Curve UK & EEA Privacy Policy

Updated: 31 May 2022

At Curve, we’re committed to protecting your data. This privacy policy describes what data we process about you, what we do with it and why. 

Curve is made up of more than one company. The company you’ll have a relationship with is dependent on where you’re based and what you’re using Curve for. We’ll tell you who you have a relationship with when you first apply for or use a Curve product or service. In short:

  • Curve UK Limited (UK) controls your data if you’re based in the UK.

  • Curve Europe UAB (Lithuania) controls your data if you’re based in the rest of Europe.

  • Curve Credit Limited (UK) controls your data if you use our credit services.

  • Curve US, Inc. (US) is our US company. If you’re based in the US, this policy is not applicable.

What data do we process about you?

Identity Data:

  • Full name

  • Date of birth

  • ID document details

  • Selfie photograph

  • Employment status and industry

Financial Data:

  • Details of the funding card(s) added to your Curve account

  • Curve card data (including card number, expiring date, CVV number, name and billing address)

  • Details of your credit history held at credit reference agencies

Contact Data:

  • Home address,

  • Shipping address,

  • Billing address,

  • Email address,

  • Mobile number.

Transaction Data:

  • Information about your transactions,

  • Rewards,

  • Purchases.

Device Data

  • Internet Protocol (IP) address,

  • Model of your phone,

  • Geo-location.

Profile Data

  • Communication preferences,

  • Social media handles,

  • Feedback,

  • Survey / questionnaire responses.

How do we get your data? 

There are a number of ways in which we obtain your data. 

From direct interactions we have with you, including:

  • Creation of an account

  • Use of one of our products

  • Subscription to marketing

  • Contacting Curve

  • Providing feedback

  • Using Curve Community

From our automatic collection, including:

  • Technical data from your electronic devices, browsing actions and patterns. Collected using cookies, server logs and similar technologies.

From third parties or publicly available information, including: 

  • Analytics providers

  • Payment services and e-wallet providers

  • Customer service providers

  • Electoral register

  • Governmental agencies

  • Credit reference agencies

What do we use your data for? 

We use your data to provide the best experience possible. We always have a lawful basis to process your data. This section provides you with information about our use of your data.

Purpose:  Sign you up as a Curve customer and create your account

Data: How you signed up, Identity, Contact, Financial, Device

Lawful basisContract, Legal obligation (the law requires us to verify your identity)

Purpose:  Confirm your identity and help prevent fraud

Data: Identity, Contact, Financial, Transaction, Device

Lawful basis: Legal obligation, Legitimate interests (to ensure we use the best fraud prevention providers when performing our services)

Purpose:  Provide you with Curve products and services and manage your account

Data:  Identity, Contact, Financial, Transaction

Lawful basis: Contract, Legitimate interests (to provide you with services and recover fees)

Purpose:  Conduct credit checks and provide Curve credit products and services

Data: Identity, Contact, Financial, Transaction

Lawful basis: Contract, Consent, Legitimate Interest (to provide you with relevant services only)

Purpose: Process your payment transactions

Data: Identity, Contact, Financial, Transaction, Device

Lawful basis: Contract, Legal obligation, Legitimate interests (to facilitate transactions and maintain integrity of Curve systems)

Purpose:  Provide you with third-party services, including Samsung Pay

Data: Identity, Financial, Transaction, Profile

Lawful basisContract, Consent (for profile data)

Purpose:  Manage our relationship, including updates to our terms and providing top-notch customer support

Data:  Identity, Contact, Transaction, Profile, Device

Lawful basis: Contract, Legal obligation, Legitimate interests (to keep our records updated and improve our product)

*Please note we may record your calls with our customer services team for training and monitoring purposes.

Purpose:  Improve our services and troubleshoot

Data: Identity, Contact, Device

Lawful basis: Legitimate interests (to improve our products)

Purpose: Suggest goods, services, programmes or activities that may be of interest to you

Data: Identity, Contact, Device, Profile, Financial, Transaction, Survey Responses

Lawful basis: Consent, Legitimate interests (to develop our product offering and grow our business)

Purpose: Send you marketing communications

Data: Identity, Contact, Profile, Device, Transaction

Lawful basis: Consent, Legitimate interests (to ensure you are kept up to date with our services)

Purpose: Comply with regulations and legal obligations

Data: Identity, Contact, Financial

Lawful basis: Legal obligation

We only use your personal data for the purpose we collected it or a similar, connected purpose. If we ever need to use your information for an unrelated purpose, we’ll inform you and explain why. We may also be required by law to process your personal data without your knowledge or consent.

 

Who do we share your data with and why? 

When we share data with third parties, they can only process it for specific purposes and in accordance with our instructions. 

Here’s who we may share data with and why:

The Curve Group.

We share personal data within the Curve group of companies in order to provide you with the best service(s) and perform necessary activities, as described above.

Identity checking and fraud prevention partners.

To perform sign-up and verification checks.

When Curve shares data with identity and fraud prevention partners, they will become a joint controller of your data to determine how your data will be used to best provide their services.


IT vendors including cloud storage providers.

Hosting and IT services; IT vendors including cloud storage providers to securely store your personal data.

Card manufacturing, personalisation and delivery companies.

To make and send your Curve card.

Insurance Provider (Curve Black & Metal customers only)

Information is shared with insurance provider Inter Partner Assistance SA, member of the AXA Assistance group, Avenue Louise 166, 1050, Brussels, Belgium, insurance company regulated by the National Bank of Belgium under the number 0487, Company number 0415 591 055 (AXA). 

You will enter into a separate agreement with AXA to enable them to provide you with insurance. This means AXA is wholly responsible for your data for insurance purposes (rather than Curve). Further information is available here.

Social media sites.

Social media sites, for the purposes of conducting market research and running marketing campaigns. When sharing data with these sites, we ensure that your data is only used in accordance with our instructions.

If you don’t want us to use your information in this way, you can contact us at privacyrequests@imaginecurve.com.


Financial services providers.

To facilitate payment processing, we share your data with financial services providers, including card issuers, payment processors and banking partners to facilitate payment transactions.

Our payment processing activities for customers in Europe will be carried out by Curve Europe UAB as it is licensed to provide financial services in Europe in accordance with EU financial regulations.


Companies that you transfer money to from your Curve card.

Where you make a payment from your Curve account, we will share your first and last name with the recipient in their transaction history.


Third-party payment partners.

Third party payment service partners including Apple Pay, Samsung Pay and Airplus.

Curve will only share your data with a third-party payment partner if you have opted to use their service with your Curve card. When we share your data with third-party payment partners, they will become an independent controller of your data to determine how your data will be used to best provide their services.


Open banking partners, including Plaid.

We partner with Plaid to allow you to view account information from other payment providers on our app. If you would like to use this feature, Plaid will prompt you to connect your other payment accounts to the Curve app. This data will be sent to Curve to display on the app. This allows you to see your various account transactions and balances in one place.

When you consent to the use of your data and enable this feature, both Curve and Plaid will become independent controllers of your data as we will independently determine the best means of processing your data to deliver the service to you.

We may also anonymise the data collected from Plaid to improve our products and services.

For more information on how Plaid will use your data, please see their Privacy Policy.


We also share your data with Software as a Solution partners who provide open banking compliance solutions, such as partners providing a gateway which allows you to securely provide Third Party Providers with access to your Curve account for the purposes of retrieving financial account data. Where you consent to such access, your account, transaction and account holder details will be processed to the extent that you request that such information is made available to the relevant Third Party Provider.

Credit reference agencies.

If you apply, use or register for credit products, we may perform hard credit and identity checks on you with one or more credit reference agencies (CRAs). We may also make periodic soft credit checks on you to manage your account with us or fulfil our services.

To do this, we may supply your personal information to CRAs and they will give us information about you. 

We will use this information to:

  • Assess your creditworthiness and whether you are suitable for Curve products;

  • Verify the accuracy of the data you have provided to us;

  • Confirm your identity and prevent criminal activity, fraud and money laundering;

  • Manage your account;

  • Trace and recover debts;

  • Ensure any offers provided to you are appropriate to your circumstances;

  • Provide you with access to your credit bureau data where you have asked us to.


The Credit Reference Agency Information Notice (CRAIN) describes how the three main credit reference agencies in the UK each use and share personal data. The CRAIN is available on the credit reference agencies’ websites:


If you are a Lithuanian customer, you can find more information about this processing by visiting:

Further information relating to Lithuanian credit offerings and data sharing is set out in the below row.

We may continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

Hard credit checks will appear on your credit file and may affect your credit rating. Soft credit checks will not appear on your file and will not affect your credit rating.

We may also request information on your other payment accounts to perform an affordability check. You will be prompted to connect your other payment accounts on the Curve app. This information will be shared directly with Plaid and subsequently shared with Curve (see “Open banking partners, including Plaid”). 


SME credit products

When you apply for SME credit products, we will conduct commercial credit checks on your business and you, as a director, using one or more CRAs.

We will use this information to assess your creditworthiness and the affordability of repayments.

We will continue to exchange information about your business with CRAs while you have a relationship with us. We will also inform the CRAs about your business’ settled accounts and if your business has any outstanding debt. This information may be supplied to other organisations by CRAs.


Credit Bureau UAB 

Creditinfo Lietuva

If you are a Lithuanian customer using a credit product and fail to meet the relevant obligations for more than 30 days, your data (identity, contact information and credit history, i.e. financial and property-related obligations and fulfilment, debts and repayment) will be provided to the Credit Bureau UAB Creditinfo Lietuva (Company Reg. No.: 111689163, address: A. Goštauto St. 40A, LT 01112 Vilnius, Lithuania,www.manocreditinfo.lt, phone (8 5) 2394131). 

The Credit Bureau shall process and provide to third parties (financial establishments, telecommunications companies, providers of insurance services, suppliers of electricity and utility services, retail companies, etc.) your information in order to pursue its purpose, i.e. to evaluate your credit rating and manage debts. Evaluation of your credit rating shall involve the evaluation of your personal aspects in an automated manner (profiling), which in the future may affect your opportunity to conclude transactions. The evaluation in an automated manner helps to lend responsibly and involves evaluation of the credit information provided by the respective person, his credit history, public information, etc. The automated evaluation methods shall be regularly reviewed to ensure they are fair, effective and impartial.

The credit history data shall be processed for 10 years after the fulfilment of the respective obligation. You can consult your credit history by directly contacting the Credit Bureau or by means of the Finpass app.

You have the right to request that your data be corrected or deleted or that the processing of your data be restricted as well as the right to disagree to the processing of your data, demand human involvement in the automated decision-taking process, present your view and contest a decision, and the right to have the data transferred. For further information about the implementation of these rights, the restrictions applicable to them and the evaluation of aspects in an automated manner (profiling), please visit www.manocreditinfo.lt. You may contact their Data Protection Officer by e-mailing  duomenu.apsauga@creditinfo.lt or by calling the above phone number. You can lodge a complaint with the State Data Protection Inspectorate in relation to Credit Bureau UAB Creditinfo Lietuva.

Business verification agency.

We may also use DueDil to collect and verify your business information. When we receive information from DueDil, both Curve and DueDil will become independent controllers of your data as we will independently determine the means of processing your data.

Please note that this service is only available to Curve customers who self-attest as a company director. 

For more information on how DueDil uses your data, please refer to their Privacy Policy.

Fraud prevention agencies.

The personal data we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity.

If fraud is detected, you could be refused certain services, finance, or employment. Further

information can be found here.

Samsung Pay.

If you register your Curve card on Samsung Pay, we will share your data with Samsung to authorise payments, display transactions, prevent and detect fraud, comply with legal requirements and industry standards. If you consent to marketing from Samsung, you consent to Curve sharing your profile data with Samsung for their marketing purposes. 

If you participate in the Curve-Samsung referral program, your data will be used to verify that you are a Samsung Pay customer and to facilitate the provision of your reward.

For more information on how Samsung will use your data, please see their Privacy Policy. Please note that Curve is not responsible for the security of Samsung Pay or any third party provider to Samsung. Any information you give them is covered by their own Terms and Conditions.

Support tools.

Support tools include analytics and search engine service providers and customer experience support platforms which we use to optimise and improve our services.

If you contact our customer services line out of hours, our external team will manage your enquiries. We will become joint controllers of your data as they will determine the means of collecting your data on our behalf.


Third parties we may sell the business to or acquire.

In the event of a business reorganisation or sale, we may share your data to third parties we sell the business to or acquire. 

We may also share anonymised, aggregated data with selected e-wallet and data analytics service providers. This means your data is bundled up with other people’s data and you aren’t identifiable as an individual.
 

What are your rights? 

You have rights over your personal data. 

  • Access the personal data we process about you.

  • Rectify your personal data by asking us to correct it for you.

  • Delete your data, by asking us to delete it. There are times when we may not be able to delete data for legal purposes.

  • Restrict or object toour processing of your data for direct marketing.

  • Withdraw any consent you’ve given us to use your personal data in a specific way.

  • Request a review of any automated decision made by technology.

If you want to do any of the above, or if you have questions relating to Curve’s data processing please get in touch with us at privacyrequests@imaginecurve.com

We have one month to respond unless your request is complicated, in which case we may need more time. If that’s the case, we’ll let you know. 

This is almost always free but we’re allowed to charge a reasonable fee or refuse your request if it’s clearly unfounded, repetitive or excessive.

How can you opt-out of marketing? 

You can ask us to stop sending you marketing emails at any time by following the “unsubscribe” links at the bottom of any Curve marketing message. You’ll still receive operational emails we need to send you, such as updates to our terms and conditions.

If you would like to stop receiving Curve receipt emails (for each of your payments), you can change your preferences for each of your funding cards on the Curve app.

Do we make automated decisions about you?

Depending on the Curve products or services you use, we may make automated decisions about you.

This means that we may use technology that can evaluate relevant factors about you and your circumstances to predict risks or outcomes. We do this for the efficient running of our services and to make sure that the decisions we make are fair, consistent and based on the correct information.

Where we make an automated decision about you, you have the right to ask that it is manually reviewed by a human. 

For example, we may make automated decisions about you that relate to:

The approval of credit applications 

  • Credit and affordability checks to see whether we can accept your credit application.

  • Setting credit limits.

Opening a Curve account

  • Anti-money laundering and sanctions checks.

  • Identity and address checks.

Detecting fraud

  • Monitoring your account to detect fraud and financial crime.

Our legal basis for our use of automated decision making is to enable us to fulfil our contract with you or because we have a legal obligation to do so.

How long do we keep your data? 

The period for which we may retain data about you will depend on:

  •  the purposes for which the data was collected, 

  • whether you have requested deletion of the data, and; 

  • whether we have any legal or regulatory obligation to retain the data. 

We will not retain data about you for longer than is necessary to fulfil the purposes for which the data was collected. We will typically keep your data for up to 10 years after you last completed onboarding or had an active account or product with us. 

We may keep your personal data for a longer period where it is necessary for legal, regulatory or operational purposes. 

Do we transfer data internationally?

We may transfer and store your data outside the European Economic Area (EEA) and the United Kingdom (UK). When we do this, we ensure that:

  • The country or organisation processing the data has adequate data protection laws in place, in accordance with the European Commission / UK; 

  • Curve and the other organisation(s) have formally agreed to data protection clauses in a written contract, as approved by the European Commission / UK.

 How can you contact us? 

You’re most welcome to drop us an email at privacyrequests@imaginecurve.com to exercise a right, ask a question, lodge a complaint or offer a suggestion. 

 

How can you escalate a complaint?

We encourage you to contact us directly if you aren’t happy with how we’ve handled a request or another data protection matter. 

Should you wish to contact our Data Protection Officer, you can email them at DPO@imaginecurve.com

You also have the right to lodge a complaint with the UK’s Information Commissioner’s Office or the Lithuanian State Data Protection Inspectorate, depending on which Curve entity is the subject of your complaint.


Version History

  • 13-07-2022
  • 19-01-2022