Privacy Policy

Last updated July 2025 - Privacy Policy

We are committed to protecting the information we hold about you. This Privacy Policy is to let you know how Lendable gathers and processes your personal information. This privacy notice also explains how others, such as third parties, and other companies in the Lendable Operations Ltd group will process your personal information.

If you have any questions or want to exercise any of your rights set out in this Privacy Policy, please contact us at contact@lendable.co.uk.

Certain sections of this Privacy Policy may only apply to customers who hold certain accounts with us (for example, a Zable or thimbl credit card account, or a Zable loan account). If this is the case, we have made this clear in this Privacy Policy.

Who are we?

We are Lendable Limited, trading as Zable. Our registered office is at Telephone House, 69-77 Paul St, London, EC2A 4NW and we are registered in England and Wales under company number 08828186. We are registered on the Information Commissioner's Office (ICO) Register of Data Controllers under registration number ZA041704.

We can be contacted:

by post at Lendable, Telephone House, 69-77 Paul St, London, EC2A 4NW; or

For cards: by email at cards@zable.co.uk or thimbl@zable.co.uk by phone on 020 3322 9128.

For loans: by email at loans@zable.co.uk or by phone on 020 3835 6030; and

Our Data Protection Officer can be contacted by post at the address above.

How do we collect personal information?

We collect personal data about you in the following ways:

• directly from you when you fill in forms on our site, use the Zable app or correspond with us by email, phone or otherwise;
• by observing how you access and use our products and services. For example, how you use our website or how you manage your accounts with us;
• from organisations that have your consent to share your data with us or for a separate legal basis for a specific or defined purpose. This could include for direct marketing or assessing your eligibility for a partner's product which may be suitable for you;
• from public sources, for instance the Companies House register, the individual insolvency register, the ‘Open Register' part of the electoral register
• from search engine results, or your interactions with us (for example, through social media);
• from third party organisations such as Credit Reference Agencies and Fraud Prevention Agencies. The Credit Reference Agencies provide information on your financial behaviour. This is referred to as your credit history and gives lenders information on how you manage your finances (including things like your mortgage, credit cards overdrafts, loans, mobile phone contracts, and utilities)

What personal information do we collect?

We may hold and use various types of personal information collected at the start of, and during your relationship with us. We will limit the collection and processing of these personal data to what is necessary to achieve the purposes identified in this notice.

The information you provide to us must be correct, accurate, complete and not misleading.

Personal information may include:

• personal details including your name, address, previous address, phone numbers, email address, date of birth, employment status and home ownership details;
• financial and banking information including account details and transactional information;
• demographic and lifestyle information;
• behavioural biometrics (including biometric data and information such as the way you use your device for any App we make available to you, or online service, or when making online payments or payments through our app, or your monthly data usage and other device metadata);
• information collected from Credit References and Fraud Prevention agencies. We will collect this information at the point you first enquire about your Zable or thimbl credit card or your Zable loan and on a continuing basis as we manage your card;
• details of the Zable and/or thimbl credit card(s) and/or the Zable loan(s) that you hold and have held with us;
• details of any contacts that we have had with you;
• details of how you applied for your Zable or thimbl credit card or your Zable loan (for example which browser you applied with);
• details of any contact with us including any telephone, email or other communication with you;
• information collected through customer feedback surveys;
• tenancy related data if the rent reporting feature is made available to you in the Zable App and you give authorisation for such reporting. Tenancy data includes but is not limited to: tenancy start date, contract length, tenants named on the contract, rent information, and contact data;
• open banking data that you have authorised us to access;
• credit score and credit report related data from Equifax if you instruct them to provide us with this data on your behalf, to allow us to provide you with insights into your credit history and the factors affecting your score; and
• in some circumstances we may also collect and process special categories of personal information. In particular, we may process personal data that relates to your health (such as your medical history), biometric data, and any other information relating to criminal convictions and offences. This is to help ensure that our services are accessible and so that we can offer appropriate levels of support where required.

How do we use your personal information?

We may use your information:

• to process and complete your application for a Zable or thimbl credit card or a Zable loan;
• to supply services to you, including through the Zable App;
• to search Credit Reference Agencies' ("CRAs") and Fraud Prevention Agencies' records. For example, if you apply for a product with us, we may make periodic searches at CRAs to offer you other products and services which we consider to be of interest to you;
• to make an initial lending decision and to assess your eligibility for additional borrowing;
• to set up and process payments and prevent fraudulent transactions;
• to communicate effectively with you when applying for, agreeing to and undertaking the Zable or thimbl credit card and/or Zable loan agreement(s),
• to effectively answer and manage any questions, concerns or complaints you may have;
• to update our records and maintain your account with us;
• to offer you products and/or services that may be of interest to you, where you have consented to be contacted for such purposes. This may us include making periodic searches at Credit Reference Agencies;
• to monitor, review and improve the content and appearance of our website, to ensure it is presented in the most effective manner for you;
• to maintain and develop our business systems, including without limitation, testing and upgrading them;
• to trace your whereabouts if we cannot contact you;
• to recover any money you owe us;
• to comply with our legal and regulatory obligations;
• for any other specific purpose which we notify you of at the time your personal information is collected;
• to pre-populate fields on our site to make it easier for you to navigate when you return to our website and login as an existing customer;
• to help us analyse our business and develop marketing strategies, develop products and improve our advertising materials; and
• to share your personal information (for example, your mobile number and email address), in a secure format, with advertising companies who can match this to personal information they already hold about you for the purposes of measuring advertising effectiveness, and to display or suppress messages to you about our products or services. If you do not want us to share your personal information with advertising companies for this purpose, you can tell us not to.

We may monitor and record calls, emails, SMS and other communications to ensure transactions are executed correctly, detecting any vulnerabilities you may have, and for security, quality control, training and fraud prevention purposes.

If we cannot offer you a product, we may check your eligibility for loans and/or other relevant credit products from our panel of trusted lenders and brokers. We will always seek your consent to do this and in assessing eligibility our partners will always use soft checks which will not impact your credit file.

Our partners include:

• Aro Finance Limited https://aro.co.uk/terms-and-conditions/, https://aro.co.uk/privacy-policy/
• Creditec Limited https://legal.creditec.co.uk/terms-and-conditions/, https://legal.creditec.co.uk/privacy-policy/

Why do we process your personal information?

We will only collect and use your personal information where it is necessary for us to carry out our lawful business activities. Our grounds for processing your data are as follows

Contractual necessity

We may process your information where it is necessary to enter into a contract with you or to perform our obligations under that contract or any service you have given us authorisation to carry out. Please note that if you do not agree to provide us with the requested information, it may not be possible for us to continue to operate your account and/or provide products and services to you.

This may include processing to:

• assess your eligibility for the products and services we provide;
• sharing information to assess your creditworthiness with credit reference agencies, fraud prevention agencies, and account information service providers;
• assess your eligibility for similar products including new loans and credit cards. This may include making periodic searches at credit reference agencies; and
• provide and administer the products we offer, including:
  • setting up your account;
  • verifying your contact information;
  • collecting and providing to you required information and documents including statements and formal notices;
  • disbursing money and processing payments;
  • to manage fees, charges and interest due on your account;
  • to send you service communications and notices required by law;
  • to collect and recover outstanding sums owed to us;
  • to provide you with insights into your credit history and the factors affecting your credit score; and
  • to address any enquiries or complaints we receive from you or a representative you have appointed.

Legal obligation

We may process your data where it is a legal or statutory obligation on us.

This may include processing to:

• confirm your identity;
• detect, investigate and report transactions in order to comply with laws relating to money laundering, financial crime and international sanctions;
• assess affordability of any credit products for which you apply;
• detecting, investigating and reporting financial crime, and taking measures to prevent this;
• maintain records of our business as required by law, e.g. creating and keeping record of company accounts;
• complying with laws which require us to provide information, directly or indirectly to any national authority, for the purpose of calculating and collection of tax;
• responding to enquiries and requests for information by any of our Regulators including the Financial Conduct Authority and Information Commissioner's Office;
• creating and submitting reports required by any of our regulators;
• to otherwise meet our obligations under all laws and regulations based on law which apply to our business activities; and
• where we have a duty to protect vulnerable customers and provide them with support.

Legitimate interest

We may process your information when we have a business or commercial reason to do so. If we do, it must not unfairly go against what is right and best for you. If we rely on our legitimate interest, we will tell you what that is.

This may include processing to:

• develop new products and services and identifying which may be of interest to you;
• give you information about our products and services that you may be interested in;
• share information with you about our products or services that may be of interest to you by using social media companies;
• contacting you to make you aware of such products and services, where we have the relevant permission to do so. This may include a reasonable period after your relationship has ceased with us;
• collect information in order to perform statistical analysis, analytics and profiling, for example, to create scorecards, models and variables in connection with the assessment of credit, fraud, vulnerabilities, risk or to verify identities, to monitor and predict market trends, and for analysis such as loss forecasting;
• monitor, review and improve the content and appearance of our website or app(s), to ensure that content from our website or app(s) is presented in the most effective manner for you assess how our customers use our website, products and services;
• maintain and develop our business systems, including without limitation, testing and upgrading them;
• share information with organisations who introduce you to us under a commercial agreement;
• share information to assess your creditworthiness;
• assess your eligibility for credit line increases;
• assess your eligibility for other products including fixed term loans. This may include making periodic searches at Credit Reference Agencies and using data from account information service providers;
• recover monies owed;
• sell debts to other firms;
• share with third parties for the purpose of preventing fraud and financial crime; and
• obtain finance for the products we provide.

Who do we share your personal information with?

We may share your personal information with third party companies who provide services on our behalf, and/or third party companies who provide services to us. This may require these organisations to access and process your personal data.

These may include:

• auditors;
• credit reference agencies;
• fraud prevention agencies including CIFAS;
• account information service providers;
• our service providers and agents (including their subcontractors). This may include but is not limited to:
  • debt collection agencies and debt management companies and companies specialising in customer reconnection and general information gathering visits;
  • communications service providers offering mail, email and SMS text services. For example, we may use a third-party tool to enhance our service and assist in responding to your enquiries sent via live chat or email. Your personal data will only be shared with this tool if you disclose it. Lendable will not directly share any account-specific information with this tool; and
  • third parties providing services to us which are necessary for our legitimate interests and where permitted by law, e.g. AI-powered assistant tools to help enhance our service offering, or to support us with the delivery of services to you.
• debt purchasers;
• customer survey providers in order to receive feedback and improve our services (including Trustpilot who will invite you to share your opinion about your service experience with us);
• IT service providers;
• data security providers for debugging and product improvement purposes;
• legal services;
• digital and direct marketing service providers;
• payment processors;
• trusted lenders and brokers who will assess your eligibility for products;
• prospective assignees of your account;
• providers of payment-processing services and other businesses that help us process your payments, as well as other financial institutions that are members of the payment scheme (for example, Visa). For example, where you have taken out a loan with us, we use GoCardless to process your Direct Debit payments. More information on how GoCardless processes your personal data and your data protection rights, including your right to object, is available at https://gocardless.com/legal/privacy;
• anyone we transfer or delegate (or may transfer or delegate) our rights or obligations to, as allowed under the terms and conditions of any contract you have with us; and
• your advisers (such as accountants, lawyers and other professional advisers) who you have authorised to represent you, or any other person you have told us is authorised to give instructions, or use the account, products or services, on your behalf (such as under a power of attorney); and

Sending personal data outside of the EEA

To deliver services to you, we, or one of our service providers, may transfer your personal data to countries outside either the UK or the European Economic Area (“EEA”), whose personal data protection laws are less strict than in the UK or the EEA.

Where we or one of our service providers do so, we will make sure suitable safeguards are in place to protect your personal data, in line with data protection law. The safeguards we use will depend on the circumstances and the third party who we transfer data to, but include relevant clauses in contracts or the ICO’s International Data Transfer Agreement to make sure the personal data is sent and received in line with any laws that apply.

Please contact contact@lendable.co.uk if you want to know more details about the above safeguards or obtain a copy of the standard contractual clauses we use to transfer data outside the UK and the EEA.

How do we use Credit Reference Agencies?

If you instruct Equifax to provide us with your credit score and credit report through the Zable App, we will provide you with insights into your credit history and the factors affecting your credit score.

If you choose to apply for a product with us, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs”) to allow us to process your application. Where you take services from us we may also make periodic searches at CRAs to manage your account with us and assess eligibility for new loan products after your loan has ended. To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

• assess your creditworthiness and whether you can afford to take the product;
• verify the accuracy of the data you have provided to us;
• prevent criminal activity, fraud and money laundering;
• manage your account(s);
• trace and recover debts;
• ensure any offers provided to you are appropriate to your circumstances and
• assess your eligibility for a similar loan product after your loan has ended.

We will continue to exchange information about you with CRAs while you have a relationship with us. (Periods after where will have an obligation to report) We will also inform the CRAs about your accounts including settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt and payment performance. This information may be supplied to other organisations by CRAs.

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

Where you have a financial association with someone your records may be linked, so you should discuss your application with them before you make it. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully file for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at https://www.transunion.co.uk/crain. If you’d like to understand how credit reference agencies use and share personal data (including the legitimate interests they pursue) please read the Credit Reference Agency Information Notices (CRAIN) is also accessible from each of the three CRAs

Clicking on any of these three links will also take you to the same CRAIN document:

• TransUnion: https://www.transunion.co.uk/crain
• Experian: https://www.experian.co.uk/crain
• Equifax: https://www.equifax.co.uk/crain

Rent Reporting Feature:

When using the Zable App, and provided this feature is made available to you, you may ask us to report your rental payments and track record as a tenant with Equifax. Equifax will add this information to the credit reference data it holds about you and use it as a controller, in accordance with its fair processing notice (a copy of which can be found at https://www.equifax.co.uk/About-us/Privacy_policy.html), including so that it can be used to assist other landlords and organisations to:

• assess and manage any new tenancy agreements you may enter into;
• assess your financial standing to provide you with suitable products and services;
• manage any accounts that you may already hold, for example reviewing suitable products or adjusting your current product in light of Your current circumstances;
• contact you in relation to any accounts you may have and recovering debts that you may owe;
• verify your identity and address to help them make decisions about services they offer;
• help prevent crime, fraud and money laundering;
• screen marketing offers to make sure they are appropriate to Your circumstances;
• for Equifax to undertake statistical analysis, analytics and profiling; and
• and for Equifax to conduct system and product testing and database processing activities, such as data loading, data matching and data linkage.

Please be aware that Equifax may continue to hold and use your information following any termination of your credit card or loan agreement with us.

How do we work with Fraud Prevention Agencies?

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. The Fair Processing Notices for Cifas provides further details on how your information will be used by us and these fraud prevention agencies, and your data protection rights.

How do we use Account Information Service Providers?

We use a tool provided by TrueLayer Limited (www.truelayer.com) ("TrueLayer") that allows you to send information on your payment accounts to us and other service providers. In order to use this service, you will be asked to agree to their Terms of Service and enter your payment account details with TrueLayer or, for Open Banking connections, you will be redirected to your bank by TrueLayer in order to authenticate yourself.

The Terms of Service set out the terms on which you agree to TrueLayer accessing information on your payment accounts for the purposes of transmitting that information to us.

TrueLayer is subject to UK and EU data protection laws and is required to treat your data in accordance with those laws, as well as the Terms of Service and TrueLayer’s Privacy Policy.

TrueLayer is authorised by the UK Financial Conduct Authority under the Payment Services Regulations 2017 to provide account information services and payment initiation services (Firm Reference Number: 901096). We may also obtain Open Banking data from other third parties which may include details of your transactions with other financial institutions.

Consequences of Processing

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.

Data Transfers

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks' intended to enable secure data sharing.

How can you amend your preferences?

When we first collect your data we will give you the opportunity to amend your preferences. Any electronic marketing communications we send you will include clear and concise instructions to follow should you wish to unsubscribe at any time. You may also amend your contact preferences in the following ways or by logging into your online account and amending details there;

• by logging into your online account and amending details there;
• by emailing us at cards@zable.co.uk; or thimbl@zable.co.uk or
• by calling us on 020 3322 9128.

What are your personal data rights?

As a data subject, you have a number of rights:

• the right to access the personal data we hold about you;
• the right to rectify inaccurate personal data or complete it if it is incomplete;
• the right to have your personal data deleted;
• the right to request restriction of or suppression of your personal data;
• the right to obtain and make use of your personal data for your own purposes across different services (“portability”);
• the right to object to the processing of your personal data in certain circumstances;
• rights related to automated decision-making including profiling, and
• the right to withdraw consent at any time. In certain circumstances, we may need to get your consent before we can access or process your personal data. If this happens, we will always ask for your consent first. If you have given us consent in the past but subsequently change your mind, you can withdraw your consent at any time by emailing cards@zable.co.uk or thimbl@zable.co.uk.

Your data protection rights are subject to certain restrictions and conditions and financial organisations are required to retain a range of your information for legal and regulatory reasons including responsible lending and the prevention of financial crime. We are required to keep a record of the information reported to the Credit Reference Agencies about you and will therefore retain repayment information regarding your account for six years from the end of the relationship (where your account settled and closed). If your account is recorded as defaulted, the data is kept for six years from the date of the default. This may be extended where we require this to bring or defend legal claims.

If you think that any of the personal data we hold about you is wrong or incomplete you have the right to challenge it.

We will not make a charge for handling your rights request, unless we consider it to be manifestly unfounded or excessive involving a disproportionate effort (particularly if this is repeated request). If you would like to exercise any of the rights outlined above, you can make a request by calling 020 3322 9128 or in writing by emailing cards@zable.co.uk or thimbl@zable.co.uk.

We will assess your request and if we decide not to act upon it or place certain restrictions on it, we will inform you of our reasons for this.

You have the right to complain to us and to the data protection regulator, the Information Commissioner's Office. Their address is: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. They can be contacted by phone on 0303 123 1113 (local rate) or 01625 545745 if you prefer to use a national rate number.

You can find details on how to report a concern at: https://ico.org.uk/make-a-complaint

‘Special categories' of personal data

We will not typically ask you for any ‘special categories' of personal data. This is also referred to as ‘sensitive personal data' and includes information revealing an individual's political opinions, racial or ethnic origin, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning an individual's sex life or sexual orientation.

We may process personal data about your health or medical conditions, where we need to understand this to provide you with support, or to make adjustments in how we provide you with information or provide you with additional services that you may need. Companies acting on our behalf specialising in identifying vulnerable customers or customer reconnection and information gathering visits may also process personal data about your health or medical conditions for this purpose. If we process such data, we will do so to comply with our legal obligations to support you if you are, or become a vulnerable customer, and to establish, take or defend any legal action.

How long do we keep your personal information?

We will retain your personal data for as long as we are required to under relevant legislation and regulation, and where no specific rules apply, for no longer than it is necessary for our lawful purposes. This will usually be no more than six years from the end of our relationship with you. The retention period of your personal data may need to be extended where we require this to bring or defend legal claims.

We may also retain data for longer periods for statistical purposes, and if so we will anonymise this.

How do we protect your information?

We use leading cloud services that have adopted industry security best practice frameworks to protect your data in transit and at rest.

How do we use automated decisions?

We may use your personal data in automated processes to make decisions about you. You have the right not to be subject to a decision based on solely automated processing, if this will have a legal or other significant effect on you (certain exceptions apply).

We use automated decision making in:

• credit scoring and affordability assessment. We use data collected from yourself through online forms, your use of our site and Credit Reference Agencies and other third parties to assess your creditworthiness and affordability of the product applied for. If you do not agree with the decision you have the right to appeal the outcome of these automated decisions and ask for them to be reconsidered manually. Lendable may require additional relevant information to be provided by you before human oversight of a specific decision will take place;
• managing fraud and money laundering risk identification. If our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with information that you have provided previously, or you appear to have deliberately hidden your true identity we may decide that you pose a fraud and money laundering risk;
• profiling to identify whether you are suitable for products and services we offer and to inform you of these. This profiling will be conducted by ourselves when assessing suitability of existing customers for new loans or credit limit increases on the Zable or thimbl credit card. We will use profiling in conjunction with our partners when developing new prospect marketing campaigns; and
• determining appropriate action to take, where your account has gone into arrears or default. You have the right for this to be reconsidered manually

How do we link to other sites?

Our website may contain hyperlinks to websites that are not operated by us. We urge you to review any privacy policy posted on any site you visit before using the site or providing any personal information about yourself.

What Cookies and other technologies do we use?

We may use cookie technology on our website to collect some of the information detailed in this Privacy Policy. Cookies are small text files stored on your device or internet browser when you visit us. We use cookies mainly to improve the performance of the Autolend website and our service for our customers. Our Cookie Policy explains in more detail what types of cookies we use, why we use them and how to identify and disable them. You can access our Cookie Policy here.

Changes to our Privacy Notice

You can ask us for a copy of this Privacy Notice using the contact details set out above. We may change or update this Privacy Notice from time to time. If changes to this Privacy Notice will have a major effect on what we do with your personal data or on you personally, we will give you enough notice to allow you to exercise your rights (for example, to object to the processing).

Additional information relating to Zable and thimbl Credit Card Customers:

If you are a Zable or thimbl credit card customer, please note that our partner, Transact Payments Limited (“TPL”), is the issuer of your payment card and is the independent Data Controller for the personal data which you provide to us in relation to processing undertaken to enable you to use the card.

TPL Privacy Policy

This policy explains when and why we collect personal information about you, how we use it, the conditions under which we may disclose it to others and how we keep it secure.

TPL is committed to safeguarding the privacy of your information. By “your data”, "your personal data”, and “your information” we mean any personal data about you which you or third parties provide to us.

We may change this Policy from time to time so please check this page regularly to ensure that you’re happy with any changes.

Who are we?

Transact Payments Limited (“TPL”, “we”, “our” or “us”) is the issuer of your card and is an independent Data Controller for the personal data which you provide to us to enable us to issue and maintain the card services. TPL is an e-money institution, authorised and regulated by the Gibraltar Financial Services Commission. Our registered office address is 6.20 World Trade Center, 6 Bayside Road, Gibraltar, GX11 1AA and our registered company number is 108217.

Lendable Limited (trading as ‘Zable’) is the Program Manager for your card program and is an independent Data Controller for any personal data which you provide which is related to facilitating the management of the card program. Lendable Limited is incorporated in England and Wales under company number 08828186 with its registered office at Telephone House, 69-77 Paul St, London EC2A 4NW.

How do we collect your personal data?

We collect information from you when you apply online or via a mobile application for a payments card which is issued by us. We also collect information when you use your card to make transactions. We may also process information from Program Manager, other third- party payment partners and service providers. We also obtain information from third parties (such as fraud prevention agencies) who may check your personal data against any information listed on an Electoral Register and/or other databases. When we process your personal data, we rely on legal bases in accordance with data protection law and this privacy policy. For more information see: On what legal basis do we process your personal data?

On what legal basis do we process your personal data?

Contract

Your provision of your personal data and our processing of that data is necessary for each of us to carry out our obligations under the contract (known as the Cardholder Agreement or Cardholder Terms & Conditions or similar) which we enter into when you sign up for our payment services. At times, the processing may be necessary so that we can take certain steps, or at your request, prior to entering into that contract, such as verifying your details or eligibility for the payment services. If you fail to provide the personal data which we request, we cannot enter into a contract to provide payment services to you or will take steps to terminate any contract which we have entered into with you.

Legal/Regulatory

We may also process your personal data to comply with our legal or regulatory obligations.

Legitimate Interests

We, or a third party, may have a legitimate interest to process your personal data, for example:

• To analyse and improve the security of our business;
• To anonymise personal data and subsequently use anonymized information.

Consent

If it is legally required, we or Program Manager will obtain your consent to share your personal data with third-party providers.

What type of personal data is collected from you?

When you apply for a card, we, or our partners or service providers, collect the following information from you: full name, physical address, email address, mobile phone number, phone number, date of birth, gender, login details, IP address, identity and address verification documents.

When you use your card to make transactions, we store that transactional and financial information. This includes the date, amount, currency, card number, card name, account balances and name of the merchant, creditor or supplier (for example a supermarket or retailer). We also collect information relating to the payments which are made to/from your account. If we are required by law to process additional personal data (for example, if we suspect that there may be fraud related to the use of your card or the payment services linked to it), we will also process that extra personal data.

How is your personal data used?

We use your personal data to:

• set up your account, including processing your application for a card, creating your account, verifying your identity and printing your card.
• maintain and administer your account, including processing your financial payments, processing the correspondence between us, monitoring your account for fraud and providing a secure internet environment for the transmission of our services.
• comply with our regulatory requirements, including anti-money laundering obligations.
• improve our services, including creating anonymous data from your personal data for analytical use, including for the purposes of training, testing and system development.

Who do we share your information with?

When we use third-party service partners, we have a contract in place that requires them to keep your information secure and confidential.

We may receive and pass your information to the following categories of entity:

• identity verification agencies to undertake required verification, regulatory and fraud prevention checks;
• information security services organisations, web application hosting providers, mail support providers, network backup service providers and software/platform developers;
• document destruction providers;
• Mastercard, Visa, digital payment service partners or any third-party providers involved in processing the financial transactions that you make;
• anyone to whom we lawfully transfer or may transfer our rights and duties under this agreement;
• any third party as a result of any restructure, sale or acquisition of TPL or any associated entity, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us.
• regulatory and law enforcement authorities, whether they are outside or inside of the United Kingdom (UK) or European Economic Area (EEA), where the law requires us to do so.

Sending personal data overseas

To deliver services to you, it is sometimes necessary for us to share your personal information outside the UK/Gibraltar e.g.:

• with service providers located outside these areas;
• if you are based outside these areas;
• where there is an international dimension to the services we are providing to you.

These transfers are subject to special rules under Gibraltar data protection law.

These countries do not have the same data protection laws as Gibraltar. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. We will send your data to countries where the Gibraltar Government has made a ruling of adequacy, meaning that they have ruled that the legislative framework in the country provides an adequate level of data protection for your personal information. You can find out more about adequacy regulations here and here.

Where we send your data to a country where no adequacy decision has been made, our standard practice is to use standard data protection contract clauses that have been approved by the United Kingdom government and/or the European Commission. You can obtain a copy of the European Commission’s document here and the UK’s document here.

If you would like further information, please contact our Data Protection Officer on the details below.

How long do we store your personal data?

We will store your information for a period of five years after our business relationship ends in order that we can comply with our obligations under applicable legislation such as anti-money laundering and anti-fraud regulations. If any applicable legislation or changes to this require us to retain your data for a longer or shorter period of time, we shall retain it for that period. We will not retain your data for longer than is necessary.

Your rights regarding your personal data?

You have certain rights regarding the personal data which we process:

• You may request a copy of some or all of it.
• You may ask us to rectify any data which we hold which you believe to be inaccurate.
• You may ask us to erase your personal data (where applicable).
• You may ask us to restrict the processing of your personal data.
• You may object to the processing of your personal data (where applicable).
• You may ask for the right to data portability.
• If you would like us to carry out any of the above, please email your request to the Data Protection Officer at DPO@transactpay.com.

How is your information protected?

We recognise the importance of protecting and managing your personal data. Any personal data we process will be treated with appropriate care and security.

These are some of the security measures we have in place:

• We use a variety of physical and technical measures to keep your personal data safe.
• We have detailed information and security policies to ensure the confidentiality, integrity, and availability of information.
• Your data is stored securely on computer systems with control over access on a limited basis.
• Our staff receives data protection and information security training on a regular basis.
• We use encryption to protect data at rest and anonymization where applicable.
• We have adequate security controls to protect our IT infrastructure and staff computers including but not limited to Identity and Access Management, Firewalls, VPN, Antivirus, Advanced Email Threat Protection and more.
• We conduct regular audits such as PCI-DSS to ensure we are following adequate security controls to protect your data.

While we take all reasonable steps to ensure that your personal data will be kept secure from unauthorised access, we cannot guarantee it will be secure during transmission by you to the applicable mobile app, website or other services over the internet. However, once we receive your information, we make appropriate efforts to ensure its security on our systems.

Complaints

We hope that our Data Protection Officer can resolve any query or concern you may raise about our use of your personal information.

The General Data Protection Regulation also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Gibraltar is the Gibraltar Regulatory Authority. Their contact details are as follows:

Gibraltar Regulatory Authority,

2nd floor, Eurotowers 4, 1 Europort Road, Gibraltar.

(+350) 20074636/(+350) 20072166 info@gra.gi

Other websites

Our website may contain links to other websites. This privacy policy applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

Changes to our Privacy Policy

We keep our Privacy Policy under review and we regularly update it to keep up with business demands and privacy regulation. We will inform you about any such changes. This Privacy Policy was last updated on 9th July 2025.

How to contact us

If you have any questions about our Privacy Policy or the personal information which we hold about you or, please send an email to our Data Protection Officer at DPO@transactpay.com.

version: 1.2