Last reviewed: June 2023
Please read this policy carefully to understand our practices regarding information we hold relating to you (known as ‘personal data’). Under the Data Protection Act (2018), the European Union’s General Data Protection Regulation 2016/679 (GDPR), and the California Consumer Privacy Act (CCPA), you have new rights and we have new responsibilities in ensuring that your personal data is stored and managed properly. This Privacy Notice is designed to meet the requirements of the GDPR.
Cleo (‘we’ or ‘us’ throughout this document) is a data controller of the information that you provide to us or that we collect, along with Facebook Inc. ‘Data controller’ refers to a company that collects or stores personal information, and that accordingly takes on responsibilities regarding the security of that data.
Please note that our chat functionality is a chatbot, not a human; however you may be routed to a human depending on the reason for your contact. Your conversation may be monitored and recorded for training or other purposes, such as to resolve a complaint or to provide services to you.
NAME AND ADDRESS OF DATA CONTROLLERS
- Cleo AI Limited, 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT
- If you have any questions about this policy, please contact our customer operations team at email@example.com, or 07379277245. If you are U.S. based you can contact our team at +833-313-3171.
- Facebook Incorporated Ireland Ltd. at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland
- You can contact Facebook at the address above, or online: https://www.facebook.com/help/contact/1461223320847982
- There are clear terms on the nature of our relationship with Facebook, set out here: https://developers.facebook.com/policy
- Cleo is responsible for the stability and functionality of our chat interface in Facebook Messenger.
- If you request that your account be deleted, both Facebook and Cleo will delete all retained information on you, in line with the deletion policies outlined below.
- Neither Facebook nor Cleo will directly or indirectly transfer any data for any monetization-related service.
HOW AND WHY WE COLLECT DATA
In the course of using Cleo, engaging with Cleo websites, or corresponding with the team at Cleo, you provide us with or we collect various pieces of personal data.
We collect and use the data outlined below to provide a contracted service to you or to further operate and develop our business.
Your personal data will not be sold, distributed, or leased to any third parties. We only share your personal data in cases in which it is necessary for us to provide our services.
We do not collect information regarding your race, ethnicity, religious or philosophical beliefs, political beliefs, sexual orientation, genetic information, or information about your health.
OTHER RELEVANT POLICIES AND TERMS
This Privacy Notice should be read alongside:
THE DATA WE COLLECT
We may gather or you may provide various kinds of personal information in the course of using Cleo, visiting our websites, or interacting with the team.
i) Contact details, such as but not limited to your name, email address, and phone number.
ii) Identity data to enable you to use the optional ancillary service Cleo wallet, provided by Mangopay, in line with Know Your Customer regulation. This may include but is not limited to name, postal address, email address, and phone number.
iv) Transaction data, provided through third-party provider Plaid, such as but not limited to transaction dates and amounts, and merchant types and descriptions.
v) Facebook data enabling you to chat to Cleo in Facebook Messenger, such as but not limited to name and email address.
INFORMATION WE COLLECT ABOUT YOU, EITHER DIRECTLY OR INDIRECTLY
We collect the following personal information from you automatically when you visit our websites or use our online services:
- The Internet Protocol (IP) address used to connect your computer or access device to the internet
- Your login information
- Your geographic location
- Your browser information, and
- Your operating system.
You can read more about how we gather Cookie data in our Cookies Policy.
INFORMATION WE COLLECT OR RECEIVE FROM OTHER SOURCES
We may receive the following personal information about you from third-party service providers, in accordance with your legitimate interests.
- Our third-party provider Plaid: such as but not limited to bank account number, sort code, balances, and transaction data.
- Facebook: name, unique identifier, and aggregated analytics information.
- Mangopay: payment details required for receiving, handling, and solving complaints, both regulatory and non-regulatory.
INFORMATION WE SHARE WITH OTHER SOURCES
Below is a list of the people with whom we share your personal data, the data types, and why we share it.
We require third-party providers and services to respect your privacy and the security of your personal data.
- Plaid provides transaction processing services and issue resolution services to Cleo and yourself, using your login and bank account details.
- Facebook Inc. provide you with access to Cleo via Facebook Messenger, using your contact details.
- Mangopay provide our Cleo wallet services in the UK, which entails processing contact details, financial data, and Know Your Customer data, as required.
- Dwolla provides our Cleo wallet services in the US, which entails processing contact details, financial data, and Know Your Customer data, as required.
- SynapseFi provides cash advance services, which entails processing contact details, financial data, and Know Your Customer data, as required.
- Stripe provides card and general payment services, which entails processing contact details, financial data, and Know Your Customer data, as required.
- I2c provides credit builder card services, which entails processing contact details, financial data, and Know Your Customer data, as required.
- Intercom Inc. provide Cleo and yourself with online customer support messaging services, using your contact details.
- Twilio Inc provide us with text message and email services, and we may share your phone number and email address with them so that we can contact you via these channels.
- Heroku/Amazon Web Services provide us with data storage facilities, for the supply of your personal, transaction, status verification, and online conversation data.
- Google Inc. provide us with email and data storage facilities (via Google Drive) for suppliers’ contact details and financial data, as well as customer contact details and transaction data where required for product testing and development.
- Tabapay provides our cash advance services, which entails processing contact details, financial data, and Know Your Customer data, as required.
- Socure provides our Know Your Customer and fraud services, which entails processing contact details and Know Your Customer data.
- WebBank is the issuer of our Credit Builder Card, which entails processing contact details, financial data, and Know Your Customer data, as required.
- Equifax, TransUnion and Experian are our credit scoring providers, which entails processing contact details, financial data, and Know Your Customer data, as required.
- Idemia provides us with plastics for our Credit Builder Card, which entails processing contact details and Know Your Customer data, as required.
- Open AI: Open AI, also known as Chat GPT, provides us with certain chat and NLP (Natural Language Processing) functionality.
HOW LONG DO WE KEEP INFORMATION ABOUT YOU?
When you choose to delete Cleo, we delete all information about you from our database and our backup database within 24 hours, except that which is required for fraud detection or any other legitimate business purpose.
The deletion policies of Facebook, Plaid, and Mangopay are linked below, and form part of the basis of our contracts with them.
Facebook’s deletion policy can be found here: https://www.facebook.com/policy.php
Mangopay retains records as required for regulatory purposes. https://www.mangopay.com/en_UK/
Plaid’s deletion policy can be found here: https://plaid.com/legal/
THE SECURITY OF YOUR PERSONAL INFORMATION
We encrypt personal data appropriately and use proper technical and organisational measures across the business.
All of the personal data we hold is hosted on Heroku’s cloud platform and AWS directly, which provides us with a wide range of resilience, scaling and security features. Heroku’s cloud platform is hosted on the Amazon Web Services’ platform. Heroku is accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402, FISMA Moderate, and Sarbanes-Oxley (SOX).
All third-party interactions with the Cleo service are made through a secure socket layer (SSL), the standard security technology for establishing an encrypted link between a web server and a browser.
We have written contracts with each of those third-party processors which contain safeguards for your information.
You have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal information where we are relying on a legitimate interest (of our own or of a third-party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us on the details above. We aim to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.
YOUR RIGHT TO LODGE A COMPLAINT WITH THE ICO
If you feel that we have not handled information relating to you properly, or if you have contacted us about how we use that information and are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner’s Office.
By phone: 0303 123 1113.
If we change the Policy and collect more information from you, we will notify you at the time we collect that information of what our policy is at that time.
Your trust is a top priority to us and as such we take privacy extremely seriously. This policy applies to the entire Cleo AI ecosystem. If you do not accept this policy, you may not use the service.
We collect personal information from you (such as name, address, telephone number, email address etc) when you fill in registration forms, submit comments to the Site, or send emails to us. Please do not submit your personal information to us if you do not wish us to collect it.
USE OF YOUR INFORMATION
By using this Site, you agree that we may collect, hold, process and use your information (including personal information) for the purpose of providing you with the Site services, developing our business and enabling us to share financial products with you, which includes (without limitation):
- Personalising your visits to the Site to improve the services provided to you.
- Informing you about the latest changes to the Site, products, services or promotional offers that you might find interesting.
- To notify you about changes to the Service.
- Communicating (and personalising such communication) with you and personalising your experience within the application.
- For identity verification and fraud mitigation.
- Enabling you to share our content with others e.g. using an ‘Email a friend’ or ‘Share this’ functionality.
- Conducting market research.
- Carrying out technical and statistical analysis to measure the performance of our services and the Site.
- Improving Cleo’s chat functionality
If you cancel your user account for the Service, we will promptly and securely delete all of the Personal Information we hold about you. However, we reserve the right to retain any Anonymous Data collected up to the point of cancellation and to continue using it in accordance with this policy.
SHARING YOUR INFORMATION
We may share information about you with suppliers that we engage to help us provide certain services and/or functionality e.g. online payment processing and credit bureaus. We will use reasonable endeavours to control and be responsible for the use of your information by such suppliers.
Furthermore, by using the Site, you consent to the transfer of your personal information outside of the European Economic Area to the United States (which may not provide the same protection for such information as the European Economic Area provides) in the event that the processing of your information involves such a transfer.
KEEPING YOUR PERSONAL INFORMATION SECURE
We take the security of your personal information very seriously and have appropriate physical, technical and administrative procedures in place to help protect your personal information from unauthorized access, use or disclosure as required by law in England. Once we have received your User Information, we will use strict procedures and security features to try to prevent unauthorised access including:
- by encrypting any Personal Information which we transfer to Plaid; and
- having in place an agreement with Plaid which requires it to have in place appropriate measures to safeguard the security of the Personal Information we send to them.
Full information on Plaid’s security policy can be found at https://plaid.com/legal
ACCESSING YOUR PERSONAL INFORMATION
If you wish to review or receive copies of the personal information we hold about you, change your marketing preferences, have any other privacy queries or wish to take advantage of your privacy rights, please write to us (including full details of your request) at the following email address: firstname.lastname@example.org.
CHANGES TO THIS POLICY
If we change this policy, we will post the revised policy here with an updated effective date. If we make significant changes to the policy, we may also notify you by other means such as sending an email or posting a notice on our home page.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.
- Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Targeting/retargeting cookies. These cookies record your visit to our website, the pages you visit and have visited, and the links that you follow when browsing the Internet. We will use this information to make our website and the advertising we show you, both during and after your visit, more relevant to your interests. We may also share this information with third parties for this purpose.
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
| Cookie type | Cookie name | Purpose |
| --- | --- | --- |
| Marketing | _mkto_trk | Used by Marketo to identify users who have arrived via an email marketing campaign. |
| Security | __cfduid | Used to identify a user if you're behind a shared IP address and apply security settings on an individual basis. |
| Security | _cleo_session | Used to identify a Cleo user. |
| Security | plaid_link_persistent_id | Used by Plaid (a service to connect to a bank account) so that users can be identified. |
| Security | rack.session | Used to identify a Cleo user. |
| Support | intercom-id | Used by Intercom (a live chat support system) to identify a user so that conversations can be retrieved. |
| Support | intercom-lou | Used by Intercom so that users can be identified. |
| Support | intercom-session | Used by Intercom so that users can be identified. |
| Support | mp_ | Used by Intercom Mixpanel to analyse user behaviour. |
| Usage tracking | ajs_anonymous_id | Used by Google Analytics to identify returning users. |
| Usage tracking | ajs_group_id | Used by Google Analytics to track users through Cleo. |
| Usage tracking | _ga | Used by Google Analytics to identify users. |
| Usage tracking | _gat | Used by Google Analytics to throttle the request rate. |
| Usage tracking | _gid | Used by Google Analytics to identify users. |
| Usage tracking | _hjincludedInSample | Used by Hotjar to decide whether a user is included in a testing sample. |
| Usage tracking | _hp2_id | Used by Heap Analytics to identify a user. |
- You block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
Notice to CA, CO, CT, NV, and VA Residents
This Notice (“Notice”) is intended to inform you that users, customers, and visitors (“consumers” or “you”) who reside in certain US states (California, Colorado, Connecticut, Nevada, or Virginia) may have certain rights afforded under the California Consumer Privacy Act of 2018 together with any subsequent amendments or acts including, but not limited to, the California Privacy Rights Act (the amendment “CPRA”, together, “CCPA”), Colorado Privacy Act (“CPA”), Connecticut Data Privacy Act (“CTDPA”), Virginia’s Consumer Data Protection Act (“VCDPA”), and Nevada Chapter 603A (“N603”). It is important to note that certain laws such as the Gramm-Leach-Bliley Act, Bank Secrecy Act, the CCPA and other applicable laws may allow and/or require us to keep certain forms of data for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be data that we may not allow you to review for legal, security, or other reasons.
For information regarding our collection, use, and disclosure of your Personal Information, please refer to the Cleo Privacy Notice.
1. California Consumer Privacy Rights
Under the CCPA, consumers have certain rights regarding their Personal Information, as described below.
- Right of Access: You have the right to request, twice in a 12-month period, that we disclose to you the following information about you, limited to the preceding twelve (12) months:
- The categories of Personal Information that we collected about you;
- The categories of sources from which the Personal Information is collected;
- The business or commercial purpose for collecting or selling Personal Information;
- The categories of third parties with whom we share Personal Information;
- The specific pieces of Personal Information that we have collected about you;
- The categories of Personal Information that we disclosed about you for a business purpose or sold to third-parties; and
- For each category of Personal Information identified, the categories of third parties to whom the information was disclosed or sold.
- Right of Deletion: You have the right to request that we delete any Personal Information about you which we have collected from you, subject to exceptions within the law.
- Right to Opt-Out: You have the right to opt-out of the disclosure of Personal Information about you for monetary or other valuable consideration.
- Right to Opt-In: You must be over 18 to use our services. Therefore, we do not have actual knowledge that we collect, share, or sell the Personal Information of minors under the age of 16.
- Right to Limit Use and Disclosure of Sensitive Personal Information: You may request specific limitations on further sharing, use, or disclosure of your Sensitive Personal Information that is collected or processed for uses outside of those legally allowed by statute. However, we do not collect or process Sensitive Personal Information for this purpose.
- Right to Correction: You have the right to request that we maintain accurate Personal Information about you and correct any Personal Information about you which we have collected from you, subject to exceptions within the law.
2. Virginia Resident Privacy Rights
“Personal Information,” for purposes of this section regarding the rights of Virginia residents, does not include de-identified information or publicly available information.
Virginia provides residents with specific rights regarding Personal Information, including:
- To confirm whether or not we are processing your Personal Information and to access such Personal Information.
- To correct inaccuracies in your Personal Information which we have collected, taking into account the nature of the Personal Information and the purposes of processing the Personal Information.
- To request deletion of Personal Information which we have collected, subject to legal exemptions.
- To obtain a copy of your Personal Information.
- Virginia residents also have the right to opt out of the processing of Personal Information for purposes of targeted advertising, the sale of Personal Information, or profiling in furtherance of decisions that produce legal or similarly significant effects.
3. Nevada Resident Privacy Rights
- You have the right to request that we not sell the Personal Information we currently have about you or that we might collect about you in the future.
- If you use the Services, you may review and request changes to any of your personal information that is collected.
4. Colorado Resident Privacy Rights
This section is applicable to residents of Colorado beginning July 1, 2023. “Personal Information” for purposes of this section regarding the rights of Colorado residents, means information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified information or publicly available information.
Under CPA, Colorado provides residents with specific rights regarding their Personal Information, including:
- Right of Access: You have the right to confirm whether or not we are processing your Personal Information and to access such information.
- Right to Correction: You have the right to correct inaccuracies in your Personal Information which we have collected, taking into account the nature of the Personal Information and the purposes of processing the Personal Information.
- Right to Deletion: You have the right to request deletion of Personal Information concerning you, subject to legal exemptions.
- Right to Data Portability: You have the right to obtain a copy of your Personal Information in a portable and technically feasible, readily usable format. You may not exercise this right more than two times per calendar year.
- Right to Opt Out: You have the right to opt out of the processing of Personal Information for purposes of (1) targeted advertising; (2) the sale of Personal Information; or (3) profiling in furtherance of decisions that produce legal or similarly significant effects.
5. Connecticut Resident Privacy Rights
This section is applicable to residents of Connecticut beginning July 1, 2023. “Personal Information,” for purposes of this section regarding the rights of Connecticut residents, means information that is linked or reasonably linkable to an identified or identifiable natural person and does not include de-identified information or publicly available information.
Connecticut provides residents with specific rights regarding Personal Information, including:
- Right of Access. You have the right to confirm whether or not we are processing your Personal Information and to access such information.
- Right to Correction. You have the right to correct inaccuracies in your Personal Information which we have collected, taking into account the nature of the Personal Information and the purposes of processing the Personal Information.
- Right to Deletion. You have the right to request deletion of Personal Information provided by or obtained about you, subject to legal exemptions.
- Right to Data Portability. You have the right to obtain a copy of your Personal Information in a portable and technically feasible, readily usable format.
- Right to Opt-Out. You have the right to opt out of the processing of Personal Information for purposes of (1) targeted advertising; (2) the sale of Personal Information; or (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning you.
Please also note that if collected, we will take reasonable measures to protect the confidentiality of Social Security numbers and limit access to those with a need for such information. We prohibit the unlawful disclosure of Social Security Numbers.
- To exercise your rights under applicable laws, please refer to the “Accessing your Personal Information” Section above.
- Right to Non-Discrimination. Cleo will not discriminate against you because you exercise any of your rights, including, but not limited to:
- Denying goods or services to you;
- Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
- Providing a different level or quality of goods or services to you; or
- Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
- Identity Verification for Consumer Requests: Prior to processing your request, Cleo will require you to undergo identity verification. This is to help protect your identity and account security. We will attempt to comply with your request as soon as reasonably practicable and consistent with applicable law and will notify you if additional time is needed to verify your information.
- Authorized Agents. You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf.
- Virginia, Colorado, and Connecticut Appeal Process. If you have made a request to access, correct, or delete your Personal Information under VCDPA, CPA or CTDPA, and we have declined to take action, you may appeal our decision within 45 days of the denial.
Rakuten Advertising may collect personal information when you interact with our digital property, including IP addresses, digital identifiers, information about your web browsing and app usage and how you interact with our properties and ads for a variety of purposes, such as personalization of offers or advertisements, analytics about how you engage with websites or ads and other commercial purposes. For more information about the collection, use and sale of your personal data and your rights, please use the below links.
Your Rights/Opt Out: https://rakutenadvertising.com/legal-notices/services-privacy-rights-request-form/