ABOUT US

1. Tabeo Finance Limited is a private limited company registered in England and Wales under company number 10416530 with its registered office address at C/O Fox Williams LLP, 10 Finsbury Square, London EC2A 1AF. Tabeo Finance Limited is authorised and regulated by the Financial Conduct Authority ("FCA") under Financial Services Register number 777539. Tabeo Finance Limited is also registered with the Information Commissioner’s Office under registration number ZA260247.

2. Tabeo Tech Limited is a private limited company registered in England and Wales under company number 10363602 with its registered office address at C/O Fox Williams LLP, 10 Finsbury Square, London EC2A 1AF. Tabeo Tech Limited is registered with the Information Commissioner’s Office under registration number ZA260299.

3. Tabeo Plans Limited is a private limited company registered in England and Wales under company number 12712093 with its registered office address at C/O Fox Williams LLP, 10 Finsbury Square, London EC2A 1AF. Tabeo Plans Limited is registered with the Information Commissioner’s Office under registration number ZB148062.

4. Tabeo Finance Limited, Tabeo Tech Limited and Tabeo Plans Limited trade as Tabeo. In this Privacy Notice, reference to "Tabeo", "we" or "us" is a reference to Tabeo Finance Limited, Tabeo Tech Limited and Tabeo Plans Limited and any other member of the Tabeo group which provides the Products from time to time, unless we specifically state otherwise.

5. Tabeo Tech Limited operates the website www.tabeo.co.uk, which provides an online platform ("Platform") through which Tabeo Finance Limited, Tabeo Tech Limited and Tabeo Plans Limited and other Tabeo group companies from time to time offer certain products and services to businesses registered on our platform ("Merchants") and their customers ("Customers"). These products and services are described in more detail below.

THIS PRIVACY NOTICE

1. At Tabeo we are committed to protecting your privacy. This Privacy Notice applies to all users of our Platform, including our Customers and prospective Customers, and Merchants. This Privacy Notice sets out the basis on which any personal data about you that you provide to us, that we create, or that we obtain about you from other sources, will be processed by us. Please read this Privacy Notice to understand our practices regarding your personal data and how we will treat it.

2. Where reference is made in this Privacy Notice to our:

   1. Finance or In-House Finance products, Tabeo Finance Limited is the joint controller of your data along with the relevant Merchant;

   2. Plans product, Tabeo Plans Limited is the processor of your data; or

   3. Cards product, Tabeo Tech Limited is the processor of your data.

3. Tabeo Tech Limited is also the controller which is responsible for administering the Platform.

4. The Privacy Notice is provided only in the English language.

5. The Privacy Notice was last updated on 9 August 2024.

AMENDMENTS TO THE PRIVACY NOTICE

We may review and, if appropriate, update this Privacy Notice from time to time. We may place notice of any such amendments on our Platform, unless we make updates in order to comply with law or regulations, or where we make updates which are of an immaterial and routine nature. Please visit https://tabeo.co.uk/privacy-policy for the most recent version of this Privacy Notice.

CONTACT US

If you have any questions about this Privacy Notice or your information, or wish to exercise any of your rights as described in this Privacy Notice, you can contact us as follows:

DATA PROTECTION PRINCIPLES

1. Anyone processing personal data must comply with the principles of processing personal data as follows:

   1. Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner.

   2. Purpose limitation – data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

   3. Data minimisation – data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

   4. Accuracy – data must be accurate and, where necessary, kept up to date.

   5. Storage limitation – data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

   6. Integrity and confidentiality – data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.

2. This Privacy Notice describes the personal data that we collect, and explains how we comply with these principles.

WHAT INFORMATION DO WE COLLECT?

Technical information we collect

1. You can browse our Platform as a guest without giving us any information, and we won’t know who you are. However, even if you are a guest, please bear in mind that we may:

   1. record your approximate location and device used during live chats on our Platform, together with any other information you choose to provide to us;

   2. record the areas of our Platform which you visit and at what times;

   3. record information about your activities in using our Platform; and

   4. collect information about your computer, such as which browser you are using, your network location, your operating system, your IP address and the type of connection you are using (e.g. broadband, ADSL etc.),

   (referred to as "Technical and Usage Data").

2. We collect the information above (except the information described in section 6.1(a) by using cookies and other tracking technologies ("Cookies"). Cookies are very small text files that are stored on your device when you visit some websites. Please click here to access our Cookie Policy which explains what Cookies we use on our Platform.

3. We collect the information at 6.1(a) above through our partner Heap.io. This information is stored by Heap.io on our behalf and processed according to our instructions pursuant to our GDPR-compliant services agreement with Heap.io.

   Information you give to us

4. You may provide us with personal data when you:

   1. use the Platform (e.g. when filling in forms);

   2. enter information onto your Tabeo Account; or

   3. communicate with us whether through the Platform or otherwise.

5. The information you provide us will largely depend on which Product you interact with. For Products like Finance or In-House Finance, you will be asked to provide more information than for other Products like cards. The information may include but is not limited to:

   1. Biographical information, including your name, your date of birth, your marital status, and the number of dependents you have;

   2. Contact details, including your address, postcode, and other contact information such as email address and telephone/mobile number;

   3. Employment, including your employment status and any directorships you have;

   4. Financial information, your income, your residential status and whether you own certain assets (like a car) which can impact your likely or assumed expenditure;

   5. Account details, including your passwords and security question answers;

   6. Identification information, including answers to questions required by third party credit reference agencies for identification purposes; and

   7. IT and communications information, including recordings of telephone calls you make to Tabeo.

6. In some circumstances, you may also provide us with certain information regarding your health when using certain of our Products, including:

   1. details regarding the treatment you require; and

   2. photographs and medical consent forms, especially if these are provided in connection with a complaint from you,

   ("Health Data").

7. If you apply for any Products on behalf of another individual, it is not reasonably practicable for us to provide to them the information set out in this Privacy Notice. Accordingly, where appropriate you are responsible for providing this information to any such person.

PAYMENT SERVICES PARTNERS

1. Tabeo does not control or process payment information. We can only view this information in a tokenised or redacted format. The Platform uses certain third party payment services companies in order to provide some of the Products to Merchants. These companies will have the necessary regulatory licences which Tabeo may not have but which are needed to deliver the Product. We work with:

   1. Stripe and/or GoCardless, for Finance, to effect payments between Tabeo, our third party lenders, Customers and Merchants;

   2. Stripe and/or GoCardless, for In-house Finance, to collect payments from Customers by card and direct debit, and effect payments between Tabeo and Merchants;

   3. Stripe for Cards, to collect payments from Customers by card (whether card present or not present), and effect payments between Tabeo and Merchants;

   4. Stripe and/or GoCardless, for Plans, to collect payments from Customers by card and direct debit, and effect payments between Tabeo and Merchants; and

   5. Stripe and/or GoCardless, for Px Suite, to collect payments from Merchants.

2. Information on how Stripe processes your personal data and your data protection rights, including your right to object, is available in their Privacy Policy which can be found here: https://stripe.com/gb/privacy

3. Payments securely processed by GoCardless. GoCardless Ltd (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services. GoCardless uses personal data as described in their Privacy Notice: https://gocardless.com/legal/privacy

INFORMATION FROM OTHER SOURCES

1. We may obtain information about you from publicly available sources and third parties such as Open Banking and (in the case of Merchants only) social media platforms.

2. We will also check information about you held on our own records and also obtain information from credit reference agencies (https://www.transunion.co.uk/crain) and fraud prevention agencies about you relating to your personal credit behaviour and personal credit accounts.

3. Records searched at credit reference agencies about you may be linked to your spouse/partner, members of your household or other persons to whom you are linked financially. For the purposes of any application or your agreement with us, you may be treated as financially linked and you will be assessed with reference to ‘associated records’.

4. We work with some Merchants who are private healthcare providers, who may provide us with limited health data about you, in respect of a treatment you have financed or paid for by or through the Products. Health data is a special category of personal data. We may also be provided with such limited health data by such Merchants should they contact us in relation to such finance or payment.

IF YOU FAIL TO PROVIDE PERSONAL DATA

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you in relation to the Products. In this case, we may have to cancel a Product or service you have with us but we will notify you if this is the case at the time.

WHAT WE DO WITH THE INFORMATION WE COLLECT

1. As a data controller, we will only use your personal information if we have a legal basis for doing so. The purposes for which we use and process your information and the legal basis on which we carry out each type of processing are explained in the table below.

   Type of data	Purposes for which we will process the information	Legal basis for processing	Relevant Products
   Biographical information, contact details, account details	To provide the Platform to you and with any Products you request from us through the Platform.	Performance of a contract.	All
   Contact details	To send you marketing communications and provide details of the Products and services which you may be interested in.	Either your consent or, where consent is not required under applicable law, on the basis of our legitimate interests to raise awareness of Tabeo and its Product offering.	All
   Contact details, Technical and Usage Data	To deliver to you any administrative notices, alerts and communications relevant to your use of the Products.	It is in our legitimate interests to ensure that any changes to our policies, terms and other such technical updates are communicated to you, or compliance with a legal obligation.	All
   Technical and Usage Data	To enrich your experience and interaction with our Platform by allowing you to store your details so that your preferences are retained when you revisit our Platform.	Consent	All
   Technical and Usage Data, IT and communications information, biographical information, account details and identification information	To troubleshoot problems, and to help protect you against fraud or other criminal activity.	It is in our legitimate interests to carry out such checks to ensure prevention against fraud and other harmful activity and that the Platform are safe and secure.	All
   Financial information (including credit reference checks), identification information, biographical information, employment and education information	To carry out financial and identity checks, fraud prevention checks, regulatory checks and credit checks (including, if you are a Merchant, on your directors, officers and certain controlling shareholders).	Performance of a contract or compliance with a legal obligation.	Finance, In-House Finance
   Account information, biographical information, employment information	To manage your Tabeo Account and update the records we hold about you from time to time	Performance of a contract or compliance with a legal obligation (as applicable).	Finance, In-House Finance
   Biographical information, contact details, identification information	In respect of Customers using, if you do not repay money you have borrowed, to trace your whereabouts and recover debts or enforce a Finance loan agreement.	It is in our legitimate interests to recover any sums that you owe us.	Finance, In-House Finance
   Contact details, biographical information, account details	For customer service, including answering questions and responding to feedback and complaints.	It is in our legitimate interests to respond to your queries and resolve your complaints to maintain our reputation.	All
   Technical and Usage Data	To maintain and administer the Platform, including for the purposes of: · Analysing the Platform and mobile application usage and improve our services; · Statistical and modelling purposes including lifecycle modelling, stress testing, fraud modelling, product development, statistical analysis, market research and to improve our products and services	Consent, compliance with legal obligations (like the Consumer Duty) and, if applicable, our legitimate interests to improve our products and services.	All
   Contact details	To provide you with information about goods or services offered by other companies that we feel may interest you	Consent	All

2. Depending on the Products you sign up for, we may need to process your Health Data to provide you with our services. Health Data falls within the meaning of “special category data” (sometimes referred to as sensitive data) under data protection laws, which means that it is afforded a higher degree of protection than regular personal data. We will only process your Health Data if we have obtained your explicit consent to do so.

3. If you have provided your consent to any of the processing referred to above, you can withdraw your consent at any time, but without affecting the lawfulness of processing based on consent before its withdrawal.

WHO DO WE SHARE YOUR INFORMATION WITH?

1. We may aggregate your personal data in such a manner that it is anonymised (i.e. you can no longer be identified from it) and disclose this to third parties.

2. We may share your personal data when there is a legitimate reason to do so, for example:

   1. with Merchants so that they can contact you in relation to the relevant Products you are using with them. Please note that Merchants are independent controllers of your personal data and Tabeo shall in no way be responsible for their misuse of your data;

   2. with vendors and other third parties performing services on our behalf who will only use the information to provide that service (such as our IT service providers who help us to provide the Platform);

   3. with other members of our corporate group;

   4. with third party funders who provide advances under Finance loan agreements;

   5. if we sell any of our business or assets, we may disclose your personal data to the prospective buyer for due diligence purposes and our legal advisers; and

   6. if we are acquired by a third party, personal data held by us about you will be disclosed to the third-party buyer.

3. We will also add to your record with the credit reference agencies details of our Finance loan agreement with you, the payments you make under it, and any default or failure to keep to the terms.

4. In some circumstances, we may have to disclose your personal data by law, because a court or the police or other law enforcement agency has asked us for it.

5. We will not sell or disclose your data to any third party other than as set out in this Privacy Notice.

   What if you’re a borrower under our Finance or In-House Finance products?

6. If you are a borrower under any of our Finance or In-House Finance products, we may share a your personal data with third parties for the purposes of:

   1. checking details on applications for credit and other facilities;

   2. collecting money owed by you under the relevant loan agreement; and

   3. recovering debts owed by you under the relevant loan agreement.

7. In addition, we may disclose your personal data to:

   1. credit reference and fraud prevention agencies to perform similar checks, trace your whereabouts and recover debts you owe. This may include details of your loans on the Platform, how you manage them and any amounts outstanding; and

   2. debt collection agencies and other legal representatives if required to enforce the terms of any loan agreement.

   What do credit reference and fraud prevention agencies do?

8. This section of the Privacy Notice explains how your personal data will be used by credit reference and fraud prevention agencies. We consider that this use of your personal data is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. It is also in part necessary for compliance with legal obligations to which we are subject where you interact with our Finance or In-House Finance products.

9. When a credit reference agency receives a search from us they will:

   1. make an administrative call with regard to your credit file without leaving a “footprint” on your credit score;

   2. place a credit search “footprint” on your credit file once you have entered into a loan agreement. If the search was for a credit application the record of that search (but not the name of the organisation that carried it out) may be seen by other organisations when you apply for credit in the future; and

   3. link together the previous and subsequent names advised by you, of anyone that is a party to the account.

10. Credit reference agencies will supply the following information to us:

    1. information about your credit file, including your credit score;

    2. information about you, such as previous applications for credit and similar personal credit information in your name, payment history (including any missed payments), and details of any financial sanctions imposed by the United Kingdom government which are applicable to you;

    3. public information such as County Court Judgments (CCJs) and bankruptcies;

    4. electoral register information on you;

    5. your address history, including how long you have lived at each address;

    6. information about people linked to your credit file; and

    7. fraud prevention information.

11. Credit reference agencies will keep records of outstanding debt on file for six years after they are closed, whether settled by you or defaulted.

12. The information which we and other organisations provide to the credit reference agencies and fraud prevention agencies about you may be supplied by such parties to other organisations and used by them to:

    1. prevent crime, fraud and money laundering by, for example checking details provided on applications for credit and credit related or other facilities;

    2. check the operation of credit and credit-related accounts;

    3. verify your identity if you apply for additional Products;

    4. make decisions on credit and credit related services about you;

    5. manage your personal account(s);

    6. trace your whereabouts and recover debts that you owe;

    7. conduct other checks to prevent or detect fraud; and

    8. undertake statistical analysis and system testing.

13. If false or inaccurate information is provided by you and fraud is identified we will record this and details will be passed to fraud prevention agencies. Law enforcement agencies may access and use this information. We and other organisations may also access and use this information to prevent fraud and money laundering, for example, when:

    1. checking details on applications for credit and credit related or other facilities;

    2. managing credit and credit related accounts or facilities;

    3. recovering debt;

    4. checking details on proposals and claims for all types of insurance; and

    5. checking details of job applicants and employees.

14. Please contact us if you want to receive details of the relevant fraud prevention agencies.

15. We and other organisations may access and use the information about you recorded by fraud prevention agencies from other countries.

TRANSFERS OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA

1. The personal data that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom (“UK”), European Economic Area (“EEA”). It may also be processed by staff operating outside of the UK and EEA who work for our affiliates or for one of our suppliers.

2. Where we transfer your personal data outside the UK and the EEA, we will ensure that it is safe and protected in a manner that is consistent with how your personal data would be protected by us in the UK. This can be done in several ways, for instance:

   1. the country that we send the data to might be approved by the European Commission; or UK government as having in place an adequate level of protection for personal data; or

   2. the recipient might have signed up to a contract based on "model contractual clauses" approved by the European Commission or the ICO, obliging them to protect your personal data; or

   3. where the recipient is located in the US, it might be a certified member of the EU-US Privacy Shield scheme.

3. In other circumstances the law may permit us to otherwise transfer your personal data outside the UK and the EEA. In all cases, however, we will ensure that any transfer of your personal data is compliant with data protection law.

MARKETING AND COMMUNICATIONS

1. We would like to provide you with information about our new products, services, promotions, special offers and other information which we think you may find interesting.

2. If you have registered with us or have previously asked us for information on our products or services, provided you have given us your consent, we may send you information on our range of products and services by phone, email, SMS and/or to your Tabeo Account.

3. If you decide at any time that you no longer wish to receive marketing phone calls, emails, SMS or messages from us, please contact us using the details in the ‘Contact Us’ section above.

4. We will always give you an opportunity to unsubscribe from receiving any marketing from us in each communication we send to you.

DATA RETENTION

1. How long we hold your personal data for will vary. The retention period will be determined by various criteria including:

   1. the purpose for which we are using it – we will need to keep the data for as long as is necessary for that purpose; and

   2. legal obligations - laws or regulation may set a minimum period for which we must keep your personal data.

2. We will hold your data for 6 years after the end of our relationship with you. For example, 6 years after your loan is terminated, or your application is declined, or at any point we have contact with you regarding your application or agreement. Your data is held for this long to:

   1. comply with legal obligations (for example to the Financial Conduct Authority under CONC 5 and SYSC 9);

   2. for our legitimate interests, for example if you attempt to apply chargebacks of any payment you make; and

   3. for statistical and modelling purposes including lifecycle modelling, stress testing and fraud modelling.

3. If you provide us with your personal data but do not enter into a Product, then we will only hold your data for a maximum of 12 months from the date such data was received.

YOUR RIGHTS

1. In accordance with applicable privacy law, you have the following rights in respect of your personal information that we hold:

   1. Right of access. You have the right to obtain access to your personal information.

   2. Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.

   3. Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal information we hold about you without undue delay.

   4. Right to erasure. You have the right, in some circumstances, to require us to erase your personal information without undue delay if the continued processing of that personal information is not justified.

   5. Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal information if the continued processing of the personal information in this way is not justified, such as where the accuracy of the personal information is contested by you.

   6. Right to object. You have a right to object to any processing based on our legitimate interests in certain circumstances. You can also object to our direct marketing activities for any reason by clicking the “unsubscribe” link set out in any marketing communication you receive.

   7. Right to withdraw consent. If you have provided consent to any processing of your personal information, you have a right to withdraw that consent but without affecting the lawfulness of processing based on consent before its withdrawal.

2. Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply.

EXERCISING YOUR RIGHTS

1. You can exercise any of your rights as described in this Privacy Notice and under data protection laws by contacting the Data Protection Officer.

2. Save as provided under applicable data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee (subject to any limits imposed by applicable law) taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.

3. Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity.

COMPLAINTS

1. If you feel that you would like to make a complaint regarding our use of your personal data, you have the right to take your complaint to the Information Commissioner’s Office ("ICO") or other applicable data protection supervisory authority. Where you have the right to take your complaint to the ICO, you can report a concern with the ICO by following this link https://ico.org.uk/concerns/ or by calling them on 0303 123 1113.

SECURITY

1. We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Apps; any transmission is at your own risk.

2. Where appropriate, we use pseudonymisation and / or encryption to protect your information.

3. Where data processing is carried out on our behalf by a third party, we will endeavour to ensure that appropriate security measures are in place including to prevent unauthorised disclosure of personal data.

LINKING

1. The Platform makes use of third party solution providers either via direct sourcing of data or via use of third party applications. Your use of those applications is subject to their own privacy policies, which may be amended from time to time. Our current third party solution providers include but are not limited to:

   Provider	Role	Privacy Notice
   TransUnion	We use TransUnion for payment data, analytics, credit software and other business services. TransUnion collects personally identifiable information when you use a link to send TransUnion an email. If, in that email or any attachment to the email, you voluntarily provide TransUnion with personally identifiable information, TransUnion will collect and store that personal data	https://www.transunion.co.uk/legal/privacy-centre
   Stripe	We use Stripe for payment, analytics, and other business services. Stripe collects identifying information about the devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection.	https://stripe.com/privacy
   GoCardless	We use GoCardless for payment, analytics and other business services. Payments securely processed by GoCardless. GoCardless Ltd (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services. GoCardless uses personal data as described in their Privacy Notice.	https://gocardless.com/legal/privacy
   Onfido	We use Onfido for ID and KYC checks	https://onfido.com/privacy/
   Tink	We use Tink for financial checks authorised by you using Open Banking	https://tink.com/legal/privacy-and-security/
   Trengo	We use Trengo for multi-channel outbound and inbound communications	https://trengo.com/privacy-statement
   Sendgrid	We use Sendgrid for outbound SMS and email communications	https://www.twilio.com/en-us/legal/privacy
   Clicksend	We use Clicksend for outbound SMS and postal communications	https://www.clicksend.com/gb/legal/privacy-policy
   Aircall	We use Aircall for inbound and outbound phone communications	https://aircall.io/en-gb/privacy/
   GCP	We use Google Cloud Platform as our cloud computing software	https://cloud.google.com/terms/cloud-privacy-notice