Tappily (a trading name of Indigo Michael Ltd) are committed to protecting and respecting your privacy at all times.

This policy sets out the basis on which any personal data we collect from you, or that you provide to us when you use or make an application to use the facility, visit our website https://www.tappily.co.uk/terms-of-use or otherwise communicate with us will be processed. In this policy, we will also outline the lawful basis for processing your data, why we wish to collect the data, and what your rights are in regard to the data.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

The data controller of the personal data we collect from your or that you provide to us is Indigo Michael Limited. Registered office 10 Brick Street, Mayfair, London, W1J 7HQ Registered number: 07721420

    We will use your personal data for some or all of the reasons set out in this policy. Examples of the personal data we use for the facility may include:
      Bank transaction data
    1. As part of the application, you give us consent to access, view, represent and copy up to 366 days of your online banking transaction history from your chosen bank account, and subsequently on a daily basis thereafter. This will include the transaction history of any joint accounts you hold, and the joint account holder name.
    2. Indigo Michael is approved by the Financial Conduct Authority (FCA) to perform Account Information Services (AIS) as a regulated activity under licence number 918778.
    3. Other personal data
    4. Facility application data - your name, address, email address, date of birth, telephone numbers, residential status, time at address, employment details and financial information including income and expenditure.
    5. Correspondence, or a record of it, if you should contact us or we contact you and recordings of telephone calls between us.
    6. Voluntary surveys that we use for research purposes, should you choose to respond to them.
    7. Credit reference and fraud prevention data pertaining to you and any financial associates.
    8. Publicly available information including, but not limited to, electoral roll, county court judgements, bankruptcy and insolvency information.
    9. Proof of identification or details required to confirm or verify your identity, address, bank account or payment card.
    10. Details of your visits to our website (including, but not limited to, traffic data, location data, IP address, weblogs and other communication data, whether this is required for our own billing purposes or otherwise) and the resources that you access.
    11. Information from third parties in respect of you which may include information from a lead provider/credit broker, if you have applied to them for a loan and they pass your information to us.
    12. Personal data about other named individuals as required. You must have their authority to provide their personal data to us and share this privacy policy with them beforehand together with details of what you’ve agreed on their behalf.
    13. We may also ask you for information when you report a problem with our website.
    14. Sensitive Data
    15. In some circumstances we may also collect and process special categories of personal information such as health data. This is to help ensure that our services are accessible and so that we can identify vulnerability and offer appropriate levels of support where required.
    You are responsible for the accuracy of any information you provide to us. If the data is inaccurate or incomplete, you have the right to request it to be corrected (see Your Rights below).
    We will only use your personal data where we have a lawful basis to use it. We will only use your data where it is necessary for us to perform our contract with you (for example, to fulfil your loan agreement), or in a way which might reasonably be expected as part of running our business and which does not materially impact your interests, rights or freedoms. Please get in touch with us using the contact details provided at the end of this policy if you would like further information about this

    We may sometimes need to use data to comply with our legal obligations (for example to pass on details related to fraud). In other instances, we will ask for your consent to use your data, for example, where you sign-up to receive marketing from us or consent to use accessing your online banking transaction history.

    Further details of how we use your personal information and the legal bases we rely on are provided below.

    How we use your Information Legal Basis
    We will use your Bank Transaction Data to assess your credit worthiness, and to make on-going lending and collecting decisions. You consent for us to access and process bank data.
    We will use the financial information you provide to us (e.g. income and expenditure) to ascertain your ability to meet prospective repayments in an affordable and sustainable manner. Compliance with legal obligations
    If you consent to us accessing and processing your Bank Transaction Data, we will use bank transaction data about your joint accounts, including the name of the joint account holder, to to verify your identity, help make our lending decisions and prevent fraud and/or money laundering. Compliance with legal obligations
    To provide and manage your facility and our relationship with you. Performance of a contract
    We will use the information provided to us by credit reference and fraud prevention agencies to verify your identity, help make our lending decisions, prevent fraud and/or money laundering and to manage accounts once we begin our relationship.
    We will search credit reference and fraud prevention agencies for information on all applicants. If you give us false or inaccurate information and we identify fraud, details may be passed to credit reference and fraud prevention agencies.
    Compliance with legal obligations
    To communicate with you by telephone, email, SMS or post using the details you have provided in relation to your application/agreement with us. Performance of a contract
    To help us analyse and improve our business, to develop marketing strategies, to develop products and improve our customer services to you. Where it’s in our legitimate interests to improve business and our service to you
    To keep you informed about products and services you hold with us. Performance of a contract
    Subject to applicable data protection law, we may share your personal data with third parties in the following circumstances:
    1. To those who provide a service/act as our agents/give professional advice, to prepare any communications to you or to assist us in connection with any of our business functions. For example, legal service providers, IT service providers and payment processors. These third parties will be subject to contractual or other legal obligations to keep your personal data confidential and only use it for the purpose of providing the service to us. Wherever possible, we will anonymise your personal data before it is transferred to these third parties.
    2. To Credit Reference Agencies and Fraud Prevention Agencies (see section 5).
    3. With your consent, to the Vulnerability Registration System (VRS) in order to allow other lenders and organisations, with which you may already have a relationship, to be aware of your change in circumstances when, for example, dealing with any repayment issues you may have (see Section 6).
    4. To a third party such as a debt collection agency if repayments are not met as outlined on your contract for a prolonged period of time (you will be notified prior to the transfer).
    5. In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets and/or their and our legal advisors.
    6. To other members of our group where required for management information and forecasting purposes or where they provide services to us.
    7. To law enforcement (such as the police) or other public bodies if there is a legal obligation and we are formally required to do so.
    Some of our group companies and service providers are located in countries outside of the UK and the EU. For example, our group company Account Technologies US LLC deals with some of our customer queries and complaints on our behalf.

    As a result, it may be necessary for the personal data that we collect from you to be transferred to or accessed from outside the UK or the EU in order for us to provide our services.

    If we do this, we have procedures in place to ensure your data receives the necessary protections. Where we transfer your personal information to countries deemed to provide an adequate level of data protection by the European Commission or the UK Government as applicable, we rely on that decision to transfer your personal information. For transfers to group companies and service providers outside the UK or the EEA where no adequacy decision applies, we use standard contractual clauses or other transfer tools provided for in the applicable data protection legislation to protect your personal information. Any transfer of your personal data will follow applicable laws and we will treat the information according to the principles set out in this policy.

    If you would like further information or a copy of the standard contractual clauses we use, please get in touch with us using the contact details provided at the end of this policy.
    1. We use Credit Reference Agencies (CRAs) to assess your application for credit and fulfil our legal obligations (e.g.e.g. to assess affordability and verify your identity to prevent money laundering). We may also make periodic searches at CRAs to manage your account with us.
    2. When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders. Information on credit applications and details of how you manage your account with us will be sent to CRAs and will be recorded by them. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. If false or inaccurate information is provided and fraud is identified, details will be passed to fraud prevention agencies.
    3. If you tell us that you have a spouse or financial associate, we will link your records together so you must be sure that you have their agreement to disclose information about them. CRAs also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
    4. The information held by CRAs may be supplied by them to other organisations which make searches of your credit record such as lenders, debt recovery agents, law enforcement agencies and insurers. Records remain on file for 6 years after they are closed, whether settled by you or defaulted.
    5. More information about CRAs and, their additional role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs is provided in the Credit Reference Agency Information Notice (CRAIN) available at https://www.equifax.co.uk/crain.html . You can also contact the major CRAs directly:
    6. We are a member of Cifas who allows us to use your data to search the National Fraud Database for fraud prevention purposes. The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found in the Cifas full Fair Processing Notice here: https://www.cifas.org.uk/fpn.
    1. We are a member of the Vulnerability Registration System (VRS). The VRS is a service which offers individuals control over the risk of running up debt or financial stress.
    2. The VRS allows lenders and organisations with which you may already have a relationship, to be aware of any change in your circumstances which affects your financial circumstances.
    3. One way of helping you do this is to register with the VRS. Registration with the VRS would ensure that any lender or organisation using the service must first check with the register if you were to apply to them for a loan or other credit or financial facility, or when dealing with any repayment problems you may have. Lenders or organisations then know to take your personal circumstances into account without you having to explain it to them.
    4. More information about the VRS can be found at www.vulnerabilityregistrationservice.co.uk.
    5. In order to register with the VRS, we’ll need to provide them with some of your personal data. To know more about how this works, please read the VRS Privacy Notice which you can access at https://www.vulnerabilityregistrationservice.co.uk/privacy-policy/.
    6. If you do register with the VRS, lenders/organisations will see your name and address and the fact that you have registered with the VRS together with your vulnerability flag so that users of the VRS know to best to treat your application. A list of current members of the service can be accessed at https://www.vulnerabilityregistrationservice.co.uk/members/.
    7. By providing your consent when applying for a facility, you are consenting to the processing of your personal data by VRS and those lenders/organisations that use the service for the reasons identified above. You can revoke your consent at any time by contacting VRS and your registration will expire automatically after 3 months.
    We use automated decision-making software to underwrite your loan. Our automated decision-making systems includes but is not limited to the following inputs:
    1. Credit model and affordability algorithms – calculations to decide credit limits and affordable repayment levels
    2. Employment verification
    3. Anti-fraud and Anti-money laundering databases
    4. Other data sources that provide inputs that show your creditworthiness, affordability or fitness to receive credit
    The use of automated decision-making software is a requirement to enter into a loan agreement with us. You have the right to request that we undertake a manual review of the results of the automated decision rendered by contacting us on 0800 180 8400.
    1. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access. We ask you not to permit anyone to use your profile.
    2. We will only keep your personal data for as long as we need to for the reason we collected it, as set out in this privacy policy. For example, for as long as needed to allow us to fulfil your loan agreement or to provide any customer services support you have requested. We may also keep hold of some of your personal data if we are required to do so for legal purposes, for example, to meet our legal or regulatory requirements or to prevent fraud and abuse. For example, we will keep your details of our lending to you for at least six years after you apply for a loan agreement with us to allow us to comply with our legal obligations.
    1. Where we have obtained your contact details during the course of applying for our products and services, we may contact you using these details by electronic methods including telephone, e-mail, or SMS with information about similar products and services we provide, unless you have opted out of receiving such marketing communications.
    2. You may opt-out at any time from receiving any marketing communications from us by contacting us using the details at the end of this policy. You may also opt-out of any SMS marketing by following the instruction in the message itself. Likewise, you can opt-out of any email marketing by responding to any of our email communications with “remove” in the subject line, or by sending us an email to help@tappilymail.co.uk or writing to us at Indigo Michael Ltd t/a Tappily, PO Box 1515, High Wycombe, HP11 9JE. We are not responsible for stopping unwanted communications from sources beyond our control. If you opt-out of receiving marketing communications, we will honour such choice once we have had a reasonable opportunity to process your request. We reserve the right to take reasonable steps to authenticate your identity with respect to any such request or other enquiry.
    3. Where you have provided your consent, we may share your personal information with named third parties for marketing purposes (for example if we decline your loan application and you agree we can pass you information to another lender or credit broker who may be able to assist you in finding a loan).
    4. For the avoidance of doubt, we will never use Bank Transaction Data or special categories of personal information such as health data for marketing purposes..
    You have rights relating to the way that we use your information and can make certain choices. For example, you can request:
    1. Access to the personal data we hold about you (commonly known as a "data subject access request") including a copy of it;
    2. The correction of the personal information that we hold about you if it is incomplete or inaccurate;
    3. The deletion or removal of personal data we hold about you where there is no good reason for us continuing to process it or where you have exercised your right to object to processing (see below);
    4. For our processing of your personal information to be restricted in certain circumstances, for example if you want to establish its accuracy or the reason for processing it; and
    5. To obtain a copy of the personal information you’ve provided us with and to reuse it elsewhere or to ask us to transfer it to a third party of your choice.
    Where we are relying on your consent (for example, to send you marketing), you can withdraw your consent at any time.

    To use any of the rights set out above, or to discuss any other issue relating to your information, please contact us using the details at the end of this policy.

    If you have any concerns about the way we use your information, you also have the right to complain to the Information Commissioner's Office, which regulates the use of personal information in the UK, by calling 0303 123 1113 or via www.ico.org.uk/make-a-complaint/. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance.
    From time to time we may make changes to this policy and how we use your information in the future. If we do this, we’ll post an updated version of this policy on our website.

    From time to time, our website may contain links to third parties. These third parties have their own privacy policies and we do not accept responsibility or liability for these policies.

    If you have any questions about this privacy policy, how we treat your personal data and protect your privacy or if you have any other concerns please contact the Data Protection Officer at Indigo Michael Ltd t/a Tappily, PO Box 1515, High Wycombe, HP11 9JE or email to DPO@tappilymail.co.uk.