Welcome to OneZero-me's Privacy Notice. OneZero-me respects your privacy and is committed to protecting your personal data. This notice describes how we collect and use that personal data when you visit our website or use our services along with the reasons why we may need to disclose your personal data to others and how we store your personal data securely and in a way which is compliant with applicable law. This website is not intended for children and we do not knowingly collect data relating to children.
It is important that you read this privacy notice together with any other privacy notice or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.
Changes to this Privacy Notice
Who has access to your personal data?
OneZero-me.com and any platforms we make available (together the "Site") are owned and operated by OneZero-me Limited ("We" or "OneZero-me") a company registered in England and Wales as a limited company under registration number 11241759 and our registered office is at 37 Warren Street, London, W1T 6AD.
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions regarding this notice or would like further information about the personal data we hold on you and the way in which we may process that data, please contact the DPO using the details set out below.
Full name of legal entity: OneZero-me Limited
DPO: Chief Data Officer
Email address: DPO@OneZero-me.com
Postal address: 37 Warren Street, London, W1T 6AD
Telephone number: +44 20 7632 7559
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
We want to put you in charge of any data that can help you to gain access to affordable financial services. In order to achieve this,
Personal data accounts (PDAs) use a new technology called a "HAT Microserver" that enables you to own and control your data in the cloud. PDAs are issued by Dataswift and governed by the Hat Community Foundation to ensure the ethical use of data on behalf of the PDA owners.
We use PDAs to give you full control over your data. In particular, we cannot access your PDA without your explicit consent; you can delete or block any data we have stored in your PDA without contacting or informing us.
For more information, see https://hubofallthings.com
As a result of your use of our Site and your PDA, we will obtain the following information, which will include personal data (i.e. information that can identify you directly (e.g. by name) or indirectly (e.g. by personal characteristics or an IP address)). While we do process personal data, as defined under current data protection laws, we do not store any personally-identifying information on our servers. Any information such as email address, full name, identity documents, IP addresses etc. will be stored in your PDA.
Data we process
Account data - we may get access to your email address when you sign up or sign in to your PDA. This will be the case only if we can help you to pre-fill your email address field. We do not store your email address or any other Personal Data on our servers.
PDA data - we may ask you to share data that you previously stored in your PDA. This can be data that you type in (such as your name or address), data you pulled from external services (such as social or bank data) or data that we wrote into your PDA.
Third-party data - we may ask you to interact directly with third-party providers to collect data. This can be questionnaires, identity verification data, publicly available data or any data that may be relevant for your insurance or financial applications.
Questionnaire data - we may ask you to fill in different questionnaires.
Data we store in our database
Metadata - we will collect technical information about the way you interact with the Site. This may include information about your equipment, browsing actions and patterns. We collect this data by using cookies, server logs and other similar technologies. We also collect information about you from third parties such as analytics providers, advertising networks and search information providers.
Derived data - we store derived data from your personal data that was used either by OneZero-me or third parties to calculate your scores. We also keep records of the scores you shared with third parties.
Cryptographic keys - we create and store cryptographic keys used to encrypt and protect data we store in your PDA.
Anonymous, aggregated data - aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Metadata to calculate the percentage of users accessing a specific website feature.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
The person who is primarily responsible for complying with data protection law in respect of the processing of personal data is called a "controller". Who the controller is depends on the type of personal data that is being processed and the purpose for that processing.
The third party which refers you to our services will be the data controller with respect to the personal data which you may choose to be stored in your PDA. OneZero-me will only collect personal data, verify it or turn it into risk scores following a referral from the relevant insurer/lender and only in accordance with your explicit instructions. The data we do not store in our servers but which may be collected through your interactions with us includes Account data, PDA data, Third party data, Questionnaire data.
We will only use your personal data where we are permitted to do so by law. This will most commonly include using data for the following purposes which describe the lawful basis we rely on for the processing of your personal data.
Account data, PDA data, Third party data, Questionnaire data - we use this to provide you the products and services that you have requested, including:
Metadata, Derived data, Cryptographic keys and Anonymous, aggregated data - we use this to improve our services, by:
We may also process your personal data without your knowledge or consent, in accordance with this notice, where we are legally required or permitted to do so.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest
To register you as a new customer | Account data | Performance of a contract with you
To provide our services to you | PDA data, Third party data, Questionnaire data | (a) Performance of a contract with you
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | Metadata, Cryptographic keys and Anonymous, aggregated data | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | Metadata, PDA data | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | Metadata | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you | PDA data, Derived data | Necessary for our legitimate interests (to develop our products/services and grow our business)
Your PDA data - you decide how long to retain such data since you are in control of its deletion.
Your pseudonymised Data is retained for as long as required by the purpose it has been collected for.
Data may be retained for a longer period if required by any:
Once the retention period expires, the personal data shall be deleted and hence all relevant rights regarding e.g. access of data cannot be enforced.
The security of your data is very important to us - we have taken reasonable security measures to prevent your data from being accidentally lost or accessed in an unauthorised way.
As we use PDAs to store personal data, we cannot access any personal information without your explicit consent. In order to further protect your sensitive data in your PDA, we encrypt it, meaning that even in the case of a breach, your data will not be compromised.
This also applies to data we store on our servers. Since we do not store any personally identifiable information, in the case of a breach, any data stored on our servers cannot be associated with you.
Other than that, we follow a privacy by design approach where we store different types of data in different databases. We only combine data for a specific purpose and retain such data for a limited time.
In addition, access to data is limited to employees, contractors and other third parties and only to the specific data points they are required to process.
We may update this privacy notice from time to time. Any changes will be notified to you via our website. In case we make a material change to this privacy notice we may also update you via e-mail if you have provided one. This version was last updated on 8 November 2018.
We will only use your personal data for either the original purpose it was collected for or compatible purposes. If we need to use your personal data for any other reason, we will notify you and explain the legal basis which allows us to do so before doing so.
Personal data is only accessed from your PDA - which we do not have direct access to. We restrict the access to pseudonymised data to people in the organisation who require access in order for us to fulfil our services.
We may share pseudonymised information with third parties where we are required to by law or a regulator, or where we have another legitimate interest in doing so (e.g. to protect your safety or the safety of others, or to protect or exercise our rights).
Some of our activities may be carried out by third parties. These include cloud and IT services, administration services and marketing services. In all cases, the activity is conducted for specific purposes, in accordance with our guidance, and is required to be carried out with appropriate security measures.
Other than that, personal data may be shared in the context of the possible sale or restructuring of the business.
We will not transfer the personal data we collect about you outside of the EEA.
For the avoidance of doubt, we will never sell your personal data to third parties for marketing, advertising or other purposes. We will only share, with your explicit consent, observations which were derived based on your data.
IBM Watson API. This helps us to derive some of the observations we share with you. IBM Watson do not keep any record of the data used to derive these observations. No personally identifiable information is shared with IBM Watson.
Our cookies policy is available to view here.
Our site includes links to third party websites. As we do not have control over the privacy notices on these websites we encourage you to carefully read them before sharing any personal information. We have no control over information shared with these sites and cannot be responsible for the privacy policies or practices of these sites.
As a basic principle, we aim to be transparent about the use, processing and services we provide. If, for whatever reason, you are unhappy with our services/use of your personal data, please let us know and we will aim to accommodate any reasonable request you might have.
We will always ask for your explicit consent before receiving or processing your personal data. We will not share your personal data with third parties - we only share, with your explicit consent, our derived observations.
You have the right to withdraw the consent you've given in the past. To withdraw your consent please send an email to DPO@OneZero-me.com. Once we have confirmed your request, we will no longer process your data - unless there is another legitimate basis for doing so under law (e.g. related to an existing contract). If this is the case, we will inform you about this and stop processing any unrelated personal data.
You have the right to ask us to delete and stop using any of your personal data - this is called 'the right to be forgotten'. Unless there are legal reasons not to do so, we will delete any of your information within 7 days upon request.
Your other rights include:
Please email DPO@OneZero-me.com to exercise any of the rights or ask us any other related questions. Please bear in mind that we might need to ask you to provide us with more information in order to verify your identity before handling your request. Whilst we aim to handle any of these requests (including transfer and access to data) free of charge and quickly, in certain circumstances (e.g. unfounded or excessive requests), we might ask you for a reasonable processing fee to fulfil your request.
Please email DPO@OneZero-me.com for any question you have about this Privacy Notice or any other questions related to the way we process your information.