmission of information via the internet is not entirely secure. Although we will do our best to protect it, we cannot guarantee the security of personal data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
If you no longer wish to receive emails unrelated to our core services, there is an unsubscribe link located in the footer of all emails that we send and you can set your preferences in our site.
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
- Right of access: The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request is free of charge and will be completed within 30 days. We may charge a £10.00 fee for the administrative costs of complying with your request if it is found to be manifestly excessive; or you request additional copies of your data.
- Right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
- Right to erasure: You have the right to ask us to erase your personal information (where applicable – see ‘Retention of personal information’ above, as well as Article 17 3(b) of the UK GDPR).
- Right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.
- Right to object to processing: You have the right to object to processing if we are processing your information for a task carried out in the public interest, for the exercise of official authority, for our legitimate interests, for scientific or historical research, or statistical purposes or for direct marketing purposes.
- Right to data portability: This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at firstname.lastname@example.org.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
If you choose not to volunteer personal information
If you choose not to give us your personal information, it may mean that we cannot perform services needed to run your Account and result in the closure/termination of the Account and services you have with us.
About Prepay Technologies Ltd (our financial services partner)
This section is applicable if you apply for or have been issued a Card and/or Account which is regulated as E-Money or Payment Services (refer to our Terms and Conditions for definitions).
Our financial services partner, Prepay Technologies Ltd, trading as PrePay Solutions (“PPS”, “Our” and “We”) is a company registered in England and Wales with number 04008083 and a registered office at 6th Floor, 3 Sheldon Square, Paddington, London, W2 6HY, United Kingdom. You can email PPS at email@example.com or you can call PPS on 0845 303 5303 (+44 845 303 5303 from outside the UK).
The Card and/or Account (Card) is issued by PPS (see details below). PPS is the Data Controller in relation to your Card and all necessary activities relating to the operation of the Card: allowing you to receive, activate and use your Card (activating, managing and using your online account where applicable, making and receiving payment transactions, meeting legal requirements, answering requests, providing information to you).
You may be the Customer or you may be a person that has been provided with a Card by the Customer.
Contact details for the PPS Data Protection Officer
Our Data Protection Officer can be contacted at PO Box 3883, Swindon SN3 9EA or at DPO@prepaysolutions.com.
The purposes and legal basis for processing your personal information
Processing is necessary for the performance your contract with PPS and for the issue and operation of Cards and is necessary for compliance with legal obligations applicable to PPS. PPS does not use your personal information for marketing purposes and will not share your information with third parties for marketing purposes.
Categories of personal information and collection
- Personal Details: Full name and date of birth
- Contact Details: Where you live and how to contact you including phone numbers and e-mail addresses
- Transactional Data: Details about use of your Countingup Card and payments to and from your accounts with us
- Contractual Information: Details about the products or services we provide to you
- Locational Data: Data PPS collects about your location, such as data from your mobile phone, the address where you connect a computer to the internet, or a shop where you buy something with your Countingup Card.
- Behavioural Data: Details about how you use Countingup’s products and services.
- Technical Data: Details on the devices and technology you use
Communications What we learn about you from letters, emails and conversations between us
- Communications: What PPS learns about you from letters, emails and conversations between you, them and/or Countingup.
- Documentary Data: Details about you that are stored in documents in various formats, or copies of them. This could include things like your passport, drivers licence or birth certificate collected to fulfil customer due diligence requirements.
Personal information will only be collected directly and voluntarily from you as part of the application process or as a result of transactions relating to your Countingup Cards. Some personal information may be verified by PPS with use of publicly accessible sources to fulfil customer due diligence.
Sending personal information outside of the EEA
PPS will only send your personal information outside of the European Economic Area (EEA) to:
- Follow your instructions
- Comply with a legal duty
In relation to personal information processed by Mastercard, certain processors are located outside of Europe. Personal information processed by Mastercard is subject to Mastercard Binding Corporate Rules which you have enforcement rights under as a third-party beneficiary.
Recipients (or categories of recipients) of personal information
PPS is committed to ensuring that your information is secure and with third parties who act on our behalf. These third parties include Mastercard, card manufacturers, suppliers of identity validation services, IVR and call recording (telephone) suppliers and Countingup. PPS uses many tools to make sure that your information remains confidential and accurate and may monitor or record calls, emails, text messages or other communications in order to protect you and them.
Retention of personal information
PPS will not keep your information for longer than it is needed, which is usually up to 7 years in the United Kingdom and up to 10 years in the EEA after the end of the relationship or upon termination of the contract, unless required to keep it longer (for example due to a court order or investigation by law enforcement agencies or regulators).
You have certain legal rights to control what PPS does with your information. These include:
- Access: You have a right to access the personal information PPS holds about you
- Rectification: You have a right to rectification of inaccurate personal information and to update incomplete personal information
- Erasure: You have a right to request that PPS deletes your personal information (where applicable – see ‘Retention of personal information’ above, as well as Article 17 3(b) of the GDPR)
- Restriction on processing: You have a right to request PPS to restrict the processing of your personal information
- Objection to processing: You have a right to object to the processing of your personal information
- Portability: You have a right to personal information portability
- Marketing: You have a right to object to direct marketing
To exercise any of your legal rights, you can email PPS at firstname.lastname@example.org or you can write to PPS DPO at PO Box 3883, Swindon SN3 9EA.
Your right to lodge a complaint with the Information Commissioner’s Office
If you wish to raise a complaint on how PPS have handled your personal information, you can contact its Data Protection Officer and address any concerns you may have. If PPS fails to address your complaint you can contact the Information Commissioner’s Office (https://ico.org.uk/).
Financial crime prevention
PPS will use your personal information to help decide if your accounts may be being used for fraud or money-laundering. PPS may detect that an account is being used in ways that bad actors operate. Or PPS may notice that an account is being used in a way that is unusual. If PPS thinks there is a risk of fraud, it may stop activity on the accounts or refuse access to them. PPS might also check and share your information with fraud prevention agencies. If fraud is identified or suspected, these agencies may keep a record of that information and PPS may refuse to provide any services. Law enforcement agencies may access and use this information.
If you choose not to give personal information
If you choose not to give PPS your personal information, it may mean that they cannot perform services needed to run your Account and result in the closure/termination of the Account and services you have with Countingup.