8 September 2020
When does this policy apply
Here is the information we may collect about you
Information you voluntarily provide:
- If you contact us (by phone, email, web chat or through the Platform), we may keep a record of that correspondence for two years in case we need to contact you in relation to the issue for which you contacted us, for operational performance improvement and/or nuisance caller management. We will not use it for marketing purposes.
- If you report a problem with the Platform and/or the Services, we may keep that information for two years in case we need to contact you in relation to the issue you for which you contacted us, for operational performance improvement and/or nuisance caller management. We will not use it for marketing purposes.
- As part of providing our Services, we retrieve account information contained within your financial accounts. Once we've retrieved your account information, we store and process this as a CRA as part of our credit reference and credit information services activities, as detailed in the below section "Credit Reference Agency Processing". Credit Kudos keeps account information and credit information for up to six years. We will not use it for marketing purposes.
The information you give may include your name, address, telephone number, email address, and financial account details.
Information we collect about you and your device
As part of this contract for our services, we may ask for ongoing access to your account information for up to 90 days. You will be informed before you complete the authorisation process of exactly how long this ongoing access will continue. You may withdraw consent for Credit Kudos to have ongoing access to your account information at any time through our consent management dashboard, managing consents through your financial institutions, letting us know through our web chat or by emailing firstname.lastname@example.org. In order to manage your consent, we will ask that you either create a password while using our platform, or we will email you a personalised link to access the service.
If you are prompted to set a password and do not do so, or are unable to find your consent management link, you can manage your consent by contacting us directly through our web chat or by email. We will need to collect two forms of identification to verify you are the same individual for which we collected consent in the first place.
Your withdrawal of consent for Credit Kudos to have ongoing access to your account information will not affect the lawfulness of any data processing carried out by us using data accessed prior to the revocation of ongoing consent. At that time, you may also want to remove any cookies which have been placed on any device used to access the Website, Platform and/or Services.
We are authorised and regulated by the Financial Conduct Authority as a CRA (reference number 770345). As such, when you use the Platform and interact and with our Services, we may receive outcome data from third parties related to your financial standing. This means we will collect information about any applications you make to financial services companies via the Platform. When you use the Platform and interact and with our Services, we may use technology such as that provided by Google Analytics to collect information. You can find more information about Google Analytics here. Google Analytics enables us to analyse how you and others interact with our Platform. The information we collect may include:
- your IP address;
- the type of browser you use (e.g. are you using the Chrome or Safari browser?); and
- the number of sessions per browser on each device;
- the type of device (eg Samsung) and operating system (eg Android) you are using;
- referrer information;
- time zone;
- user preferences; and
- which pages you visited.
- whether or not a credit product was granted;
- whether you repaid that credit product or not; and
- whether you are in arrears or default.
This is what we do with the information we collect about you and our legal basis for processing
As an Account Information Service Provider ("AISP") Credit Kudos retrieves your transaction history from your financial providers ("Account Servicing Payment Service Providers", or ASPSPs) to enable us to provide the Services. We perform these activities to fulfill the contract you entered with us when you requested we provide the Services.
Once Credit Kudos has retrieved your financial information from your financial providers, we store and process this data as a Credit Reference Agency ("CRA") so we can provide it back to Institutions to provide credit references. For more information on the types of activities CRAs engage in, please see the below section "Credit Reference Agency Processing".
Once your data is consolidated and categorised, we use this derived information to:
- store or send to third parties so that they can make a decision about whether to provide credit to you and on what terms. We also store your transaction history and collect repayment information to assist Institutions to make decisions on your credit risk;
- consolidate personal data about you that’s part of, derived from or used in credit activity, including: credit reporting and affordability checks; verifying data like identity, age and residence to preventing and detect criminal activity, fraud and money laundering; account management; tracing and debt recovery; screening; and statistical analysis, analytics and profiling;
The UK’s data protection law allows the use of personal data where the processing is necessary for a legitimate interest pursued by us or a third party and this interest is not outweighed by the interests, fundamental rights or freedoms of data subjects. Where Credit Kudos processes your personal data in our function as a CRA we rely on our Legitimate Interests and those of our clients, to:
- promote responsible lending and helping prevent over-indebtedness;
- help prevent and detect crime and fraud and anti-money laundering services and to verify identity;
- support tracing and collections;
- comply with and support compliance with legal and regulatory requirements;
- ensure that content from our Platform is presented in the most effective manner for you and for your device to achieve the most user-friendly navigation experience;
- with your consent, provide you with marketing information about us and our services;
- notify you about changes to the Platform and the Services; and/or
- defend our servers against malicious attacks.
Where we propose using your personal information for any other uses we will ensure that we notify you first. You will also be given the opportunity to withhold or withdraw your consent for the use of your personal information for purposes other than those listed above.
Credit reference agency processing
Credit Kudos is authorised by the Financial Conduct Authority to provide services as a CRA. CRAs receive personal data about individuals that’s part of, derived from or used in credit activity. The ways in which CRAs use this personal data include:
Credit reporting and affordability checks
- Credit Kudos uses data it gathers to provide credit reporting services to its clients.
- Institutions use credit reporting services to see the financial position of people and businesses. For example, a lender or creditor may check with a CRA when an individual or business applies for credit and the lender or creditor needs to make a credit decision taking into account that person or business’s credit history.
- Affordability checks help Institutions understand whether people applying for credit or financial products (like loans) are likely to afford the repayments.
- These activities help promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.
Verifying identity, and preventing and detecting criminal activity, fraud and money laundering
CRAs also use data to provide verification, crime prevention and detection services to Institutions, as well as fraud and anti-money-laundering services. For example:
- When a person applies to an organisation for a product or service, the organisation might ask them to answer questions about themselves, and then check the answers against the data held by the CRA to see if they’re correct. This helps confirm the person they are dealing with is not trying to commit identity theft or any other kind of fraud.
- If a person applies for credit the lender or creditor might check the personal data that person gives them against the personal data held by CRAs to try and prevent fraud.
CRAs supply information including personal data to their clients for account management, which is the ongoing maintenance of the client organisation’s relationship with its customers. This could include activities designed to support:
- data accuracy (such as data cleansing - where bureau data can be used to clean or update lender data. This might involve checks that data is in the right format or fields, or to correct spelling errors);
- clients’ ongoing account management activities. (For example, data sharing with lenders and creditors so clients can make decisions relating to credit limit adjustments, transaction authorisations, and to identify and manage the accounts of customers at risk, in early stress, in arrears, or going through a debt collection process, or to confirm that assets are connected to the right person).
Tracing and debt recovery
CRAs may also use personal data to support debt recovery and debtor tracing.
Statistical analysis, analytics and profiling
CRAs can use and allow the use of personal data for statistical analysis and analytics purposes, for example, to create scorecards, models and variables in connection with the assessment of credit, fraud, risk or to verify identities, to monitor and predict market trends, to allow use by lenders for refining lending and fraud strategies, and for analysis such as loss forecasting.
CRAs carry out certain processing activities internally which support databases effectiveness and efficiencies. For example:
- Data loading: where data supplied to CRAs is checked for integrity, validity, consistency, quality and age help make sure it’s fit for purpose.
- Data matching: where data supplied to CRAs is matched to their existing databases to help make sure it’s assigned to the right person, even when there are discrepancies like spelling mistakes or different versions of a person’s name. CRAs use the personal data people give lenders together with data from other sources to create and confirm identities, which they use to underpin the services they provide.
- Data linking: as CRAs compile data into their databases, they create links between different pieces of data. For example, people who appear financially associated with each other may be linked together, and addresses where someone has previously lived can be linked to each other and to that person’s current address.
- Systems and product testing: data may be used to help support the development and testing of new products and technologies.
Other uses with an individual’s permission
From time to time Credit Kudos may use the personal data they hold or receive about individuals for other purposes where the individual has given consent.
Uses as required by or permitted by law
Personal data may also be used for other purposes where required or permitted by law.
Our use of aggregated or anonymised information
We may provide aggregate user statistics and other usage data which does not identify you specifically with third parties. We may combine your data with those of other users of our Platform and share or provide this information in aggregated and anonymised form with third parties. For example, if we establish that users who obtain their gas and electricity from the same energy retailer are less likely to default on a loan then we may share such information with loan providers, but we would only ever do this with anonymised and aggregated data from which it would be impossible to identify an individual.
We may also use information collected from you and combine it with information provided by other users of our Platform to help us improve the design and delivery of our software tools, increasing the effectiveness for all users.
This is where we store your information
The data that we collect from you may be processed outside the European Economic Area (EEA) (for example if a bank from which you are applying for a loan needs to seek authorisation from one of its subsidiaries overseas). Some of our service providers are located in the United States or other countries that do not provide the same standard of data protection as the EU. Where we work with a service provider, we look for a legal mechanism that requires them to protect data to EU standards. For example, the service provider has signed on to the EU-US Privacy Shield, operates under EU-approved binding corporate rules, or is in a country the EU recognises as having adequate data protection laws. Where no other legal mechanism exists, we enact the EU-approved standard contractual data protection clauses in our contracts.
Keeping your information secure
All information you provide to us is stored on servers owned and operated by Amazon Web Services, Inc. More information on this provider is available at https://aws.amazon.com.
Here are your rights
Most of the data we collect and the purposes we use it for are necessary for us to operate and improve our services or comply with our obligations as a CRA. We tell you in the service where you can make a choice or grant consent regarding your data. When you grant consent, you may withdraw it at any time to stop any further data collection. You can also ask us at any time not to send or to carry out profiling for direct marketing, or to stop using certain kinds of cookies.
If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live or work, or where you believe a breach may have occurred.
If you want to stop using the Platform and the Services, you may do so. If you do, you may also want to remove any cookies that we have placed on any device used to access the Platform and the Services.
Credit Kudos has additional legitimate interests as a Credit Reference Agency that affect your rights:
CRAs don’t tell a lender if it should offer an individual credit – this is for the lender to decide. CRA provide data and analytics that help lenders make decisions about lending. The scoring tools and data CRAs provide may profile individuals, and are often a valuable tool in the lender’s overall processes and with the criteria they use to make their decisions. A lender’s own data, knowledge, processes and practices will also generally play a significant role in that lender’s business decisions - and lender decisions will always remain for lenders to make.
The same analytics from a CRA may lead to different decisions from different lenders, as they can place differing importance on some factors than others. That’s why an individual may receive a “yes” from one lender but a “no” from another.
The data CRAs provide is just one of the things that a lender might take into account when they make a lending decision. The lender might also take into account data provided by the person applying for credit, as well as any other data available to the lender from other sources. Each lender will have its own criteria for deciding whether or not to lend.
Scores and ratings
When requested, CRAs do use the data they obtain to produce credit, risk, fraud, identity, affordability, screening, collection and/or insolvency scores and credit ratings. CRAs don’t tell a lender if it should offer an individual credit – this is for the lender to decide. Each CRA and each lender will have its own criteria for how to calculate a credit score. CRAs may provide or make available further information on profiling where necessary from time to time.
Data Rights and Responsibilities
You may have certain rights under data protection law. These include the right to ask us for a copy of your personal data, to correct, delete or restrict processing of it, and to obtain personal data in a format you can share with a new provider. You may have the right to object to processing. These rights may be limited in some situations - for example, where we can demonstrate that we have a legal requirement to process your data. You can exercise your data protection rights by contacting us at email@example.com. We will require you to prove your identity with 2 pieces of approved identification.
Data Access Right
Individuals have a right to find out what personal data the Credit Reference Agencies hold about them.
To get online information: http://www.creditkudos.com/
To make a request by post: Credit Kudos, Data Access Team, 4 Bath Place, London EC2A 3DR
Data Portability Right
Data protection legislation (the GDPR) also contains a right to data portability that may give consumers a right in some data processing contexts, to receive their personal data in a portable format when it’s processed on certain grounds, such as consent. This is not a right that will apply to bureau data because this data is processed on the grounds of legitimate interests.
Incorrect Data and Rectification
When the CRAs receive personal data, they perform lots of checks on it to try and detect any defects or mistakes. Ultimately, though, the CRAs rely on the suppliers to provide accurate data.
If an individual thinks that any personal data a CRA holds about them is wrong or incomplete, individuals have the right to challenge it. It’s worth knowing that the CRA won’t have the right to change the data without permission from the organisation that supplied it, so the CRA will need to take reasonable steps to check the data first, such as asking the organisation that supplied it to check and confirm its accuracy.
If the data does turn out to be wrong, the CRA will update its records accordingly. If the CRA still believes the data is correct after completing their checks, they’ll continue to hold and keep it - although an individual can ask them to add a note to their file (a notice of correction) indicating that they disagree or providing an explanation of the circumstances.
Objections and Data Deletion
To understand data protection rights to object to personal data being used and how to ask for it to be deleted, and how they apply to the processing of bureau data, it’s important to know that the CRAs hold and process personal information in bureau data under the Legitimate Interests ground for processing (see above for more information about this), and don’t rely on consent for this processing. Individuals have the right to lodge an objection about the processing of personal data to a CRA by contacting the CRA directly.
Whilst everyone has complete freedom to contact a CRA with an objection at any time, under the General Data Protection Regulation, the right to object doesn’t automatically lead to a requirement for processing to stop, or for personal data to be deleted, in all cases.
Please note that, because of the importance of the credit referencing industry to the UK’s financial system, and the important purposes the personal data is needed for (like supporting responsible lending, and preventing over indebtedness, fraud and money laundering) it will be very rare that the CRAs do not have compelling, overriding grounds to carry on using the personal data following an objection. In many cases, it won’t be appropriate for the CRAs to restrict or to stop processing or delete bureau data, for example, where the result would be to hide a poor credit history that could enable a person or organisation to get credit they otherwise wouldn’t be eligible for.
Restrictions on Processing
In some circumstances, individuals can ask CRAs to restrict how they use personal data as set out in Article 18 of the GDPR.
This is not an absolute right, and personal data may still be processed where certain grounds exist. This is:
- With an individual’s consent;
- For the establishment, exercise, or defence of legal claims;
- For the protection of the rights of another natural or legal person;
- For reasons of important public interest.
Only one of these grounds needs to be demonstrated to continue data processing. Credit Kudos will consider and respond to requests we receive, including assessing the applicability of these exemptions.
Please note that given the importance of complete and accurate credit records, for purposes including for responsible lending, it will usually be appropriate to continue processing credit report data - in particular, to protect the rights of another natural or legal person, or because it’s an important public interest of the union or member state.
Credit Kudos is authorised and regulated in the United Kingdom by the Financial Conduct Authority for Account Information Services provided within the United Kingdom. We are also authorised to provide our Account Information Services in Ireland under the EU Passporting Regime. This means we have full regulatory permission from Central Bank of Ireland.
Third party properties accessed from the platform
Our Platform and Services may contain links to and from the online properties of third parties. If you follow a link to any of these online properties, please note that these online properties have their own privacy policies which will govern use of any personal data that they process. Please check these policies carefully before you click on any links and/or submit any personal data to these online properties.
Change of control
If the ownership of our business changes, we may transfer your information to the new owner so they can continue to operate the Platform and provide the Services. The new owner will be obliged to comply with this Policy.
Changes to our policy
Any changes we may make to this Policy in the future will be posted on this page. Where it makes sense because the changes are material, we will notify you of the changes by e-mail or in another appropriate manner such as when you next interact with the Platform.
Contacting us is easy and we want to hear from you
We really do welcome any questions, comments and requests you may have regarding this Policy. You can contact us by emailing us at firstname.lastname@example.org.