This Customer Privacy Notice describes how HeidiPay Ltd (“HeidiPay”) collects and uses your personal data when you use any of HeidiPay’s services (the “Services”). Examples of use of our Services are when you pay in instalments at the store of one of our merchant partners (“the Merchant”) which uses our platform, when you contact us, or when you use the HeidiPay shoppers web-portal. This Customer Privacy Notice also describes your rights in relation to our use of your personal data, and how to exercise those rights. The person whose data is processed pursuant to this Customer Privacy Notice may be referred to as “you”, “your”, “the data subject” or “the Customer”.
This Customer Privacy Notice applies to all Customer personal data that HeidiPay processes. It is therefore important that you read and understand this Customer Privacy Notice.
Some of our Services will give you access to content and functionality offered by companies or organisations other than HeidiPay (“Third Party Services”). This is the case, for example, when we link to third party sites from our websites. This Customer Privacy Notice does not apply to the collection and use of your personal data in Third Party Services, and HeidiPay is not responsible for such third parties’ processing of your personal data.
"We", "our" or "us" means Heidi Pay Ltd registered in England and Wales under the registration number 12814340 and with our main office located at Suite 4, 82 Cornwall Gardens, London, SW7 4AZ, United Kingdom. For the purposes of UK data protection laws (such as EU Regulation 2016/679 as incorporated and amended into UK domestic law (the “UK GDPR”) and the Data Protection Act 2018), we are the data controller in respect of the personal data we receive from you, or otherwise collect about you, and we are responsible for ensuring that we use your personal data in compliance with applicable data protection laws.
1. What information do we use?
Information you give us
You may give us information about yourself when you use one of HeidiPay’s Services, for example when you choose to pay with one of HeidiPay’s payment methods, contact us, or use the HeidiPay Shopper’s Portal. Please note that you are only allowed to provide your own personal data when using the Services, for the Services to be provided correctly.
Depending on which Service you choose to use, this personal data will be:
- Contact and identification information – name, date of birth, national ID number, title, billing and shipping address, email address, mobile phone number, nationality, employment, audio recordings, photo recordings of you and your ID card, etc;
- Payment information – credit and debit card data (card number, validity date, and CVV code).
You can at any time change your profile information such as your contact information and other editable settings. This can be done either in the HeidiPay Shopper’s Portal or by contacting us.
Information we collect about you
Depending on which Services you choose to use, we may collect the following information about you, either ourselves or via third parties (for example business information and fraud prevention agencies, webshop, stores, or public databases):
- Contact and identification information: name, date of birth, national ID number, title, billing and shipping address, email address, mobile phone number, nationality, residence status, photos and video recordings of you and your ID card etc.
- Payment information: credit and debit card data (card number, validity date, and CVV code)
- Information on goods/services: details about the goods/services you purchase or order, including merchant name, value, type of goods and delivery status
- Identity & business information: financial information collected from third parties.
- Information about the interaction between you and HeidiPay – how you use the Services, including information on outstanding and historical debts and your repayment history with HeidiPay; technical data such as page response times, download errors, personal preferences; your interactions with the HeidiPay customer service, etc.
- Device information – e.g. IP address, language settings, browser settings, time zone settings, operating system and platform and screen resolution. To learn more about how we may collect information from your device, or store information on your device, please see Section 10 below.
2. What personal data do we process, for what purpose, and why is it lawful for us to do so?
Depending on which Services you use, HeidiPay may process your personal data for the purposes listed below, based on the legal bases stated for each respective purpose:
- carrying out activities necessary for the performance of the Services, such as administering the payment plans you have requested from the Merchant (article 6, no. 1, lett. b) of the GDPR);
- communicating your data to the Merchant, for the performance of your contractual relationship with the Merchant (article 6, no. 1, lett. b) of the GDPR);
- communicating your data to external providers, namely providers of identity verification and business information services, in order to allow the Merchant to assess whether to grant you access to the Services, based on HeidiPay’s and the Merchant’s legitimate interest (article 6, no. 1, lett. f) of the GDPR). The external providers may, depending on the circumstances, act as a data processor on behalf of HeidiPay or as a data controller, and in the latter case they shall provide you with their own privacy notice;
- collecting payments on behalf of the Merchant, including communicating your data to a collecting agency, in case of default on the Payment Plan, based on HeidiPay’s and the Merchant’s legitimate interest (article 6, no. 1, lett. f) of the GDPR);
- keeping HeidiPay’s platform safe and secure, improving our services, training and quality assurance, conducting anonymous customer satisfaction surveys related to the Services and carrying out product improvement and research based on HeidiPay’s legitimate interest (article 6, no. 1, lett. f) of the GDPR);
- anonymising your data to carry out further analysis for product improvement and research purposes, carried out internally or externally (e.g. by universities) based on HeidiPay’s legitimate interest (article 6, no. 1, lett. f) of the GDPR);
- compliance with applicable laws, such as consumer rights legislation, banking- and anti-money laundering legislation and bookkeeping rules, based on article 6, no. 1, lett. c) of the GDPR, and enforcement of HeidiPay’s rights, based on HeidiPay’s legitimate interest (article 6, no. 1, lett. f) of the GDPR).
You can find more specific information about how we process your data in some of our Services in Section 3 below.
3. Service-specific processing of personal data in some of HeidiPay’s Services
This Section sets out certain processing of your personal data which is specific for certain Services. To learn more about our Services, and their included features, please consult the terms and conditions of the respective Service.
Payment Plan processed by HeidiPay on behalf of the Merchant
To provide a Payment Plan, we do an ID and business assessment of you. The assessment is based on contact and identification information you have provided, information about the interaction between you and HeidiPay, and business information. The business information includes externally obtained information from business information agencies. You can read more about our use of business information agencies in Section 6.4 below.
The HeidiPay Shopper’s Portal
If you use the HeidiPay Shopper’s Portal, additional personal data will be processed to provide the Services you choose to use within the HeidiPay Shopper’s Portal. In the Shopper’s Portal you may be able to view your purchase history, update your payment method or make prepayments on your plans.
When you contact the HeidiPay customer service through the HeidiPay Shopper’s Portal we will have access to the information you provide.
If we recognise during the on-boarding process that you already have made purchases with HeidiPay in the past and you have successfully identified yourself with us, we may speed up the process for a new transaction.
4. Revoking consent
In cases where HeidiPay processes your personal data based on your consent, you can at any time revoke this consent by contacting us. Revoking consent will not lead to any detriment for you, as we do not require this type of information to provide our Services.
5. HeidiPay’s profiling and automated decision making
“Profiling” means automated processing of personal data to evaluate certain personal aspects relating to you, for example in order to analyse or predict aspects of your eligibility for the Services. We use profiling based on the personal data we have about you in order to make individual or automated decisions about you.
Automated decision making with legal effects, or automated decisions with similarly significant effect, means that some decisions in our Services are based solely on automated means, without any involvement from our employees, and have a significant impact on you as a consumer. By making such decisions in an automated fashion, HeidiPay increases objectivity and transparency in the decisions when offering those Services. Because the response to your request for the Services is immediate, HeidiPay is unable to handle individual requests by non-automated means. Therefore, the automated-decision process is necessary to enter into the contract.
We use this type of automated decision making when we:
- Decide to approve your application to obtain a Payment Plan;
- Decide not to approve your application to obtain a Payment Plan;
- Decide whether you pose a fraud or money laundering risk, if our processing reveals that you display behaviour consistent with money laundering or fraudulent conduct, that your behaviour is inconsistent with your previous use of our Services, or that you appear to have deliberately hidden your true identity. In relevant cases, HeidiPay also checks whether or not a specific customer is listed on a so-called sanctions list.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details in Section 12 below.
See Section 3 for further information on the types of personal data processed for these purposes.
You always have the right to challenge an automated decision which carries a legal or similarly significant effect (together with the profiling connected to it), by contacting us using the email address referred to in Section 13 below. A HeidiPay employee will then look at your case.
6. Who might we share your personal data with?
We may share your personal data with the categories of recipients listed below, for the purposes listed below. Exactly which recipients we share your personal data with, and for which purposes, will depend on which Service you use. When we share your personal data, we take all reasonable contractual, legal, technical, and organisational measures to ensure that your personal data is treated with an adequate level of protection and in accordance with applicable law.
- The Merchant: HeidiPay shares personal data with the Merchant you visit or purchase from (which may include the stores’ group companies if you have been informed about this by the store). This is done in order to allow the Merchant to execute and administer your purchase, administer your relationship with the store or its company group - for example by verifying your identity - send you the goods, manage questions and disputes, send relevant marketing and prevent fraud. The personal data shared with a store will be subject to the store’s privacy notices and practices.
- Suppliers and subcontractors: HeidiPay may share personal data with the suppliers and subcontractors we use in order to provide our Services to you. Suppliers and subcontractors are companies who are only entitled to process the personal data they receive from HeidiPay on HeidiPay’s behalf. Examples of such suppliers and subcontractors are software- and data storage providers, payment processing services, and business consultants.
- Payment service providers (“PSPs”): PSPs provide Merchants with services for accepting electronic payments through debit and credit cards. HeidiPay shares your information with the Merchant’s PSP for the processing of payments. PSPs collect and use your information in accordance with their own privacy notices.
- Business Information Agencies: If you apply to use a Payment Plan (see Section 4.1 above for a specification of our Payment Plan Services), your personal data may be shared with Business Information Agencies to assess your eligibility for the Services in connection with your application, to confirm your identity and your contact information, and to protect you and other customers from fraud. Please note that, for certain services, these companies process your data in line with their own privacy notices.
- Fraud prevention agencies and companies that supply identity lookups: Your personal data may be shared with fraud prevention agencies and companies that supply identity lookups in order to verify your identity, the accuracy of the data you have provided us with, and to prevent criminal activities. The companies we cooperate with in the UK are listed here:
- Experian Ltd (https://www.experian.co.uk/consumer/privacy.html)
- LexisNexis Risk Solutions Group (DPO@lexisnexisrisk.com - https://risk.lexisnexis.com/group/privacy-policy)
Please note that these companies process your data in line with their own privacy notices.
Fraud prevention agencies can hold your personal data for different periods of time, indicated in their privacy notices. We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
- Debt Collection Agencies: On behalf of the Merchant, HeidiPay may share your information on your overdue payment plans to debt collection agencies. This sharing of personal data is based on our legitimate interest in collecting overdue payments for the Merchant. The debt collection agencies may process your personal data in line with their own privacy notices, or on HeidiPay or the Merchant’s behalf.
- Authorities: HeidiPay may disclose necessary information to authorities such as the police, tax agencies or other authorities if we are required to do so by law, or under some circumstances if you have requested us to do so. One example of such legally required disclosures is disclosure for purposes of anti-money laundering and counter terrorist financing.
- HeidiPay group: Your information may be shared with companies within the HeidiPay group, based on HeidiPay’s legitimate interest to conduct its business.
- Social media companies: If you contact us through social media such as Facebook or Twitter, your data will be recorded and processed by those companies, in accordance with their privacy notices.
- A person holding a power of attorney of your affairs: HeidiPay will share your data with a person holding a power of attorney from you, allowing the person holding the power of attorney to receive such data. This sharing will be done based on your consent.
- Affiliate Networks: HeidiPay may share the information that you have clicked on a link that is sponsored (i.e. links that promote stores, products or services) with so-called “affiliate networks”. This sharing takes place when you click on a link that is sponsored as you will then be redirected to the store’s website through the “affiliate network”. The affiliate network might place a tracking technology on your device that contains the information that you clicked on such a link in one of HeidiPay’s interfaces, in order to track your visit to a store in order to calculate potential commission to HeidiPay. The affiliate networks may process your personal data in line with their own privacy notices.
- Divestment: In the event that HeidiPay sells or buys any business or assets, HeidiPay may disclose your personal data to the prospective seller or buyer of such business or assets. If HeidiPay or substantially all of its assets are acquired by a third party, personal data about HeidiPay’s customers may be disclosed and shared.
7. Where do we process your personal data?
We always strive to process your personal data within the UK/EU/EEA. In certain situations, such as when we share your personal data with a HeidiPay group company or a supplier or subcontractor located outside the UK/EU/EEA, your personal data may however be transferred to, and processed in, a destination outside of the UK/EU/EEA. If the store where you shop is located outside the UK/EU/EEA, our sharing of your personal data with the store will also mean that your data is transferred outside the UK/EU/EEA.
We ensure that an adequate level of protection is maintained, and that suitable safeguards are adopted in line with applicable data protection legislation requirements, such as the UK GDPR, when we transfer your data outside the UK/EU/EEA.
8. How long do we process your personal data?
We will process your personal data for the time period needed to fulfil the respective purpose of our processing. These purposes are described in this Customer Privacy Notice. This means that even though we stop processing your personal data for one purpose, we may still need to keep your personal data, if the data is needed for another purpose, using it only for that other purpose. In particular:
- For as long as you have accepted the Merchant’s Payment Plan T&Cs, and until those terms expire due to the completion of all payments in your Payment Plan or for an early termination cause (including any requests on your side for us to delete data, for example by way of a right to erasure request), we will process the personal data we need to be able to deliver the Services to you (purposes under art. 2, letters a, b, and f). Following the term above, we may continue processing the related data for three years, including but not limited to data relating to your previous purchases, in order to provide for a better user experience for you by way of our “speedy check-out” procedure (see art. 3.4 above).
- We process personal data related to the Customer’s previous use of HeidiPay Services and adherence to previous Payment Plans, only when such data creates a positive effect for the Customer, for a time period of three (3) years following the last payment of the relevant Payment Plan. When the data related to the Customer’s previous use of HeidiPay’s Services creates a negative effect (e.g. data related to missed payments of the Payment Plan) we will only keep such data for as long as the Payment Plan is still ongoing and only for purposes linked to processing that Payment Plan or other requests for Payment Plans related to the same Merchant (purpose under art. 2, letter d).
- We process the personal data included in business and identity verification, obtained from external providers, for the purpose of new verifications for a time period of 30 days, following the date when the verification was done (purpose under art. 2, letter c).
- We process the recordings of telephone conversations for a time period of 180 days for quality assurance purposes, but may keep the recordings for up to two years for fraud investigation purposes. We may also retain recordings of outbound calls for up to two years, in order to document what has been decided on the call (purpose under art. 2, letter e).
- We process personal data for the purpose of complying with applicable laws, such as consumer rights legislation, banking- and anti-money laundering legislation and bookkeeping rules. Depending on the applicable legislation, your personal data may be processed up to ten years after the end of the customer relationship (purpose under art. 2, letter g).
9. Your rights in regard to the personal data
Right to be informed. You have the right to be informed about how we process your information. We do this through this Customer Privacy Notice, other information on our website, and by answering questions sent to us.
Right to access your data. You may request a copy of your data if you would like to know what personal data we process about you. This copy of your personal data can also be transmitted in a machine readable format in order to ensure your right to data portability.
Right to rectification. You have the right to correct inaccurate or incomplete information about yourself.
Right to erasure. You have the right to request deletion of your personal data, for example when it is no longer necessary for us to process the data for the purpose it was collected, or when you have withdrawn your consent. As described in more detail in Sections 3 and 8 above, HeidiPay however needs to adhere to certain legal obligations preventing us from immediately deleting some of your personal data.
Right to restrict processing of your data or object to our processing. If you believe your information is incorrect or you believe we use your data unlawfully, you have the right to ask us to stop the processing. You may also object to our processing where you believe there are circumstances that would make such processing unlawful. Furthermore, you can always object to us using your data for direct marketing.
Right to challenge an automated decision. You have the right to challenge an automated decision made by HeidiPay if this decision carries with it legal or similarly significant effects. See Section 6 for more information on how HeidiPay uses automated decisions.
Right to withdraw consent. As set out in Section 5, where we process your data based on consent or explicit consent, you may withdraw this consent at any time.
Right to lodge a complaint. You have the right to lodge a complaint with your national supervisory data protection authority.
10. What about cookies and other tracking technologies?
11. Updates to this Customer Privacy Notice
We constantly work to improve our Service offerings, in order for you to get an even smoother user experience. This includes both changes in existing Services and new Services over time. It’s therefore important that you read this Customer Privacy Notice each time you use a HeidiPay Service, since the processing of your personal data can differ since you last used one of our Services.
12. Contact details.
HeidiPay Ltd is registered in England & Wales under the registration number 12814340 with our main office located at Suite 4, 82 Cornwall Gardens, SW7 4AZ.
You can contact HeidiPay’s Data Protection Officer at email@example.com.
HeidiPay Ltd is subject to EU and UK data protection legislation. Visit www.heidipay.com for further information on HeidiPay.
Last updated 13th December 2021.