Privacy Notice
We understand that your privacy is precious. We commit to making sure that any of your personal data we collect and process is done so lawfully, only when required and is handled with care at every stage.
This notice describes how we will do this, and what rights you have. If you do not agree with any of these terms, you should stop using Zero services immediately.
If you have any concerns or questions about how we process your data, you can contact complianceteam@zero.co.uk.
The data we use:
We gather information about you when you use our website https://www.zero.co.uk/, use the Zero mobile app and card, and other related services you agree to, such as marketing or waiting lists. This data may include contact and identity information, financial usage, device information, marketing preferences, banking information you allow us to access and carbon usage/impact related to your spending.
1. How we get your data
a. You give it to us
You give it to us when you use our services, or it is sent to us when you use our services, either automatically or when you specifically agree to it.
· Information you give us. This is data you voluntarily provide or give us permission to use when you apply for or use our services, or when you contact us with a query/comment or take part in surveys or testing.
· Account data includes information you provide to use our services, such as names, phone numbers, email addresses, passcodes, UK residency status and delivery or home addresses.
· Information you provide when you interact with us, such as free text information you include in queries, feedback, survey responses, user testing responses, complaints, or any other direct interaction we have with you including that information on customer support calls which are recorded.
· ID data includes information you provide to confirm your identity, such as a copy of your photo ID document e.g. passport or driving licence, and the information contained on it including your date of birth, address and the document reference number, your photograph on the ID document and a scanned image of your face. It may also include additional data we may request from you to prove your identity such as proof of address documents, utility bills, bank statements and other documents we specifically request which you then provide to us.
· Marketing and communications data includes your preferences in relation to marketing, such as the way in which you prefer to be contacted or any opt-outs you notify us of from time to time.
· Carbon impact data includes information about your carbon footprint and related activities. This could include your carbon usage via spending and any impactful life choices you tell us about e.g., being vegetarian.
· Banking data includes identifying information about other accounts you link to your Zero account via open banking. This could mean partial card numbers, bank or account names you link to help you identify your carbon impact score
All personal information that you provide to us must be true, complete and accurate, and you must notify us of any changes to such personal information in order to ensure that we hold the most up to date information about you.
b. It is sent to us when you use our services
We will collect transaction data from the business who issue your Zero Debit card, provide your Zero e-wallet, plus any Open Banking connections you voluntarily make through our app. This is to ensure we can categorise your spending and calculate your carbon score for you in our app.
· Transaction data includes Zero Debit Card transaction data. We use your Zero debit card and e-wallet information to collect and display to you in our app, dates, merchants and locations. This also means we can calculate your carbon score and offer you appropriate offsetting and impact reduction services.
o The Zero debit card and e-money account are provided by Transact Payments Limited who are an authorised Electronic Money Institution regulated by the Gibraltar Financial Services Commission. Transact Payments Limited provide Zero with transaction information relating to your activity on the Zero Card and their privacy policy can be found here.
· Transaction data also includes Open Banking transaction data: If you choose to link your Zero app to other bank accounts, we use an open banking account information service, provided by Plaid Financial Ltd. Plaid are an authorised payment institution regulated by the Financial Conduct Authority (firm reference number 804718) under the Payment Services Regulations 2017. Plaid will provide Zero with account, balance, transaction and merchant data for accounts you give express permission to link to our service, to enable us to display your spending and balance, and allow us to calculate your carbon score. You can view Plaid’s privacy policy at https://plaid.com/legal/#consumers
c. Information automatically collected
Some information is collected automatically when you visit our website, use our App or any of our services through cookies or similar technologies. This information is needed to maintain the security and operation of our Website and App, for troubleshooting and for our internal analytics and reporting.
· Usage data. We automatically collect certain information about how and when you use our services so that we can maintain security of our services and for internal reporting and analytic purposes. This information includes from which URL you arrived at our site (website only), which pages on our website or application you visit, for how long, and which links or actions you have clicked.
· Device data. We collect device data such as information about your computer, phone, tablet or other device you use to access the website and application including information about your operating system and a partial IP address (or proxy server). Depending on the method of interaction used, this device data may include the following information:
o Website only: Browser type and version, operating system.
o Mobile App only: Mobile device ID, hardware model and manufacturer, language preferences, internet service provider and/or mobile carrier, type of mobile used and device name.
d. Information we receive from other sources including third parties.
In addition to the third parties, we expressly name above, we will receive personal data about you from various other third parties as set out below:
· Contact, financial and transaction data from providers of payment services whom we make you aware of at the time of requesting payment from you.
2. How we use your data
We process your information for specific purposes based on legitimate business interests, to fulfil our contract with you, compliance with our legal obligations, and/or your consent and we may decide to use your data where it’s closely related to one of the purposes below. We will always contact you to let you know in advance if we decide to process data for a new purpose that is unrelated to the below listed purposes, or where we think you won’t expect us to process data for that new purpose.
We use the information we collect or receive for the purposes in bold text below and on the legal basis we’ve underlined:
· To open your account and allow you to log in. We use your account and ID Data to create your unique account and to have means of checking who you are, verifying your device and email address and contacting you. We do this to provide our Services under our agreed contract and to comply with our legal obligations (including those of our third parties who are subject to certain regulations).
· To manage your Zero account. We may use transaction data and climate impact data to calculate your carbon score to fulfil our contract with you and we may make further use of that information on the basis of the legitimate interest of society as a whole in reducing carbon emissions (for example, statistical, research and educational purposes as described below). By using your Zero Debit Card to make purchases or linking other accounts/cards to your Zero app via Open Banking links, or by providing identifying bank names and partial card numbers to help you identify linked cards, you are directly providing this information to us.
· To respond to your inquiries/offer support. In order to fulfil our contract and other obligations to you, we may use your account, usage, device, and/or carbon Impact data and any other relevant information about your Zero account to respond to your inquiries and to try to resolve any potential queries or complaints you might have with the use of our App or Services generally.
· Push Notifications. We may request to send you push notifications if you consent regarding your account or certain features of the App. If you wish to opt-out from receiving these types of communications, you may turn them off in your device settings.
· To protect our business and our users. We may use your information as part of our efforts to keep our App and Services safe and secure generally for all users (for example, for fraud and money laundering/terrorist financing monitoring and prevention). We will check your name regularly against lists of sanctioned individuals, adverse media and politically exposed people and monitor your transactions to comply with our legal obligations in combating crime. These are both a legal obligation and contract requirement to ensure the security of our App and Services and to protect our users, but it’s also in our legitimate commercial interests to provide a safe and secure service generally because if we couldn’t do that, we would likely lose business. Please note that this is not a credit check and will in no way affect your credit score.
· To enforce our terms, conditions and policies in order to protect our business interests. We monitor your account usage as part of our contract requirement and our legitimate interest in protecting our business and acting in its best interests.
· To comply with legal and regulatory requirements (legal obligation) such as carrying out identity and verification checks including via our third-party providers.
· To update or provide notice to you in connection with our contract.
· To respond to legal requests and prevent harm (legal obligation). If we receive a witness summons or other legal request from a law enforcement agency for example, we may need to inspect the data we hold to determine how to respond. We will consider each request on its merits and judge that against our users right to privacy in each case by limiting the information we share to only that which we consider necessary, and we will record our decision internally in order to create an auditable trail (legal obligation).
· Administer 'Community Options’. We may use your information to administer your shares in our ‘community option’ scheme when you elect to participate in it (contract). We will keep you updated about the scheme progress regularly as a potential shareholder in Zero.
· To send you marketing and promotional communications. We may use the personal information you send to us for our own marketing purposes if this is in accordance with your marketing preferences on the basis of our legitimate interest in sending you offers as our customer that are closely related to our Services and we think would legitimately be of interest to you. For example, when expressing an interest in obtaining information about us or our Services, subscribing to marketing or otherwise contacting us, we will collect personal information from you, and we will gain some insight into what you are interested in. We will give you the opportunity to opt-out of marketing at the time, and you can always later decide to opt-out of our marketing emails if you change your mind (see the "WHAT ARE YOUR PRIVACY RIGHTS" below).
· To post testimonials. We may post testimonials on our Services (either by directly requesting your permission or from an external review website e.g., Trustpilot) that may contain the name of the person providing the testimonial. By submitting a testimonial for this purpose, we presume this to be with your consent (which you can withdraw at any time).
· Request feedback. We may use your name and mobile number/email address to request your feedback and to contact you about your use of our Services on the basis that we have a legitimate interest in asking users to provide feedback for the purpose of improving and marketing our products and services. We will not contact you if you have opted out of marketing.
· To improve our own products and Services generally, including improving customer experience or to inform how we develop new products and services. This means data analysis, identifying usage and general customer behavioural trends (such as carbon scores, but this doesn’t involve “profiling” you individually), measuring effectiveness of any promotional campaigns, to evaluate and improve our Services, products and better tailor our marketing and your experience.
3. When and how we share your data
We only share information with third parties where a legal basis allows us to do that, which will be with your consent, to comply with laws, to provide you with contractual services, to protect you or your rights, or where our legitimate interests don’t unfairly conflict with your right to privacy and where we have explained that interest to you on an appropriate policy or notice (legitimate interests).
This includes the following circumstances:
· Identity checks. Because of the nature of our Services, we use a third-party provider (Onfido) to perform a check on your name and address via credit reference agencies (this is not a credit check), voters roll, telephone check and mortality register. Onfido will also perform a validity check on the identity document you provide and the live face scan you record. Onfido also use a sub-processor (Comply Advantage) to screen the name on your ID document and year of birth against global Sanctions lists, adverse media lists and lists of politically exposed individuals. These are measures we take in order to help us comply with anti-fraud, anti-money laundering and counter terrorist financing regulations that we and third parties we work with may be subject to.
o Onfido act as a processor entirely upon Zero’s instruction. Zero remains the controller of your data and continue to be responsible for it, ensuring that Onfido are contractually obliged to process personal data with at least the same degree of protection as we set out in this policy.
o The personal information Onfido collect may be transferred to and processed outside the UK. They may subcontract the processing of your data to, or otherwise share your data with, its affiliates or third parties in the United States or countries other than the UK. The data protection laws in these countries may be different from, and less stringent than those in the UK however, Onfido only transfer your personal information to countries where the EU Commission has decided that they have an adequate level of data protection, or where they take measures to ensure that all recipients provide an adequate level of data protection. Onfido do this for example by entering into appropriate data transfer agreements based on Standard Contractual Clauses as approved by the UK or the EU (as applicable) from time to time.
o For more information about Onfido’s processing activities generally, Onfido’s privacy policy can be found here: https://onfido.com/privacy/
o Comply Advantage’s privacy policy: https://complyadvantage.com/privacy-notice/
· Card Issuing. The Zero debit card is issued by Transact Payments Limited and physical cards are created and sent to you by TagNitecrest. When you sign up to the card via the Zero app, we will provide Transact Payments Limited with your contact information, date of birth and address/delivery address so that Transact Payments Limited can create your card details and send them to TagNitecrest to make your card and deliver it to you. In relation to the Zero debit card issuing, Transact Payments Limited is the controller of your data in relation to the Zero debit card only and Zero is the controller of your data in relation to any data you provide which is not related to the Zero debit card.
· Card Processing. The Zero debit card transactions you make are processed by Marqeta. When you sign up to the card via the Zero app, we will provide Marqeta with your contact information, date of birth and e-wallet/debit card information so that they can process your card payments. Their privacy policy can be found at https://www.marqeta.com/privacy
· E-wallet creation. We use Transact Payments Limited to provide you with an e-wallet which you can use to send/receive funds and make card payments from as per our contract with you. We provide you with an account number and sort code via the Zero app, Transact Payments Limited is the controller of your data you provide in relation to your e-wallet only and Zero is the controller of your data in relation to any data you provide which is not related to the e-wallet.
· Payment monitoring. As part of our regulatory obligations we will monitor transactions for potentially suspicious activity to protect our customers and meet our regulatory obligations. This monitoring is performed on a platform provided by Salv Technologies OÜ, a private limited company based in Estonia, whose registered office is Veerenni 38b, 10135 Tallinn, Estonia, and company registry code is 14518700. Their privacy policy can be found at https://salv.com/privacy-policy/
· Business Transfers. We may share or transfer your information in connection with, or during negotiations in anticipation of, any merger, financing, or acquisition of all or a substantial portion of our business to another business. Where your data is subject to a business transfer such as this, that won’t affect the level of protection your personal data receives, and it will still be processed subject to this privacy notice unless we inform you otherwise.
· Verifying your email address and mobile number. In order to verify your email address, we will share your name and email address with Postmark who will send you an email on which you have to verify your email address. To verify your mobile number, we will share your mobile number with ClickSend who will send you an SMS with a onetime passcode (OTP) which may be required to verify you for security purposes. ClickSend and Postmark’s privacy policy can be found respectively at:
https://www.clicksend.com/gb/legal, https://postmarkapp.com/privacy-policy
4. Cookies
We use cookies to collect and store your website activity information.
We often use cookies to access or store information about usage of our Website. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our cookie notice for website users.
5. How long do we keep your information?
We keep your information for as long as necessary to fulfil the purposes outlined in this privacy notice unless otherwise required by law.
We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). We have a data retention policy which sets out how long we keep different data for, and we provide this on request if you contact us to ask for it.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or if this is not possible (for example, because your personal information has been stored in backup archives), we will securely store your personal information and isolate it from any further processing until deletion is possible.
6. How do we keep your information safe?
We aim to protect your personal information through a system of organisational and technical security measures.
We have implemented appropriate technical and organisational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security, and improperly collect, access, steal, or modify your information, but we will promise to do our best to protect your personal information. Transmission of personal information to and from our Services, including your use of Wi-Fi and unsecured network environments, is at your own risk. You should only access the Services within a secure environment.
7. Information from minors
We do not knowingly solicit data from or market to children under 13 years of age. This is the age that the UK government considers that you are old enough to consent to processing of your personal data. By using the Services, you represent that you are at least 18. If we learn that personal information from users less than 13 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 13, please contact us at compliancetam@zero.co.uk
8. Your privacy rights
You have rights that allow you access to, and control over, your personal information. You may review, change, or terminate your account at any time.
Under UK data protection laws you have rights which include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; (v) to withdraw consent at any time (where consent is the relevant legal basis we rely on); and (vi) the right to complain to the Information Commissioner's Office. In certain circumstances, you may also have the right to object to the processing of your personal information. To make any such a request, please contact operationsteam@zero.co.uk We will consider and act upon any request in accordance with UK data protection law requirements and timelines.
· Withdrawing your consent. If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
· Changing your data. If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user account or contact us at operationsteam@zero.co.uk
· Closing your account. Upon your request to terminate your account, we will deactivate your account. We will hold your account details for a period allowing you to re-activate and have access to transaction history then delete or completely anonymise all data from our active databases. In some cases, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our Terms and Conditions and/or comply with applicable legal requirements, however this is only when necessary and in compliance with UK GDPR regulations.
· Opting out of email marketing. You can unsubscribe from our marketing email list at any time by clicking on the unsubscribe link in the emails that we send or by contacting us using the details provided below. You will then be removed from the marketing email list — however, we may still communicate with you, for example to send you service-related emails that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes. To otherwise opt-out, you may:
o Contact us using the contact information provided.
o Access your account settings and update your preferences.
· Accessing your data. You can request a copy of the data we hold and process about you by contacting our support team on operationsteam@zero.co.uk. You will need to tell us what information you want access to and verify your identity before we are able to fulfil this request.
9. Do we make updates to this notice?
Yes, we will update this notice as necessary to stay compliant with relevant laws or whenever we think we can improve it.
We may update this privacy notice from time to time. The updated version will be indicated by an updated "Revised" date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.
10. How can you contact us about this notice?
If you have questions or comments about this notice, you may contact complianceteam@zero.co.uk.
Privacy Policy v1.3. August 2024