1. Introduction
This privacy policy (the “Privacy Policy”) applies to all personal
information Kestrl uses. Our principal address is City Point, 1 Ropemaker
Street, London, England, EC2Y 9HT. This policy is tailored to comply with
the General Data Protection Regulation ((EU) 2016/679) (GDPR) and the Data
Protection Act 2018 (DPA 2018).
We provide you with an account and platform to help you spend smarter, save
more, manage and grow your money better. This Privacy Policy explains how we
collect and use your personal information to provide you with our products
and services.
Keeping your personal information secure and safeguarding your privacy are
really important to us. So is making sure you understand what personal
information we use, and how we use it, where we get it from, who we share
it with and what rights you have to control how we use it.
From time to time we may need to update this Privacy Policy. When we do,
we will let you know and publish the updated version in the Kestrl app and
website. Please ensure you read the Privacy Policy every time we make
changes to it, so you know exactly how we use your data and what your
rights are.
2. How we use your personal information
- To provide our products and services to you
- To meet our legal obligations
- To run our business
We have described these in greater detail in Schedule A below.
3. The information we use and where it comes from
- personal information you supply through the Kestrl app or website (for
example, when you sign up to Kestrl or when you use your account or get
in touch with us). This includes your name, address, email and other
contact details, ID and visual images (such as selfie or copy of
passport photo) and nationality;
- transactional and other information which we use to learn how you use
the Kestrl app, your card, your account, and any other third-party bank
accounts you have allowed us to access through account aggregation /
Open Banking;
- information we receive from third parties, such as those providing
services to us or you e.g. ID verification services, credit reference
agencies, fraud prevention or government agencies, and other banks;
- device information including your location, mobile phone network, IP
address and telephone number and how you use your mobile to access
Kestrl;
- information about your family, lifestyle and social circumstances (such
as dependents, marital status, next of kin and their contact details);
- information about your financial circumstances, including personal
wealth, assets and liabilities, proof of income and expenditure, credit
and borrowing history and needs and goals;
- where you provide further consent - online profile and social media
information and activity, based on your interaction with us and our
websites and app, including for example, your banking profile and login
information, Internet Protocol (IP) address, smart device information,
location coordinates, online and mobile banking security authentication,
mobile phone network information, searches, site visits and spending
patterns;
- information from publicly available sources including social media
profiles, the electoral register, the media and online search engines;
and
- information from our Marketplace partners where services are integrated
between us and them.
- information about racial or ethnic origin;
- religious or philosophical beliefs; or
- physical or psychological health details or medical conditions;
information, relating to the physical, physiological or behavioural
characteristics of a person, including, for example, using voice
recognition or similar technologies to help us prevent fraud and money
laundering.
Where permitted by law, we may use information about criminal convictions
or offences and alleged offences for specific and limited activities and
purposes, such as to perform checks to prevent and detect crime and to
comply with laws relating to money laundering, fraud, terrorist financing,
bribery and corruption, and international sanctions. It may involve
investigating and gathering intelligence on suspected financial crimes,
fraud and threats and sharing data between banks and with law enforcement
and regulatory bodies.
Your transaction history and account information may also contain special
categories of personal data. For example, if you have a payment for a
membership of a particular political party, this could reveal your
political beliefs. We will not profile you on the basis of this data or
otherwise use this data for any purposes other than providing our services.
4. Your Rights
Your rights in relation to the personal information we hold on you are set
out in the table below. If you wish to exercise any of these rights, or if
you have any queries about how we use your personal information which are
not answered here, you can contact us at info@kestrl.co.uk.
Please note that in some cases, if you don’t agree with how we use your
information, it may not be possible for us to continue to operate your
Kestrl account and/or provide certain products and services to you.
| Rights | Description |
| --- | --- |
| Access | You have the right to a copy of the personal information we hold on you and can request it by contacting us at info@kestrl.co.uk. |
| Erasure | You have the right to request we delete your personal information if you believe that: we no longer need to use it for the purposes for which it was provided; you wish to withdraw your consent and we have no other lawful basis to use the data; or we are not using your information in a lawful manner. |
| Restriction | You have the right to request us to restrict how we use your information if you believe that: the information that we hold about you is inaccurate; we no longer need to use your information for the purposes for which it was provided, but you require the information to establish, exercise or defend legal claims; or we are not using your information in a lawful manner. |
| Portability | You have a right to receive any personal information you provided to us directly in an electronic format and/or request that we send it to a third party, if technically feasible and secure. If you would like to do this please contact our support team at info@kestrl.co.uk. |
| Objection | You have the right to object to how we are using your information for the purposes described in Table C (which can be found at the end of this document), unless we can demonstrate overriding compelling and legitimate grounds for the processing or where we need to use your information to investigate and protect us or others from legal claims. |
| Marketing | You have a right to object to us using your personal information for direct marketing purposes, including profiling you for direct marketing. For more information see Section 10. |
| Lodge complaints | If you want to make a complaint about how we have handled your personal information, you can contact our Data Protection Officer who will investigate the matter. Please contact us at info@kestrl.co.uk or 020 71531087. We hope that we can address any concerns you may have, but if you are not satisfied, you can always contact the Information Commissioner’s Office (ICO). For more information, visit https://ico.org.uk/. |
5. Changing How We Use Your Information
From time to time, we may change the way we use your information. When
this happens, the new policy shall be posted onto our website, where you
will be able to access and read it.
6. Who We Share Your Information With
We will only use and share your information where it is necessary for us
to lawfully carry out our business activities. Your information will be
shared with our other Kestrl group companies and there are some
circumstances where we will also share your personal information with
third parties outside of the Kestrl group including fraud prevention
agencies, government entities and other third parties who we are required
or permitted by law to disclose to. In addition, by agreeing to this
Privacy Policy, you agree to us sharing your information with our
Marketplace Partners where you choose to access the Marketplace through
the Kestrl app. We will not share your information with anyone outside the
Kestrl group except:
- where we have your permission;
- where required for your product or service;
- where we are required by law and by law enforcement agencies, judicial
bodies, government entities, tax authorities or regulatory bodies around
the world;
- with other banks, individuals or organisations so that we can help
recover funds that have entered your account as a result of a payment
sent in error by one of the above;
- with companies providing services to us, such as market analysis and
benchmarking, correspondent banking, and agents and sub-contractors
acting on our behalf, such as ID verification services;
- when you agree to receive marketing from us, we may use social media
companies or other third-party advertisers to display relevant messages
to you about our products and services. Third party advertisers may also
use information about your previous web activity to tailor adverts which
are displayed to you;
- with other banks to help trace funds where you are a victim of suspected
financial crime and you have agreed for us to do so, or where we suspect
funds have entered your account as a result of a financial crime;
- with debt collection agencies;
- with credit reference and fraud prevention agencies;
- with external guarantors or other companies that provide you with
benefits or services (such as insurance cover) associated with your
product or service;
- where required for a proposed sale, reorganisation, transfer, financial
arrangement, asset disposal or other transaction relating to our
business and/or assets held by our business;
- in anonymised form as part of statistics or other aggregated data shared
with third parties;
- where necessary for our legitimate interests (e.g. to help us provide
and improve our products and services to make them better for you) or
those of a third party, and it is not inconsistent with the purposes
listed above.
If you ask us to, we will share information with any third party that
provides you with account information or payment services. If you ask a
third party provider to provide you with account information or payment
services, you’re allowing that third party to access information relating
to your account. We’re not responsible for any such third party’s use of
your account information, which will be governed by their agreement with
you and any privacy statement they provide to you.
Kestrl uses Smartlook to record sessions for the purpose of improving the
user experience. However, we do not record PII. For more information on
Smartlook, please visit www.smartlook.com.
In the event that any additional authorised users are added to your
account, we may share information about the use of the account by any
authorised user with all other authorised users.
7. Transferring Information Overseas
We may transfer your information to organisations in other countries
(including to other Kestrl group companies) on the basis that anyone to
whom we pass it protects it in the same way we would and in accordance
with applicable laws.
In the event that we transfer information to countries outside of the
European Economic Area (which includes countries in the European Union as
well as Iceland, Liechtenstein and Norway), we will only do so where we
are satisfied your information is adequately protected based on the
European Commission’s assessment of the countries in question, the
transfer has been authorised by the relevant data protection authority or
a suitable contract with the organisation we are sharing your information
with. You can contact us at info@kestrl.co.uk to get a copy of the relevant
data protection clauses in the contract.
8. Marketing
When you have told us that you want to hear from us via the app, email,
social media or other electronic means, we may contact you from time to
time about new products and services that we think could be of interest to
you via email, text and other forms of communication. You can adjust your
marketing preferences at any time by contacting us at info@kestrl.co.uk.
9. Communicating With You About Your Account
When we contact you, we may do so via the Kestrl app, as well as email,
text message, post and/or telephone. To help us get in touch with you
please keep your contact details in the app up to date.
We may monitor or record our communications with you in accordance with
applicable laws.
10. Credit Reference, Fraud Prevention, Identification and Verification Partners
We may access and use information from credit reference and fraud
prevention agencies when you open your account and periodically to:
- manage and make decisions about your accounts, including assessing your
credit worthiness and checks to avoid you becoming over-indebted;
- prevent criminal activity, fraud and money laundering;
- check your identity and verify the accuracy of the information you
provide to us; and
- trace debtors and recover debts.
The decision to provide you with a Kestrl account may be taken based
solely on automated checks of information from credit reference and fraud
prevention agencies and internal Kestrl group records. To work out your
credit score, we look at information you give us when you apply;
information from credit reference agencies that will show us whether
you’ve kept up to date with payments on any credit accounts (that could be
any mortgages, loans, credit cards or overdrafts), or if you’ve had any
court action such as judgments or bankruptcy; your history with us such as
maximum level of borrowing; and affordability, by looking at your
available net income and existing debts. You have rights in relation to
automated decision making, including a right to appeal the decision.
We will continue to share information with credit reference agencies about
how you manage your account including your account balance, payments into
your account, the regularity of payments being made, credit limits and any
arrears or default in making payments, while you have an account with us.
This information will be made available to other organisations (including
fraud prevention agencies and other financial institutions) so that they
can take decisions about you, your associates and members of your
household.
If false or inaccurate information is provided and/or fraud is identified
or suspected, details will be passed to fraud prevention agencies. Law
enforcement agencies and other organisations may access and use this
information. If we, or a fraud prevention agency, determine that you pose
a fraud or money laundering risk, we and others may refuse to provide the
services and financing you have requested, to employ you, or we may stop
providing existing services to you.
A record of any fraud or money laundering risk will be retained by the
fraud prevention agencies, and may result in others refusing to provide
services, financing or employment to you. Fraud prevention agencies can
hold your information for different periods of time, and if you are
considered to pose a fraud or money laundering risk, your data can be held
for up to six years.
Please also be aware that, to make verifying your identity as part of the
account opening process as easy as possible, we will send required
identification that you provide to us to a third party ID verification
service provider.
When the credit reference and fraud prevention agencies, and our identity
and verification provider, use your information, they do so on the basis
that they have a legitimate interest in preventing fraud and money
laundering, and to verify identity, in order to protect their business and
to comply with laws that apply to them.
Further, they are independent controllers of your data when they use your
personal information. If you want further details of how your information
will be used, you can contact them using the relevant details below.
11. How Long We Keep Your Information For
By providing you with products or services, we create records that contain
your information, such as customer account records, activity records, tax
records and lending and credit account records. Records can be held on a
variety of media (physical or electronic) and formats.
We manage our records to help us to serve our customers well (for example
to help us deal with any queries you may have about your account) and to
comply with legal and regulatory requirements. Records help us demonstrate
that we are meeting our responsibilities and to keep as evidence of our
business activities.
How long we keep records depends on the type of record, the nature of the
activity, product or service and the applicable local legal or regulatory
requirements. We (and other Kestrl group companies) normally keep customer
account records for up to six years after you close your account, whilst
other records are retained for shorter periods. How long we retain your
information for may change based on business or legal and regulatory
requirements.
We may in certain circumstances retain your information for longer
periods, particularly where we need to withhold destruction or disposal
based on an order from the courts or an investigation by law enforcement
agencies or our regulators. This is to make sure that we will be able to
produce records as evidence, if they're needed.
If you would like more information about how long we keep your
information, please contact us at info@kestrl.co.uk.
12. Security
At Kestrl, making sure that we and any third parties who act on our behalf
keep your personal information secure is really important to us.
Keeping your information secure is really important to us, which is why we
have strict technical and administrative procedures in place which keep
your information safe from unauthorised access.
Your information, as extracted by us from Truelayer, is encrypted using
the Advanced Encryption Standard/AES 256-bit encryption. Communication
between us and Truelayer’s database is securely encrypted and only
accessible through servers which are protected by firewalls. This
guarantees protection for all of the information that is processed by
Truelayer.
Please see our Terms of Use for more information on Truelayer and our
partnership with them.
Your user information and transaction history processed by us are
anonymised and encrypted.
Information that is processed by our Marketplace providers is under each
Marketplace provider’s control. Please read our Marketplace providers’
privacy policies/notices before purchasing their products.
Schedule A
We will only use and share your information where it is necessary for us
to carry out our lawful business activities. Your information may be
shared with and used by other Kestrl group companies and our Marketplace
Partners. We want to ensure that you fully understand how your information
may be used. We have described what we may use your information for below:
Table A: Contractual Necessity
We may use your information where it is necessary to enter into a contract
with you to provide you with our products or services or to perform our
obligations under that contract. Without this information, we may not be
able to continue to operate your Kestrl account and/or provide products
and services to you. This may include processing to:
- assess and process applications for products or services;
- provide and administer those products and services throughout your
relationship with Kestrl, including opening, setting up or closing your
account or products, collecting and issuing all necessary documentation,
following your instructions, processing transactions, including
transferring money between accounts, making payments to third parties,
resolving any queries or discrepancies and administering any changes,
including in relation to Aggregated Accounts;
- manage and maintain our relationships with you and for ongoing customer
service. This may involve sharing your information with other Kestrl
group companies to improve the availability of our services;
- communicate with you about your account(s) or the products and services
you receive from us. Calls with our support team and online
communications may be recorded and monitored for these purposes; and
- pass onto our Marketplace providers where you choose to access their
products and services through our app. Our Marketplace consists of
investment products including securities, commodities, and all other
products we may add in the future. These products are provided by our
Marketplace affiliates who we have collaborated with to bring you this
service. Once you have signed onto a Marketplace affiliate’s product on
Kestrl and the Marketplace affiliate’s co-branded landing page, all
information you provide will be processed by the Marketplace affiliate.
Please ensure you read the privacy policy for each Marketplace affiliate
you give your details to.
Table B: Legal Obligations
When you apply for a product or service (and throughout your relationship
with us), we are required by law to collect and use certain personal
information about you. Without this information we may not be able to
continue to operate your account and/or provide products and services to
you. This may include processing to:
- confirm your identity, including using face-recognition technology and
other identification procedures, for example fingerprint verification;
- perform checks and monitor transactions and location data for the
purpose of preventing and detecting crime and to comply with laws
relating to money laundering, fraud, terrorist financing, bribery and
corruption, and international sanctions. This may require us to use
information about criminal convictions and offences, to investigate and
gather intelligence on suspected financial crimes, fraud and threats and
to share data with law enforcement and regulatory bodies;
- share data with other banks and third parties to help recover funds that
have entered your account as a result of a misdirected payment by such a
third party;
- share data with police, law enforcement, tax authorities or other
government and fraud prevention agencies where we have a legal
obligation, including reporting suspicious activity and complying with
production and court orders;
- deliver mandatory communications to customers or communicating updates
to product and service terms and conditions;
- investigate and resolve complaints;
- conduct investigations into breaches of conduct and corporate policies
by our employees;
- manage contentious regulatory matters, investigations and litigation;
- perform assessments and analyse customer data for the purposes of
managing, improving and fixing data quality;
- provide assurance that the bank has effective processes to identify,
manage, monitor and report the risks it is or might be exposed to;
- investigate and report on incidents or emergencies on bank’s properties
and premises; and
- coordinate responses to business disrupting incidents and to ensure
facilities, systems and people are available to continue providing
services.
Table C: Legitimate Interests of Kestrl
We may use your information where it is in our legitimate interests to do
so as an organisation and without prejudicing your interests or
fundamental rights and freedoms.
A. We may use your information in the day to day running
of our business, to manage our business and financial affairs and to
protect our customers and employees. It is in our interests to ensure that
our processes and systems operate effectively and that we can continue
operating as a business. This may include processing your information to:
- monitor, maintain and improve internal business processes, information
and data, technology and communications solutions and services;
- ensure business continuity and disaster recovery and responding to
information technology and business incidents and emergencies;
- ensure network and information security, including monitoring authorised
users’ access to our information technology for the purpose of
preventing cyber-attacks, unauthorised use of our telecommunications
systems and websites, prevention or detection of crime and protection of
your personal data;
- provide assurance on our material risks and reporting to internal
management and supervisory authorities on whether we are managing them
effectively;
- perform general, financial and regulatory accounting and reporting;
- protect our legal rights and interests; and
- enable a sale, reorganisation, transfer or other transaction relating to
our business.
B. It is in our interest as a business to ensure that we
provide you with the most appropriate products and services and that we
continually develop and improve as an organisation. This may require
processing your information to enable us to:
- identify new business opportunities and to develop enquiries and leads
into applications or proposals for new business and to develop our
relationship with you;
- send you relevant marketing information (including details of other
products or services provided by us or other Kestrl group companies
which we believe may be of interest to you). We may show or send you
marketing material online (on our own and other websites including
social media platforms), in our app, or by email, sms or post;
- understand your actions, behaviour, preferences, expectations, feedback
and financial history in order to improve our products and services,
offer you insights into your spending and potential actions you could
take and to develop new products and services and to improve the
relevance of offers of products and services by Kestrl group companies
and our Marketplace Partners;
- monitor the performance and effectiveness of products and services;
- assess the quality of our customer services and to provide staff
training. For these purposes we may record and monitor our interactions
with you;
- perform analysis on customer complaints for the purposes of preventing
errors and process failures and rectifying negative impacts on
customers;
- compensate customers for loss, inconvenience or distress as a result of
services, process or regulatory failures;
- identify our customers’ use of third-party products and services in
order to facilitate the uses of customer information detailed above; and
- combine your information with third party data, such as economic data in
order to understand customers’ needs better and improve our services. We
may perform data analysis, data matching and profiling to support
decision making with regards to the activities mentioned above. It may
also involve sharing information with third parties who provide a
service to us.
C. It is in our interest as a business to manage our risk
and to determine what products and services we can offer and the terms of
those products and services. It is also in our interest to protect our
business by preventing financial crime. This may include processing your
information to:
- carry out financial, credit and insurance risk assessments;
- manage and take decisions about your accounts;
- carry out checks (in addition to statutory requirements) on customers
and potential customers, business partners and associated persons,
including performing adverse media checks, screening against external
databases and sanctions lists and establishing connections to
politically exposed persons;
- share data with credit reference agencies, fraud prevention agencies,
law enforcement agencies and identification verification service
providers;
- trace debtors and recover outstanding debt; and for risk reporting
and risk management.