Version 4.0, 21 November 2022
Coconut (“we”, “us”, “our”) takes your privacy seriously and we are committed to best practices in respect of your personal data and complying with data protection laws.
This policy applies to Coconut as a whole, including our website and mobile app, and is written for visitors to our website and our prospective and existing customers. This policy also applies to various storage media, including physical and digital.
Coconut is a company registered in England and Wales with number 09904418 (our registered name is Coconut Platform Ltd). Our registered office is 27 Old Gloucester Street, London WC1N 3AX.
We deliver the Coconut product and service, including designing and developing the Coconut app and providing ongoing customer support.
In respect of GDPR, we are the data controller, meaning we collect your personal information and choose how to process it and who we need to share it with for further processing.
In order to offer our service, which is to operate, maintain and support our current account, we need to collect various personal data for various reasons. These reasons are:
The following summarises which data is collected and on which bases it is processed:
We use an Account Information Services Provider (Truelayer) to connect your other accounts to Coconut. When you connect, Truelayer gains read-only access and stores transaction data associated with the connected accounts. This lets us display your account information and transactions within Coconut. All your details are encrypted and protected by bank level security.
Personal information will only be collected directly and voluntarily from you as part of the sign up or as a result of transactions relating to your accounts and card connected to Coconut.
We store your data primarily in the European Economic Area (EEA); however, there are some aspects of operating our service that require us to transfer and store parts of your personal data with 3rd parties in non-EEA countries. We only send your personal information outside of the non-EEA countries with your permission, on your instructions or to comply with a legal duty.
Where this is the case we have ensured that we have the necessary agreements in place with those 3rd parties to the level expected by European data protection law.
Some of the kinds of 3rd parties that receive your personal data are in the areas of:
We operate a “Secure by Design” approach to protecting your data. This involves the use of best practices such as intrusion detection systems, firewalls, access control, encryption and key rotation, and policies that ensure only those who need access to data have it.
3rd parties holding your personal data are expected to apply the same level of security and controls.
Whilst we issue notifications for key changes in your profile, if you notice anything suspicious please let us know.
If we become aware of unauthorised access to your data we will contact you promptly.
We do not and will never sell your personal data.
Your personal data are retained so long as you remain an active customer of Coconut, i.e. you have an open account with us.
In the event that you wish to close your Coconut account we don’t keep your information for longer than we need to, which is usually 7 years after the end of the relationship or upon termination of the contract, unless we are required to keep it longer (for example due to a court order or investigation by law enforcement agencies or regulators). This is so that we meet our legal obligations, e.g. the Money Laundering Regulations 2017.
After this time has elapsed, your data will be deleted from all Coconut and 3rd-party systems.
Under the General Data Protection Regulation 2018 you have enhanced rights in respect of your personal data and special category data.
To exercise any of your legal rights, you can email us at email@example.com.
For a more detailed explanation of each of these rights we would encourage interested readers to visit the Information Commissioner’s Office on GDPR.
You can use the Profile area of the app to view or update some of your personal data.
Big Data means processing and analysis of large amounts of data to identify patterns, trends and associations that can be used to make decisions.
Coconut shall only ever perform such Big Data processing on anonymised data, i.e. data that is not linked to a specific person.
Example: we might want to understand how age groups of our customers relate to the usage of Coconut features so that we can tailor our product better.
If you aren’t happy with how we’ve handled your personal information, please email us at firstname.lastname@example.org and we’ll try our best to make it right.
(For complaints relating to how our former e-money account services provider, PPS, have handled your personal information, you can contact their Data Protection Officer at email@example.com.)
If you’re still not happy, you can contact the Information Commissioner’s Office.
Exercising some of your rights, such as erasure, restriction and objection, may lead to a need for you to close your account with us.
If you want to close your account for any reason, just write to us and we will get this processed for you. Once your account is closed, you will lose access to your account. We’ll talk you through how to export your records before closing your account.
This policy may change from time to time and is effective from the date of posting to our website and app. For significant changes we will also let you know by email or through the Coconut app.