Privacy Policy
Privacy Policy
Effective 1st October 2024
At PayPlan, we’re committed to protecting your privacy.
We want to make it easy for you to find out how we use your information. We’ve tried our best to explain things in a simple and clear way and welcome your questions and comments on this policy.
We know that there’s a lot of information here, but we want you to be fully informed about your rights, and how PayPlan uses your data.
The following data privacy notice explains the circumstances in which PayPlan will collect personal data from you, why it is being collected, how we will use it and to whom we might disclose it to if necessary. This includes our online systems, for example PlanFinder, which helps us gather information about your circumstances and income and expenditure, which is needed to be able to recommend a debt solution.
This privacy policy covers the following companies:
Totemic Ltd t/a PayPlan
Company Number: 2789854
Registered Office: Kempton House, Kempton Way, Dysart Road, Grantham, NG31 7LE
Authorised and Regulated by the Financial Conduct Authority
Financial Conduct Authority Number: 681263
PayPlan Partnership Limited
Register Number: 07199691
Registered Office: as above
PayPlan Bespoke Solutions Limited
Company Number: 07079646
Registered Office: as above
PayPlan Scotland Limited
Company Number: SC400113
Registered Office: Edinburgh Quay, 133 Fountainbridge, Edinburgh, EH3 9BA
The Data Controller
PayPlan is committed to complying with the UK’s Data Protection Act 2018 (UK GDPR) for the protection of personal data, as well as the principles of data security in the configuration of our services.
As a “Data Controller”, PayPlan are responsible for deciding how we store and use personal information about you. We are required to inform you of the information contained in this privacy policy.
At times PayPlan acts as a “Data Processor”. When we are a “Data Processor” we are processing personal information about you on behalf of another Data Controller. We only do this where the Data Controller has explicit consent to share your information with us for a specified purpose(s).
If you have any questions about this privacy notice or how we use your personal data, please contact:
Data Protection Officer – Dale Stringer
Totemic Limited t\a PayPlan
Kempton House, Kempton Way, Dysart Road
Grantham
Lincolnshire, NG31 7LE
Phone: 0800 0094 148
Email: dpo@totemic.co.uk
What data is being collected and processed?
In order to enter into an agreement with PayPlan, we will collect, store and use elements of your personal data. The processing of this personal data is necessary by PayPlan in order to administer your account and to provide the products and services you have requested from us.
When you approach PayPlan, we may recommend possible solutions through other providers (either with the PayPlan companies listed above, or through an external source). To help with advising you with a debt solution, PayPlan will usually need you to disclose the following:
Types of Data Collected
Type of Data | Examples | How it is Obtained |
---|---|---|
Contact | Full Name, Address, Date of Birth, Contact Telephone Numbers, E-mail Address | From you – over the phone/email in conversation with our agents as well as our online systems |
Personal | Previous names, previous address(es), gender, marital status, property details, etc. | From you – over the phone/email in conversation with our agents as well as our online systems |
Budget | Your income and expenditure details, existing credit arrangements, etc. | From you – over the phone/email in conversation with our agents as well as our online systems |
ID & Credit Checks | Full Name, Date of Birth, Address history | From you – over the phone/email in conversation with our agents as well as our online systems |
Medical | Health-related information | From you – over the phone/email in conversation with our agents as well as our online systems |
Documents | Passport, driver’s license, utility bills, credit arrangements | Provided by you when you take up a recommended solution |
Behavioural | Device information (e.g., IP address) | From your use of our website/online systems |
Correspondence | Records of communications, including emails, live chat, phone calls | From you and generated by us during service provision |
What other information do you collect about me?
During the process of setting up and administering some of our debt solutions, we may receive information from creditor(s) and debt recovery agencies about you and your debts that enable us to better manage your debt solution.
What do you use my personal data for?
What we use it for |
Lawful reason for processing |
To initially contact you to provide you with information on the products and services available from us |
Legitimate Interest – the provision of this information will generally be due to a request made by yourself about our products and services. |
To provide you with advice and recommendations on the products and services available from us |
Legitimate Interest – the provision of advice and recommendation for a debt management solution requires us to process your data to ensure we have an understanding of your personal and financial situation in order for us to be able to help you effectively and meet our regulatory requirements. This also includes when you are in a debt management solution with us and we believe PayPlan may be able to further support you. This does not include where we partner with 3rd parties (see Marketing section below). If you don’t wish to know about our services that don’t relate to debt advice or management of your solution then you can contact us at any point to withdraw your consent. Explicit Consent – we will ask you to give explicit consent to process data relating to your physical and mental health at the time we ask for it, if it is relevant to support you with the service we are providing. We also seek explicit consent when gathering data relating to ethnicity where we use it for research and/or evaluation purposes. |
To set up and administer a Debt Management Plan or Debt Arrangement Scheme |
Legitimate Interest – the set up and ongoing management of a Debt Management Plan/Debt Arrangement Scheme requires us to process your data to ensure the plan is effective and serviced in a timely way to meet our regulatory requirements. |
Setting up and administering a Debt Relief Order, an Individual Voluntary Arrangement or a Trust Deed |
Legal Obligations – these debt solutions form a legally-binding agreement and we are therefore required to process your data to ensure we meet these legal and regulatory requirements. |
To make and manage your payments |
Legitimate Interests – where you make payments to us as part of a debt solution, we have a requirement to process these in line with regulatory requirements. |
To verify your identity |
Consent – we will seek consent to check that it is you we are dealing with. |
To contact you in connection with any enquiries that you raise |
Legitimate Interests – responding to questions and comments raised when you contact us while we are providing a service to you. |
To contact you in connection to the service we are providing to you |
Legitimate Interests – to check if you require additional support with any requests we have made and/or need additional advice in relation to your recommendations or managed solution. Consent – We will seek consent to contact you in the event we need to provide you with additional information or check to see if you need additional support. |
Record Keeping |
Legitimate Interest – We need to retain information to comply with regulatory rules and to ensure we are implementing quality-checking and compliance processes. |
Monitoring and recording of telephone calls, email communications and other digital communication channels (such as WhatsApp) where necessary for compliance with regulatory rules or self-regulatory practices or procedures relevant to our business including quality and training purposes and customer satisfaction surveys |
Legitimate interests – to monitor and improve the quality of the products and services we offer and to ensure we comply with regulatory requirements. Legal Obligation – for Individual Voluntary Arrangements and Trust Deeds we have a legal obligation to ensure monitoring and recording of communications takes place. |
Financial Crime Matters |
Legal Obligation– we are required by law to detect, investigate, report and seek to prevent financial crime. |
Marketing |
Consent – We will ask you for your consent to contact you about services we offer with 3rd parties. You can provide consent at any point you wish and also withdraw it at any point. Simply contact us to let us know. |
Research and analysis |
Legitimate Interest – to enable PayPlan to better understand the issues faced by its clients in relation to the impact of debt on their lives and wellbeing. We will use anonymised data to support our work in influencing the government and policy makers to help reduce/support people falling into financial difficulty. |
Improving our products and services |
Legitimate Interest – to enable PayPlan to better understand your situation and preferences so we can provide you with the best advice and a service that takes your needs into account. |
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to provide our services. For example, debt management plans may need to be cancelled or revoked and applications for debt relief orders, individual voluntary arrangements may be delayed or terminated.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Do I have the right to withdraw consent?
The majority of our processing of your personal data is not based on consent however, where we do rely on your consent to process personal data, you have the right to withdraw this at any time. You can do this via phone, email or post.
How long will you keep my data for?
We will only retain your personal information for as long as necessary.
If you did not enter into a solution with us or did not complete an Income & Expenditure review then we will delete your data after 12 months.
If you proceed with setting up a debt solution, we will normally keep your core data for a period of six years from the end of your debt solution.
We may however need to retain some information for a longer period where we need to comply with regulatory, legal, accountancy or reporting requirements. There may be some information however that we do not need to retain for this period of time, and we may destroy, delete or anonymise it more promptly.
If you would like a copy of our data retention policy please email dpo@totemic.co.uk
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Protecting your privacy
In order to protect the personal data collected from you by PayPlan against accidental or deliberate manipulation, loss, destruction or the access of unauthorised persons, technical and organisational security measures are constantly improved as part of our technological development. In addition, our employees, subcontractors and other support staff are obligated to observe confidentiality and data privacy.
Wherever possible, we have tried to create a secure and reliable website for our users. However, you recognise that your use of the Internet and our website is entirely at your own risk and we have no responsibility or liability for the security of personal information transmitted via the Internet.
All passwords and usernames allocated to you must be kept secret and must not be disclosed to anyone without our prior written authorisation. You must not use any false identity in email or other network communications and you must not attempt or participate in the unauthorised entry or viewing of another user’s account or into another system.
You must not use the services and/or network systems or any part thereof for fraudulent activities, or to breach another organisation’s security (cross-network hacking). This is an illegal act and prosecution under criminal law may result. You must not use any computers, computer equipment, network resources or any services provided by us for any illegal purpose, or for accessing, receiving or transmitting any material deemed illegal, indecent, offensive or otherwise unacceptable under UK law.
We will monitor network traffic from time to time for the purposes of backup and problem solving and in order to ensure that you are not misusing any of the services provided to you.
Breaches
If at any time we become aware that your data has been compromised, or that a breach of our systems and controls has occurred, which has an impact on the security of your data, we will notify the Information Commissioner’s Office, and you, without undue delay.
Is any of my data transferred outside the EEA?
We do not routinely transfer personal information we collect outside of the European Economic Area (EEA). However, in the event that we did, to ensure that your personal information does receive adequate protection, we will put in place protective measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the UK laws on data protection.
Appropriate specific protective measures include for example, model clauses in data sharing contracts or via the UK Extension to the EU-US Data Privacy Framework and ongoing security assessments. If you require further information about these measures you can request it from dpo@totemic.co.uk.
Credit reference agencies
To be able to offer you a debt solution we need to know who you owe money to.
To help us capture this information correctly and quickly, we ask your permission to use a credit reference agency to source this information. This information is provided by Experian. This is an optional service.
Completing a credit reference check with PayPlan will not affect your credit rating and it is known as a soft search which means that you’ll see the search if you check your file, but your creditors won’t.
We will also seek to perform an electronic identity check, again with your explicit consent to do so. This information/service is also provided by Experian.
Information held about you by the credit reference agency may be linked to records relating to other people that you have a financial association.
If you are a joint applicant or if you have told us of some other financial association with another person, you have a legal right to know the details of credit reference and fraud prevention agencies we use and to whom we pass information about you. To obtain this information, please contact our Data Protection Officer.
Sharing of data with other data controllers
At PayPlan we take your privacy seriously and the information we hold about you is confidential. We have legitimate interest, and with some solutions a legal obligation, to share your data with certain third parties in order to deliver the services to assist you. This includes, where applicable to your advice/solution :
- Where we need to obtain professional advice (e.g. legal advice)
- Where we or others need to investigate or prevent crime (e.g. to fraud prevention agencies)
- Where the law permits or requires it
- Where regulatory or governmental body requests or requires it, including arm’s length bodies of these organisations we are contracted with or
- Where there is a duty to the public to reveal the information
- In order to meet the audit requirements of some or all of your creditors
- In order to allow independent auditors who are under contract to us or have signed a Non-Disclosure Agreement, to review our processes and controls
- To third parties under contract with us who provide services to you on our behalf such as payment processing and the sending out of documentation
- To notify creditors and their partners of the status of your progress through our advice service.
In order to provide you with advice and recommendations on a debt solution as well as administer your debt solution should you choose us to manage it, we may need to share some of your personal information with other data controllers. This is necessary for the purposes of delivering specific services to you. Other data controllers which we may share this information with may include:
- credit reference agencies
- other debt solution providers
- your creditors or their agents
- Specialist PPI Claims Management Companies
- The Insolvency Service and other Government Agencies
- Accountant in Bankruptcy
- Insurers and other financial institutions
- Valuation organisations
Should we be required to share your information with 3rd parties that do not fall into the above cases, we will obtain your explicit consent beforehand in order to do so.
How secure is my information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. A data sharing agreement that sets out how we expect third parties to handle any data we share with them is required to be in place before we share any data. Ongoing checks are carried out on these arrangements at regular intervals.
Right to be Forgotten
Under the GDPR, you have the right to ‘block’ or request the deletion or removal of personal data to prevent further processing. This right to erasure is also known as ‘the right to be forgotten’. Specific circumstances in which you can request the deletion or removal of personal data includes:
- where the personal data is no longer necessary for the purposes for which it is collected or otherwise processed
- where you withdraw consent
- when you object to the processing and there is no overriding legitimate interest for continuing the processing
- where the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
- where the personal data has to be erased in order to comply with a legal obligation
in case a deletion is not possible due to legal, statutory or contractual retention periods, or if it requires disproportionate efforts or prejudices your legitimate interests, the data will be blocked instead of deleted.
Subject Access Requests
You have the right to request access to a copy of the personal information that we hold about you. This is also known as a ‘Subject Access Request’. This information is provided to you free of charge however, we can refuse to respond or charge a ‘reasonable fee’ when a request is manifestly unfounded, excessive, or repetitive.
If you would like a copy of the information we hold on you, or believe that we are holding information about you which is incorrect or incomplete, please write to:
Totemic Limited t\a PayPlan
Kempton House, Kempton Way, Dysart Road, Grantham, NG31 7LE
Grantham
Lincolnshire. NG31 7LE
Email: dpo@totemic.co.uk
We will respond to your request without delay and at the latest, within one month of receipt of your request.
Rectifying or updating personal data
If you believe the personal data we hold about you is inaccurate or incomplete, you have the right to rectification. You can let us know about any changes to your personal data. Where possible, we will also inform any third parties to whom we have disclosed the personal data in question to so they can rectify their records.
If you have a PayPlan Plus account, you may be able to amend certain information through your online portal.
We will typically respond to your request within one month, although this can be extended by two months if your request for rectification is complex.
Right to complain
If you have a complaint about any aspect of data protection or if you feel your privacy has been breached by us, we would like to hear from you. To help us investigate and resolve your concerns as quickly as possible, please contact:
Data Protection Officer – Dale Stringer
Totemic Limited t\a PayPlan
Kempton House, Kempton Way, Dysart Road, Grantham, NG31 7LE
Grantham
Lincolnshire. NG31 7LE
Phone: 800 0094148
Email: dpo@totemic.co.uk
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Your rights in full
The UK Data Protection Act 2018 provides rights to an individual with regard to their data. While these rights have been included in this privacy policy for further information on them visit the Information Commissioner’s Office:
Individual Right |
Link |
The right to be informed |
|
The right of access |
|
The right to rectification |
|
The right to erasure |
|
The right to restrict processing |
|
The right to data portability |
|
The right to object |
|
Rights in relation to automated decision making and profiling |
Changes to the Privacy Policy
Due to the further development of our website, government regulations or the implementations of new technologies, this policy will be reviewed, and may change, from time to time. PayPlan reserves the right to change this data protection information at any time with effect for the future.
The revised policy will be posted to this page so that you are always aware of the information we collect, how we use it and under what circumstances we disclose it. We therefore recommend you read the current data protection information again from time to time.