Privacy Policy

Introduction Who we are Data we collect about you Collecting your data Using your data Processing your data Sharing your data Storing your data Your rights Contacting us TPL PRIVACY POLICY

1. Introduction

1.1. We value your privacy. We want to be accountable and fair to you and transparent about how we collect and use your personal data.

1.2. This privacy notice tells you what to expect when we collect and use personal data about you. It applies to all users of our website www.hellopillar.com and the Pillar mobile app.

1.3. You should also read our Terms of Use and Cookie Policy carefully before you decide to use our services.

1.4. Any changes we make to this privacy notice will be posted on this page, and we will notify you by email if there are any significant changes.

1.5. This privacy notice applies only to the personal data that we collect in relation to our services only. Our website may contain links to and from third party websites. For example, we may link to and from the websites of lenders, credit reference agencies, our partners, advertisers or affiliates. We can’t be responsible for personal data that these third parties collect, store and use through their website without our involvement. You should always read the privacy notice of each website you visit carefully and before you submit any personal data to them.

2. Who we are

2.1. We are Affinitech Limited. We own and operate the personalised financial essentials website, www.hellopillar.com, and the Pillar app. We provide a range of services to help you better understand and improve your financial situation and also provide a range of credit products.

2.2. Affinitech Limited is a company registered in England (No. 13637649). Our trading address and registered office address is Co-Foundry, 11-13 Cowgate, Peterborough, United Kingdom, PE1 1LZ.

2.3.     Affinitech Limited is an Appointed Representative of CREATIVE FINANCE CORP LTD which is registered in England and Wales (Company Registration Number- 09463062). Creative Finance Corp Limited is authorised and regulated by the Financial Conduct Authority (Reference number: 702435) in respect of:
     2.3.1.     Credit broking
     2.3.2.     Providing credit information services
     2.3.3.     Consumer credit lending

2.4. Data protection law applies to our collection and use of personal data and Affinitech Limited is the controller of that personal data (ICO Registration Number ZB261170).

2.5. If you have any questions about this privacy notice, please contact us or email us at help@hellopillar.com. If you wish to contact our Data Protection Officer you can email them at dpo@hellopillar.com, or you can write to them at Affinitech Limited, Co-Foundry, 11-13 Cowgate, Peterborough, United Kingdom, PE1 1LZ.

2.6. Please note that our partner, Transact Payments Limited (“TPL”), is the issuer of your payment card and is the independent Data Controller for the personal data which you provide to us in relation to processing undertaken to enable you to use the card. TPL is an e-money institution, authorised and regulated by the Gibraltar Financial Services Commission. TPL’s registered office address is 6.20 World Trade Center, 6 Bayside Road, Gibraltar, GX11 1AA and its registered company number is 108217.

2.7. When you apply for a Pillar card, you agree to TPL’s Cardholder Terms and Conditions and Privacy Policy which are provided to you when you sign up for a card. We encourage you to read the TPL Privacy Policy.

‍

3. What data we collect about you

3.1. Personal data means any information about an individual from which that person can be identified. It does not include data where the person's identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you. In this privacy notice we’ve used the following definitions to refer to some of this data:

3.2. Account data includes:

3.2.1. the basic information you provide when you sign up to use our services (e.g. first name, last name, date of birth, postcode, address details, residential status, employment status, annual income, phone number, email address and password);

3.2.2. any additional ‘affordability information’ you give us (e.g. marital status, additional household income, monthly rent or mortgage cost, how many people depend on you financially, monthly cost of childcare and dependent support); and

3.2.3. any information you give us about your job (e.g. job title, industry and/or company name).

It’s vital that you keep your account data accurate and up to date, because inaccurate personal data will produce inaccurate results. You can update your information in the Pillar app, and we sometimes will give you a nudge to do so when you log in. If you’re not sure how to update your information, please contact us through the in-app chat functionality.

3.3. Credit report data means information about your credit file given to us by Experian, Equifax or TransUnion (see section 7.1 for more details).

3.4. Credit score data means information about your credit score given to us by Experian, Equifax or TransUnion (see section 7.1 for more details).

3.5. Financial account information - Account balance, overdraft or credit limit, incoming and outgoing transactions, including the amount, data and description of transaction (together, “Transaction Data”) as well as your Account number and sort code.

3.6. Technical and behavioural data means details of your visits to the website including the actual pages you visit, IP address (from which we may derive your location) and details of the resources that you access, as well as your interaction with messages (e.g. whether or not you have opened an email from us). We also capture information about your computer or device including, where available, your operating system and browser type.

3.7. We also collect, use and share aggregated data such as statistical or demographic data. Aggregated data may be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

4. How we collect your data

We use different methods to collect data from and about you, including:

4.1.     Direct interactions. You may give us your personal data by filling in forms or by corresponding with us. This includes personal data you provide when you:
     4.1.1.     sign up for a Pillar account;
     4.1.2.     contact us (for example by post, phone, email or via our website or app);
     4.1.3.     give us feedback; or
     4.1.4.     enter a competition, promotion or survey.

4.2. Credit reference agencies. The credit reference agencies that we work with will give us eligibility data, credit score data and credit report data.

4.3. Open Banking providers / Account Information Services Providers. We work with Consents Online, An Equifax Company in order for you to provide us with access to your account transaction information. As part of this process you directly provide the information (where prompted to) from your relevant financial provider which is providing access to your account. We may ask for you to instruct us to provide ongoing access to your transaction information. In such circumstances you will be asked every 90 days if you would like to continue sharing your information with the option to stop doing so.

4.4. Automated technologies or interactions. We’ll automatically collect technical and behavioural data as you interact with our website or app. For example, we use cookies and other similar technologies (e.g. pixels) to tell us which area of the website you have visited and which products you have clicked out on. For more information on how we use Cookies and similar technologies, please read our Cookie Policy.

5. How we use your data

5.1. Personalisation

5.1.1. All of our services are personalised to you. This means that we’ll analyse and profile your personal data to tailor the services we provide to you. This includes using the information that you have given us directly or that we have collected, such as account data, service-specific data or technical and behavioural data, and also information that we have obtained through third parties, such as your credit report data, credit score data, eligibility data, and product application data.

5.1.2. We’ll use your personal data to personalise the information we show you in your account and that we send to you by email or push notification.

5.1.3.     For example, we’ll use your personal data to tailor:
     5.1.3.1.      The eligibility checks we do for you;
     5.1.3.2.     The information we show you about your free credit report and credit score;
     5.1.3.3.     whether or not we wish to offer you a Pillar credit card;
     5.1.3.4.     where you have agreed to receive marketing from us, the marketing material we send you.

5.1.4.      Pillar will soft search you while your account is live, to provide you with updates and personalised information and offers. For example, Pillar and its partners will soft search your credit file with the credit reference agencies:
     5.1.4.1.     to create and update your free credit report, if you have one; and
     5.1.4.2.    to provide an indication about your eligibility for a Pillar Card.

5.1.5. See section 5.4 for more details about soft searches.

5.2. Pillar credit cards

5.2.1. When you sign up for a Pillar account, we may ask Experian to carry out a soft search in order to understand your eligibility for a credit product provided by Pillar.

5.2.2. Some of these soft searches that we do will leave a ‘footprint’ on your credit file. For more information about soft searches and footprints, see section 5.4 below.

5.2.3. If you agree to apply for a Pillar credit card after the eligibility check, a hard search will be recorded with the Credit Reference Agencies (CRAs), which may be seen by other lenders. If you agree to the credit terms we offer, we will continue to exchange information about you with CRAs, whilst you have a relationship with us.

5.3. Your credit score and credit report

5.3.1. When you sign up for a Pillar account, we may use your account data to check whether Experian, Equifax and TransUnion are able to provide you with a free credit report and credit score.

5.3.2. You will need to successfully pass an authentication process before we can show you your credit report and credit score. If you pass, Experian, Equifax and TransUnion will give us your credit report data and credit score data, and we will show this to you in your account.

5.3.3. We’ll ask the credit reference agencies for your updated credit report data and credit score data at least every month for as long as you have a live Pillar account. We reserve the right to suspend these monthly searches if your account is deemed as inactive.

5.3.4. We may also offer the feature to allow you to refresh your credit scores and report when you log-in to the app. If so, this feature will be accessible within the Pillar app and will allow you to be provided with an updated credit report and credit score.

5.3.5.     We’ll use your credit report data and credit score data:
     5.3.5.1.     to provide you with your free credit report and credit score; and
     5.3.5.2.     to make our service better and more personalised to you, as explained in this privacy policy.

5.3.6. For a summary of the different ways in which we use your credit report data and credit score data see section 6. Some of the credit report and credit score searches that we do will leave ‘footprints’ on your credit file. For more information about soft searches and footprints, see section section 5.4.

5.4. Soft searches and ‘footprints’ on your credit report

5.4.1. Some of our services involve soft searching your credit file. A soft search is like a quick peek at your credit file. Soft searches will not harm your credit rating or affect the way lenders see you, and are not visible to third parties on your credit report.

5.4.2.     You (and only you) may see these soft searches as ‘footprints’ on your credit report in either our name or the name of one of the partners or credit reference agencies that we work with. Soft searches on your credit file will be given different markings, depending on their purpose, such as:
     5.4.2.1.     Affordability
     5.4.2.2.     Anti-Money Laundering
     5.4.2.3.     Consumer Credit File Request
     5.4.2.4.     Identity Check
     5.4.2.5.     Quotation/Preliminary Search

5.4.3.     You may see multiple footprints on your credit file because soft searches will be carried out:
     5.4.3.1.     when you first sign up for our services; and
     5.4.3.2.     in the background on a monthly basis to refresh your credit report and credit score (we reserve the right to suspend these monthly searches if your account is inactive).

5.5. Hard searches on your credit report

5.5.1. If you agree to apply for a Pillar credit card after the eligibility check, a hard search will be recorded with the CRAs, which may be seen by other lenders. If you agree to the credit terms we offer, we will continue to exchange information about you with CRAs, whilst you have a relationship with us.

5.6. Keeping in touch

Service messages

5.6.1. We’ll send you a welcome email when you sign up.

5.6.2. If you have a free credit report with us, we’ll send you messages as a reminder that we’ve retrieved your credit report and credit score data.

5.6.3. We may also send you ad hoc service emails from time to time (for example, to contact you about forgotten passwords or to notify you about changes to our services).

5.6.4. If push notifications are enabled on your device, we may send you service messages by push notification.

5.6.5. Retrieving your credit report and credit scores from the credit reference agencies are core elements of our account service. We want to make sure that you remember that we are getting this data about you each month, even if you don’t need to log into your account very often. Similarly, other service messages will contain important information about your account or our services.

5.6.6. Similarly, if you take out a Pillar credit we will be obliged to provide you with service information relating to your ongoing use of the product e.g. transaction notifications as well as statutory documents such as monthly statements.

5.6.7. Please be aware that you can’t unsubscribe from service messages. If you do not wish to receive service messages, you will need to close your Pillar account, which you can do within the Pillar app.

5.6.8. We’ll keep refreshing your credit report and credit score (and sending you service messages about them) until you close your Pillar account or we terminate or suspend your account (e.g. for misuse). We reserve the right to suspend these monthly searches if your account is inactive.

5.7. Marketing

5.7.1.     When you sign up for a Pillar account, you can choose not to receive marketing messages. You can also unsubscribe from receiving marketing communications at any time by:
     5.7.1.1.     updating your preferences from within your Pillar app; or
     5.7.1.2.     messaging us through our in app chat messaging service or emailing us at help@hellopillar.com; or
     5.7.1.3.     clicking the unsubscribe link in any marketing email from us; or
     5.7.1.4.     (for push notifications) updating your push notification preferences or settings.

5.7.2. If you have not opted out of marketing (or if you have otherwise consented to receiving marketing from us) we’ll use your personal data to send you tailored offers or information about our products and services that may be of interest to you. For example, we will use your personal data to provide a marketing communication to you when you may be eligible for a Pillar credit card.

5.7.3. We may occasionally have arrangements in place with third parties that have a direct relationship with you and they may send information to you about us and our services where they are legally permitted to do so.

5.8. Website, app and message analytics

5.8.1.     We use technical and behavioural data:
     5.8.1.1.     for system administration;
     5.8.1.2.     to measure and analyse traffic to our website or app;
     5.8.1.3.     to enable us to analyse behaviour and trends on the website and app; and
     5.8.1.4.     to personalise marketing (for example, if you have not opened marketing emails in a while, we may start sending you less).

Meeting our legal and regulatory obligations

5.8.2.     We and our third-party service providers are required to comply with certain legal and regulatory requirements including:
     5.8.2.1.     complying with our regulatory obligations to the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO); and
     5.8.2.2.     addressing enquiries or complaints from you or from a regulator.

5.8.3. We may process your personal data to comply with those requirements. For example, the Financial Conduct Authority requires us to provide extra support to consumers that are vulnerable. To help us do this, we may add a ‘vulnerable consumer’ flag to your customer service record, if we consider that you meet the Financial Conduct Authority’s criteria for vulnerability.

5.8.4. Occasionally, we may be asked to provide certain information to regulators or law enforcement agencies. We’ll comply with these requests where legally required or permitted.

Fraud Prevention

5.8.5. Pillar and the third parties that we work with (e.g. credit reference agencies) will process and share your data for the purposes of fraud prevention.

6. Our legal process for processing your personal data

Purpose/Activity	Type of data	Lawful basis for processing including basis of legitimate interest
To provide you with your credit score and free credit report as well as a Pillar credit card	Account data Credit report data Credit score data	Legitimate interest (When you sign up for a Pillar account and we use your account data to check whether the CRAs are able to provide you with a free credit report and credit score) Performance of a contract with you (when we retrieve your credit report data and credit score data)
To verify your identity and request access to your Transaction Data from your bank or other financial provider. This will include: verifying the information you provide with the Credit Reference Information Equifax already hold about you; disclosing the information to your nominated banking provider, so they can confirm your identity and grant access to your Transaction Data; and conducting any additional verification checks.	Account data Transaction data Account Number and Sort Code	We are required by law to ensure your identity prior to providing services It is in our legitimate interest to take reasonable steps to help verify your identity.
To send you service messages	Account data Credit report data Credit score data Product application data Service-specific data	Performance of a contract with you
To send you marketing messages or to include or exclude you from targeted advertising	Account data Eligibility data Credit report data Credit score data Marketing data Technical and behavioural data	Necessary for our legitimate interests (to promote our products and services) Consent (e.g. where you give opt-in consent to receive email marketing from us or when you opt in to marketing using the preference centre)
Correspondence with you	Account data Product application data Marketing data Technical and behavioural data Any additional personal data that you provide as part of your correspondence	Necessary for our legitimate interests (to ensure customer satisfaction and to answer queries about the service, to monitor trends in queries to improve the services)
To meet legal or regulatory requirements	Account data Credit report data Credit score data Eligibility data Marketing data Service-specific data Product application data Technical and behavioural data	Compliance with a legal or regulatory requirement to which we are subject to comply with
To assist the wider industry with fraud prevention	Account data Product application data Technical and behavioural data	Necessary for our legitimate interests (as a company working in the financial services industry)
To carry out research and development and business insight	Account data Eligibility data Credit report data Credit score data Marketing data Product application data Technical and behavioural data Transaction data Service-specific data	Necessary for our legitimate interests (to help us understand our customers, to improve our products and services and to inform our marketing strategy)

7. How we share your personal data with others

7.1. Credit Reference Agencies

     7.1.1.     In order to process your application, we will perform credit and identity checks on you with one or more Credit Reference Agencies (CRAs). We may also carry out further periodic searches at CRAs to allow us to manage your account with us.
     7.1.2.     To do this, we will supply your personal information to CRAs. This will include your name, date of birth and residential address. It may also include additional information such as your salary, previous residential addresses and other information you provide as part of your credit application.
     7.1.3.     The CRAs will match this information to the records they hold about you, and provide in return, both public information (including the electoral register) and shared credit information in relation to your financial situation and financial history.
     7.1.4.     CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information. We will use this information to:

Assess your creditworthiness and whether you can afford to take the product;
Verify the accuracy of the data you have provided to us;
Prevent criminal activity, e.g fraud and money laundering;
Manage your account(s);
Trace and recover any debts; and
Ensure any offers provided to you are appropriate to your circumstances.‍

     7.1.5.     We will continue to exchange information about you with CRA’s while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full or on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
     7.1.6.     We will also provide with the CRAs with information relating to the private rental payments you make each month, you should be aware that these transactions can adversely affect your credit history.
     7.1.7.     When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
     7.1.8.     If you are making a joint application, or tell us that you have a spouse (or a financial associate), we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as your spouse (or financial associate) successfully files for a disassociation with the CRAs to break the link.
     7.1.9.     The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail through the following links:

Experian - www.experian.co.uk/legal/crain/
TransUnion - www.transunion.co.uk/CRAIN
Equifax - www.equifax.co.uk/crain

7.1.10. Experian, Equifax and TransUnion’s Privacy Policies can be found through the following links:

Experian - www.experian.co.uk/consumer/privacy.html
Equifax - www.equifax.co.uk/public-sector/en_gb
TransUnion - www.transunion.co.uk/legal/privacy-centre

7.1.11. In addition, we will share information with Equifax’s group company, Consents Online Limited as part of our process of verifying your identity as well as you sharing your Transaction Information with us. Consents Online’s Privacy Policy can be found here: consents.online/Privacy

7.2.     We also operate Pillar’s credit monitoring service (“Pillar Monitor”) in conjunction with the UK credit reference agencies Experian, Equifax and TransUnion (“CRAs”).
     7.2.1.     By submitting your details to us, you are consenting to them being passed to the credit reference agencies and to us letting you know every time your Credit Score or report data has been updated.
     7.2.2.     The CRAs may share the information they collect from us with fraud prevention agencies, including Cifas, who will use it to prevent fraud and money-laundering and to verify your identity. Law enforcement agencies may access and use this information.
     7.2.3.     If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by the CRAs can be obtained in their privacy policies, found in section 7.1.10. Within the policies will be information on how to contact the CRAs for further information.
     7.2.4.     The CRAs may access and use the information recorded by fraud prevention agencies from other countries.
     7.2.5.     More information about your rights in relation to the personal data the CRAs hold and how your details will be used by the CRAs can be found in their Privacy Policies in 7.1.10.

7.3.     The information regarding your rental payments and track record as a tenant, will be shared with the CRAs. The CRAs will add this information to the credit reference data it holds about you and use it as a controller, in accordance with their privacy policies (7.1.10) including to assist organisations to:
     7.3.1.     assess and manage any new tenancy agreements you may enter into;
     7.3.2.     assess your financial standing to provide you with suitable products and services;
     7.3.3.     manage any accounts that you may already hold, for example reviewing suitable products or adjusting your product in light of your current circumstances;
     7.3.4.     contact you in relation to any accounts you may have and recovering debts that you may owe;
     7.3.5.     verifying your identity, age and address, to help other organisations make decisions about the services they offer;
     7.3.6.     help to prevent crime, fraud and money laundering;
     7.3.7.     screen marketing offers to make sure they are appropriate to your circumstances;
     7.3.8.     plus, for the CRAs to undertake statistical analysis, analytics and profiling and,
     7.3.9.     to conduct system and product testing and database processing activities, such as data loading, data matching and data linkage.

7.4. If you would like to see more information on these, and to understand how the credit reference agencies each use and share rental data as bureau data (including the legitimate interests each pursues) this information is provided in the CRAs’ Credit Reference Agency Information Notice “CRAIN” notices here:

Experian - www.experian.co.uk/legal/crain/
TransUnion - www.transunion.co.uk/CRAIN
Equifax - www.equifax.co.uk/crain‍

7.5. Please note, you are eligible for the Rent Reporting feature if your name is on the tenancy agreement and you pay rent to the person who owns the property directly or you pay an agent on their behalf. Rent Reporting means we will report your rental payments to the credit reference agencies.

7.6. If you pay a housemate and they pay on your behalf or you pay in another way, like in cash, then sadly we cannot recognise these payments yet. We need to see a pattern of payments for you to get the benefit, so we may wait until we see six consistent payments before we report them but once you have reached that mark then you will get the benefit for every payment.

7.7. We will consider you to be making consistent payments if you pay a rental amount, to the same payee on your rent payment date. If your tenancy changes in any way, you can update these details with us and we will update the CRAs regarding this so that your rental payments can continue to be recognised.

7.8. We and the CRAs will ensure that your information is treated in accordance with UK data protection law, so you can have peace of mind that it will be kept secure and confidential and your information will not be used for prospect marketing purposes.

7.9. If you are unhappy with anything relating to rent reporting, please contact us via the contact details in 2.5. You also have the ability to get in touch with the Information Commissioner’s Office. More information about this can be found using this link here: ico.org.uk/concerns/.

7.10. Payment Services Providers

We use GoCardless to process your Direct Debit payments. More information on how GoCardless processes your personal data and your data protection rights, including your right to object, is available at gocardless.com/legal/privacy/

7.11. Fraud Prevention and Financial Crime Agencies

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by reading CIFAS’ Privacy Policy (www.cifas.org.uk/fpn), Jumio’s (www.jumio.com/legal-information/privacy-notices/) as well as Comply Advantage’s policy (complyadvantage.com/privacy-notice/).

7.12. Marketing and advertising agencies

7.12.1. We share a limited amount of your personal data with companies that help us with marketing and advertising, namely:

your marketing preference data (i.e. whether or not you have agreed to receive marketing from us);
your technical and behavioural data (e.g. cookie and pixel data); and/or
your email address (in a protected format).

‍     7.12.2.     The marketing and advertising companies with whom we share your personal data include service providers who provide platforms and systems that we use to help us serve marketing and advertising (i.e. Facebook).
     7.12.3.     Some of this information is gathered through cookies and other similar technologies on our website and app. For more information about how we use cookies please see our Cookie Policy.
     7.12.4.     In some cases, these third parties will also use the data that they collect for their own purposes, for example they may aggregate your data with other data they hold and use this to inform advertising related services provided to other clients.

7.13. Sharing your data with our Principal Firm

7.13.1. We work with and are an appointed representative of Creative Finance Corp Limited to provide our services to you. This requires us to share your personal data with Creative Finance Corp Limited, so that Creative Finance Corp Limited can meet its regulatory obligations as the regulated principal.

7.14. Other third parties

7.14.1. We may share your personal data with:

the Financial Conduct Authority, the Information Commissioner’s Office or any other legal, regulatory or governmental body that we are required to disclose information to;
our suppliers of technical and support services, insurers, logistic providers, and cloud service providers; these include Google Cloud Platform (GCP) and Intercom instant messaging service
the analytics and search engine providers that assist us in the improvement and optimisation of our website and services.

‍     7.14.2.     We may share your personal data with potential suppliers and partners if we want to trial those suppliers and partners to see if they can help us improve our services. For example, we may share your personal data with potential suppliers and partners to test the efficacy of their systems. We’ll only do this where we need to use real rather than dummy or anonymous data for the test to be effective. Some of these trials will involve soft searching your file and may leave footprints on your credit file.
     7.14.3.     We may consider corporate transactions such as a merger, acquisition, reorganisation or asset sale. We may share information with third parties in relation to that transaction. If we are acquired in whole or part, customer personal data may be one of the assets transferred.
     7.14.4.     We may disclose or share your personal data with third parties (e.g. professional advisors or public bodies) if it is necessary to:

enforce or apply our terms of use and other agreements; and
protect the rights, property or safety of our staff, customers or other people.

‍ 7.14.5. This includes exchanging information with other companies and organisations for the purposes of identity verification and validation, fraud protection and credit risk reduction.

7.15. Transferring data outside of the country

7.15.1. We currently transfer some of your personal data to the USA to our chat and messaging provider Intercom. This transfer is done through the recognised transfer mechanism standard contractual clauses.
7.15.2. If, in the future, we transfer any more of your personal data outside of the EEA, we’ll take steps necessary to ensure that your data is treated securely and in accordance with this privacy notice and all relevant statutory requirements. This includes using recognised transfer mechanisms that incorporate appropriate safeguards. For example, we use approved standard contractual arrangements to transfer personal data, where appropriate.

8. How we store your personal data

8.1. What we do to keep your personal data safe

8.1.1 All the information that you give us is stored on secure servers. The internet is not a secure medium, but we’ve put in place various security procedures to protect your information. We use firewalls to block unauthorised traffic to the servers. We host your information on Google’s Cloud Platform (GCP) which is secure and can only be accessed by ourselves. We use industry-standard encryption technology to ensure that all your personal and transactional information is encrypted before transmission to certain lenders or third-party service providers. Our security policies are in place to safeguard your privacy from unauthorised access or improper use. We’ll continue to enhance our security as and when new technology becomes available.

8.2. What you can do to keep your personal data safe

8.2.1. You’re responsible for keeping your Pillar account password confidential. We ask you not to share a password with anyone. From time to time, we or our service providers may communicate with you by email. You should keep your email account secure. Where possible, you should not provide us with any personal data that we’ve not asked for. If you’re unsure whether we need a certain piece of information, please ask us first before sending it to us.

8.3. How long we keep your personal data for

8.3.1. We keep your personal data for no longer than necessary for the purposes for which the personal data is processed. We may retain personal data where we need to for:

the purposes of complying with our legal and regulatory responsibilities;
responding to legal and regulatory enquiries;
our own required record keeping
Answer any queries/complaints you may have;
Respond to queries or investigations from the Financial Conduct Authority or Financial Ombudsman Service; or to Respond to legal claims.

8.3.2. We’ll keep the archived data for no longer than six years following your account closure.

9. What are your rights in relation to personal data

9.1. Data protection law provides you with a number of rights in relation to your personal data (which are summarised below). You can exercise these rights by contacting us via email on help@hellopillar.com

9.2. Subject to the requirements of applicable laws and certain limitations or exemption, you have the right to:

access your personal data and be provided with certain information in relation to it, such as the purpose for which it is processed;
require us to correct any inaccuracies in your personal data without undue delay;
require us to erase your personal data (please be aware that the right of erasure under data protection law is not an absolute right as it only applies in relation to one or more specific circumstances);
require us to restrict the processing of your personal data;
receive the personal data which you have provided to us in a machine readable format, where we are processing it on the basis consent or to comply with a contract with you (please see the above tables) and such processing is automated; and
object to a decision that we make which is based solely on automated processing of your personal data.

9.3. Access to your credit report and corrections

9.3.1. In addition to the rights listed above, you also have the right to obtain your statutory credit report free of charge from Experian. This report contains all the personal data Experian holds about you that is relevant to your financial standing. If you wish to find out how to exercise this right please visit: www.experian.co.uk/consumer/statutory-report

9.3.2. Should you wish to request access to all of the personal data Experian holds about you (not just your credit report) you have the right to do so (as noted above).

9.3.3. Experian wants to make sure that your personal information is accurate and up to date. However, please be aware that as a credit reference agency, much of the information Experian holds about you is received from lenders and banks. Experian is not able to automatically amend this information upon request. Experian must instead follow a set process of informing the relevant lender and seeking their clarity as to the validity of the data. While this process is undertaken, Experian will make a note on your file that a rectification request has been made. For more details on your rights please review the Experian Information Notice at www.experian.co.uk/legal/crain/

9.4. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK data protection regulator. More information can be found on the ICO website at ico.org.uk

10. How to contact us

10.1. If you have any questions about this privacy notice or our use of your personal data, please contact us through the in app messenger or via email us at help@hellopillar.com

TPL PRIVACY POLICY

This policy explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

TPL is committed to safeguarding the privacy of your information. By “your data”, "your personal data”, and “your information” we mean any personal data about you which you or third parties provide to us.

We may change this Policy from time to time so please check this page regularly to ensure that you’re happy with any changes.

Who are we?

Transact Payments Limited (“TPL”, “we”, “our” or “us”) is the issuer of your card and is the Data Controller for the personal data which you provide to us in relation to the card only. TPL is an e-money institution, authorised and regulated by the Gibraltar Financial Services Commission. Our registered office address is 6.20 World Trade Center, 6 Bayside Road, Gibraltar, GX11 1AA and our registered company number is 108217.

Affinitech Ltd (t/a Pillar) is the Program Manager for your card program and is the Data Controller for any personal data which you provide which is not related to the card. Pillar is incorporated and registered in England & Wales with company number 13637649 whose registered office is at Co-Foundry, 11-13 Cowgate, Peterborough, United Kingdom, PE1 1LZ (the “Program Manager”).

How do we collect your personal data?

We collect information from you when you apply online or via a mobile application for a payments card which is issued by us. We also collect information when you use your card to make transactions. We may also process information from Program Manager, other third party payment partners and service providers. We also obtain information from third parties (such as fraud prevention agencies) who may check your personal data against any information listed on an Electoral Register and/or other databases. When we process your personal data we rely on legal bases in accordance with data protection law and this privacy policy. For more information see: On what legal basis do we process your personal data?

On what legal basis do we process your personal data?

Contract

Your provision of your personal data and our processing of that data is necessary for each of us to carry out our obligations under the contract (known as the Cardholder Agreement or Cardholder Terms & Conditions or similar) which we enter into when you sign up for our payment services. At times, the processing may be necessary so that we can take certain steps, or at your request, prior to entering into that contract, such as verifying your details or eligibility for the payment services. If you fail to provide the personal data which we request, we cannot enter into a contract to provide payment services to you or will take steps to terminate any contract which we have entered into with you.

Legal/Regulatory

We may also process your personal data to comply with our legal or regulatory obligations.

Legitimate Interests

We, or a third party, may have a legitimate interest to process your personal data, for example:
- To analyse and improve the security of our business;
- To anonymise personal data and subsequently use anonymized information.

What type of personal data is collected from you?

When you apply for a card, we, or our partners or service providers, collect the following information from you: full name, physical address, email address, mobile phone number, phone number, date of birth, gender, login details, IP address, identity and address verification documents.

When you use your card to make transactions, we store that transactional and financial information. This includes the date, amount, currency, card number, card name, account balances and name of the merchant, creditor or supplier (for example a supermarket or retailer). We also collect information relating to the payments which are made to/from your account.

How is your personal data used?

We use your personal data to:
  - set up your account, including processing your application for a card, creating your account, verifying your identity and printing your card.
  - maintain and administer your account, including processing your financial payments, processing the correspondence between us, monitoring your account for fraud and providing a secure internet environment for the transmission of our services.
  - comply with our regulatory requirements, including anti-money laundering obligations.
  - improve our services, including creating anonymous data from your personal data for analytical use, including for the purposes of training, testing and system development.

Who do we share your information with?

When we use third party service partners, we have a contract in place that requires them to keep your information secure and confidential.

We may receive and pass your information to the following categories of entity:
  - identity verification agencies to undertake required verification, regulatory and fraud prevention checks;
  - information security services organisations, web application hosting providers, mail support providers, network backup service providers and software/platform developers;
  - document destruction providers;
  - Mastercard, Visa, digital payment service partners or any third party providers involved in processing the financial transactions that you make;
  - anyone to whom we lawfully transfer or may transfer our rights and duties under this agreement;
  - any third party as a result of any restructure, sale or acquisition of TPL or any associated entity, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us.
  - regulatory and law enforcement authorities, whether they are outside or inside of the United Kingdom (UK) or European Economic Area (EEA), where the law requires us to do so.

Sending personal data overseas

To deliver services to you, it is sometimes necessary for us to share your personal information outside the UK/Gibraltar e.g.:
  - with service providers located outside these areas;
  - if you are based outside these areas;
  - where there is an international dimension to the services we are providing to you.

These transfers are subject to special rules under Gibraltar data protection law.

These countries do not have the same data protection laws as Gibraltar. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. We will send your data to countries where the Gibraltar Government has made a ruling of adequacy, meaning that they have ruled that the legislative framework in the country provides an adequate level of data protection for your personal information. You can find out more about adequacy regulations here and here.

Where we send your data to a country where no adequacy decision has been made, our standard practice is to use standard data protection contract clauses that have been approved by the United Kingdom government and/or the European Commission. You can obtain a copy of the European Commission’s document here and the UK’s document here.

If you would like further information, please contact our Data Protection Officer on the details below.

How long do we store your personal data?

We will store your information for a period of five years after our business relationship ends in order that we can comply with our obligations under applicable legislation such as anti-money laundering and anti-fraud regulations. If any applicable legislation or changes to this require us to retain your data for a longer or shorter period of time, we shall retain it for that period. We will not retain your data for longer than is necessary.

Your rights regarding your personal data?

You have certain rights regarding the personal data which we process:
  - You may request a copy of some or all of it.
  - You may ask us to rectify any data which we hold which you believe to be inaccurate.
  - You may ask us to erase your personal data (where applicable).
  - You may ask us to restrict the processing of your personal data.
  - You may object to the processing of your personal data (where applicable).
  - You may ask for the right to data portability.
  - If you would like us to carry out any of the above, please email your request to the Data Protection Officer at DPO@transactpaymentsltd.com.

How is your information protected?

We recognise the importance of protecting and managing your personal data. Any personal data we process will be treated with appropriate care and security.

These are some of the security measures we have in place:
  - We use a variety of physical and technical measures to keep your personal data safe.
  - We have detailed information and security policies to ensure the confidentiality, integrity, and availability of information.
  - Your data is stored securely on computer systems with control over access on a limited basis.
  - Our staff receives data protection and information security training on a regular basis.
  - We use encryption to protect data at rest and anonymization where applicable.
  - We have adequate security controls to protect our IT infrastructure and staff computers including but not limited to Identity and Access Management, Firewalls, VPN, Antivirus, Advanced Email Threat Protection and more.
  - We conduct regular audits such as PCI-DSS to ensure we are following adequate security controls to protect your data.

While we take all reasonable steps to ensure that your personal data will be kept secure from unauthorised access, we cannot guarantee it will be secure during transmission by you to the applicable mobile app, website or other services over the internet. However, once we receive your information, we make appropriate efforts to ensure its security on our systems.

Complaints

We hope that our Data Protection Officer can resolve any query or concern you may raise about our use of your personal information.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Gibraltar is the Gibraltar Regulatory Authority. Their contact details are as follows:

Gibraltar Regulatory Authority,
2nd floor, Eurotowers 4, 1 Europort Road, Gibraltar.
(+350) 20074636/(+350) 20072166 info@gra.gi

Other websites

Our website may contain links to other websites. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

Changes to our Privacy Policy

We keep our Privacy Policy under review and we regularly update it to keep up with business demands and privacy regulation. We will inform you about any such changes. This Privacy Policy was last updated on 10 July 2023.

How to contact us

If you have any questions about our Privacy Policy or the personal information which we hold about you or, please send an email to our Data Protection Officer at DPO@transactpaymentsltd.com.

‍