Privacy Policy

1. Overview

Cardeo Ltd (“Cardeo”) is a financial services company. The privacy of its clients, employees (including ex-employees and job applicants), investors, beneficiaries, users of its online offerings (including website), and, in broader terms, all interested parties that we interact with, and the security of their personal data, are of extreme importance to us at Cardeo.

This privacy policy (the “policy”) explains how we at Cardeo may collect and use (that is, process) information related to our clients, employees (including ex-employees and job applicants), investors, beneficiaries, users of our online offerings (including website), and, in broader terms, all interested parties that we interact with. This policy may be amended or updated from time to time, as necessary. This policy is available on the Cardeo website, https://cardeo.com, where you can review it in order to stay updated with regard to recent changes.

This policy applies to Cardeo to the extent that it does not contradict national laws or specific Cardeo policies dealing with personal data outside the European Union.

2. Nature of personal data that we process

Cardeo may process the following personal data obtained through the use of means that are covered in this policy:

Personal details and preferences

Name, username, password, date of birth, age, preferred language(s), other preferences, where it is relevant to the services we provide, content of CV and cover letter.

Contact details

Address, telephone number (including mobile phone number), email address, any other information provided when filling out a contact form.

Consent records

Records of any consents given, together with any related information.

Online details

Information that is obtained through the use of the website and may or may not constitute personal data, depending on the circumstances and applicable laws: non-precise information about the approximate physical location, internet protocol address, information collected through the use of cookies, JavaScript, other technologies, log files and similar information.

Payment data

Information that is necessary to process payments and implement fraud prevention measures, including credit and debit card numbers, security code numbers and other such relevant billing details.

Business details

Business information which we necessarily process as part of our instructions or projects we are involved in or otherwise provided by individuals voluntarily.

Compliance details

Information that we are legally required to collect for compliance purposes, such as know your client (KYC) information, details relevant to international sanctions and restrictive measures and information about relevant and significant litigation, which may impact our ability to act.

Publicly available information

Information collected from publicly available resources, including but not limited to information collected from databases we use to carry out compliance checks.

Statutory register information

Information about individuals on account of an interest or office they may hold in or certain relationships they may have with a corporate entity, partnership, trust or other vehicle to which we provide.

Sensitive information

Cardeo will process personal data that may be deemed sensitive: race or ethnicity, political views, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life and sexuality, any actual or alleged criminal offences or penalties, or any other information that may be deemed to be sensitive under the General Data Protection Regulation (GDPR) in the ordinary course of our business.

3. Means of collecting personal data

We employ the following means of collecting personal data:

Provided

Personal data provided directly by an individual engaging with us through any means. For example through direct interaction, by signing up for emails or newsletters, registering for site membership, contact through any means, becoming an employee, provided in the ordinary course of our business relationship.

Obtained

Personal data will be obtained from various third party sources to enable Cardeo to provide its services and conduct its operations in compliance with the relevant laws and regulations. Sources of obtained information may include, but are not limited to: open banking platform data including transactional data, credit reference agency data, KYC data.

Made public

Personal data that was clearly chosen to be made public, including via social media.

Website and other technical means

Personal data of an individual obtained through the use of our website.

Advertising and third party

Personal data collected from service providers and third parties that an individual chose to interact with.

This policy does not cover the practices of third parties, including those that may disclose information to us. We are not responsible for the accuracy of any information provided by third parties or third-party policies or practices (including personal data processing practices).

4. Purposes of personal data collection

Relationship management

Purpose/activity: To manage our relationship with individuals, including our clients, employees (including ex-employees and job applicants), investors and beneficiaries.

Nature of personal data: Personal details and preferences, contact details, consent records, payment data, business details, details for events.

Lawful basis of processing, including basis of legitimate interest:

(a) Necessary to comply with legal requirements (legal compliance).

(b) Necessary to further our legitimate interests (to keep our records updated and to ensure uninterruptible flow of our business).

Security, relevance and efficacy

Purpose/activity: To manage and protect our business and ensure security of online services (including website), deliver relevant content and understand the effectiveness of our online offerings (including advertising).

Nature of personal data: Personal details and preferences, online details, consent records, business details.

Lawful basis of processing, including basis of legitimate interest:

(a) Necessary to further our legitimate interests (to ensure uninterruptible availability of our online services, maximise their effectiveness, grow our business and further our marketing strategy).

(b) Necessary to comply with legal requirements (legal compliance).

Personalised suggestions

Purpose/activity: To make suggestions and recommendations to individuals about services that may be of interest to them.

Nature of personal data: Personal details, contact details, online details, consent records, business details, details for events.

Lawful basis of processing, including basis of legitimate interest:

(a) Necessary to further our legitimate interests (to grow our business and further our marketing strategy).

Financial management

Purpose/activity: To be able to manage our finances, including planning and reporting; personnel; sales; accounting; finance; corporate audit; and compliance with legal requirements.

Nature of personal data: Personal details, contact details, online details, consent records, payment data, business details.

Lawful basis of processing, including basis of legitimate interest:

(a) Necessary to further our legitimate interests (to grow our business and further our marketing strategy).

(b) Necessary to comply with legal requirements (legal compliance).

Legal compliance

Purpose/activity: To ensure possibility of legal compliance (including applicable rules with regard to anti-money laundering compliance and “know your client” compliance checks) and legal proceedings in case of necessity.

Nature of personal data: Personal details, contact details, online details, consent records, compliance details, publicly available information, statutory register information.

Lawful basis of processing, including basis of legitimate interest:

(a) Necessary to comply with legal requirements (legal compliance).

5. Legal basis for use of personal data

Cardeo will only use personal data of an individual when legally allowed to do so. Most commonly, Cardeo will use personal data of an individual in the following circumstances:

To ensure that we are able to perform our obligations under the contract that we entered or are about to enter (including contract with an individual whose personal data we use or other third party, provided that we obtained consent from such individual).

To ensure that we are able to further our legitimate interests (or legitimate interests of a third party that we have a contractual relationship with, provided that we obtained consent from any individual whose personal data we use) and the fundamental rights of an individual, whose personal data we use, do not override those interests.

To ensure that we are compliant with applicable legal and regulatory requirements.

We always consider whether the risk to an individual’s personal data protection rights in connection with personal data that we process on the basis of our legitimate interests is not excessive. We also protect individuals' rights by ensuring proper retention periods and security controls with regard to personal data of such individuals.

We use legitimate interests as a legal basis for processing personal data of individuals, in cases of sending marketing communications (including those of third parties).

6. Disclosure of personal data to third parties and international transfer of personal data

Some areas of business we engage in and services that we provide require the involvement of third parties. We have procedures in place to screen and select these third parties based, among other criteria, on their ability to adequately protect personal data that we process.

From time to time we will transfer personal data to third parties. We will only transfer personal data if such third parties provide adequate levels of protection as specified under the GDPR.

Sharing personal data within Cardeo

In order to ensure that our business processes run uninterrupted we share personal data with service providers within Cardeo subject to obtaining consent from individuals whose personal data is shared. Such consent may be obtained in an online form (by ticking a box or similar form). We may share personal data without consent of an individual if it is required in order to provide services (or fulfill other obligations) to such individuals.

We may use personal data for other purposes subject to informing individuals whose personal data is used first.

We use and share personal data in relation to our website for the purposes of hosting and maintaining it, providing data storage; assisting us with database management, and in order to assist us with related tasks or processes.

All of our service providers are bound by written contract to process personal data provided to them only for the purpose of providing the specific service to us and to maintain appropriate security measures to protect such personal data.

Sharing with other third parties

We share personal data with our accountants, auditors, lawyers or similar advisers when we ask them to provide us with professional advice.

We share personal data with any other third party if we are under a duty to disclose or share personal data in order to comply with any legal obligation, or to protect our rights, property and/or safety of our personnel or others.

We share personal data with any other third party for the purposes of acting in accordance with the requirements of a court, regulator or government agency.

We share personal data with investors and other relevant third parties in the event of a potential corporate transaction that we may be party to.

All of the third parties that we have a contractual relationship with are under obligation to process personal data provided to them only for the purpose of providing the specific service to us.

Links to other websites

Our app contains hyperlinks to and from the websites of other third parties we feel may be of interest to you. Any hyperlinks we provide are there to help you access the services of those third parties and are for your reference and convenience only. They don’t imply any endorsement of the activities of those third-party websites or any association with their operators.

This privacy policy only applies to the personal data that we collect or which we received from third-party sources, and we aren’t responsible for personal data about you that is collected and stored by third parties. Third-party websites have their own terms and conditions and privacy policies, and you should read these carefully before you submit any personal data to these websites.

We do not endorse or otherwise accept any responsibility or liability for the contents of third party websites, terms and conditions or policies.

7. Personal data security, accuracy, minimisation, confidentiality

We have implemented appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way. Such measures include two-factor authorisation when accessing our data management systems, and market standard encryption algorithms used where our data is stored electronically. Moreover, such measures include means of physical protection and limited access in cases where our data is stored physically.

We limit access to personal data to employees and third parties on a need to know basis. Such employees and contractors are bound by our instructions and respective confidentiality agreements.

We have put in place procedures to deal with any suspected personal data breach and will notify relevant regulators and individuals of a breach where we are legally required to do so. However, we cannot guarantee there will not be a breach, and we are not responsible for any breach of security or for the actions of any third parties. We also cannot guarantee the security of any personal data that is being transmitted to us electronically.

We take reasonable effort to ensure that personal data in our possession is accurate and, where necessary, kept up to date, and any personal data of which we were informed that is inaccurate is erased or rectified. However, we cannot guarantee that personal data in our possession is accurate if we were not informed that it is inaccurate and given reasonable time to rectify discrepancies.

We take reasonable effort to ensure that personal data that we process is limited to the information reasonably necessary in connection with the purposes set out in this policy.

We treat personal data in our possession as confidential. We do not make personal data available to any third party, except our service providers for the purposes and on conditions set out in this policy or applicable laws. We maintain confidentiality agreements with all our service providers and employees.

8. Personal data retention

We take reasonable effort to ensure that personal data is processed for the minimum period necessary for the purposes set out in this policy. In order to ensure this, we consider the following:

  • The amount, nature, and sensitivity of the personal data in our possession

  • The potential risk of harm from unlawful breach or disclosure of personal data

  • Whether it is possible to fulfill the purposes stated in this policy without use of personal data in our possession

Once personal data is no longer able to be used in order to fulfill the purposes stated in this policy, we immediately delete it.

9. The rights of individuals

Individuals shall have the following rights with regard to personal data that we process:

The right to be informed

Individuals have the right to be informed about the collection and use of their personal data.

The right of access

Individuals have the right to access their personal data.

The right to rectification

An individual can make a request for rectification verbally or in writing.

The right to erasure

Individuals can make a request for erasure verbally or in writing.

The right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data.

The right to data portability

Individuals have the right to obtain and reuse their personal data for their own purposes across different services.

The right to object

Individuals have the right to object to the processing of their personal data in certain circumstances.

Each right listed above is not absolute and is subject to certain restrictions, exceptions and qualifications. We will be able to grant each such right only to an extent that is determined by us taking into account our prior assessment. We do not grant any rights that go beyond the rights explicitly granted by GDPR.

10. Contact details

Individuals may contact us with regard to the above rights. Individuals may submit a query or a complaint in relation to this. If a consumer submits a complaint this will be handled in accordance with our complaints policy.

Our full contact details are:

Full name of legal entity

Cardeo Ltd

Responsible officer

Gemma Bramhall

Email address

complaints@cardeo.com

Postal address

Hat Loft, 1 Mill Yard, Guildford Street, Luton, LU1 2NR, UK

11. Complaints

If you feel that we have broken our commitments to you in respect of our privacy policy you have the right to complain directly to us about this matter. To submit a complaint, please use the contact details provided above in section 10.

You also have the right to complain to the Information Commissioner’s Office (ICO) if you believe we might have broken data protection rules. The ICO can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745.

Cardeo’s ICO reference number is: ZA813859