5. How do we protect your data when we transfer it outside of the UK and EEA? 

Wherever possible, we keep the processing of your personal data to the UK or European Economic Area (“EEA”). However, in certain situations, such as when we share your information with a supplier or subcontractor, your personal data may be transferred outside the UK/EEA. Blumepay always ensures that the same high level of protection applies to your personal data according to the UK GDPR, even when the data is transferred outside of the UK/EEA. Your rights in relation to your personal data (described in Section 2), are not affected when data is transferred outside of the UK/EEA.  

Measures which blumepay uses when transferring personal data outside of the UK/EEA 

Countries outside of the UK/EEA may have laws that allow public authorities to request access to personal data stored in the country for the purpose of combating crime or safeguarding national security. Regardless of whether we or any of our providers process your personal data, we will ensure that a high level of protection is guaranteed when transferring that data and that appropriate protection measures have been taken, in accordance with applicable data protection requirements (such as the UK GDPR). Such appropriate safeguards include, but are not limited to, ensuring: 

• if the European Commission or UK authority has decided that the country outside of the UK/EEA to which your personal data are transferred has an adequate level of protection, which corresponds to the level of protection afforded by the UK GDPR. This means for example that the personal data is still protected from unauthorised disclosure, and that you may still exercise your rights in relation to your personal data, or 

• the European Commission’s standard clauses (with required UK addendums) have been entered into between blumepay and the recipient of the personal data outside the UK/EEA. This means that the recipient guarantees that the level of protection for your personal data afforded by the UK GDPR still applies, and that your rights are still protected. In these cases, we also assess whether there are laws in the recipient country that affects the protection of your personal data. Where necessary, we take technical and organisational measures so that your data remain protected during the transfer to the relevant country outside the UK/EEA, or 

• that the transfer is covered by the EU-US Data Privacy Framework, with the UK extension. This is an opt-in certification scheme for US companies, administered by the US Department of Commerce. This Privacy Framework includes a set of enforceable principles and requirements that must be certified to by the US company, ensuring that your data is still being sufficiently protected. 

6. How we use Profiling and Automated Decision Making 

1. Profiling that does not have a legal or similarly significant effect on you 

“Profiling” means any automated processing of personal data to evaluate certain personal matters, for example, by analysing or predicting your personal preferences such as buying interests, or analysing your financial information.  

The purpose of profiling and the personal data types used are described in detail in section 3 above. The profiling for these purposes does not have a significant impact on you as a customer. 

We use profiling for the following purposes: 

• to assess credit and hire applications for affordability and suitability - this helps us determine whether you can afford the product or service you are applying for 

• to help manage your account by predicting your needs and preferences, ensuring that we provide you with the most relevant services 

• to deliver customised marketing to you across both our own and external platforms and services ensuring that you receive relevant offers and promotions 

2. Automated Decision Making with legal or significant effect on you (ADM) 

Certain decisions in our services are completely automated, without a human being involved, and the decisions made have a legal or similarly significant effect on you. By making such decisions automatically, blumepay increases its objectivity, consistency and transparency in the decision to offer you these services. At the same time, you have the right to object to these decisions. You can read about how to object to these decisions at the end of this section 6. When doing these assessments we utilise machine learning models and artificial intelligence models in order to ensure as high quality as possible in our decisions.   

In the process of these automated decisions that significantly affect you, profiling is performed based on your data. This profiling is made to assess your financial situation (before the decision to offer or grant credit, or initiate a payment), to identify whether your use of our services involves a risk of fraud or money laundering or to decide whether you are liable for a purchase. We profile your user behaviour and financial standing and compare this data with behaviours and conditions that indicate different risk levels for us. 

The different user behaviour and conditions are evaluated and weighted into our automated decision-models, so that we end up with a totalling score, which then results in either accepting or rejecting your use of our Services. We can also choose to request further identification from you, if we are not sure who you are. 

We make this kind of automated decision when we: 

• decide to approve your application, or to offer you, to use a credit service. 

• decide not to approve your application, or not to offer you, to use a credit service. 

These automated credit decisions are based on the data you provide to us, data from external sources such as credit reference agencies, and blumepay’s own internal information about you if we have an existing relationship with you. In addition to information about you, blumepay’s credit model includes a large number of other factors, such as blumepay’s internal credit risk levels and our customers’ general repayment rates. 

• decide whether you pose a risk of fraud, if our processing shows that your behaviour indicates possible fraudulent conduct, that your behaviour is not consistent with previous use of our services, or that you have attempted to conceal your true identity. Automated decisions whereby we assess whether you constitute a fraud risk are based on information you have provided yourself, data from fraud prevention agencies (see section 4 for details of which ones we use), and blumepay’s own internal information. Blumepay continuously develops our fraud models to keep our services secure, and closely investigate how fraudsters operate on different markets. 

• decide whether there is a risk of money laundering, if our processing shows that your behaviour indicates money laundering. In relevant cases, blumepay also investigates whether specific customers are listed on sanction lists. 

• decide whether you are liable for a purchase that you have disputed as “unauthorised” based on whether the information you provide, or we have about the purchase, point towards potential fraudulent behaviour or not. This by comparing what has happened in your case to other transactions indicating fraudulent behaviour. 

If you are not approved under the automated decisions described above, you will not have access to, or will not be able to use blumepay’s services. Blumepay has several safety mechanisms to ensure the decisions are appropriate and fair. These mechanisms include ongoing overviews of our decision models and random sampling in individual cases. If you have any concern about the outcome, you can always contact us, and we will determine whether the procedure was performed appropriately. You can also object in accordance with the following instructions. 

You always have the right to object to an automated decision with legal consequences or decisions which can otherwise significantly affect you (together with the relevant profiling) by sending an e-mail message to blumepaylegal@libertyglobal.com. A blumepay employee will then review the decision, taking into account any additional information and circumstances that you provide to us. 

7. How long do we keep your personal data? 

How long blumepay stores your personal data depends on the purposes for which blumepay uses the personal data.  See the table in Section 3 for detailed information about how long we keep your data for in relation to each purpose. 

• Personal data used for the contractual relationship between you and blumepay is generally stored for the duration of the contractual relationship and thereafter for a maximum of up to 6 years based on statutes of limitations rules.  However, on termination of your contract with us, we undertake reviews of the data we hold and, in accordance with our retention policies, delete, mask, anonymise or archive relevant personal data so that you can be assured we only retain data that is justified. 

• Personal data that blumepay is under a legal obligation to retain, for example under anti-money laundering laws, is generally retained for 6 years. 

• We process the recordings of telephone conversations for a time period of at least 6 months for quality assurance purposes.  All recordings are transcribed and the recordings are then deleted. 

• Personal data which is not used for the purposes of your contractual relationship with blumepay or where blumepay does not have a legal obligation to retain the data is only retained as long as necessary to fulfil the respective purpose for our data processing. 

8. Your rights in relation to your data and how to exercise them. 

You have several rights under the UK GDPR related to you having control of your personal data and to receive information directly from us on how we process personal data about you. In the following you can read about your rights. To exercise any of your rights, you can email us at blumepaylegal@libertyglobal.com.  Please include your telephone number and if applicable your Account/Agreement number (on your statement) on any correspondence and we’ll contact you by phone to verify your identify and go through the details of your request. 

Your rights 

• Right to have personal data deleted (“Right to be forgotten”). In some cases, you have the right to have us delete personal data about you.  

• Right to be informed. You have the right to be informed of how we process your personal data. We do this through this privacy notice, and by answering your questions. 

• Right to receive access to your personal data (“Data Subject access”). You have the right to know if blumepay processes personal data about you, and to receive a copy of such data, known as data subject access. Your right of access may be limited in some cases by laws and regulations. This is the case with regulation relating to anti-money laundering and countering the financing of terrorism, which prohibits us from giving you direct access to your personal data processed for this purpose. 

• Right to access, and request a transfer, of your personal data to another recipient (“Data portability”). This right means that you can request a copy of the personal data relating to you that blumepay holds for the performance of a contract with you, or based on your consent, in a machine-readable format. This will allow you to use this data somewhere else, for example to transfer your personal data to another controller/recipient.  

• Right to rectification. You have the right to request that we rectify inaccurate information or complete information about you that you consider is inaccurate or incomplete. 

• Right to restrict processing. If you believe that your personal data is inaccurate, that our processing is unlawful or that we do not need the information for a specific purpose, you have the right to request that we restrict the processing of such personal data. You also have the possibility to request that we stop processing your personal data while we assess your request. If you object to our processing per your right described directly below, you may also request us to restrict processing of that personal data while we make our assessment. 

• Right to object against our processing of your personal data. You have the right to object to processing of your personal data which is based on our legitimate interest (Article 6(1)(f) UK GDPR), by referencing your personal circumstances. You can also always object to our use of your personal data for direct marketing purposes. When you let us know that you no longer wish to receive direct marketing from us, we will turn off marketing for you, and stop sending it to you. 

• Right to object to an automated decision that significantly affects you. You have the right to object to an automated decision made by blumepay if the decision produces legal effects or significantly affects you in a similar way. See Section 6 on how blumepay makes use of automated decisions. 

• Right to withdraw your consent. Where we process your personal data based on your consent or explicit consent, you have the right to revoke that consent at any time. When you revoke your consent we will stop processing your data for such purposes.  To revoke your consent, email us at blumepaylegal@libertyglobal.com  

• Right to lodge a complaint. If you have complaints about blumepay’s processing of your personal data, you may lodge a complaint with (the Information Commissioner’s office (the UK’s data protection authority), which can be reached using this link: https://ico.org.uk/. 

9. How we use cookies and other types of tracking technology 

Please visit our Cookies Notice for information about how we use cookies and other tracking technologies in the provision of our services. [xxx]. 

10. Do you want to contact us? 

The Company processing your data is Liberty Global Financial Solutions Ltd (trading as ‘blumepay’), with registered company address: 

120 King’s Road, London, SW3 4TR, United Kingdom.

You can contact our Data Protection Officer by writing to the following address: 

blumepay Data Protection Officer 
120 Kings Road 
London 
SW3 4TR 

If you are unhappy with how we have used your personal information, you can contact us  via email. 

blumepaylegal@libertyglobal.com 

11. Updates to our Privacy Statement 

We may make changes to this Privacy Notice, to adjust it to new services and market updates. In that case, we will publish any new version of this Privacy Notice on our website.