Tully

Tully Privacy Policy

Welcome to Tully’s privacy policy. This document sets out everything you need to know about what type of data we hold on you, why we have it and how we use it. When we say “we”, “Tully”, “us” or “ours” we are talking about Tully, a trading name of Fair Way Forward Limited, a company incorporated and registered in England and Wales with company number 11308960 whose registered office is at 1 Hammersmith Broadway, London, W6 9DL. When we say “you” or “yours” we are talking about you, our customer or potential customer.

We are the data controller of your information; our data controller registration number is ZA100119. You can check our registration details with the Information Commissioner’s Office (ICO) at https://www.ico.org.uk/esdwebpages/search.

1. What information do we collect about you?

We may collect the following types of data about you:

Your name and date of birth
Your address
Your contact details (email and telephone)
Your credit report
Your bank statement data
Technical information about how you use our website/apps
Answers to any questions we ask you directly in order to provide our services to you

We get this information from you, your mobile phone, cookies, your bank, credit reference agencies or other third parties such as our partners, service providers, advertising networks, analytics providers, search information providers and social media.

We may also record or monitor telephone conversations or other communications between you and us, which is another source of how we get data about you.

2. How do we use that information?

As you will see from the table below, we rely on the legitimate interests lawful basis for processing your data in most cases. We rely on this basis when we process your personal data for the purposes of our legitimate business interests or for the legitimate business interests of our product providers or other suppliers, provided that such processing does not outweigh your rights and freedoms. We will rely on this basis when we need to:

display or notify you of recommended payment plans;
provide you with our service, including quality control and analysis;
to verify your identity and to otherwise protect you and us from fraud or other threats;
share your budget and circumstance data with creditors, creditors’ representative organisations and/ or debt solution providers in order for them to evaluate payment plan proposals including registration for payment relief and
conduct analysis, segmentation and profiling of your data in order to provide you with direct marketing communications; and/or
improve our service and manage our customer relationships.

Where we rely on legitimate interests, you have the right to object at any time by contacting us at the details listed in section 12 below.

Specifically when dealing with non-core processes, such as tailored product offerings or sharing sensitive situational information we will rely on explicit consent.

3. How do we use that information?

We use this information to provide you with our services, to improve our services to you, to administer your account and communicate with you. We also use anonymised information collected from all of our customers for research, profiling and analytical purposes.

The table below details exactly how we use the different types of data fields we collect and which lawful basis we rely on (see section 4 below for more details).

Use	Which data fields?	Authorisations needed / legal basis relied on
Share your data with creditors in order to suspend collections activity and negotiate payment plans on your behalf including registering you for payment relief	Your name and date of birth Your address Your contact details Your budget Your debts Your proposed repayment	Performance of a contract
Share your data with UK based business process outsourcers acting on behalf of Tully to help guide you through the system and validate you budget	Your name and date of birth Your address Your contact details Your budget Your debts	Performance of a contract
Send you product recommendations from third parties using your contact details	Your name Your contact details	Consent
Share your details with credit reference agencies to verify identity and obtain information from your credit report	Your name and date of birth Your address	Legitimate Interests
Share your data with Modulr if you choose to enter a repayment plan that requires opening a modulr account	Your name Your contact details	Legitimate Interests
Share your data with OpenWrks (Business Finance Technology Group Limited) if you choose to use OpenWrks to securely share your financial information with us as part of building your budget	Your name Your contact details	Legitimate Interests
Share your data with Debt Solution Providers if you choose to be referred for a formal debt solution	Your name and date of birth Your address Your contact details Your Budget	Legitimate Interests
Storing your data on Tully’s systems to manage your Tully account including calculating your budget	Your name and date of birth Your address Your contact details Your credit report Your bank statement data Technical information about how you use our website/apps Answers to any questions we ask you directly in order to provide our services to you	Legitimate interests
Send you communications on how to keep on top of your money	Your name Your contact details	Legitimate interests (with opt-out)
Send you core communications such as your budget report, alerts whenever there is a change in your finance report, significant changes which may impact Tully’s service and other such related content	Your name Your contact details	Legitimate interests
Automated processing for the purposes of verifying your identity, building your budget, presenting debt solutions, providing interesting content and tailored communications (please refer to Section 8 below for further information)	Your name and date of birth Your address Your contact details Your credit report Your bank statement data Technical information about how you use our website/apps Answers to any questions we ask you directly in order to provide our services to you	Performance of a contract

4. Who may we share your information with?

We may share your data with other members of our group and with other third parties, such as our service providers, advertisers, credit reference agencies and fraud prevention agencies. This is to enable us to provide you with the products, services and information you request. As such, your data may be shared with the third parties listed below.

Processors	Activities
Blenheim Chalcot LTF Limited (BC)	BC provide us with ad hoc legal, tax and finance advice. There will be instances where we share your data with BC to enable them to provide their services to us. BC will only use your data as instructed by us.
Business Finance Technology Group Limited trading as OpenWrks	OpenWrks enables you to share your financial information with us securely and directly from your bank account so we can understand your income and expenditure as part of building your Tully budget without you having to manually upload your bank statements.
Cloud based service providers	Associated technologies and cloud based services required to provide Tully services. All data is processed securely, encrypted in transmission and at rest.
Credit reference agencies such as Callcredit, Equifax and Experian (the CRAs)	As part of our services we need to obtain credit information about you and as such we will need to ask the CRAs to provide us with this data. The CRAs will: search their systems using your name, address and date of birth to retrieve information for us; send us your credit information via a secure data transfer known as SOAP API where they match you to their database; and record the request for information we made on your behalf. This will only be visible to you if you obtain credit report and will be classed as an Unregistered Enquiry. This means that the search will not be visible to any other companies who carry out a credit search on you and will not affect your credit score in any way.
Financial Conduct Authority (the FCA)	The FCA may, as our regulator, require us to share information with them and this information may include your data.
Fraud prevention agencies such as CIFAS (the UK’s leading Fraud Prevention Service), Crimestoppers and ActionFraud (the FPAs)	In certain circumstances we may be required to provide your data to the FPAs to ensure you are not involved in fraudulent activities. The FPAs will use your data by: running a search against your name, address and date of birth to retrieve information for us; make your information available to us either through their secure system which we will log onto or passing data securely to us with your credit information via the CRA; and record any notes we make about actual or potential instances of fraud that we see and make these available to their other members for the purposes of helping to prevent fraud.
Intercom inc.	Intercom provides the technology to enable and store our non-voice consumer communications (web chat, email etc.).
Johnson Geddes	Insolvency Practitioner with the capability to set up Individual Voluntary Arrangements.
London & Zurich plc	L&Z enable you to set up a direct debit to make repayments into your Modulr payment account.
Modulr Finance Limited	Modulr enables you to open a payment account which enables us to collect a single payment from you and in turn make payments to your creditors on your behalf to make sure you are in control of your repayments.
Smart Hosted Solutions Ltd (VIA)	VIA provides the technology to enable and store our voice based consumer communications.
Your creditors	Creditors will need to identify you and review your budget and in order to provide you with payment relief or forgiveness including justifying halting interest and fees in exchange of the set-up of a flexible payment arrangement.

In relation to the above cases we will, where necessary, obtain your consent before sharing your data with these third parties. There may, however, be instances where we are required to share your data, but we will not obtain your consent beforehand (i.e. when required by the FCA, or because we can do so in reliance on another lawful basis that does not require your consent (see section 2, above)).

5. Direct marketing and how you can change your preferences

We may reach out to you directly by email, phone or post for the following purposes:

Product recommendations from third parties - We'll get in touch with personalised, timely product recommendations from our third party partners that can help you improve your financial situation. We will only ever send these if you explicitly consent to receiving them, and you can unsubscribe whenever you like either by clicking on the unsubscribe button on the email or by telling us (see section 12 below).
Product recommendations from us - We’ll get in touch with news about our products and services if we feel they will be of interest to you. Where such products or services are similar to what you’ve already purchased on our platform, we rely on the legitimate interests legal basis of our need to grow our business. Otherwise we will only send these communications to you if you have provided your explicit consent. Either way, you can always unsubscribe whenever you like by clicking the unsubscribe button on the email or by telling us (see section 12 below).
Content communications - We’ll send you content such as tips, research, features and news, coaching programmes on how to keep on top of your money. We rely on the legitimate interests legal basis of the need to provide you with information about financial planning matters so that you can keep on top of your repayments and financial affairs. You can unsubscribe from these communications at any time either by clicking on the unsubscribe button on the email or by telling us (see section 12 below).

Core communications

We’ll send you key information about our product and services including the remaining steps in your budget building journey, questions related to your budget, alerts when a creditor accepts a payment plan we have put forward for you or when a creditor suggests a payment plan to you, when there are changes to your credit information, when there are changes to any payments you are expected to make, security announcements regarding the Tully platform and your account and significant changes which may impact our service and other related content. These communications are core to the delivery of our services, do not constitute direct marketing, and so cannot be opted-out of.

6. How do we protect your information?

We protect your information by adhering to internationally recognised Information Security best practices and standards.

We take the security of your data very seriously and use strict procedures to protect it. Whenever we transfer personal data outside of the UK/ European Economic Area, we ensure that appropriate safeguards are in place to protect the data.

All information you provide to us is stored in UK data centres which provide secure cloud infrastructure that are designed by Information Security professionals. We adhere to best practices which among many include defence in depth, security by design, least privilege principles and providing both physical and logical access controls.

We do our best to protect your personal data, but we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, loss or damage.

Where possible, we try to only process your information within the UK and European Economic Area (EEA). If we or our service providers transfer personal data outside of the UK or EEA, we always require that appropriate safeguards are in place to protect the information when it is processed.

7. How long do we keep your information for?

We keep your information for as long as you have an account on the Tully platform. All of your personal data will be removed within six (6) months of you terminating your Tully account. After which point we will only retain anonymised data which cannot identify you and is aggregated with anonymised data of other users. We use this aggregated anonymised data for data analysis, profiling and research purposes. We may also keep your email address for up to five (5) years, to ensure that you no longer receive any communications from us, and your name, date of birth and latest address for up to five (5) years, for fraud prevention purposes and for the exercise or defence of a legal claim.

8. Do we use Automated Decision Making?

Yes. We use an automated decision making system to make automated decisions based on personal information we have about you. This helps us to make sure our decisions are quick and fair, based on what we know.

Identity verification. We use an automated decision making system to verify the details you provide against those held by third party providers. Your name, address and DoB is passed to a credit reference agency top match against their records. If you do not pass the check using the automated system, we cannot share your credit file with you and you will need to input your debts manually.
Building your budget. Your banking transactions are downloaded by Openwrks, categorised, grouped and questions formed that we will ask in order to verify and fill gaps to ensure your budget is complete. This then enables us to determine how much you can afford to pay off your debts each month
Presenting potential solutions. Based on your budget and the circumstances you disclose we will use an algorithm to determine all of the debt solutions you are eligible for and the solution we recommend as being best for you.
Providing useful information. We will analyse your banking transactions to identify and provide you with useful advice and information on how you can stay on top of your finances and solutions, which may enable you to take control of your debt.
Tailored communications. We want to make sure we’re only sending you emails that are relevant to you, and so we will use your personal information to determine which content you may be more interested in receiving.

You have the right not to be subject to a decision based solely on automated processing, including profiling. We understand that not everyone is comfortable with decisions being left entirely up to machines. If you have any questions about automated decision making, please contact us at the details listed in section 12 below.

9. Do we use cookies?

Yes. Please see our Cookie Policy here.

10. What are your rights?

You are able to:

request access to your data from us;
ask us to correct the data that we hold on you if it’s incorrect;
object to the use of your data by us;
restrict the use of your data by us;
ask us to erase the data we hold on you;
have your data transferred to you or another third party; and
withdraw your consent regarding processing where we have obtained your consent.

If you wish to exercise any of your rights, please contact us at the details listed in section 12 below.

11. Changes to this Privacy Policy

We may change any of the terms in this Privacy Policy at any time. The updated privacy policy will be posted on this webpage and, where we decide it is appropriate, notified to you by email. However, there may be instances where we don’t email you about a change if, for example, we feel that the changes are minor. So please regularly check this webpage to see any updates or changes to our privacy policy.

12. Contact us

You can contact us at any time if you have any questions, complaints or requests regarding this Privacy Policy at [email protected], addressed to the Data Protection Officer.

13. Complaints to the ICO

We respect your rights and would like the chance to rectify any concerns you may have before you refer the matter to the ICO. However, you do have the right to inform the ICO if you feel we have breached our obligations under this Privacy Policy or if you believe we aren’t processing your information in accordance with data protection law – please see the ICO’s website for further information (available at: https://ico.org.uk/make-a-complaint/).