Open banking: Privacy policy

This Privacy Policy explains how we use personal information about you and the steps we take to ensure your personal information is kept secure and confidential. It should be read together with our Terms and Conditions.

If you provide us with information about another person (for example, in relation to your client if you are a financial advisor or in relation to a named party on your policy if you are an insurance policy holder), in doing so, you confirm that they have consented for you to provide the information to us for us to be able to process their personal data, including any “special categories of personal data” (for further information, see below) and that you have told them who we are and what we will use their data for, as set out in this Privacy Policy.

Certua Financial Information Services Limited

1.       Data controller

1.1              In section 2 of this Privacy Policy, “Certua”, “we”, “us” and “our” refers to Certua Financial Information Services Limited and, where the context requires, the relevant member of the “Certua Group” (which includes Certua Financial Information Services Limited, Certua Group Limited, Certua Licensing Limited, Certua Protect Limited, Certua Lending Limited, Certua Sport Limited and Certua Services Limited).

1.2              Certua Financial Information Services Limited is a company incorporated in England with company registration number 11506180 and whose registered office address is 1st Floor Healthaid House, Marlborough Hill, Harrow, United Kingdom HA1 1UD.

1.3             Certua Financial Information Services Limited is authorised and regulated by the Financial Conduct Authority (registration number 834554) as a Registered Account Information Service Provider.

1.4             Section 2 of this Privacy Policy applies to all account information and related products and services offered by us (or offered on behalf of us), including open banking services, through any websites, web applications, mobile applications or similar devices, channels, platforms, service applications or other applications operated by or on behalf of us (or a member of the Certua Group) or which reference this Privacy Policy (“Applications”).

1.5             We are the data controller in relation to the processing of the personal information that you provide to us. Our contact details are as follows:

1.5.1           Address: Certua, Unit 7, 27 Corsham Street, London, N1 6DR.

1.5.2          Telephone number: +44 (0)20 3962 0003.

1.5.3          Email address: (please include “Personal Data Request” in your subject heading to ensure it receives the correct attention).

1.6             The Certua Data Protection Officer (DPO) will handle any questions you may have regarding the use of your personal data and/or your rights as a data subject as outlined in this policy.

2.       How we collect your information

How you engage with us

2.1              The information we hold about you comes from the way you engage with us (or a member of the Certua Group, or one of our distribution, insurance, banking or financial advisor partners or other partners), for example by doing any of the following:

2.1.1             sharing information with us via Open Banking (for further information, see below);

2.1.2            providing us, or one of our partners, with information in the course of registering for and/or using our Applications or services;

2.1.3            taking part in surveys, posting on our message boards or blogs and entering into any competitions or prize draws;

2.1.4           downloading information or participating in any other interactive areas that appear on our Applications;

2.1.5            interacting with us using social media; and/or

2.1.6            contacting us offline, for example by telephone, SMS, email or by post.

2.2             We may also obtain information about you from credit reference agencies and fraud prevention agencies.

What information do we collect?    

2.3             The information we collect when you engage with us or any of our partners for any of the purposes described below may include, for example:

2.3.1            basic personal details such as your name, date of birth or age, address, email address, telephone number, gender and marital status;

2.3.2           your national insurance number;

2.3.3           details of the internet protocol (IP) address connected to your device, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks (Technical Log Data);

2.3.4           sensitive or special categories of personal data e.g. relating to your health (for further information, see above);

2.3.5           information about your employment, including salary;

2.3.6           information about your lifestyle and insurance requirements;

2.3.7           payment information (such as bank account details);

2.3.8           record-keeping information which we collect in order to meet our regulatory and statutory duties;

2.3.9           banking transaction data including details of your spending habits; and

2.3.10         your marketing preferences.

2.4            Please note that it is your responsibility to check and ensure that all information you provide on the Applications or that we receive via Open Banking (whether the information is about you or someone else) is correct and accurate and that you disclose all relevant facts.

3.       What we use your information for

3.1             We may use your information for the following purposes, based on the following legal grounds:

3.1.1             If it is necessary for the performance of our contract or for the purposes of entering into a contract, for example:

in order to register you as a customer of our services;

for the provision of account information services, open banking services, loan/lending application services, data analytics services, insurance services or other services to you;

for the purpose of receiving payments for services provided to you;

to provide you with user support and technical instructions regarding the services or your account; and

carrying out automated processing in regard to your personal data using our automated technology to provide useful information and insights (see further information below).

3.1.2            Compliance with a legal obligation, for the purpose of, for example:

verifying your identity in order to comply with our regulatory requirements;

maintaining our statutory records to comply with FCA requirements; and

carrying out anti-fraud checks in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.

3.1.3            If it is in our legitimate business interests to do so, for the purpose of:

sending information to you (if you agree) about products and services which we think may be of interest to you (see further information in the “Marketing” paragraph below);

internal record keeping for administration and management purposes;

using our customer insight products to understand customer behaviours, analyse market trends and customer demographics, and develop the product/service which we offer to you or other individuals in the future;

research or statistical purposes, including to analyse how people use the Applications, view our products, respond to our advertising and to improve our understanding of what customers need; and

training purposes, to improve our services and their delivery, for example by recording telephone calls.

3.1.4           In certain circumstances (and in accordance with data protection legislation), we will only collect and process your personal information if you have provided consent for us to do so. For example:

third party marketing emails - we will not pass your information to third parties for marketing purposes unless we have your consent to do so; and

to retrieve your information via Open Banking (see below for further details).

If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of any contract with us that you agree to any request for consent from us.

3.2             Please note that if we provide open banking services or other services involving access to your financial and/or other information via other sources, your data may be refreshed periodically in order to ensure that the services we provide to you are tailored and based on up-to-date data about you. We will be able to refresh the data until your consent expires (the relevant timeframe for which your consent will apply will vary depending on the data source – e.g. for Open Banking, such consent will last for a period of 90 days at which point we will ask you to re-consent for a further period). Please see below for further information regarding Open Banking.

3.3            For all other processing of your personal information (where your consent is not required), we will only do so in accordance with this Privacy Policy and data protection legislation.

4.       Sharing your information

How we use and share information within the Certua Group

4.1             We may share and aggregate information about you with any company within the Certua Group for general administration and management purposes if it is in our legitimate interests to do so and pursuant to any purpose set out in this Privacy Policy only (e.g. customer relationship management, software and service compatibility and improvements and to provide you with any information, applications, products or services that you have requested).

How we use and share information outside the Certua Group

4.2            If you use or purchase a product or service, your personal information may be shared with and processed by:

4.2.1           account servicing payment servicing providers (“ASPSPs”) for the purpose of accessing your online banking transaction information in order to provide open banking services;

4.2.2           third party credit providers for the purpose of obtaining lending, asset purchase and/or loan application decisions;

4.2.3           regulators (such as the Financial Conduct Authority) or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;

4.2.4          credit reference and fraud prevention agencies;

4.2.5          any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);

4.2.6          our own professional advisors and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;

4.2.7           our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, payment processing providers and those organisations we engage to help us send communications to you) so that they may help us to provide you with the applications, products, services and information you have requested or which we believe may be of interest to you;

4.2.8          third parties where you have a relationship with that third party and you have consented to us sending information (for example social media sites or other third party application providers);

4.2.9          third parties for marketing purposes (with your consent), e.g. our partners and other third parties with whom we work and whose products or services we think will interest you; and

4.2.10        another organisation to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets.

4.3            We may share non-personally identifiable information about the use of our website, applications, products or services publicly or with third parties but this will not include information that can be used to identify you.

5.    Open Banking

What is it?

5.1             Open Banking launched in early 2018 as an initiative to facilitate the offering of tailored products and services to consumers.

5.2            The scheme will allow customers of certain banks to give permission to share account transaction data securely with “Third Party Provider” companies, that are registered with and regulated by the Financial Conduct Authority, and also offers a new way to make online payments straight from your current account through a Third Party Provider’s website or app. Certua is currently registered as a Third Party Provider (namely an “Account Information Service Provider”).

5.3            To use Open Banking you will need to have a current account and be registered for your bank’s online or mobile banking service.

How we access and use your data

5.4            Open Banking does not mean that any company can access your transaction data. You are in control, and you will need to give explicit permission for your financial information to be shared.

5.5            With your authority, we will securely access your bank transaction information in order to aggregate and categorise this data to provide you with consolidated information about your spending habits, analytics and insights together with recommendations regarding financial services and products. Your bank information may also be used and shared with third party credit providers to facilitate lending and/or loan application decisions to be made about you.

5.6            If you provide consent for us to access your information (via our Applications), you will be directed to your existing bank or building society’s online banking login page where you can log in securely to share your account information.

We will keep your information secure

5.7            We are committed to keeping your financial information secure and helping you stay protected from fraud when you share your data through Open Banking. All usage of your information is tracked and you will be able to withdraw your consent at any time.

5.8            In the event of fraudulent payments, banks are required to reimburse you fully. You are also protected by data protection laws and the Financial Ombudsman Service. With Open Banking, you will never be asked to share your bank login details or password by us or with any other Third Party Provider.

6.       Automated decision making

6.1             Please note that your personal data may be subject to automated profiling and/or automated decision-making.

6.2            Our automated technology allows us to aggregate, analyse and categorise your personal data and banking transaction information in order to provide you with consolidated information, insights and recommendations about your spending habits. This technology allows us to provide a fast, efficient service that is tailored to you.

6.3            Automated technology may also be used by third-party credit providers in order to decide whether to grant a loan, asset purchase or mortgage application submitted by you, based on your personal data and banking transaction information. Please refer to the individual privacy policies of such third parties for further information as to how your personal data may be used.

6.4            You have the right to request a manual review of the accuracy of an automated decision that you are unhappy with by contacting us (our details are displayed above).

7.       Please also refer to Section 4 of this Privacy Policy which includes further information including your rights with regards to your personal data.

Additional information (including your rights in respect of your personal data)

1.       What is personal data

1.1              For the purposes of this Privacy Policy, personal data or personal information means any information relating to a living individual who can be identified from that information (or from that information and other information in our possession). Personal data may be factual (e.g. name, address, date of birth) or it can be an opinion about that person, their action or behaviours.

1.2              There are special categories of more sensitive personal information which require a higher level of protection. These include information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, physical or mental health or condition or sexual orientation. For the purposes of this Privacy Policy, any information about the commission of, or proceedings for any criminal offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings are treated in the same way as special categories of personal data.

2.       International Transfers

It may be necessary in certain cases for us to transfer your personal information outside the UK to locations that may not provide the same level of protection as the UK.  However, we will not do so unless one of the following scenarios under the UK General Data Protection Regulation (UK GDPR) applies:  

2.1              the country or recipient is covered by UK adequacy regulations under UK GDPR Article 45;

2.2             appropriate safeguards have been put in place which meet the requirements of UK GDPR Article 46 (for example using the European Commission’s Standard Model Clauses); or

2.3             one of the derogations for specific situations under UK GDPR Article 49 is applicable to the transfer.  These include (in summary):

2.3.1            the transfer is necessary to perform, or to form, a contract to which we are a party:

with you; or

with a third party where the contract is in your interests;

2.3.2           the transfer is necessary for the establishment, exercise or defence of legal claims;

2.3.3           you have provided your explicit consent to the transfer; or

2.3.4           the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.

3.       How long will we keep your information for?

3.1             Unless we are required or permitted by law to hold on to your data for a specific retention period (for example, the Payment Services Regulations requires us to hold certain information for a period of 5 years) or where we retain data pursuant to our policy with you or for our legitimate business purposes, we will only hold your personal information on our systems for as long as is necessary to fulfil the purposes outlined in this Privacy Policy (for example, to carry out services ordered by you) or until you request it is deleted.

3.2             Where we no longer need your personal information, we will dispose of it in a secure manner.

3.3            In some circumstances you can ask us to delete your data: see your legal rights at paragraph 6 below for further information.

3.4            In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research, analytics or statistical purposes for use by us or by third parties and, in those circumstances, we may use this information indefinitely without further notice to you.

4.       Security

4.1             We keep your information protected by taking appropriate technical and organisational measures to guard against unauthorised or unlawful processing, accidental loss, destruction or damage. For example:

4.1.1             where appropriate, data is encrypted when transiting on our system or stored on our databases;

4.1.2            where appropriate, our Applications use HTTPS to help keep information about you secure;

4.1.3            we have implemented safeguards in relation to access and confidentiality in order to protect the information held within our systems; and

4.1.4           we frequently carry out risk assessments and audits to monitor and review threats and vulnerabilities to our systems to prevent fraud.

4.2            However, while we will do our best to protect your personal information, we cannot guarantee the security of your information which is transmitted to any Application via an internet or similar connection.

4.3            The registration process via any Application may include the creation of a username, password and/or other identification information. All such details should be kept confidential by you and should not be disclosed to or shared with anyone. In order to protect your account, please choose a strong password (which should include a mixture of letters and numbers) and ensure that it is kept safe. If you disclose details of your username or password information, you will be responsible for all activities undertaken on the Applications where they are used.

5.       Marketing

5.1             From time to time, we may use your information to contact you with details about our applications, products and services which we feel may be of interest to you.

5.2            You have the right at any time to stop us from contacting you for marketing purposes. If you wish to exercise these rights you can do so by selecting your contact preferences at the point where you provide us with your information on any Applications, or by sending an email to us at  

5.3            You can also unsubscribe from any electronic marketing communications at any time using the links provided in the communications we send to you.

6.       Your rights to your personal data

6.1             You have certain rights under existing data protection laws, including the right to (upon written request) access a copy of your personal data that we are processing. In accordance with UK data protection legislation:

6.1.1            you will have the following rights:

right to access: the right to request certain information about, access to and copies of the personal information about you that we are holding (please note that you are entitled to request one copy of the personal information that we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs);

right to rectification: the right to have your personal information rectified if it is inaccurate or incomplete;

6.1.2            in certain circumstances, you will also have the following rights:

right to erasure/“right to be forgotten”: the right to withdraw your consent to our processing of the data (if the processing is based on your consent) and the right to request that we delete or erase your personal information from our systems (however, this will not apply if we are required to hold on to the information for compliance with any legal obligation or if we require the information to establish or defend any legal claim);

right to restriction of use of your information: the right to stop us from using your personal information or limit the way in which we can use it;

right to data portability: the right to request that we return any information you have provided in a structured, commonly used and machine-readable format, or that we send it directly to another company, where technically feasible; and

right to object: the right to object to our use of your personal information including where we use it for our legitimate interests or for marketing purposes.

6.2            Please note that if you withdraw your consent to the use of your personal information for purposes set out in our Privacy Policy, we may not be able to provide you with access to all or parts of our Application or services.

6.3            If you consider our use of your personal information to be unlawful, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office. Please see further information on their website:

7.       Changes to this Privacy Policy

We may amend this Privacy Policy from time to time, for example, to keep it up to date, to implement minor technical adjustments and improvements or to comply with legal requirements. We will always update this Privacy Policy via our Applications (the “last updated” reference tells you when we last updated our Privacy Policy).