D•One Privacy Policy
Version 1
Effective from 11 July 2023
Introduction
This Privacy Policy explains the personal data we collect, use and process about you, and the basis for doing so. We respect your privacy and protecting your information is paramount. We may change or update this Privacy Policy at any time. Please check our website frequently to see the current version.
Who we are
“D•One” (“we”, “our” or “us”) is a trading name of Money Dashboard Ltd (company number SC301187, registered office Suite 2, Ground Floor Orchard Brae House, 30 Queensferry Road, Edinburgh, United Kingdom, EH4 2HS), and is a part of the ClearScore Group. We are registered as a data controller with the UK Information Commissioner’s Office (“ICO”) under number Z3625637.
D•One delivers Open Banking services as described in our Terms of Use. We are authorised by the UK Financial Conduct Authority (“FCA”) as an “Account Information Services Provider” (“AISP”) to provide “Account Information Services”.
You (“you”, “your”) may be using our services as:
- a business client or partner (“Client”), for example, if you’re a lender, credit provider or other financial institution (collectively “Financial Institution”)
- a consumer (“User”), for example, as a visitor of our website or if you access our services in order to use products or services that are being offered to you by a Client.
Whether you are a Client or a User, this Privacy Policy applies to you. It is important that you read this Privacy Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your personal data. This Privacy Policy supplements the other notices and is not intended to override them.
How to contact us or if you have any concerns
If there is anything you don’t understand or you’re not happy about, please get in touch with us by emailing us at: privacy@clearscore.com
You also have the right to lodge a complaint with a supervisory body, which is the ICO in the UK. However, if you do have a complaint, we would appreciate the chance to deal with your concerns first, so please do contact us first.
The information we may collect about you and how we use it
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your personal data by filling in forms or by corresponding with us in person, by email, by phone, by post or otherwise. This includes personal data you provide when registering to use our service.
- Automated technologies or interactions. As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see below on Cookies for further information.
- Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, for example, analytics providers such as Google.
Personal data
- Source of data. We may obtain your data directly from you, from publicly available sources or your Financial Institution, or create data in connection with your use of our services.
- Types of personal data:
- Identification details, such as name and unique user ID.
- Account Information, including your account type and details; names and number of account holders; address on account, account number and sort code, currency; account balance; transaction details (incoming and outgoing, reference, payee details); card balance; card transactions (incoming and outgoing, reference, payee details). We also categorise your account information, which may help Clients build insights about you.
- Technical account information. Unique user ID, account and transactional information and related technical information.
- Financial services records. Any records we need to maintain about you to comply with our FCA requirements or obligations under the Payment Services Regulations 2017.
- Purpose. We collect and process this data about you:
- to create your personal record, which we need to uniquely identify you and to register you as a User of our services;
- to verify your identity, and to process any request in exercise of your rights.
- to deliver our services to you and/or our Clients (i.e. because you’re interested in a product offered by a Client), for example to help our Clients:
- to assess your eligibility for a product;
- to allow the Client to conduct analysis with the intent to better understand the market or to provide you with better products and services in the future, and/or for segmentation purposes;
- assess your affordability for a product;
- assess credit risk
- to conduct income or identity verification;
- for fraud prevention purposes;
- to provide aggregated analytics to our Clients;
- to provide support and technical instructions regarding your use of our services in communication with the relevant Client.
- Lawful basis. We conduct the above processing activities to perform our contractual obligations and to fulfil our legal obligations.
- Source of data. We may obtain your data directly from you, from publicly available sources or from marketing lists that we’ve acquired. We may also create data that relates to you in connection with your use of our services.
- Types of personal data.
- Contact details. Your title, name, address, phone number, email address
- Profile data. Profile data, such as any username and password, your saved preferences, D•One application credentials, API consents entered by you.
- Phone calls and other communications. Records and transcripts of calls or other communications we have with you, including any survey responses, feedback or complaints.
- Purpose. We collect and process this data about you
- to provide our services to you;
- to monitor or record telephone conversations or other communications between you and us, for record keeping purposes, training our staff and improving our services;
- to market our services to you.
- Lawful basis. We conduct the above processing activities to perform our contractual obligations, for our legitimate interests, and (in the case of marketing), with your consent.
- Source of data. We may obtain your data directly from you, or create data that relates to you when you interact with our website or services.
- Types of personal data
- Online identifiers. Your IP address, browser type and version, geolocation information, operating system and version and time zone, that we may collect when placing cookies
- Contact details. Your name, email and any other contact details or personal data you provide to us, such as comments or feedback.
- Analytics. Data about how you use or interact with D•One services, viewed pages, actions on pages, the paths you take through our services, etc.
- Purpose. We collect and process this data about you:
- to enable us to operate and run our site, to gather analytics, and to optimise or personalise our website services for your experience;
- to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve the service we offer you such as understanding the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
- to enable us to contact you about our services, market to you and to conduct surveys and collect feedback;
- to understand how you use our services and improve them
- to provide aggregated analytics to our Clients;
- for analysis of information about you on a personalised or aggregated basis to further tailor the experience to you and for marketing purposes
- for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access;
- Lawful basis. We conduct the above processing activities for our legitimate interests, and in respect of any marketing activities or non-essential cookies, with your consent.
Special categories of personal data. We do not collect or process special category data for our services. If you are a User, the categorisation of some of your account transactions that we obtain from Financial Institutions may reveal special categories of data as it may be indicative of your political beliefs (e.g., if you pay membership for a political party) or trade union membership.
Clients - Direct marketing
If you’re a Client, we will normally send direct marketing by email if we have your consent to do so, or if you are an employee or representative of a body corporate who we have identified as a potential Client, we may contact you to discuss our services to satisfy our legitimate interests. Whenever you receive direct marketing, you will be given an option to unsubscribe. You can opt out easily of receiving marketing from us at any time.
You can also tell us that you do not wish to receive any more marketing communications at any time by writing, with your full name, address and other contact details (to enable us to find your records) by email at privacy@clearscore.com, or by post to Data Protection Officer, D•One, c/o ClearScore Group, Vox Studios, VG 203, 1-45 Durham Street, London, SE11 5JH.
Who we may share your personal data with
We will not share your personal data unless we have your permission to do so, other than as set out in this Privacy Policy or where we have your consent. We share your personal data in the following situations:
- Group companies. We may share your personal data with any member of the ClearScore group, which means our subsidiaries, our ultimate holding company and its subsidiaries, in order to deliver the services to you.
- Our Clients. If you are a User, we share your personal data with our Clients for the purposes described above. Our Clients may retain the information and process your data in accordance with their own policies. You should check their privacy policies for further information.
- Selected third parties. We may also share your information with selected third parties including:
- third parties which enable us to provide you with the services such as cloud back-up and server hosting providers, security service providers, IT software and third parties that provide communication services;
- if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets (or the buyer or seller’s advisers)
- if we or part or all of our assets are acquired by a third party, in which case personal data held by us about our Users and Clients will be one of the transferred assets;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use and other agreements; or to protect the rights, property, or safety of the ClearScore group, our Users, Clients or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction;
- advertisers that require data, to perform services on our behalf, including selecting and serving relevant adverts;
- to professional advisers, including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- Fraud Prevention Agencies. We will share your personal information with fraud prevention agencies. If false or inaccurate information is provided and fraud is identified, details of this fraud will be passed to these agencies. Law enforcement agencies may access and use this information. We and other organisations may access and use from other countries the information recorded by fraud prevention agencies.
How long we keep your information for
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, our contractual obligations, any consents we have obtained from you, fraud and risk management (such as the potential risk of harm from unauthorised use or disclosure of your personal data), our legitimate interests, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
If you are a User who has shared your account information, we will retain it for so long as we need to under our legal or regulatory obligations. If we have contracted with a Client to provide certain data management services and you have connected your account with us because you’re interested in a product or a service being offered by that Client, we may retain your personal data to fulfil our contractual obligations with that Client.
How we protect your information
We take the security of your data very seriously and use strict procedures to protect it. Whenever we transfer personal data outside of the UK/European Economic Area, we ensure that appropriate safeguards are in place to protect the data. All information you provide to us is stored on our secure servers.
We do our best to protect your personal data, but we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, loss or damage.
International transfers
Some of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside of the UK. Where possible, we try to only process your information within the UK and European Economic Area (EEA). Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
- Where we use certain service providers, we may use specific contracts approved, or other appropriate safeguards, for use in the UK which give personal data the same protection it has in the UK.
- In any other case, we will obtain your explicit consent before any transfer takes place.
Cookies and Other Tracking Technologies
What are cookies? A cookie is a text file containing a small amount of information that is sent to your browser when you visit a website. The cookie is then sent back to the originating website on each subsequent visit, or to another website that recognises it. Cookies are an extremely useful technology and do lots of different jobs.
We may collect information through the use of cookies.
What cookies do we use? We have listed below all the cookies that we use. These fall into the following categories:
- Strictly necessary/essential cookies. These are cookies that are required for the operation of our website and services. They include, for example, cookies that enable us to monitor the secure use of our services.
- Analytics/performance cookies. These types of cookies allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users can easily find what they are looking for.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences
- Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
You can find more information about the individual cookies we use and the purposes for which we use them below:
- d1-userSession – Monitors User sessions. Expires after 1 hour or is cleared once the User has completed their connection using D•One services and is returned to the Client.
- d1-selectedBank - Keeps track of selected Financial Institution. Enables fetching of the correct logos and auth URLs.
- d1-firstLinkedAccount - Lets us know if the user has made a first-time connection so we can show them the onboarding screens (DOne cookie).
- d1-from-management-page – Returns user to the management page after the user has re-authenticated.
- d1-hard-reauth-accounts - identifies what banks need to be hard re-authenticated
- d1-web-portal-userID – session cookie that identifies a User
- d1-web-portal-partnerId – session cookie that identifies Clients
- d1-web-portal-okta-issuer – session cookie, for Okta authentication purposes
- __Secure-next-auth.session-token – to authenticate a user of our services and all their requests while they are logged-in
- __Secure-next-auth.callback-url – for authorisation purposes
- __Host-next-auth.csrf-token – to prevent CSS and CSRF attacks on login
- Sentry.io - Enables us to track any errors
- Segment.io – To assist with collection of analytics information
- Perimeter.com - For security and bot detection purposes
Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.
To find out how to manage cookies on popular browsers:
To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.
Your rights
Request access to your data. You have the right to ask us for access to the personal data that we hold about you.
Object to processing, including for direct marketing. You can ask that we no longer use your personal data where that use is based on a legitimate interest. You always have the right to object to processing for direct marketing purposes.
Restrict the use of your data. You have the right to ‘block’ or suppress further use of your information in certain circumstances. When usage is restricted, we can still store your information, but may not use it further. We will not be able to continue to provide the services.
Correct your data. You will usually be able to amend any information that we hold about you that is inaccurate or incomplete through the settings in your account. Some information we receive about you from your Financial Institution can only be corrected by that Financial Institution.
Erase your data. You can ask us to fully or partially delete your information where there is no compelling reason for us to keep using it, although we will not be able to continue to provide our services. We reserve the right to keep your information if it is necessary for compliance with our legal obligations.
Request to transfer. You can obtain a copy of the data you provided us in a machine-readable format. In addition, where certain conditions apply, you have the right to have such information transferred directly to a third party.
Right to withdraw consent. If you have given your consent for us to use your information, you have the right to withdraw your consent at any time.
For the exercise of any of your rights, you can also contact us at privacy@clearscore.com.
Your right to lodge a complaint with the ICO
If you are not satisfied with our response to any complaints you raise with us or you believe our processing of your information does not comply with the data protection law, we suggest you contact our Data Protection Officer. However, you can make a complaint to the Information Commissioner’s Office (ICO) at any time.
Please see the ICO website for further information – https://ico.org.uk/make-a-complaint/.