We are Incendia Group Limited (“IGL”) (Co.# 06973824)
This notice sets out how we process the personal data of individuals who are customers, potential customers, users of our website, or recipients of payments by our customers (“merchants”).
Please direct all questions and requests you have about privacy and data protection to our privacy department below.
IGL can be contacted by:
If you are unhappy with the responses of our privacy department you may contact our Data Protection Officer by:
We are a provider of payment services.
The types of processing we do are:
Our services are:
In order to provide our services to you under a contract between us (or for us to take steps at your request with a view to entering into a contract) we must process your personal data, which is a lawful basis under which to process your personal data Article 6(1)(b) of General Data Protection Regulation (“GDPR”)]).
Furthermore, IGL is required by law to process your Data in order to meet our compliance and legal obligations - including Anti-Money Laundering obligations - which is a lawful basis under which to process your personal data (Article 6 (1)(c) GDPR).
We may process your personal data for the purposes of marketing our services to you. In order to process your personal data for marketing purposes we will obtain your consent to do so in advance, which is a lawful basis under which to process your personal data Article 6(1)(a) GDPR.
We will not process your personal data for the purposes of marketing the services of third parties.
The categories of personal data about you we will process are:
We will not share your personal data with third parties outside the Incendia Group and the issuers mentioned below except for the purposes of issuing e-money, making payment transactions and the provision of our website. In this respect, we may share your personal data with our partners which provide on our behalf the Services mentioned above in Section 4.
We will share data due to our legal obligation under the terms of your contract or Cardholder Terms and Conditions (Please see for Issuer) will state for the purposes of issuing e-money, making payment transactions and the provision of our website.
We will share your personal data with our issuers Corner Banca S.A., Via Canova 16, 6901 Lugano, Switzerland (“Corner Banca”), Corner Card UK LTD 19 Eastbourne Terrace, London, W2 6LG (‘’CCUK’’) a Corner group company. Your personal data will be transferred outside the EEA because Corner Banca is in Switzerland. The European Commission has determined that Switzerland has a data protection regime offering an adequate level of data protection, a copy of this decision can be found here.
Valitor hf., Dalshruan 3, 220, HAfnarfjordur, Iceland (“Valitor”) and Valitor Payment Services Limited (“VPS”), Paternoster House, 65 St Pauls Churchyard, 2nd Floor, London, EC4M 8AB (http://valitor.com/about-us/privacy-notice/).
We may share your personal data with participants of the MasterCard and Visa card scheme networks but only to the extent necessary to facilitate making your payments to and receiving your refunds from the merchants. If the merchants or their payment service providers are located outside the EEA, your personal data may be transferred outside the EEA. This would only be done for the purposes of our contractual obligations to you to facilitate making your payments to and receiving your refunds from the merchants, which is lawful basis by which to transfer personal data outside the EEA ([Paragraph 2 Schedule 4 DPA 1998] [Article 49(10(b) GDPR)
We will not store your personal data any longer than we need to store it. We will store your personal data for the duration of your contractual relationship with us and for a further maximum period of five years beginning when that relationship ends. We will, retain the personal information so that:
You have the following data rights:
In order to process your request to exercise your data rights we will require you provide us with such information or documents we request in order to verify your identify before we can process your access request. Your request will be deemed to be received on the date we verify your identity.
We will respond to requests within one month of our receipt of your request. If your requests are complex or numerous, we will inform you within the initial one-month response period that we will require a further two months in which to respond, i.e. we will respond within three months of our receipt of your request.
You may request to exercise your data rights by email, or by post. Where you make a request electronically we will respond electronically by email or by granting you remote access to a secure self-service system, which would provide you with direct access to your information.
You may request the following information:
The information will be provided free of charge except where:
In these cases, we will charge a fee of £10 which will cover our administrative cost for providing you with the information.
Please note that if we find your access request to be manifestly unfounded or excessive, we may refuse to provide the requested information. In this case we will inform you why we are not providing you with the information set out above, that you have the right to complain to our supervisory authority for data protection purposes, the Information Commissioner’s Office (“ICO”), and that you have a right to file a case with the courts.
You have the right to have any personal data corrected if it is inaccurate or incomplete. We will require you to provide documents or information to demonstrate that the personal data is inaccurate or incomplete.
If we have disclosed such personal data to third parties, we will contact each third party and inform them of the correction unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
If we refuse to comply with your request, we will inform you why we are not making the corrections, that you have the right to complain to the ICO and that you have a right to file a case with the courts.
The right to erasure only applies when:
We may refuse to erase the personal data if the following conditions apply:
If we have disclosed personal data that is to be erased to third parties, we will contact each third party and inform them of the erasure unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
We will restrict the processing of personal data in the following circumstances
If we have disclosed personal data that is to be subject to restriction to third parties, we will contact each third party and inform them of the restriction unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
We will inform you if we decide to lift the restriction on processing.
The right to data portability only applies:
We will provide you with this personal data in form of a .CSV file or another file format that is agreed upon in advance and presents the personal data in a structured, commonly used and machine-readable form.
We will provide this information free of charge. If you so request, we transmit the information directly to another information if this is technically feasible. If we refuse to comply with your request, we will inform you why we are not providing the information, that you have the right to complain to the ICO and that you have a right to file a case with the courts.
You have the right to object to our processing of your personal data based on our legitimate interests on grounds relating to your particular situation except:
You have the right to object to our processing of your personal data for direct marketing purposes.
We will comply with your objections unless an exception applies.
You have the right to contact the ICO to complain about our processing of personal data.
The ICO can be contacted by:
We will collect personal data from:
We will make decisions solely on the basis of automated process when deciding whether to enter into a contract with you to provide you with a prepaid card. This decision will be based on the information collected from the sources list in clause 9 and risk factors assigned to each piece of relevant information.
You may challenge our decision by contacting us and asking us to reconsider your application using a manual process involving an individual to make the decision.