For the purposes of General Data Protection Legislation (GDPR) the data controller is Cardeo Ltd, registered at Hat Loft, 1 Mill Yard, Guildford street, Luton, LU1 2NR.
This policy is available on this web page cardeo.com/privacy-policy where you can review it to stay updated with recent changes.
We process data collected from you, your connected accounts, and third parties, to make Cardeo work for you, and comply with our regulatory requirements. Most importantly we use:
Your personal details – names, address, date of birth, to comply with our obligations to know our customer.
Your transaction data – (but not your account login details or security details) to make Cardeo work, and enable us to give you insights into your credit card data and how best to repay your cards.
Payment data – necessary to process payments on your behalf as requested by you.
Data about your use of Cardeo – to help us make Cardeo work better for you.
We also share your data with other companies to fulfil our services to you, or to comply with regulation:
- E-money provider - Modulr provides the e-wallet which allows payments to your credit cards on our behalf.
- Account aggregation providers – FriendlyScore and TrueLayer securely connect your accounts to Cardeo.
- Direct Debit provider – Modulr manages any Direct Debits on our behalf in relation to certain products (only when applied for).
- KYC provider - Modulr helps us check the identity information you provide us.
- Soft credit checks - when using our services we may carry out a soft credit check against your credit report. This does not affect your credit rating.
- Other selected service providers - under GDPR rules.
GDPR gives you the right to see, erase, or challenge the data we hold about you, among other rights. Our support team can help with this.
Information we collect about you
You may give us information about yourself by accessing our website cardeo.com, by using the app or by contacting us by phone, email or otherwise. We may store this information along with any consent that you give.
Information you give us when you sign up in our app
This is information necessary to provide you with Cardeo’s services and to comply with regulatory obligations to know your customer (KYC):
First and last name
Date of birth
Some additional information may be collected if you access certain services within the app. For example, occupation, salary, and expenditure.
Information we automatically collect when you use Cardeo
When you use the Cardeo app or visit our website, we automatically collect information. This includes personal information about the parts of the Cardeo service you use, and how you use them. The following information is necessary to fulfil our services to you, to fulfil our regulatory obligations, and given our legitimate interest in being able to provide Cardeo services to you:
Information about your payments – needed to process payments and carry out fraud prevention measures, including credit and debit card numbers, security code numbers and other such relevant billing details.
Information about your device – your use of the site or the service (including your IP address, geographical location, browser or platform type and version), internet service provider, operating system.
Information about your use of the product – to be able to offer you cost saving features and benefits.
Information we receive from third parties
We receive the following personal information about you from our third party service providers who help us in providing some or all of our service:
Your credit card data (through our account aggregation partners) – credit card number, interest rates, balances, payment history, transactional data, to fulfil our services to you.
Our KYC provider – the outcome of your know-your-customer check, to perform our money-laundering obligations.
Public and commercial sources – to perform our KYC obligations and regulatory obligations we might collect information from public sources such as sanction lists or credit reference agencies.
How we use the information we collect from you
To provide and improve the Cardeo product
We process the information we collect given our legitimate interests in improving the Cardeo service, and to fulfil our services to:
Give you access to, and enable your interaction with, Cardeo’s products and features
Give you insights into your credit card data, spending and balances
Offer you customer service
Offer products and services that we feel may be of interest to you
Offer Cardeo debt advice and credit where eligibility allows
Keep you informed by sending you support messages, push notifications, security alerts, updates and account notifications
Manage our website and app services and for internal analysis, such as troubleshooting, data analytics, testing, research, statistical analysis and surveys
To prevent fraud, and to meet regulatory obligations
We process the information we collect given our legitimate interest to protect us from fraud, and to comply with regulatory obligations to:
Detect fraud, including transaction monitoring
Verify your identity and check it against sanction lists
Keep our platform secure
To provide our services to you, we use trusted service providers. These providers will each handle your data according to their own privacy policies. The most important service providers we use are:
- Aggregation providers – FriendlyScore and Truelayer help us to deliver our services by securely accessing your credit card information (“account aggregators”). By using the account aggregator’s service, you agree and grant them permission to aggregate your personal data.
- E-money provider – Modulr helps us to deliver our services by providing you with an e-wallet. We will share data with e-money providers to fulfil our payment services for you. Our e-money provider might pass your data on to its own subcontractors and partners when this data is necessary to fulfil its legal and regulatory obligations as an issuer of electronic money. If you take out a service or product that requires a Direct Debit, Modulr will also provide this service on our behalf and may involve the transfer of data to make it happen.
- KYC and screening provider - Cardeo will share your personal information (name, date of birth, address) with Modulr for sanctions, PEP (politically exposed person) and adverse media checks, and to verify your identity in line with our KYC obligations.
- Regulatory bodies - To comply with our regulatory obligations to report activity suspected to be money laundering we might share your information with government entities responsible for this. We may be required by the Financial Conduct Authority or the Financial Ombudsman Service to share personal data with them.
- Aggregated data - We may share aggregated and non-personally identifiable information for industry and market analysis, demographic profiling, marketing and advertising, and other business purposes. Aggregated information is information about our users that we combine together so that it no longer identifies or references an individual user. It is not considered personal data under GDPR as it can’t be used to directly or indirectly identify you.
- Soft credit checks - When you use Cardeo’s services, soft credit checks may be carried out against your credit report for the following purposes:
— To assess your financial profile and creditworthiness, allowing us to offer you access to suitable products and services, such as Cardeo Credit
— To verify your identity and details, prevent fraud, or both
— To allow further customisation of the app
— To enable eligibility checks to be undertaken as part of our introducer services for credit broking
Soft credit checks are carried out by using credit reference agency data. Credit reference agencies may keep a record of the search and you may see this recorded against your credit file, but these soft credit checks have no impact on your credit rating.
Where a soft credit check is required for eligibility purposes in relation to credit broking, these will be undertaken by our partner Monevo. Monevo will use the data to match against providers' lending criteria, to check your eligibility and calculate your percentage chances of successfully obtaining a loan. Monevo in these instances will be the data controller. More details can be found in their terms of service.
Cardeo Credit customers
In order to process your credit application we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.
We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates.
The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at:
- Call Credit – callcredit.co.uk/crain
- Equifax – equifax.co.uk/crain
- Experian – experian.co.uk/crain
How long we keep your data
We generally keep your information for as long as we need to perform the service we have with you, or to comply with our regulatory obligations. If you no longer want us to use your information you can send a request to firstname.lastname@example.org.
Please note that if you ask us to erase your personal data, we will keep relevant personal information for at least 5 years to comply with our regulatory obligations.
Your rights under GDPR
Individuals shall have the following rights with regard to personal data that we process:
The right of access
You have the right to get a copy of the data we hold about you. This is free of charge. To do this please email email@example.com or talk to one of our support team at firstname.lastname@example.org.
The right of rectification
You have the right to ask us to correct or update any information we hold which may be inaccurate, and which you can't change yourself through the Cardeo app or website.
The right of erasure
You have the right to ask us to erase personal information we hold on you and close your Cardeo account. If you do this we might maintain personal information we hold on you which is necessary to comply with our regulatory obligations or to reduce fraud.
The right to withdraw consent or restrict processing
If you wish to withdraw consent or restrict processing you can do this by contacting cardeo.com/support. If you withdraw your consent to share your financial transaction data, we will be unable to provide the Cardeo service to you. Some information you have provided to us will be retained after you withdraw consent to comply with legal and regulatory obligations.
The right to complain
You have the right to lodge a complaint with the Information Commissioner's Office for any processing carried out by Cardeo. You can contact them through ico.org.uk or by phoning 0303 123 1113. Cardeo’s ICO reference number is ZA813859.