Canopy Privacy Policy

Dated: 8th May 2018

PLEASE READ THIS POLICY CAREFULLY BEFORE USING CANOPY’S SERVICES

Protecting your data, privacy and personal information is very important to InsureStreet Limited (trading as Canopy) (“Canopy”, “us”, “our” or “we”). It is vitally important to us that our customers feel secure when using the Services.

This policy (together with our terms of use at https://findyourcanopy.com/terms-of-service/ and any other documents referred to in it), sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by Canopy. Please read this privacy policy carefully to understand the types of information we collect from you, how we use that information, the circumstances under which we will share it with third parties, and your rights in relation to the personal data you provide to us.

When visiting Canopy’s website at https://findyourcanopy.com/ (our “Website”), using our application: “Canopy” (our “App”) or using any of the services offered via the Website or the App (the “Services”), you will be asked to indicate your acknowledgment of, and where applicable your consent to, the practices described in this policy.

Our Website contains links to third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third-party websites.

Information we may collect
.We may collect and process the following data about you:

Information that you provide to us.
You will be asked to provide us with your information when you:

  • fill in forms on our Website or App, or correspond with us by phone, email or otherwise;
  • register to use our Services, subscribe to our newsletter, promotional emails or other marketing materials;
  • use the Services;
  • report a problem with our Services; or
  • complete any surveys we ask you to fill in that we use for research purposes (although you do not have to respond to these if you do not want to).

The information you will be asked to provide to us for these purposes will include your name, address, previous addresses (up to three years), date of birth, nationality, e-mail address, gross income, pay slips, references from landlords, phone number, national insurance number, passport number, credit records, personal description and photograph, payment details and banking and open banking information, or further information required to verify your identity, rent affordability assessment, provide access to financial and non-financial products including tracking your rental payments.

Information we collect about you.
With regard to each of your visits to our Website or our App we may automatically collect the following information; however, this information cannot be used to identify you:

  • device-specific information, such as your hardware model, operating system version, unique device identifiers, and mobile network information;
  • technical information about your computer, including where available, your IP address, operating system and browser type, for system administration and analytical purposes;
  • details of your visits to our Website and App, including the full Uniform Resource Locators (URL) clickstream to, through and from our Website and App (including date and time), length of visits to certain pages, and page interaction information (such as scrolling, clicks, and mouse-overs); and
  • information showing us from which app store you downloaded our App.

Information we receive from other sources.
When using our Services, we will be in contact with third parties who may provide us with certain information about you in order to enable your use of the Services.

If when using our Services you input any personal data of a third party, you must have obtained clear permission from the individuals whose data you provide us with before sharing that data with us.

For the avoidance of any doubt, any reference in this privacy policy to your data shall include data about other individuals that you have provided us with.

How we use your information and justification of use.
Use of personal information under EU data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the ground in respect of each use of your personal data in this policy. These are the principal grounds that justify our use of your information:

  • Consent: where you have consented to our use of your information (you are providing explicit, informed, freely given consent, in relation to any such use and may withdraw your consent in the circumstance detailed below by notifying us);
  • Contract performance: where your information is necessary to enter into or perform our contract with you;
  • Legal obligation: where we need to use your information to comply with our legal obligations;
  • Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights; and
  • Legal claims: where your information if necessary for us to defend, prosecute or make a claim against you or a third party.

We use information held about you (and information about others that you have provided us with) in the following ways:

APPLICABLE TO ALL USERS:

Types of Information Collected

(a) Email address, name

(b) Email address, name

(c) Email address

Uses of that Information

(a) To provide you with access to our Website, App and any other information which you request from us, and to use our Services.

(b) For marketing products and services that we believe will be of interest to you.

(c) To notify you about changes to our Services.

Use Justification

(a) Contract performance

(b) Legitimate interest (for marketing our own similar products and services and any re-engagement campaigns)
Consent (for marketing unrelated products or services or products or services of third parties).

(c) Legitimate interests (to update our Services from time to time)

APPLICABLE TO RENTERS:

Types of Information Collected

(a) Email address, name, date of birth, current address and previous addresses

(b) Information from linked accounts such as social networking sites

(c) Identity confirmation, right to reside in the UK, date of birth, current and previous addresses, gross income, pay slips, credit records, payment details, banking and open banking information, education history employment history, legal and regulatory warnings issued against you, and your appearance on any global watchlists

(d) Email address, name

(e) Email address, name, payment details and bank account information

(f) Email address

Uses of that Information

(a) To provide you with access to our Website, App and any other information which you request from us, and to use our Services.

(b) To administer our Services and identify more appropriate products and services that we may be of interest to you.

(c) To provide you with the Services, specifically our RentPassportTM (which is your digital renter identity and rental history, which you can share with Landlords) and our TrustScoreTM based on the information you provide to us. This includes using an artificially defined algorithm in order to create you TrustScoreTM. The same information will be used to identify a range of personalised insurance non-insurance based services which are tailored to you.

(d) For marketing products and services that we believe will be of interest to you.

(e) To administer our Services including payment processing services such as MangoPay and for internal operations, including research, data analysis and data statistics, and to create derived, anonymised and aggregated data to improve our Services.

(f) To notify you about changes to our Services.

Use Justification

(a) Contract performance

(b) Consent

(c) Legitimate interests; consent (in respect of open banking information); contract performance (to the extent required to provide the services e.g. to track rental payments or Renter income verification as required by Landlords / Agents before a rental contract between Agent / Landlord and Renter can be executed)

(d) Legitimate interest (for marketing our own similar products and services and any re-engagement campaigns)
Consent (for marketing unrelated products or services or products or services of third parties).

(e) Contract performance (in respect of payment processing); Legitimate interests (to administer and improve our Services)

(f) Legitimate interests (to update our Services from time to time)

APPLICABLE TO LANDLORDS / Build-2-Rent (Institutional Landlords)

Types of Information Collected

(a) Email address, name

(b) Email address, name

(c) Email address, name, payment details and bank account information

(d) Email address

Uses of that Information

(a) To provide you with access to our Website, App (including having a Canopy Account) and any other information which you request from us, and to use our Services.

(b) For marketing products and services that we believe will be of interest to you.

(c) To administer our Services including Renter Screening services, payment processing services such as MangoPay and for internal operations, including research, data analysis and data statistics, and to create derived, anonymized and aggregated data to improve our Services.

(d) To notify you about changes to our Services.

Use Justification

(a) Contract performance

(b) Legitimate interest (for marketing our own similar products and services and any re-engagement campaigns)
Consent (for marketing unrelated products or services or products or services of third parties).

(c) Contract performance (in respect of Renter screening, payment processing); Legitimate interests (to administer and improve our Services)

(d) Legitimate interests (to update our Services from time to time)

We will not sell your personal data (or any other data you provide us with) to third-parties, however, we reserve the right to share any data, which has been anonymised and/or aggregated. You acknowledge and accept that we own all right, title and interest in and to any derived data or aggregated and/or anonymised data collected or created by us.

Marketing

We may use information for marketing products and services to you in the following ways:

Type of marketing activity

(a) Newsletters and marketing emails relating to our own similar services and products. Where required by law, we will ask for your consent at the time we collect your data to conduct any of these types of marketing.

(b) To send you details about unrelated services or products or special offers and discounts which are being provided by our selected business partners. Where required by law, we will ask your consent at the time we collect your data to conduct any of these types of marketing.

Use Justification

(a) Legitimate interest (to market our products and services - you have the right to unsubscribe at any time)

(b) Consent (which can be withdrawn at any time)

We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us.

Where we store your personal information
The personal data that we collect from you (including email addresses that form part of our prospective marketing database) is processed in the European Economic Area (“EEA”) and stored on Amazon Web Services (Europe) Cloud Servers This data may however be processed by staff operating outside of the EEA who work for us or for one of our business partners or service providers. A full list of our third party sub-processors and details of their privacy policies can be found here: findyourcanopy.com/partnerprivacy. Countries outside the EEA may not provide the same level of adequate protection for the rights and freedoms of data subjects in relation to the processing of personal data. In countries which do not provide appropriate safeguards, we shall transfer your data subject only to your consent except for transfers to and from: (i) any country with a valid adequacy decision from the European Commission; or (ii) any organisation which ensures an adequate level of protection in accordance with applicable data protection laws.

Your passwords are stored on Canopy’s servers in encrypted form. We do not disclose your account details. It is your responsibility to keep your password secure. Unfortunately, the transmission of information via the internet is not completely secure. Although Canopy will do its best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website, any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent any unauthorised access.

Please contact us if you would like further details on the specific safeguards applied to the export of your personal information outside EEA.

Disclosure of your information
We may also disclose your personal information to third parties in the following circumstances:

Purpose of disclosure and third party(s) to which disclosure might be made

(a) We may disclose your personal information to our service providers and business partners, including payments processors, database tool providers and insurance providers (to assist us in performing any contract we enter into with them or you, including providing the Website and the Services it enables), analytics providers, (to assist us in the improvement and optimisation of the Website) and/or a member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

We also share your personal information with third party payment processor MangoPay which manages payment of rent, splitting bills between tenants and facilitates a pay-as-you-go service for Renters. Further information in relation to MangoPay can be found in our terms of service: https://findyourcanopy.com/terms-of-service/.

(b) If we sell or buy any business or assets, we may disclose your personal information to the prospective seller or buyer of such business or assets.

(c) If Canopy or substantially all of its assets are acquired by a third party, personal information about our customers will be one of the transferred assets.

(d) If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property, or safety of Canopy, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

(e) Fraud Prevention and other checks. We and other organisations may also access and use your personal information to conduct credit checks and checks to prevent fraud. If false or accurate information is provided and fraud is identified or suspected, details may be passed to fraud prevent agencies.

(f) We may disclose your personal information to third parties, the court service and/or regulators or law enforcement agencies in connection with proceedings or investigations anywhere in the world where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.

(g) As a Renter we will share your following personal information with Letting Agents and Landlords: name, email address, date of birth, previous and current addresses (up to three years), nationality, TrustScoreTM, income, country court judgments, any insolvency issues, mortality, legal and regulatory warnings, if politically exposed person, subject to international financial sanctions and RentPassportTM information.

As a Landlord we will share your following personal information with Renters and Letting Agents: name, email address, bank account information for payments.

As a Letting Agent, Build-2-Rent Operator we will share your following personal information with Renters and Landlords: name, email address, bank account information for payments (including branch address).

(h) As part of our Services, we offer Renters a service provided by Experian Limited of Sir John Peace Building, Experian Way, NG2 Business Park, Nottingham, NG80 1ZZ, with company number 653331 (“Experian”) which processes rental data through a rental exchange database tool. We will share your personal information (banking and rental payment information) with Experian if you permit us to do so by authorising rent tracking through your Canopy Account. If you request to stop rent tracking through your Canopy Account we shall notify Experian of your request. We are not responsible for, and take no liability for, the acts and omissions of Experian. Experian’s privacy policy shall apply to their processing and can be found here: https://www.experian.co.uk/consumer/privacy.html.

(i) As part of our Services, we offer Renters a service provided by TrueLayer Limited (“TrueLayer”) which provides us with a portal through which Renters can authorise TrueLayer to share Renter’s information with us and Experian. Once we receive such information, we shall process such personal data in accordance with this privacy policy. We are not responsible for, and take no liability for, the acts and omissions of TrueLayer. TrueLayer’s privacy policy shall apply to their processing and can be found here: https://truelayer.com/privacy.

Use Justification

(a) Contract performance, legitimate interest, (to allow our Service providers to provide the necessary services).

(b) Legitimate interest (to sell our business or assets); and where required by applicable law, consent (for sensitive personal data).

(c) Legitimate interest (to sell our business or assets); and where required by applicable law, consent (for sensitive personal data).

(d) Legal obligation.

(e) Legitimate interest (to assist with the prevention of fraud and to assess your risk profile).

(f) Legal obligation (to cooperate with law enforcement and regulatory authorities).

(g) Consent.

(h) Consent.

(i) Consent.

How long we retain your personal data
We will hold the above information for as long as is necessary in order to provide you with the Services, deal with any specific issues that may raise, or otherwise as is required by law or any relevant regulatory body. Once your account is terminated or deactivated, we shall delete the personal data relating to your account within 72 hrs. If your account is inactive for 2 years, we may contact you to assess whether you want to continue to use the Services. Some personal data may need to be retained for longer than this (a minimum of 5 years) to ensure Canopy can comply with applicable laws, regulatory requirements and internal compliance procedures, including retaining your email address for marketing communication suppression if you have opted not to receive any further marketing.

If information is used for two purposes, we will retain it until the purpose with the latest period expires but we will stop using it for the purpose with a shorter period when that period expires.

We restrict access to your personal information to those persons who need to use it for the relevant purpose(s). Our retention periods are based on business needs and your information that is no longer needed is either irreversibly anonymized (and the anonymized information may be retained) or securely destroyed.

Your rights
Under the General Data Protection Regulation (EU) 2017/676, you have various rights in relation to your personal data. All of these rights can be exercised by contacting us at [email protected]

You have the following rights in relation to your personal data:

Rights

(a) Right to Rectification

(b) Right to erasure / ‘Right to be forgotten’

(c) Right to restriction of processing

(d) Right to data portability

(e) Right to complain

(f) Right to object to discussions based solely on automated processing

Right of Access

You have the right to obtain from us information as to whether your personal data is being processed, and, where that is the case, access to such personal data.

Details

(a) We will use reasonable endeavors to ensure that your personal information is accurate. In order to assist us with this, you should notify us of any changes to the personal information that you have provided to us by sending us a request to rectify your personal data where you believe the personal data we have is inaccurate or incomplete.

(b) Asking us to delete all of your personal data will result in Canopy deleting your personal data without undue delay (unless there is a legitimate and legal reason why Canopy is unable to delete certain of your personal data, in which case we will inform you of this in writing).

(c) You have the right to ask us to stop processing your personal data at any time.

(d) You have the right to request that Canopy provides you with a copy of all of your personal data and to transmit your personal data to another data controller in a structured, commonly used and machine-readable format, where it is technically feasible for us to do so.

(e) You have the right to lodge a complaint to a supervisory authority such as the Information Commissioner’s Office in the UK (see www.ico.org.uk). Although we encourage our customers to engage with us in the event they have any concerns or complaints.

(f) You have the right to not be subject to a decision based solely on automated processing which produces legal effects concerning your or similarly significant effects and to obtain human intervention, to express your point of view or contest the decision.

Canopy will not ordinarily charge you in respect of any requests we receive to exercise any of your rights detailed above; however, if you make excessive, repetitive or manifestly unfounded requests, we may charge you an administration fee in order to process such requests or refuse to act on such requests. Where we are required to provide a copy of the personal data undergoing processing this will be free of charge; however, any further copies requested may be subject to reasonable fees based on administrative costs.

Asking us to stop processing your personal data or deleting your personal data will likely mean that you are no longer able to use Canopy’s Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete, which may result in you no longer being able to use the Services.

Where you request Canopy to rectify or erase your personal data or restrict any processing of such personal data, Canopy may notify third parties to whom such personal data has been disclosed of such request. However, such third party may have the right to retain and continue to process such personal data in its own right, for example payment processing or insurance companies.

Changes to this policy
Any changes we make to our privacy policy in the future will be posted on this page, and where appropriate, notified to you by email or notifications via the App. We therefore encourage you to review it from time to time to stay informed of how we are processing your information.

Contact
Questions, comments and requests regarding this privacy policy are welcome and should be addressed to [email protected].

For the purpose of the relevant data protection legislation, the data controller is InsureStreet Limited (trading as Canopy) (company no. 10287920) with registered address at Jag Shaw Baker, 5th Floor Berners House, 47-48 Berners Street, London, W1T 3NF.

Our data protection officer is Curran McKay, Director of Business Development.

Cookie
Canopy uses cookies to distinguish you from other users. This helps us provide you with a good experience when you use our Website, and also allows us to improve our Services. Please note that it is possible to disable cookies being stored on your computer by changing your browser settings. However, our Website may not perform properly or some features may not be available to you if you disable cookies.

For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy at https://findyourcanopy.com/cookie-policy.

Appendix A

NOTICE FOR NEW TENANCIES

In order to process your application, we may perform credit and identity checks with Experian. Where you take services from us we may also make periodic searches with Experian to manage your account with us. 

To do this, we will supply your personal information to Experian and they will give us information about you. This will include information from your application and about your financial situation and financial history. Experian will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

  • Assess your creditworthiness and whether you can afford to take the product;
  • Verify the accuracy of the data you have provided to us;
  • Prevent criminal activity, fraud and money laundering;
  • Manage your account(s);
  • Trace and recover debts; and
  • Ensure any offers provided to you are appropriate to your circumstances.

When Experian receive a search from us they will place a search footprint on your credit file that may be seen by other organisations.

We have teamed up with Experian to take part in The Rental Exchange. The Rental Exchange is a way to strengthen your credit report without you needing to take on new credit. The scheme enables us to share details about the rent you pay with Experian on a monthly basis. This is then included in your credit report, meaning you will then be recognised for paying your rent on time.

Homeowners with a mortgage have an advantage as their mortgage payment history can count towards their credit history and we strongly believe that your rent payment history should be used in the same way to help you access more affordable credit. There is a legitimate interest in the sharing of data into Rental Exchange for these purposes, which forms our legal ground for the sharing of this data into the Rental Exchange. Organisations who share data into Rental Exchange will have a legitimate interest in being able to make use of this data to support better informed tenancy decisions.

Not only will we be able to work with you more closely to manage your existing tenancy agreement, your track record as a tenant will enable Experian to use the information supplied to them to assist other landlords and organisations to:

  • assess and manage any new tenancy agreements you may enter into;
  • assess your financial standing to provide you with suitable products and services;
  • manage any accounts that you may already hold, for example reviewing suitable products or adjusting your product in light of your current circumstances;
  • contact you in relation to any accounts you may have and recovering debts that you may owe;
  • verifying your identity, age and address, to help other organisations make decisions about the services they offer;
  • help to prevent crime, fraud and money laundering;
  • screen marketing offers to make sure they are appropriate to your circumstances;
  • for Experian to undertake statistical analysis, analytics and profiling,
  • and for Experian to conduct system and product testing and database processing activities, such as data loading, data matching and data linkage.

If you would like to see more information on these, and to understand how the credit reference agencies each use and share rental data as bureau data (including the legitimate interests each pursues) this information is provided in this link: www.experian.co.uk/crain (Credit Reference Agency Information Notice (CRAIN)). (For a paper copy, please get in touch with us or with Experian using the contact details in this letter).

We will continue to exchange information about you with Experian while you have a relationship with us. We will also inform Experian when your tenancy has ended and if you have outstanding rental arrears Experian will record this outstanding debt. This information may be supplied to other organisations by Experian.

Experian will hold your rental data for the time limits explained in CRAIN (section 7). Rental data falls into the Identifiers (e.g. your name, address, date of birth) and financial account categories (i.e. tenancy account, rental payment information).

We and Experian will ensure that your information is treated in accordance with UK data protection law, so you can have peace of mind that it will be kept secure and confidential and your information will not be used for prospect marketing purposes.

If you would like advice on how to improve your credit history you can access independent and impartial advice from www.moneyadviceservice.org.uk (you can get a copy of your Statutory Credit Report by visiting www.experian.co.uk/consumer/statutory-report).

If you are unhappy with anything relating to Rental Exchange, please contact us on the contact details above. You also have the ability to get in touch with the Information Commissioner’s Office. More information about this can be found using this link here: https://ico.org.uk/concerns/.