Armadillo is the [registered] data controller for the purposes of the EU General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (the “Act”) under registration reference: ZA521224.
Information we may collect
We may collect and process the following data about you:
- Data you give us:
- Registration data – When you voluntarily provide us with your personal details in order to create an account or register to our services (for example, your name and email address).
- When you communicate with us – For example when you send us an email, we collect the Personal Data you provided us with.
- A list of banks which hold your accounts that you provide by using our service.
- Data we collect about you:
- Financial Data – by using our service, you authorise us to contact your banks and retrieve information on your behalf including:
- a list of your bank accounts including account name, number and sort code;
- Account balances and transaction history relating to the previous 12 months; and Details of payment instruments such as direct debits and standing orders.
- Data we receive from other sources (these are provided to us by your Trusted Third-Party (TTP)):
- Your name
- Your contact details.
How we use the data
We use information held about you in the following ways:
- to identify you and to request account information from your banks;
- to create consolidated financial analysis which we will provide to you and, subject to your approval, to your advisor;
- To provide the services you have instructed us to perform;
- To respond to your queries;
- To notify you about changes to our products, services and/or our website and mobile applications;
- To comply with legal and regulatory requirements that apply to us.
Disclosure of your data
We will share your personal information with your TTP as part of a financial report that we will help you to prepare. You will be required to review the data and to approve it prior to us sharing it with your TTP.
If you agree, we will share your information with selected third parties including:
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with [them or] you, including without limitation any data processor (as defined by GDPR) we engage for the purposes of providing data storage, Open Banking connectivity and transaction categorisation services.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
We will not disclose your personal information to third parties except:
- In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.
- In the event that all or substantially all of Armadillo’s assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets.
- If we are under a duty to disclose or share your Information with HM Revenue & Customs, who may transfer It to the government or the tax authorities in another country where you may be subject to tax.
Where we store your personal data
All information you provide to us is stored on our secure servers. Any payment transfers will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site: any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try and prevent unauthorised access.
We will not, without your consent, provide your information to third parties so that such third parties can market their goods or services direct to you.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Your rights under Data Protection Law
We must ensure that personal data shall be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; d) Accurate and where necessary kept up to date;
- Kept for no longer than is necessary for the purposes for which the personal data are processed. We operate a data retention policy that ensures we meet this obligation. We only retain personal data for the purposes for which it was collected and for a reasonable period thereafter where there is a legitimate business need or legal obligation to do so. For detail of our current retention policy contact our privacy officer Richard McCall at [email protected]; and
- Processed in a mannerthat ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We ensure lawful processing of personal data by obtaining consent where there is a contractual obligation to do so and if it is necessary for the purposes of our legitimate interests in providing appropriate products and services.
Under the GDPR you have the following specific rights in respect of the personal data we process:
- The right of access to the personal data we hold. In most cases this will be free of charge and must be provided within one month of receipt.
- The right to rectification where data are inaccurate or incomplete. In such cases we shall make any amendments or additions within one month of your request
- The right to erasure of personal data, but only in very specific circumstances, typically where the personal data are no longer necessary in relation to the purpose for which it was originally collected or processed; or, in certain cases where we have relied on consent to process the data, when that consent is withdrawn and there is no other legitimate reason for continuing to process that data; or when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The right to restrict processing, for example while we are reviewing the accuracy or completeness of data or deciding on whether any request for erasure is valid. In such cases we shall continue to store the data, but not further process it until such time as we have resolved the issue.
- The right to data portability which, subject to a number of qualifying conditions, allows individuals to obtain and reuse their personal data for their own purposes across different services
- The right to object in cases where processing is based on legitimate interests, where our requirement to process the data is overridden by the rights of the individual concerned; or for the purposes of direct marketing (including profiling); or for processing for purposes of scientific / historical research and statistics, unless this is for necessary for the performance of a public interest task
- Rights in relation to automated decision making and profiling
Please contact our privacy officer Richard McCall at [email protected] for more information about the GDPR and your rights under data protection law, or if you have a complaint about data protection at Armadillo.
Alternatively contact the Information Commissioner’s Office (“ICO”) our UK supervisory authority for data protection compliance: www.ico.org.uk:
Information Commissioner’s Office,
Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Policy Last updated: 23 March 2020