Privacy Policy

  1. INTRODUCTION
    We understand that your privacy is precious. We commit to making sure that any of your personal data we 
    collect and process is done so lawfully, only when required and is handled with care at every stage. 
    This notice describes how we will do this, and what rights you have. If you do not agree with any of these 
    terms, you should stop using Zero services immediately.
    For concerns or questions about how we process your data please email complianceteam@zero.co.uk.
  2. WHAT DATA WE USE
    We gather information about you when you use our websites, the Zero mobile app and other related 
    services that you’ve agreed to, such as marketing or waiting lists. This data may include contact and 
    identity information, financial usage, device information, marketing preferences, banking information you 
    allow us to access and carbon usage/impact related to your spending.
  3. HOW WE GET YOUR DATA
    3.1. When you give it to us
    You give it to us when you use our services, or it is sent to us when you use our services, either 
    automatically or when you specifically agree to it.
    3.1.1. Information you give us
    This is data you voluntarily provide or give us permission to use when you apply for or use our 
    services, or when you contact us with a query/comment or take part in surveys or testing.
    3.1.2. Account data includes information you provide to use our services
    Such as names, phone numbers, email addresses, passcodes, UK residency status and 
    delivery or home addresses.
    3.1.3. Information you provide when you interact with us
    Such as free text information you include in queries, feedback, survey responses, user 
    testing responses, complaints, or any other direct interaction we have with you including 
    that information on customer support calls which are recorded.
    3.1.4. ID data includes information you provide to confirm your identity
    Such as a copy of your photo ID document e.g. passport or driving licence, and the 
    information contained on it including your date of birth, address and the document reference 
    number, your photograph on the ID document and a scanned image of your face. It may also 
    include additional data we may request from you to prove your identity such as proof of 
    address documents, utility bills, bank statements and other documents we specifically 
    request which you then provide to us.
    3.1.5. Marketing and communications data includes your preferences in relation to marketing
    Such as the way in which you prefer to be contacted or any opt-outs you notify us of from 
    time to time.
    3.1.6. Carbon impact data includes information about your carbon footprint and related 
    activities
    This could include your carbon usage via spending and any impactful life choices you tell us 
    about e.g., being vegetarian.
    3.1.7. Banking data includes identifying information about other accounts you link to your 
    Zero account via open banking
    This could mean partial card numbers, bank or account names you link to help you identify 
    your carbon impact score.
    3.1.8. Face Data
    This could be face data used as part of the onboarding process as well as to access the Zero 
    app or approve payments.
    All personal information that you provide to us must be true, complete and accurate, and you must 
    notify us of any changes to such personal information in order to ensure that we hold the most up to 
    date information about you.
    3.2. When it is sent to us when you use our services
    We will collect transaction data from the business that issues your Zero Debit card and provides 
    your Zero e-wallet, plus any Open Banking connections you voluntarily make through our 
    app. This is to ensure we can categorise your spending and calculate your carbon score for 
    you in our app.
    3.2.1. Transaction data includes Zero Debit Card transaction data. We use your Zero 
    debit card and e-wallet information to collect and display to you in our app, dates, 
    merchants and locations. This also means we can calculate your carbon score and 
    offer you appropriate offsetting and impact reduction services. 
    • The Zero debit card and e-money account are provided by Transact Payments 
    Limited who are an authorised Electronic Money Institution regulated by the 
    Gibraltar Financial Services Commission. Transact Payments Limited provide 
    Zero with transaction information relating to your activity on the Zero Card and 
    their privacy policy can be found here.
    3.2.2. Transaction data also includes Open Banking transaction data. If you choose to 
    link your Zero app to other bank accounts, we use an open banking account 
    information service, provided by Plaid Financial Ltd. Plaid are an authorised payment 
    institution regulated by the Financial Conduct Authority (firm reference number 
    804718) under the Payment Services Regulations 2017. Plaid will provide Zero with 
    account, balance, transaction and merchant data for accounts you give express 
    permission to link to our service, to enable us to display your spending and balance, 
    and allow us to calculate your carbon score. You can view Plaid’s privacy policy here.
    3.3. When the information is automatically collected
    Some information is collected automatically when you visit our website, use our App or any 
    of our services through cookies or similar technologies. This information is needed to 
    maintain the security and operation of our Website and App, for troubleshooting and for our 
    internal analytics and reporting.
    3.3.1. Usage data. We automatically collect certain information about how and when you 
    use our services so that we can maintain security of our services and for internal 
    reporting and analytic purposes. This information includes from which URL you 
    arrived at our site (website only), which pages on our website or application you visit, 
    for how long, and which links or actions you have clicked.
    3.3.2. Device data. We collect device data such as information about your computer, 
    phone, tablet or other device you use to access the website and application including 
    information about your operating system and a partial IP address (or proxy server). 
    Depending on the method of interaction used, this device data may include the 
    following information:
    • Website only: Browser type and version, operating system.
    • Mobile App only: Mobile device ID, hardware model and manufacturer, language 
    preferences, internet service provider and/or mobile carrier, type of mobile used 
    and device name.
    3.4. Information we receive from other sources including third parties
    In addition to the third parties we expressly name above, we will receive personal data about 
    you from various other third parties as set out below:
    3.4.1. Contact, financial and transaction data from providers of payment services whom we 
    make you aware of at the time of requesting payment from you.
  4. HOW WE USE YOUR DATA
    We process your information for specific purposes based on legitimate business interests, to fulfil 
    our contract with you, compliance with our legal obligations, and/or your consent and we may 
    decide to use your data where it’s closely related to one of the purposes below. We will always 
    contact you to let you know in advance if we decide to process data for a new purpose that is 
    unrelated to the below listed purposes, or where we think you won’t expect us to process data for 
    that new purpose. 
    We use the information we collect or receive for the purposes in bold text below and on the legal 
    basis we’ve underlined:
    4.1. To open your account and allow you to log in
    We use your account and ID Data alongside Face Data to create your unique account and to have 
    means of checking who you are, verifying your device and email address and contacting you. We do 
    this to provide our Services under our agreed contract and to comply with our legal obligations 
    (including those of our third parties who are subject to certain regulations). 
    4.2. To manage your Zero account
    We may use transaction data and climate impact data to calculate your carbon score to fulfil our 
    contract with you and we may make further use of that information on the basis of the legitimate 
    interest of society as a whole in reducing carbon emissions (for example, statistical, research and 
    educational purposes as described below). By using your Zero Debit Card to make purchases or 
    linking other accounts/cards to your Zero app via Open Banking links, or by providing identifying 
    bank names and partial card numbers to help you identify linked cards, you are directly providing 
    this information to us. 
    4.3. To respond to your inquiries/offer support
    In order to fulfil our contract and other obligations to you, we may use your account, usage, device, 
    and/or carbon Impact data and any other relevant information about your Zero account to respond 
    to your inquiries and to try to resolve any potential queries or complaints you might have with the 
    use of our App or Services generally. 
    4.4. Push Notifications
    We may request to send you push notifications, if you consent, regarding your account or certain 
    features of the App. If you wish to opt-out from receiving these types of communications, you may 
    turn them off in your device settings.
    4.5. To protect our business and our users
    We may use your information as part of our efforts to keep our App and Services safe and secure 
    generally for all users (for example, for fraud and money laundering/terrorist financing monitoring 
    and prevention). We will check your name regularly against lists of sanctioned individuals, adverse 
    media and politically exposed people and monitor your transactions to comply with our legal 
    obligations in combating crime. These are both a legal obligation and contract requirement to 
    ensure the security of our App and Services and to protect our users, but it’s also in our legitimate 
    commercial interests to provide a safe and secure service generally because if we couldn’t do that, 
    we would likely lose business. Please note that this is not a credit check and will in no way affect 
    your credit score.
    4.6. To enforce our terms, conditions and policies in order to protect our business
    We monitor your account usage as part of our contract requirement and our legitimate interest in 
    protecting our business and acting in its best interests.
    4.7. To comply with legal and regulatory requirements (legal obligation) 
    Such as carrying out identity and verification checks including via our third-party providers.
    4.8. To update or provide notice to you in connection with our contract
    Such as a change to our Terms & Conditions.
    4.9. To respond to legal requests and prevent harm (legal obligation)
    If we receive a witness summons or other legal request from a law enforcement agency for 
    example, we may need to inspect the data we hold to determine how to respond. We will consider 
    each request on its merits and judge that against our users’ right to privacy in each case by limiting 
    the information we share to only that which we consider necessary, and we will record our decision 
    internally in order to create an auditable trail (legal obligation).
    4.10. Administer ‘Community Share Options’. 
    We may use your information to administer your shares in our ‘community option’ scheme when 
    you elect to participate in it (contract). We will keep you updated about the scheme progress 
    regularly as a potential shareholder in Zero.
    4.11. To send you marketing and promotional communications. 
    We may use the personal information you send to us for our own marketing purposes if this is in 
    accordance with your marketing preferences on the basis of our legitimate interest in sending you 
    offers as our customer that are closely related to our Services and we think would legitimately be of 
    interest to you. For example, when expressing an interest in obtaining information about us or our 
    Services, subscribing to marketing or otherwise contacting us, we will collect personal information 
    from you, and we will gain some insight into what you are interested in. We will give you the 
    opportunity to opt-out of marketing at the time, and you can always later decide to opt-out of our 
    marketing emails if you change your mind (see YOUR PRIVACY RIGHTS below).
    4.12. To post testimonials
    We may post testimonials on our Services (either by directly requesting your permission or from an 
    external review website e.g., Trustpilot) that may contain the name of the person providing the 
    testimonial. By submitting a testimonial for this purpose, we presume this to be with your consent 
    (which you can withdraw at any time). 
    4.13. Request feedback. 
    We may use your name and mobile number/email address to request your feedback and to contact 
    you about your use of our Services on the basis that we have a legitimate interest in asking users to 
    provide feedback for the purpose of improving and marketing our products and services. We will not 
    contact you if you have opted out of marketing.
    4.14. To improve our own products and Services generally 
    Including improving customer experience or to inform how we develop new products and services. 
    This means data analysis, identifying usage and general customer behavioural trends (such as 
    carbon scores, but this doesn’t involve “profiling” you individually), measuring effectiveness of any 
    promotional campaigns, to evaluate and improve our Services, products and better tailor our 
    marketing and your experience.
  5. HOW AND WHEN WE SHARE YOUR DATA
    We only share information with third parties where a legal basis allows us to do that, which will be 
    with your consent, to comply with laws, to provide you with contractual services, to protect you or 
    your rights, or where our legitimate interests don’t unfairly conflict with your right to privacy and 
    where we have explained that interest to you on an appropriate policy or notice (legitimate 
    interests).
    This includes the following circumstances:
    5.1. Identity Checks
    Because of the nature of our Services and regulations that we must comply with, we must 
    utilize identity checks when you sign-up and when you access our services thereafter. 
    Providing these identity checks is a complex function and so we use a reputable third-party 
    provider (Onfido) to perform these checks on our behalf. They perform checks on your name 
    and address via credit reference agencies (this is not a credit check), voters roll, telephone 
    check and mortality register. Onfido also perform a validity check on the identity document 
    you provide and the live face scan you record. Onfido use a sub-processor (Comply 
    Advantage) to screen the name on your ID document and year of birth against global 
    Sanctions lists, adverse media lists and lists of politically exposed individuals. These are 
    measures we take in order to help us comply with anti-fraud, anti-money laundering and 
    counter terrorist financing regulations that we and third parties are subject to.
    5.1.1. Onfido act as a processor entirely upon Zero’s instruction. Zero remains the controller 
    of your data and continues to be responsible for it, ensuring that Onfido are 
    contractually obliged to process personal data with at least the same degree of 
    protection as we set out in this policy. 
    5.1.2. The personal information Onfido collect may be transferred to and processed outside 
    the UK. They may subcontract the processing of your data to, or otherwise share your 
    data with, its affiliates or third parties in the United States or countries other than the 
    UK. The data protection laws in these countries may be different from, and less 
    stringent than those in the UK; however, Onfido only transfer your personal information 
    to countries where the EU Commission has decided that they have an adequate level 
    of data protection, or where they take measures to ensure that all recipients provide 
    an adequate level of data protection. Onfido do this for example by entering into 
    appropriate data transfer agreements based on Standard Contractual Clauses as 
    approved by the UK or the EU (as applicable) from time to time. 
    5.1.3. Biometric Checks and Authentication
    When providing biometric checks as part of Onfido’s Identity Services, we’ll ask for an 
    image or video (including an audio recording) of a user’s face (a “Selfie”), as well as an 
    image or video to use as a reference image (for example, an image of their identity 
    document). We generate two scans of the user’s face (one from the Selfie, and one 
    from the reference image) and we compare those two scans to assess whether the 
    person in the Selfie is likely to be the same person pictured in the reference image. 
    Additionally, as part of the Identity Services, we will also evaluate the authenticity of 
    the images and videos (including audio recordings) and identity documents, including 
    detecting whether there is a genuine human or physical document in your 
    photos/videos, and identifying signs of tampering, coercion or social engineering. 
    5.1.4. When using the authentication service, Onfido will store a reference image for each 
    relevant user. This image is retained for 3 years and subject to any maximum retention 
    periods specified by Onfido or in applicable laws. We store the face image for this 
    time in order to enable you to access your money and payment services in a timely 
    fashion without needing to go through a lengthy reauthentication process. When 
    Onfido is asked to authenticate a user, they will generate two face scans - one using a 
    new image of the user and one using the reference image they have stored. If the two 
    images match, the authentication is confirmed.
    5.1.5. Information collected: images or videos (including audio recordings) of a user and/or 
    of their identity document, metadata extracted from those images or videos, and data 
    extracted from those images or videos that may be construed as a scan of face 
    geometry or a voiceprint and which may be considered to be biometric identifiers or 
    biometric information by applicable US biometric privacy laws. 
    5.1.6. Fraud checks, including device integrity and fraud signals
    Onfido leverages a number of different fraud detection capabilities. For example, 
    Onfido will analyze the metadata associated with the user’s Selfie and the image or 
    video of their identity document (to identify whether any editing software can be 
    detected) to assess the likelihood that the user is genuine.
    5.1.7. For more information about Onfido’s processing activities generally, Onfido’s privacy 
    policy can be found here: https://onfido.com/privacy/
    5.1.8. Comply Advantage’s privacy policy: https://complyadvantage.com/privacy-notice/
    5.2. Card Issuing
    The Zero debit card is issued by Transact Payments Limited and physical cards are created and sent 
    to you by TagNitecrest. When you sign up to the card via the Zero app, we will provide Transact 
    Payments Limited with your contact information, date of birth and address/delivery address so that 
    Transact Payments Limited can create your card details and send them to TagNitecrest to make 
    your card and deliver it to you. In relation to the Zero debit card issuing, Transact Payments Limited 
    is the controller of your data in relation to the Zero debit card only and Zero is the controller of your 
    data in relation to any data you provide which is not related to the Zero debit card.
    5.3. Card Processing
    The Zero debit card transactions you make are processed by Marqeta. When you sign up to the card 
    via the Zero app, we will provide Marqeta with your contact information, date of birth and 
    e-wallet/debit card information so that they can process your card payments. Their privacy policy can 
    be found at https://www.marqeta.com/privacy
    5.4. E-Wallet creation
    We use Transact Payments Limited to provide you with an e-wallet which you can use to 
    send/receive funds and make card payments from as per our contract with you. We provide you 
    with an account number and sort code via the Zero app. Transact Payments Limited is the controller 
    of your data you provide in relation to your e-wallet only and Zero is the controller of your data in 
    relation to any data you provide which is not related to the e-wallet.
    5.5. Payment Monitoring
    As part of our regulatory obligations, we will monitor transactions for potentially suspicious activity 
    to protect our customers and meet our regulatory obligations. This monitoring is performed on a 
    platform provided by Flagright Data Technologies, GmbH, company number HRB 242205 B, 
    address Torstr. 201, Berlin, 10115, Germany. Flagright’s privacy policy: https://www.flagright.com/privacy-policy 
    5.6. Business Transfers
    We may share or transfer your information in connection with, or during negotiations in anticipation 
    of, any merger, financing, or acquisition of all or a substantial portion of our business to another 
    business. Where your data is subject to a business transfer such as this, that won’t affect the level 
    of protection your personal data receives, and it will still be processed subject to this privacy notice 
    unless we inform you otherwise. 
    5.7. Verifying your email address and mobile number
    In order to verify your email address, we will share your name and email address with Postmark who 
    will send you an email on which you have to verify your email address. To verify your mobile number, 
    we will share your mobile number with ClickSend who will send you an SMS with a one-time 
    passcode (OTP) which may be required to verify you for security purposes. ClickSend and 
    Postmark’s privacy policies can be found respectively at: https://www.clicksend.com/gb/legal, 
    https://postmarkapp.com/privacy-policy
    5.8. Fraud Prevention Agencies
    The personal information we have collected from you will be shared with fraud prevention agencies 
    who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, 
    you could be refused certain services, finance, or employment. Further details of how your 
    information will be used by us and these fraud prevention agencies, and your data protection rights, 
    can be found at www.cifas.org.uk/fpn.
  6. COOKIES 
    Zero obtains explicit consent from a user for the use of cookies when first visiting the Zero website. This 
    consent can be revoked at any time. 
    We use cookies to personalise content and ads, to provide social media features and to analyse our 
    traffic. We also share information about your use of our site with our social media, advertising and 
    analytics partners who may combine it with other information that you’ve provided to them or that 
    they’ve collected from your use of their services.
  7. HOW LONG WE KEEP YOUR INFORMATION
    We keep your information for as long as necessary to fulfil the purposes outlined in this privacy notice 
    unless otherwise required by law.
    We will only keep your personal information for as long as it is necessary for the purposes set out in this 
    privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, 
    or other legal requirements). We have a data retention policy which sets out how long we keep different 
    data for, and we provide this on request if you contact us to ask for it. 
    When we have no ongoing legitimate business need to process your personal information, we will either 
    delete or anonymise such information, or if this is not possible (for example, because your personal 
    information has been stored in backup archives), we will securely store your personal information and 
    isolate it from any further processing until deletion is possible.
  8. HOW WE KEEP YOUR INFORMATION SAFE
    We aim to protect your personal information through a system of organisational and technical security 
    measures.
    We have implemented appropriate technical and organisational security measures designed to protect 
    the security of any personal information we process. However, despite our safeguards and efforts to 
    secure your information, no electronic transmission over the Internet or information storage technology 
    can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, 
    or other unauthorised third parties will not be able to defeat our security, and improperly collect, 
    access, steal, or modify your information, but we will promise to do our best to protect your personal 
    information. Transmission of personal information to and from our Services, including your use of Wi-Fi 
    and unsecured network environments, is at your own risk. You should only access the Services within a 
    secure environment.
  9. INFORMATION FROM MINORS
    We do not knowingly solicit data from or market to children under 13 years of age. This is the age that 
    the UK government considers that you are old enough to consent to processing of your personal data. 
    By using the Services, you represent that you are at least 18. If we learn that personal information from 
    users less than 13 years of age has been collected, we will deactivate the account and take reasonable 
    measures to promptly delete such data from our records. If you become aware of any data we may have 
    collected from children under age 13, please contact us at complianceteam@zero.co.uk
  10. YOUR PRIVACY RIGHTS
    You have rights that allow you access to, and control over, your personal information. You may review, 
    change, or terminate your account at any time.
    Under UK data protection laws you have rights which include the right (i) to request access and obtain a 
    copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing 
    of your personal information; (iv) if applicable, to data portability; (v) to withdraw consent at any time 
    (where consent is the relevant legal basis we rely on); and (vi) the right to complain to the Information 
    Commissioner's Office. In certain circumstances, you may also have the right to object to the processing 
    of your personal information. To make any such request, please contact operationsteam@zero.co.uk. 
    We will consider and act upon any request in accordance with UK data protection law requirements and 
    timelines.
    10.1. Withdrawing your consent
    If we are relying on your consent to process your personal information, you have the right to 
    withdraw your consent at any time. Please note however that this will not affect the lawfulness of 
    the processing before its withdrawal, nor will it affect the processing of your personal information 
    conducted in reliance on lawful processing grounds other than consent.
    10.2. Changing your data
    If you would at any time like to review or change the information in your account or terminate 
    your account, you can log in to your account settings and update your user account or contact us 
    at operationsteam@zero.co.uk
    10.3. Closing your account
    Upon your request to terminate your account, we will deactivate your account. We will hold your 
    account details for a period allowing you to re-activate and have access to transaction history 
    then delete or completely anonymise all data from our active databases. In some cases, we may 
    retain some information in our files to prevent fraud, troubleshoot problems, assist with any 
    investigations, enforce our Terms and Conditions and/or comply with applicable legal 
    requirements; however, this is only when necessary and in compliance with UK GDPR regulations.
    10.4. Opting out of email marketing
    You can unsubscribe from our marketing email list at any time by clicking on the unsubscribe link 
    in the emails that we send or by contacting us using the details provided below. You will then be 
    removed from the marketing email list — however, we may still communicate with you, for 
    example to send you service-related emails that are necessary for the administration and use of 
    your account, to respond to service requests, or for other non-marketing purposes. To otherwise 
    opt-out, you may:
    * Contact us using the contact information provided.
    * Access your account settings and update your preferences.
    10.5. Accessing your data
    You can request a copy of the data we hold and process about you by contacting our support 
    team on operationsteam@zero.co.uk. You will need to tell us what information you want access 
    to and verify your identity before we are able to fulfil this request.
  11. WHEN WE MAKE UPDATES TO THIS NOTICE
    We will update this notice as necessary to stay compliant with relevant laws or whenever we think 
    we can improve it.
    We may update this privacy notice from time to time. The updated version will be indicated by an 
    updated "Revised" date and the updated version will be effective as soon as it is accessible. If we make 
    material changes to this privacy notice, we may notify you either by prominently posting a notice of such 
    changes or by directly sending you a notification. We encourage you to review this privacy notice 
    frequently to be informed of how we are protecting your information.
  12. HOW YOU CAN CONTACT US ABOUT THIS NOTICE
    If you have questions or comments about this notice, you may contact our Data Protection Officer by 
    emailing: complianceteam@zero.co.uk