Privacy Notice

 

Welcome to OneZero-me's Privacy Notice. OneZero-me respects your privacy and is committed to protecting your personal data. This notice describes how we collect and use that personal data when you visit our website or use our services along with the reasons why we may need to disclose your personal data to others and how we store your personal data securely and in a way which is compliant with applicable law. This website is not intended for children and we do not knowingly collect data relating to children.

 

It is important that you read this privacy notice together with any other privacy notice or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.

About us

Our mission

Personal data accounts

Data we process about you

Who is the data controller

How we use your data

Data Retention

Data Security

Changes to this Privacy Notice

Who has access to your personal data?

List of APIs we use

Use of Cookies

Links to other websites

Your rights

Contacting us

About us

 

OneZero-me.com and any platforms we make available (together the "Site") are owned and operated by OneZero-me Limited ("We" or "OneZero-me"), a company registered in England and Wales as a limited company under registration number 11241759, with its registered office at 37 Warren Street, London, W1T 6AD.

 

 

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions regarding this notice or would like further information about the personal data we hold on you and the way in which we may process that data, please contact the DPO using the details set out below.

Full name of legal entity: OneZero-me Limited

DPO: Chief Data Officer

Email address: DPO@OneZero-me.com

Postal address: 37 Warren Street, London, W1T 6AD

Telephone number: +44 20 7632 7559

 

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Our mission

 

We want to put you in charge of any data that can help you to gain access to affordable financial services. In order to achieve this:

  1. We provide you with a Personal Data Account (PDA) - a place for you to own and control your data.
  2. We enable you to pull different digital data into your PDA.
  3. With your instruction, we or our partners turn your digital data into risk and identity scores and store them in your PDA.
  4. With your instruction, we share these scores with third parties that can use them to verify your identity or assess your eligibility for different types of financial services.

Personal data accounts

Personal data accounts (PDAs) use a new technology called a "HAT Microserver" that enables you to own and control your data in the cloud. PDAs are issued by Dataswift and governed by the HAT Community Foundation to ensure the ethical use of data on behalf of the PDA owners.

We use PDAs to give you full control over your data. In particular, we cannot access your PDA without your explicit consent; you can delete or block any data we have stored in your PDA without contacting or informing us.

For more information, see https://hubofallthings.com

Data we process about you

As a result of your use of our Site and your PDA, we will obtain the following information, which will include personal data, i.e. information that can identify you directly (e.g. by name) or indirectly (e.g. by personal characteristics or an IP address). While we do process personal data, as defined under current data protection laws, we do not store any personally-identifying information on our servers. Any information such as email address, full name, identity documents, IP addresses etc. will be stored in your PDA.

Data we process

Account data - we may get access to your email address when you sign up or sign in to your PDA. This will be the case only if we can help you to pre-fill your email address field. We do not store your email address or any other Personal Data on our servers.

PDA data - we may ask you to share data that you previously stored in your PDA. This can be data that you type in (such as your name or address), data you pulled from external services (such as social or bank data) or data that we wrote into your PDA.

Third-party data - we may ask you to interact directly with third-party providers to collect data. This can be questionnaires, identity verification data, publicly available data or any data that may be relevant for your insurance or financial applications.

Questionnaire data - we may ask you to fill in different questionnaires

Data we store in our database

Metadata - we will collect technical information about the way you interact with the Site. This may include information about your equipment, browsing actions and patterns. We collect this data by using cookies, server logs and other similar technologies. We also collect information about you from third parties such as analytics providers, advertising networks and search information providers.

Derived data - we store derived data from your personal data that was used either by OneZero-me or third parties to calculate your scores. We also keep records of the scores you shared with third parties.

Cryptographic keys - we create and store cryptographic keys used to encrypt and protect data we store in your PDA.

Anonymous, aggregated data - aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Metadata to calculate the percentage of users accessing a specific website feature.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

Who is the data controller

The person who is primarily responsible for complying with data protection law in respect of the processing of personal data is called a "controller". Who the controller is depends on the type of personal data that is being processed and the purpose for that processing.

The third party which refers you to our services will be the data controller with respect to the personal data which you may choose to be stored in your PDA. OneZero-me will only collect personal data, verify it or turn it into risk scores following a referral from the relevant insurer/lender and only in accordance with your explicit instructions. The data we do not store on our servers but which may be collected through your interactions with us includes Account data, PDA data, Third-party data and Questionnaire data.

How we use your data

We will only use your personal data where we are permitted to do so by law. This will most commonly include using data for the following purposes which describe the lawful basis we rely on for the processing of your personal data.

 

  • To fulfil the terms of a contract with you;
  • Where use of the data is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
  • Where we are required to comply with a legal obligation.

Account data, PDA data, Third-party data, Questionnaire data - we use this to provide you the products and services that you have requested, including:

  • Administer your account;
  • Calculate alternative scores that could give you access to affordable financial products;
  • Verify your identity;
  • With your explicit consent, share your scores or data with a third party;
  • Provide you with a dashboard with information about your data and derived scores and who you shared your data with;
  • Conduct market research or pilots with partners to test the efficacy of OneZero-me to provide alternative scores.

Metadata, Derived data, Cryptographic keys and Anonymous, aggregated data - we use this to improve our services:

  • to provide maintenance and technical support;
  • to understand the way you use our Site so that we can improve your experience and offer the most relevant communications, services and experiences;
  • to protect the security of our network and prevent abusive behaviour;
  • to better understand our users, which may include behavioural analytics and/or carrying out profiling based on interactions with your Site and services;
  • to comply with our obligations under applicable law and to prevent fraud and other prohibited or illegal activities;
  • to be able to monitor the performance of either our or third-party scores;
  • to be able to improve the performance of proprietary scores;
  • to optimise our marketing campaigns through the use of third-party data. For example, we may use Facebook pixel to find consumers from Facebook who are likely to be interested in our services and products.

We may also process your personal data without your knowledge or consent, in accordance with this notice, where we are legally required or permitted to do so.

 

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

 

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

 

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register you as a new customer | Account data | Performance of a contract with you |
| To provide our services to you | PDA data, Third party data, Questionnaire data | (a) Performance of a contract with you |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | Metadata, Cryptographic keys and Anonymous, aggregated data | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | Metadata, PDA data | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | Metadata | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | PDA data, Derived data | Necessary for our legitimate interests (to develop our products/services and grow our business) |

Data Retention

 

Your PDA data - you decide how long to retain such data since you are in control of its deletion.

Your pseudonymised data is retained for as long as required by the purpose it has been collected for.

 

  • Pseudonymised data shared with us is retained for as long as the user account is active. This enables us to provide you with one-click access to all our observations.
  • Aggregated data is kept for the period required to complete the specific analysis it was aggregated for.
  • Other data collected in relation to a particular exercise, such as calibration data, is retained only for the period required to conclude the exercise.

 

Data may be retained for a longer period if required by any:

 

  • Contractual obligations between you and OneZero-me
  • Relevant legitimate interests

 

Once the retention period expires, the personal data shall be deleted and hence all relevant rights regarding e.g. access of data cannot be enforced.

Data Security

 

The security of your data is very important to us. We have taken reasonable security measures to prevent your data from being accidentally lost or accessed in an unauthorised way.

As we use PDAs to store personal data, we cannot access any personal information without your explicit consent. In order to further protect your sensitive data in your PDA, we encrypt it, meaning that even in the case of a breach, your data will not be compromised.

This also applies to data we store on our servers. Since we do not store any personally identifiable information, in the case of a breach, any data stored on our servers cannot be associated with you.

 

Other than that, we follow a privacy by design approach where we store different types of data in different databases. We only combine data for a specific purpose and retain such data for a limited time.

 

In addition, access to data is limited to employees, contractors and other third parties and only to the specific data points they are required to process.

Changes to this Privacy Notice

 

We may update this privacy notice from time to time. Any changes will be notified to you via our website. In case we make a material change to this privacy notice we may also update you via e-mail if you have provided one. This version was last updated on 8 November 2018.

 

We will only use your personal data for either the original purpose it was collected for or compatible purposes. If we need to use your personal data for any other reason, we will notify you and explain the legal basis which allows us to do so before doing so.

Who has access to your personal data?

Personal data is only accessed from your PDA - which we do not have direct access to. We restrict the access to pseudonymised data to people in the organisation who require access in order for us to fulfil our services.

 

We may share pseudonymised information with third parties where we are required to by law or by a regulator, or have another legitimate interest in doing so (e.g. to protect your safety or the safety of others, or to protect or exercise our rights).

 

Some of our activities may be carried out by third parties. These include cloud and IT services, administration services and marketing services. In all cases, the activity is conducted for specific purposes, in accordance with our guidance, and is required to be carried out with appropriate security measures.

 

Other than that, personal data may be shared in the context of the possible sale or restructuring of the business.

 

We will not transfer the personal data we collect about you outside of the EEA.

 

For the avoidance of doubt, we will never sell your personal data to third parties for marketing, advertising or other purposes. We will only share, with your explicit consent, observations which were derived based on your data.

List of APIs we use

 

IBM Watson API. This helps us to derive some of the observations we share with you. IBM Watson do not keep any record of the data used to derive these observations. No personally identifiable information is shared with IBM Watson.

Use of Cookies

 

Our cookies policy is available to view here.

Links to other websites

Our site includes links to third party websites. As we do not have control over the privacy notices on these websites we encourage you to carefully read them before sharing any personal information. We have no control over information shared with these sites and cannot be responsible for the privacy policies or practices of these sites.

 

Your rights

 

As a basic principle, we aim to be transparent about the use, processing and services we provide. If, for whatever reason, you are unhappy with our services/use of your personal data, please let us know and we will aim to accommodate any reasonable request you might have.

 

We will always ask for your explicit consent before receiving or processing your personal data. We will not share your personal data with third parties - we only share, with your explicit consent, our derived observations.

 

You have the right to withdraw the consent you've given in the past. To withdraw your consent please send an email to DPO@OneZero-me.com. Once we have confirmed your request, we will no longer process your data - unless there is another legitimate basis for doing so under law (e.g. related to an existing contract). If this is the case, we will inform you about this and stop processing any unrelated personal data.

 

You have the right to ask us to delete and stop using any of your personal data - this is called 'the right to be forgotten'. Unless there is a legal reason not to do so, we will delete any of your information within 7 days of your request.

 

Your other rights include:

 

  • The right to be informed - you have the right to be informed on any personal data we hold about you and ensure we process it lawfully
  • The right of access - you have the right to get access to any data you shared with us
  • The right to rectification - in case some of the data that we have about you is inaccurate or incomplete you may request us to correct the information we have
  • The right to erasure - you have the right to ask us to delete any of the data we hold about you in case you feel there are no good reasons for us retaining the data. This is also the case if you exercised your right to restrict processing.
  • The right to restrict processing - you have the right to ask us to stop processing your data if you think we have inaccurate information
  • The right to data portability - you have the right to ask us to transfer the personal data you shared with us to other services.  
  • The right to object - you have the right to ask us to restrict processing your personal information for marketing purposes or whenever you feel that you have some particular situation for which we should not process your information for any other purpose.

 

Please email DPO@OneZero-me.com to exercise any of the rights or ask us any other related questions. Please bear in mind that we might need to ask you to provide us with more information in order to verify your identity before handling your request. Whilst we aim to handle any of these requests (including transfer and access to data) free of charge and quickly, in certain circumstances (e.g. unfounded or excessive requests), we might ask you for a reasonable processing fee to fulfil your request.

Contacting us

 

Please email DPO@OneZero-me.com for any question you have about this Privacy Notice or any other questions related to the way we process your information.