Privacy Policy

Updated On

September 10, 2020

Karma Technologies International Limited

Protecting personal data is a priority for everyone. This policy tells you the types of information we collect when you visit our website (www.getkarma.co.uk) (“Website”) and/or use our services and applications, how we use that information, and when we may share that information. This policy may change from time to time so please check it every so often.

This Privacy Policy relates to the data we collect from you which includes “personal data” (being any information which identifies a person or which allows that person to be identified when combined with other information) and data which is otherwise recognised as sensitive data.

‍

WHO ARE WE?

We are Karma Technologies International Limited of 18 Finsbury Square, London, United Kingdom, EC2A 1AH (“we”, “us”, “our” or “Karma”).

We are the controller of personal data for the purposes of this Privacy Policy.

If you have any questions about this Privacy Policy, including requests to exercise your legal rights, please contact us using the details set out below:

Attn: Chief Risk Officer]

Karma Technologies International Limited 18 Finsbury Square,

London,

United Kingdom, EC2A 1AH

Email: chiefriskofficer@getkarma.co.uk

WHAT DATA DO WE COLLECT FROM YOU?

We collect and use data relevant to your use of our services and applications, and your contact with us via the Website or through other means. In respect of this personal data, we are the Controller.

If you are signing up to use our services, if you are enquiring about using our services or if you are an employer enquiring about our services, it may be necessary for you to provide certain data to us.

The data you provide or may provide is listed below.

If you are passing data to us that belongs to someone else (such as an employer passing employee data) you must ensure you are lawfully permitted to transfer such data to us.

We may collect, use, store and transfer different kinds of personal data as follows:

• Identity Data includes your name, email address, username, title, date of birth, gender, photographic identification or similar identifier.

Contact Data includes billing address, delivery address, email address and telephone numbers.

Financial Data includes bank account and payment card details.

Transaction Data includes details about payments to and from you and other details of any payments made by you whilst using our services or purchasing services or goods from us.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting, location, browser plug-in types and versions, operating system and platform, screen resolution and other technical characteristics of your device, your use of our services and applications and connection to the Website, (as applicable to the device you are using).

Profile Data includes your username and password, your user ID and preferences and feedback.

Usage Data includes information about your visit, including the website that referred you to the Website (if applicable), the path that you take through and from the Website (including date and time); pages that you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

Photographic identification data is biometric data and is a Special Category of personal data and where we collect this data:

We only do so with your express consent;
We do so to make sure you are who you say you are;
We only use it to check your identity.

We also collect, use and share Aggregated Data, such as statistical or demographic data, for any purpose. Aggregated Data may be derived from your data but is not considered personal data as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

Apart from the photographic identification data, we do not collect any Special Categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and

biometric data). Nor do we collect any information about criminal convictions and offences.

HOW DO WE COLLECT DATA?

We use different methods to collect data from you including as follows:

Enquiring about our services or subscribing to our services

If you contact us to ask about our service or about us generally, either through the Website or otherwise, we will collect and process Identity, Contact and Financial Data.

Signing up for our service

If you sign up for our service and/or download our application, we will collect and process Identity, Contact, Financial, Transaction, Technical, and Profile Data.

Correspondence

If you correspond with us using our contact form or through our ‘contact us’ or help features, we will collect and process Identity and Contact Data.

Browsing

We collect some Technical and Usage Data.

Candidates applying for a role at Karma Technologies International Limited

We will collect your Identity, Contact Data and Profile Data and information relating to your employment history.

We will also collect data about you during telephone calls, in emails, during face to face interviews and from recruitment companies, head-hunters and social sites.

We would always like to keep in touch with excellent candidates regarding any future vacancies and as a result, your consent also includes the ability for Karma Technologies International Limited to retain your personal details.

HOW DO WE USE DATA COLLECTED FROM YOU?

We will only use your data when the law allows us to. Most commonly, we use it in the following circumstances:

Where we need to perform the contract, we are about to or have entered into with you.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests).
Where we need to comply with a legal or regulatory obligation.

Generally, we only rely on consent as a legal basis for processing your data where we need to obtain the consent to provide you with our services or to send you third party direct marketing communications to via email or text message. You have the right to withdraw your consent at any time.

We have set out below the ways we use data and the legal basis for doing so. We have also identified what our legitimate interest is, where appropriate.

Purpose/Activity Type of Data

Lawful basis for processing including basis of legitimate interest

To register you as a new (a) Identity

(a) Performance of a contract with you

customer

To perform the contract and provide you with services:

Manage payments, fees and charges
Collect and recover money owed to us

(b) Contact

Identity
Contact
Financial
Transaction
Technical
Marketing and Communications

(b) Necessary for our legitimate interest (for running our business and provide you with services)

Performance of a contract with you
Necessary for our legitimate interests (to recover debts due to us)

To process a job application and keep you informed of employment opportunities

Identity
Contact
Financial
Profile

Performance of a contract with you
Necessary to comply with a legal obligation
Necessary for our legitimate interests (to recruit good candidates for our business)

To manage our relationship with you which will include:

Notifying you about changes to our terms or privacy policy
Asking you to provide feedback on our services

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system

Identity
Contact
Profile
Marketing and Communications

Identity
Contact
Technical

Performance of a contract with you
Necessary to comply with a legal obligation
Necessary for our legitimate interests (to keep our records updated and to study how customers use our services and applications)

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of

maintenance, support, reporting and hosting of data)

To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you

To use data analytics to improve the Website, services, applications, marketing, customer relationships and experiences

Identity
Contact
Profile
Usage
Marketing and Communications
Technical

Technical
Usage

a business reorganisation or group restructuring exercise)

(b) Necessary to comply with a legal obligation

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

Necessary for our legitimate interests (to define types of customers for our products and services, to keep the Website updated and relevant, to develop our business and to inform our marketing strategy)

To make suggestions

Identity
Contact

Necessary for our legitimate

and recommendations to (c) Technical you about services that

may be of interest to you (d) Usage

(e) Profile

interests (to develop our products/services and grow our business)

We may process data for more than one lawful ground depending on the specific purpose for which we are using data. Please contact us if you want further details about the specific legal ground we are relying on to process your data.

Where we need to collect data by law, or under the terms of a contract and you do not provide that data when requested, we may not be able to perform the contract. In this case, we may have to cancel a service you have with us.

WHO DO WE SHARE YOUR DATA WITH?

We may share your data within Karma (i.e. our officers, staff and contractors) and with our service providers; for example, to service your requests or provide you with information. We may also share your data if a change happens in our business such as a merger or acquisition. If that happens, the new owners may use your data in the same way as set out in this Privacy Policy.

We may also share your data with service providers who we engage to help us run our business or deliver our services to you.

We may also share your data with our appointed Electronic Money Institution (which is a company registered with the Financial Conduct Authority to process payments) so that you can open a payment account with the Electronic Money Institution which is necessary in order to use our service.

We may also share your data with other organisations or individuals when it is reasonably necessary to:

Meet any applicable law, regulation, legal process or request of a suitable governmental body or public authority e.g. under a relevant court production order.
Enforce applicable legal terms and conditions or our other legal rights, including investigation of potential violations.
Detect, prevent, or otherwise address financial crime.
Protect against or prevent harm to the rights, property or safety of Karma, our customers or the public as required or permitted by law.

WHERE IS YOUR DATA STORED AND PROCESSED?

We will process and store your data on the Website servers, email and other servers and equipment that are needed to provide the services as applicable.

We do not ordinarily transfer your data outside of the European Economic Area except as follows:

Analytics providers

Our service providers, such as Google Analytics (Google Inc. and its affiliates), may process your data in the course of providing analytical information to us about the use of the Website. These service providers may collect and/or transfer your data outside of the European Economic Area.

For more information on how Google Analytics processes your data you can visit here: https://support.google.com/analytics/answer/6004245?hl=en-GB

Technical support

Sometimes we need to engage the assistance of our affiliated companies to provide technical support for your use of our service. The individuals providing the support may be based outside of the European Economic Area and will only have access to your data when they need to in order to provide support.

Whenever we transfer data out of the EEA or UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

We will only transfer data to countries that have been deemed to provide an adequate level of protection for data by the European Commission. For further details, see European Commission: Adequacy of the protection of data in non- EU countries.

• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.

Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to data shared between the Europe and the US or are subject to approved standard contract clauses. For further details, see European Commission: EU- US Privacy Shield.

HOW LONG DO WE KEEP YOUR DATA?

We will not keep your data longer than reasonably necessary to fulfil the purposes described in this Privacy Policy or as we reasonably need to in order to meet our legal and governance obligations.

WHAT DIRECT MARKETING DO WE CONDUCT?

If you provide your contact details, we might contact you individually in the future if we think that our services may be of interest to you.

If we think it appropriate, we might also add you to our regular email marketing list.

You can ask us to remove your personal details from our marketing lists using the contact details listed at the top of this Privacy Policy.

SECURITY OF YOUR DATA

We have put in place appropriate security measures to prevent data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to data to those of our staff and other third parties who have a business need to know. They will only process data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator of any breach where we are legally required to do so.

DATA RETENTION

We will retain data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of data, the purposes for which we process data and whether we can achieve those purposes through other means, and the applicable legal requirements.

For example, if you are a customer, we will generally keep your data for the longer of six years from the date of the last interaction with you or until the applicable statutory limitations period has expired.

We regularly review the data we hold taking into account the lawful purpose for which we hold it and any data that is deemed no-longer relevant or required is deleted where it is practicable to do so.

YOUR LEGAL RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data.

Request access to your personal data (commonly known as a "data subject access request"). This enables you to confirm with us whether your personal data is processed and, if it is to receive a copy of the personal data we hold about you.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where it is no longer necessary for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your personal data unlawfully or where we are required to erase your personal data to comply with applicable law. However, the right to erasure is not an absolute right and we may not always be required to comply with your request for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party). In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data which override your rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
Request restriction of processing of your personal data in certain circumstances. This enables you to ask us to suspend the processing of your personal data in the following circumstances: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your personal data when relying on a legitimate interest but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only

applies to personal data processed by automated means which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Right to complain: You also have the right to lodge a complaint with the competent data protection supervisory authority, which in the UK is the Information Commissioner's Office.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

‍