CRIF RealTime Limited Privacy Policy


    This privacy policy aims to give you information on how we collect and process your personal data through your use of the App.

    It is important that you read this privacy policy together with any other fair processing notice or privacy policy we may provide on specific occasions when we collect or process personal data about you, so you are fully aware how and why we are using your data. This privacy policy supplements such other notices and does not replace them.

    We have appointed a data protection manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this policy, including any request to exercise any of your legal rights, please contact the data protection manager using the contact details below.

    CRIF Realtime Ltd
    Federico Ciampolini
    Email address:
    Postal address: 55 Old Broad Street, London, EC2M 1RX

    This version was last updated on []. We may change this privacy policy from time to time and any changes will be posted on this page. Please check the App regularly to keep informed of updates or changes to this privacy policy.

    It is important that the personal data we hold about you is accurate and up-to-date. Please let us know if any of your personal data changes during your relationship with us.

    The App may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third parties and are not responsible for their privacy policies. When you leave this page we recommend that you read the privacy policy of every website you visit and every plug-in or application you use.


    Personal data means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

    • Identity data including your first name, last name, username or other identifier, title;
    • Contact data including your business registered address, billing address, email address, telephone numbers;
    • Bank account data, being transaction and other account data from all of the SME’s business banking accounts which is accessible online and which is submitted to us via the App where such data may identify you directly or indirectly;
    • Additional data in respect of the SME’s business and financial position such as documents, books, reports, accounts, balance sheets, records, correspondence, papers and behavioural and payments information where such data may identify you directly or indirectly;
    • Technical data including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other details about the devices you use to access the App;
    • Usage data including information about how you use the App, products and services; and
    • Marketing and communications data including your preferences in receiving marketing material from us and our third parties, and your communication preferences.

    We also collect, use and share aggregated data such as statistical or demographic data. Aggregated data may be derived from your personal data but is not considered to be personal data in law as it does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific feature of the App. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, the combined data is personal data and we deal with it in accordance with this privacy policy.

    If we need to collect personal data in order to comply with law or under the terms of any contract we have with the SME, and you fail to provide this data when requested, we may not be able to perform the contract we have or are trying to make with the SME (e.g. to provide the SME with services). In this situation, we may need to cancel an order placed on behalf of the SME or stop providing a service to the SME, but we will notify the SME if this is the case.


    We collect data from and about you in in different ways, including by:

    • Direct interaction with you. You may give us identity, contact and/or financial data by filling in forms or by communicating with us by email or via the App. This includes data you provide when you order our products or services or create an account on behalf of the SME, request marketing information, use interactive features on the App or give us feedback.
    • Automated technologies. When you use the App, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites using our cookies. Please see below for further information.
    • Third parties and publicly available sources. We may receive personal data about you from other people and/or from public sources, as set out below:
      • technical data from:
        • analytics providers such as Google;
        • advertising networks;
        • search information providers;
      • contact, financial and transaction data from providers of technical, payment and delivery services:
      • identity and contact data from data brokers or aggregators;
      • identity, financial and transaction data from credit reference and fraud prevention agencies such as VisionNet and/or CreditSafe;
      • identity and contact data from publicly available sources such as Companies House.

    We will only use your personal data when the law allows us to do so. Our most common uses of your personal data will be:

    • in order for us to perform a contract we are about to make or have made with the SME (or to take steps at your request before entering such a contract);
    • if it is necessary to do so for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and/or
    • in order for us to comply with a legal or regulatory obligation

    We do not generally rely on your consent as a legal basis for processing your personal data except in relation to marketing. You have the right to withdraw your consent to marketing at any time by contacting us.

    The table below sets out all the ways in which we plan to use your personal data, which of the legal bases we rely on to do so and, where relevant, what the legitimate business interests are. We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

    Purpose/activity Type of data Lawful basis for processing
    To register you as a new user Identity Contact

    Performing a contract with the SME

    To process & deliver the SME’s order for our services, including:

    (a) Collecting and processing data relevant to the SME’s business and financial position

    (b) Managing payment, fees & charges

    (c) Collecting and recover money due to us

    Identity Contact Financial Transaction Marketing & communications

    Performing a contract with the SME

    Our legitimate business interests (recovering debts due to us)

    To manage our relationship with the SME, including:

    (a) Notifying you of changes in our terms

    (b) Asking you to leave a review or take part in a survey

    Identity Contact Profile Marketing & communications

    Performing a contract with the SME

    Complying with our legal obligations

    Our legitimate business interests (keeping our records up-to-date, studying how customers use our products/services)

    To administer & protect our business and the App (including troubleshooting, data analysis, testing, system maintenance, support, reporting & hosting data)

    Identity Contact Technical

    Our legitimate business interests (running our business, providing admin & IT services, network security, preventing fraud, for a business reorganisation or group restructuring)
    Complying with our legal obligations

    To deliver relevant App content & advertisements to you

    To understand &/or measure the effectiveness of the advertising we serve to you

    Identity Contact Profile Usage Marketing & Communications Technical

    In relation to delivering marketing to you – consent. Otherwise - our legitimate interests (studying how customers user our products/services, developing our products/services, growing our business, & informing our marketing strategy)

    To use data analytics to improve our App, products/services, marketing, customer relationships & experiences

    Technical Usage

    Our legitimate interests (defining customer types for our products/services, keeping our App up-dated & relevant, developing our business & informing our marketing strategy

    To suggest products/services which may be of interest to you and/or the SME

    Identity Contact Profile Technical Usage

    Our legitimate interests (developing our products/services, growing our business)

    [To deliver services to the SME under the App, such as providing you with a Credit Passport]


    Performing a contract with the SME

  5. Cookies

    We use the following categories of cookies:

    • Strictly necessary cookies: These are cookies that are required for the operation of our App. They include, for example, cookies that enable you to load webpages.
    • Analytical/performance cookies: These cookies allow us to recognise and count the number of visitors to our website and to see how visitors move around our Platform. This helps us to improve the way our App works, for example by ensuring that visitors can easily find what they are looking for.
    • [Functionality cookies. These are used to recognise you when you return to our App. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).]
    • [Targeting cookies
    • . These cookies record your visit to our App, the pages you have visited and the links you have followed. We will use this information to make our App and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.]

    More information about the individual cookies we use and the purposes for which we use them is set out in the table below:

    Cookie name Category Description Expiry Period
    [insert name of individual cookie]. Strictly necessary cookies [insert description and purpose of individual cookie] [insert expiry period of individual cookie (eg 1 year)]
    [insert name of individual cookie]. Analytical/performance cookies [insert description and purpose of individual cookie] [insert expiry period of individual cookie (eg 1 year)]
    [insert name of individual cookie]. Functionality cookies [insert description and purpose of individual cookie] [insert expiry period of individual cookie (eg 1 year)]
    [insert name of individual cookie]. Targeting cookies [insert description and purpose of individual cookie] [insert expiry period of individual cookie (eg 1 year)]

    Third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control.

    You can set your browser to refuse some or all browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, some parts of our App may become inaccessible or may not function properly.


    When and where your personal data may be transferred outside the UK/EU

    Some of the third parties with whom we work may be based outside both the United Kingdom and the European Union so their processing of your personal data will involve a transfer of this data outside both the United Kingdom and the European Union. The countries to which your personal data may be transferred are the United States, in respect of transfers to our shareholder company Moody’s Analytics.

    If we use cloud-based platforms to store personal data, this may involve the use of geographically-distributed data centres including data centres outside both the United Kingdom and the European Union.

    How we protection your personal data outside the UK/EU

    We will not transfer your personal data to any country (other than the United Kingdom) which is outside the European Union, except:

    • to a country which has been found by the European Commission to provide an adequate level of protection for personal data;
    • to an entity in the United States which is part of the EU-US Privacy Shield which requires it to provide similar protection to personal data shared between the European Union and the United States. For further information see:;
    • where we have ensured your personal data benefits from a similar degree of protection by using clauses approved by the European Commission which give personal data the same protection it has in the European Union. For further information see: ;
    • where the transfer is necessary to perform a contract between you and us (or to take steps at your request before entering such a contract) or to conclude or perform a contract in your interest, or for important reasons of public interest or to establish, exercise or defend legal claims, or to protect your or anyone-else’s vital interests where you cannot give consent; or
    • with your explicit consent to the transfer, after we have notified you of the possible risks of such transfer.

    Please contact us if you want further information on the specific mechanism we use when transferring your personal data out of the United Kingdom and the European Union.


    We have put in place appropriate security measures to protect your personal data from being accidentally or unlawfully destroyed, lost or altered or disclosed or accessed in an unauthorised way. For example, we limit access to this information to authorised employees and contractors who need to know that information in order to operate, develop or improve our App. Please be aware that although we endeavour to provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches.

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any relevant regulator of a breach if we are legally required to do so.


    We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of complying with any legal, accounting and/or reporting obligations. Details of retention periods for different types of data and processing purposes are set out in our data retention policy – please contact us if you would like a copy of this.


    As a result of us collecting and processing your personal data, you may have the following legal rights:

    • to access personal data held about you;
    • to request us to make any changes to your personal data if it is inaccurate or incomplete;
    • to request your personal data is erased where we do not have a compelling reason to continue to process such data in certain circumstances;
    • to receive your personal data provided to us as a controller in a structured, commonly used and machine-readable format where our processing of the data is carried out by automated means and is based on: (i) your consent; (ii) our necessity for performance of a contract to which you are a party; or (iii) steps taken at your request prior to entering into a contract with us;
    • to object to, or restrict, our processing of your personal data in certain circumstances;
    • if we use your personal data for direct marketing, you can ask us to stop and we will comply with your request;
    • if we use your personal data on the basis of having a legitimate interest, you can object to our use of it for those purposes, giving an explanation of your particular situation, and we will consider your objection;
    • to object to, and not be subject to a decision which is based solely on, automated processing (including profiling), which produces legal effects or could significantly affect you; and
    • to lodge a complaint with a data protection supervisory body. The supervisory authority in the UK is the Information Commissioner who may be contacted at, although we would like the prior opportunity to respond to any complaint.

    To exercise any of your rights set out above, including to withdraw your consent where we have stated we are processing your personal data based on your consent, please contact us using the contact details above.