Privacy Policy
Plum Fintech CY Limited and Plum Money CY Limited (we, our, us, Plum) are committed to protecting and respecting your privacy. This Privacy Policy (Privacy Notice) describes how we collect, use, process, and disclose your information, including personal information, as you use, and access the Plum app. This Privacy Notice is designed to help you understand what kind of personal data we collect, and how we process and use this data. It also sets out your rights in relation to how we look after your personal data.
For the purpose of the General Data Protection Regulation (GDPR) the data controller is Plum Fintech CY Limited registered at Libra House, 6th Floor, 21 Panteli Katelari, 1097 Nicosia, Cyprus. If you have any further questions, you can reach our Data Protection Officer on dpo@withplum.com.
We process data collected from you, your bank, and third parties, to make Plum work for you, and comply with regulatory obligations. In short, most importantly we use:
We share your data with other companies to fulfil our contract with you, or comply with regulation:
GDPR gives you the right to see, erase, or challenge the data we hold about you (among other rights). Our support team can help with this. Read the full Privacy Policy for further details on how we use your information.
You may give us information about yourself by accessing our website withplum.com, by using the app service or by corresponding with us by email, in app or otherwise.
This is information necessary to provide the Plum Service (means the products and services made available to you by or through Plum, or through third party provider(s) to fulfil the contract between us) and to comply with regulatory obligations to 'Know Your Customer' (KYC):
Certain additional information may be collected depending if you have asked for certain services to be offered or provided to you, e.g. occupation, name of employer.
This is information we require to unlock additional features upon your request and to fulfil the associated contract, or information we might request from you to perform our regulatory obligations:
When you use Plum, or visit our website, we automatically collect information, including personal information, about the parts of the Plum Service you use, and how you use them. This information is necessary for the adequate performance of the contract between us, to enable us to fulfil our regulatory requirements, and given our legitimate interest in being able to provide the Plum Service:
We receive the following personal information about you from our third party service providers who assist us in providing some or all of the Plum Service:
We only process your information where we have a lawful basis for doing so.
To provide and improve the Plum product — we process the information we collect given our legitimate interest in improving the Plum Service, and in order to fulfil the contract we have with you:
To prevent misuse and fraud, and ensure compliance with laws and regulatory obligations — we process the information we collect given our legitimate interest to protect us from fraud, and to comply with our regulatory obligations:
Service providers — In order to fulfil the contract we have with you, we use certain trusted service providers. These providers will each handle your personal data in accordance with their own Privacy Policy. The most important service providers are highlighted below:
Other Plum users — in providing a referral programme there is a legitimate interest in sharing your Plum name with the person who invited you, to let them know the invite was successful and in order to fulfil the invite terms.
Aggregated Data — we may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and non-personally identifiable information for industry and market analysis, demographic profiling, marketing and advertising, and other business purposes. This is not considered personal data under GDPR as it can’t be used to directly or indirectly identify you.
Business Transfers — in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets. If Plum Fintech CY Limited or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
Co-branded and Promotional — From time to time we may work with other partners to offer you co-branded services or promotional offers, and we will share some of your personal data with those partners.
We generally retain your information for as long as it is necessary for the performance of the contract we have with you, or to comply with our regulatory obligations. If you no longer want us to use your information you can send a request to dpo@withplum.com. Please note that if you request erasure of your personal data, we will keep relevant personal information for at least 5 (five) years following the end of our business relationship with you to comply with our regulatory obligations as specified below.
A great thing about the GDPR is that consumers have much more control over how companies like Plum use your data. See below how you can assert those rights with Plum.
Getting a copy of your data — you have the right to get a copy of the data we hold about you. This is free of charge. To do this, please reach out to complaints@withplum.com, or talk to our support team by typing 'chat to human' in the Plum App.
Rectification of inaccurate or incomplete information — you have the right to ask us to update any information we hold which may be inaccurate, and which you can't change yourself through the Plum App.
Erasure of data or the right to be 'forgotten' — you have the right to ask us to erase personal information we hold on you, and close your Plum account. In order to exercise this right and request the erasure of your personal data, you should reach out to complaints@withplum.com, or talk to our support team by typing 'chat to human' in the Plum App. If you do this, we will maintain personal information we hold on you which is necessary to comply with our regulatory obligations, or to reduce fraud. In particular, under the anti-money laundering rules we are obliged to keep the following records for five (5) years from the date on which your last transaction has completed or the business relationship with Plum has come to an end:
Withdrawing consent, and restricting processing — to withdraw consent or restrict processing you may contact customer support. If you withdraw consent to share your financial transaction data, we will be unable to provide the Plum Service to you. Some information you have provided us will be retained after you withdraw consent to comply with regulatory obligations as explained above.
Lodging complaints — you have the right to lodge a complaint with the Information Commissioner's office for any processing carried out by Plum. You can contact the Office of the Commissioner for Personal Data Protection contact information can be found here.
We may send you certain direct marketing communications if it is in our legitimate interests to do so for marketing and business development purposes, or you have provided us with your consent to do so.
You can withdraw this consent by contacting us in app or by email at complaints@withplum.com.
All information you provide to us is stored on our secure servers. Any transmission of information to our partners (including information to facilitate payments) are encrypted using TLS technology, the current standard in secure communications over the Internet. Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.
Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. Information we deem sensitive (like your bank account number and sort code and your national insurance number if provided) are stored using state-of-the-art symmetric encryption (AES). We will only send your data outside of the European Economic Area ('EEA') to comply with a legal obligation, or when we work with third parties in providing you the Plum Service. If we do transfer your personal information outside the EEA to our suppliers, we will make sure that it is protected to the same extent as in the EEA.
Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail or by any instant messaging service we use to provide the Plum Service. Please check back frequently to see any updates or changes to our Privacy Policy.
It is important that you read the Privacy Policies of our third party service providers and partners.
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to dpo@withplum.com.