We are the controller of the personal data provided to us for the purposes of applicable data protection legislation.
What personal data do we collect?
By personal data we mean identifiable information about you. These fall into the following categories:
- Contact Data includes data such as your name, email address, telephone number, geographical address;
- Identity Data includes data such as your date of birth, gender, first name, last name, username or similar identifier to access your account on our website, date of birth, ID, photograph;
- Financial Data includes card details you provide to us so that we can process your payments;
- Transaction Data includes details of funding you have applied for and received;
- Technical Data includes data such as internet protocol (IP) address, your login data, browser type and version, cookies, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website and any communications we may send to you.
- Usage Data includes information about how you use our website such as information about your visit to our website, including the full Uniform Resource Locators (URL) clickstream to and through, pages you viewed or searches you made, page response times, download errors, length of visit, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
- Marketing Data includes your preferences in receiving marketing from us.
You and your data
From time to time you may provide to us personal data. This may be because:
- You access and interact with our website;
- You make a funding application;
- You access services for businesses that have received funding from us;
- You or your employer purchases services from us;
- You or your employer provides services to us;
- You apply to work with us as an employee or a consultant;
- You provide feedback or reviews to us;
- You sign up for our marketing emails;
- You otherwise contact us including with queries, comments or complaints.
All personal data that you provide to us must be true, complete and accurate. If you provide us with inaccurate or false data, and we suspect or identify fraud, we will record this and we may also report this to the appropriate authorities.
When you contact us by email or post, we may keep a record of the correspondence and we may also record any telephone call we have with you.
We do not knowingly collect personal data of any individual under the age of 18 years old. Where you share personal data which is not about yourself, for example, about an employee, business partner, director, owner, you must have the permission of the other person and confirm that they understand how we’ll use their data.
How we collect the information we hold about you
Information from direct Interactions
Information we hold about you and people connected to your business will often come from you directly (for example, when you apply for funding). That information will include:
- Our own records of your shareholders (including beneficial owners), suppliers and companies you use or may have agreements with
- Other directors, partners, beneficial owners, signatories or employees in your business
- People appointed to act on your behalf
Information shared through our website
Details you give when you see if you qualify for funding or make an application such as your name, home address, date of birth, email, phone number, geographical location, ID, photograph.
Details about your business including industry, business size, financial information to determine eligibility for funding.
The login details and settings you choose for the website and your card, so that you can use these securely.
Your IP address for security reasons.
When you use mobile versions of our site, we may collect your device ID, so we can share it with companies that help us with advertising online.
Information we collect if you get in touch
We collect the following information so we can answer your questions or take any action:
- The phone number you’re calling from and information you give us during the call (we record all calls).
- The email address you use and the contents of your email (and any attachments).
Information we collect when you use our services
We collect this information to give you services in a safe and lawful way, and to keep improving them. This includes:
- Details about payments to and from your Bloom account
- Details about services from us and our partners that you express interest in
- Details about how you use our website.
Information we get from external sources
When you apply for funding:
- We’ll need to verify your identity and search your record with fraud prevention agencies, Anti Money Laundering (AML), and Know Your Customer (KYC) service providers
- We may request access to the platforms you use to run your business (such as banking, sales, advertising, and accounting) and use the data shared to determine eligibility and monitor performance.
- In order to process your application, we will supply your personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness and product suitability, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with CRAs on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at http://www.experian.co.uk/crain/index.html
Legal basis for processing your personal data
- Performance of a contract with you;
- Compliance with legal requirements;
- Legitimate interests. When we refer to legitimate interests we mean our legitimate business interests in the normal running of our business which do not materially impact your rights, freedom or interests; and
- Consent (where you choose to provide it);
In this section, we explain which one we rely on to use your data in a certain way.
We need to use your data for a contract we have with you, or to enter into a contract with you. We use details about you to:
- Consider your application
- Give you the services we agreed to in line with our terms and conditions
- Send you messages about your account and other services you use if you get in touch, or we need to tell you about something
- Exercise our rights under contracts we’ve entered into with you, like managing, collecting and recovering money you owe us
- Investigate and resolve complaints and other issues
We need to use your data to comply with the law. We:
- Confirm your identity when you sign up or get in touch
- Check your record at fraud prevention agencies
- Prevent illegal activities like money laundering, tax evasion and fraud
- Keep records of information we hold about you in line with legal requirements
- protect the rights, property or safety of us, our customers or others
- Adhere to banking laws and regulations (these mean we sometimes need to share customer details with regulators, law enforcement or other third parties)
When it’s in our ‘legitimate interests’. We
- Tell you about products and services through the website or other channels, like social media companies, based on how you use our products and services and other information we hold about you. We do this so that we can make sure our marketing is useful.
- Track, analyse and improve the services we give you and other customers and how you respond to ads we show. We may ask for feedback if you’ve shown interest in a service. We do this so that we can make our products better and understand how to market them.
- Carry out security and maintenance checks to make sure our website and other services run smoothly for you
- Manage Bloom’s business and financial affairs and protect our customers and staff
- Share information with credit bureaus so we can benefit from up-to-date information when we make lending decisions, and other companies so they can help us provide our services
- During negotiations of, any merger, sale of assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company. Any buyer of our business or assets will then be able to use your personal data to continue to provide services to you.
We’ll ask for your consent to:
Tell you about our products and services, and those of our partners if we think they’re of interest to you. For more information see ‘Marketing’ below. Share information about you with companies we work with when we need your permission (see ‘Who we share your data with’ below)
Who we share your data with
For our legitimate interests, we may share any of personal data with our service providers, sub-contractors, consultants and agents that we may appoint to perform functions on our behalf and in accordance with our instructions, including IT service providers, accountants and lawyers.
We shall provide our service providers, sub-contractors, consultants and agents only with such of your personal data as they need to provide the service for us and if we stop using their services, we shall request that they delete your personal data or make it anonymous within their systems.
The following is a list of examples:
- Companies that give services to us. Here we mean companies that help us provide services you use, and need to process details about you for this reason. We share as little information as we can and encrypt and/or make it impossible for you to be identified by the recipient where possible (for instance by using a User ID rather than your name).
- Companies that make our Bloom cards, like MasterCard and Visa.
- Know Your Customer (KYC) and Anti-Money Laundering (AML) service providers that help us with identity verification or fraud checks such as Sum&Substance
- Cloud computing power and storage providers like Amazon Web Services (AWS) and Google Cloud
- Our business intelligence and analytics platform provider
- Companies that help us with marketing (but we won’t share identifiable personal data with third parties for their own direct marketing unless you give us permission, and you can opt-out any time)
- Software companies that we use for emailing you
- Companies that help us with customer support
- Companies that offer benefits or rewards through special programmes you sign up to via the website
- Companies that print written statements and notices
- Companies that manage our CCTV and security if you visit our offices
Anyone you give us consent to share it with.
- Companies that introduce their own services via the Bloom website
- Tools to transmit information relating to payment accounts such as TrueLayer or Salt Edge
- Your own banking, sales, advertising, accounting or other business platforms to determine eligibility and monitor performance such as Shopify, Google, or Xero
- People you’ve asked to represent you, such as solicitors
Law enforcement and other external parties.
We may share your details with:
- Authorities that spot and stop financial crime, money laundering, terrorism, and tax evasion if the law says we have to, or if it’s necessary for other reasons the police, courts or dispute resolution bodies if we have to other banks to help trace money if you’re a victim of fraud or other crimes or if there’s a dispute about a payment any other third parties where necessary to meet our legal obligations.
- We may also share your details with people or companies if there’s a corporate restructure, merger, acquisition or takeover.
When we make automated decisions.
We sometimes use computers to make decisions. We do this for things like deciding if we can make you a funding offer based on information we hold about you. This includes details on whether you’ve kept up to date with payments on any credit accounts, and if you’ve been to court. You can ask for a member of the team to review a decision by emailing email@example.com.
You may consent to receive marketing email messages from us about our website and our services. You can choose to no longer receive marketing emails from us by contacting us or clicking unsubscribe from a marketing email. Please note that it may take us a few days to update our records to reflect your request.
If you ask us to remove you from our marketing list, we shall keep a record of your name and email address to ensure that we do not send to you marketing information. If you still have an account with us, we shall continue to email you in relation to your account only.
Where we hold and process your personal data
Some or all of your personal data may be stored or transferred outside of the United Kingdom for any reason, including for example, if our email server is located in a country outside the United Kingdom or if any of our service providers are based outside of the United Kingdom.
Where your personal data is transferred outside the United Kingdom, it will only be transferred to countries that have been identified as providing adequate protection for personal data or to a third party where we have approved transfer mechanisms in place to protect your personal data.
We shall process your personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. In particular, access is restricted to employees who need to know your personal data, and we use appropriate password protection and appropriate strong encryption electronic measures within our electronic data management systems.
However, unfortunately, because of the nature of electronic storage, we cannot promise that your personal data or any other data you provide to us will always remain secure. If there is a security breach, we will do all that we can as soon as we can to stop the breach and minimise the loss of any data.
How long we keep your information
We keep most of your data as long as you’re using Bloom, and for 5 years after that to comply with the law and if we face a legal challenge. In some circumstances, like cases of anti-money laundering or fraud, we may keep data longer if we need to (that’s in our legitimate interest) and/or the law says we have to.
To work out how long we keep different categories of data, we consider why we hold it, how sensitive it is, how long the law says we need to keep it for, and what the risks are.
You have a number of rights under applicable data protection legislation. Some of these rights are complex, and not all of the details have been included below. Further information can be found here
- Right of access: You have the right to obtain from us a copy of the personal data that we hold for you.
- Right to rectification: You can require us to correct errors in the personal data that we process for you if it is inaccurate, incomplete or out of date.
- Right to portability: You can request that we transfer your personal data to another service provider if you initially provided consent for us to use the personal data or where we used the personal data to perform a contract with you.
- Right to restrict or object to processing: In certain circumstances, you have the right to require that we restrict the processing of your personal information. If you believe our processing impacts on your fundamental rights and freedoms. However, we may demonstrate that we have legitimate grounds to process your personal data not withstanding your rights and freedoms.
- Right to be forgotten: You also have the right at any time to require that we delete the personal data that we hold for you, where it is no longer necessary for us to hold it. However, whilst we respect your right to be forgotten, we may still retain your personal data in accordance with applicable laws and when we respond to your request we shall notify you of any specific legal reasons that we have to retain your personal data
- Right to stop receiving marketing information: You can ask us to stop sending you information about our services, but please note we shall continue to contact you in relation to any matters relating to your account with us, if you have one.
We reserve the right to charge an administrative fee if your request in relation to your rights is manifestly unfounded or excessive, and we may ask for identification from you before we can fully respond to your request.
How to make a complaint
If you have a complaint about how we use your personal information, please send an email to firstname.lastname@example.org and we’ll do our best to fix the problem. You can also reach our Data Protection Officer in these ways.
If you’re still not happy, you can refer your complaint with a data protection supervisory authority in the EU country you live or work, or where you think a breach has happened. The UK’s supervisory authority is the Information Commissioner’s Office (ICO). For more details, you can visit their website at ico.org.uk.