Privacy Notice for nimbl Users | nimbl
Trustpilot

Privacy Notice for nimbl Users

nimbl Limited is part of the ParentPay Group.

ParentPay (Holdings) Limited through its subsidiaries nimbl Limited, ParentPay Limited, Cypad Limited and Just Education Limited (together “ParentPay Group”) is engaged in the design, development, sales, marketing, supply, operation and maintenance of: in the case of nimbl Limited, youth banking, payment and debit card issuing services; in the case of ParentPay Limited and Cypad Limited, payment collection, payment processing, school meal management, parent communication and management information systems and services for the education market; and, in the case of Just Education Limited, education recruitment services, (together the “Group Products and Services”).

This notice explains to nimbl Users ("you/your") how ParentPay Group ("we/us") use your personal information.

This privacy notice covers:

  • Why we use your personal information
  • The legal basis for processing
  • What personal information we use
  • How we use your personal information
  • Your rights under data protection legislation
  • Sharing personal information with third parties
  • How long we may keep your information
  • Changes to our privacy notice
  • Contact details for our Data Protection Officer

Why we use your personal information

nimbl® is an electronic money product issued by PrePay Technologies Ltd under licence from Mastercard® International Incorporated.  PrePay Technologies Ltd is regulated by the Financial Conduct Authority (FRN 900010).  We are therefore obliged to comply with a number of legal requirements.

We process your personal data for the following purposes:

  • to provide you with the service activated and registered for
  • the verification of your identity where required
  • for the prevention and detection of crime, fraud and anti-money laundering
  • for the ongoing administration of the service
  • to allow us to improve the products and services we offer to our customers
  • to ask for your opinion about our products
  • for research and statistical analysis including payment and usage patterns
    • We only use the data in an anonymized manner when we use your data for this purpose.
  • to enable us to comply with our legal and regulatory obligations
  • where you give us permission, we may use your contact information to provide you with information about Group Products and Services which we feel may interest you, but only to the extent that would be reasonably expected.

If we plan to introduce further purposes for the use of your information, we will provide information about that purpose prior to such processing.

We will never share your personal data with third parties for marketing without your consent.  If you have opted to receive marketing communications, you can opt-out at any time from your Account Profile within the Portal or App or by e-mailing us at help@nimbl.com.

The legal basis for processing

Under Data Protection Law, our legal basis for the processing is based on:
              ‘Processing is necessary for the performance of a contract

What personal information we process

In order to carry out these services, we obtain and process the following information:

Data Subject (Who)

Data Category (What)

Description

Parent \ Guardian

Name

Required for us to validate your identity for anti-money laundering purposes and to verify that you are not listed on any Politically Exposed Persons or Global Sanctions list

Parent \ Guardian

Address

Parent \ Guardian

Date of birth

Parent \ Guardian

Gender

Parent \ Guardian

Mobile telephone number

To verify access to your account in the event that you need to contact our customer services team.  Your mobile telephone number may also be used to contact you directly in the event we detect suspicious or potentially fraudulent activity on your account.

Parent \ Guardian

Email address

Used as part of your credentials to access the nimbl® services.  Your email address is also checked against known fraudulent email addresses as part of our anti-fraud measures. Your email address is also used to send you receipts, invoices and other communications.

Parent \ Guardian

Photograph

Photograph is not required, however if you wish you can personalise your nimbl® account with a profile photograph

Parent \ Guardian

Debit card details.

Used to take payment for our services in line with our terms and conditions. Your debit card details are also used to allow you to add funds to your nimbl® account.

Parent \ Guardian

IP address, cookies and browser agent details.

Recorded as part of our use of analytics tools on our websites and applications.  Your IP address is also used as part of our anti-fraud measures

Parent \ Guardian

Identity Verification Documents where applicable

Used as part of our security and anti-fraud measures

Parent \ Guardian

Helpdesk call recordings and support correspondence

Used for quality, training and security purposes when you make contact with our customer services team.

Parent \ Guardian

Web Analytics

Generalised information about browsing behaviour and page statistics

 

 

 

Child

names

Your children’s names and date of birth are required to personalise their nimbl® cards and to verify that they meet our minimum age requirements.

Child

date of birth

Child

gender

Your children’s gender is required so that we can personalise our service to you and your children, we also perform statistical analysis of gender data that we hold

Child

mobile telephone number

Your children’s mobile telephone number is not required, however if supplied we use it to help verify access to your children’s account in the event that they need to contact our customer services team

Child

email address

Your children’s email address is not required, however if you wish to allow your children to access their own account then it is used as part of their credentials to access the nimbl® services.

Child

photograph

Your children’s photograph is not required, however if you wish you can personalise yours and their nimbl® account with the addition of a profile photograph

 

How we process your personal information

Your personal data is processed in our head office (nimbl Ltd, Ricoh Arena, Phoenix Way, Coventry CV6 6GE) and our finance office (nimbl Ltd, The Exchange, Express Park, Bristol Road, Bridgewater, Somerset TA6 4RR) located in the UK. Hosting and storage of your data takes place in our data centres which are located in the UK.

We use your personal information, and some of our employees have access to such information, only to the extent required to carry out the services for you.

We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity and availability of your personal information during storage, processing and transit.

We operate an ISO27001 compliant security programme to help protect your data at all times.

The nimbl® product only processes your personal information in the UK.

Some of our supporting services (for example ZenDesk), might use cloud platforms that operate from countries outside of the EEA. Where this is the case, we ensure that adequate safeguards are established to protect your data.

Use of Cookies

Our Website, Portal and App places cookies, which are small data files, on your computer or mobile device. This is a common practice for most websites.  Cookies help us provide you with a good experience when you browse our site and also allow us to improve our site. Cookies cannot be used to identify you personally.  By using our Website, Portal and App you agree to our use of cookies.

Please note that it is possible to disable cookies being stored on your computer by changing your browser settings, however our Website, Portal and App may not function properly, and/or some features may not be available to you in that case.  To read more about cookies and how to disable them see Wikipedia.org or www.aboutcookies.org.

Sharing personal information with third parties

We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, operating in accordance with our specific instructions and limitations, and in full compliance with Data Protection Law.

These service providers include:

  • PrePay Technologies Ltd t/a PrePay Solutions (“PPS”) – for the processing of nimbl accounts and MasterCard Scheme transactions
  • Gemalto – for the secure production of nimbl debit cards
  • W2 Global Data and Capita Identity Solutions for ID verification and related fraud protection services
  • Payment Processors – to securely process your card payments (we do not see, or store payment card details)
  • Hosting Providers – to manage our secure enterprise datacentres
  • Security Providers – to protect our systems from attack
  • Email Providers – to send out our email notifications or messages sent by Customers using PPL Products and Services
  • Telephony Providers – we might record calls for training, quality and security purposes
  • Support Portal (ZenDesk) – so that you can easily ask for help
  • Trustpilot – so that we can ask for your opinion about our products

If we need to change or add additional third parties, we will always update our Privacy Notice accordingly.

We will only disclose your information to other parties in the following limited circumstances

  • where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities
  • where there is a duty to disclose in the public interest
  • where disclosure is necessary to protect our interest e.g. to prevent or detect crime and fraud
  • where you give us permission to do so e.g. by providing consent within the Group Products and Services or via an online application or consent form

We will never share your personal data with third parties for marketing without your consent.  If you have opted to receive marketing communications, you can opt-out at any time from your Account Profile within the Portal or App or by e-mailing us at help@nimbl.com

How long we may keep your personal information

We will only retain information for as long as is necessary to deliver the service safely and securely. As an electronic money product, we need to retain some records to maintain compliance with applicable legislation – for example finance, taxation, fraud and money laundering law requires certain records to be retained for an extended duration, usually seven years. After this period, your personal data will be irreversibly destroyed.

If you only partially complete the sign-up process, we may get in touch with you to ask about any problems with the sign-up process. If we can’t reach you, or if you aren’t interested in the product, we automatically remove your information after 90 days.

Your rights under Data Protection Law

Right to Access

You have the right of access to your personal information that we process and details about that processing.
You can usually access that information directly within the product (self-service). However, should this not be possible, you can raise a Data Subject Access Request (DSAR) to receive this information in another format.

Right to Rectification

You have the right to request that information is corrected if it’s inaccurate.  You can usually update your own information using the product (self-service). However, should this not be possible, you can contact us to make the changes on your behalf.

Right to Erasure (Right to be Forgotten)

You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request.

Right to Object

You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request.

Right to Restriction of Processing

You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request.

Right to Data Portability

You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine readable format suitable for transferring to another controller.

Right to lodge a complaint with a supervisory authority

If you think we have infringed your privacy rights, you can lodge a complaint with the relevant supervisory authority. You can lodge your complaint in the country where you live, your place of work or place where you believe we infringed your right(s).

You can exercise your rights by sending an e-mail to dpo@nimbl.com. Please state clearly in the subject that your request concerns a privacy matter and provide a clear description of your requirements.

Note: We may need to request additional information to verify your identity before we action your request.

Changes to our Privacy Notice

This policy will be reviewed regularly and updated versions will be posted on our websites.

Contact details for our Data Protection Officer

We have appointed a Data Protection Officer (DPO); their contact details are as follows:

dpo@nimbl.com

or

Data Protection Officer
nimbl Limited
Ricoh Arena
Phoenix Way
Coventry
CV6 6GE

 

Personal Data held and used by PPS

Who is Prepay Solutions and how do they protect my personal data?

Prepay Technologies Ltd, trading as PrePay Solutions, (“PPS”) is a company registered in England and Wales with number 04008083 and a registered office at 6th Floor, 3 Sheldon Square, Paddington, London, W2 6HY, United Kingdom. You can email PPS at contact@prepaysolutions.com or you can call PPS on 0845 303 5303 (+44 845 303 5303 from outside the UK).

PPS is a separate Data Controller in relation to your Card and all necessary activities relating to the operation of the Card: allowing you to receive, activate and use your Card (activating, managing and using your online account where applicable, making and receiving payment transactions, meeting legal requirements, answering requests, providing information to you).

PPS’ Data Protection Officer can be contacted at PO Box 3883, Swindon SN3 9EA or at dpo@prepaysolutions.com.

Why does PPS handle my personal data?

Processing is necessary for the performance of your contract for the issue and operation of Cards and is necessary for compliance with legal obligations applicable to PPS. PPS does not use your personal information for marketing purposes and will not share your information with third parties for marketing purposes.

What personal data does PPS process?

Type of personal information

Description

Personal Details

Full name and date of birth

Contact Details

Where you live and how to contact you including phone numbers and e-mail addresses

Transactional and Card Data

Details about your Card, use of your Card and payments to and from your accounts

Documentary Data

Details about you that are stored in documents in various formats, or copies of them. This could include things like your passport, drivers licence or birth certificate collected to fulfil customer due diligence requirements.

Personal information will only be collected directly and voluntarily from you as part of the application process, or, as a result of transactions relating to your Cards. Some personal information may be verified by PPS with use of publically accessible sources to fulfil customer due diligence.

Sending personal information outside of the EEA
PPS will only send your personal information outside of the European Economic Area (EEA) to:
  • Follow your instructions
  • Comply with a legal duty

In relation to personal information processed by Mastercard certain processors are located outside of Europe. Personal information processed by Mastercard is subject to Mastercard Binding Corporate Rules which you have enforcement rights under as a third-party beneficiary.

Does PPS send my personal data to any third parties?

PPS is committed to ensuring that your information is secure with us and with third parties who act on our behalf. These third parties include MasterCard, card manufacturers, suppliers of identity validation services, IVR and call recording (telephone) suppliers and to nimbl. PPS uses many tools to make sure that your information remains confidential and accurate.

How long does PPS hold my personal data?

PPS does not keep your information for longer than we need to, which is usually up to 7 years after termination of your contract unless we/they are required to keep it longer (for example due to a court order or investigation by law enforcement agencies or regulators).

What are my rights?

You have the same rights as apply to personal data controlled by nimbl. To exercise any of your legal rights, you can email PPS at dpo@prepaysolutions.com or you can write to PPS DPO at PO Box 3883, Swindon SN3 9EA.

Your right to lodge a complaint

If you wish to raise a complaint on how PPS has handled your personal information, you can contact PPS’ Data Protection Officer and if PPS fails to address your complaint you can contact the Information Commissioner’s Office (https://ico.org.uk/).

Trustpilot

nimbl® is provided by nimbl ltd part of the ParentPay group of companies.  Registered office: 11 Kingsley Lodge, 13 New Cavendish Street, London, W1G 9UG.  Registration in England and Wales with number 09276538. Correspondence should be sent to: nimbl ltd, Ricoh Arena, Phoenix Way, Coventry, CV6 6GE.  nimbl® is issued by PrePay Technologies Ltd pursuant to license by Mastercard® International Incorporated.  nimbl® is an electronic money product.  PrePay Technologies Ltd is regulated by the Financial Conduct Authority (FRN 900010) for the issuance of electronic money. Mastercard® and the Mastercard® Brand Mark are registered trademarks of Mastercard® International Incorporated.