First Private Investment Group UK Ltd (referred to as “First Pay”, “we”, “us” or “our” in this notice) respects your privacy and is committed to protecting your personal data. This privacy notice explains what personal data we collect, what we do with it, who we share it with, how long we keep it for and what legal rights you have.
This includes personal information about you (for example your name, date of birth, residential address, nationality, passport number) and your contact details.
In most cases the information is provided by you during the set up and management of First Pay services, in the form of identity documents, your selfie and any other personal data you have shared with us. In some cases, it may be provided by a third party where you have given your consent for them to share it with us.
We may be provided with additional identity and contact data by third parties that we use to perform due diligence (for example, fraud prevention agencies). In addition, we may source identity and contact data from publicly available sources such as Companies House and Electoral Registers.
This is information about your First Pay accounts, related debit cards and any other products and services that you have obtained from us. It includes things like bank account numbers, account balances and information about transactions. The information is generated as you use our services and in some cases it is shared with us by the organisations, we use to provide our banking services.
Where you have linked your First Pay account to one of our partner services (for example the SAGE accounting programme) we may hold banking data for these services. This will only be when you have provided your consent for us to do so.
This is information stored on your phone that you explicitly permit us to access (for example, your address book, photos and geolocation data).
This is information about the phone you use (for example the browser version, time zone settings, phone operating system, IMEI number, IP address and other technical settings). This information is collected automatically when you use the First Pay app.
This includes information about how you interact with our services. We collect this information automatically when you visit our website or use the First Pay app.
This is information that is considered more sensitive by regulators and includes your race, ethnic origin, political views, religion, trade union membership, genetics, biometrics, health and sexual orientation. With the exception of the selfie and photo ID, that you provide so we can verify your identity, we do not process this category of data. However, it is possible that we may hold special category data when it is included on documentation that you have given us (for example your ID document). When this is the case, we will only process this information in strict accordance with the law.
We only use your personal data in order to provide great banking services and where there is a lawful basis to do so.
Administer and provide our banking services (for example, deposits, payments, direct debits, standing orders and international transfers).
To develop and provide a high-quality user experience through the First Pay app.
We utilise the latest technology to make automated decisions for the verification of identities and the identification of financial crime. If you are rejected or negatively affected on the basis of an automated decision or automated profiling, you will be notified about this and you have the right to appeal.
It is in our legitimate interests to use your personal data to:
When we and fraud prevention agencies process your personal data, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering, in order to protect our business and to comply with the laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services, financing or employment to you.
As part of this processing of your personal data, decisions may be made by automated means. If you are rejected or negatively affected on the basis of an automated decision or automated profiling, you will be notified about this and you have the right to appeal.
You may withdraw your consent to receive marketing messages at any time by setting your preferences in the First Pay app settings, or by following the opt-out link contained in marketing emails.
We will share your personal data with organisations and partners that enable the First Pay services you use. This includes:
Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
To provide a truly borderless banking service we partner with and use service providers that are based outside the European Economic Area. We will only partner with organisations that meet the EU Commission’s data privacy requirements and where a contractual agreement is in place to protect our customers’ personal data in accordance with the EU GDPR requirements.
In all cases, we will only share the personal data that is absolutely necessary to provide our services, fulfil our obligations to you and to fulfil any legal or regulatory requirements.
We hold our customers’ personal data for six years following the ending of our business relationship unless:
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
Your rights under the EU General Data Protection Regulation (GDPR) include:
You may request access to all the personal data we hold about you. This is known as a ‘subject access request’.
You may request that we delete some or all of the personal data that we hold about you. This may not always be possible, as we are required by law to keep some information.
If we fail to resolve your complaint to your satisfaction, you may pursue your complaint via the Information Commissioner’s Office. Details of how to do so can be found at https://ico.org.uk/make-a-complaint/