Privacy and data policy
“Atom bank”, “Atom” and “Digital Mortgages by Atom bank” are trading names of Atom bank plc. Atom bank plc is a company registered in England and Wales with company number 08632552. Atom bank plc is authorised by the Prudential Regulation Authority (PRA) and regulated by the Financial Conduct Authority and the PRA. Our Financial Services Register number is 661960.
For the purposes of the General Data Protection Regulation (‘GDPR’), Atom bank will be the ‘controller’ of the personal data you provide to us.
Please read the following information very carefully in order to understand our practices in relation to our treatment of your personal data. If you have any questions, please email us at firstname.lastname@example.org.
2. Data Privacy Principles
- All personal data will be processed lawfully, fairly and in a transparent manner.
- Personal data will only be collected for the specified purposes outlined within “How will we use the information we hold about you” and will not be further processed in a manner that is incompatible with those purposes.
- Personal data that we collect will be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed. The information we collect is outlined in the section below “What information do we collect about you”.
- We will take all reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.
- Personal data will be kept in a form that permits identification for no longer than is necessary for the purposes for which the personal data has been collected for processing, in line with the Atom Bank Data Retention Policy.
- We will hold and process personal data in a manner that ensures appropriate security. We outline this in the “how do we store personal data” section of this policy.
3. What information do we collect about you?
This policy applies to personal information collected via the app, through the website, or through one of our affiliated intermediaries (where applicable).
Sensitive Personal Data
In the course of providing products and services to you, we may collect information that may reveal your racial or ethnic origin, physical or mental health, religious beliefs or alleged commission or conviction of criminal offences. Such information is considered ‘sensitive personal data’ and we will only collect this where it is entirely necessary, or you have deliberately made it public. If you do not allow us to process any sensitive personal data, this may mean that we are unable to provide some or all of the products or services you have requested from us. You may inform us if you remove consent for us to process such personal data.
When you apply to become an Atom customer, we’ll ask you for some personal information in order to verify your identity and operate your account.
We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify your identity, in order to protect our business and customers and to comply with laws that apply to us. This processing of your personal data is also a requirement of your engagement with us. This will vary depending on the type of product you apply for, but will generally include:
Personal information such as your name, address and date of birth, passport information (or other identification information), financial information and employment information, in order to verify your identity and meet our regulatory obligations.
Contact information including your telephone number and email address.
Your biometrics in order to allow you to log-in, in other words your photo and a recording of your voice. This is stored as an algorithm.
Device information such as device type, IP address, geolocation and how you use your device.
Information relating to your tax responsibilities, so that we can comply with our obligations under the Foreign Account Tax Compliance Act (‘FATCA’) and the Common Reporting Standards.
Details of a nominated bank account where you choose to have your interest paid-away, choose to withdraw your funds after your account has matured, or pay your mortgage direct debit.
Business Information, in order to support any business lending applications and serve your account. This will include financial information directly from your bank. We will ask you to link both your personal current account and business current account via Open Banking so we can securely receive the most up-to-date transactional history. This may also include information extracted from your accountancy package. Where required, we will ask you to link your accountancy package to our platform in order to receive your latest balance sheet and profit and loss statements.
For mortgage customers, we may collect information relating to affordability to support your application and assist our lending decisions.
4. How will we use the information we hold about you?
The data we collect will be used to set up your customer record and operate your account. This will enable us to comply with our legal and regulatory requirements and look at ways we can continue to improve our products and services. We will not collect any personal data from you that we do not need.
We will use your personal data in order to verify your identity. In order to do this, we may need to share some or all of your data with third parties, which may include fraud prevention, anti-money laundering and credit reference agencies, law enforcement departments, regulators, government departments (e.g. HMRC) and the providers of our sales or servicing platforms.
The Credit Reference Agency Information Notice (‘CRAIN’) describes how the three main credit reference agencies in the UK use and share personal data. The CRAIN is available on the credit reference agencies’ websites.
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
We will use your personal data to prevent fraud and money laundering – e.g. the information provided to fraud prevention agencies may be used when checking applications for credit, credit-related or other facilities or for managing these accounts; for recovering debt; for checking insurance proposals or claims; and for checking details of job applicants or employees. Other organisations may also use your information for these purposes.
We will use your personal data to carry out credit reference agency searches, and develop credit scoring profiles, where it is appropriate to do so. For business lending applications we will extract data from your accounting platform and bank account for the purpose of processing your application and ongoing monitoring. This may involve sharing your information with third parties, however we will only do this where we have obtained your explicit consent.
We will use your personal data to communicate with you about your account and provide service-related updates and notifications. Where possible we will communicate with you via the app, however there may be times where regulation requires us to contact you in a specific way.
We may use your information for marketing purposes; however, we will only do this where you specifically ask us to do so. This might include using your data to identify products and services that may be of use to you.
We will use your biometric information for security purposes, specifically in order for you to log-in to the app, and in order to step-up security to access certain features.
We will use your information to comply with the law, in order to protect ourselves, our customers, or others. Where required we will share information to respond to a court order or other lawful request from a public authority.
We will use your data to complete troubleshooting, data analysis, testing, research, and for statistical and survey purposes. Please note that any calls, emails and social media contact with Atom may also be used for training and monitoring purposes.
5. How do we store personal data?
The measures we use to keep your personal data safe and secure include: data encryption and digital signatures to ensure the continuing integrity of your data; firewalls, intrusion detection systems, 24/7 physical protection of facilities where your data is stored; background checks for personnel that access physical facilities; and strong security procedures across all service operations.
We encrypt the transmission and storage of your personal data using the highest standards of security technologies and procedures. Wherever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
When you register your biometric data, and every time you use it to log in or step up, it is encrypted and remains accessible to us for a limited period of time. It is then transmitted internally and stored as an algorithm so it cannot be accessed as an identifiable piece of personal data.
6. How long do we keep your personal data?
Atom will not retain your personal information for longer than is necessary for the practices described in this policy.
Regulatory requirements dictate that we should retain your personal information for seven years following the closure of your account. In certain circumstances, we may have to store this data for a longer period. Please note that fraud prevention agencies may hold your personal data for up to six years if you are considered to pose a fraud or relevant conduct risk.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or way may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details provided below.
Any personal data we use for marketing purposes will be retained until you notify us that you no longer wish to receive this information.
7. Your Rights
Once you have registered your details with us, you have certain rights which apply, depending on the stage of your application, the information you’ve shared with us and our regulatory obligations relating to it. These include your right to, under certain circumstances, object to our processing of your personal data, request that your personal data is erased or corrected, and request access to your personal data.
You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please email us at email@example.com. We will provide this information to you within 30 days, free of charge.
You have the right to request that the information we hold about you is erased, where there are no additional legal and/or regulatory requirements for us doing so.
You have the right to request that any information we hold about you be provided to another company in a commonly used and machine-readable format, otherwise known as ‘data portability’.
You have the right to ensure that your personal information is accurate and up to date, or where necessary rectified. Where you feel that your personal data is incorrect or inaccurate and should be updated, please contact firstname.lastname@example.org
You have the right to object or to restrict the processing of your information, for example for direct marketing purposes, and.
You have the right to object to any decisions based on the automated processing of your personal data, including profiling.
8. Changes to this Policy
From time to time, we will review and update this policy. We will notify you of any material changes and update an updated version on our website.
9. Contact Us
If you have any questions about the practices contained within this policy, please email email@example.com. Alternatively you may write to us at:
FAO The Data Protection Officer
The Rivergreen Centre
If you wish to raise a complaint on how we have handled your personal data, you can contact us to have the matter investigated. Our Complaint Handling Policy can be found on our website. However, the best way to get in touch is to email us at firstname.lastname@example.org or in app. You may also write to us at the above address.
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office https://www.ico.org.uk.
November 2020 revision