Last reviewed: January 2023
Please read this policy carefully to understand our practices regarding information we hold relating to you (known as ‘personal data’). Under the Data Protection Act (2018), the European Union’s General Data Protection Regulation 2016/679 (GDPR), and the California Consumer Privacy Act (CCPA), you have new rights and we have new responsibilities in ensuring that your personal data is stored and managed properly. This Privacy Notice is designed to meet the requirements of the GDPR.
Cleo (‘we’ or ‘us’ throughout this document) is a data controller of the information that you provide to us or that we collect, along with Facebook Inc. ‘Data controller’ refers to a company that collects or stores personal information, and that accordingly takes on responsibilities regarding the security of that data.
Name and address of data controllers
- Cleo AI Limited, 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT
- If you have any questions about this policy, please contact our customer operations team at firstname.lastname@example.org, 07379277245, or 1-833-313-3171 in the US. You can also contact our Data Protection Officer, Michael Hauser-Raspe, by emailing email@example.com.
- Facebook Incorporated Ireland Ltd. at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
- You can contact Facebook at the address above, or online: https://www.facebook.com/help/contact/1461223320847982
- There are clear terms on the nature of our relationship with Facebook, set out here: https://developers.facebook.com/policy
- Cleo is responsible for the stability and functionality of our chat interface in Facebook Messenger.
- If you request that your account be deleted, both Facebook and Cleo will delete all retained information on you, in line with the deletion policies outlined below.
- Neither Facebook nor Cleo will directly or indirectly transfer any data for any monetization-related service.
How and why we collect data
In the course of using Cleo, engaging with Cleo websites, or corresponding with the team at Cleo, you provide us with or we collect various pieces of personal data.
We collect and use the data outlined below to provide a contracted service to you or to further operate and develop our business.
Your personal data will not be sold, distributed, or leased to any third parties. We only share your personal data in cases in which it is necessary for us to provide our services.
We do not collect information regarding your race, ethnicity, religious or philosophical beliefs, political beliefs, sexual orientation, genetic information, or information about your health.
Other relevant policies and terms
This Privacy Notice should be read alongside:
The data we collect
We may gather or you may provide various kinds of personal information in the course of using Cleo, visiting our websites, or interacting with the team.
i) Contact details, such as but not limited to your name, email address, and phone number.
ii) Identity data to enable you to use the optional ancillary service Cleo wallet, provided by Mangopay, in line with Know Your Customer regulation. This may include but is not limited to name, postal address, email address, and phone number.
iv) Transaction data, provided through third-party provider Plaid, such as but not limited to transaction dates and amounts, and merchant types and descriptions.
v) Facebook data enabling you to chat to Cleo in Facebook Messenger, such as but not limited to name and email address.
Information we collect about you, either directly or indirectly
We collect the following personal information from you automatically when you visit our websites or use our online services:
- The Internet Protocol (IP) address used to connect your computer or access device to the internet
- Your login information
- Your geographic location
- Your browser information, and
- Your operating system.
You can read more about how we gather Cookie data in our Cookies Policy.
Information we collect or receive from other sources
We may receive the following personal information about you from third-party service providers, in accordance with your legitimate interests.
- Our third-party provider Plaid: such as but not limited to bank account number, sort code, balances, and transaction data.
- Facebook: name, unique identifier, and aggregated analytics information.
- Mangopay: payment details required for receiving, handling, and solving complaints, both regulatory and non-regulatory.
Information we share with other sources
Below is a list of the people with whom we share your personal data, the data types, and why we share it.
We require third-party providers and services to respect your privacy and the security of your personal data.
- Plaid provides transaction processing services and issue resolution services to Cleo and yourself, using your login and bank account details.
- Facebook Inc. provide you with access to Cleo via Facebook Messenger, using your contact details.
- Mangopay provide our Cleo wallet services in the UK, which entails processing contact details, financial data, and Know Your Customer data, as required.
- Dwolla provide our Cleo wallet services in the US, which entails processing contact details, financial data, and Know Your Customer data, as required.
- SynapseFi provide cash advance services, which entails processing contact details, financial data, and Know Your Customer data, as required.
- Stripe provide card payment services, which entails processing contact details, financial data, and Know Your Customer data, as required.
- i2c provides credit builder card services which entails processing contact details, financial data, and Know Your Customer data, as required.
- Intercom Inc. provide Cleo and yourself with online customer support messaging services, using your contact details.
- Twilio Inc. provide us with text message and email services, and we may share your phone number and email address with them so that we can contact you via these channels.
- Heroku/Amazon Web Services provide us with data storage facilities, for the supply of your personal, transaction, status verification, and online conversation data.
- Google Inc. provide us with email and data storage facilities (via Google Drive) for suppliers’ contact details and financial data, as well as customer contact details and transaction data where required for product testing and development.
How long do we keep information about you?
When you choose to delete Cleo, we delete all information about you from our database and our backup database within 24 hours, except that which is required for fraud detection.
The deletion policies of Facebook, Plaid, and Mangopay are linked below, and form part of the basis of our contracts with them.
Facebook’s deletion policy can be found here: https://www.facebook.com/policy.php
Plaid's deletion policy can be found here: https://plaid.com/legal/
Mangopay retains records as required for regulatory purposes. https://www.mangopay.com/en_UK/
The security of your personal information
We encrypt personal data appropriately and use proper technical and organisational measures across the business.
All of the personal data we hold is hosted on Heroku’s cloud platform, which provides us with a wide range of resilience, scaling and security features. Heroku’s cloud platform is hosted on the Amazon Web Services’ platform. Heroku is accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402, FISMA Moderate, and Sarbanes-Oxley (SOX).
All third-party interactions with the Cleo service are made through a secure socket layer (SSL), the standard security technology for establishing an encrypted link between a web server and a browser.
We have written contracts with each of those third-party processors which contain safeguards for your information.
You have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal information where we are relying on a legitimate interest (of our own or of a third-party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us on the details above. We aim to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.
Your right to lodge a complaint with the ICO
If you feel that we have not handled information relating to you properly, or if you have contacted us about how we use that information and are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner’s Office.
By phone: 0303 123 1113.
If we change the Policy and collect more information from you, we will notify you at the time we collect that information of what our policy is at that time.
We collect personal information from you (such as name, address, telephone number, email address, etc.) when you fill in registration forms, submit comments to the Site, or send emails to us. Please do not submit your personal information to us if you do not wish us to collect it.
Use of Your Information
By using this Site, you agree that we may collect, hold, process and use your information (including personal information) for the purpose of providing you with the Site services and developing our business which includes (without limitation):
- Personalising your visits to the Site to improve the services provided to you.
- Informing you about the latest changes to the Site, products, services or promotional offers that you might find interesting.
- To notify you about changes to the Service.
- Communicating (and personalising such communication) with you.
- Enabling you to share our content with others e.g. using an ‘Email a friend’ or ‘Share this’ functionality.
- Conducting market research.
- Carrying out technical and statistical analysis to measure the performance of our services and the Site.
If you cancel your user account for the Service, we will promptly and securely delete all of the Personal Information we hold about you. However, we reserve the right to retain any Anonymous Data collected up to the point of cancellation and to continue using it in accordance with this policy.
Sharing Your Information
We may share information about you with suppliers that we engage to help us provide certain services and/or functionality, e.g. online payment processing and credit bureaus. We will use reasonable endeavours to control and be responsible for the use of your information by such suppliers. Furthermore, by using the Site, you consent to the transfer of your personal information outside of the European Economic Area to the United States (which may not provide the same protection for such information as the European Economic Area provides) in the event that the processing of your information involves such a transfer.
Keeping Your Personal Information Secure
We take the security of your personal information very seriously and have appropriate physical, technical and administrative procedures in place to help protect your personal information from unauthorized access, use or disclosure as required by law in England. Once we have received your User Information, we will use strict procedures and security features to try to prevent unauthorised access including:
- by encrypting any Personal Information which we transfer to Plaid; and
- having in place an agreement with Plaid which requires it to have in place appropriate measures to safeguard the security of the Personal Information we send to them.
Full information on Plaid's security policy can be found at https://plaid.com/legal/
Accessing Your Personal Information
If you wish to review or receive copies of the personal information we hold about you, change your marketing preferences or have any other privacy queries, please write to us (including full details of your request) at the following email address: firstname.lastname@example.org. Any access request may be subject to a fee of £10 to meet our costs in providing you with details of the Personal Information we hold about you.
Changes To This Policy
If we change this policy, we will post the revised policy here with an updated effective date. If we make significant changes to the policy, we may also notify you by other means such as sending an email or posting a notice on our home page.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
- Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Targeting/retargeting cookies. These cookies record your visit to our website, the pages you visit and have visited, and the links that you follow when browsing the Internet. We will use this information to make our website and the advertising we show you, both during and after your visit, more relevant to your interests. We may also share this information with third parties for this purpose.
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
| Cookie type | Cookie name | Purpose |
| --- | --- | --- |
| Marketing | `_mkto_trk` | Used by Marketo to identify users who have arrived via an email marketing campaign. |
| Security | `__cfduid` | Used to identify a user if you're behind a shared IP address and apply security settings on an individual basis. |
| Security | `_cleo_session` | Used to identify a Cleo user. |
| Security | `plaid_link_persistent_id` | Used by Plaid (a service to connect to a bank account) so that users can be identified. |
| Security | `rack.session` | Used to identify a Cleo user. |
| Support | `intercom-id` | Used by Intercom (a live chat support system) to identify a user so that conversations can be retrieved. |
| Support | `intercom-lou` | Used by Intercom so that users can be identified. |
| Support | `intercom-session` | Used by Intercom so that users can be identified. |
| Support | `mp_` | Used by Intercom Mixpanel to analyse user behaviour. |
| Usage tracking | `ajs_anonymous_id` | Used by Google Analytics to identify returning users. |
| Usage tracking | `ajs_group_id` | Used by Google Analytics to track users through Cleo. |
| Usage tracking | `_ga` | Used by Google Analytics to identify users. |
| Usage tracking | `_gat` | Used by Google Analytics to throttle the request rate. |
| Usage tracking | `_gid` | Used by Google Analytics to identify users. |
| Usage tracking | `_hjincludedInSample` | Used by Hotjar to decide whether a user is included in a testing sample. |
| Usage tracking | `_hp2_id` | Used by Heap Analytics to identify a user. |
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
Rakuten Advertising may collect personal information when you interact with our digital property, including IP addresses, digital identifiers, information about your web browsing and app usage and how you interact with our properties and ads for a variety of purposes, such as personalization of offers or advertisements, analytics about how you engage with websites or ads and other commercial purposes. For more information about the collection, use and sale of your personal data and your rights, please use the below links.
Your Rights/Opt Out: https://rakutenadvertising.com/legal-notices/services-privacy-rights-request-form/