Monument Bank Limited respects your privacy and is committed to protecting your personal data. This Privacy Notice sets out how we look after and use your personal data, as a client, or potential client, the representative of one of our clients, or as a member of a Monument community or Monument programme that you agree to join when you use or access www.monument.co and any of its pages (“Website”), or the Monument App (“App”). It also provides information about your privacy rights and explains how the law provides protection for you.
By using or accessing www.monument.co and any of its pages (“Website”), or the Monument App (“app”), you agree to the collection, use and disclosure of information in accordance with this Privacy Notice.
We keep our Privacy Notice under regular review and it may change from time to time so please check this page periodically for updates, as any changes may become effective immediately.
This page was last updated on 16 November 2023.
Important information and who we are
This Privacy Notice gives you information on how we collect and process your personal data if we provide a product or service to you or a legal entity to which you are financially linked, including any data you may provide when you apply for, purchase, or use a financial product or other service from us.
Our products and services are not intended for children, and we do not knowingly collect data relating to children.
If your application is on behalf of a business, you require another individual to have access to your products or services, or as part of our Know Your Customer checks, we may also require personal data about relevant individuals linked to the business or you. This includes guarantors, directors, officers, powers of attorney holders, beneficial owners or other persons financially linked or otherwise connected to you. You must provide this Privacy Notice to all relevant individuals and ensure they know that you are sharing their personal data for the purposes of providing a product or service to you.
Without sufficient personal data we may be unable to provide you with a product or service or to process your application. This includes collecting personal data as required by law. Where we already have your personal data, we will endeavour to avoid collecting it again, but there will be times when we ask you to confirm that your personal data remains up to date.
We have written this Privacy Notice to be as clear and concise as possible. In some sections we have written a short summary followed by further detail. Please read it carefully.
Our Website and App may contain links to other websites or applications. If you follow these links, please note that each destination may allow third parties to collect or share data about you and each may have their own ways of handling your personal data. We do not control these third-party websites and are not responsible for their privacy notices. We therefore recommend that you review their privacy notices as we cannot be responsible or accept liability for these.
We are Monument Bank Limited, registered in England (10921940) and our registered office is 33 Cavendish Square, London, W1G 0PW. We are registered with the UK Information Commissioner’s Officer (ICO) as a data controller (Registration number ZA475288). We are the controller and responsible for your personal data.
Our approach to privacy
We appreciate the value of your personal data. We respect your privacy and reflect that in the way we handle and protect your data.
We will not send you direct marketing without your permission. We will seek your permission and you will always have the option to ‘opt-out’ or change your preferences.
Please also review our Website Terms (on our Website) and our other Terms and Conditions for the relevant products or services which you have with Monument and which set out the terms on which we allow use of our Website and App respectively, and also the applicable disclaimers and limitations of liability.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
What personal data do we collect?
Summary: We may collect, use, store, and transfer personal data about you through our interactions. For example, when visiting and using our Website, when you open, register with and use the App, if you get in touch with us by e-mail or other channels or if you have an account with us. The type and volume of personal data we collect will depend on the nature of our interaction and can include personal data.
- We may collect, use, store and transfer different kinds of personal data about you. Personal data is any information that we can use to identify you for example your name, date of birth or address. It does not include data where the identity has been removed (anonymous data).
- We collect the following data:
- Basic Personal Information. Including name and address, contact details and date of birth.
- Financial information. This includes personal data about your financial position, status and history, including your tax residency. It also includes the sort code and account number for your other UK bank accounts.
- Account activity data. This includes personal data about your relationship with us, including the products and services you use, and your transactions.
- Know Your Customer (KYC) information. This includes documentary evidence we may ask you to provide (which may include personal data about relevant individuals linked to you) and personal data from investigations we conduct such as due diligence checks, sanctions and anti-money laundering checks.
- Chat and call recordings. This includes chat, audio and video conversations when you contact our client servicing team.
- Diagnostic data. This includes analytics related to the performance and stability of our App.
- Device and location data. Personal data about your approximate location using details like your IP address and device ID for security reasons. Technical information about your device including unique device identifiers, device model information, mobile browser information and operating system version.
- User research data. Personal data about your financial experience disclosed through your participation in a research study.
- You are required to keep your important information with us up to date – for example your contact and identity details and your tax residency.
- There may be times when the personal data we collect, use, store, or transfer about you includes sensitive personal data, such as information relating to political opinions, criminal convictions, allegations, investigations and proceedings to conduct our KYC checks. We will only hold sensitive data when we need to for the purposes of the product or services we provide and where we are legally required or permitted to do so.
- Personal data that we will collect from you during the account and product opening process will be shared with fraud prevention agencies. They will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your personal data will be used by us and these fraud prevention agencies, and your data protection rights, can be found below.
How we use this personal data and why?
- Data protection laws require that we ensure that your personal data is processed lawfully, fairly, and transparently, without adversely affecting your rights.
- We will only process your personal data:
- to fulfil a contract with you (this includes any steps prior to entering a contract), and where processing is required as part of that contract for example:
- to consider your application to open an account with us;
- to provide you with services in line with our terms and conditions;
- to meet our legal obligations, for example:
- for Know Your Customer (KYC) purposes which includes assisting with the prevention of fraud and money laundering, and to verify your identity;
- to fulfil our regulatory obligations and business requirements by keeping records of calls, correspondence and our business activities and archiving and backing up data;
- to meet tax, legal and auditing obligations;
- for our legitimate interest (or those of a third party), when this does not override your privacy rights, for example:
- to respond to any questions and queries you may have when you contact us;
- to improve our Website's performance, security and functionality in order to enhance your browsing experience;
- to maintain the security of our products and services in our App;
- to analyse how our App works and resolve any issues;
- to assess, improve and monitor the use, performance and effectiveness of our products and services;
- to prevent fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us.
- to analyse market trends and user preferences to test and evaluate our existing products, and research potential new products and services;
- to support in the development of our staff so that we can maintain the quality of our products and services;
- if we have your consent, for example (and where required):
- to keep you up to date with our latest news and updates including introduction of new products and services, should you wish to stay in touch;
- to communicate with you by email as a participant in any community or programme we establish from time to time and which you join with the purpose of keeping updated on our news, products and services; you can always unsubscribe;
- to conduct user research interviews, with you or through a partnership with our research partners. We anonymise all our notes, which means that your personal data will not be linked with the notes we take. We may also publish research reports that include your comments, but no personal data will be included;
- where necessary to protect the vital interests of you or of another natural person. We do not anticipate processing your personal data routinely on this basis, however there may be rare occasions where it is necessary to process your personal data to protect someone’s life.
- In some instances, it may be appropriate for us to combine your personal data with other personal data that we may be holding about you, such as combining your e-mail address with your use of our Website and App.
Where do we collect your personal data from?
We may use different methods to collect or receive your information including:
We may use different methods to collect or receive your personal data including:
- When you visit our Website or download and use the App:
- if you apply for any products and services from us;
- if you sign up to receive updates from us;
- through cookies.
- From brokers and other third parties that are acting on your behalf.
- If you interact with us through a social media platform.
- From third parties whose products and services you have or may have used following an introduction to them by Monument or through use of our products and services more generally.
- From other organisations such as credit reference and fraud prevention agencies, providers of identity and verification checks, security providers, data aggregators, comparison websites.
- When you write to us by letter, e-mail, chat or contact us by telephone (including in-app audio and video calls).
- Where you provide personal data about other people to which you are financially linked.
- When we search public sources, such as the internet or news reports, social networks, the electoral register and Companies House.
- From regulators or law enforcement agencies.
- If you take part in a competition or promotion.
- Personal data we get from analysing your financial situation and transaction history.
- If you participate in our surveys or research, including remote or face to face interviews.
- If you join our community by signing up through our Website.
Who do we share your personal data with?
Summary: In order to conduct our business and provide services and products to you, we may need to share your data with other people and businesses that assist us. We may also need to share your data in order to identify potential financial crime, where we are under legal or regulatory obligation to do so or when you ask us to.
We do not sell your information to any third party organisations.
- We may disclose your personal data to:
- Credit Reference Agencies;
- Fraud Prevention Agencies;
- Know your customer (KYC) service providers including to verify your identity;
- Third parties you give us permission to share it with including those third parties whose products and services you have or may have used following an introduction to them by Monument or through use of our products and services more generally;
- Suppliers that are required for the functionality of our Website;
- HM Revenue and Customs, government, legal, regulatory and other statutory bodies and authorities;
- Market research agencies acting on our behalf;
- Anybody else that we’ve been instructed by you to share your personal data with, or anybody else who provides instructions or operates any of your accounts on your behalf;
- Cloud computing power and storage providers;
- Google Analytics and Google Tag Manager, provided we have your consent to store cookies. By default, tracking logs are retained for up to 14 months;
- Firebase by Google when you opt to use push notifications in our App or when we are analysing app diagnostics or usage data.
- Software companies who power our technology and enable us to deliver our products and services such as our client relationship manager provider;
- Software that helps us get in touch and support you such as our client engagement channel;
- The Direct Debit Scheme, if you use direct debits;
- Other lenders who also hold a charge on the asset, if you have a secured loan with us;
- Companies that help us with functional analytics (to help us solve technical issues with the Website for instance);
- Other companies that assist in recovering debt; and
- Our professional advisors and auditors.
- We may also share your personal data with other organisations if we sell, transfer, or merge parts of the business or our assets, or if we seek to acquire other businesses or merge with them. If any such change to our business happens, these other parties may then use your personal data in the same way as set out in this Privacy Notice.
- Where we share your data, we will take reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, our obligations, and the obligations of the third party under relevant data protection laws.
- Fraud prevention agencies
- The personal data we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment.
- Fraud prevention agencies like Cifas, may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
- Where we share personal data about you with Cifas, it will process that personal data in accordance with its Fair Processing Notice, a copy of which can be found at: https://www.cifas.org.uk/fpn.
- Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
- Credit reference agencies
- If you apply for a new product or service from us, we may perform credit and identity checks on you and certain individuals connected to you or your business with one or more credit reference agencies (“CRAs”) or data aggregators. We may also make periodic searches at CRAs to manage your account with us and to detect and prevent fraud.
- To do this, we will supply your personal data to CRAs and they will give us personal data about you. This may include personal data from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
- We'll use this personal data to comply with our legal duties or our requirements to:
- verify the accuracy of the personal data you have provided to us;
- help detect and prevent fraud and money laundering;
- assess your application for a credit product against our lending criteria;
- confirm identities;
- manage your account(s) with us;
- trace and recover debts;
- We will go on sharing your personal data with CRAs for as long as you have a lending relationship with us. This will include details of your repayments and whether you repay in full and on time. We will also tell the CRAs when you settle your accounts with us. The CRAs may give this personal data to other organisations that want to check your financial status.
- When we ask CRAs about you or your business, they will note it on your credit file, they will place a search footprint on your credit file that may be seen by other organisations. The type of footprint left is dependent upon the search that is conducted. This is called a credit search.
- If you are making a joint loan application, or tell us that you have a spouse or financial associate, we may link your records together, so you should make sure you discuss this with them, and share with them this personal data, before submitting the application.
- Once you register with us as a client and for as long as you’re a client, we’ll exchange details about you with CRAs to help detect fraud and money-laundering risks.
- We or a CRA (in their fraud prevention role) may allow law enforcement agencies to access your personal data. This is to support their duty to detect, investigate, prevent and prosecute crime.
- CRAs use and control your personal data for their own purposes in accordance with their own privacy policies. To find out more about how they use your personal data, including how your data is shared and your data protection rights with them, please visit Equifax Credit Reference Agency Information Notices.
Where do we store your information?
Summary: Where your personal data is sent outside the UK and EEA, we will apply measures to protect it.
- We may store or transfer data to other countries which have data protection laws that are different to the laws of your country (and in some cases, may not be as protective).
- Where we transfer your personal data to countries and territories outside of the European Economic Area and the UK, we rely on adequacy decisions from the relevant governmental bodies.
- Where the transfer is not subject to an adequacy decision, we have taken all reasonable steps to ensure that your data is treated as safely and securely as it would be within the EEA and the UK under data protection laws. Such steps may include, but not be limited to, legally binding contractual terms (or Standard Contractual Clauses) between us and any third parties we engage with. These are available on request, subject to the redaction of commercially sensitive information.
Summary: Data security is of great importance to us, and to protect your data we have put in place strict procedures and security features to try to prevent unauthorised access and use of your data.
- We have put in place strict procedures and appropriate security features to try to prevent unauthorised use of or access to your data and to prevent your personal data from being lost. This includes physical, electronic and managerial procedures to safeguard and secure data collected, including back up procedures, usernames and passwords. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know and are subject to appropriate agreements.
- We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
- Notwithstanding the security measures that we take, it is important to remember that the transmission of data via the internet may not be completely secure. You are advised to take suitable precautions when transmitting to us data via the internet and you take the risk that any sending of that data turns out to be not secure despite our efforts.
How long do we store your personal data?
Our policy is to store personal data for no longer than needed for the purposes for which we collect it; unless we are required to keep it for a longer period of time to ensure we comply with our legal and regulatory requirements as a bank. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
This means the exact length of time will depend on our relationship and the type(s) of interaction we are involved in:
- If you browse our Website, we will hold your cookie data for a maximum of 90 days
- If you have an account with us, we will keep your personal data for as long as you have any open account and for a further 6 years after its closure (and in some cases for longer, but only if we have a lawful basis to do so).
- If you submit an application for a Monument account and/or service but do not accept the relevant terms and conditions to become a client, we will keep your personal data for 6 months (or in some cases for longer, but only if we have a lawful basis to do so).
- If you use our App, device and technical identifiers are stored for 180 days and usage data for 14 months.
- If you participate in our research and surveys, we will hold your personal data for a maximum of 6 months after which it will be anonymised or be deleted.
- If you participate in a recorded research interview, we will hold the audio recording for a maximum of 6 months.
- If you subscribe to receive by email our latest news and updates, including the introduction of new products and services, as a member of any community or programme we establish and you join, we will ask for subscription renewals every 2 years. If we do not hear from you, we will take reasonable steps to delete your data as soon as we can.
- If you have e-mailed us for feedback or to inquire about a particular matter, we will hold your personal data for a maximum of 6 months since our last interaction.
- Credit reference agencies and fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
- In some circumstances you can ask us to delete your data: see “Your rights” below for further information.
- In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this personal data indefinitely without further notice to you.
Summary: You have certain rights under data protection laws. This includes the right to request access to your personal data, to manage it and to request us to delete or transfer personal data about you or restrict the way it is used. You also have a right to complain. To do any of these things, please contact us. Please also contact us whenever your circumstances change – having accurate data enables us to deliver the best possible client service.
- When you submit personal data to us, including via our Website or the App, you may be given options to restrict our use of your data. We aim to give you strong controls on our use of your data (including the ability to opt-out of receiving communications, other than service communications, from us which you may do by unsubscribing using the email address provided above and/or through the settings in our App). Please note that this may, however, impact your experience.
- Under data protection laws you have the right to:
- request access to, deletion of or correction of your personal data held by us;
- request that your personal data be copied or transferred to another person (data portability);
- be informed of what data processing is taking place;
- ask us to restrict processing,
- withdraw any consent you have given us;
- object to processing of your personal data;
- complain to a supervisory authority; and
- ask a member of staff to review any computer-made (automated) decision.
- You have the right to ask us not to process your personal data for marketing purposes and in certain other ‘legitimate interest’ circumstances.
- Please note that there may be a few circumstances where we cannot ‘delete’ or block your data, for example:
- where we are required to retain it by law;
- where your personal data may be impossible to permanently delete. If this is not reasonably possible, we will put that personal data beyond reasonable use; and
- where you have shared your personal data with others and therefore made it public.
- You will not have to pay us a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
- We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
- We try to respond to all legitimate requests within one month. Occasionally we may need an additional two months if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
How to contact us or make a complaint?
If you have any questions about this Privacy Notice or any of our privacy practices, the personal data we hold on you, or you would like to exercise one of your legal rights in relation to your personal data, please do not hesitate to contact us.
If you have a complaint about how we use your personal data we will do our best to fix the problem. If you are still not happy, you can refer your complaint to a data protection supervisory authority in the EU, country you live or work, or where you think a breach has happened. The UK’s supervisory authority is the Information Commissioner’s Office (ICO). For more details, you can visit their website at ico.org.uk.
Find out more about our complaints process here.
For the purposes of data protection laws, the data controller is Monument Bank Limited, company number 10921940, and we have our registered office at 33 Cavendish Square, London, W1G 0PW.