{
"organisationInformation": {
"name": "Castlight",
"number": "06793893",
"registrationCountry": "gb",
"description": "Castlight allows customers to share transactional data from their bank accounts as an alternative to a credit score"
},
"organisationUrls": [
"https://castlightfinancial.com/"
],
"privacyNoticeUrl": {
"url": "https://castlightfinancial.com/privacy/"
},
"dataProtectionOfficer": {
"present": "present",
"name": "Murdo Thomson",
"role": "Data Protection Officer",
"contactInfo": {
"postalAddress": "6th Floor, 133 Finnieston Street, Glasgow G3 8HB",
"emailAddress": "dpo@castlightfinancial.com",
"telephoneNumber": "+44 0800 193 3547"
}
},
"rights": {
"isMissing": false,
"general": {
"contactInfo": {
"emailAddress": "dpo@castlightfinancial.com"
},
"observations": "They may need to request specific information from you to help confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights)."
},
"access": {
"contactInfo": {}
},
"rectification": {
"contactInfo": {}
},
"erasure": {
"contactInfo": {}
},
"restrictProcessing": {
"contactInfo": {}
},
"dataPortability": {
"contactInfo": {}
},
"object": {
"contactInfo": {}
},
"automatedDecisionMaking": {
"contactInfo": {}
}
},
"dataCategoriesCollected": {
"isMissing": false,
"list": [
"bank_transactions",
"date_of_birth",
"device_information",
"email_address",
"gender",
"names",
"postal_address",
"telephone_number"
],
"observations": "They also collect marital status.\n\nThey explicitly specify that they do not collect any Special Categories of Personal Data.\n\nThey also collect information about you from Credit Reference Agencies.",
"sourceText": "To register to use the Service, we require you to supply us with personal data, or personal information, which means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).\n\nWe may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:\n\nIdentity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.\nContact Data includes billing address, email address and telephone numbers.\nFinancial Data includes bank account details, account transactions, account features, benefits, debits and credits.\nTransaction Data includes details about payments to and from you and other details of products and services you have purchased.\nTechnical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.\nProfile Data includes your username and password, purchases made by you, your interests, preferences, feedback and survey responses.\nUsage Data includes information about how you use our website, products and services.\nMarketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.\nWe also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. 
For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature, or anonymise and aggregate your Financial Data to conduct market research that we may share, sell or licence to third parties . However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.\n\nYodlee Inc. are able to take Financial Data in order to create Aggregated Data which it can then use, sell and/or distribute. Yodlee Inc. do not disclose, and have no rights to disclose, your personal information to any third party. It only uses Account Data and your Personal Information to the extent necessary to provide data to enable Castlight to provide the Service and to create Aggregated Data.\n\nWe do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.\n\nIf you fail to provide personal data\n\nWhere we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.\n\nWhere you begin the process to create an Affordability Passport with us and the form is not completed for a period of five days thereafter, the Affordability Passport and personal data relating to it shall be automatically erased from our system. 
You can also choose to delete any draft or completed Affordability Passport on your profile at any time, which shall have the effect of erasing that Affordability Passport and personal data relating to it from our system (though we will keep a record of a unique identification number relating to that Affordability Passport which will be linked to your profile)."
},
"unusualProcessingPurposes": {
"isMissing": false,
"present": "present",
"observations": "It appears that when you use Castlight you share your bank login details with a third party called Yodlee so they can access your financial transaction data."
},
"thirdParties": {
"isMissing": false,
"list": [
"Yodlee",
"Credit Reference Agencies"
],
"specificity": "general",
"observations": "It appears that when you use Castlight you share your bank login details with a third party called Yodlee so they can access your financial transaction data. They say Yodlee will not store this information for longer than is necessary to allow them to access your Financial Data for the purpose of providing the Service.\n\nCastlight says it has a contract with Yodlee which requires Yodlee to be bound by their privacy policy and to meet the requirements of the Data Protection Act and General Data Protection Regulations in just the same way it applies to Castlight.",
"sourceText": "We use a company called Yodlee Inc. (https://www.yodlee.com/yodlee/emea/) to provide software that allows us to access Transaction Data and Financial Data in relation to the internet banking accounts nominated by you. When you select to add a bank account to your Affordability Passport, Yodlee collects and securely stores the login credentials you share. This information is never stored by, or disclosed to, us and Yodlee will not store this information for longer than is necessary to allow us to access your Financial Data for the purpose of providing the Service.\n\nFor further information on how Yodlee keeps your information secure, please visit https://www.yodlee.com/legal/yodlee-security/ . Yodlee are headquartered in the USA. They have provided account aggregation to top UK And USA financial institutions for more than 15 years. Castlight has a contract with Yodlee which requires Yodlee to be bound by our privacy policy and to meet the requirements of the Data Protection Act and General Data Protection Regulations in just the same way it applies to us.\n\nWe collect information from Credit Reference Agencies on your behalf. If you register to use our services, we will obtain your credit report from one or more Credit Reference Agencies on your behalf. This information will be provided inside your Affordability Passport. If you require further information on the Credit Reference Agency we use to obtain your credit report, please contact us on the details set out in clause 1.\n\nCredit Reference Agencies collect and maintain information about consumers’ and businesses’ credit behaviour. This includes Electoral Register, fraud prevention, and credit information (including details of previous applications and the conduct of your bank accounts) and public information such as County Court Judgements, decrees, and bankruptcies. 
Credit Reference Agencies may form a link between any previous or subsequent names that you use in the records they hold about you\n\nIf you would like details of the credit reference agencies from which we obtain information about you, please contact us."
},
"retentionRules": {
"isMissing": false,
"specificityCategory": "general",
"specificityTime": "general",
"sourceText": "We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.\n\nTo determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.\n\nAn Affordability Passport expires 30 days after it has been created and is thereafter automatically erased from the Castlight system, though we may retain a unique identification number relating to that Affordability Passport which will be linked to your profile. In some circumstances we may anonymise and aggregate your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.\n\nIn some circumstances you can ask us to delete your data: see Request erasure below for further information."
},
"lawfulBases": {
"isMissing": false,
"contract": "- To register you as a new customer and create and store an “Affordability Passport”\n- To manage their relationship with you\n- Notifying you about changes to their terms or privacy policy",
"legalObligation": "- Notifying you about changes to our terms or privacy policy\n- To administer and protect our business and this website ",
"legitimateInterests": "- Asking you to leave a review or take a survey\n- To administer and protect their business and this website\n- To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising\n- To use data analytics to improve their website, products/services, marketing, customer relationships and experiences\n- To make suggestions and recommendations to you about goods or services that may be of interest",
"observations": "They often appear to rely on several lawful bases for the same activity, which isn't wrong but is unusual in the sector."
},
"securityStandards": {
"specificity": "general"
},
"dataProcessingAddendum": {
"present": "not_present"
},
"privacyShield": {},
"dataProtectionRegister": {},
"automatedDecisionMaking": {
"usesAutomatedDecisionMaking": "unknown"
},
"complaintInformation": {
"present": "present",
"observations": "Castlight says they would like you to contact them first before approaching the Information Commissioner. This is reasonable.",
"specificity": "specific",
"sourceText": "You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance."
},
"presentation": {
"plainLanguage": "pass",
"easyToFind": "pass",
"easyToFindInside": "pass"
}
}