Privacy Policy
1. INTRODUCTION
We understand that your privacy is precious. We commit to making sure that any of your personal data we
collect and process is done so lawfully, only when required and is handled with care at every stage.
This notice describes how we will do this, and what rights you have. If you do not agree with any of these
terms, you should stop using Zero services immediately.
For concerns or questions about how we process your data please email complianceteam@zero.co.uk.
2. WHAT DATA WE USE
We gather information about you when you use our websites, the Zero mobile app and other related
services that you’ve agreed to, such as marketing or waiting lists. This data may include contact and
identity information, financial usage, device information, marketing preferences, banking information you
allow us to access and carbon usage/impact related to your spending.
3. HOW WE GET YOUR DATA
3.1. When you give it to us
You give it to us when you use our services, or it is sent to us when you use our services, either
automatically or when you specifically agree to it.
3.1.1. Information you give us
This is data you voluntarily provide or give us permission to use when you apply for or use our
services, or when you contact us with a query/comment or take part in surveys or testing.
3.1.2. Account data includes information you provide to use our services
Such as names, phone numbers, email addresses, passcodes, UK residency status and
delivery or home addresses.
3.1.3. Information you provide when you interact with us
Such as free text information you include in queries, feedback, survey responses, user
testing responses, complaints, or any other direct interaction we have with you including
that information on customer support calls which are recorded.
3.1.4. ID data includes information you provide to confirm your identity
Such as a copy of your photo ID document e.g. passport or driving licence, and the
information contained on it including your date of birth, address and the document reference
number, your photograph on the ID document and a scanned image of your face. It may also
include additional data we may request from you to prove your identity such as proof of
address documents, utility bills, bank statements and other documents we specifically
request which you then provide to us.
3.1.5. Marketing and communications data includes your preferences in relation to marketing
Such as the way in which you prefer to be contacted or any opt-outs you notify us of from
time to time.
3.1.6. Carbon impact data includes information about your carbon footprint and related
activities
This could include your carbon usage via spending and any impactful life choices you tell us
about e.g., being vegetarian.
3.1.7. Banking data includes identifying information about other accounts you link to your
Zero account via open banking
This could mean partial card numbers, bank or account names you link to help you identify
your carbon impact score.
3.1.8. Face Data
This could be face data used as part of the onboarding process as well as to access the Zero
app or approve payments.
All personal information that you provide to us must be true, complete and accurate, and you must
notify us of any changes to such personal information in order to ensure that we hold the most up to
date information about you.
3.2. When it is sent to us when you use our services
We will collect transaction data from the business that issues your Zero Debit card and provides
your Zero e-wallet, plus any Open Banking connections you voluntarily make through our
app. This is to ensure we can categorise your spending and calculate your carbon score for
you in our app.
3.2.1. Transaction data includes Zero Debit Card transaction data. We use your Zero
debit card and e-wallet information to collect and display to you in our app, dates,
merchants and locations. This also means we can calculate your carbon score and
offer you appropriate offsetting and impact reduction services.
• The Zero debit card and e-money account are provided by Transact Payments
Limited who are an authorised Electronic Money Institution regulated by the
Gibraltar Financial Services Commission. Transact Payments Limited provide
Zero with transaction information relating to your activity on the Zero Card and
their privacy policy can be found here.
3.2.2. Transaction data also includes Open Banking transaction data. If you choose to
link your Zero app to other bank accounts, we use an open banking account
information service, provided by Plaid Financial Ltd. Plaid are an authorised payment
institution regulated by the Financial Conduct Authority (firm reference number
804718) under the Payment Services Regulations 2017. Plaid will provide Zero with
account, balance, transaction and merchant data for accounts you give express
permission to link to our service, to enable us to display your spending and balance,
and allow us to calculate your carbon score. You can view Plaid’s privacy policy here.
3.3. When the information is automatically collected
Some information is collected automatically when you visit our website, use our App or any
of our services through cookies or similar technologies. This information is needed to
maintain the security and operation of our Website and App, for troubleshooting and for our
internal analytics and reporting.
3.3.1. Usage data. We automatically collect certain information about how and when you
use our services so that we can maintain security of our services and for internal
reporting and analytic purposes. This information includes from which URL you
arrived at our site (website only), which pages on our website or application you visit,
for how long, and which links or actions you have clicked.
3.3.2. Device data. We collect device data such as information about your computer,
phone, tablet or other device you use to access the website and application including
information about your operating system and a partial IP address (or proxy server).
Depending on the method of interaction used, this device data may include the
following information:
• Website only: Browser type and version, operating system.
• Mobile App only: Mobile device ID, hardware model and manufacturer, language
preferences, internet service provider and/or mobile carrier, type of mobile used
and device name.
3.4. Information we receive from other sources including third parties
In addition to the third parties we expressly name above, we will receive personal data about
you from various other third parties as set out below:
3.4.1. Contact, financial and transaction data from providers of payment services whom we
make you aware of at the time of requesting payment from you.
4. HOW WE USE YOUR DATA
We process your information for specific purposes based on legitimate business interests, to fulfil
our contract with you, compliance with our legal obligations, and/or your consent and we may
decide to use your data where it’s closely related to one of the purposes below. We will always
contact you to let you know in advance if we decide to process data for a new purpose that is
unrelated to the below listed purposes, or where we think you won’t expect us to process data for
that new purpose.
We use the information we collect or receive for the purposes in bold text below and on the legal
basis we’ve underlined:
4.1. To open your account and allow you to log in
We use your account and ID Data alongside Face Data to create your unique account and to have
means of checking who you are, verifying your device and email address and contacting you. We do
this to provide our Services under our agreed contract and to comply with our legal obligations
(including those of our third parties who are subject to certain regulations).
4.2. To manage your Zero account
We may use transaction data and climate impact data to calculate your carbon score to fulfil our
contract with you and we may make further use of that information on the basis of the legitimate
interest of society as a whole in reducing carbon emissions (for example, statistical, research and
educational purposes as described below). By using your Zero Debit Card to make purchases or
linking other accounts/cards to your Zero app via Open Banking links, or by providing identifying
bank names and partial card numbers to help you identify linked cards, you are directly providing
this information to us.
4.3. To respond to your inquiries/offer support
In order to fulfil our contract and other obligations to you, we may use your account, usage, device,
and/or carbon Impact data and any other relevant information about your Zero account to respond
to your inquiries and to try to resolve any potential queries or complaints you might have with the
use of our App or Services generally.
4.4. Push Notifications
We may request to send you push notifications if you consent regarding your account or certain
features of the App. If you wish to opt-out from receiving these types of communications, you may
turn them off in your device settings.
4.5. To protect our business and our users
We may use your information as part of our efforts to keep our App and Services safe and secure
generally for all users (for example, for fraud and money laundering/terrorist financing monitoring
and prevention). We will check your name regularly against lists of sanctioned individuals, adverse
media and politically exposed people and monitor your transactions to comply with our legal
obligations in combating crime. These are both a legal obligation and contract requirement to
ensure the security of our App and Services and to protect our users, but it’s also in our legitimate
commercial interests to provide a safe and secure service generally because if we couldn’t do that,
we would likely lose business. Please note that this is not a credit check and will in no way affect
your credit score.
4.6. To enforce our terms, conditions and policies in order to protect our business
We monitor your account usage as part of our contract requirement and our legitimate interest in
protecting our business and acting in its best interests.
4.7. To comply with legal and regulatory requirements (legal obligation)
Such as carrying out identity and verification checks including via our third-party providers.
4.8. To update or provide notice to you in connection with our contract
Such as a change to our Terms & Conditions
4.9. To respond to legal requests and prevent harm (legal obligation)
If we receive a witness summons or other legal request from a law enforcement agency for
example, we may need to inspect the data we hold to determine how to respond. We will consider
each request on its merits and judge that against our users' right to privacy in each case by limiting
the information we share to only that which we consider necessary, and we will record our decision
internally in order to create an auditable trail (legal obligation).
4.10. Administer ‘Community Share Options’.
We may use your information to administer your shares in our ‘community option’ scheme when
you elect to participate in it (contract). We will keep you updated about the scheme progress
regularly as a potential shareholder in Zero.
4.11. To send you marketing and promotional communications.
We may use the personal information you send to us for our own marketing purposes if this is in
accordance with your marketing preferences on the basis of our legitimate interest in sending you
offers as our customer that are closely related to our Services and we think would legitimately be of
interest to you. For example, when expressing an interest in obtaining information about us or our
Services, subscribing to marketing or otherwise contacting us, we will collect personal information
from you, and we will gain some insight into what you are interested in. We will give you the
opportunity to opt-out of marketing at the time, and you can always later decide to opt-out of our
marketing emails if you change your mind (see YOUR PRIVACY RIGHTS below).
4.12. To post testimonials
We may post testimonials on our Services (either by directly requesting your permission or from an
external review website e.g., Trustpilot) that may contain the name of the person providing the
testimonial. By submitting a testimonial for this purpose, we presume this to be with your consent
(which you can withdraw at any time).
4.13. Request feedback.
We may use your name and mobile number/email address to request your feedback and to contact
you about your use of our Services on the basis that we have a legitimate interest in asking users to
provide feedback for the purpose of improving and marketing our products and services. We will not
contact you if you have opted out of marketing.
4.14. To improve our own products and Services generally
Including improving customer experience or to inform how we develop new products and services.
This means data analysis, identifying usage and general customer behavioural trends (such as
carbon scores, but this doesn’t involve “profiling” you individually), measuring effectiveness of any
promotional campaigns, to evaluate and improve our Services, products and better tailor our
marketing and your experience.
5. HOW AND WHEN WE SHARE YOUR DATA
We only share information with third parties where a legal basis allows us to do that, which will be
with your consent, to comply with laws, to provide you with contractual services, to protect you or
your rights, or where our legitimate interests don’t unfairly conflict with your right to privacy and
where we have explained that interest to you on an appropriate policy or notice (legitimate
interests).
This includes the following circumstances:
5.1. Identity Checks
Because of the nature of our Services and regulations that we must comply with, we must
utilize identity checks when you sign-up and when you access our services thereafter.
Providing these identity checks is a complex function and so we use a reputable third-party
provider (Onfido) to perform these checks on our behalf. They perform checks on your name
and address via credit reference agencies (this is not a credit check), voters roll, telephone
check and mortality register. Onfido also perform a validity check on the identity document
you provide and the live face scan you record. Onfido use a sub-processor (Comply
Advantage) to screen the name on your ID document and year of birth against global
Sanctions lists, adverse media lists and lists of politically exposed individuals. These are
measures we take in order to help us comply with anti-fraud, anti-money laundering and
counter terrorist financing regulations that we and third parties are subject to.
5.1.1. Onfido act as a processor entirely upon Zero’s instruction. Zero remains the controller
of your data and continue to be responsible for it, ensuring that Onfido are
contractually obliged to process personal data with at least the same degree of
protection as we set out in this policy.
5.1.2. The personal information Onfido collect may be transferred to and processed outside
the UK. They may subcontract the processing of your data to, or otherwise share your
data with, its affiliates or third parties in the United States or countries other than the
UK. The data protection laws in these countries may be different from, and less
stringent than those in the UK; however, Onfido only transfer your personal information
to countries where the EU Commission has decided that they have an adequate level
of data protection, or where they take measures to ensure that all recipients provide
an adequate level of data protection. Onfido do this for example by entering into
appropriate data transfer agreements based on Standard Contractual Clauses as
approved by the UK or the EU (as applicable) from time to time.
5.1.3. Biometric Checks and Authentication
When providing biometric checks as part of Onfido’s Identity Services, we’ll ask for an
image or video (including an audio recording) of a user’s face (a “Selfie”), as well as an
image or video to use as a reference image (for example, an image of their identity
document). We generate two scans of the user’s face (one from the Selfie, and one
from the reference image) and we compare those two scans to assess whether the
person in the Selfie is likely to be the same person pictured in the reference image.
Additionally, as part of the Identity Services, we will also evaluate the authenticity of
the images and videos (including audio recordings) and identity documents, including
detecting whether there is a genuine human or physical document in your
photos/videos, and identifying signs of tampering, coercion or social engineering.
5.1.4. When using the authentication service, Onfido will store a reference image for each
relevant user. This image is retained for 3 years and subject to any maximum retention
periods specified by Onfido or in applicable laws. We store the face image for this
time in order to enable you to access your money and payment services in a timely
fashion without needing to go through a lengthy reauthentication process. When
Onfido is asked to authenticate a user, they will generate two face scans - one using a
new image of the user and one using the reference image they have stored. If the two
images match, the authentication is confirmed.
5.1.5. Information collected: images or videos (including audio recordings) of a user and/or
of their identity document, metadata extracted from those images or videos, and data
extracted from those images or videos that may be construed as a scan of face
geometry or a voiceprint and which may be considered to be biometric identifiers or
biometric information by applicable US biometric privacy laws.
5.1.6. Fraud checks, including device integrity and fraud signals
Onfido leverages a number of different fraud detection capabilities. For example,
Onfido will analyze the metadata associated with the user’s Selfie and the image or
video of their identity document (to identify whether any editing software can be
detected) to assess the likelihood that the user is genuine.
5.1.7. For more information about Onfido’s processing activities generally, Onfido’s privacy
policy can be found here: https://onfido.com/privacy/
5.1.8. Comply Advantage’s privacy policy: https://complyadvantage.com/privacy-notice/
5.2. Card Issuing
The Zero debit card is issued by Transact Payments Limited and physical cards are created and sent
to you by TagNitecrest. When you sign up to the card via the Zero app, we will provide Transact
Payments Limited with your contact information, date of birth and address/delivery address so that
Transact Payments Limited can create your card details and send them to TagNitecrest to make
your card and deliver it to you. In relation to the Zero debit card issuing, Transact Payments Limited
is the controller of your data in relation to the Zero debit card only and Zero is the controller of your
data in relation to any data you provide which is not related to the Zero debit card.
5.3. Card Processing
The Zero debit card transactions you make are processed by Marqeta. When you sign up to the card
via the Zero app, we will provide Marqeta with your contact information, date of birth and
e-wallet/debit card information so that they can process your card payments. Their privacy policy can
be found at https://www.marqeta.com/privacy
5.4. E-Wallet creation
We use Transact Payments Limited to provide you with an e-wallet which you can use to
send/receive funds and make card payments from as per our contract with you. We provide you
with an account number and sort code via the Zero app, Transact Payments Limited is the controller
of your data you provide in relation to your e-wallet only and Zero is the controller of your data in
relation to any data you provide which is not related to the e-wallet.
5.5. Payment Monitoring
As part of our regulatory obligations, we will monitor transactions for potentially suspicious activity
to protect our customers and meet our regulatory obligations. This monitoring is performed on a
platform provided by Flagright Data Technologies, GmbH, company number HRB 242205 B,
address Torstr. 201, Berlin, 10115, Germany https://www.flagright.com/privacy-policy
5.6. Business Transfers
We may share or transfer your information in connection with, or during negotiations in anticipation
of, any merger, financing, or acquisition of all or a substantial portion of our business to another
business. Where your data is subject to a business transfer such as this, that won’t affect the level
of protection your personal data receives, and it will still be processed subject to this privacy notice
unless we inform you otherwise.
5.7. Verifying your email address and mobile number
In order to verify your email address, we will share your name and email address with Postmark who
will send you an email on which you have to verify your email address. To verify your mobile number,
we will share your mobile number with ClickSend who will send you an SMS with a one-time
passcode (OTP) which may be required to verify you for security purposes. ClickSend and
Postmark’s privacy policy can be found respectively at: https://www.clicksend.com/gb/legal,
https://postmarkapp.com/privacy-policy
5.8. Fraud Prevention Agencies
The personal information we have collected from you will be shared with fraud prevention agencies
who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected,
you could be refused certain services, finance, or employment. Further details of how your
information will be used by us and these fraud prevention agencies, and your data protection rights,
can be found at www.cifas.org.uk/fpn.
6. COOKIES
Zero obtains explicit consent from a user for the use of cookies when first visiting the Zero website. This
consent can be revoked at any time.
We use cookies to personalise content and ads, to provide social media features and to analyse our
traffic. We also share information about your use of our site with our social media, advertising and
analytics partners who may combine it with other information that you’ve provided to them or that
they’ve collected from your use of their services.
7. HOW LONG WE KEEP YOUR INFORMATION
We keep your information for as long as necessary to fulfil the purposes outlined in this privacy notice
unless otherwise required by law.
We will only keep your personal information for as long as it is necessary for the purposes set out in this
privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting,
or other legal requirements). We have a data retention policy which sets out how long we keep different
data for, and we provide this on request if you contact us to ask for it.
When we have no ongoing legitimate business need to process your personal information, we will either
delete or anonymise such information, or if this is not possible (for example, because your personal
information has been stored in backup archives), we will securely store your personal information and
isolate it from any further processing until deletion is possible.
8. HOW WE KEEP YOUR INFORMATION SAFE
We aim to protect your personal information through a system of organisational and technical security
measures.
We have implemented appropriate technical and organisational security measures designed to protect
the security of any personal information we process. However, despite our safeguards and efforts to
secure your information, no electronic transmission over the Internet or information storage technology
can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals,
or other unauthorised third parties will not be able to defeat our security, and improperly collect,
access, steal, or modify your information, but we will promise to do our best to protect your personal
information. Transmission of personal information to and from our Services, including your use of Wi-Fi
and unsecured network environments, is at your own risk. You should only access the Services within a
secure environment.
9. INFORMATION FROM MINORS
We do not knowingly solicit data from or market to children under 13 years of age. This is the age that
the UK government considers that you are old enough to consent to processing of your personal data.
By using the Services, you represent that you are at least 18. If we learn that personal information from
users less than 13 years of age has been collected, we will deactivate the account and take reasonable
measures to promptly delete such data from our records. If you become aware of any data we may have
collected from children under age 13, please contact us at complianceteam@zero.co.uk
10. YOUR PRIVACY RIGHTS
You have rights that allow you access to, and control over, your personal information. You may review,
change, or terminate your account at any time.
Under UK data protection laws you have rights which include the right (i) to request access and obtain a
copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing
of your personal information; (iv) if applicable, to data portability; (v) to withdraw consent at any time
(where consent is the relevant legal basis we rely on); and (vi) the right to complain to the Information
Commissioner's Office. In certain circumstances, you may also have the right to object to the processing
of your personal information. To make any such request, please contact operationsteam@zero.co.uk
We will consider and act upon any request in accordance with UK data protection law requirements and
timelines.
10.1. Withdrawing your consent
If we are relying on your consent to process your personal information, you have the right to
withdraw your consent at any time. Please note however that this will not affect the lawfulness of
the processing before its withdrawal, nor will it affect the processing of your personal information
conducted in reliance on lawful processing grounds other than consent.
10.2. Changing your data
If you would at any time like to review or change the information in your account or terminate
your account, you can log in to your account settings and update your user account or contact us
at operationsteam@zero.co.uk
10.3. Closing your account
Upon your request to terminate your account, we will deactivate your account. We will hold your
account details for a period allowing you to re-activate and have access to transaction history
then delete or completely anonymise all data from our active databases. In some cases, we may
retain some information in our files to prevent fraud, troubleshoot problems, assist with any
investigations, enforce our Terms and Conditions and/or comply with applicable legal
requirements, however this is only when necessary and in compliance with UK GDPR regulations.
10.4. Opting out of email marketing
You can unsubscribe from our marketing email list at any time by clicking on the unsubscribe link
in the emails that we send or by contacting us using the details provided below. You will then be
removed from the marketing email list — however, we may still communicate with you, for
example to send you service-related emails that are necessary for the administration and use of
your account, to respond to service requests, or for other non-marketing purposes. To otherwise
opt-out, you may:
* Contact us using the contact information provided.
* Access your account settings and update your preferences.
10.5. Accessing your data
You can request a copy of the data we hold and process about you by contacting our support
team on operationsteam@zero.co.uk. You will need to tell us what information you want access
to and verify your identity before we are able to fulfil this request.
11. WHEN WE MAKE UPDATES TO THIS NOTICE
Yes, we will update this notice as necessary to stay compliant with relevant laws or whenever we think
we can improve it.
We may update this privacy notice from time to time. The updated version will be indicated by an
updated "Revised" date and the updated version will be effective as soon as it is accessible. If we make
material changes to this privacy notice, we may notify you either by prominently posting a notice of such
changes or by directly sending you a notification. We encourage you to review this privacy notice
frequently to be informed of how we are protecting your information.
12. HOW YOU CAN CONTACT US ABOUT THIS NOTICE
If you have questions or comments about this notice, you may contact our Data Protection Officer by
emailing: complianceteam@zero.co.uk