Credit Privacy Policy

Keebo, a Wagestream company
Who are we?

We are Keebo Limited (“we”, “our”, “us”). We are part of the Wagestream group and we operate the credit services features of the Wagestream app (the “App”). We’re registered with the UK data protection authority (the Information Commissioner’s Office or ICO) under reference number ZA568528.

This policy explains how and why we use your personal information when you open a Wagestream credit card account and use our App or card, or services for account holders.

Read our Cookie Policy for information on how we use cookies.

We are committed to protecting and respecting your privacy. We will:

  • Always keep your information safe and private;
  • Never sell your information; and
  • Allow you to manage and review your marketing choices at any time.

Why do I need to read this notice?

We may collect personal information when you use:

  • Our website at wagestream.com;
  • The App; or
  • Any of the services you can get access through the Wagestream app or website.

Under data protection law, we are what is known as the ‘data controller’ of your personal information. This document explains what information we collect, how we use it, and your rights if you want to change how we use your personal information. Got a question about something in this policy, or want to contact our Data Protection Officer (DPO)? Send us an email at [email protected] or write to us at 2- Work, Bank House, 27 King Street, Leeds, LS1 2HL.

The information we hold about you, and how we use it
Information you give us

We may collect information you provide when you:

  • Fill in any forms;
  • Correspond with us;
  • Register to use the App;
  • Apply for a credit card or use any of our services;
  • Take part in online discussions, surveys or promotions;
  • Speak with a member of our customer support team
  • Enter a competition; or
  • Contact us for any other reasons.

We may collect the following information:

  • Details you give when you sign up for a Wagestream credit card account, like your name, phone number, home address, date of birth (“basic details”).
  • Identification documents (for example, your passport or driving licence number), copies of any documents you have provided for identification purposes, and any other information you provide so we can set up an account for you.
  • The log-in credentials and settings you choose for the App and card, so we can give you the services you ask for safely.
  • Details of your bank account, including the account number, sort code and IBAN.
  • Details of your credit cards, including the card number, expiry data and CVC.
  • Your profile picture if you add one.
  • Details about your financial circumstances, to work out how we can provide credit to you.
  • Information you give us so we can help you.
  • Records of our discussions, if you contact us or we contact you.
  • The email address you use when you contact us and the contents of the email (and any attachments)
  • Answers you give to surveys so we can improve our services.
  • Public details from your social media profile (like Facebook, Instagram or Twitter) if you reach out to us via these platforms, and the contents of your messages or posts to us.

Information we collect when you use the App and our services

We collect this information to give you services in a safe and lawful way, and to keep improving them. This includes:

  • Details on transactions (for example, payments on your card and repayment), including date, time, amount, currencies, details of the merchant or ATMs associated with the transaction, IP address of sender and receiver, and other payment information;
  • Details about services from us and our partners that you express interest in; and
  • Details about how you use the App and your credit card.
 
Information we collect from your device

Whenever you use our website or the App, we may collect the following information:

  • Technical information, including the IP address used to connect your device to the internet, log-in information, browser type, time-zone setting, operating system, type of device you use, a unique device identifier, mobile network information, your mobile operating system, the type of mobile browser you use, and so on. This is used so we can analyse how our website and the App work and solve bugs.
  • Information about your visit, including the links you clicked on, through and from our site, page response times, download errors, length of visit to certain pages, page interaction information, and methods used to browse away from the page.
  • Your mobile advertising ID, so we can share it with companies that help us with advertising online. You can reset this ID or limit tracking in ‘Settings’ on your phone.
  • Your location if you’ve authorised tracking, so we can protect you against fraud. Information stored on your device, including if you give us access to contact information from your address book, log-in information, photos, videos or other digital content.

Information we get from external sources

When you sign up, we may search your record at:

  • Credit reference agencies (CRAs) to check what credit card product we can offer you.
  • Fraud prevention agencies and KYC (Know Your Customer) and AML (Anti Money Laundering) service providers to fulfill our legal duties.
  • Banks that you explicitly consent to linking to your Wagestream credit card account.

We may also collect information about you from public sources for AML reasons or market research. This includes:

  • Official public records, like the Electoral Register or Companies’ House; and
  • Information published by the press or on social media.

Our reasons for using your information

Data protection laws say we need to have a lawful basis for using your personal data. At least one of the following must apply: contractual or legal duty, legitimate interest, public interest, vital individual interest or consent. In this section we explain which one we rely on to use your data in a certain way.

We need to use your data for a contract we have with you, or to enter into a contract with you. We use details about you to:

  • Consider your application;
  • Give you the services we agreed to in line with our terms and conditions;
  • Send you messages about your account and other services you use if you get in touch, or we need to tell you about something;
  • Exercise our rights under contracts we’ve entered into with you, like managing, collecting and recovering money you owe us; and
  • Investigate and resolve complaints and other issues.

Cifas

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further information can be found on https://www.cifas.org.uk/fpn

We need to use your data to comply with the law


We:

  • Confirm your identity when you sign up or get in touch;
  • Check your record at immigration and fraud prevention agencies;
  • Prevent illegal activities like money laundering, tax evasion and fraud;
  • Check your credit history and financial circumstances so that we can make responsible decisions when providing your credit card;
  • Keep records of information we hold about you in line with legal requirements; and
  • Adhere to financial laws and regulations (these mean we sometimes need to share customer details with regulators, law enforcement or other third parties).

When it’s in our ‘legitimate interest’. We need to use your data for our legitimate interests, or those of a third party. This means using data in a way that you might expect us to, for a reason which is in your and/or our (or a third party’s) interest and which doesn't involve overriding your privacy rights.


We may:

  • Check your record at CRAs when you sign up to see what kind of credit card we can offer. We will also check your credit history to help us develop and offer credit products that are tailored to you.
  • Tell you about products and services through the App or other channels, like social media companies, based on how you use our products and services and other information we hold about you. We do this so that we can make sure our marketing is useful. We don’t share any other identifying information about you with social media than your mobile advertising ID (unless you’ve disabled it).
  • Show where you were when you bought something with Google maps (in the App) and send you travel reports when you’re abroad (we tell this from transaction data, not by tracking your phone).
  • Track, analyse and improve the services we give you and other customers and how you respond to ads we show. We may ask for feedback if you’ve shown interest in a service. We do this so that we can make our products better and understand how to market them.
  • Protect the rights, property or safety of us, our customers or others.
  • Carry out security and maintenance checks to make sure the App, website and other services run smoothly for you.
  • Manage our business and financial affairs and protect our customers and staff.
  • Share information with credit bureaus so we can benefit from up-to-date information when we make decisions, and other companies so they can help us provide our services.

Consent

We’ll ask for your consent to:

  • Linking any bank accounts to the App.
  • Record any issues you want us to know about, like a gambling addiction or information about your health, so we understand how to best support you.
  • Tell you about our products and services, and those of our partners if we think they’re of interest to you. You can unsubscribe from our emails by email or via the App. If you don’t want to see lending promotions, you can opt out via the App ‘Settings’.
  • Help protect you against fraud by tracking the location of your phone if you’ve authorised it (iOS).
  • Show your profile picture in the App if you add one.
  • Share information about you with companies we work with when we need your permission (see ‘Who we share your data with’ below).

You don’t have to share information about yourself if you don’t want to. But if you don’t, you may not be able to use some (or any) of our services.

 
Who we share your data with
‍Companies that give services to us

Here we mean companies that help us provide services you use, and need to process details about you for this reason. We share as little information as we can and encrypt and/or make it impossible for you to be identified by the recipient where possible (for instance by using a User ID rather than your name).

  • Companies that make and issue our Wagestream credit cards.
  • Card producers and networks, like Visa and Mastercard.
  • Know Your Customer (KYC) and Anti-Money Laundering (AML) service providers that help us with identity verification or fraud checks
  • Credit reference agencies (CRAs)
  • Cloud computing power and storage providers
  • Our business intelligence and analytics platform provider
  • Companies that help us with functional analytics (to help us solve technical issues with the App for instance)
  • Companies that help us with marketing (but we won’t share identifiable personal data with third parties for their own direct marketing unless you give us permission, and you can opt out any time)
  • Software companies that we use for emailing you
  • Companies that help us with customer support (like our subsidiaries)
  • Companies that offer benefits or rewards through special programmes you sign up to via the App
  • Companies that print written statements and notices
  • Companies that manage our CCTV and security if you visit our offices

Anyone you give us permission to share it with

We tell you in the App when we need your consent to share your data with:

  • Your bank.
  • People you’ve asked to represent you, like solicitors.
  • Law enforcement and other external parties.
 
Group companies             

We share your personal data within the Wagestream group of companies to:        

  • provide you with the best service;
  • protect you, other customers and our systems from fraud or harmful behaviour;
  • facilitate you quickly signing up to use other Wagestream products or services;
  • improve existing, or develop new, products or services;
  • transfer information for reporting, regulatory or transaction processing purposes; and
  • send you information about Wagestream products and services we think you’ll be interested in hearing about.

 

We may share your details with:

  • Authorities that spot and stop financial crime, money laundering, terrorism and tax evasion if the law says we have to, or if it’s necessary for other reasons.
  • The police, courts or dispute resolution bodies if we have to
  • Banks to help trace money if you’re a victim of fraud or other crimes or if there’s a dispute about a payment.
  • Any other third parties where necessary to meet our legal obligations.

We may also share your details with people or companies if there’s a corporate restructure, merger, acquisition or takeover.

 
Information provided to CRAs

We will need to carry out credit checks when you apply for any of our credit products and to also help us develop and offer credit products tailored to you.

These checks of your credit history (credit insights) mean that when you apply for credit products, or we suggest credit products to you through the Wagestream app, we can better understand your financial circumstances and repayment history, and can tailor our credit products to your needs.

Some of the searches we make when you apply for a credit product leave a 'soft footprint' on your credit history. This means that the search will be registered on your credit file but will not be visible to others if they search your credit history. This means that you will be able to see this footprint but other people won't. A soft footprint will not affect your credit rating.

If you apply for credit, we will supply your personal information to CRAs and they will give us information about you, such as about your financial history. We do this to assess your creditworthiness, product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

We will also exchange certain information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at www.experian.co.uk/crain.

Some of our third-party providers, such as fraud-prevention agencies, may also use CRAs to help us check your identity and prevent fraud. These searches also only leave a soft footprint credit history. We do not accept joint account holders, but credit-reference agencies may sometimes link your credit record with that of anyone else who is financially connected to you.

Due to the international nature of our services, we use credit-reference agencies and fraud-prevention agencies in the UK and overseas.

Sometimes you may have a right to see your personal records held by credit-reference and fraud-prevention agencies. If you would like details of the credit-reference and fraud-prevention agencies we use, please contact us by sending an email to [email protected].

When we make automated decisions

We sometimes use computers to make decisions. We do this for things like deciding what credit product we can offer you based on information we hold about you, and information we get from CRAS. This includes details on whether you’ve kept up to date with payments on any credit accounts, and if you’ve been to court. You can ask for a member of the team to review a decision.

We also use automated checks to make decisions about applications for Wagestream credit cards. But we never reject an application unless a member of staff has reviewed it first.

How we protect your personal information

We store your information on our secure servers.

Any payment transactions carried out by us or our payment-processing providers will be encrypted.

If you use a password for the Wagestream app or our website, you will need to keep this password confidential. Please do not share it with anyone.

Unfortunately, providing information online is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee that all information you provide through the Wagestream app or our website will be secure. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

When you use our services, which include social networking, chat room or forum features, do not share any personal information that you don't want to be seen, collected or used by other users, as this information will become publicly available.

How long we keep your information

We keep most of your data as long as you’re using the Wagestream app or the Wagestream credit card, and for 6 years after that to comply with the law and if we face a legal challenge. In some circumstances, like cases of anti-money laundering or fraud, we may keep data longer if we need to (that’s in our legitimate interest) and/or the law says we have to. To work out how long we keep different categories of data, we consider why we hold it, how sensitive it is, how long the law says we need to keep it for, and what the risks are.

Your rights

You have a right to:

  • Access the personal data we hold about you, or to get a copy of it;
  • Ask for a copy of your personal data in a portable (machine-readable) format or make us send it to someone else;
  • Make us correct inaccurate data;
  • Ask us to delete, 'block' or suppress your data, though for legal reasons we might not always be able to do it;
  • Say no to us using your data for direct marketing and in certain other ‘legitimate interest’ circumstances;
  • Withdraw any consent you’ve given us; and
  • Ask a member of staff to review a computer-made (automated) decision.

To do any of these things, please contact us through the app or by emailing [email protected]. Data protection laws, like the GDPR, give us one month to respond.

Where we store or send your data

We may transfer and store the data we collect from you to organisations outside the European Economic Area ("EEA"). When we do this, we make sure that your data is protected and that:

  • The European Commission says the country or organisation has adequate data protection, or
  • We’ve agreed to standard data protection clauses approved by the European Commission with the organisation.

If you’d like a copy of the relevant data protection clauses, please send an email to [email protected].

How to make a complaint

If you have a complaint about how we use your personal information, please contact us through the app or send an email to [email protected] and we’ll do our best to fix the problem. You can also reach our Data Protection Officer in these ways.

If you’re still not happy, you can refer your complaint with a data protection supervisory authority in the EU country you live or work, or where you think a breach has happened. The UK’s supervisory authority is the Information Commissioner’s Office (ICO). For more details, you can visit their website at ico.org.uk.

Changes to this policy

We’ll post any changes we make to our privacy notice on this page and if they’re significant changes we’ll let you know by email.

TPL Privacy Policy

This policy explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

TPL is committed to safeguarding the privacy of your information. By “your data”, "your personal data”, and “your information” we mean any personal data about you which you or third parties provide to us.

We may change this Policy from time to time so please check this page regularly to ensure that you’re happy with any changes.

Who are we?

Transact Payments Limited (“TPL”, “we”, “our” or “us”) is the issuer of your card and is the Data Controller for the personal data which you provide to us in relation to the card only. TPL is an e-money institution, authorised and regulated by the Gibraltar Financial Services Commission. Our registered office address is 6.20 World Trade Center, 6 Bayside Road, Gibraltar, GX11 1AA and our registered company number is 108217.

Wagestream Financial Services Limited (“WFS”) is the Program Manager for your card program. Keebo Limited (“Keebo”) is the Data Controller for any personal data which you provide which is not related to the card. WFS is incorporated and registered in England and Wales with registered office at 35 Gresse Street, London, United Kingdom, W1T 1QY and company registration number 13926226. Keebo is incorporated and registered in England and Wales with company number 12227891 and registered office is at Second Home, London Fields, 125 – 127 Mare Street, London, United Kingdom, E8 3SJ. Postal address: 2- Work, Bank House, 27 King Street, Leeds, LS1 2HL.

 

How do we collect your personal data?

We collect information from you when you apply online or via a mobile application for a payments card which is issued by us. We also collect information when you use your card to make transactions. We may also process information from Program Manager, Keebo, other third-party payment partners and service providers. We also obtain information from third parties (such as fraud prevention agencies) who may check your personal data against any information listed on an Electoral Register and/or other databases. When we process your personal data, we rely on legal bases in accordance with data protection law and this privacy policy. For more information see: On what legal basis do we process your personal data?

 

On what legal basis do we process your personal data?

Contract

Your provision of your personal data and our processing of that data is necessary for each of us to carry out our obligations under the contract (known as the Cardholder Agreement or Cardholder Terms & Conditions or similar) which we enter into when you sign up for our payment services. At times, the processing may be necessary so that we can take certain steps, or at your request, prior to entering into that contract, such as verifying your details or eligibility for the payment services. If you fail to provide the personal data which we request, we cannot enter into a contract to provide payment services to you or will take steps to terminate any contract which we have entered into with you.

Legal/Regulatory

We may also process your personal data to comply with our legal or regulatory obligations.

Legitimate Interests

We, or a third party, may have a legitimate interest to process your personal data, for example:

  • To analyse and improve the security of our business;
  • To anonymise personal data and subsequently use anonymized information.

What type of personal data is collected from you?

When you apply for a card, we, or our partners or service providers, collect the following information from you: full name, physical address, email address, mobile phone number, phone number, date of birth, gender, login details, IP address, identity and address verification documents.

When you use your card to make transactions, we store that transactional and financial information. This includes the date, amount, currency, card number, card name, account balances and name of the merchant, creditor or supplier (for example a supermarket or retailer). We also collect information relating to the payments which are made to/from your account.

 

 

How is your personal data used?

We use your personal data to:

- set up your account, including processing your application for a card, creating your account, verifying your identity and printing your card.

- maintain and administer your account, including processing your financial payments, processing the correspondence between us, monitoring your account for fraud and providing a secure internet environment for the transmission of our services.

- comply with our regulatory requirements, including anti-money laundering obligations.

- improve our services, including creating anonymous data from your personal data for analytical use, including for the purposes of training, testing and system development.

 

Who do we share your information with?

When we use third party service partners, we have a contract in place that requires them to keep your information secure and confidential.

We may receive and pass your information to the following categories of entity:

  • identity verification agencies to undertake required verification, regulatory and fraud prevention checks;
  • information security services organisations, web application hosting providers, mail support providers, network backup service providers and software/platform developers;
  • document destruction providers;
  • Mastercard, Visa, digital payment service partners or any third party providers involved in processing the financial transactions that you make;
  • anyone to whom we lawfully transfer or may transfer our rights and duties under this agreement;
  • any third party as a result of any restructure, sale or acquisition of TPL or any associated entity, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us.
  • regulatory and law enforcement authorities, whether they are outside or inside of the United Kingdom (UK) or European Economic Area (EEA), where the law requires us to do so.

 

 

 

Sending personal data overseas

To deliver services to you, it is sometimes necessary for us to share your personal information outside the UK/Gibraltar e.g.:

  • with service providers located outside these areas;
  • if you are based outside these areas;
  • where there is an international dimension to the services we are providing to you.

These transfers are subject to special rules under Gibraltar data protection law.

These countries do not have the same data protection laws as Gibraltar. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. We will send your data to countries where the Gibraltar Government has made a ruling of adequacy, meaning that they have ruled that the legislative framework in the country provides an adequate level of data protection for your personal information. You can find out more about adequacy regulations here and here.

 

Where we send your data to a country where no adequacy decision has been made, our standard practice is to use standard data protection contract clauses that have been approved by the United Kingdom government and/or the European Commission. You can obtain a copy of the European Commission’s document here and the UK’s document here.

 

If you would like further information, please contact our Data Protection Officer on the details below.

 

How long do we store your personal data?

We will store your information for a period of five years after our business relationship ends in order that we can comply with our obligations under applicable legislation such as anti-money laundering and anti-fraud regulations. If any applicable legislation or changes to this require us to retain your data for a longer or shorter period of time, we shall retain it for that period. We will not retain your data for longer than is necessary.

 

Your rights regarding your personal data?

You have certain rights regarding the personal data which we process:

  • You may request a copy of some or all of it.
  • You may ask us to rectify any data which we hold which you believe to be inaccurate.
  • You may ask us to erase your personal data (where applicable).
  • You may ask us to restrict the processing of your personal data.
  • You may object to the processing of your personal data (where applicable).
  • You may ask for the right to data portability.
  • If you would like us to carry out any of the above, please email your request to the Data Protection Officer at [email protected].

 

How is your information protected?

We recognise the importance of protecting and managing your personal data. Any personal data we process will be treated with appropriate care and security.

These are some of the security measures we have in place:

  • We use a variety of physical and technical measures to keep your personal data safe.
  • We have detailed information and security policies to ensure the confidentiality, integrity, and availability of information.
  • Your data is stored securely on computer systems with control over access on a limited basis. 
  • Our staff receives data protection and information security training on a regular basis.
  • We use encryption to protect data at rest and anonymization where applicable.
  • We have adequate security controls to protect our IT infrastructure and staff computers including but not limited to Identity and Access Management, Firewalls, VPN, Antivirus, Advanced Email Threat Protection and more.
  • We conduct regular audits such as PCI-DSS to ensure we are following adequate security controls to protect your data.

While we take all reasonable steps to ensure that your personal data will be kept secure from unauthorised access, we cannot guarantee it will be secure during transmission by you to the applicable mobile app, website or other services over the internet. However, once we receive your information, we make appropriate efforts to ensure its security on our systems.  

 

Complaints

We hope that our Data Protection Officer can resolve any query or concern you may raise about our use of your personal information.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Gibraltar is the Gibraltar Regulatory Authority. Their contact details are as follows:

Gibraltar Regulatory Authority,

2nd floor, Eurotowers 4, 1 Europort Road, Gibraltar.

(+350) 20074636/(+350) 20072166   [email protected]

 

Other websites

Our website may contain links to other websites. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

 

Changes to our Privacy Policy

We keep our Privacy Policy under review and we regularly update it to keep up with business demands and privacy regulation. We will inform you about any such changes. This Privacy Policy was last updated on 22nd November 2023.

 

How to contact us

If you have any questions about our Privacy Policy or the personal information which we hold about you or, please send an email to our Data Protection Officer at [email protected].