Updated 25 November 2019
This policy covers the following topics:
- Who we are and how to contact us
- Information we collect
- Using and sharing your personal information
- Automated decision making and credit reference agencies
- Protection and storage of your personal information
- Access to your personal information and your rights
- Information that we Share
- Data Transfers
- PCI DSS Policy
- Changes to this policy
1. Who we are and how to contact us
We are Zip Co Finance Limited, trading as Zip, registered in England and Wales with company number 11502649. For the purposes of data protection law, we are a controller of the personal information we hold about you. This means we make decisions about how and why your information is used, and have a legal duty to make sure that your rights are protected when we use it. We are part of the Zip group, which includes Zip Co Payments UK Limited (registered in England and Wales under company number 11471609), Zip Co NZ Limited (registered in New Zealand under company number NZBN 9429044961862) and Zip Co Limited (registered in Australia under company number ACN 139 546 428).
2. Information we collect
When using or seeking to use our services we collect the information you provide to us including:
- Personal information such as your name, address, date of birth or other identification data
- Contact information such as your phone number and email address
- Financial information such as partial card numbers and card expiry dates (we do not collect or hold full card numbers, which are held by the payment gateway), and your repayment and default (if any) history.
In addition, we may collect information from you when you communicate with us or our service providers (in writing or verbally) such as communicating with our customer support or when you participate in any survey, promotion or competition we may run.
As part of our assessment of fraud and credit suitability, we also utilise third parties and may collect information from third parties such as credit agencies and identity verification providers and other commercial information service providers. We may also access information that is available publicly, such as on public and subscribed registers, and details you have shared publicly on social media platforms, which may be used to supplement our customer database.
We may also collect information from any retailer where you are seeking to use our services including personal information, what you are purchasing, cost of purchase, shipping details, etc.
We may also collect information from your computer or device in relation to your use of our website or Zip Platform such as IP address, activity logs, cookie and browser identifiers, operating system identifiers and location identifiers.
We do not collect any sensitive personal information about you (such as your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, criminal convictions or offences, information about your health and genetic and biometric data).
We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
- Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
4. Using and sharing your personal information
We will process your personal information to the extent necessary to:
- Make decisions to provide you with our services, including evaluating your creditworthiness or verifying your identity;
- Enter into, or perform, a contract with you e.g. to provide you with interest free credit;
- Conduct an identity and credit check prior to entering into a contract;
- Provide you with our services, including the arrangement of the instalment plan and responding to any queries and providing any information about us;
- Improve, customise and enhance our services, platform and website;
- Manage your scheduled instalment payments and default fees (if any) and manage the services we provide;
- Communicate with you via phone, text message, notifications, email or post and otherwise to manage our relationship with you;
- Manage and prevent fraud and other risks to our business;
- Provide you with information about changes or updates to Zip services which affect your rights and obligations;
- Provide you with marketing materials and other news updates and promotions with respect to our products and services, where you have consented to receiving such information. You may elect to opt out of any marketing information we send to you by following the link in any relevant information;
- Comply with any relevant law; and
- Contribute to statistical and analytical data relating to your buying habits.
We do not sell or provide access to your personal information to third parties for them to market direct to you. However, we may share your personal information with third parties for the following purposes:
- Provide to payment system providers or retailers in order to manage a transaction or respond to a query or complaint or improve their service offering;
- Provide to third party cloud based storage service providers, who may be located overseas;
- Enforcing our rights including debt collection and assigning debts to third party debt collection agencies;
- Providing your information to our investors, potential acquirers and/or financiers;
- Provide to our commercial partners to enable them to improve their services to us and to you;
- Provide to credit agencies information relating to your instalment arrangements with us including your repayment history and any non-compliance or default history. A credit reporter may hold such information on their database and use it for providing credit reporting services to other users of the credit bureau.
Where your personal information has been utilised in the development of any statistical or analytical data and has been anonymised so that it is no longer personal information, we may sell, distribute and disclose such data to retailers and other third parties.
The GDPR bases we rely on for processing your information are (in order of precedence):
- Legal obligation – for personal information that relates to the credit, legal, financial or accounting aspect of a contract;
- Contract – for personal information that relates to a contract;
- Consent – for personal information used for marketing, news, updates and promotions;
- Legitimate interest – in all other cases not listed above.
We will only keep your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any credit, legal, financial or accounting requirements (in the UK, this is approximately 7 years).
We will primarily use your information in order for us to provide our services to you or assess your suitability for us to provide such services.
5. Automated decision making and credit reference agencies
For speed, ease and convenience, our credit and identity decisions are automated. Per Article 22 of GDPR, you may request a manual, human review of such decisions made about you by contacting us as set out above.
For information on the privacy and personal information policies of the credit reference agencies we may use (Equifax, Experian and TransUnion (formerly CallCredit)), see:
6. Protection and storage of your personal information
Your personal information will predominantly be stored in electronic form in secure cloud based data centres located in the United Kingdom or overseas that may be owned by third parties. Your personal information may also be stored in paper form. All such information whether electronically or physically stored is kept secure using generally accepted standards of security (e.g. encryption).
7. Access to your personal information and your rights
You can request access to your personal information by contacting us using the details in section 1. We do not charge for such access, unless you make excessive requests.
We want you to remain in control of your personal information. Part of this is making sure you understand your legal rights, which are summarised as follows:
- Where your personal information is processed on the basis of consent, the right to withdraw that consent;
- The right to confirmation as to whether or not we are holding any of your personal information and, if we are, to obtain a copy of it;
- The right to have certain information provided to you in a portable electronic format;
- The right to have inaccurate information rectified;
- The right to object to your information being used for marketing or profiling, or on the basis of our or a third party’s legitimate interests;
- The right to restrict how your information is used; and
- The right to be forgotten, which allows you to have your information erased in certain circumstances (though this is not an absolute right and will not apply if we need to continue using it for a lawful reason).
If you want to use any of these rights, please contact us using the details given in section 1. There are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so.
If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you should contact the UK Information Commissioner’s Office, which oversees data protection compliance in the UK. Details of how to do this can be found at www.ico.org.uk.
8. Information that we Share
We do not share personal information with any other companies, organisations or outside individuals unless one of the following conditions applies:
- We have your consent – we will share personal information with third party companies, organisations or individuals outside of Zip only for legitimate business purposes and only with your prior consent e.g. when performing a credit check on you.
- The sharing relates to the sale of the company – if our company or substantially all of its assets are acquired by a third party, personal information held by it about its customers and employees will be one of the transferred assets.
- The sharing is necessary for legal reasons – we will share personal information with companies, organisations or individuals outside of Zip where such a disclosure is deemed reasonably necessary to:
  - Meet any applicable law, regulation, legal process or lawful governmental request;
  - Enforce applicable terms of service, including investigation of potential violations;
  - Detect, prevent or otherwise address fraud, security or technical issues; or
  - Protect against harm to the rights, property or safety of Zip and its users as permitted by law.
We may also share non-personally identifiable information publicly and with our retail partners, for example information to show trends about the general use of our service. However, it will not be possible to personally identify you from this information.
9. Data Transfers
Except as set out below, we normally only store personal information within the UK and/or European Economic Area (EEA). If one of our subcontractors (such as a payment processor) needs to transfer it outside of the EEA then we will take steps to make sure adequate levels of privacy protection are in place, in line with GDPR. These safeguards will usually be contractual (for example, in the case of Australia and New Zealand) and/or the result of a European Union decision which allows the transfer (for example, a US organisation which is certified under the EU-US Privacy Shield framework).
10. PCI DSS Policy
For security purposes, Zip does not keep or hold your full debit or credit card data. We use Payment Express, an established payment gateway provider. Payment Express adheres to a comprehensive set of requirements created by the Payment Card Industry Security Standards Council for ensuring the safe handling of sensitive customer debit and credit card data. Payment Express is a Level 1 Service Provider and is compliant with the PCI DSS Version 3.2 standard. More information can be found here.
11. Changes to this policy