Privacy Policy

nimbl Limited is part of the Caxton Group.

Caxton Holding Company Limited through its subsidiaries including [but limited to] nimbl Limited and Caxton Payments is engaged in the design, development, sales, marketing, supply, operation and maintenance of: in the case of nimbl Limited, youth banking, payment and debit card issuing services; in the case of Caxton Payments Limited, payment collection, payment processing and Software as a Financial Services.

This notice explains to nimbl Users (“you/your”) how Caxton Group (“we/us”) use your personal information.

This privacy notice covers:

  • Why we use your personal information
  • The legal basis for processing
  • What personal information we use
  • How we use your personal information
  • Your rights under data protection legislation
  • Sharing personal information with third parties
  • How long we may keep your information
  • Changes to our privacy notice
  • Contact details for our Data Protection Officer

Why we use your personal information

nimbl® is an electronic money product issued by PrePay Technologies Ltd under licence from Mastercard® International Incorporated.  PrePay Technologies Ltd is regulated by the Financial Conduct Authority (FRN 900010).  We are therefore obliged to comply with a number of legal requirements.

We process your personal data for the following purposes:

  • to provide you with the service activated and registered for
  • the verification of your identity where required
  • for the prevention and detection of crime, fraud and anti-money laundering
  • for the ongoing administration of the service
  • to allow us to improve the products and services we offer to our customers
  • to ask for your opinion about our products
  • for research and statistical analysis including payment and usage patterns
    • We only use the data in an anonymized manner when we use your data for this purpose.
  • to enable us to comply with our legal and regulatory obligations
  • where you give us permission, we may use your contact information to provide you with information about Group Products and Services which we feel may interest you, but only to the extent that would be reasonably expected..

If we plan to introduce further purposes for the use of your information, we will provide information about that purpose prior to such processing.

We will never share your personal data with third parties for marketing without your consent.  If you have opted to receive marketing communications, you can opt-out at any time from your Account Profile within the Portal or App or by e-mailing us at [email protected].

The legal basis for processing

Under Data Protection Law, our legal basis for the processing is based on:
Processing is necessary for the performance of a contract

What personal information we process

In order to carry out these services, we obtain and process the following information:

Data Subject (Who) Data Category (What) Description
Parent \ Guardian Name Required for us to validate your identity for anti-money laundering purposes and to verify that you are not listed on any Politically Exposed Persons or Global Sanctions list
Parent \ Guardian Address
Parent \ Guardian Date of birth
Parent \ Guardian Gender
Parent \ Guardian Mobile telephone number To verify access to your account in the event that you need to contact our customer services team.  Your mobile telephone number may also be used to contact you directly in the event we detect suspicious or potentially fraudulent activity on your account.
Parent \ Guardian Email address Used as part of your credentials to access the nimbl® services.  Your email address is also checked against known fraudulent email addresses as part of our anti-fraud measures. Your email address is also used to send you receipts, invoices and other communications.
Parent \ Guardian Photograph Photograph is not required, however if you wish you can personalise your nimbl® account with a profile photograph
Parent \ Guardian Debit card details. Used to take payment for our services in line with our terms and conditions. Your debit card details are also used to allow you to add funds to your nimbl® account.
Parent \ Guardian IP address, cookies and browser agent details. Recorded as part of our use of analytics tools on our websites and applications.  Your IP address is also used as part of our anti-fraud measures
Parent \ Guardian Identity Verification Documents where applicable Used as part of our security and anti-fraud measures
Parent \ Guardian Helpdesk call recordings and support correspondence Used for quality, training and security purposes when you make contact with our customer services team.
Parent \ Guardian Web Analytics Generalised information about browsing behaviour and page statistics
Child names Your children’s names and date of birth are required to personalise their nimbl® cards and to verify that they meet our minimum age requirements.
Child date of birth
Child gender Your children’s gender is required so that we can personalise our service to you and your children, we also perform statistical analysis of gender data that we hold
Child mobile telephone number Your children’s mobile telephone number is not required, however if supplied we use it to help verify access to your children’s account in the event that they need to contact our customer services team
Child email address Your children’s email address is not required, however if you wish to allow your children to access their own account then it is used as part of their credentials to access the nimbl® services.
Child photograph Your children’s photograph is not required, however if you wish you can personalise yours and their nimbl® account with the addition of a profile photograph

How we process your personal information

Your personal data is processed in our head office (nimbl Limited, 2 Leman Street, London, E18FA, UK) located in the UK. Hosting and storage of your data takes place in our data centres which are located in the UK.

We use your personal information, and some of our employees have access to such information, only to the extent required to carry out the services for you.

We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity and availability of your personal information during storage, processing and transit.

The nimbl® product only processes your personal information in the UK.

Some of our supporting services (for example ZenDesk), might use cloud platforms that operate from countries outside of the EEA. Where this is the case, we ensure that adequate safeguards are established to protect your data.

Use of Cookies

Our Website, Portal and App places cookies, which are small data files, on your computer or mobile device. This is a common practice for most websites.  Cookies help us provide you with a good experience when you browse our site and also allow us to improve our site. Cookies cannot be used to identify you personally.  When using our website, we will only use strictly necessary cookies unless you explicitly consent to the use of other optional cookies.

Please note that it is also possible to disable cookies being stored on your computer by changing your browser settings, however our Website, Portal and App may not function properly, and/or some features may not be available to you in that case.  To read more about cookies and how to disable them see Wikipedia.org or www.aboutcookies.org.

 

Email communications

Caxton purchased nimbl from ParentPay in May 2023 and not all marketing preference data was able to be transferred. A property titled ‘opted out of all email’ has been included in the data transfer and email addresses including this property will never be emailed, except for legally required service emails.

In order to offer choice of cadence and content, three previously existing marketing preference categories will be superseded with two,  for ‘Back to School’ and ‘Financial Education’. Recipients will be able to unsubscribe from selected or all marketing communications from the link in the email or via the web login. Customers are also able to choose notification preferences via the web login to receive transaction notification emails. From time to time, we will be required to send service messaging, including but not limited to updates to Privacy Policies or Pricing, to all customers which cannot be unsubscribed from.

 

Sharing personal information with third parties

We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, operating in accordance with our specific instructions and limitations, and in full compliance with Data Protection Law.

These service providers include:

  • PrePay Technologies Ltd t/a PrePay Solutions (“PPS”) – for the processing of nimbl accounts and MasterCard Scheme transactions
  • Gemalto (Thales) – for the secure production of nimbl debit cards
  • W2 Global Data for ID verification and related fraud protection services
  • Payment Processors – to securely process your card payments (we do not see, or store payment card details)
  • Hosting Providers – to manage our secure enterprise datacentres
  • Security Providers – to protect our systems from attack
  • Email Providers – to send out our email notifications
  • Telephony Providers – we might record calls for training, quality and security purposes
  • Support Portal (ZenDesk) – so that you can easily ask for help
  • Trustpilot – so that we can ask for your opinion about our products
  • Survey Monkey – so that we can ask for your opinion about our products
  • TrackJS – to help us manage anonymous error tracking from within the nimbl web application code
  • Microsoft (AppCenter) – to help us manage anonymous error tracking and analytics from within the nimbl mobile application code
  • Apple – for our push-message notifications (iPhone users).
  • Google – for anonymous web analytics (with your consent), and push-message notifications (Android users).
  • Hubspot – to deliver service emails and marketing campaigns

If we need to change or add additional third parties, we will always update our Privacy Notice accordingly.

We will only disclose your information to other parties in the following limited circumstances:

  • where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities
  • where there is a duty to disclose in the public interest
  • where disclosure is necessary to protect our interest e.g. to prevent or detect crime and fraud
  • where you give us permission to do so e.g. by providing consent within the Group Products and Services or via an online application or consent form

We will never share your personal data with third parties for marketing without your consent.  If you have opted to receive marketing communications, you can opt-out at any time from your Account Profile within the Portal or App, from unsubscribe links provided in any marketing messages, or by e-mailing us at [email protected]

How long we may keep your personal information

We will only retain information for as long as is necessary to deliver the service safely and securely. As an electronic money product, we need to retain some records to maintain compliance with applicable legislation – for example finance, taxation, fraud and money laundering law requires certain records to be retained for an extended duration, usually seven years. After this period, your personal data will be irreversibly destroyed.

If you only partially complete the sign-up process, we may get in touch with you to ask about any problems with the sign-up process. If we can’t reach you, or if you aren’t interested in the product, we automatically remove your information after 90 days.

Your rights under Data Protection Law

Right to Access

You have the right of access to your personal information that we process and details about that processing.
You can usually access that information directly within the product (self-service). However, should this not be possible, you can raise a Data Subject Access Request (DSAR) to receive this information in another format.

Right to Rectification

You have the right to request that information is corrected if it’s inaccurate.  You can usually update your own information using the product (self-service). However, should this not be possible, you can contact us to make the changes on your behalf.

Right to Erasure (Right to be Forgotten)

You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request.

Right to Object

You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request.

Right to Restriction of Processing

You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request.

Right to Data Portability

You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine readable format suitable for transferring to another controller.

Right to lodge a complaint with a supervisory authority

If you think we have infringed your privacy rights, you can lodge a complaint with the relevant supervisory authority. You can lodge your complaint in the country where you live, your place of work or place where you believe we infringed your right(s).

You can exercise your rights by sending an e-mail to [email protected]. Please state clearly in the subject that your request concerns a privacy matter and provide a clear description of your requirements.

Note: We may need to request additional information to verify your identity before we action your request.

Changes to our Privacy Notice

This policy will be reviewed regularly and updated versions will be posted on our websites.

Contact details for our Data Protection Officer

We have appointed a Data Protection Officer (DPO); their contact details are as follows:

[email protected]

or

Data Protection Officer
nimbl Limited
2 Leman Street
London, E18FA, UK.

Personal Data held and used by PPS

Who is Prepay Solutions and how do they protect my personal data?

Prepay Technologies Ltd, trading as PrePay Solutions, (“PPS”) is a company registered in England and Wales with number 04008083 and a registered office at 6th Floor, 3 Sheldon Square, Paddington, London, W2 6HY, United KingdomYou can email PPS at [email protected] or you can call PPS on 0845 303 5303 (+44 845 303 5303 from outside the UK).

PPS is a separate Data Controller in relation to your Card and all necessary activities relating to the operation of the Card: allowing you to receive, activate and use your Card (activating, managing and using your online account where applicable, making and receiving payment transactions, meeting legal requirements, answering requests, providing information to you).

PPS’ Data Protection Officer can be contacted at PO Box 3883, Swindon SN3 9EA or at [email protected].

Why does PPS handle my personal data?

Processing is necessary for the performance of your contract for the issue and operation of Cards and is necessary for compliance with legal obligations applicable to PPS. PPS does not use your personal information for marketing purposes and will not share your information with third parties for marketing purposes.

What personal data does PPS process?
Type of personal information Description
Personal Details Full name and date of birth
Contact Details Where you live and how to contact you including phone numbers and e-mail addresses
Transactional and Card Data Details about your Card, use of your Card and payments to and from your accounts
Documentary Data Details about you that are stored in documents in various formats, or copies of them. This could include things like your passport, drivers licence or birth certificate collected to fulfil customer due diligence requirements.

Personal information will only be collected directly and voluntarily from you as part of the application process, or, as a result of transactions relating to your Cards. Some personal information may be verified by PPS with use of publically accessible sources to fulfil customer due diligence.

Sending personal information outside of the EEA

PPS will only send your personal information outside of the European Economic Area (EEA) to:

  • Follow your instructions
  • Comply with a legal duty

In relation to personal information processed by Mastercard certain processors are located outside of Europe. Personal information processed by Mastercard is subject to Mastercard Binding Corporate Rules which you have enforcement rights under as a third-party beneficiary.

Does PPS send my personal data to any third parties?

PPS is committed to ensuring that your information is secure with us and with third parties who act on our behalf. These third parties include MasterCard, card manufacturers, suppliers of identity validation services, IVR and call recording (telephone) suppliers and to nimbl. PPS uses many tools to make sure that your information remains confidential and accurate.

How long does PPS hold my personal data?

PPS does not keep your information for longer than we need to, which is usually up to 7 years after termination of your contract unless we/they are required to keep it longer (for example due to a court order or investigation by law enforcement agencies or regulators).

What are my rights?

You have the same rights as apply to personal data controlled by nimbl. To exercise any of your legal rights, you can email PPS at [email protected] or you can write to PPS DPO at PO Box 3883, Swindon SN3 9EA.

Your right to lodge a complaint

If you wish to raise a complaint on how PPS has handled your personal information, you can contact PPS’ Data Protection Officer and if PPS fails to address your complaint you can contact the Information Commissioner’s Office (https://ico.org.uk/).