nimbl Limited is part of the Caxton Group.
Caxton Holding Company Limited through its subsidiaries including [but limited to] nimbl Limited and Caxton Payments is engaged in the design, development, sales, marketing, supply, operation and maintenance of: in the case of nimbl Limited, youth banking, payment and debit card issuing services; in the case of Caxton Payments Limited, payment collection, payment processing and Software as a Financial Services.
This notice explains to nimbl Users (“you/your”) how Caxton Group (“we/us”) use your personal information.
nimbl® is an electronic money product issued by PrePay Technologies Ltd under licence from Mastercard® International Incorporated. PrePay Technologies Ltd is regulated by the Financial Conduct Authority (FRN 900010). We are therefore obliged to comply with a number of legal requirements.
We process your personal data for the following purposes:
If we plan to introduce further purposes for the use of your information, we will provide information about that purpose prior to such processing.
We will never share your personal data with third parties for marketing without your consent. If you have opted to receive marketing communications, you can opt-out at any time from your Account Profile within the Portal or App or by e-mailing us at [email protected].
Under Data Protection Law, our legal basis for the processing is based on:
‘Processing is necessary for the performance of a contract’
In order to carry out these services, we obtain and process the following information:
| Data Subject (Who) | Data Category (What) | Description |
| Parent \ Guardian | Name | Required for us to validate your identity for anti-money laundering purposes and to verify that you are not listed on any Politically Exposed Persons or Global Sanctions list |
| Parent \ Guardian | Address | |
| Parent \ Guardian | Date of birth | |
| Parent \ Guardian | Gender | |
| Parent \ Guardian | Mobile telephone number | To verify access to your account in the event that you need to contact our customer services team. Your mobile telephone number may also be used to contact you directly in the event we detect suspicious or potentially fraudulent activity on your account. |
| Parent \ Guardian | Email address | Used as part of your credentials to access the nimbl® services. Your email address is also checked against known fraudulent email addresses as part of our anti-fraud measures. Your email address is also used to send you receipts, invoices and other communications. |
| Parent \ Guardian | Photograph | Photograph is not required, however if you wish you can personalise your nimbl® account with a profile photograph |
| Parent \ Guardian | Debit card details. | Used to take payment for our services in line with our terms and conditions. Your debit card details are also used to allow you to add funds to your nimbl® account. |
| Parent \ Guardian | IP address, cookies and browser agent details. | Recorded as part of our use of analytics tools on our websites and applications. Your IP address is also used as part of our anti-fraud measures |
| Parent \ Guardian | Identity Verification Documents where applicable | Used as part of our security and anti-fraud measures |
| Parent \ Guardian | Helpdesk call recordings and support correspondence | Used for quality, training and security purposes when you make contact with our customer services team. |
| Parent \ Guardian | Web Analytics | Generalised information about browsing behaviour and page statistics |
| Child | names | Your children’s names and date of birth are required to personalise their nimbl® cards and to verify that they meet our minimum age requirements. |
| Child | date of birth | |
| Child | gender | Your children’s gender is required so that we can personalise our service to you and your children, we also perform statistical analysis of gender data that we hold |
| Child | mobile telephone number | Your children’s mobile telephone number is not required, however if supplied we use it to help verify access to your children’s account in the event that they need to contact our customer services team |
| Child | email address | Your children’s email address is not required, however if you wish to allow your children to access their own account then it is used as part of their credentials to access the nimbl® services. |
| Child | photograph | Your children’s photograph is not required, however if you wish you can personalise yours and their nimbl® account with the addition of a profile photograph |
Your personal data is processed in our head office (nimbl Limited, 2 Leman Street, London, E18FA, UK) located in the UK. Hosting and storage of your data takes place in our data centres which are located in the UK.
We use your personal information, and some of our employees have access to such information, only to the extent required to carry out the services for you.
We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity and availability of your personal information during storage, processing and transit.
The nimbl® product only processes your personal information in the UK.
Some of our supporting services (for example ZenDesk), might use cloud platforms that operate from countries outside of the EEA. Where this is the case, we ensure that adequate safeguards are established to protect your data.
Our Website, Portal and App places cookies, which are small data files, on your computer or mobile device. This is a common practice for most websites. Cookies help us provide you with a good experience when you browse our site and also allow us to improve our site. Cookies cannot be used to identify you personally. When using our website, we will only use strictly necessary cookies unless you explicitly consent to the use of other optional cookies.
Please note that it is also possible to disable cookies being stored on your computer by changing your browser settings, however our Website, Portal and App may not function properly, and/or some features may not be available to you in that case. To read more about cookies and how to disable them see Wikipedia.org or www.aboutcookies.org.
Caxton purchased nimbl from ParentPay in May 2023 and not all marketing preference data was able to be transferred. A property titled ‘opted out of all email’ has been included in the data transfer and email addresses including this property will never be emailed, except for legally required service emails.
In order to offer choice of cadence and content, three previously existing marketing preference categories will be superseded with two, for ‘Back to School’ and ‘Financial Education’. Recipients will be able to unsubscribe from selected or all marketing communications from the link in the email or via the web login. Customers are also able to choose notification preferences via the web login to receive transaction notification emails. From time to time, we will be required to send service messaging, including but not limited to updates to Privacy Policies or Pricing, to all customers which cannot be unsubscribed from.
We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, operating in accordance with our specific instructions and limitations, and in full compliance with Data Protection Law.
These service providers include:
If we need to change or add additional third parties, we will always update our Privacy Notice accordingly.
We will only disclose your information to other parties in the following limited circumstances:
We will never share your personal data with third parties for marketing without your consent. If you have opted to receive marketing communications, you can opt-out at any time from your Account Profile within the Portal or App, from unsubscribe links provided in any marketing messages, or by e-mailing us at [email protected]
We will only retain information for as long as is necessary to deliver the service safely and securely. As an electronic money product, we need to retain some records to maintain compliance with applicable legislation – for example finance, taxation, fraud and money laundering law requires certain records to be retained for an extended duration, usually seven years. After this period, your personal data will be irreversibly destroyed.
If you only partially complete the sign-up process, we may get in touch with you to ask about any problems with the sign-up process. If we can’t reach you, or if you aren’t interested in the product, we automatically remove your information after 90 days.
You have the right of access to your personal information that we process and details about that processing.
You can usually access that information directly within the product (self-service). However, should this not be possible, you can raise a Data Subject Access Request (DSAR) to receive this information in another format.
You have the right to request that information is corrected if it’s inaccurate. You can usually update your own information using the product (self-service). However, should this not be possible, you can contact us to make the changes on your behalf.
You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request.
You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request.
You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request.
You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine readable format suitable for transferring to another controller.
If you think we have infringed your privacy rights, you can lodge a complaint with the relevant supervisory authority. You can lodge your complaint in the country where you live, your place of work or place where you believe we infringed your right(s).
You can exercise your rights by sending an e-mail to [email protected]. Please state clearly in the subject that your request concerns a privacy matter and provide a clear description of your requirements.
Note: We may need to request additional information to verify your identity before we action your request.
This policy will be reviewed regularly and updated versions will be posted on our websites.
We have appointed a Data Protection Officer (DPO); their contact details are as follows:
or
Data Protection Officer
nimbl Limited
2 Leman Street
London, E18FA, UK.
Who is Prepay Solutions and how do they protect my personal data?
Prepay Technologies Ltd, trading as PrePay Solutions, (“PPS”) is a company registered in England and Wales with number 04008083 and a registered office at 6th Floor, 3 Sheldon Square, Paddington, London, W2 6HY, United Kingdom. You can email PPS at [email protected] or you can call PPS on 0845 303 5303 (+44 845 303 5303 from outside the UK).
PPS is a separate Data Controller in relation to your Card and all necessary activities relating to the operation of the Card: allowing you to receive, activate and use your Card (activating, managing and using your online account where applicable, making and receiving payment transactions, meeting legal requirements, answering requests, providing information to you).
PPS’ Data Protection Officer can be contacted at PO Box 3883, Swindon SN3 9EA or at [email protected].
Why does PPS handle my personal data?
Processing is necessary for the performance of your contract for the issue and operation of Cards and is necessary for compliance with legal obligations applicable to PPS. PPS does not use your personal information for marketing purposes and will not share your information with third parties for marketing purposes.
| Type of personal information | Description |
| Personal Details | Full name and date of birth |
| Contact Details | Where you live and how to contact you including phone numbers and e-mail addresses |
| Transactional and Card Data | Details about your Card, use of your Card and payments to and from your accounts |
| Documentary Data | Details about you that are stored in documents in various formats, or copies of them. This could include things like your passport, drivers licence or birth certificate collected to fulfil customer due diligence requirements. |
Personal information will only be collected directly and voluntarily from you as part of the application process, or, as a result of transactions relating to your Cards. Some personal information may be verified by PPS with use of publically accessible sources to fulfil customer due diligence.
PPS will only send your personal information outside of the European Economic Area (EEA) to:
In relation to personal information processed by Mastercard certain processors are located outside of Europe. Personal information processed by Mastercard is subject to Mastercard Binding Corporate Rules which you have enforcement rights under as a third-party beneficiary.
Does PPS send my personal data to any third parties?
PPS is committed to ensuring that your information is secure with us and with third parties who act on our behalf. These third parties include MasterCard, card manufacturers, suppliers of identity validation services, IVR and call recording (telephone) suppliers and to nimbl. PPS uses many tools to make sure that your information remains confidential and accurate.
How long does PPS hold my personal data?
PPS does not keep your information for longer than we need to, which is usually up to 7 years after termination of your contract unless we/they are required to keep it longer (for example due to a court order or investigation by law enforcement agencies or regulators).
You have the same rights as apply to personal data controlled by nimbl. To exercise any of your legal rights, you can email PPS at [email protected] or you can write to PPS DPO at PO Box 3883, Swindon SN3 9EA.
If you wish to raise a complaint on how PPS has handled your personal information, you can contact PPS’ Data Protection Officer and if PPS fails to address your complaint you can contact the Information Commissioner’s Office (https://ico.org.uk/).