Tully Privacy Policy

Welcome to Tully’s privacy policy.  This document sets out everything you need to know about what type of data we hold on you, why we have it and how we use it.  When we say “we”, “Tully”, “us” or “ours” we are talking about Tully, a trading name of Fair Way Forward Limited, a company incorporated and registered in England and Wales with company number 11308960 whose registered office is at 1 Hammersmith Broadway, London, W6 9DL.  When we say “you” or “yours” we are talking about you, our customer or potential customer.

We are the data controller of your information; our data controller registration number is ZA100119. You can check our registration details with the Information Commissioner’s Office (ICO) at https://www.ico.org.uk/esdwebpages/search.

1. What information do we collect about you?

    We may collect the following types of data about you:

    • Your name & dob
    • Your address
    • Your contact details
    • Your credit report
    • Your bank statement data
    • Technical information about how you use our website/apps
    • Answers to any questions we ask you directly in order to provide our services to you

    We get this information from you, your mobile phone, cookies, your bank, credit reference agencies or other third parties such as our partners, service providers, advertising networks, analytics providers, search information providers and social media.

    We may also record or monitor telephone conversations or other communications between you and us, which is another source of how we get data about you.

    2. How do we use that information?

    We use this information to provide you with our services, to improve our services to you, to administer your account and communicate with you.  We also use anonymised information collected from all of our customers for research, profiling and analytical purposes.

    The table below details exactly how we use the different types of data fields we collect and which lawful basis we rely on (see section 4 below for more details).
     

     
    UseWhich data fields?Authorisations needed / legal basis relied on
    Share your data with creditors in order to negotiate payment plans on your behalfYour name & dob
    Your address
    Your contact details
    Your budget
    Your debts
    Your proposed repayment
    Consent
    Send you product recommendations from third parties using your contact detailsYour name
    Your contact details
    Consent
    Share your details with credit reference agencies to obtain information from your credit reportYour name and DOB
    Your address
    Performance of a contract (cannot be opted out of)
    Share your data with Modulr if you choose to open a Modulr account as part of entering a repayment planYour name
    Your contact details
    Consent
    Share your data with OpenWrks (Bizfitech) if you choose to use OpenWrks to securely share your financial information with us as part of building your budgetYour name
    Your contact details
    Consent
    Share your data with Debt Solution Providers if you choose to be referred for a formal debt solutionYour name & dob
    Your address
    Your contact details
    Your credit report
    Your bank statement data
    Technical information about how you use our website/apps


    Performance of a contract (cannot be opted out of)

    Storing your data on Tully’s systems to manage your Tully account including calculating your budgetYour name & dob
    Your address
    Your contact details
    Your credit report
    Your bank statement data
    Technical information about how you use our website/apps
    Answers to any questions we ask you directly in order to provide our services to you
    Performance of a contract (cannot be opted out of)
    Send you content communications such as tips, research, features and news, coaching programmes on how to keep on top of their money and other related contentYour name
    Your contact details
    Legitimate interests and soft-opt in rule (meaning they have the chance to opt-out)
    Send you core communications such as their budget report, alerts whenever there is a change in their finance report, significant changes which may impact Tully’s service and other such related contentYour name
    Your contact details
    Telephone number
    Performance of a contract (cannot be opted out of)
    Use anonymised data to improve our servicesNo personal dataN/a because not personal data

       

    3. Who may we share your information with?

    We may share your data with other members of our group and with other third parties, such as our service providers, advertisers, credit reference agencies and fraud prevention agencies. This is to enable us to provide you with the products, services and information you request. As such, your data may be shared with the third parties listed below. These third parties act on our instructions and are processors of your information.
     

     
    ProcessorsActivities
    Credit reference agencies such as Callcredit, Equifax & Experian (the CRAs)As part of our services we need to obtain credit information about you and as such we will need to ask the CRAs to provide us with this data. The CRAs will:

    • search their systems using your name, address and date of birth to retrieve information for us;
    • send us your credit information via a secure data transfer known as SOAP API where they match you to their database; and
    • record the request for information we made on your behalf. This will only be visible to you if you obtain credit report and will be classed as an Unregistered Enquiry. This means that the search will not be visible to any other companies who carry out a credit search on you and will not affect your credit score in any way.
    Fraud prevention agencies such as CIFAS (UK’s Fraud Prevention Service), Crimestoppers and ActionFraud (the FPAs)In certain circumstances we may be required to provide your data to the FPAs to ensure you are not involved in fraudulent activities. The FPAs will use your data by:

    • running a search against your name, address and date of birth to retrieve information for us;
    • make your information available to us either through their secure system which we will log onto or passing data securely to us with your credit information via the CRA; and
    • record any notes we make about actual or potential instances of fraud that we see and make these available to their other members for the purposes of helping to prevent fraud.
    Blenheim Chalcot LTF Limited (BC)BC provide us with ad hoc legal, tax and finance advice. There may be instances where we share your data with BC to enable them to provide their services to us. BC will only use your data as instructed by us.
    L&ZL&Z enable you to set up a direct debit to make repayments into your Modulr payment account
    IntercomIntercom provides the technology to enable and store our non-voice consumer communications (web chat, email etc)
    VIAVIA provides the technology to enable and store our voice based consumer communications
    Cloud Based ServicesAssociated technologies and cloud based services required to provide Tully services. All data is processed securely, encrypted in transmission and at rest.

     

    We may share information about you with third parties that will be joint data controllers of your information. As such, we encourage you to read their respective privacy policies as these will apply. These third parties are: 

     

    Third party acting as data controllerActivities
    Business Finance Technology Group Limited t/a OpenWrksOpenWrks enables you to share your financial information with us securely and directly from your bank account so we can understand your income and expenditure as part of building your Tully budget without you having to manually upload your bank statements.
    Modulr Finance LimitedModulr enables you to open a payment account which enables us to collect a single payment from you and in turn make payments to your creditors on your behalf to make sure you are in control of your repayments.
    Christians Against PovertyFree consumer debt charity focused on assisting cases of extreme financial hardship
    Johnson GeddesInsolvency Practitioner with the capability to set up Individual Voluntary Arrangements (IVAs).
    Grant ThorntonInsolvency Practitioner with the capability to set up Protected Trust Deeds.
    Financial Conduct Authority (the FCA)The FCA may, as our regulator, require us to share information with them and this information may include your data.
    CreditorsCreditors will need to identify you and review your budget and in order to justify halting interest and fees in exchange of the set-up of a flexible payment arrangement.

      

    In the majority of the above cases we will obtain your consent before sharing your data with these third parties who also act as data controllers. There may, however, be instances where we are required to share your data, but we will not obtain your consent beforehand (i.e. when required by the FCA).

     

    4. What is the legal basis for processing your information?
     

    As you will see from the table in section 2 above, we rely on three (3) different lawful bases for processing your data. These are:

    1. Performance of a contract – we rely on this basis when we need to fulfil our obligations in our customer terms and conditions.
    2. Consent – we rely on this basis when we need your permission to pass on your details to a third party where you will need to sign up to that third party’s terms and conditions after selecting a certain product or service on our website or app.
    3. Legitimate interests – we rely on this basis when we process your personal data for the purposes of our legitimate interests or for the legitimate interests of our product providers or other suppliers, provided that such processing does not outweigh your rights and freedoms. A few examples of when we may rely on this basis are when we need to:
      1. display or notify you of tailored product offers for you or recommended payment plans;
      2. provide you with our service, including quality control and analysis;
      3. protect you and us from fraud or other threats;
      4. comply with laws that apply to us;
      5. conduct analysis, segmentation and profiling of your data in order to provide you with direct marketing communications; and/or
      6. improve our service and manage our customer relationships.

    The above list is not exhaustive. Where we rely on legitimate interests, you have the right to object at any time by contacting us at the details listed in section 12 below.

     

    5. Direct marketing and how you can change your preference  

    We may reach out to you directly by email, phone or post for the following purposes:

    (A) Product recommendations from third parties – we’ll get in touch with personalised, timely product recommendations from our third party partners that can help you improve your financial situation. We will only ever send these if you explicitly consent to receiving them and you can unsubscribe whenever you like either by clicking on the unsubscribe button on the email or by telling us (see section 12 below).

    (B) Product recommendations from us – we’ll get in touch with news about our products and services if we feel they will be of interest to you. Where such products or services are similar to what you’ve already purchased on our platform, we rely on the legitimate interests’ legal basis of our need to grow our business. Otherwise we will only send these communications to you if you have provided your explicit consent. Either way, you can always unsubscribe whenever you like by clicking the unsubscribe button on the email of by telling us (see section 12 below).

    (C) Content communications – we’ll send you content such as tips, research, features and news, coaching programmes on how to keep on top of your money and other related content. We rely on the legitimate interests’ legal basis of the need to provide you with information about financial planning matters so that you can keep on top of your repayments and financial affairs. You can unsubscribe from these communications at any time.

    (D) Core communications – we’ll send you key information about our product and services including alerts when a creditor accepts a payment plan we have put forward for you or when a creditor suggests a payment plan to you, when there are changes to your credit information, security announcements regarding the Tully platform and your account and significant changes which may impact our service and other related content. These communications are core to the delivery of our services and cannot be opted-out of.

     
    6. How do we protect your information?

    We protect your information by adhering to internationally recognised Information Security best practices and standards.
    We take the security of your data very seriously and use strict procedures to protect it. Whenever we transfer personal data outside of the UK/ European Economic Area, we ensure that appropriate safeguards are in place to protect the data.
    All information you provide to us is stored in UK data centres which provide secure cloud infrastructure that are designed by Information Security professionals. We adhere to best practices which among many include defence in depth, security by design, least privilege principles and providing both physical and logical access controls.
    We do our best to protect your personal data, but we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, loss or damage.
    Where possible, we try to only process your information within the UK and European Economic Area (EEA). If we or our service providers transfer personal data outside of the UK or EEA, we always require that appropriate safeguards are in place to protect the information when it is processed.

     
    7. How long do we keep your information for? 

    We keep your information for as long as you have an account on the Tully platform. All of your personal data will be removed within six (6) months of you terminating your Tully account. After which point we will only retain anonymised data which cannot identify you and is aggregated with anonymised data of other users. We use this aggregated anonymised data for data analysis, profiling and research purposes. We may also keep your email address to ensure that you no longer receive any communications from us and your name, date of birth and latest address for fraud prevention purposes and for the exercise or defence of a legal claim.

    8. Do we use Automated Decision Making? 

    Yes. We use an automated decision making system to make automated decisions based on personal information we have about you. This helps us to make sure our decisions are quick and fair, based on what we know.

    • Identity verification. We use an automated decision making system to verify the details you provide against those held by third party providers. If you do not pass the check using the automated system, we cannot provide our services to you without being able to verify your identity.
    • Building your budget. We use the financial information you share with us to build your budget and identify what you can afford to pay;
    • Presenting potential solutions. To identify debt solutions you may be eligible for based on your unique circumstances and present these to you;
    • Providing useful information. To provide you with useful advice and information on how you can stay on top of your finances and solutions which may enable you to take control of your debt.
    • Tailored communications. We want to make sure we’re only sending you emails that are relevant to you, and so we will use your personal information to determine which content you may be more interested in receiving.

     You have the right not to be subject to a decision based solely on automated processing, including profiling. We understand that not everyone is comfortable with decisions being left entirely up to machines. If you have any questions about automated decision making, please contact us at the details listed in section 12 below.
     

    9. Do we use cookies?

    Yes. Please see our Cookie Policy here.
     

    10. What are your rights?
     

    You are able to:

    (A) request access to your data from us;

    (B) ask us to correct the data that we hold on you if it’s incorrect;

    (C) object to the use of your data by us;

    (D) restrict the use of your data by us;

    (E) ask us to erase the data we hold on you;

    (F) have your data transferred to you or another third party; and

    (G) withdraw your consent regarding processing where we have obtained your consent.

    If you wish to exercise any of your rights, please contact us at the details listed in section 12 below.

     

    11. Changes to this Privacy Policy

    We may change any of the terms in this Privacy Policy at any time. The updated privacy policy will be posted on this webpage and, where we decide it is appropriate, notified to you by email. However, there may be instances where we don’t email you about a change if, for example, we feel that the changes are minor. So please regularly check this webpage to see any updates or changes to our privacy policy.

     

    12. Contact us 

    You can contact us at any time if you have any questions, complaints or requests regarding this Privacy Policy at [email protected].

    13. Complaints to the ICO

    You have the right to inform the ICO if you feel we have breached our obligations under this Privacy Policy or if you believe we aren’t processing your information in accordance with data protection law – please see the ICO’s website for further information (available at: https://ico.org.uk/make-a-complaint/). However, we respect your rights and would like the chance to rectify any concerns you may have before you refer the matter to the ICO.