Last updated May 2022
This privacy notice aims to give you information on how Thistle Initiatives collects, uses, discloses, transfers, stores and processes your information when you use our services, including any data you may provide through your use of our services.
At Thistle Initiatives, we understand that your privacy is important. We respect and value the privacy of everyone who visits thistleinitiatives.co.uk (the “Site”) or uses any of our applications on their devices. We only collect and use your Data as described in this Privacy Notice (“Notice”) and as permitted by Data Protection Legislation.
It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing information about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.
To navigate through our Privacy Notice just click on the links below. Capitalised terms used in this Notice are defined in the Glossary below.
1. Who does this privacy notice apply to?
This notice applies to:
- our service users who access our services such as our website or content anywhere on the web, participate in our surveys and focus groups and other users;
- our clients, suppliers and business partners; and
- other persons who interact with us, when you call us or email us.
This notice applies to you whether you act in your personal capacity or as an employee or agent of an organisation.
2. Who are we?
Our Site is owned and operated by Thistle Initiatives Limited.
This privacy notice explains how we, Thistle Initiatives Limited, a company registered in England at 2nd Floor, 4 St Paul’s Churchyard, London, EC4M 8AY. (“Thistle”, “we”, “us”, or “our”) and our affiliated companies Resolution Compliance Limited, Compliance Star Limited and Absolute Cover Limited trading as Resolution Compliance, Absolute Cover and other brands process your personal data (“you”, “your”) when you use our website, content or other services.
We are a member of the Thistle Group of companies. For the purposes of the Data Protection Legislation, we are the data controller which means that we are responsible for determining the purposes for which and means of how your Data is Processed.
If you have any concerns about how we Process or protect your Data or would like to contact us about any aspect of this Notice, please get in touch with our Group Data Protection Officer, who oversees our handling of Data, and who can be contacted at firstname.lastname@example.org
3. What Data do we collect about you?
We will collect Data about you from the following sources:
- From you (for example, when you create an account, make a payment, tell us about your preferences or respond to our campaigns, communicate with us, or use our Site or Apps);
- From when we host social events;
- From public sources of information such as public records or social media postings;
- From providers about your interactions on the Site and from cookies and tracking devices on your devices where you have permitted their use;
- from third parties, advertisers, and other companies in the Thistle Group. We may also receive information from other parties in accordance with our responsibilities as a regulated financial services business.
We will collect the following types of information:
|Type of Data||Description|
|Your personal and contact details||Information including your name, home address, email address, telephone number, username and password.|
|Account information||Information about your account with us, including your login details for our Site, date of birth, unique account number, unique customer identification, payment method information, marketing preferences, complaints details and any notes added to your account.|
|Visual images||Such as videos and photographs of you provided in your interactions with us in social events we host and your profile image on social media if you choose to enable this through your social media account.|
|Financial information||Such as information that allows us to understand your creditworthiness or your payment method, including bank account or payment card details.|
|Transactions, and account history||Such as transactions you have made. We will also receive information about you when you register with us|
|Lifestyle and demographic||Such as information available publicly on your social media profile where you connect with or contact us through your social media account.|
|Your communications via our Site and Apps||Such as chat conversations via the Site, your recorded telephone conversations with our customer support staff and emails.|
|General Location information||The device or computer you use to access the Site will provide us with your IP address. The IP address tells us which city, county or country you are accessing the Site from but does not give us detailed information about your location.|
|Device and other technical information||Such as the unique device identifier and other information about the device’s hardware and software.|
|Sensitive Information||We may also Process Data about you that is sensitive in order to meet our legal and regulatory obligations and to protect our business. This includes Data as required by the Financial Conduct Authority (FCA), the Anti-Money Laundering Regulations and the Proceeds of Crime Act and otherwise any other information to fulfil our legal and regulatory obligations as a regulated financial services business.
This also includes biometric data (such as through photographs and CCTV) and information about suspected fraud, theft or offences. If you come to an event that we host, this also includes information you provide (such as dietary preferences or disability information).
4. How do we use your Data?
We use your Data in the following ways, and for the following reasons:
|What we use your Data for||The basis on which we can use your Data|
|To register you as a new user on the Site.||We need to Process this information to meet our contractual obligations.|
|To allow you to use our services (including managing your payments).||We need to Process this information to meet our contractual obligations and to comply with our legal and regulatory obligations.|
|To communicate with you about updates to the Site, our services, and any changes to our terms and conditions or Privacy Notice.||We need to Process this Data to meet our contractual obligations; to comply with our legal and regulatory obligations; and it is in our legitimate business interests to keep accurate records.|
|To receive feedback from you on our products and services.||We need to Process this Data to meet our contractual obligations and it is in our legitimate business interests to understand how we can improve our products and services. You do not have to provide us with this information.|
|To run our promotional events such as competitions and offers which may be of interest to you.
We may send you marketing material about our offers and events via email or text. You may opt-out of direct marketing at any time (see below).
|We need to Process this Data as it is in our legitimate business interests to provide you with a personalised experience when you use our services.
Where necessary, we Process this Data based on your consent.
|To provide customer support services.||It is in our legitimate business interests to respond to any communications we receive from you. If you do not wish to provide us with this information, we may not be able to respond fully to your queries.|
|To train our staff (for example our call staff).||It is in our legitimate business interests to provide you with a helpful service.|
|To maintain and administer our Site and Apps.||It is in our legitimate business interests to maintain our IT services and network security, to maintain our system; and we need to Process this information to comply with our legal and regulatory obligations.|
|To improve our Site, products and services, and experiences, such as by understanding analytics.||It is in our legitimate business interests to better understand your preferences, update our Site and develop our business strategy.|
|To comply with our legal and regulatory obligations as a financial services business.
This may involve verifying your identity and age.
|We need to Process this information to comply with our legal and regulatory obligations and it is in our legitimate business interests to prevent fraud and illegal activities on our Site.|
|To protect our business from money laundering, terrorist financing and other illegal activities.
We may identify you electronically using technology such as cookies.
|We need to Process this information to comply with our legal and regulatory obligations under financial services, anti-money laundering, anti-fraud, and anti-terrorism laws.
We also Process this information in the public interest and it is in our legitimate business interests to protect our business from any illegal or abusive use of our Site.
|To provide you with advertising which is relevant to you, and to understand your advertising preferences.||It is in our legitimate business interests to understand how you use our Site and how we should develop our marketing strategy.|
|In relation to legal action, or when acquiring or selling a business.||It is in our legitimate business interest to be able to protect ourselves through legal action and to develop the business through acquiring or selling parts of our business.|
We will not share any of your Data with any other organisation or third parties for any purposes other than storage on an email and/or web hosting server without your consent.
5. Who do we share your Data with?
In some cases, we may share your Data with third parties in order to support your needs, provide you with services, or comply with our legal obligations. We may also share Data with third parties if it is in the public interest or the sharing is in our legitimate interest or the legitimate interest of another organisation.
The other organisations we may share your Data with are typically:
- Members of the Thistle Group for the purposes in section 4
- Third-party suppliers and service providers for the purposes identified above – in particular, we work with platform services (to provide financial services and account management functions), cloud providers (to host the Site), affiliate platform services, customer support software services, data storage services, payment service providers, know-your-customer and anti-money laundering services as well as enhanced due diligence and anti-fraud services, financial services regulators (such as the FCA), data matching services (to ensure we receive accurate information if you register with us) and click fraud detection and protection services.
- Business partners and other organisations to help us meet our contractual and regulatory obligations, including audit, legal and compliance services.
- Affiliates and third parties whom you have opted out of marketing communications with, have been barred or have self-excluded so that we can ensure that you do not receive unsolicited promotional material.
- Identity verification and fraud prevention agencies such as other financial services businesses, banks, credit card companies and similar agencies which investigate and prevent underage, fraudulent, criminal or suspicious activity, or any other behaviour we are legally required to investigate. We will also pass on your information if we have reason to believe you have undertaken such activity.
- Analytics and search engine providers and other selected organisations which provide us with feedback about our Site or Apps and aid us in improving their optimisation.
- Statutory authorities when we are required to comply with a request for information, a court order to disclose your Data, a regulatory investigation from a relevant governmental or financial or regulatory authority, our legal obligations including our requirement to report suspicious behaviour.
- Regulator, law enforcement or fraud prevention agencies as well as legal professionals, courts and other adjudication services to investigate any actual or suspected criminal activity.
We may also share your Data with third parties:
- If we consider selling or acquiring businesses or assets, in which case we will share your Data with the counterparty.
- If Thistle, or any of its group companies, becomes insolvent (i.e., becomes subject to administration or liquidation processes).
- If we, or substantially all of our assets, are acquired by a non-Thistle Group entity.
- When we check your identity when you first become a customer, we share information with a Credit Reference Agency and this will leave a “soft” footprint on your credit file.
- If we need to enforce our terms and conditions.
- To protect our safety, rights or property, or the safety, rights or property of our customers, staff and others by sharing information with other companies and organisations such as the local police.
- Where we are required by law, we may share your Data with regulators or other financial services organisations.
6. How long do we retain your Data?
We will not keep your Data for longer than is required for the purposes for which we collected it, including for the purposes of satisfying any legal requirements. The length of time for which we retain your Data will depend on what we are using it for as set out in this Notice, the nature of the Data and how sensitive it is. For example, we will keep your email address while dealing with your enquiries but, even when you unsubscribe, we are required to continue to retain your email address to ensure that we do not send you any email communications in the future and for our know-your-customer (“KYC”) purposes.
Please note, however, that we may be subject to legal and regulatory requirements to keep your Data for a longer period. We may also extend the retention times where the Data is needed to investigate a crime, handle a claim or resolve a complaint. As a general rule, we keep your Data based on the criteria below:
|Type of Data||Typical Retention Time||Information|
|Marketing consents||Until you no longer consent||If you withdraw consent, we will keep this information on a ‘suppression list’ so we don’t contact you|
|Customer call recordings|| Months||Extended retention may be applied on a case by case basis|
|Customer Data||Seven years from the date your account is closed||We will only continue to retain this Data where this is:
(i) Legally required under financial services regulations or tax legislation or other regulations; or
(ii) Required to exercise or defend our legal rights
Where it is no longer necessary to Process your Data, we will delete it or anonymise or aggregate it by removing all details that identify you in accordance with Data Protection Legislation.
7. Where do we transfer your Data?
We primarily store and Process our Account data within the UK. However, if we transfer your Data outside the UK, we ensure a similar degree of protection is afforded to it to safeguard your Data in accordance with Data Protection Legislation, which can include by: (i) ensuring that your Data is only processed in countries which provide adequate data protection laws (in accordance with the Data Protection Legislation); (ii) requiring recipients to sign up to strong contractual commitments that ensure the protection of your Personal Data (such as the EU Model Clauses); (iii) taking any other measures that comply with Data Protection Legislation.
8. Keeping your Data safe
While the nature of the internet means that the transmission of information may not be totally secure, we have implemented security measures to prevent your Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Where you use a password to access certain services or features of our Site, please keep this confidential and do not share it with anyone. Unfortunately, we cannot guarantee the complete security of the information transmitted via the internet. While we have implemented security measures, any transmission is at your own risk.
You can tell us whether or not you wish to be contacted for marketing purposes and, if so, how we can contact you. We will obtain this information from you when we first collect your Data and we may ask you what kind of communication you would like to receive from us.
You can opt-out of receiving marketing communications from us at any time by following the instructions below:
- Email marketing: to opt-out from emails, use the unsubscribe link provided within any email you receive or manage your preferences by emailing email@example.com or by telephoning 0207 436 0630.
- SMS Marketing: to opt-out from SMS, you can use the STOP code provided in any SMS you receive or manage your preferences by emailing firstname.lastname@example.org or by telephoning 0207 436 0630.
- Call Marketing: to opt-out of being contacted by telephone for marketing purposes, you can manage your preferences by emailing email@example.com or by telephoning 0207 436 0630
- Post Marketing: to opt-out of receiving marketing by post, you can manage your preferences by emailing firstname.lastname@example.org or by telephoning 0207 436 0630.
- Push notifications: to opt-out of receiving push notifications, you can disable push notifications on your device or browser settings.
Please be aware it may take up to 28 days for your request to take effect. Please note you will still receive other important information about our product and services.
11. Your rights
Under Data Protection Legislation, you have a number of rights in relation to your Data. We have listed these below, but please note that some only apply in certain specific circumstances (detailed in the Data Protection Legislation):
|Your rights||How to exercise your rights|
|Right to access and receive a copy of the Data we hold about you.||It is generally free for you to request access to your Data by contacting our data protection representative by emailing email@example.com or by telephoning 0207 436 0630.
If your request is repetitive or excessive, we may refuse to comply or we may charge you a fee.
|Right to correct any inaccurate Data we hold about you.||You can amend, correct, delete or edit your Data if you wish to, please contact our customer support team by telephoning 0207 436 0630
|Right to require us to erase your Data if (for example): (i) we no longer need the Data for the purpose we originally collected it for; (ii) we only collected it with your consent, and you now withdraw your consent; or (iii) you object to how we are Processing your Data.||You can request erasure of your Data by contacting our customer support team by telephoning 0207 436 0630.
This process is not reversible.
|Right to request that we restrict the Processing of your Data if (for example): (i) you believe that the Data we hold on you is inaccurate; (ii) you have the right to request that we erase your Data but would prefer us to restrict our Processing instead; or (iii) we no longer need the Data for the purpose we originally collected it for but you require the Data for legal actions.||You can request the restriction of Processing of your Data by contacting our customer support team by telephoning 0207 436 0630. Once you have requested this you can change your mind at any time by contacting us again. Your account will not be accessible while the restriction is in place.|
|Right to request a copy of the Data we hold on you in a structured, commonly used and machine-readable format. You can also request that we transfer this to a third party on your request. Please note that this right may not apply to all of your Data.||In some circumstances, you can request the transfer of your Data to a third party by email to firstname.lastname@example.org The request must include which Data you would like to be transferred, to whom it should be transferred and by which method.|
|Right to object to our Processing of your Data, including for marketing purposes. Please note that in some cases, we may demonstrate that we have legitimate grounds to Process your information which overrides this right.||You can object to Processing of your Data by contacting our customer support team by telephoning 0207 436 0630 Once you have objected you can change your mind at any time by contacting us again. Your account will not be accessible while the restriction is in place.|
|Right to not be subject to a decision based solely on an automated process, such as profiling, which results in you being significantly affected or produces legal effects concerning you.||You can exercise this right by contacting our customer support team by telephoning 0207 436 0630|
|Right to withdraw your consent where we only Process your Data based on your consent. You can withdraw your consent to receive marketing communications from us at any time and for free.||To exercise your right to withdraw your consent to receive marketing communications please see section 10 above.|
12. Privacy Notices of other websites
Our Site or Apps may contain links to other websites. This Notice only applies to our Site and Apps. If you click on a link to another website, you should read their privacy and cookie policies to understand how they Process your information.
13. Changes to this Privacy Notice
We may, from time to time, change or update this Privacy Notice in line with legal requirements or if our business changes. All changes to this Privacy Notice will be published on this page of the Site. Each change will become effective on publication. We recommend that you revisit and read this Privacy Notice regularly to ensure that you are up-to-date with the current terms.
This Notice was last reviewed and updated in May 2022.
If you have any questions or comments about this Notice, want to know more about how we use your Data, or want more information on your rights, please contact our Data Protection representative by emailing: email@example.com
If you have a complaint about how we Process your Data, please contact us at firstname.lastname@example.org and will try to resolve this. However, if you feel that we haven’t addressed your concern in a satisfactory manner, you have the right to complain to the Information Commission (“ICO”) (ico.org.uk).
|Term||What this means|
|Data||Information relating to an identifiable person, who can be directly or indirectly identified in particular by reference to an identifier, or which is otherwise defined as ‘Personal Data’ under Data Protection Legislation.|
|Data Protection Legislation||Data Protection Act 2018 (UK GDPR), EU General Data Protection Regulation 2018 (GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any other applicable laws relating to the protection of Data.|
|Process, Processing or Processed||Accessing, collecting, obtaining, recording, holding, disclosing, using, altering, deleting, erasing or destroying Data, or carrying out any operation(s) on the Data or as otherwise defined under applicable Data Protection Legislation.|