NESTER PRIVACY POLICY
1. Introduction
This privacy policy (“Privacy Policy”) is agreed as part of the Nester Service Terms that govern the use of the peer-to-peer finance service operated by Nester Platform Limited (“Nester”, “we”, “us”, “our”) at https://nester.com/ (“Service”). Capitalised terms not otherwise defined in this Privacy Policy shall have the meanings given in the Nester Service Terms.
We and Nester Security Limited (“NST”) jointly determine the purposes and means of processing of personal data that is collected about Clients (“you”, “your”) when they apply to register and use the Service. NST’s and our details are in Clause 2.11 of the Service Terms. We and NST are committed to protecting and respecting your privacy in relation to the Service in accordance with the principles relating to the processing of personal data under the Data Protection Act 1998/2018 (including the General Data Protection Regulation (EU) 2016/679), and any replacement statute from time to time (the “Act”). For the purpose of the Act, we and NST are joint “controllers”. This Privacy Policy and the Nester Service Terms determine our respective responsibilities for compliance under the Act and explain what types of personal data are collected, the purposes for which they are collected and processed, the legal basis for that and the organisations or types of organisations, if any, to which we may provide your personal data. It is necessary to enter into the Nester Service Terms, including the Privacy Policy, and to collect, process, share and store the personal data as described in order for us to be able to provide the Service to you.
The Payment Service Provider you agree to use in conjunction with the Service has its own privacy policy, which you agree directly with the Payment Service Provider. The Payment Service Provider’s details are also set out in Clause 2.11 of the Service Terms.
In addition, the Service may from time to time contain links to and from the websites of partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we do not accept any responsibility or liability for those policies. Please check those policies and any relevant service terms and conditions before you submit any personal data to those websites. We are not responsible for the content of any other websites or services.
2. What personal data do we collect?
We may collect, store and use the following kinds of personal data for processing on the basis specified in the table in Annex A to this Privacy Policy. Personal data will be stored in accordance with Clause 6 of this Privacy Policy.
We aim to keep your personal information up-to-date, so you must promptly notify us by updating your Nester Account or emailing compliance@nester.com if you change your name, residential address or contact details.
3. Personal data provided to us by third parties
We must carry out customer due diligence and transaction monitoring under certain Applicable Law, which involves verifying your identity against our own records and certain third party databases and checking whether you appear on any sanctions list. If you apply to be a Buyer, we will carry out credit and fraud checks on you, your director(s) and your business and check the personal and business data about the director, partner, or member who agrees to the Nester Service Terms on behalf of the applicant. The third party databases are:
- records of CRAs (Credit Reference Agencies);
- records of FPAs (Fraud Reference Agencies).
The above agencies will link your records to those of your financial associate(s) (e.g. someone with whom you have a joint credit account), including any previous and subsequent names of parties to the account. These links will remain on your, and their, credit reference files until you or they successfully file for a disassociation with the agency. When assessing the affordability of your repayments, we may take into account information about your financial associates in your credit reference.
When CRAs receive a search from us they will place a search on the credit file of the applicant(s) that may be seen by other finance providers. The CRAs supply to us both public (including the electoral register) and shared credit and fraud prevention information. If you are a director, we may also seek confirmation, from credit reference agencies, that the residential address that you provide is the same as that shown on the restricted register of directors’ usual addresses at Companies House.
We will give you at least 28 days’ notice of any decision to file notice of any default by you in your obligation to make repayments on your credit reference file. However, we may not always give you notice beforehand, for example, if enforcement action is planned.
If you give false or inaccurate information and we identify fraud, this will be recorded and may be shared by those agencies with other organisations and us, so that we and those other organisations, including law enforcement agencies and debt collection agencies, may access, use and search these records to:
- help make decisions about credit and credit related services, for you and members of your household;
- make decisions on motor, household, credit, life and other insurance proposals and insurance claims, for you and members of your household;
- debtors, recover debt, prevent fraud, and to manage your accounts or insurance policies;
- fraud and money laundering, for example, when:
  - Checking details on applications for credit and credit related or other facilities;
  - Managing credit and credit related accounts or facilities;
  - Checking details on proposals and claims for all types of insurance; and
  - Checking details of job applicants and employees.
The main CRA we use is Business Solutions Limited (“Creditsafe”), a company incorporated in England and Wales under registered number 3836192 at the registered address Bryn House, Caerphilly Business Park, Van Road, Caerphilly, CF38 3GG.
Please contact us at compliance@nester.com if you want to receive details of the relevant fraud prevention agencies.
Please note that we may use third-party advertising companies to serve advertisements when you visit our Service. These companies may use information about your visits to the Service and other websites in order to provide advertisements about goods and services of interest to you. This information does NOT include information like your name, address, email address, or telephone number.
4. When may we disclose your personal data?
We will not disclose your personal data to any third party, except as explained in Clause 3.1 and the table in Annex A to this Privacy Policy.
If substantially all of our assets are acquired by a third party, personal data held by us will be one of the transferred assets and may be disclosed to the prospective seller or buyer of such business or assets under the same conditions as this Privacy Policy. This is necessary for the purposes of the legitimate interests pursued by us and the third party, and would not be overridden by your interests or fundamental rights and freedoms which require protection of personal data.
5. Cookies and web beacons
Generally:
- “Cookies” are text files stored, either on a temporary or persistent basis, on the browser or hard drive of your computer when you visit a website; and are used for authenticating, session-tracking or maintaining specific information about the use and users of the site;
- “Web beacons” are small strings of software code that represent the request for a graphic image on a web page or email. There may or may not be a visible image associated with the web beacon itself, as often it is designed to blend into the background of a page or email. They are used for many purposes such as site traffic reporting, unique visitor counts, advertising auditing and reporting, and personalization; but collect only anonymous data about the image requested.
There are four different types of cookies used on the Service:
- Necessary cookies: those required for the operation of the Service – these do not gather information about you that would be used for marketing or remembering where you have been on the internet;
- Analytical/performance cookies: those which allow us to collect information about how you use the Service, such as how you move from page to page or around a page or if you experience errors. These cookies do not collect personal data at all; they collect only anonymous data that helps us improve how the Service works, understand which things interest users generally and measure how effective any advertising is. Performance cookies could be part of services provided by third parties (e.g. Google Analytics).
- Functionality cookies: those which recognise you when you return to the Service, which enables us to personalise content for you, greet you by name and remember your preferences and otherwise improve your visit to the Service.
- Targeting cookies: these record your visit to the Service, pages you have visited and the links you have followed, such as “Like” and “Share” buttons. They are set by, and linked to, services provided by third parties in return for recognising that you have visited the Service. The third party may subsequently use the information from the cookie to display advertising to you that you may be interested in on other websites.
Cookies cannot harm your computer. You can delete all cookies on your computer’s hard drive by searching for files with “cookie” in it and deleting them. In addition, if you want to stop cookies from being stored on your computer or browser, you can edit your browser settings so that cookies are blocked. Unfortunately, if you block “necessary” or “functionality” cookies you may not be able to use the full functionality of the Service.
You may also have heard of “log files”. Log files are not cookies; they do not contain any personal data; and they are not used to identify your personal use of the Service. When you request any web page from the Service, web servers automatically obtain your domain name and IP address, but they reveal nothing personal about you and that data is only used to examine Service traffic in aggregate, to investigate abuse of the Service and its users, including cooperating with law enforcement agencies investigating such things. We may also be able to collect information about Service usage from data contained in “log files” from third parties’ servers. Such data is not disseminated to third parties, except in aggregate or on specific investigation by law enforcement agencies.
6. Where and for how long we store your personal data
All information you provide to us is stored on our secure servers, which are located in the United Kingdom.
We use all reasonable endeavours to ensure that appropriate technical and organisational measures are in place to protect your personal data from unauthorised or unlawful processing and against accidental loss, destruction or damage in the Service.
Your personal data will be stored for the duration of the Nester Service Terms and for such time thereafter as required by Applicable Law or six years after the date of termination of the Nester Service Terms (which is the legal limitation period for bringing contractual claims).
Please note that the transmission of information via the internet is not completely secure, so we cannot guarantee the security of your data transmitted between your device(s) and the Service. Any such transmission is at your own risk.
7. Your rights
Under the Act, you have a number of rights that are set out in Clause 7.2 and Annex B to this Privacy Policy. The first right is to receive confirmation as to whether or not any of your personal data is being processed and certain other information, as we have set out in this Privacy Policy.
The table in Annex B at the end of this Privacy Policy explains the following rights which the Act gives you in relation to your personal data, and any exceptions to those rights:
- Right of access
- Right to rectification
- Right to erasure
- Right to request the restriction of processing concerning you
- Right to data portability
- Right to object to processing
- Right to ask us not to process your personal data for direct marketing purposes
- Right not to be subject to automated individual decision-making, including profiling.
Please note that you may exercise these rights (subject to any applicable exceptions) by emailing us at compliance@nester.com.
8. Changes to our privacy policy
We reserve the right to amend this Privacy Policy. Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail.
9. Regulatory and Contact details
The full company and registration details of Nester and NST are set out in Clause 2.11 of the Nester Service Terms. Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to compliance@nester.com. For more information about data protection and the protection of personal data, please visit the Information Commissioner’s website at www.ico.org.uk.
10. Complaints
In addition to the complaints process specified in Clause 14 of the Nester Service Terms, you can complain to the ICO if you consider there has been a breach of the Data Protection Legislation in connection with your personal data.
11. General
This Privacy Policy shall be governed by and construed in accordance with English law and the parties agree that the courts of England shall have exclusive jurisdiction to decide any dispute arising under it.
Annex A
Personal Data Collected | Purpose | Basis for processing |
If you decide to register as a Client of the Service, you will be asked to complete a form which will require you to provide your name, address and email address |
To disclose to third parties for:
|
|
Information about your computer, mobile device or other item of hardware through which you access the Service and your visits to and use of the Service (including without limitation your IP address, geographical location, browser/platform type and version, Internet Service Provider, operating system, referral source/exit pages, length of visit, page views, website navigation and search terms that you use) |
To disclose to third parties for:
|
|
Information relating to your previous browsing habits on the Service |
To disclose to third parties for:
|
|
Information that you provide by filling in forms on the Service. This includes information provided at the time of registering to use the Service, posting material or requesting further services. We may also ask you for information when you report a problem with the Service. |
To disclose to third parties for:
|
|
Copies of passports or other identification evidence |
To disclose to third parties for:
|
|
Credit checks to assess the creditworthiness of any Buyer or the counterparty to any Security Document |
To disclose to third parties for:
|
|
Details of transactions you carry out through the Service |
To disclose to third parties for:
|
|
Records of any telephone, email or other communication with you |
To disclose to third parties for:
|
|
Information about your physical or mental health or condition (where necessary and appropriate to comply with regulatory requirements relating to customers with such conditions) |
To disclose to third parties for:
|
|
Annex B
Rights | Exception |
Right of Access: To obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. | |
Right to rectification: to obtain from us without undue delay the rectification of inaccurate personal data concerning you. We must communicate the rectification to each recipient to whom the rectified personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We shall inform you about those recipients if you request that information. | |
Right to erasure: to obtain from us the erasure of personal data concerning you without undue delay where:
We must communicate the erasure to each recipient to whom the erased personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We shall inform you about those recipients if you request that information. | Processing is necessary for
|
Right to request the restriction of processing concerning you: to obtain from us restriction of processing where:
We must communicate the restriction to each recipient to whom the restricted personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We shall inform you about those recipients if you request that information. | Where processing has been restricted under this right, such personal data shall, with the exception of storage, only be processed:
|
The right to data portability: to receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where:
You have the right to have the personal data transmitted directly from us to another controller, where technically feasible. The exercise of this right shall be without prejudice to the right to erasure. | That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us. |
The right to object to processing: to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on processing necessary for the purposes of the legitimate interests pursued by us or a third party (except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data), including profiling. | Where:
|
The right to ask us not to process your personal data for direct marketing purposes: to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at compliance@nester.com. | |
The right not to be subject to automated individual decision-making, including profiling: to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. | If the decision:
In the cases referred to in points (a) and (c) we shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on our part, to express his or her point of view and to contest the decision. |