Mydus (MSSD Ltd) Privacy Policy

Last Updated: 9th August 2022
INTRODUCTION

MSSD Ltd (“we” or “us”), is a company registered in England and Wales whose registered office is at Flat 9 Dawson Building, 52 Prospect Row, London, E15 1GU, and whose registered number is 13278742. We are committed to protecting and respecting your privacy and to providing clear information about the use of your data We are the data controllers for the personal data we collect via our website and for the performance of the services listed under the usages of your personal data, below (together, the “Services’). We are registered with the Information Commissioner’s Office (the ICO) with registration number: ZB326033.

If you have any questions or concerns about this Policy, please contact us at help@mydus.co.uk.

HOW WE COLLECT YOUR DATA

When you use our Services, we will have access to your personal data that you submit to us and personal data held by Account Servicing Payment Service Providers (i.e., any payment service provider, such as a bank or a credit card issuer that maintains an online payment account on your behalf) (“ASPSPs”) (“Transaction Data”) for the duration of the transmission. We may collect, use, store and transfer the following different kinds of personal data about you: Account data, transaction data, financial data, usage and device data, marketing and communications data and banking data. The manner in which we access, use, process, and store this for the provision of the Services is set out below.

Personal information you disclose to us
  • “Account data” includes information you provide to use our services, such as names, phone numbers, email addresses, passcodes, UK residency status and delivery or home addresses.
  • Information you provide when you interact with us, such as free text information you include in queries, feedback, survey responses, user testing responses, complaints, or any other direct interaction we have with you.
  • “Marketing and communications data” includes your preferences in relation to marketing, such as the way in which you prefer to be contacted or any opt-outs you notify us of from time to time.
  • “Banking data” includes identifying information about accounts you link to your Mydus app through open banking. This could mean partial card numbers, bank or account names you input to help you identify which linked accounts you have in your Mydus app.

All personal information that you provide to us must be true, complete and accurate, and you must notify us of any changes to such personal information in order to ensure that we hold the most up to date information about you.

Information sent to us when you use our services

In order to access and use the main functionality of our Services, we will direct you to use one of our trusted service providers or an ASPSP that implements Open Banking in order to transmit and access information (including personal data) relating to payment accounts (“Transaction Data”) that you hold with ASPSPs to us.

  • “Transaction data” includes open banking transaction data. We use an open banking account information service, provided by Plaid Financial Ltd. Plaid are an authorised payment institution regulated by the Financial Conduct Authority (firm reference number 804718) under the Payment Services Regulations 2017. Plaid will provide Mydus with account, balance, transaction and merchant data for accounts you give express permission to link to our service, to enable us to display your spending and balance, and other insights. You can view Plaid’s privacy policy at https://plaid.com/legal/#consumers.
  • “Transaction data” also includes financial asset data. We use data provided by Yodlee, Inc. Yodlee are an authorised payment institution regulated by the Financial Conduct Authority (firm reference number 820700) under the Payment Services Regulations 2017. Yodlee will provide Mydus with account, balance, holdings, transaction and merchant data for financial assets you give express permission to link to our service, to enable us to display your spending and balance, and other insights. You can view Yodlee’s privacy policy at https://www.yodlee.com/europe/company/clients-consumers.
Information automatically collected
  • “Usage data” We automatically collect certain information about how and when you use our services so that we can maintain security of our services and for internal reporting and analytic purposes. This information includes from which URL you arrived at our site (website only), which pages or our website/app you visit, for how long, and which links you click.
  • “Device data” We collect device data such as information about your computer, phone, tablet or other device you use to access the website and app including information about your Operating system and a partial IP address (or proxy server). Depending on the method of interaction used, this device data may include the following information:
  • Website only: Browser type and version
  • App only: Mobile device ID, model and manufacturer, language preferences, hardware model, internet service provider and/or mobile carrier, phone network, type of mobile used and device name.
HOW WE USE YOUR DATA

We use the information we collect or receive for the following Purposes in bold text below and on the legal basis we’ve underlined:

  • To facilitate account creation and login process. We use your Account and ID Data to create your unique account and to have means of checking who you are, verifying your device and email address and contacting you. We need this information to perform our Services as agreed with you under our contract and to comply with our legal obligations (including those of our third parties who are subject to certain regulations).
  • To manage your Mydus account. We may use Transaction Data to provide analytics to you in order to fulfil our contract with you and we may make further use of that information on the basis of the legitimate interest of society as a whole in managing finances (for example, statistical, research and educational purposes as described below). By linking accounts/cards to your Mydus app via Open Banking links, or by providing identifying bank names and partial card numbers to help you identify linked cards, you are directly providing this information to us.
  • To respond to your inquiries/offer support. In order to fulfil our contract and other obligations to with you, we may use your Account, Usage, Device Data, and any other relevant information about your Mydus account to respond to your inquiries and to try to resolve any potential issues or complaints you might have with the use of our App or Services generally.
  • Push Notifications. We may request to send you push notifications (consent) regarding your account or certain features of the App. If you wish to opt-out from receiving these types of communications, you may turn them off in your device’s settings.
  • To protect our business and our users. We may use your information as part of our efforts to keep our App and Services safe and secure generally for all users (for example, for fraud and money laundering/terrorist financing monitoring and prevention). We are legally (legal obligation) and contractually (contract) obliged to ensure the security of our App and Services and to protect our users, but it’s also in our legitimate commercial interests to provide a safe and secure service generally because if we couldn’t do that, we would likely lose business.
  • To enforce our terms, conditions, and policies in order to protect our business interests (contract and our legitimate interest in protecting our business and acting in its best interests).
  • To comply with legal and regulatory requirements (legal obligation) such as carrying out ID Checks including via our third-party providers.
  • To update or provide notice to you in connection with our contract.
  • To respond to legal requests and prevent harm (legal obligation). If we receive a witness summons or other legal request from a law enforcement agency for example, we may need to inspect the data we hold to determine how to respond. We will consider each request on its merits and judge that against our users right to privacy in each case by limiting the information we share to only that which we consider necessary, and we will record our decision internally in order to create and auditable trail wherever legally possible (legal obligation).
  • To send you marketing and promotional communications. We may use the personal information you send to us for our own marketing purposes if this is in accordance with your marketing preferences or if we pass on any third-party marketing on the basis of our legitimate interest in sending you offers as our customer that are closely related to our Services and we think would legitimately be of interest to you. For example, when expressing an interest in obtaining information about us or our Services, subscribing to marketing or otherwise contacting us, we will collect personal information from you, and we will gain some insight into what you are interested in. We will give you the opportunity to opt-out of marketing at the time, and you can always later decide to opt-out of our marketing emails if you change your mind (see the “WHAT ARE YOUR PRIVACY RIGHTS” below).
  • To post testimonials. We may post testimonials on our Services (either by directly requesting your permission or from an external review website e.g., Trustpilot) that may contain the name of the person providing the testimonial. By submitting a testimonial for this purpose, we presume this to be with your consent (which you can withdraw at any time).
  • Request feedback. We may use your name and mobile number/email address to request your feedback and to contact you about your use of our Services on the basis that we have a legitimate interest in asking users to provide feedback for the purpose of improving and marketing our products and services. We will not contact you if you have opted out of marketing.
  • Deliver targeted advertising to you. We may use your Account, or Transaction Data to advertise marketplace providers relevant to your interests and to measure its effectiveness. We do this on the basis of our legitimate interest in making sure your experience in using our Services is relevant and productive, and also on the basis of our legitimate interest in marketing further services to you, and in the legitimate interest of society as a whole in making good financial decisions.
  • To improve our own products and Services generally, including improving customer experience or to inform how we develop new products and services. This means data analysis, identifying usage and general user behavioural trends (such as how many people are spending, but this doesn’t involve “profiling” you individually), determining the effectiveness of our promotional campaigns, to evaluate and improve our Services, products, and better tailor our marketing and your experience. We may use and store this information in aggregated and anonymised form so that it is not associated with individual end users and does not include personal information but it will initially be based upon a snapshot of your account, transaction, marketing communications and preferences data and we use that data on the basis of our legitimate interest in furthering our business as set out in this paragraph, and on the basis that we make sure you can’t be identified once we’ve aggregated this data so that it doesn’t unfairly prejudice your right to privacy.
  • For statistics, research, and educational purposes. We may share anonymised or pseudonymised information (for example, aggregated data) with third party statistical, research and educational institutions. Where we do this, the data we share won’t be personally identifiable, but it will be based upon the information available to us at the time. This means that we don’t need any legal basis to process the data because it is not personal data to which the UKGDPR or EUGDPR applies. This data might be used to produce reports, research papers, white papers or other documents prepared for government consultation, to assist with financial analysis or to otherwise support the UK Finance agency’s objectives from time to time or other social calls to action that are relevant to the data we collect.
CONSENT

We will be able to access your Account Information (including any Personal data), if you give us explicit consent.

How do I withdraw my consent?

If after you provided your consent, you change your mind, you may withdraw your consent by contacting us at our address or at the email address set out in the contact information above.

Deletion of personal data

We will not keep your Personal Data for longer than necessary. We will delete your Personal Data as soon as it is no longer needed to provide the Services to you or upon termination of the Terms of Services. To request your data to be deleted, please use the delete function in your settings page in the app or send us an email at help@mydus.co.uk. Your data will be deleted in full after 30 days from your request.

DISCLOSURE

We may share your Personal Data with selected third parties, including business partners, suppliers, subcontractors that assist us in the provision of our Service to you. The third-party providers used by us will only collect, use and disclose your information as instructed by us to provide Services to you.

RETENTION

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. We will convert your personal data into anonymous aggregated information, at regular intervals, that we will use indefinitely for statistical and research purposes. Where we create this kind of aggregated information, we make sure that you can’t be identified from that pool of information and so this is no longer classified as “personal data” by law.

KEEPING YOUR PERSONAL INFORMATION SECURE

We have implemented appropriate technical and organisational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security, and improperly collect, access, steal, or modify your information, but we will promise to do our best to protect your personal information. Transmission of personal information to and from our Services, including your use of Wi-Fi and unsecured network environments, is at your own risk. You should only access the Services within a secure environment.

YOUR RIGHTS
Subject Access Request

You have the right to ask us to provide any personal data we have collected about You, to You. Should you wish to do so, please email us at help@mydus.co.uk to make a subject access request detailing:

  • your name,
  • your address,
  • the period of data you'd like access to.
Making a complaint to a supervisory authority

Should you be dissatisfied with the service we provide, You have the right to file a formal complaint to the Information Commissioner’s Office at www.ico.org.uk.

ANALYTICS

n order to collect the information as described above, we may use analytics technology on our website, including Google Analytics, among others. This technology collects information, usually in an anonymous form about how Users use our website. This is accomplished by placing a small text file or ‘cookie’ on a User’s computer. This allows the website to remember convenient information that will allow for a better website experience.

Users can also opt out of Google’s advertising tracking cookie here, or use a browser plugin to opt out of all Google Analytics tracking software found here.

CHANGES TO THIS POLICY

If we change this policy, we will post the revised policy here with an updated effective date. If we make significant changes to the policy, we may also notify you by other means such as sending an email or posting a notice to our home page.

Ellipsol

© 2023 MSSD Ltd. All Rights Reserved.

Mydus is registered and incorporated in England and Wales.

Mydus provides you with regulated account information services as an agent of Plaid Financial Ltd., an authorised payment institution regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 (Firm Registration Number: 804718) for the provision of payment services, including account information services.

Company Registration Number: 13278742.

Data Protection Register Number: ZB326033.