CURVE UK & EEA PRIVACY POLICY
Updated: 14 September 2023
At Curve, we’re committed to protecting your data. This privacy policy describes what data we process about you, what we do with it and why.
Curve is made up of more than one company. The company you’ll have a relationship with is dependent on where you’re based. We’ll tell you who you have a relationship with when you first sign up for or use a Curve product or service. In short:
-
Curve UK Limited (UK) controls your data if you’re based in the UK.
-
Curve Europe UAB (Lithuania) controls your data if you’re based in the European Economic Areas.
-
Curve Credit Limited (UK) controls your data if you use our credit services in the UK.
- Thackeray DAC (Ireland) may process your data if you’re based in the European Economic Areas as the merchant on record.
-
Curve US, Inc. (US) is our US company. If you’re based in the US, this policy is not applicable. Curve US, Inc. controls Crypto Rewards data, for EEA & UK customers who enrol in the Crypto Rewards programme. You can find the Curve US privacy policy here, which provides you with transparent information on this data processing.
What data do we process about you?
Identity Data |
|
Financial Data |
|
Contact Data |
|
Transaction Data |
|
Device Data |
|
Profile Data |
|
How do we get your data?
There are a number of ways in which we obtain your data.
From direct interactions we have with you, including: |
|
From our automatic collection, including: |
|
From third parties or publicly available information, including: |
|
What do we use your data for?
We use your data to provide the best experience possible. We always have a lawful basis to process your data. This section provides you with information about our use of your data.
Purpose: Sign you up as a Curve customer and create your account
Data: How you signed up, Identity, Contact, Financial, Device
Lawful basis: Contract, Legal obligation (the law requires us to verify your identity)
Purpose: Confirm your identity and help prevent financial crime
Data: Identity, Contact, Financial, Transaction, Device
Lawful basis: Legal obligation, Legitimate interests (to ensure we use the best financial crime prevention providers when performing our services)
Purpose: Provide you with Curve products and services and manage your account
Data: Identity, Contact, Financial, Transaction
Lawful basis: Contract, Legitimate interests (to provide you with services and recover fees)
Purpose: Conduct credit checks, verify your identity and provide Curve credit products and services
Data: Identity, Contact, Financial, Transaction
Lawful basis: Contract, Consent, Legitimate interests (to provide you with relevant services only)
Purpose: Process your payment transactions
Data: Identity, Contact, Financial, Transaction, Device
Lawful basis: Contract, Legal obligation, Legitimate interests (to facilitate transactions and maintain integrity of Curve systems)
Purpose: Provide you with third-party services, including Samsung Pay+
Data: Identity, Financial, Transaction, Profile
Lawful basis: Contract, Consent (for profile data)
Purpose: Manage our relationship, including updates to our terms of service and providing top-notch customer support
Data: Identity, Contact, Transaction, Profile, Device
Lawful basis: Contract, Legal obligation, Legitimate interests (to keep our records updated and improve our product)
*Please note that we may record your calls with our customer services team for training and monitoring purposes.
Purpose: Improve our services and troubleshoot
Data: Identity, Contact, Device
Lawful basis: Legitimate interests (to improve our products)
Purpose: Suggest goods, services, programmes or activities that may be of interest to you
Data: Identity, Contact, Device, Profile, Financial, Transaction, Survey Responses
Lawful basis: Consent, Legitimate interests (to develop our product offering and grow our business)
Purpose: Send you marketing communications
Data: Identity, Contact, Profile, Device, Transaction
Lawful basis: Consent, Legitimate interests (to ensure you are kept up to date with our services)
Purpose: Comply with regulatory and legal obligations
Data: Identity, Contact, Financial
Lawful basis: Legal obligation
We only use your personal data for the purpose we collected it or a similar, connected purpose. If we ever need to use your information for an unrelated purpose, we’ll inform you and explain why. We may also be required by law to process your personal data without your knowledge or consent.
Who do we share your data with and why?
When we share data with third parties, they can only process it for specific purposes and in accordance with our instructions.
Here’s who we may share data with and why:
The Curve Group.
We share personal data within the Curve group of companies in order to provide you with the best service(s) and perform necessary activities, as described above.
Identity checking and financial crime prevention partners.
To perform sign-up and verification checks.
When Curve shares data with identity and financial crime prevention partners, they may become a joint controller of your data to determine how your data will be used to best provide their services.
IT vendors including cloud storage providers.
Hosting and IT services; IT vendors including cloud storage providers to securely store your personal data.
Card manufacturing, personalisation and delivery companies.
To make and send your Curve card.
Insurance Provider
(Curve Black & Metal customers only)
Information is shared with insurance provider Inter Partner Assistance SA, member of the AXA Assistance group, Avenue Louise 166, 1050, Brussels, Belgium, insurance company regulated by the National Bank of Belgium under the number 0487, Company number 0415 591 055 (AXA).
You will enter into a separate agreement with AXA to enable them to provide you with insurance. This means AXA is wholly responsible, as an independent controller, for your data for insurance purposes (rather than Curve). Further information is available here.
Social media sites.
Social media sites, for the purposes of conducting market research and running marketing campaigns. When sharing data with these sites, we ensure that your data is only used in accordance with our instructions.
If you don’t want us to use your information in this way, you can contact us at privacyrequests@imaginecurve.com.
Financial services providers.
To facilitate payment processing, we share your data with certain financial services providers, including card issuers, payment processors and banking partners to facilitate payment transactions.
Our payment processing activities for customers in the EEA is carried out by Curve Europe UAB as it is authorised to provide financial services in the EEA in accordance with EEA financial regulations.
Companies that you transfer money to from your Curve card.
Where you make a payment from your Curve account (if applicable), we will share your first and last name with the recipient in their transaction history.
Third-party payment partners.
Third party payment service partners, including Apple Pay and Samsung Pay+.
Curve will only share your data with a third-party payment partner if you have opted to use their service with your Curve card. When we share your data with third-party payment partners, they will become an independent controller of your data to determine how your data will be used to best provide their services.
Open banking partners, including TrueLayer.
We partner with TrueLayer to allow you to view account information from certain other payment providers on our app. If you would like to use this feature, TrueLayer will prompt you to connect your other payment accounts to the Curve app. This data will be sent to Curve to display in the app. This allows you to see your various account transactions and balances in one place.
When you consent to the use of your data and enable this feature, both Curve and TrueLayer will become independent controllers of your data as we will independently determine the best means of processing your data to deliver the service to you.
We may also anonymise the data collected from TrueLayer to improve our products and services.
For more information on how TrueLayer will use your data, please see their Privacy Policy.
We also share your data with Software as a Solution partners who provide open banking compliance solutions, such as partners providing a gateway which allows you to securely provide Third Party Providers with access to your Curve account for the purposes of retrieving financial account data. Where you consent to such access, your account, transaction and account holder details will be processed to the extent that you request that such information is made available to the relevant Third Party Provider.
Credit reference agencies.
If you apply, use or register for credit products, we may perform credit and identity checks on you with one or more credit reference agencies (CRAs). We may also make periodic soft credit checks on you to manage your account with us or fulfil our services.
To do this, we may supply your personal information to CRAs and they will give us information about you.
We will use this information to:
-
Assess your creditworthiness and whether you are suitable for Curve products;
-
Verify the accuracy of the data you have provided to us;
-
Confirm your identity and prevent criminal activity, fraud and money laundering;
-
Manage your account;
-
Trace and recover debts;
-
Ensure any offers provided to you are appropriate to your circumstances;
-
Provide you with access to your credit bureau data where you have asked us to.
The Credit Reference Agency Information Notice (CRAIN) describes how the three main credit reference agencies in the UK each use and share personal data. The CRAIN is available on the credit reference agencies’ websites:
If you are a Lithuanian customer, you can find more information about this processing by visiting:
Further information relating to Lithuanian credit offerings and data sharing is set out in the below row (Credit Bureau UAB - Creditinfo Lietuva).
We may continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
Hard credit checks will appear on your credit file and may affect your credit rating. Soft credit checks will not appear on your file and will not affect your credit rating.
We may also request information on your other payment accounts to perform an affordability check. You will be prompted to connect your other payment accounts on the Curve app. This information will be shared directly with Plaid and subsequently shared with Curve (see “Open banking partners, including Plaid”).
SME credit products
When you apply for SME credit products, we will conduct commercial credit checks on your business and you, as a director or equivalent, using one or more CRAs.
We will use this information to assess your creditworthiness and the affordability of repayments.
We will continue to exchange information about your business with CRAs while you have a relationship with us. We will also inform the CRAs about your business’ settled accounts and if your business has any outstanding debt. This information may be supplied to other organisations by CRAs.
Credit Bureau - UAB Creditinfo Lietuva
If you are a Lithuanian customer using a credit product and fail to meet the relevant obligations for more than 30 days, your data (identity, contact information and credit history, i.e. financial and property-related obligations and fulfilment, debts and repayment) will be provided to the Credit Bureau UAB Creditinfo Lietuva (Company Reg. No.: 111689163, address: A. Goštauto St. 40A, LT 01112 Vilnius, Lithuania, https://www.manocreditinfo.lt/, phone (+370 5) 2394131).
The Credit Bureau shall process and provide to third parties (financial establishments, telecommunications companies, providers of insurance services, suppliers of electricity and utility services, retail companies, etc.) your information in order to pursue its purpose, i.e. to evaluate your credit rating and manage debts. Evaluation of your credit rating shall involve the evaluation of your personal aspects in an automated manner (profiling), which in the future may affect your opportunity to conclude transactions. The evaluation in an automated manner helps to lend responsibly and involves evaluation of the credit information provided by the respective person, his credit history, public information, etc. The automated evaluation methods shall be regularly reviewed to ensure they are fair, effective and impartial.
The credit history data shall be processed for 10 years after the fulfilment of the respective obligation. You can consult your credit history by directly contacting the Credit Bureau or by means of the Finpass app.
You have the right to request that your data be corrected or deleted or that the processing of your data be restricted as well as the right to disagree to the processing of your data, demand human involvement in the automated decision-taking process, present your view and contest a decision, and the right to have the data transferred. For further information about the implementation of these rights, the restrictions applicable to them and the evaluation of aspects in an automated manner (profiling), please visit www.manocreditinfo.lt. You may contact their Data Protection Officer by e-mailing duomenu.apsauga@creditinfo.lt or by calling the above phone number. You can lodge a complaint with the State Data Protection Inspectorate in relation to Credit Bureau UAB Creditinfo Lietuva.
Financial crime prevention agencies.
The personal data we have collected from you will be shared with financial crime prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity.
If financial crime is detected, you could be refused certain services, finance, or employment. Further information can be found here.
Samsung Pay+.
If you register your Curve card on Samsung Pay+, we will share your data with Samsung to authorise payments, display transactions, prevent and detect fraud, comply with legal requirements and industry standards.
If you participate in the Curve-Samsung referral program, your data will be used to verify that you are a Samsung Pay+ customer and to facilitate the provision of your reward.
For more information on how Samsung will use your data, please see their Privacy Policy. Please note that Curve is not responsible for the security of Samsung Pay or any third party provider to Samsung. Any information you give them is covered by their own Terms and Conditions.
Support tools.
Support tools include analytics and search engine service providers and customer experience support platforms which we use to optimise and improve our services.
If you contact our customer services line out of hours, our external team will manage your enquiries. We will become joint controllers of your data as they will determine the means of collecting your data on our behalf.
Curve Vendors, Partners, and Contractors
We may share your information with other vendors, partners, and contractors that perform certain services on our behalf / help us to provide our services and products or that may prepare anonymous datasets about your spending patterns for forecasting purposes or to understand how you use your Curve card and/or funding sources. Such data will never be linked back to you as an individual.
Third parties we may sell the business to or acquire.
In the event of a business reorganisation or sale, we may share your data to third parties we sell the business to or acquire.
We may also share anonymised, aggregated data with selected e-wallet and data analytics service providers. This means your data is bundled up with other people’s data and you aren’t identifiable as an individual.
What are your rights?
You have rights over your personal data.
-
Access the personal data we process about you.
-
Rectify your personal data by asking us to correct it for you.
-
Delete your data, by asking us to delete it. There are times when we may not be able to delete data for legal purposes.
-
Restrict or object to our processing of your data for direct marketing.
-
Withdraw any consent you’ve given us to use your personal data in a specific way.
-
Request a review of any automated decision made by technology.
If you want to do any of the above, or if you have questions relating to Curve’s data processing please get in touch with us at privacyrequests@imaginecurve.com.
We have one month to respond unless your request is complicated, in which case we may need more time. If that’s the case, we’ll let you know.
This is almost always free but we’re allowed to charge a reasonable fee or refuse your request if it’s clearly unfounded, repetitive or excessive.
How can you opt-out of marketing?
You can ask us to stop sending you marketing emails at any time by following the “unsubscribe” links at the bottom of any Curve marketing message. You’ll still receive operational emails we need to send you, such as updates to our terms and conditions.
If you would like to stop receiving Curve receipt emails (for each of your payments), you can change your preferences for each of your funding sources on the Curve app.
Do we make automated decisions about you?
Depending on the Curve products or services you use, we may make automated decisions about you.
This means that we may use technology that can evaluate relevant factors about you and your circumstances to predict risks or outcomes. We do this for the efficient running of our services and to make sure that the decisions we make are fair, consistent and based on the correct information.
Where we make an automated decision about you, you have the right to ask that it is manually reviewed by a human.
For example, we may make automated decisions about you that relate to:
The approval of credit applications
-
Credit and affordability checks to see whether we can accept your credit application.
-
Setting credit limits.
Opening a Curve account
-
Anti-money laundering and sanctions checks.
-
Identity and address checks.
Detecting fraud
-
Monitoring your account to detect fraud and financial crime.
Our legal basis for our use of automated decision making is to enable us to fulfil our contract with you or because we have a legal obligation to do so.
How long do we keep your data?
The period for which we may retain data about you will depend on:
-
the purposes for which the data was collected,
-
whether you have requested deletion of the data, and;
-
whether we have any legal or regulatory obligation to retain the data.
We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected. We will typically keep your data for up to 10 years after you last completed onboarding or had an active account or product with us.
We may keep your personal data for a longer period where it is necessary for legal, regulatory or operational purposes.
Do we transfer data internationally?
We may transfer and store your data outside the European Economic Area (EEA) and the United Kingdom (UK). When we do this, we ensure that:
-
The country or organisation processing the data has adequate data protection laws in place, in accordance with the European Commission or the UK Information Commissioner’s Office (as applicable);
-
Curve and the other organisation(s) have formally agreed to data protection clauses in a written contract, as approved by the European Commission or the UK Information Commissioner’s Office (as applicable).
You can contact us to obtain more information about the safeguards we have in place to enable compliant international data transfers.
How can you contact us?
You’re most welcome to drop us an email at privacyrequests@imaginecurve.com to exercise a right, ask a question, lodge a complaint or offer a suggestion.
How can you submit a complaint?
We encourage you to contact us directly if you aren’t happy with how we’ve handled a request or another data protection matter.
Should you wish to contact our Data Protection Officer, you can email them at DPO@imaginecurve.com.
You also have the right to lodge a complaint with the UK’s Information Commissioner’s Office or the Lithuanian State Data Protection Inspectorate, depending on which Curve entity is the subject of your complaint.