Introduction

Monument Bank Limited respects your privacy and is committed to protecting your personal data. This Privacy Notice sets out how we look after and use your personal data, as a client, or potential client, the representative of one of our clients, or as a member of a Monument community or Monument programme that you agree to join. It also provides information about your privacy rights under relevant laws and explains how the law provides protection for you.

By using or accessing www.monument.co and any of its pages (“Website”), or the Monument App (“app”), you agree to the collection, use and disclosure of information in accordance with this Privacy Notice. This may change from time to time so please check this page periodically for updates, as any changes may become effective immediately.

Important information and who we are

This Privacy Notice gives you information on how we collect and process your personal data if we provide a product or service to you or a legal entity to which you are financially linked, including any data you may provide when you apply for, purchase or use a financial product or other service from us.

Our products and services are not intended for children and we do not knowingly collect data relating to children.

If you are an applicant for a role with us or a colleague, please refer to our Applicant and Colleague Privacy Notice. If you are a third-party, please refer to our Third-Party Privacy Notice.

If your application is on behalf of a business, or you require another individual to have access to your products or services, we will also require personal data about relevant individuals linked to the business or you. This includes guarantors, directors, officers, powers of attorney holders and beneficial owners. You must provide this privacy notice to all of the relevant individuals and ensure they know that you are sharing their personal data for the purposes of providing a product or service to you.

Without sufficient personal data we may be unable to provide you with a product or service or to process your application. This includes collecting information as required by law. Where we already have your information, we will endeavour to avoid collecting it again, but there will be times when we ask you to confirm that your information remains up to date.

We have drafted this Privacy Notice to be as clear and concise as possible. In some sections we have written a short summary followed by further detail. Please read it carefully.

Our Website and app may contain links to other websites or applications. If you follow these links, please note that each destination may allow third parties to collect or share data about you and each may have their own ways of handling your information. We do not control these third-party websites and are not responsible for their privacy notices. We therefore recommend that you review their privacy notices as we cannot be responsible or accept liability for these.

We are Monument Bank Limited, registered in England (10921940) and our registered office is 33 Cavendish Square, London, W1G 0PW. We are registered with the UK Information Commissioner’s Officer (ICO) as a as a data controller (Registration number ZA475288). We are the controller and responsible for your personal data.

Our approach to privacy

We appreciate the value of your personal information. We respect your privacy and reflect that in the way we handle and protect your data.

We will never send you direct marketing without your permission. We will seek your permission and you will always have the option to ‘opt-out’ or change your preferences.

We use cookies and similar technologies in our app and website, so please ensure you have read our Cookie Policy.

Please also review our Website Terms (on our Website) and our General Savings Terms (in our app) which set out the terms on which we allow use of our Website and app respectively, and also the applicable disclaimers and limitations of liability.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

We keep our Privacy Notice under regular review. This page was last updated on 24th January 2023.

What personal information do we collect?

Summary: We may collect, use, store and transfer information about you through our interactions. For example, when visiting and using our Website, when you open, register with and use the app, if you get in touch with us by e-mail or other channels or if you have an account with us. The type and volume of information we collect will depend on the nature of our interaction and can include personal information.

The details:

• We may collect, use, store and transfer different kinds of personal data about you. Personal data is any information that we can use to identify you for example your name, date of birth or address. It does not include data where the identity has been removed (anonymous data).
• We collect the following data:
  • Basic Personal Information. Including name and address, contact details and date of birth.
  • Financial information. This includes information about your financial position, status and history, including your tax residency. It also includes the sort code and account number for your other UK bank accounts.
  • Account activity data. This includes information about your relationship with us, including the products and services you use, and your transactions.
  • Know your client information. This includes documentary evidence we may ask you to provide and information from investigations we conduct such as due diligence checks, sanctions and anti-money laundering checks.
  • Chat and call recordings. This includes chat, audio and video conversations when you contact our client servicing team.
  • Diagnostic data. This includes analytics related to the performance and stability of our app.
  • Device and location data. Information about your approximate location using details like your IP address and device ID for security reasons. Technical information about your device including unique device identifiers, device model information, mobile browser information and operating system version.
  • User research data. Information about your financial experience disclosed through your participation in a research study.
• You are required to keep your important information with us up to date – for example your contact and identity details and your tax residency.
• There may be times when the information we collect, use, store or transfer about you includes sensitive personal data, such as information relating to racial or ethnic background, criminal convictions or legal proceedings. We will only hold this data when we need to for the purposes of the product or services we provide or where we are legally required to do so. We will always seek your explicit consent to process sensitive personal data.
• Personal information that we will collect from you during the account opening process will be shared with fraud prevention agencies. They will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found below.

How we use this information and why?

Summary: We collect and use your data to consider your application to access our products and services, to provide those products and services, and to provide you access to any community or programme we establish from time and which you join, . We also use cookies to improve our website. In all circumstances, we will comply with data protection laws.

The details:

• Applicable Data Protection and Privacy Legislation require that we ensure that your personal data is processed lawfully, fairly, and transparently, without adversely affecting your rights.
• We will only process your personal data:
  • to fulfil a contract with you (this includes any steps prior to entering a contract), for example:
    • to consider your application to open an account with us;
    • provide you with services in line with our terms and conditions;
  • to meet our legal obligations, for example:
    • to know our clients which includes assisting with the prevention of fraud and money laundering, and to verify your identity;
    • to fulfil our regulatory obligations and business requirements by keeping records of calls, correspondence and our business activities and archiving and backing up data;
    • to meet tax, legal and auditing obligations;
  • for our legitimate interest (or those of a third party), when this does not override your privacy rights, for example:
    • to respond to any questions and queries you may have when you contact us;
    • to improve our Website's performance, security and functionality in order to enhance your browsing experience;
    • to maintain the security of your products and services in our app;
    • to analyse how our app works and resolve any issues;
    • to assess, improve and monitor the use, performance and effectiveness of our products and services;
    • to prevent fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us;
    • to analyse market trends and user preferences to test and evaluate our existing products, and research potential new products and services;
    • to support in the development of our staff so that we can maintain the quality of our products and services;
  • if we have your consent, for example:
    • to keep you up to date with our latest news and updates including introduction of new products and services, should you wish to stay in touch;
    • to communicate with you by email as a participant in any community or programme we establish from time to time and which you join with the purpose of keeping updated on our news, products and services ; you can always unsubscribe;
    • to conduct user research interviews, with you or through a partnership with our research partners. We anonymise all our notes, which means that your personal data will not be linked with the notes we take. We may also publish research reports that include your comments, but no personal data will be included;
  • where necessary to protect the vital interests of you or of another natural person. We do not anticipate processing your personal data routinely on this basis, however there may be rare occasions where it is necessary to process your personal data to protect someone’s life.
• In some instances, it may be appropriate for us to combine your information with other information that we may be holding about you, such as combining your e-mail address with your browsing history.

Automated decision.

We may use your data (including data we collect from third parties) to make automated decisions about you.

• As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us at service@monument.co.
• If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services, financing or in the future employment to you, or we may stop providing existing services to you.
• A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, servicing or employment to you. If you have any questions about this, please contact us at service@monument.co.

Where do we collect your information from?

We may use different methods to collect or receive your information including:

• When you visit our Website or download and use the app:
  • if you apply for any products and services from us;
  • if you sign up to receive updates from us;
  • through cookies.
• From brokers and other third parties that are acting on your behalf.
• If you interact with us through a social media platform.
• From third parties whose products and services you have or may have used following an introduction to them by Monument or through use of our products and services more generally.
• From other organisations such as credit reference and fraud prevention agencies, providers of identity and verification checks, security providers, data aggregators, comparison websites..
• When you write to us by letter, e-mail, chat or contact us by telephone (including in-app audio and video calls).
• Where you provide information about other people to which you are financially linked.
• When we search public sources, such as the internet or news reports, social networks, the electoral register and Companies House.
• From regulators or law enforcement agencies.
• If you take part in a competition or promotion.
• Information we get from analysing your financial situation and transaction history.
• If you participate in our surveys or research, including remote or face to face interviews.
• If you join our community by signing up through our website.

Who do we share your information with?

Summary: In order to conduct our business and provide services and products to you, we may need to share your data with other people and businesses that assist us. We may also need to share your data in order to identify potential financial crime or where we are under legal or regulatory obligation to do so.

We do not sell your information to any third party organisations.

The details:

• We may disclose your personal information to:
  • Credit Reference Agencies;
  • Fraud Prevention Agencies;
  • Know your customer (KYC) service providers including to verify your identity;
  • Third parties you give us permission to share it with including those third parties whose products and services you have or may have used following an introduction to them by Monument or through use of our products and services more generally;
  • Suppliers that are required for the functionality of our Website;
  • HM Revenue and Customs, government, legal, regulatory and other statutory bodies and authorities;
  • Market research agencies acting on our behalf;
  • Anybody else that we’ve been instructed by you to share your information with, or anybody else who provides instructions or operates any of your accounts on your behalf;
  • Cloud computing power and storage providers;
  • Google Analytics and Google Tag Manager, provided we have your consent to store cookies. By default, tracking logs are retained for up to 14 months;
  • Firebase by Google when you opt to use push notifications in our app or when we are analysing app diagnostics or usage data.
  • Software companies who power our technology and enable us to deliver our products and services such as our client relationship manager provider;
  • Software that helps us get in touch and support you such as our client engagement channel;
  • Direct Debit Scheme, if you use direct debits;
  • Other lenders who also hold a charge on the asset, if you have a secured loan with us;
  • Companies that help us with functional analytics (to help us solve technical issues with the Website for instance);
  • Other companies that assist in recovering debt; and
  • Our professional advisors and auditors.
• We may also share your information with other organisations if we sell, transfer, or merge parts of the business or our assets, or if we seek to acquire other businesses or merge with them. If any such change to our business happens, these other parties may then use your information in the same way as set out in this privacy notice.
• Where we share your data, we will take reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, our obligations, and the obligations of the third party under relevant Data Protection Legislation.
• Fraud prevention agencies
  • The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment.
  • Fraud prevention agencies like Cifas, may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
  • Where we share personal data about you with Cifas, it will process that personal data in accordance with its Fair Processing Notice, a copy of which can be found at: https://www.cifas.org.uk/fpn.
  • Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
• Credit reference agencies
  • If you apply for a new product or service from us, we may perform credit and identity checks on you and certain individuals connected to you or your business with one or more credit reference agencies (“CRAs”) or data aggregators. We may also make periodic searches at CRAs to manage your account with us and to detect and prevent fraud.
  • To do this, we will supply your personal information to CRAs and they will give us information about you. This may include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
  • We'll use this information to comply with our legal duties or our requirements to:
    • verify the accuracy of the information you have provided to us;
    • help detect and prevent fraud and money laundering;
    • assess your application for a credit product against our lending criteria;
    • confirm identities;
    • manage your account(s) with us;
    • trace and recover debts;
  • We will go on sharing your personal information with CRAs for as long as you have a lending relationship with us. This will include details of your repayments and whether you repay in full and on time. We will also tell the CRAs when you settle your accounts with us. The CRAs may give this information to other organisations that want to check your financial status.
  • When we ask CRAs about you or your business, they will note it on your credit file, they will place a search footprint on your credit file that may be seen by other organisations. The type of footprint left is dependent upon the search that is conducted. This is called a credit search.
  • If you are making a joint loan application, or tell us that you have a spouse or financial associate, we may link your records together, so you should make sure you discuss this with them, and share with them this information, before submitting the application.
  • Once you register with us as a client and for as long as you’re a client, we’ll exchange details about you with CRAs to help detect fraud and money-laundering risks.
  • We or a CRA (in their fraud prevention role) may allow law enforcement agencies to access your personal information. This is to support their duty to detect, investigate, prevent and prosecute crime.
  • CRAs use and control your personal data for their own purposes in accordance with their own privacy policies. To find out more about how they use your information, including how your data is shared and your data protection rights with them, Equifax Credit Reference Agency Information Notices.

Where do we store your information?

Summary: We try to ensure that we do not send your information outside the UK and EEA, however, sometimes this is not possible.

The details:

• If we do store or transfer data outside the EEA, we will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the EEA and under the Data Protection Legislation. Such steps may include, but not be limited to, legally binding contractual terms between us and any third parties we engage with and the use of the standard contractual clauses.
• By giving us your personal data, you agree to this arrangement.

Data security

Summary: Data security is of great importance to us, and to protect your data we have put in place strict procedures and security features to try to prevent unauthorised access.

The details:

• We have put in place strict procedures and appropriate security features to try to prevent unauthorised use of or access to your data and to prevent your personal data from being lost. This includes physical, electronic and managerial procedures to safeguard and secure data collected, including back up procedures, usernames and passwords. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality and, where applicable, data processing agreements.
• We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
• Notwithstanding the security measures that we take, it is important to remember that the transmission of data via the internet may not be completely secure. You are advised to take suitable precautions when transmitting to us data via the internet and you take the risk that any sending of that data turns out to be not secure despite our efforts.

How long do we store your information?

Our policy is to store personal data for no longer than needed for the purposes for which we collect it; unless we are required to keep it for a longer period of time to ensure we comply with our legislative and regulatory requirements as a bank. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

This means the exact length of time will depend on our relationship and the type(s) of interaction we are involved in:

• If you browse our website, we will hold your cookie data for a maximum of 90 days
• If you have an account with us, we will keep your information for as long as you have any open account and for a further 6 years after its closure (and in some cases for longer, but only if we have a lawful basis to do so).
• If you submit an application for a Monument account and/or service but do not accept the relevant terms and conditions to become a client, we will keep your information for 6 months (or in some cases for longer, but only if we have a lawful basis to do so).
• If you use our app, device and technical identifiers are stored for 180 days and usage data for 14 months.
• If you participate in our research and surveys, we will hold your information for a maximum of 6 months after which it will be anonymised or be deleted.
• If you participate in a recorded research interview, we will hold the audio recording for a maximum of 6 months.
• If you subscribe to receive by email our latest news and updates, including the introduction of new products and services, as a member of any community or programme we establish and you join, we will ask for subscription renewals every 2 years. If we do not hear from you, we will take reasonable steps to delete your data as soon as we can.
• If you have e-mailed us for feedback or to inquire about a particular matter, we will hold your personal information for a maximum of 6 months since our last interaction.
• Credit Reference agencies and fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
• In some circumstances you can ask us to delete your data: see Section 9 “Your rights” below for further information.
• In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your rights

Summary: You have certain rights under data protection legislation. This includes the right to request access to your information, to manage it and to request us to delete or transfer information about you or restrict the way it is used. You also have a right to complain. To do any of these things, please contact us by e-mail on service@monument.co. Please also contact us whenever your circumstances change – having accurate data enables us to deliver the best possible client service.

The details:

• When you submit information to us, including via our Website or the app, you may be given options to restrict our use of your data. We aim to give you strong controls on our use of your data (including the ability to opt-out of receiving communication, other than service communications, from us which you may do by unsubscribing using the email address provided above and/or through your app settings). Please note that this may, however, impact your experience.
• Under data protection legislation you have the right to:
  • request access to, deletion of or correction of, your personal data held by us at no cost to you;
  • request that your personal data be copied or transferred to another person (data portability);
  • be informed of what data processing is taking place;
  • restrict processing, for example, withdrawing any consent you have given us;
  • object to processing of your personal data;
  • complain to a supervisory authority; and
  • ask a member of staff to review a computer-made (automated) decision.
• You have the right to ask us not to process your personal data for marketing purposes and in certain other ‘legitimate interest’ circumstances. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes.
• Please note that there may be a few circumstances where we cannot ‘delete’ or block your data, for example:
  • where we are required to retain it by law;
  • where your information may be impossible to permanently delete. If this is not reasonably possible, we will put that information beyond reasonable use; and
  • where you have shared your information with others and therefore made it public.
• You will not have to pay us a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
• We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
• We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

How to contact us or make a complaint?

If you have any questions about this Privacy Notice or any of our privacy practices, the personal data we hold on you, or you would like to exercise one of your legal rights in relation to your personal data, please do not hesitate to contact us on service@monument.co.

If you have a complaint about how we use your personal information, we will do our best to fix the problem. If you are still not happy, you can refer your complaint to a data protection supervisory authority in the EU, country you live or work, or where you think a breach has happened. The UK’s supervisory authority is the Information Commissioner’s Office (ICO). For more details, you can visit their website at ico.org.uk.

For the purposes of the data protection laws, the data controller is Monument Bank Limited, company number 10921940, and we have our registered office at 33 Cavendish Square, London, W1G 0PW.