1.1. Knoma is the trading name of Knoma Ltd (we, us, Knoma). This Policy describes the privacy practices of Knoma and its subsidiaries and affiliated companies in accordance with the Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) with respect to information relating to you that you or third parties provide to Knoma, including information collected or provided on the Knoma website www.knoma.io (the Website).
1.2. Knoma is a data controller and is registered in the UK with the Information Commissioner's Office (the ICO) under registration number ZA519575. By visiting and using our Website, you acknowledge and agree to the practices described in this Policy.
2.1. We may collect personal information about you when you visit our Website, when you apply for a loan from us and throughout our contract with you. This information may be given on our Website or when you contact us directly, for example through our customer service department, either online or by telephone (as our calls are recorded for training and monitoring purposes).
2.2. Bank transaction data
2.2.1. In order to be eligible for a Knoma loan to fund your educational course, you must agree to give us access to see your transaction data and bank balance for your current bank account held with your main bank (and where you hold any savings accounts, credit cards or any personal accounts with the same bank, balance and transaction data for these accounts) in real time via an open banking facility, through our partners, Truelayer Limited (TrueLayer) and Pave FinTech Limited (Pave). Open Banking is the secure way to give us access to your bank transaction data; if you provide us with your permission your bank has to allow you to share your transaction data with us.
2.2.4. We will view (but do not have the ability to transact) your bank account history in order to:
confirm the income and expense data you submit as part of your application;
assess your creditworthiness;
carry out an affordability assessment both at the point of application and on an ongoing basis to determine your suitability for credit;
to make collection decisions;
to monitor your risk of financial hardship/vulnerability; and
to assess your ability to enter repayment plans.
2.2.5. Your raw transaction data is treated as confidential and will not be passed to any third parties other than members of our group (which means our subsidiaries, our ultimate holding company and its subsidiaries in each case as defined in section 1159 of the UK Companies Act 2006), or our business partners, suppliers and sub-contractors for the performance of services under any contract we enter into with them or you.
2.2.6. For the avoidance of doubt, we will not pass your payment account details or transaction data to any other third parties. In this Policy, where we refer to sharing your information with third parties, this does not include your payment account details or transaction data.
2.3. Other personal data
2.3.1. In addition to your bank account and transaction data identified above, we may collect and process your name, email address, home address, date of birth, employment information and other information such as demographic information when you complete forms, loan applications and/or surveys.
2.4. Information we collect about you and your device:
2.4.1. Each time you visit the Website we may automatically collect information such as:
details of your usage of the Website, including what pages of the Website you have visited and whether you have clicked on images or links on those pages (this may be user specific or aggregate); and
technical information (including the type of device you are using, your IP address, and type of web browser) and cookie information, unless you disable cookies on your device (see the Cookies Policy);
2.5. Information we receive from other sources
We work closely with third parties and may receive information about you from those third parties, for example, information about your enrolment and course from your educational institution, your credit history from Credit Reference Agencies (CRAs) and/or employment history from your current or former employers. We may view any records about you which are in the public domain (for example electoral roll or social media accounts). We do not seek or knowingly collect any personal data about children under 18 years of age.
3.1. We use your information in various ways, such as:
to process your loan application and assess your creditworthiness;
verifying your identity and credit record to enable us to consider and underwrite your application to borrow;
assessing the validity of your debit card or bank account details by processing one or more test transactions (which would not result in any money being taken from your account and would not affect your credit history);
for administrative purposes, for example to process payments, make collections, trace you where necessary, update/maintain our records, prevent fraud and money laundering and enforce our loan terms;
to communicate with you by telephone, email, SMS, social media or post using the details you have provided in relation to your application/agreement with us or we have obtained from publicly-available sources;
to enhance your experience of our Website and of our services, for example by conducting statistical analysis or for editorial or feedback purposes for our advertiser affiliates; and
to provide you with marketing communications from us (subject to the consents you provide to us which you can withdraw by opting out at any time).
4.1. We may share your information with selected third parties including:
Service Providers: we contract with service providers to perform certain functions on our behalf. Examples include database providers who assist in identity verification and site analysis providers. Their access is limited only to the personal data needed to perform the functions carried out on our behalf as our agent, and only for the purpose of performing those functions; and
Credit Reference Agencies: in order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies ("CRAs"). Where you take banking services from us we may also make periodic searches at CRAs to manage your account with us. To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
4.2. We will use this information to:
assess your creditworthiness and whether you can afford to take the product;
verify the accuracy of the data you have provided to us;
prevent criminal activity, fraud and money laundering;
manage your account(s);
trace and recover debts; and
ensure any offers provided to you are appropriate to your circumstances.
4.3. We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link. More information about CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail in the CRA information notice (CRAIN) available at https://www.equifax.co.uk/crain; and
Other disclosures: We use the information you provide to us to engage employers to verify the accuracy of your self-reported income and expenditure and to engage your educational institution to verify the details of your enrolment.
4.4. We may also disclose your personal information to third parties:
in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets;
to our professional advisers where required to advise us from time to time and always subject to a duty of confidentiality;
to other members of our group where required for management information and forecasting purposes; and
if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation or request, this includes exchanging information with other companies and organisations for the purposes of fraud prevention.
Educational Providers: we may be required to share your information with Educational Providers to:
5.1. We process your data using automated decision-making software. This software is used to underwrite your loan application. Our automated decision-making systems include, but is not limited to, the following inputs:
credit model algorithms
enrolment and employment verification
anti-fraud and anti-money laundering databases
other data sources that provide inputs that show your creditworthiness, affordability or fitness to receive credit
5.2. The use of automated decision-making software is a requirement to enter into a loan agreement with us. You have the right to request that we do a manual review of the results of the automated decision rendered.
5.3. We use your personal information for a variety of reasons, upon different legal bases including:
for the performance of our agreement with you or to take steps at your request prior to entering into an agreement with you. This is necessary for us to lend to you. If you do not provide such information we will be unable to provide you with a loan;
where necessary for our legitimate interests, for example in managing and monitoring our website operation, preventing fraud and for our business compliance purposes; and
where necessary in order to comply with a legal obligation, for example making reports to our regulatory authority or to law enforcement agencies.
5.4. Where our use of your data is not necessary for one of the purposes outlined above we may seek your consent to use it in a particular way, for example if we ask you to complete a customer survey. Where we ask for your consent you are free to refuse our use of the data for those purposes and you may withdraw your consent at any time by contacting us using the details set out below.
5.4.1. Direct Marketing - when you provide your information to us for the purposes of obtaining a quote or making an application for credit we will advise you that we may contact you by telephone, SMS, email or by post to provide you with information about similar products and services that we may provide. We give you the opportunity to change your consent preferences for receiving such marketing communications when you provide your information to us and at any time afterwards in the following ways:
via email: Click the "Unsubscribe" link in any email communication and submit your email address on the next screen or email us at firstname.lastname@example.org;
via our Website: Update your contact preferences in the customer account section; or
via telephone: Call us on 0800 037 0289.
If you opt-out of our use of your information for marketing purposes, we will process your request as soon as possible. Please note, that we reserve the right to take reasonable steps to authenticate your identity with respect to any such request.
6.1. We have measures in place to protect the security and confidentiality of your information and we strive to keep it accurate. We only keep your information for as long as is necessary. We generally keep records of any transactions that you enter into for a minimum of six years. Some of the security measures include:
we work to protect the security of your personal data during transmission by using Secure Sockets Layer (SSL) software, which encrypts personal data you input;
we store personal data in an encrypted database;
we transmit personal data in an encrypted format; and
our networks are secured with certified firewalls in a multi-layered fashion with redundancy.
7.1. We only keep your personal information for as long as is necessary to fulfil the purposes for which we use it. We will normally retain your personal data for 6 years after our last business interaction with you to comply with our regulatory requirements. We will delete all data after 6 years from our last business interaction with you unless we are subject to a legal requirement to retain it for longer.
8.1. Your personal information is protected under data protection law and you have a number of rights (explained below) which you can seek to exercise. Please contact us using the details shown below if you wish to do so, or if you have any queries in relation to your rights. If you seek to exercise your rights, we will explain to you whether or not the right applies to you; these rights do not apply in all circumstances.
8.2. Right of access
subject to certain exceptions, you have the right of access to information that we hold about you upon request. You can exercise this right by making a request in writing, by email or telephone using the contact details in the contact section below.
8.3. Right to rectify your personal information
if you discover that the information we hold about you is inaccurate or incomplete, you have the right to have this information rectified (i.e. corrected).
8.4. Right to be forgotten
you may ask us to delete information we hold about you in certain circumstances, this is often referred to as the 'right to be forgotten'. This right is not absolute and only applies in particular circumstances. It may not therefore be possible for us to delete the information we hold about you, for example, if we have an ongoing contractual relationship or are required to retain information to comply with our legal obligations or to exercise or defend legal claims.
8.5. Right to restriction of processing
in some cases you may have the right to have the processing of your personal information restricted. For example, where you contest the accuracy of your personal information, its use may be restricted until the accuracy is verified. You have the right to ask us not to use your information for marketing purposes. We will ask for your consent to use your information for these purposes when we collect it and you can exercise your right to prevent such processing by checking certain boxes on our Website or other forms we use to collect your data. You can also exercise the right at any time by contacting us by post or email using the details in the contact section of this Policy (see below)
8.6. Right to object to processing
you may object to the processing of your personal information (including profiling) when it is based upon our legitimate interests. You may also object to the processing of your personal information for the purposes of direct marketing (including profiling to the extent it relates to direct marketing) and for the purposes of statistical analysis.
8.7. Right to data portability
you have the right to receive, move, copy or transfer your personal information to a controller which is also known as 'data portability'. You have the right to this when we are processing your personal information based on consent or on a contract and the processing is carried out by automated means. You should note that this right is different from the right of access (see above) and the types of information you can obtain under the two separate rights may be different.
9.1. Ifyou have any questions about how we treat your personal data and protect your privacy or if you have any comments or wish to seek to exercise any of your rights as outlined above, please contact us:
by post to Knoma Ltd, Runway East, London Bridge, 18 Crucifix Lane, London, SE1 3JW.
by email to email@example.com
by telephoning us on 0800 037 0289
10.1. If you have a complaint, please contact us and we will investigate it and give reasonable redress if we consider it appropriate to do so. You also have the right to complain to your local data protection supervisory authority. If you are in the UK, this is the Information Commissioner's Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone 0303 123 1113. www.ico.org.uk/ .