Version: 1.0 - 17th Aug 2020
Who are we?
We’re Curve OS Limited, registered in the UK with company number 09523903 (we, us, our), but you’ll know us better as Curve. When you choose Curve, you choose a company that is committed to protecting your data. As well as bringing you financial freedom, we’re here to provide transparency about your personal information - which is just what this privacy notice is for.
Curve is your data controller which means we’re responsible for your data. We’re registered with the UK Information Commissioner’s Officer with reference ZA135276 and our Data Protection Officer is Electra Japonas, email address.
Got questions? Just drop our friendly customer support team a line at email@example.com or get in touch via the Curve app.
What information do we collect about you?
Date of birth
ID document details
Employment status and industry
Details of the underlying payment card(s) added to your Curve account and your Curve card including your card number, expiring date, CVV number, name and billing address
Details of your credit history held at credit reference agencies
Home and shipping address
Information about your transactions and purchases
Internet Protocol (IP) address used to connect your computer/mobile device to the internet location, model of your phone, Geo-location
Your communication preferences, social media handles, feedback, survey and questionnaire responses.
When you connect your Curve account with a non-Curve (third party) service, your account username held at the third-party service
Aggregated data such as statistical or demographic data. This means your data is bundled up with other people’s data and you aren’t identifiable as an individual. However, if you are identifiable, that information will be treated in accordance with this policy
Where do we get your information from?
Direct interactions, including when you:
Create an account
Use the product, including features like Curve Send
Contact us or provide feedback
Automatic collection by us, including:
Technical data from your electronic devices, browsing actions and patterns.
This is collected using cookies, server logs and similar technologies.
From third parties or publicly available information, including:
Payment services and e-wallet providers
Customer service providers
Credit reference agencies
What do we use your information for?
We’ll only use your data to help provide the best product experience possible and where it's lawful to do so:
Purpose: Signing you up as a Curve customer and creating your account.
Data: Identity, Contact, Financial, Device
Lawful basis: Contract, Legal obligation (the law requires us to verify your identity)
Purpose: Confirm your identity and help prevent fraud
Data: Identity, Contact, Financial, Transaction, Device, Third-party service
Lawful basis: Legal obligation, Legitimate interests (to ensure we use the best fraud prevention providers when performing our services)
Purpose: Provide you with Curve products and services and manage your account
Data: Identity, Contact, Financial, Transaction, Third-party service
Lawful basis: Contract, Legitimate interests (to provide you with services and recover fees)
Purpose: Process your payment transactions, including Curve Send
Data: Identity, Contact, Financial, Transaction, Device, Third-party service
Lawful basis: Contract, Legal obligation, Legitimate interests (to facilitate transactions and maintain integrity of Curve systems)
Purpose: Provide you third-party services, including Samsung Pay
Data: Identity, Financial, Transaction, Third-party service, Profile
Lawful basis: Contract, Consent (for profile data)
Purpose: Manage our relationship, including updates to our terms and providing top-notch customer support
Data: Identity, Contact, Transaction, Profile, Device
Lawful basis: Contract, Legal obligation, Legitimate interests (to keep our records updated, delight our customers and improve our product)
*Please note we may record your calls with our customer services team for training and monitoring purposes.
Purpose: Improve our services and troubleshoot
Data: Identity, Contact, Device
Lawful basis: Legitimate interests (to delight our customers and improve our products)
Purpose: Suggest goods, services, programmes or activities that may be of interest to youData: Identity, Contact, Device, Profile, Financial
Lawful basis: Legitimate interests (to develop our product offering and grow our business).
Purpose: Send you marketing communications
Data: Identity, Contact, Profile
Lawful basis: Legitimate interests (to ensure you are kept up to date with our services)
Purpose: Comply with regulations and legal obligations
Data: Identity, Contact, Financial
Lawful basis: Legal obligation
We’ll only ever use your personal data for the purpose we collected it or a similar, connected purpose. If we ever need to use your information for an unrelated purpose, we’ll let you know and explain why. We may also be required by law to process your personal data without your knowledge or consent.
Who do we share your data with and why?
When we share data with third parties, they can only process it for specific purposes and in accordance with our instructions. Here’s who we share data with and why:
Sign-up and verification checks
Identity checking and fraud prevention partners.
When Curve shares data with identity and fraud prevention partners, they will become a joint controller of your data to determine how your data will be used to best provide their services.
Hosting and IT services
IT vendors including cloud storage providers to securely store your personal data.
Making and sending your Curve card
Card manufacturing, personalisation and delivery companies.
Financial services providers, including card issuers, payment processors and banking partners to facilitate payment transactions.
We may share your data with other customers when you use Curve Send. You can turn off your discoverability at any time - although others won’t be able to see you on the app, you can still make and receive payments as usual. You will also see the senders details on your bank statement.
Insurance (Curve Black & Metal only)
For Curve Black & Metal customers, your information is shared with insurance provider Inter Partner Assistance SA, member of the AXA Assistance group, Avenue Louise 166, 1050, Brussels, Belgium, insurance company regulated by the National Bank of Belgium under the number 0487, Company number 0415 591 055 (‘AXA’).
You will enter into a separate agreement with AXA to enable them to provide you with insurance. This means AXA is wholly responsible for your data for insurance purposes (rather than Curve). Further information is available here.
Social media marketing for targeted marketing purposes
Social media sites, for the purposes of conducting market research and running marketing campaigns. When sharing data with these sites, we ensure that your data is only used in accordance with our instructions.
If you don’t want us to use your information in this way, you can contact us at firstname.lastname@example.org or via the app.
Credit Reference Agencies and Fraud Prevention Agencies
When you apply, use or register for our services or credit products, we may perform credit and identity checks on you with one or more credit reference agencies ("CRAs"). We may also make periodic credit checks on you to manage your account with us or fulfil our services.
To do this, we may supply your personal information to the CRAs and they will give us information about you.
We will use this information to:
Assess your creditworthiness and whether you are suitable for Curve products
Verify the accuracy of the data you have provided to us
Confirm your identity and prevent criminal activity, fraud and money laundering
Manage your account
Trace and recover debts
Ensure any offers provided to you are appropriate to your circumstances
Provide you with access to your credit bureau data where you have asked us to.
The Credit Reference Agency Information Notice (CRAIN) describes how the three main credit reference agencies in the UK each use and share personal data. The CRAIN is available on the credit reference agencies’ websites:
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
If you register your Curve card on Samsung Pay, we will share your data with Samsung to authorise payments, display transactions, prevent and detect fraud, comply with legal requirements and industry standards. If you consent to marketing from Samsung, you consent to Curve sharing your profile data with Samsung for their marketing purposes.
When Curve shares data with Samsung, they will become a joint controller and an independent controller of your data to determine how your data will be used to best provide their services and send you marketing material with your consent.
Analytics and search engine service providers and customer experience support platforms to optimise and improve our services.
If you contact our customer services line out of hours, our external team will manage your enquiries. We will become joint controllers of your data as they will determine the means of collecting your data on our behalf.
Third-party payment partners
Third party payment service partners including Apple Pay, Samsung Pay and Airplus.
Curve will only share your data with a third-party payment partner if you have opted to use their service with your Curve card. When we share your data with third-party payment partners, they will become a joint controller of your data to determine how your data will be used to best provide their services.
Business reorganisation / sale
Third parties we may sell the business to or acquire.
We may share anonymised, aggregated data with selected e-wallet and data analytics service providers. This means your data is bundled up with other people’s data and you aren’t identifiable as an individual.
What are your rights?
Access the personal data we hold about you and/or in some circumstances, have it sent to another person
Correct make us correct inaccurate data
Request deletion of your data, although for legal reasons we might not always be able to do it
Restrict or object to our processing for direct marketing
Withdraw any consent you’ve given us
Request a review of any automated decision made by a computer.
If you want to do any of these things, drop our friendly customer support team a line at email@example.com or via the Curve app. We have one month to respond. This is almost always free but we’re allowed to charge a reasonable fee or refuse your request if it’s clearly unfounded, repetitive or excessive.
What about marketing?
You can ask us to stop sending you marketing emails at any time by following the unsubscribe links at the bottom of any Curve marketing message. You’ll still receive operational emails we need to send you, such as updates to our terms and conditions.
If you would like to stop receiving Curve receipt emails (for each of your payments), you can change your preferences for each of your underlying payment cards on the Curve app.
Do you use artificial intelligence or machine learning?
If we need to process your personal data with machine learning, we will only use data necessary for the purpose.
Any automated decisions made by machine learning algorithms will be reviewed by a human before we offer or deny you a service.
How long do we keep your data?
The period for which we may retain data about you will depend on the purposes for which the data was collected, whether you have requested deletion of the data, and whether we have any legal or regulatory obligation to retain the data. We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected. We will typically keep your data for up to 10 years after you last had an active account or product with us, or 7 years after you made or started an application. We may keep your personal data for a longer period where it is necessary for legal, regulatory or operational purposes.
International data transfers
We may transfer and store the data we collect from you to organisations outside the European Economic Area (‘EEA’). When we do this, we make sure that your data is protected and that:
the European Commission says the country or organisation has adequate data protection laws in place, or
we’ve agreed to standard data protection clauses in a written contract with the organisation, approved by the European Commission.
How can you complain?
We hope you don’t ever need to, but if you do want to complain, you have the right to do so to the Information Commissioner's Office (ICO) however we’d love to try and sort it out first. Drop us an email on firstname.lastname@example.org.
How can you contact us?