Privacy

2.2 Personal Data we collect about you, including from other sources:

Each time you access or use Spend Services we may automatically collect the following information:

• Technical information, including the type of device you use, a unique device identifier, network information, the type of operating system and browser you use, time zone settings, and other device-related information.
• Device identification information for fraud prevention purposes (referred to in the application at the time of installation of a device).
• Details of your access or use of any of Spend International Ltd’s Services including, but not limited to traffic data, weblogs and other communication data, whether this is required for our own purposes or otherwise and the resources that you access.
• Login details.
• Date, time and duration of access including pages viewed.
• Event logs (e.g., changes in passwords).

2.3 Personal Data collected from third parties:

We work closely with third parties (e.g., business partners, sub-contractors in technical, delivery services, advertising networks, analytics providers and search information providers) and as such may collect the following information:

• *Identity Verification. We will verify your corporate address and personal data of your directors, your authorized persons, as well as any partner, persons with significant control over your business, or beneficial owners in order to confirm your identity. We may also pass the aforementioned personal data to credit reference agency, which may keep a record of that information. This is done only to confirm your identity and does not contain information from Credit Reporting Agencies. We do not perform credit checks and therefore your credit rating will be unaffected.
• Information related to legal requirements. Financial institutions are required to assist in the fight against money laundering activities and the funding of terrorism by obtaining, verifying, and recording identifying information about all customers. We may therefore legally consult other sources to obtain information about you, any sender, and any recipient.
• Providing services to Spend Ltd.. In order to provide Services to you, Spend Ltd. works with suppliers and correspondent banking service providers from whom we may collect Personal Data. This includes our banking and financial services partners, Visa and Mastercard in order to help us provide our services to you, including (i) banking and lending partners, banking intermediaries and international payment- service providers; or (ii) suppliers who provide us with IT, payment and card delivery services, which includes Sum and Substance Limited, 4STOP, Cratech Limited and Blackthorn Cards Services Limited.
• We also use cookies to distinguish you from other users of Spend Ltd.’s Services. This helps us to provide you with an enhanced experience when you access or use Spend Ltd.’s Services to assist in continuous improvement. Please refer to our Cookie Policy.

3.1 Personal Data processing for pre-contractual and contractual purposes

We may process your Personal Data that we consider necessary to fulfil our pre-contractual and contractual obligations to you and without which you will not be able to use the Service. These generally include the following necessary categories of Personal Data:

• Registration and contact information and identification.
• Personal details including name and contact information when you
• contact us or to use the Service.
• Complying with legal obligations.
• Transaction information, information connected to your account.
• Information from credit reviewing agencies and other financial
• institutions.
• Technical usage data, device information and location data.
• The specific data processing purposes are determined in accordance with specific Services and the underlying contractual terms and conditions.

3.2 Personal Data processing for our legitimate interestss

We may process your personal data for our own legitimate interests, including for the following purposes:

• To prevent fraud, carry out risk analysis and management.
• To ensure network and information security, including, but not limited to preventing unauthorized access to our computer and information systems.
• To support internal administration with our affiliated entities.
• To determine your eligibility for, and to communicate with you about pre-approval of Services you may qualify or that may be of interest for you.
• To use your Personal Data to allow us to further evaluate, improve and promote our business and Spend International Ltd’s Services.

3.3 Anonymized Personal Data processing.

We may also use your Data on an aggregate or anonymous basis (such that it does no longer identify any individual clients) for various purposes, where permissible under applicable laws and regulations.

3.4 Additional processing of your Personal Data

Notwithstanding the above, we will use your personal data for the following purposes:

• We may associate any category of information with any other category of information and will treat the combined information as Personal Data in accordance with this Policy for as long as it is combined.
• If we have received your Personal Data from someone who asked for your consent to share that information with us, we may rely on that consent (to what extent we are allowed to by law), or one of the other grounds noted above.

4.1 The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your Data protection rights, can be found by at www.cifas.org.uk/fpn

4.2 Additional processing of your Personal Data

• We may associate any category of information with any other category of information and will treat the combined information as Personal Data in accordance with this Policy for as long as it is combined.
• If we have received your Personal Data from someone who asked for your consent to share that information with us, we may rely on that consent (to what extent we are allowed to by law), or one of the other grounds noted above.

4.2.1 Sharing of Personal Data for legitimate purposes

We may be required from time to time to disclose or share information with regulatory and law enforcement authorities and judicial bodies if necessary to comply with legal requirements or required by applicable law:

• If we are under obligation to disclose or share your Personal Data in order to comply with any legal or regulatory obligation or request. When we disclose your personal aforementioned reasons, we will take reasonable steps to ensure that we only disclose the minimum Personal Data necessary for the specified purpose and circumstances.
• In the event of a novation of the Services from Spend International Ltd to another.
• If we sell or buy any business or assets, in which case we will disclose your Personal Data to the prospective seller or buyer of such business or assets, if necessary to complete the transaction. In these circumstances, we will limit Data sharing to what is absolutely necessary, and we will anonymize the data where possible.
• Where the Data is publicly available.

4.2.2 Sharing of Personal Data to carry out our contractual obligations.

We may also share your data to carry out our obligations arising from any contracts entered into between you and us:

• To notify you about changes to our Services.
• To ensure that content from Spend Ltd.’s Services is presented in the most effective manner for you and for your devices.
• To administer Spend Ltd.’s Services and for internal operations, including troubleshooting, data analysis, testing research, statistical and survey purposes.
• As part of our efforts to keep Spend Ltd.’s Services safe and secure
• To maintain our own accounts and records
• To support and manage our employees, as our use of your information for all of these purposes will be necessary for our legitimate interests of providing Spend International Ltd’s Services appropriately and efficiently, maintaining accurate records and ensuring our systems run correctly
• We may also process your Personal Data for us to comply with a legal obligation.

4.2.3 Sharing of Personal Data due to business acquisition and External Parties

We may enter into agreements with external parties, including but not limited to business partners, service providers who perform functions on our behalf (including external consultants and professional advisers such as lawyers, auditors and accountants), outsourced IT providers, analytics and search engine providers, necessary for our activity. Such third-party outsourcing may include solutions such as software as a service, cloud computing, external hosting, deployment management, technical service provision or similar solutions. Under these agreements we may share your information with these external parties, to the extent that use of your information for these purposes is necessary for our legitimate interests or for the legitimate interests of those external parties. If Spend Ltd. is acquired by a third party, substantially all of its assets are likewise acquired, in which case Personal Data held by it about its customers will be one of the transferred assets, in order to:

• Protect against fraud.
• Enforce or apply the Terms of Use or to investigate potential breaches
• Protect the rights, property, or safety of Spend International Ltd, our members or others (which may include exchanging information with other companies or organisations for purposes of fraud protection and credit risk reduction)

4.2.4 Sharing of Personal Data to comply with Legal Requirements

Sharing of Personal Data to comply with Legal Requirements We may be required from time to time to disclose or share information with regulatory and law enforcement authorities and judicial bodies if necessary to comply with legal requirements.

4.2.5 Key Suppliers

In order to help us provide you with the best service, we share your personal data with a few key suppliers and correspondent banking service providers to process your information on our behalf. These key suppliers and service providers are (but not limited to):

IT, payment, and card delivery services:

• Sum & Substance Limited (‘SumSub’)
• Decta Limited
• 4StopGMBH
• Akurateco Limited
• Paysafe Limited
• Blackthorn Card Services Limited
• AllPay
• Cratech OU
• Paysafe Limited
• PPRO Financial

Banking and financial-services partners and payments networks:

• VISA and Mastercard
• CDAX Forex
• Our Correspondent Banking Network (Blackthorn Finance Ltd and Monavate Ltd)

4.2.6 Other third parties

As mentioned above, we may share your personal information with other third parties where it is necessary to provide you with our services and to manage our relationship with you. These include:

• Analytics providers and search information providers to help us improve our website or app.
• Customer-service providers, survey providers and developers, to help us provide our services to you.
• Communications service providers, to help us send you emails, push notifications and text messages.

4.2.7 Transfer of personal data outside the UK and Europe

Your Data may be transferred to, and stored at, a destination within and outside the European Economic Area (EEA). It may also be processed by staff operating outside of the United Kingdom or EEA who work for us, our affiliates, or partners. These staff may be engaged in the fulfillment of your request, order or reservation, the processing of your details and provision of support services. By submitting your personal data or using Spend International Ltd’s Services, you agree to this transfer, storing or processing.

We utilize standard contract clauses approved by the European Commission, adopt other means under European Union Law, and obtain your consent to legitimize data transfers from the EEA to and destinations outside the EEA. Spend International Ltd will take all the steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this Policy.

All information you provide to us is stored on our secure servers. We use, and our third-party suppliers use, encrypted transport layer security technology in our transactions.

4.2.8 Transfer of Personal Data outside of the United Kingdom

Transfer of Personal Data outside of the United Kingdom The aforementioned external parties may be located anywhere in the world and may require the transfer of information to countries which do not have data protection laws as strict as those in the United Kingdom. The Customer may, upon request, obtain a list of countries concerned. Such list may change from time to time.

The aforementioned solutions provided by external parties will be governed by applicable law relevant to the jurisdiction in which they are carried out or where the third-party provider may be located. This may lead to additional obligations and responsibilities including, but not limited to, the disclosure of information.

The Company has put in place policies and internal risk procedures to ensure that the necessary steps are taken to assess and manage any risks that arise from such outsourcing. Amongst other things, the Company ensures that security measures are in place to maintain the confidentiality and integrity of its information and data.

4.2.9 Personal Data Access or Correction

Individuals wishing to access or correct the information that we hold about them can do so by contacting our Data Protection Officer at Spend Ltd., 142 Central Street, Clerkenwell, London, EC1V 8AR.

5. Data Retention

5.1 We will hold your information for as long as necessary to fulfill the purpose we collected it for, as required by our statutory, accounting, or reporting obligations and in accordance with our legitimate interests as a data controller.

5.2 We will not retain your personal information for longer than is necessary for the practices described in this policy. To determine the appropriate period for personal data, we consider applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes we process your personal data for, and whether we achieve those purposes through other means. We specify the retention periods for your personal data in our data retention policy.

5.3 Under some circumstances we may anonymise your personal data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent. Once you are no longer using our services, we will retain and securely destroy your personal data in accordance with our data retention policy and applicable laws and regulations.

6. Data Security

6.1 We maintain physical and electronic safeguards that comply with applicable legal standards to secure the confidentiality of your information, including personal information from unauthorized access and use, alteration and destruction.

6.2 We maintain strict security systems designed to prevent unauthorized access to your personal data by anyone, including our staff.

6.3 We will strive at all times to ensure that your personal data will be protected against unauthorised or accidental access, processing, or erasure. We maintain this commitment to data security by implementing appropriate physical, electronic and managerial measures to safeguard and secure your personal data.

6.4 Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your Data transmitted to Spend International Ltd’s Services; any transmission is at your own risk. Once we have received your Data, we will use strict procedures and security features to try to prevent unauthorized access.

6.5 It is your responsibility to ensure that all of your users accessing Spend Ltd.’s Services are aware of your security obligations in doing so. We may require your users to provide certain security credentials and/or to answer certain questions (e.g. a memorable word) in order to validate such user and grant access to Spend Ltd’s Services. You are responsible for ensuring that all users possess valid security credentials.

7. Recruitment

7.1 We will process your Data for the purpose of handling the whole recruitment process, assessing your application through to successful hiring. We keep all your Data confidential in full compliance with applicable privacy laws. We will not share your Data with third parties outside of Spend Ltd., with the exception of:

• service providers such as HR Management services.
• agents, advisors, and other third parties providing services to support our business operations, such as recruitment agencies, background screening agencies, and law firms.
• governmental, judicial, regulatory, and other bodies and authorities where required by applicable law.

7.2 Under European data protection laws, at least one of the following legal bases will apply when we use your Data:

• Contractual duty: we need the information to process your application and enter into an employment (or other) contract with you (e.g. get references and vet the information you give us in your CV).
• Legal duty: law or regulation states we must collect the information to see if we can enter into an employment (or other) contract with you (e.g. ensure you have the right to work in the UK).
• Legitimate interest: we need to use your Data for our (or a third party’s) legitimate interests in a way expected and which does not override your privacy rights (e.g. run our recruitment process).
• Public interest: we need the information to perform a specific task in the public interest set out in law (e.g. run criminal background checks).
• Vital individual interest: we need to use your information to protect your life and cannot ask for your permission.
• We have your consent.

7.3 If your application for employment is unsuccessful, we will generally hold your Data for six months after the end of the recruitment process.

7.3.1 If you have consented to keeping your Data on file in case of future suitable employment opportunities, Spend International Ltd will hold your Personal Data for a further six months after the end of the relevant recruitment period, or until you withdraw your consent earlier.

7.3.2 At the end of this period, we will delete or destroy your Data, unless you have already withdrawn your consent to our processing of your Data, in which case it will be deleted or destroyed upon withdrawal of consent. However, this is subject to the following:

• Any minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular data or records.
• Legal duty: law or regulation states we must collect the information to see if we can enter into an employment (or other) contract with you (e.g. ensure you have the right to work in the UK).
• The retention of some types of personal information for up to six years to protect against legal risk (e.g., if it might be relevant to a possible legal claim).

7.4 Your Data will not be kept longer than required for the recruitment process needs, unless Spend Ltd. needs to keep the data (for example, in case of confirmed employment) on the history of the employee (in which case, the data will be deleted as per legal retention period applicable to HR files).

8. Your rights of Access, Correction, Erasure and Objection

8.1 It is important that the Personal Data we hold about you is accurate and current. You have the right to be informed about the processing of your personal information in order to exercise your rights. Please keep us informed if your personal data changes during our Service to you. By law you may have the right to request access to, correct and erase the Personal Data that we hold about you, or object to the processing of your Personal Data under certain circumstances. You have the right to move, copy or transfer your personal information (“data portability”) in a machine-readable format. For any of these, please email or write to us using the contact details within this Policy. We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the Personal Data that we hold about you or make your requested changes.

8.2 You have the right to object to the processing of your personal information if it is being used because:

• we deem it necessary for our legitimate interests,
• we use it to enable us to perform a task in the public interest or exercise official authority,
• we use it to send you direct marketing materials, or
• we use it for scientific, historical, research, or statistical purposes.

8.3 If you notify us that you object, using the contact details at the end of this Policy, we will respond within thirty (30) calendar days (subject to any extensions to which we are lawfully entitled). If your objection relates to us processing your personal information because we deem it necessary for your legitimate interests, we must act on your objection by ceasing the activity in question unless:

• we think that we have a compelling legitimate ground for processing which overrides your interests; or
• We are processing your information for the establishment, exercise, or defense of a legal claim. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

8.4 Spend Ltd.’s Services may, from time to time, contain links to and from the websites of our partners, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.

8.5 Data Protection Legislation gives you the right to review personal information that we keep about you. You can request an overview of the personal information that we keep about you free of charge by emailing or writing to us using the contact details at the end of this Policy. We may ask you to verify your identity and for more information about your request. We will seek to act on your request within thirty (30) days (subject to any extensions to which we are lawfully entitled).

You are free at any time to withdraw consent for the processing of your personal data. The consequence might be that we can’t proceed with certain activity.

9. Other Provisions

We reserve the right, in our sole discretion, to modify this Policy at any time by posting such changes via the or through our App. If we would like to use your previously collected personal data for different purposes than those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your personal data for a new or unrelated purpose. Please check back regularly to see any updates or changes to this Policy. We may process your personal data without your knowledge or consent where required by applicable law or regulation.

If you have any questions on how we handle your personal data or would like to request access to your personal data or other specific requests, please contact the Data Protection Officer at the address referenced in the introduction or alternatively via e-mail at compliance@spend.com .

If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated.

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the Information Commissioner’s Office at the following web address: www.ico.org.uk