Privacy Notice to Our Customers

1. Who we are

   We are Incendia Group Limited (“IGL”) (Co.# 06973824)

2. What is this notice?

   This notice sets out how we process the personal data of individuals who are customers, potential customers, users of our website, or recipients of payments by our customers (“merchants”).

3. Contact us

   Privacy Department

   Please direct all questions and requests you have about privacy and data protection to our privacy department below.

   IGL can be contacted by:

   1. post – Privacy Department, Incendia Group Limited., PO Box 1967, Liverpool, L69 3HR
   2. email – [email protected]

   Data Protection Officer

   If you are unhappy with the responses of our privacy department you may contact our Data Protection Officer by:

   1. post – Data Protection Officer, Incendia Group Limited., PO Box 1967, Liverpool, L69 3HR
   2. email – [email protected]

4. Why we process your personal data

   We are a provider of payment services.

   The types of processing we do are:

   • Collection.
   • Storage.
   • Processing to enable the issuing, transfer and redemption of electronic money (“e-money”), i.e. the buying, the use and the cashing out of e-money on your prepaid cards.
   • Processing to facilitate a payment transaction, i.e. using the e-money on your prepaid card to buy goods or services.
   • Processing to facilitate access to and the services offered on our website.
   • Transfer of personal data into and out of the European Economic Area (“EEA”).
   • Transfer of personal data to and from third parties who perform the processing listed above on our behalf.

   Services- fulfilment of contractual obligations

   Our services are:

   • The issuing of electronic money.
   • Payment services.
   • The provision of our website for both customers and visitors.

   In order to provide our services to you under a contract between us (or for us to take steps at your request with a view to entering into a contract) we must process your personal data, which is a lawful basis under which to process your personal data Article 6(1)(b) of General Data Protection Regulation (“GDPR”)]).

   Statutory provisions

   Furthermore, IGL is required by law to process your Data in order to meet our compliance and legal obligations - including Anti-Money Laundering obligations - which is a lawful basis under which to process your personal data (Article 6 (1)(c) GDPR).

   Direct marketing and consent

   We may process your personal data for the purposes of marketing our services to you. In order to process your personal data for marketing purposes we will obtain your consent to do so in advance, which is a lawful basis under which to process your personal data Article 6(1)(a) GDPR.

   We will not process your personal data for the purposes of marketing the services of third parties.

   Categories of personal data

   The categories of personal data about you we will process are:

   • Name
   • Residential address
   • Date of birth
   • Email
   • Mobile number
   • Landline number
   • Gender
   • Occupation
   • Employment status
   • Business address
   • Employer name and contact details
   • Political affiliations
   • Sanctions checks
   • Tax Registration
   • Source of funds
   • Source of Wealth

5. Sharing your data

   We will not share your personal data with third parties outside the Incendia Group and the issuers mentioned below except for the purposes of issuing e-money, making payment transactions and the provision of our website. In this respect, we may share your personal data with our partners which provide on our behalf the Services mentioned above in Section 4.

   We will share data due to our legal obligation under the terms of your contract or Cardholder Terms and Conditions (Please see for Issuer) will state for the purposes of issuing e-money, making payment transactions and the provision of our website.

   We will share your personal data with our issuers Corner Banca S.A., Via Canova 16, 6901 Lugano, Switzerland (“Corner Banca”), Corner Card UK LTD 19 Eastbourne Terrace, London, W2 6LG (‘’CCUK’’) a Corner group company. Your personal data will be transferred outside the EEA because Corner Banca is in Switzerland. The European Commission has determined that Switzerland has a data protection regime offering an adequate level of data protection, a copy of this decision can be found here.

   And/ Or

   Valitor hf., Dalshruan 3, 220, HAfnarfjordur, Iceland (“Valitor”) and Valitor Payment Services Limited (“VPS”), Paternoster House, 65 St Pauls Churchyard, 2nd Floor, London, EC4M 8AB (http://valitor.com/about-us/privacy-notice/).

   We may share your personal data with participants of the MasterCard and Visa card scheme networks but only to the extent necessary to facilitate making your payments to and receiving your refunds from the merchants. If the merchants or their payment service providers are located outside the EEA, your personal data may be transferred outside the EEA. This would only be done for the purposes of our contractual obligations to you to facilitate making your payments to and receiving your refunds from the merchants, which is lawful basis by which to transfer personal data outside the EEA ([Paragraph 2 Schedule 4 DPA 1998] [Article 49(10(b) GDPR)

6. Storage of your data

   We will not store your personal data any longer than we need to store it. We will store your personal data for the duration of your contractual relationship with us and for a further maximum period of five years beginning when that relationship ends. We will, retain the personal information so that:

   • We can allow you to redeem any e-money that you have not spent on your prepaid card.
   • We can provide you with the necessary information regarding payment transactions if you wish to make a legal claim against us regarding our services.

7. Your data rights

   You have the following data rights:

   • The right of access.
   • The right to rectification (correction).
   • The right to erasure (i.e. the right to be forgotten).
   • The right to restriction of processing.
   • The right to data portability.
   • The right to object

   In order to process your request to exercise your data rights we will require you provide us with such information or documents we request in order to verify your identify before we can process your access request. Your request will be deemed to be received on the date we verify your identity.

   We will respond to requests within one month of our receipt of your request. If your requests are complex or numerous, we will inform you within the initial one-month response period that we will require a further two months in which to respond, i.e. we will respond within three months of our receipt of your request.

   You may request to exercise your data rights by email, or by post. Where you make a request electronically we will respond electronically by email or by granting you remote access to a secure self-service system, which would provide you with direct access to your information.

   Right of access

   You may request the following information:

   • confirmation that your personal data is being processed;
   • a copy of the personal data held about you excluding any personal data that is prohibited from providing such as data that would adversely affect the rights or freedoms of others; and
   • a copy of this privacy notice.

   The information will be provided free of charge except where:

   • the request is manifestly unfounded or excessive, particularly if it is repetitive;
   • the request is for further copies of the same information.

   In these cases, we will charge a fee of £10 which will cover our administrative cost for providing you with the information.

   Please note that if we find your access request to be manifestly unfounded or excessive, we may refuse to provide the requested information. In this case we will inform you why we are not providing you with the information set out above, that you have the right to complain to our supervisory authority for data protection purposes, the Information Commissioner’s Office (“ICO”), and that you have a right to file a case with the courts.

   Right to rectification (correction)

   You have the right to have any personal data corrected if it is inaccurate or incomplete. We will require you to provide documents or information to demonstrate that the personal data is inaccurate or incomplete.

   If we have disclosed such personal data to third parties, we will contact each third party and inform them of the correction unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.

   If we refuse to comply with your request, we will inform you why we are not making the corrections, that you have the right to complain to the ICO and that you have a right to file a case with the courts.

   Right to erasure

   The right to erasure only applies when:

   • the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
   • you withdraw consent for the processing of personal data where consent is the sole legal basis of the processing;
   • you object to the processing and there is no overriding legitimate interest for continuing the processing;
   • the personal data is being unlawfully processed;
   • the personal data has to be erased in order to comply with a legal obligation;

   We may refuse to erase the personal data if the following conditions apply:

   • the personal data is processed to comply with a legal obligation for the performance of a public interest task or exercise of official authority; or
   • the personal data is processed for the exercise or defence of legal claims.

   If we have disclosed personal data that is to be erased to third parties, we will contact each third party and inform them of the erasure unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.

   Right to restriction of processing

   We will restrict the processing of personal data in the following circumstances

   • Where you contest the accuracy of the personal data, we will restrict the processing until we have verified the accuracy of the personal data.
   • Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override your interest, rights and freedoms.
   • When processing is unlawful, and you oppose erasure and request restriction instead.
   • If we no longer need the personal data but you require the data to establish, exercise or defend a legal claim.

   If we have disclosed personal data that is to be subject to restriction to third parties, we will contact each third party and inform them of the restriction unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.

   We will inform you if we decide to lift the restriction on processing.

   Right to data portability

   The right to data portability only applies:

   • to personal data that you have provided to us;
   • where the processing is based on your consent or for the performance of a contract; and
   • when the processing is carried out by automated means.

   We will provide you with this personal data in form of a .CSV file or another file format that is agreed upon in advance and presents the personal data in a structured, commonly used and machine-readable form.

   We will provide this information free of charge. If you so request, we transmit the information directly to another information if this is technically feasible. If we refuse to comply with your request, we will inform you why we are not providing the information, that you have the right to complain to the ICO and that you have a right to file a case with the courts.

   Right to object

   You have the right to object to our processing of your personal data based on our legitimate interests on grounds relating to your particular situation except:

   • where we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
   • the processing is for the establishment, exercise or defence of legal claims.

   You have the right to object to our processing of your personal data for direct marketing purposes.

   We will comply with your objections unless an exception applies.

8. Complaining to the ICO

   You have the right to contact the ICO to complain about our processing of personal data.

   The ICO can be contacted by:

   • live chat (Monday to Friday, 9am to 5pm) – http://ico.org.uk/global/contact-us/live-chat
   • email – [email protected]
   • web form – http://ico.org.uk/global/contact-us/email/
   • phone – 0303 123 1113 (calls from within the UK) or +44 1625 545 700 (calls from outside the UK)
   • post – Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK.

9. Source of personal data

   We will collect personal data from:

   • you;
   • Programme Managers or Partners;
   • credit reference agencies;
   • third party databases for the know your customer (“KYC”) purposes;
   • Employers

10. Automated processing

    We will make decisions solely on the basis of automated process when deciding whether to enter into a contract with you to provide you with a prepaid card. This decision will be based on the information collected from the sources list in clause 9 and risk factors assigned to each piece of relevant information.

    You may challenge our decision by contacting us and asking us to reconsider your application using a manual process involving an individual to make the decision.