Privacy Policy
Effective 1st October 2024
At PayPlan, we’re committed to protecting your privacy.
We want to make it easy for you to find out how we use your information. We’ve tried our best to explain things in a
simple and clear way and welcome your questions and comments on this policy.
We know that there’s a lot of information here, but we want you to be fully informed about your rights, and how
PayPlan uses your data.
The following data privacy notice explains the circumstances in which PayPlan will collect personal data from you,
why it is being collected, how we will use it and to whom we might disclose it if necessary. This includes our
online systems, for example PlanFinder, which helps us gather information about your circumstances and income and
expenditure, which is needed to be able to recommend a debt solution.
This privacy policy covers the following companies:
Totemic Ltd t/a PayPlan
Company Number: 2789854
Registered Office: Kempton House, Kempton Way, Dysart Road, Grantham, NG31 7LE
Authorised and Regulated by the Financial Conduct Authority
Financial Conduct Authority Number: 681263
PayPlan Partnership Limited
Register Number: 07199691
Registered Office: as above
PayPlan Bespoke Solutions Limited
Company Number: 07079646
Registered Office: as above
PayPlan Scotland Limited
Company Number: SC400113
Registered Office: Edinburgh Quay, 133 Fountainbridge, Edinburgh, EH3 9BA
The Data Controller
PayPlan is committed to complying with the UK’s Data Protection Act 2018 (UK GDPR) for the protection of personal
data, as well as the principles of data security in the configuration of our services.
As a “Data Controller”, PayPlan are responsible for deciding how we store and use personal information about you. We
are required to inform you of the information contained in this privacy policy.
At times PayPlan acts as a “Data Processor”. When we are a “Data Processor” we are processing personal information
about you on behalf of another Data Controller. We only do this where the Data Controller has explicit consent to
share your information with us for a specified purpose(s).
If you have any questions about this privacy notice or how we use your personal data, please contact:
Data Protection Officer – Lee-Ann Taylor
Totemic Limited t/a PayPlan
Kempton House, Kempton Way, Dysart Road
Grantham
Lincolnshire, NG31 7LE
Phone: 01476 851007
Email: dpo@payplan.com
What data is being collected and processed?
In order to enter into an agreement with PayPlan, we will collect, store and use elements of your personal data. The
processing of this personal data by PayPlan is necessary in order to administer your account and to provide the
products and services you have requested from us.
When you approach PayPlan, we may recommend possible solutions through other providers (either with the PayPlan
companies listed above, or through an external source). To help advise you on a debt solution, PayPlan will
usually need you to disclose the following:
Types of Data Collected
| Type of Data | Examples | How it is Obtained |
|---|---|---|
| Contact | Full Name, Address, Date of Birth, Contact Telephone Numbers, E-mail Address | From you – over the phone/email in conversation with our agents as well as our online systems |
| Personal | Previous names, previous address(es), gender, marital status, property details, etc. | From you – over the phone/email in conversation with our agents as well as our online systems |
| Budget | Your income and expenditure details, existing credit arrangements, etc. | From you – over the phone/email in conversation with our agents as well as our online systems |
| ID & Credit Checks | Full Name, Date of Birth, Address history | From you – over the phone/email in conversation with our agents as well as our online systems |
| Medical | Health-related information | From you – over the phone/email in conversation with our agents as well as our online systems |
| Documents | Passport, driver’s license, utility bills, credit arrangements | Provided by you when you take up a recommended solution |
| Behavioural | Device information (e.g., IP address) | From your use of our website/online systems |
| Correspondence | Records of communications, including emails, live chat, phone calls | From you and generated by us during service provision |
What other information do you collect about me?
During the process of setting up and administering some of our debt solutions, we may receive information from
creditor(s) and debt recovery agencies about you and your debts that enable us to better manage your debt solution.
What do you use my personal data for?
| What we use it for | Lawful reason for processing |
|---|---|
| To initially contact you to provide you with information on the products and services available from | Legitimate Interest – the provision of this information will generally be due to a |
| To provide you with advice and recommendations on the products and services available from us | Legitimate Interest – the provision of advice and recommendation for a debt If you don’t wish to know about our services that don’t relate to debt advice or management of your Explicit Consent – we will ask you to give explicit consent to process data relating |
| To set up and administer a Debt Management Plan or Debt Arrangement Scheme | Legitimate Interest – the set up and ongoing management of a Debt Management |
| Setting up and administering a Debt Relief Order, an Individual Voluntary Arrangement or a Trust Deed | Legal Obligations – these debt solutions form a legally-binding agreement and we are |
| To make and manage your payments | Legitimate Interests – where you make payments to us as part of a debt solution, we |
| To verify your identity | Consent – we will seek consent to check that it is you we are dealing with. |
| To contact you in connection with any enquiries that you raise | Legitimate Interests – responding to questions and comments raised when you contact |
| To contact you in connection to the service we are providing to you | Legitimate Interests – to check if you require additional support with any requests Consent – We will seek consent to contact you in the event we need to provide you |
| Record Keeping | Legitimate Interest – We need to retain information to comply with regulatory rules |
| Monitoring and recording of telephone calls, email communications and other digital communication | Legitimate interests – to monitor and improve the quality of the products and Legal Obligation – for Individual Voluntary Arrangements and Trust Deeds we have a |
| Financial Crime Matters | Legal Obligation – we are required by law to detect, investigate, report and seek to |
| Marketing | Consent – We will ask you for your consent to contact you about services we offer |
| Research and analysis | Legitimate Interest – to enable PayPlan to better understand the issues faced by its |
| Improving our products and services | Legitimate Interest – to enable PayPlan to better understand your situation and |
If you fail to provide personal information
If you fail to provide certain information when requested, we may not be able to provide our services. For example,
debt management plans may need to be cancelled or revoked and applications for debt relief orders or individual
voluntary arrangements may be delayed or terminated.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider
that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use
your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which
allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the
above rules, where this is required or permitted by law.
Do I have the right to withdraw consent?
The majority of our processing of your personal data is not based on consent; however, where we do rely on your
consent to process personal data, you have the right to withdraw this at any time. You can do this via phone, email
or post.
How long will you keep my data for?
We will only retain your personal information for as long as necessary.
If you did not enter into a solution with us or did not complete an Income & Expenditure review then we will
delete your data after 12 months.
If you proceed with setting up a debt solution, we will normally keep your core data for a period of six years from
the end of your debt solution.
We may however need to retain some information for a longer period where we need to comply with regulatory, legal,
accountancy or reporting requirements. There may be some information however that we do not need to retain for this
period of time, and we may destroy, delete or anonymise it more promptly.
If you would like a copy of our data retention policy, please email dpo@payplan.com.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of
the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the
purposes for which we process your personal data and whether we can achieve those purposes through other means, and
the applicable legal requirements.
Protecting your privacy
In order to protect the personal data collected from you by PayPlan against accidental or deliberate manipulation,
loss, destruction or the access of unauthorised persons, technical and organisational security measures are
constantly improved as part of our technological development. In addition, our employees, subcontractors and other
support staff are obligated to observe confidentiality and data privacy.
Wherever possible, we have tried to create a secure and reliable website for our users. However, you recognise that
your use of the Internet and our website is entirely at your own risk and we have no responsibility or liability for
the security of personal information transmitted via the Internet.
All passwords and usernames allocated to you must be kept secret and must not be disclosed to anyone without our
prior written authorisation. You must not use any false identity in email or other network communications and you
must not attempt or participate in the unauthorised entry or viewing of another user’s account or into another
system.
You must not use the services and/or network systems or any part thereof for fraudulent activities, or to breach
another organisation’s security (cross-network hacking). This is an illegal act and prosecution under criminal law
may result. You must not use any computers, computer equipment, network resources or any services provided by us for
any illegal purpose, or for accessing, receiving or transmitting any material deemed illegal, indecent, offensive or
otherwise unacceptable under UK law.
We will monitor network traffic from time to time for the purposes of backup and problem solving and in order to
ensure that you are not misusing any of the services provided to you.
Breaches
If at any time we become aware that your data has been compromised, or that a breach of our systems and controls has
occurred, which has an impact on the security of your data, we will notify the Information Commissioner’s Office,
and you, without undue delay.
Is any of my data transferred outside the EEA?
We do not routinely transfer personal information we collect outside of the European Economic Area (EEA). However, in
the event that we did, to ensure that your personal information does receive adequate protection, we will put in
place protective measures to ensure that your personal information is treated by those third parties in a way that
is consistent with and which respects the UK laws on data protection.
Appropriate specific protective measures include, for example, model clauses in data sharing contracts or via the UK
Extension to the EU-US Data Privacy Framework and ongoing security assessments. If you require further information
about these measures you can request it from dpo@payplan.com.
Credit reference agencies
To be able to offer you a debt solution we need to know who you owe money to.
To help us capture this information correctly and quickly, we ask your permission to use a credit reference agency to
source this information. This information is provided by Experian. This is an optional service.
Completing a credit reference check with PayPlan will not affect your credit rating and it is known as a soft search
which means that you’ll see the search if you check your file, but your creditors won’t.
We will also seek to perform an electronic identity check, again with your explicit consent to do so. This
information/service is also provided by Experian.
Information held about you by the credit reference agency may be linked to records relating to other people with whom
you have a financial association.
If you are a joint applicant or if you have told us of some other financial association with another person, you have
a legal right to know the details of credit reference and fraud prevention agencies we use and to whom we pass
information about you. To obtain this information, please contact our Data Protection Officer.
Sharing of data with other data controllers
At PayPlan we take your privacy seriously and the information we hold about you is confidential. We have legitimate
interest, and with some solutions a legal obligation, to share your data with certain third parties in order to
deliver the services to assist you. This includes, where applicable to your advice/solution:
- Where we need to obtain professional advice (e.g. legal advice)
- Where we or others need to investigate or prevent crime (e.g. to fraud prevention agencies)
- Where the law permits or requires it
- Where regulatory or governmental body requests or requires it, including arm’s length bodies of these organisations we are contracted with or
- Where there is a duty to the public to reveal the information
- In order to meet the audit requirements of some or all of your creditors
- In order to allow independent auditors who are under contract to us or have signed a Non-Disclosure Agreement, to review our processes and controls
- To third parties under contract with us who provide services to you on our behalf such as payment processing and the sending out of documentation
- To notify creditors and their partners of the status of your progress through our advice service.
In order to provide you with advice and recommendations on a debt solution as well as administer your debt solution
should you choose us to manage it, we may need to share some of your personal information with other data
controllers. This is necessary for the purposes of delivering specific services to you. Other data controllers which
we may share this information with may include:
- credit reference agencies
- other debt solution providers
- your creditors or their agents
- Specialist PPI Claims Management Companies
- The Insolvency Service and other Government Agencies
- Accountant in Bankruptcy
- Insurers and other financial institutions
- Valuation organisations
Should we be required to share your information with 3rd parties that do not fall into the above cases, we will
obtain your explicit consent beforehand in order to do so.
How secure is my information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect your personal
information in line with our policies. We do not allow our third-party service providers to use your personal data
for their own purposes. We only permit them to process your personal data for specified purposes and in accordance
with our instructions. A data sharing agreement that sets out how we expect third parties to handle any data we
share with them is required to be in place before we share any data. Ongoing checks are carried out on these
arrangements at regular intervals.
Right to be Forgotten
Under the GDPR, you have the right to ‘block’ or request the deletion or removal of personal data to prevent further
processing. This right to erasure is also known as ‘the right to be forgotten’. Specific circumstances in which you
can request the deletion or removal of personal data include:
- where the personal data is no longer necessary for the purposes for which it is collected or otherwise processed
- where you withdraw consent
- when you object to the processing and there is no overriding legitimate interest for continuing the processing
- where the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
- where the personal data has to be erased in order to comply with a legal obligation
In case a deletion is not possible due to legal, statutory or contractual retention periods, or if it requires
disproportionate efforts or prejudices your legitimate interests, the data will be blocked instead of deleted.
Subject Access Requests
You have the right to request access to a copy of the personal information that we hold about you. This is also known
as a ‘Subject Access Request’. This information is provided to you free of charge; however, we can refuse to respond
or charge a ‘reasonable fee’ when a request is manifestly unfounded, excessive, or repetitive.
If you would like a copy of the information we hold on you, or believe that we are holding information about you
which is incorrect or incomplete, please write to:
Totemic Limited t/a PayPlan
Kempton House, Kempton Way, Dysart Road
Grantham
Lincolnshire, NG31 7LE
Email: dpo@payplan.com
We will respond to your request without delay and at the latest, within one month of receipt of your request.
Rectifying or updating personal data
If you believe the personal data we hold about you is inaccurate or incomplete, you have the right to rectification.
You can let us know about any changes to your personal data. Where possible, we will also inform any third parties
to whom we have disclosed the personal data in question so they can rectify their records.
If you have a PayPlan Plus account, you may be able to amend certain information through your online portal.
We will typically respond to your request within one month, although this can be extended by two months if your
request for rectification is complex.
Right to complain
If you have a complaint about any aspect of data protection or if you feel your privacy has been breached by us, we
would like to hear from you. To help us investigate and resolve your concerns as quickly as possible, please
contact:
Data Protection Officer – Lee-Ann Taylor
Totemic Limited t/a PayPlan
Kempton House, Kempton Way, Dysart Road
Grantham
Lincolnshire, NG31 7LE
Phone: 01476 851007
Email: dpo@payplan.com
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Your rights in full
The UK Data Protection Act 2018 provides rights to an individual with regard to their data. While these rights have
been included in this privacy policy, for further information on them visit the Information Commissioner’s Office:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Changes to the Privacy Policy
Due to the further development of our website, government regulations or the implementation of new technologies,
this policy will be reviewed, and may change, from time to time. PayPlan reserves the right to change this data
protection information at any time with effect for the future.
The revised policy will be posted to this page so that you are always aware of the information we collect, how we use
it and under what circumstances we disclose it. We therefore recommend you read the current data protection
information again from time to time.