Effective Date: 19 May 2018
Introduction and Purpose
Prodigy Finance Limited of Palladium House, 1-4 Argyll Street, London, W1F 7LD, United Kingdom (Company No. 5912562) (“Prodigy Finance” or “we” or “us”) is committed to protecting and respecting your privacy. Our United Kingdom Data Protection registration number is Z9851854. Prodigy Finance acts as a lender and administrator of loans. In the United Kingdom it acts as a consumer credit broker and administers loans, funded by alumni, universities, financial institutions and others (the “Lenders”).
Our full details are:
Full name of legal entity: Prodigy Finance Limited
Email address: email@example.com
Postal address: Hardy House, 16-18 Beak Street, W1F 9RD, London
Telephone number: +44 20 7193 2832
You have the right to make a complaint at any time to the Data Commissioner’s Office (ICO), the United Kingdom supervisory authority for data protection issues (https://ico.org.uk/). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Table of Contents
- What Personal Data we collect
- Updating your Personal Data
- How we collect your Personal Data
- Where we store your Personal Data
- How we use your Personal Data
- Disclosure of your Personal Data
- Data Retention
- Fraud prevention agencies and credit agencies
- Your rights with respect to your Personal Data
- Community Lending
- Children’s Privacy
- Do Not Track
1. What Personal Data we collect
Personal Data means any information or data about an individual from which that person can be identified. It does not include data or information where the identity has been removed (anonymous data).
Prodigy Finance may collect and process the following information about you (together “Personal Data”) through your use of the Site or Services:
- information that you provide by filling in forms on our Site, which may include personal information provided at the time of registering for an account, subscribing to our Services, applying for employment with us, participating in surveys, competitions or other programs, posting material, or requesting further Services or any personal information we request when you report a problem with our Site;
- information about your income, expenses, assets, debts, account balances, or payment history;
- your contact details, including your email address, physical address, telephone numbers, and (where applicable) the contact details of your next of kin;
- copies of passports or other identification evidence that you provide;
- a photograph that you provide;
- records of any correspondence between you and us;
- records of any surveys that we may ask you to complete that we use for research purposes, although you do not have to respond to them;
- details of transactions you carry out through our Site and of the fulfillment of your loan repayments;
- your citizenship or country of residence or similar data;
- information relating to any criminal proceedings in which you have been involved;
- credit checks to comply with obligations to assess your creditworthiness;
- information relating to your performance of any obligations under any loan we make to you; and
- any other information that you choose to provide to us or that you consent to us collecting.
We may also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your Personal Data but is not considered Personal Data in law as this data does not directly or indirectly reveal your identity. Except in extreme circumstances such as death or a medical illness and only if there is a Legitimate Business Interest (see definition in section 5) for us to do so, we do not collect any special categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, data about your health and genetic and biometric data).
Personal Data may be given to us directly by you or by people or companies authorized by you to act on your behalf (for example, a potential lender, a university, or an alumni association you are a member of). We may also collect Personal Data about you from third parties in connection with our Services (for example, a credit reporting agency). No Personal Data about you will be collected without your consent for us to do so.
Where we need to collect Personal Data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with the Services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
Please note that you are not required to provide any Personal Data for publication on the public areas of our Site.
2. Updating your Personal Data
You must notify us by emailing firstname.lastname@example.org within thirty days of any change in your name, physical address, telephone number, email address, or any other information that is necessary for us to provide Services to you.
You must also immediately notify us of your withdrawal or dismissal from your university or school.
3. How we collect your Personal Data
We use different methods to collect Personal Data from and about you including through:
Direct interactions. You may give us your Personal Data by corresponding with us by post, phone, email or otherwise. This includes Personal Data you provide when you:
- apply for any of the Services;
- create an account on our website;
- subscribe to our publications;
- request marketing to be sent to you;
- apply for employment with us;
- enter a competition, promotion or survey; or
-give us some feedback.
We may use third-party service providers that collect data about users over time and across different websites in order to serve advertisements on our behalf that are more targeted and relevant to your interests. Prodigy Finance complies with the Digital Advertising Alliance (“DAA”) Principles for Online Behavioral Advertising. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly, such as by clicking on the “Ad Choices” icon in or around the advertisement. The DAA provides a single location where you can opt out of certain types of data collection and use or out of receiving targeted ads from member companies. To opt out, please visit www.aboutads.info to exercise choice with respect to participants of the DAA.
We also use Google Analytics, which is a service provided by Google. Google utilizes the data collected to track and examine the use of our Site and may share this data with other Google services. You can learn more about Google’s privacy practices by visiting their website at http://www.google.com/policies/privacy/partners/.
Similarly, our Site may, from time to time, contain links to and from the websites of our partner networks, advertisers, or affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any Personal Data to these websites.
- Credit Reference Agencies. In order to process your application, we may perform credit and identity checks on you with one or more credit reference agencies (“CRAs”). See section 8 for further detail.
4. Where we store your Personal Data
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. The transmission of Personal Data via the Internet is not completely secure and, while we will do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted to our Site; any transmission is at your own risk.
5. How we use your Personal Data
Prodigy Finance acts as a Data Controller when using your Personal Data in providing you with Services and as a Data Processor on behalf of the Lenders.
We use Personal Data held about you in the following ways:
- to ensure that content from our Site is presented in the most effective manner for you and for your computer;
- to provide you with data about our Services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes;
- for statistical analysis or market research;
- to develop and improve our Services;
- to update our records;
- to identify which of our, or others’, products or services might interest you;
- to assess lending and insurance risks;
- to arrange, underwrite, and administer insurance and handle claims;
- to detect, investigate, prevent, or tackle illegal activities, fraud, or situations involving potential threats to the rights, property, or personal safety of any person;
- to ensure our compliance with applicable laws and regulations;
- to carry out our obligations arising from and exercise our rights under any agreements between you and us;
- to allow you to participate in interactive features of our Services, when you choose to do so;
- to notify you about changes to our Services;
- to provide you with customer service;
- for any Legitimate Business Interest (defined below) permitted by law;
- to process and assess your application for employment with us; and
- in any other way that you have specifically consented to.
A “Legitimate Business Interest” means the interest of our business in conducting and managing our business to enable us to give you the best service or product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
6. Disclosure of your Personal Data
We may disclose your Personal Data to a parent company, affiliates, franchisees, subsidiaries, joint ventures, or other companies under common control with us, based in the United Kingdom, in any part of the European Economic Area (EEA), or elsewhere. We ensure your Personal Data is protected by requiring all our group companies to follow the same rules when processing your personal data. We transfer Personal Data to South Africa and India for processing. The ICO is aware of this transfer and we have ensured that the recipient parties (including our subsidiary in South Africa) comply with the relevant United Kingdom data privacy laws.
We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions. Some of our external third parties are based outside the EEA so their processing of your Personal Data will involve a transfer of data outside the EEA. Whenever we transfer your Personal Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission.
- Where we use certain service providers outside the EEA, we have ensured that each of these specific contracts are in line with standards prescribed by the European Commission or where required include model clauses which give Personal Data the same protection it has in Europe.
- Where we use providers based in the United States, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to Personal Data shared between the Europe and the United States.
Please contact us at email@example.com if you want further information on the specific mechanisms used by us when transferring your Personal Data outside of the EEA or if you would like details on third parties outside the EEA with whom we share your Personal Data.
- in connection with a merger, acquisition, consolidation, change of control, sale of all or a portion of our assets, if we undergo bankruptcy or liquidation, or in connection with any other corporate change;
- in our discussions with potential Lenders or investors, in which case we may disclose your Personal Data to such prospective Lenders or investors;
- if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation; in order to enforce or apply any agreements we have entered with you; or to protect the rights, property, or safety of Prodigy Finance, our customers, or others, including exchanging Personal Data with other companies and organizations for the purposes of fraud protection and credit risk reduction;
- if you request or give your permission for us to do so;
- to a credit reporting agency or CRA (see section 8) or other third-party service provider to check your identity and to prevent fraud;
- to tell credit reporting agencies that you have an account and how you run that account;
- to a school or university to confirm the details of your loan/(s) with us;
- to a 3rd party service provider for the purpose of obtaining or verifying a particular category of information, including for example your academic records, Graduate Management Admission Test (GMAT) score and contact information;
- to our service providers or Lenders’ service providers, whose services may include any part of the origination or lending process, operating the lending and collections business, or obtaining payments under the loan;
- to investigate, prevent, or detect fraud, money laundering, or other illegal activities;
- to a loan broker in the event that Prodigy Finance is not able to provide you with the Services you applied for, and Prodigy Finance reasonably believes that the loan broker may be able to help you obtain a loan;
- for audit purposes and to meet obligations to any relevant regulatory authority or taxing authority; and
- to search engines and social profile networks for advertising and marketing purposes.
7. Data Retention
To ensure fair processing, Personal Data will not be retained by us for longer than necessary in relation to the purposes for which it was originally collected. To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which it was processed and whether the purpose can be achieved through other means as well as the applicable legal requirements.We categorise any identified or identifiable individual person or “Data Subject” into:
someone that has successfully completed an application for a loan and received funding from us or an application for a bond investment product;
someone that has created an account or registered on the platform (and has no other products with Prodigy causing him or her to fall within category 1), but who’s application is in a state other than disbursed or settled due to:
- it having been deemed unsuccessful;
- it having been withdrawn by the Data Subject; or
- it currently being in a pending state.
someone that has applied for employment with us and submitted his/her CV and supporting documents through the Site; or
a visitor to our Site.
In the case of category 1, we will retain all Personal Data for a period of 6 years subsequent to the account having been settled or the completion of the bond investment term. In the case of categories 2 and 3, we will retain all Personal Data for a period of 3 years unless the Data Subject formally requests that their Personal Data be erased. In the case of 4, we collect the visitor’s IP Address for security and audit tracking purposes as well as maintaining digital records of what the visitor did on the website. This data is retained for a period of 90 days.
In some circumstances you can ask us to delete your Personal Data (see Right to Erasure in section 9 below for further information). We may anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
8. Fraud prevention and credit agencies
In order to process your application, we may perform credit and identity checks on you with one or more credit reference agencies (“CRAs”). To do this, we will supply your Personal Data to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
- assess your creditworthiness and whether you can afford a Prodigy Loan or related Service;
- verify the accuracy of the data you have provided to us;
- prevent criminal activity, fraud and money laundering for example, when:
- checking details on applications for credit and credit related or other facilities;
- managing credit and credit-related accounts or facilities; and
- checking details of job applicants and employees.
- manage your account(s);
- trace and recover debts; and
- ensure any offers provided to you are appropriate to your circumstances.
We will continue to exchange Personal Data about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. Importantly, we will only be sharing information about your debt with us and your repayment thereof with CRAs in the jurisdiction that, according to our records, you are resident in. If you would like CRAs in other jurisdiction to also receive this information, you need to arrange that yourself.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders. The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share Personal Data, data retention periods and your data protection rights with the CRAs are explained in more detail at www.callcredit.co.uk/crain.
Any CRA we use for a search will keep a record of any search, and other lenders may use it to assess applications they receive from you in the future. As a general rule, we will give you at least 28 days’ notice of any decision to file notice on your credit reference file of any default by you in your obligation to make repayments. However, we may not always give you notice beforehand, for example, if an enforcement action is planned.
If you are attending a school in the United States or are a United States resident at the time of making the loan application, then the provisions relating to credit reference and fraud agencies consumer reporting agencies and fraud prevention services shall be set out in the loan agreement that we enter into with you and other legal disclosures that we provide to you.
9. Your rights with respect to your Personal Data
You have the right to:
Request access to your personal data by making a data subject access request. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it. Access requests may be subject to a fee to meet our costs in providing you with details of the Personal Data we hold about you in accordance with the provisions of the Data Protection Act 1998 (as amended).
Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. Please advise us of any changes by emailing firstname.lastname@example.org or by updating your profile online on https://prodigyfinance.com.
Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your Personal Data where we are relying on a Legitimate Business Interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have Legitimate Business Interest to process your information which override your rights and freedoms.
Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us at email@example.com.
The manner in which we use Personal Data for marketing purposes in the United States is set out in our Privacy Notice (LINK). We will usually inform you (before collecting your Personal Data) if we intend to use your Personal Data for such purposes or if we intend to disclose your Personal Data to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data or by contacting us.
10. Community Lending
Prodigy Finance may communicate with your university to verify your most recent physical address and contact details during the servicing of your loan.
11. Children’s Privacy
Our Site is not intended for use by children. We do not knowingly collect Personal Data from children under the age of 13 years. If we become aware that a child under 13 years of age has provided us with Personal Data, we take immediate steps to delete such Personal Data.
12. Do Not Track
The Site is not currently configured to respond to Do Not Track signals sent by Internet browsers.
You agree that we may call you, leave you a message, or send you a text, email, or other electronic message for any purpose related to your expression of interest in our Site, your loan with us, our Services, or surveys or research (each a “Communication”), to the extent permissible by law. You agree that we may call or text you at any telephone number associated with your loan, including cellular telephone numbers and may send an email to any email address associated with your loan. You also agree that we may include your Personal Data in a Communication. In addition, you understand and agree that we may communicate with you in any manner permissible by law that does not require your prior consent.