UK GDPR Privacy Policy

1. About this Policy

  1. InDebted respects your privacy and wants you to understand how we collect, hold, use, and share personal data about you.
  2. This privacy policy (Privacy Policy) applies to the below related bodies corporate of the InDebted Group (“InDebted” and jointly the “InDebted Group”, “we”, “us” and “our”):
    1. InDebted Australia Pty Ltd (ACN 613 132 951);
    2. InDebted New Zealand Ltd (Company Number 7686518);
    3. InDebted Canada Ltd (Corporation Number 1180527-4);
    4. InDebted Platform Co UK Limited (Company Number 12253462);
    5. InDebted USA, Inc. (EIN number 27-0504127); and
    6. any other company which is at any time a related entity or a wholly owned subsidiary of any of the above companies.
  3. The *Data Protection Act 2018* (Data Act), which sets out the framework for data protection law in the United Kingdom (UK), came into effect on 25 May 2018. The Data Act sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.
  4. The UK General Data Protection Regulation (UK GDPR) which came into effect on 01 January 2021, sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.
  5. It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679) which applied in the UK before that date, with some changes to make it work more effectively in a UK context.
  6. The Data Act, the UK GDPR and any guidance issued by the Information Commissioner’s Office govern the way in which we must manage your personal data (“Privacy Laws”).
  7. This Privacy Policy covers our data collection practices and describes your rights to access, correct, or restrict our use of your personal data, which is defined in the Data Act to mean “*any information relating to an identified or identifiable individual*” (“personal data”). This includes information such as a name, email address, identification number, or any other type of information that can reasonably identify an individual, either directly or indirectly.
  8. This Privacy Policy applies when you visit or use our website, mobile applications, APIs or when we are providing relevant services to you involving debt collection and account recovery services, and if you become an employee, contractor, agent, vendor or service provider to us or we provide those services to you (the “Services”). We are committed to safeguarding the privacy of our website visitors and Service users.
  9. By using our Services, you agree to the terms of this Privacy Policy. You shouldn’t use our Services or visit our website if you don’t agree with this Privacy Policy or any other agreement that governs your use of our Services.
  10. InDebted Platform Co UK Limited (Company Number 12253462) may be a data controller or a data processor of your personal data. The other above named entities will be data processors of your personal data.
  11. Our collection, use, disclosure and processing of your personal data is regulated by the Privacy Laws if:
    1. you interact with InDebted Platform Co UK Limited (Company Number 12253462);
    2. we provide our Services to you whilst you are located in the UK; or
    3. we monitor your behavior whilst you are located in the UK.

2. Collection of personal data

  1. As part of providing any of our Services to you, InDebted Group will, from time to time, collect, hold, process and share your personal data provided to us directly by you or other organisations that you have client relationships with or given to us in other forms.
  2. We will not collect and use any of your sensitive personal data unless it is necessary for us to provide our Services to you and with your prior consent or where a permitted general situation exists. Sensitive personal data includes information relating to your health, sexual orientation, genetic data, biometric data (where used for identification purposes), criminal history, religious or philosophical beliefs, racial or ethnic origin as well as membership of any trade or professional associations.
  3. You may provide basic information such as your name, phone number, address and email address, social media profile name to enable us to communicate with you when we provide our Services to you, when you contact us and when we provide you with updates.
  4. We may collect additional information at other times, including but not limited to, when you provide feedback, make a complaint, when you provide information about your personal or business affairs, change your content or email preference, provide financial or credit card information, communicate with our customer support teams or interact with us through our website, Services applications or digital communication channels.
  5. Additionally, we may also collect any other information you provide while interacting with us and when we manage our customer, client and service provider relationships and whilst employed by us.
  6. We may also collect personal data about you from third parties or organisations including our related companies, publicly available sources of information (such as public registers), your approved representatives, other organisations who, jointly with us, provide products or services to you, third party websites, applications or platforms containing interactive InDebted content or that interface with our own websites and applications, social media platforms (if you publicly comment or send us a private message) and digital tracking tools such as cookies.
  7. When you visit our offices, CCTV footage may be recorded. Other information that may be collected includes details provided on a resume sent to us relating to an employment opportunity.
  8. We may also receive your personal data from third parties that we deal with on your behalf and from our clients and service providers.
  9. Any information we receive that we are not lawfully required to hold will be deleted or destroyed.

3. On what basis we use your personal data

  1. Under the Privacy Laws we are allowed to use your personal data in the following circumstances:
    1. to provide our Services to you and to fulfil a contract that we have with our clients and you;
    2. when you provide your consent to our clients or to us;
    3. to comply with our legal and regulatory obligations as well as effectively manage our business risks; and/or
    4. when it is in our legitimate interest.
  2. When we use your personal data for our legitimate interest it means that:
    1. processing your personal data is necessary and we cannot achieve the same outcome in any other way; and
    2. we have undertaken a balancing exercise and ensured that our interests are not outweighed by your interests, rights and freedoms.

4. Use and disclosure of your personal data

  1. We will use or disclose your personal information held about you as permitted by law and for the business purposes for which it is collected. We may use your personal information on the following basis:
    1. where such processing is necessary for the performance of our contracts and compliance with our contractual arrangements with our clients including where we have contracts with our clients who place your accounts with us for collection;
    2. to provide and manage our Services to you;
    3. the proper management of our client and customer relationships;
    4. to verify your identity and to authenticate you when you contact us;
    5. when we communicate with you by mail, email, telephone, SMS, mobile applications and social media platforms;
    6. for legitimate business purposes;
    7. using your personal information helps us to operate and improve our business, website, systems and minimize any disruption to the services that we may offer to you;
    8. where we are processing information based on your consent;
    9. to comply with our legal and regulatory obligations;
    10. for the establishment, exercise or defence of legal claims, proceedings or in an administrative or out-of-court procedure;
    11. for the purposes of obtaining or maintaining insurance coverage, managing risks and operations or obtaining professional advice;
    12. for the purpose of fraud, crime prevention, suppression, or detection and help us run our business and maintain integrity;
    13. ensuring workplace health and safety of our employees or enforcing our rights, making legal enquiries, or taking legal action; or
    14. record-keeping purposes.
  2. When you are a client of our Services, we may also use your personal information to tell you about our Services we think may be of interest to you.
  3. We do not knowingly collect or process the personal information of anyone under the age of 18 years old.
  4. We may create statistical and anonymized reports, analysis and predictive models, rules and insights using information about you and other customers. Aggregated reports may also be shared with other businesses for business development and to provide insights into collection performance, identify customer demographics or behavioral insights and the information in these reports is not personal and cannot be used to identify you.
  5. We will not process your personal information for direct marketing purposes, and we will not sell your personal information to other companies or organisations.

5. Automated decisions using your personal data

  1. To provide an efficient and helpful customer experience we use automated decisioning in how we communicate with you. For example, if you communicate with us via email or SMS, our system will automatically tailor communications with you based on your preferred digital method of communication, without any human intervention. We may also use automated decisions to detect and prevent fraud, detect and prevent money laundering and determine the most efficient and helpful way to provide our Services to you.
  2. You have rights over automated decisions we make about you using your personal data and you can ask us to advise you of how we use your personal data with automatic decisioning. You also have the right to object to automated decisioning of your personal data to the extent that our automated decisions have a significant impact on you.

6. How we keep your personal data

  1. We will keep your personal data securely in either physical or electronic form. The security of your personal data is important to us. We will take appropriate technical and organisational precautions to secure your personal data and to prevent the loss, misuse, unauthorized access, disclosure or alteration of your personal data.
  2. We will store all your personal data on secure servers, personal computers and mobile devices, and in secure manual record-keeping systems.
  3. Much of the information we hold about you will be stored electronically. We store some of your information in secure data centers via our cloud data storage service provider Amazon Web Services.
  4. We use a range of physical, electronic and other security measures to protect the security, confidentiality and integrity of the personal data we hold and protect it from misuse, interference, loss and unauthorised access, modification and disclosure. For example:
    1. access to our information systems is controlled through identity and access management controls;
    2. all of our employees are required to comply with our privacy framework and information security policies;
    3. all of our employees complete training about privacy and information security;
    4. we regularly monitor and review our security measures and compliance with internal policies and industry best practice; and
    5. our contracted service providers are contractually bound to comply with the Privacy Laws and have appropriate information security measures and are obligated to keep the information secure.
  5. You acknowledge that the transmission of unencrypted (or inadequately encrypted) data over the internet is inherently insecure, and we cannot guarantee the security of data sent to us by you over the internet and you do so at your own risk.
  6. Although we take measures to safeguard against unauthorised disclosures of information, we cannot assure you that personal data that we collect will not be disclosed in a manner that is inconsistent with this Privacy Policy. If you are concerned that the security of your interaction with us has been compromised, please contact us immediately by emailing us at privacy@indebted.co.
  7. Also, our website may have links to external websites, and we take no responsibility for the privacy practices or the content of those other sites.

7. InDebted Employees

  1. Access to your information is restricted to authorized employees who have a legitimate business purpose for using it.
  2. Unauthorized use and/or disclosure of client and customer information by an employee of InDebted is strictly prohibited. All employees are required to maintain the confidentiality of client and customer information at all times and failing to do so will result in appropriate disciplinary measures, which may include dismissal.

8. Do you have to provide your personal data?

You can withhold your personal information when speaking with us if you are making a general enquiry. However, if you withhold your personal data, it may not be possible for us to provide you with our products and services or for you to fully access our website.

9. Providing your personal data to others

  1. We may disclose your personal information to any member of the InDebted Group of companies (this means our subsidiaries, our ultimate holding company and all of its subsidiaries) insofar as reasonably necessary for the purposes of providing our services and managing our business and on the legal bases allowed under the Privacy Laws.
  2. We may disclose your personal information to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
  3. We may disclose personal information to our suppliers or subcontractors insofar as reasonably necessary for providing our services and managing our business.
  4. In addition to the specific disclosures of personal information set out in this section 9, we may disclose your personal information where such disclosure is necessary for compliance with a legal or regulatory obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
  5. We may also disclose your personal data when we have obtained your consent.

10. Outside Service Suppliers

  1. We may use service providers to perform specialized services on our behalf. Our service providers may at times be responsible for processing or handling personal information. They are provided only the information necessary to perform the services.
  2. In addition, we require them to protect the information in a manner that is consistent with our privacy policies and security practices.
  3. Any disclosure to third parties will be done pursuant to agreements setting out the requirements for use, safeguarding, retention and disposal of such information, or as required by law.

11. Your rights

  1. You have certain rights as to how your personal data is obtained and used and InDebted complies with your rights under the Privacy Laws as to how your personal data is collected, used and handled.
  2. Except as otherwise provided in the Privacy Laws, you generally have the following rights:
    1. if we rely on your consent to process your personal data, to withdraw your consent, in which case we will stop the processing activities relevant to your consent;
    2. to be informed how we received your personal data and how it is being used;
    3. to access your personal data (we will provide you with a free copy of it);
    4. to object to us using your personal data, where we are relying on our legitimate interest to do so and we can challenge your objection and communicate with you in accordance with our legal obligations;
    5. to correct your personal data if it is inaccurate or incomplete;
    6. to delete your personal data (also known as "the right to be forgotten") if there is no need for us to keep it;
    7. to restrict processing of your personal data;
    8. to receive, retain and reuse your personal data for your own purposes;
    9. to object to your personal data being used, if we have no legal reason to use it; and
    10. to object against using your personal data for direct marketing, automated decision making and profiling.
  3. Please contact us at any time to exercise any of your rights under the Privacy Laws at the contact details in this Privacy Policy.
  4. We may ask you to verify your identity and provide us with additional information before acting on any of your requests.
  5. We will respond to you as soon as possible but within 30 days from the date of your request.

12. Countries to Which We Transfer Your Information

  1. Your personal information may be transmitted through, stored or processed in countries other than your home country, in which case the information is bound by the laws of these countries.
  2. InDebted and its Group companies operate in:
    1. United States of America;
    2. Canada;
    3. Australia;
    4. New Zealand;
    5. Philippines; and
    6. United Kingdom.
  3. We made an "adequacy decision" with respect to the Privacy Laws of each of these countries. Transfers to each of these countries will be protected by appropriate safeguards, namely:
    1. with respect of any disclosure to our InDebted Group companies that they will comply with this privacy policy and have the same or similar obligations that we have under the Privacy Laws and will be done pursuant to agreements setting out the requirements for use, safeguarding, retention and disposal of such information, or as required by law;
    2. with respect of any of our service providers:
      1. the overseas recipient does not breach the Privacy Laws; or
      2. the overseas recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the protection under the Privacy Laws; and
      3. any disclosure will be done pursuant to agreements setting out the requirements for use, safeguarding, retention and disposal of such information, or as required by law; or
    3. you have consented to us making the disclosure.

13. Access to your personal data

  1. You may request details of personal data that we hold about you in accordance with the provisions of the Privacy Laws. If you would like a copy of the information which we hold about you or believe that any information we hold on you is inaccurate, out of date, incomplete, irrelevant or misleading, please email us at privacy@indebted.co.
  2. We reserve the right to refuse to provide you with information that we hold about you, in certain circumstances set out in the Privacy Laws or any other applicable law.

14. Retention of your personal data

  1. We will keep your personal data for as long as required by InDebted in compliance with its Privacy Laws and its legal and regulatory obligations. We also generally retain your personal data for at least seven years after we have stopped interacting with you to comply with our legal obligations and so that we can respond to any questions or complaints regarding our interactions with you.
  2. We may also need to keep your personal data for a longer period, where required for legal or regulatory reasons.
  3. We will keep your data safe and secure for as long as we hold it.
  4. If we no longer need to use your personal data for the purposes set out in this policy, we will take reasonable steps to destroy, de-identify or anonymize it so that your identity cannot, by any reasonable means, be revealed from the information that we hold about you.

15. Complaints about privacy

  1. If you have any complaints about our privacy practices, please feel free to send in details of your complaints to privacy@indebted.co. We take complaints very seriously and will respond shortly after receiving written notice of your complaint. We will let you know if we need any additional information from you.
  2. If you are displeased with the way we are handling or have handled your personal data, you can contact the Information Commissioner’s Office (ICO). Their contact details are available on their website at https://ico.org.uk.

16. Changes to Privacy Policy

  1. This UK GDPR Privacy Policy is Version 2.0 dated 27 April 2021.
  2. Please be aware that we may change this Privacy Policy in the future. We may modify this Policy at any time, in our sole discretion and all modifications will be effective immediately upon our posting of the modifications on our website or notice board. Please check back from time to time to review our Privacy Policy which can be found at indebted.co/en-uk/.