Introduction

Your right to privacy is important to us. We take the security of your information seriously and have strict policies and processes in place to ensure it remains safe. This Privacy Policy describes the way we collect your information, how we use it and why.

Citysave Credit Union Ltd, will manage your data in line with the requirements of the Data Protection Act 2018. Citysave Credit Union Limited will act as the ‘data controller’ for your personal data if you apply for or hold an account or service with us. Under the Data Protection Act, the ‘data controller’ is responsible for ensuring that your information is lawfully and properly processed.

The information we hold about you

To enable us to provide you with accounts and services, we require certain details about you. We will ask you to provide most of this information yourself, however, we may also seek further data using external sources, such as credit reference agencies.

There may be occasions where you provide us with information about another person, for example, if you are applying for an account on behalf of a child. In this case, we will assume that you have permission to provide this information and that the other person understands how we will use their information and has no objection.

We will not be able to provide you with an account or service if you do not supply us with the necessary information to do so, or if you do not give us your permission to process your information.

The type of personal information you might expect us to hold about you includes:

Your personal details, for example, your name, date of birth, address, telephone number, email address, National Insurance number and, in some instances, sensitive data such your financial circumstances.

Information about the accounts you hold with us (or have previously held with us)and the transactions on those accounts.

Records of our contact with you, for example:

Notes on our systems, emails or other electronic communications and written correspondence. We will record and monitor telephone calls for training purposes and to check and improve the quality of our service.

Depending on the accounts or services you apply for, or hold with us, we may also record additional personal information such as your income, employment details, financial commitments, or details of a credit search.

All the data we hold is stored in line with the organisation’s data retention policy as well as our obligations under law.

How we use your information

We use your information to assess every application you make for an account or service, to manage your accounts, develop our services and ensure that we complywith the legislation that governs our activities. We will use your information specifically to:

• Confirm your identity when you apply for an account or service
• Assess your application for an account or service. Depending on the type of account you apply for, this may include assessing lending and fraud risks and credit scoring, for example, if you apply for credit.
• Set up and provide the accounts you have requested and keep our records up to date
• Meet our legal and regulatory obligations and for crime prevention/detection
• Test computer systems to ensure the continuing security and integrity of our systems
• Provide members with important updates regarding the business
• Carry out customer surveys and statistical analysis to enable us to improve our products and services

Who we share your information with

We will only share your information with other organisations for the reasons detailed below, and will not provide your personal details to third party organisations for marketing purposes.

Confirming your identity
All financial institutions are required by law, under Money Laundering legislation, to confirm a customer’s identity. We may, therefore, supply your information to a specialist external agency to help us confirm your identity. We may occasionally need you to re-confirm your identity. For example, if you move address, change your name or during the process of screening accounts to protect the business from financial crime

We will request details about a nominated beneficiary, you are required to contact us to inform of any changes to the nominations. Where you are not able to provide us with this information, we may not be able to open an account for you. Please note: The nomination cannot be overruled by the contents of the member’s will unless they also formally change their nomination with the credit union prior to their death.

Managing your payroll deduction requests
If you ask us to request your Employer to make payments to us from your net pay, we will share certain personal data with your Employer to facilitate the payroll deduction and periodic settlement of amounts to your Citysave account.

Credit checking
In order to process credit applications you make we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity.

We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. Your data will also be linked to the data of your spouse, any joint applicants or other financial associates. This may affect your ability to get credit. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at:

• Transunion at www.transunion.co.uk/crain
• Equifax at www.equifax.co.uk/crain
• Experian at www.experian.co.uk/crain

They may retain information for up to 6 years after any credit agreement between us has ended. When we share this information all parties conform to industry standards. Credit Reference Agencies also share information about people with many financial organisations. Their records can tell us:

• whether you have kept up with paying your bills, rent or mortgage, and other debts
  such as loans, phone and internet contracts;
• your previous addresses;
• information on any businesses you may own or have owned or directed;
• whether you are financially linked to another person, for example by having a joint
  account or shared credit;
• whether you have changed your name;
• whether you have been a victim of fraud.

Where you are financially linked to another person their records can provide us with details about that person’s credit agreements and financial circumstances.

They also use publicly available information to record information about people, including information from:

• The Royal Mail Postcode Finder and Address Finder;
• The Electoral Register;
• Companies House;
• The Accountant in Bankruptcy and other UK equivalents;
• The Insolvency Service and other UK equivalents;
• County Court Records.

This tells us, among other things:

• Your age, address and whereabouts;
• whether you are on the Electoral Register;
• whether you have been declared bankrupt;
• whether you are insolvent; and
• whether there are any County Court Judgements against you.

Credit Reference Agencies may also be Fraud Prevention Agencies. We use this information to help us make sure we are lending our money responsibly and to help us decide whether a loan is appropriate for you. We cannot do this without:

• confirming your identity;
• verifying where you live;
• making sure what you have told us is accurate and true;
• checking whether you have overdue debts or other financial commitments; and
• confirming the number of your credit agreements and the balances outstanding together with your payment history.

We also have a duty to protect the Credit Union and the wider society against loss and crime, so we use and share Credit Reference Agency information:

• to identify, prevent and track fraud;
• to combat money laundering and other financial crime; and
• to help recover payment of unpaid debts.

We use information in this way to fulfil our contract to you, to meet our legal and regulatory responsibilities relating to responsible lending and financial crime, to protect the Credit Union from loss, to pursue our legitimate interests and to prevent crime.

Automated assessment
We may use automated decision making in processing your personal and financial information to make credit decisions. 

It is our policy to manually review automated decisions whenever possible. However, you have the right to request a manual review of the accuracy of any decision we make if you are unhappy with it. The Credit Union uses a company called NestEgg Ltd to process this data on our behalf. NestEgg Ltd provides an automated ‘decision’ to help the Credit Union make it easy for members to apply for loans and savings accounts. NestEgg Ltd is not responsible for making decisions, they do not see your personal information. Their software makes a recommendation to a loans officer. When you apply for a loan and / or savings account up to five searches may appear on your credit file. For the purposes of credit scoring, this will typically only affect your credit score as if one credit application were made. Each of these five ‘footprints’ relate to the different sources of data being used to assess an application; these include the credit report itself and an affordability check. The Credit Union needs to prove the information belongs to you which is when an ID check is required. In cases where an application is made by a new member; the Credit Union will use an ID check and may also run a report to check ownership of any bank account details you may give us. These checks are required by law to prevent money laundering. Some of these footprints will be in the name of NestEgg Ltd and others in the name of the Credit Union.

Fraud Prevention Agencies
We use your information to carry out checks for the purposes of preventing fraud and money laundering. These checks require us to process and share personal data about you.

The personal data can include information that you have shared with us in making your loan application, other information we have collected or hold about you, or information we receive from third parties such as Credit Reference Agencies.

We will share your:

• name;
• address;
• date of birth;
• contact details;
• financial information;
• employment details;
• Device identifiers, including IP address; and
• Any other information that it is in our legitimate interest to share in order to prevent or detect fraud, or that we are legally obliged to provide.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime. We process your data in these ways because we have a legitimate interest in preventing fraud and money laundering in order to protect our business and to comply with laws that apply to us. Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, for up to six years. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the loan or any other services you have asked for. We may also stop providing existing services to you. A record of any fraud or money laundering risk will be retained by fraud prevention agencies and may result in others refusing to provide services, financing or employment to you. If you have any questions about this then please contact us.

Fraud reporting
All financial institutions are required by law, under Money Laundering legislation, to report any suspicious transactions to the National Crime Agency, the police and other law enforcement agencies for crime detection and prevention purposes. If we suspect fraudulent activity on any application or account we will notify the appropriate fraud prevention agencies, such as Action Fraud, CIFAS, National Hunter, SIRA, as well as law enforcement agencies.

Tax reporting
We are required to provide information about you and your savings accounts to HMRC for tax reporting.

Our suppliers and third parties that provide services to you

Examples of suppliers we use or third parties we appoint to provide services to you are:

• Mailing, our mobile app, data management and information technology suppliers.

Please note that from time to time, we may change the suppliers or third parties we use or appoint to provide services. Where we appoint a supplier to provide a service on our behalf, they must meet our stringent requirements regarding the security and privacy of our customers’ data. Occasionally we, or our suppliers, may transfer data to countries outside of the European Economic Area. These countries may not have the same standard of data protection laws as we do here in the UK. In these circumstances, we will take the necessary steps to ensure that the transfer of your data is in line with the UK data protection requirements, and that your information is treated securely, and protected to a similar standard. Organisations based outside of the EEA may be required to provide your information to foreign authorities.

Other occasions we may be required to share your information with:

• A legal representative acting either for us or you
• Debt counselling advisors, Debt collection agents or other specialist service providers, should you fall into payment difficulties or be unable to repay your outstanding loan balance
• Your landlord. Typically, this will be under an express data share consent to validate information you provide regarding your property tenancy.

We may also share your information with:

• The Financial Ombudsman Service, for example, if you have made a complaint
• Our regulators
• Another organisation, should we ever sell or transfer our business.
• to anyone in connection with a reorganisation or merger of the credit union’s
  business

Visitors to our website

Use of Cookies by our website

Our website uses a content management system to allow us to update content and images. Our site is hosted at Rackspace in London and uses Cloudflare to provide a secure barrier that provides complete DDoS protection. These include (but are not limited to) ingress filtering by the hosting ISP and also unlimited global anycasted DDoS protection provided by Cloudflare

Citysave and their development and hosting partners MAXX Design and Kovalent Systems host Citysave public website services only on leading, established and trusted networks including Amazon AWS, Digital Ocean and Cloudflare.

We use Google Analytics to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. The User and Event Data Retention within Google Analytics is set to ‘Do Not Automatically Expire’. Google Analytics data will be stored indefinitely, subject to acceptance and interaction of Google Analytics cookies.

A list of the Cookies we use can be found below:

Google Analytics
Our website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help us analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for our website operators and providing other services relating to website activity and internet usage.

Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do this you may not be able to use the full functionality of this website.

To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout

Links to other websites
Our website may contain links to other websites run by other organisations. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

In addition, if you linked to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.

How to access or change the information we hold

You have the right to access the personal information we hold about you under the Data Protection Act 2018; this is called a Subject Access Request. The request can be made regardless of the communication method. With effect from 25th May 2018 such requests can be made under the provisions of GDPR and will be free of charge. However, Citysave reserves the right to charge a reasonable fee to cover administrative costs associated with the request or refuse to provide information at all if the request is deemed manifestly unfounded or excessive.

If you have any questions about the way in which we collect or process your information, please contact us. Similarly, if the information we hold about you is incorrect or out of date, please let us know and we will investigate further to correct any inaccuracies.

You can also find out more about your rights under the Data Protection Act and GDPR by visiting the Information Commissioner’s Office website at ICO.org.uk or by writing to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Changes to this privacy policy

We can update this Privacy Policy at any time and ideally you should check it regularly updates by visiting www.citysave.org.uk . We won’t alert you for every small change, but if there are any important changes to the Policy or how we use your information we will let you know and where appropriate ask for your consent.

If you wish to learn more about the Data Protection Act 2018 you can visit: https://www.gov.uk/data-protection

If you wish to lean more about the Information Commissioners Office you can visit: https://ico.org.uk/for-the-public/

Retaining your information

We will need to hold your information for various lengths of time depending on what we use your data for. In many cases we will hold this information for a period of time after you have left the credit union in line with our legal requirements.

Any discussions via the digital chatbot will be held for a total of 30 days, after this point the chats will be removed from the archive