At Token we are fully committed to protecting and respecting your privacy. This Policy explains how we collect personal information about people who use our services, how we use the data and the conditions in which we may disclose it to others, and how we keep it secure.
We may change this policy from time to time, so please make sure that you check this page occasionally just to make sure that you are still happy with it. By using our services and consenting to Token processing your data, you are agreeing to the conditions below. We are the data controller for the purposes of the data that we collect from our website and for the performance of the services that we deliver on your behalf.
If you have any questions, please email the following address firstname.lastname@example.org or by writing to The Data Protection Officer, 15 Bishopsgate, London EC2N 3AR.
Who are we?
When we say ‘we’ we mean that we are Token.io Ltd (London - UK), Token GmbH (Berlin) and Token, Inc. (San Francisco - USA). Token was started to create an open banking platform that allows a global ecosystem of banks, bank customers and developers to move money and information securely, instantaneously and without friction across the globe. Money and transaction information move as a unit instantly, securely, and at a low cost. This goal is achieved through groundbreaking innovation, attention to detail and a passion for customer success. We are also registered as a Data Controller with the ICO and our registration number is ZA314995 and as Payment Initiation Service Provider and Account Information Service Provider with the Financial Conduct Authority and our reference number is 795904.
How do we collect data from you?
We collect information about you from different places including:
- directly from you when you use any Token service – but only once you have explicitly consented to your information being shared with us
- from a third party (such as your bank) acting on your behalf, where you have given your explicit consent for your information being shared with Token
- from other organisations (such as Linkedin) where you have already explicitly consented to your information being shared
- from publicly available sources (such as Google)
- when we generate it ourselves using any of the above sources
We’ll only collect your information in line with relevant regulations and laws, and this may relate to any of our services that you use, or have used in the past. You’re responsible for making sure you give us accurate and up to date information.
What type of information do we collect from you?
We will only collect the data that you need us to collect in order to provide the services that you asked for. We will not collect any data from you that is not needed to fulfill those services.
Data that we collect from you includes, but is not limited to, the list below:
- Business Name
- Business Address
- Email address
- Bank Account information
- Credit Card details (PAN)
- IBAN account number
- Transaction details
Protecting the privacy of young children is especially important to Token.io. We do not process any data for persons under the age of 18. If Token becomes aware that we are collecting data for under 18’s we will investigate the issue and ensure that all such data is identified, processing is stopped immediately and all data is deleted following our security processes.
How is your information used?
We may use your information to:
- Initiate payments/refunds for goods or services.
- Provide information to you allowing you to benefit from other services.
- Carry out any contractual obligations between us.
- Seek your views and comments on the service that we are providing.
- Notify you of any changes to our services.
We review our data retention periods regularly and we are legally obliged to retain some personal information as part of our statutory requirements. We will only hold your personal information in our systems for as long as is necessary for the relevant activity, or as long as it is set out in any contract you have agreed with us.
Our legal basis for processing personal data is:
- For the performance of a contract with You;
- For the purpose of furthering Token.io Ltd legitimate interests, including providing better products, services, websites and applications.
Who has access to your information?
We will not sell or rent your information to any third parties. We will not share your details to anyone for marketing purposes.
Third Party service providers working on our behalf:
We may pass your information to our third party service providers, agents, subcontractors and any other associated organisations for the purpose of completing tasks and providing services to you on our behalf (for example processing a payment or transferring money as you requested). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service that you need, and we have contracts in place that requires each third party provider to keep your information secure and not to use it for their own direct marketing purposes or any other purpose. We will not release your information to third parties beyond those that we have such a contractual relationship with - unless you have specifically requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime. In such circumstances, we will take steps with the aim of ensuring that your privacy rights continue to be protected.
Third Party Product Providers we work in association with:
If you have any questions regarding secure transactions, please contact us at: email@example.com.
What are Your choices?
You have a choice about whether or not you wish to receive information from us. If you do not want to receive direct marketing communications from us about our products and services, then you can opt out by ticking the relevant box on the form on which we collect your information.
We will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent. You can change your marketing preferences at any time by contacting us at: firstname.lastname@example.org.
What are your rights as a data subject?
As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please email email@example.com or use the information supplied in the How you can access and update your information section below. To process your request, we will ask you to provide two valid forms of identification for verification purposes.
Your rights are as follows:
- The right to be informed
- The right of access
You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following information:
a) The purposes of the processing
b) The categories of personal data concerned
c) The recipients to whom the personal data has been disclosed
d) The retention period or envisioned retention period for that personal data
e) When personal data has been collected from a third party, the source of the personal data
If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.
- The right to rectification
When you believe we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.
- The right to erasure (the ‘right to be forgotten’)
Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.
- The right to restrict processing
You may ask us to stop processing your personal data. We will still hold the data, but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing:
a) The accuracy of the personal data is contested.
b) Processing of the personal data is unlawful.
c) We no longer need the personal data for processing but the personal data is required for part of a legal process.
d) The right to object has been exercised and processing is restricted pending a decision on the status of the processing.
- The right to data portability
You may request your set of personal data be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.
- The right to object
You have the right to object to our processing of your data where
a) Processing is based on legitimate interest;
b) Processing is for the purpose of direct marketing;
c) Processing is for the purposes of scientific or historical research; or
d) Processing involves automated decision-making and profiling.
How you can access and update your information
The accuracy of your information is important to us. We’re working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change email address, or any of the other information we hold is inaccurate or out of date, please email us at: firstname.lastname@example.org, or write to us at: The Data Protection Officer, 15 Bishopsgate, London EC2N 3AR. Alternatively, you can telephone +44 203 934 6664. You have the right to ask for a copy of the information Token hold about you and you can contact us at email@example.com where we will provide you with the details you have requested. Before we release any confidential data to you we will, of course, need to verify your identity first.
Security precautions in place to protect the loss, misuse or alteration of your information
When you give us personal information, we take steps to ensure that it’s treated securely. Any sensitive information (such as name, address, email, mobile/cell number or bank details) is encrypted and we utilize secure web-based data collection technology, including industry standard SSL, with 2048-bit RSA keys, facilitating up to 256-bit AES encrypted sessions. We utilise appropriate measures to safeguard data against unauthorised access, disclosure, alteration, or destruction. These measures may include, among others, encryption, physical access security, auditing, and other appropriate technologies.
When you are on a secure page, a lock icon will appear on the web browsers such as Microsoft Internet Explorer or Safari. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We may make use of additional information about you when it is available from external sources to detect and reduce criminal activity, including fraud risk.
Cookies and Cookie Types
Cookies are small text files that are stored on your computer by websites you visit. They allow the website to do things such as keep track of your preferences as you move around the site so that the website can personalise pages for you and store little bits of information about your visit for use on future visits. Cookies stay on your computer for varying amounts of time depending on their type and the parameters the website sets whilst creating them.
Cookies come in three different types. The cookies themselves vary very little between the types but their effect and use is different.
First Party Cookies
First party cookies are created by the website you are visiting. They can only be read and used by that website.
Third Party Cookies
Third party cookies are not set by the website you are visiting. They are set by a different organisation whose features are being used by the website you are visiting. This is common practice if sites use analytical systems supplied by a third party (as most are) to track the usage and load on their website. These may also be created by embedded content in the web page, a YouTube video for instance, as these need their own cookies to work.
These enable a website to track your use throughout the site, storing choices you have made and any information you have provided. They are a type of first party cookie that only remain stored on your computer until you close your browser when they are then deleted.
Each browser has settings which allow you to elect not to allow websites to store cookies on your machine. As each browser is a little different, we advise you to check your browser's help functionality for this option or search for instructions that are specific to your browser.
If you choose to disable cookies, some aspects of this website may not function as intended.
Transferring your information outside of European Economic Area (“EEA”)
As part of the services offered to you through this website, the information which you provide to us may be transferred to countries outside the European Economic Area (“EEA”). By way of example, this may happen if any of our servers are from time to time located in a country outside of the EU. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing and/or processing. If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken and we remain compliant with the General Data Protection Regulation, with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy.
If you use our services while you are outside the EU, your information may be transferred outside the EEA in order to provide you with those services.
Our web site may also use a website recording service. This product may record mouse clicks, mouse movements, page scrolling and any text keyed into website forms. The information collected does not include bank details or any sensitive personal data. Data collected is for Token’s internal use only. The information collected is used to improve our website usability and is stored and used for aggregated and statistical reporting.
Review of this Policy
We keep this Policy under regular review. This Policy was last updated in September 2020.