Now available on iOS. Download today to get started.
How we use, and protect, personal information
Privacy and trust are everything. So, we’re committed to keeping your personal information safe and confidential. Online and offline.
Version 1.1. This Policy was last updated on 3 May 2019.
1. Who we are
This Policy applies to the Asto mobile app, Asto website and any other method or device through which you get our services. For simplicity, we’ll call these the Asto App from now on. Sometimes the Asto App will link to services that have their own privacy practices, so you should check the privacy policies/notices of other service providers too.
We’ve tried to make this Policy as short and clear as possible – but if there’s anything that’s not clear enough, or you want to know more – please get in touch with us at: firstname.lastname@example.org.
This Policy will be updated from time to time. If we make changes we think are important, we’ll let you know through the app, the website, by email or SMS.
2. Other people's personal information
If you give us someone else’s personal information, you must tell them what you’ve shared with us and get them to read this Policy. For example, you might share copies of fellow directors’ passports, so we can complete the background checks we have to do for new customers, such as for compliance and anti-money laundering purposes (AML).
If you share third party personal information with us when you use our invoice financing product, we will use the information you provide to us to perform our obligations under the Invoice Finance Terms and Conditions.
3. How we use your personal information
The Asto App is only as good as the information that goes into it. To provide you with our services, we need to collect your personal information, store it, transfer it, and share it with trusted partners.
We only use your personal information to provide our services to you, comply with our legal or contractual obligations, where you have provided consent (which you can withdraw at any time) or if we believe it is in our legitimate interest to do so and your rights and freedoms are not negatively impacted.
We want to be clear about how we use your personal information, so you can make an informed choice about whether the Asto App is right for you.
4. Creating an account and registering on the Asto app
When you create your account, we ask for your first and last name, mobile number and email address. We use these to set up and run your Asto App account, give you technical and customer support (and for our internal training), verify your identity, and send you important account and service information.
5. What personal documents we store and who can see them
One of Asto App’s features is that it can store your data and certain documents. Personal information, like directors’ details, financial and banking information and other information which is generated about your use of the Asto App and products.
Only you, and people you allow, can access, control and manage this information. Sometimes, people we authorise (like members of our team) may need to access it as well – to give you technical support, for example.
6. Identity and credit checks we might make
Depending on the services you use, we may be legally required to verify your identity and carry out certain background checks.
If you apply for any finance product through us we will also carry out certain credit checks – these checks are on-going. As we will regularly review your Finance Pot, we will periodically use your personal information and carry out credit checks to ensure that the Finance Pot remains right for you.
In order to do this we send the information you provide us to third parties, including Equifax Limited and TransUnion.
Equifax Limited and TransUnion process your personal information as data “controllers”. To understand more about how these agencies use your information, please see the relevant privacy notices below:
If you do not want us to send your personal information to Equifax or TransUnion to carry out these checks, we will not be able to offer you any of our finance products.
7. Linked bank accounts
If you choose to link your bank accounts to us, we can see which accounts you hold with other banks and information to do with those accounts – like your transactions. We won’t see this information unless you’ve given us your permission (and confirmed this with your bank).
We’ll only use this information to give you the account views and services you’ve asked for.
8. Automated decisioning
When you apply for a finance product we carry out a credit check through automated processing. This means there is no human intervention. We use the result of this credit check to determine the amount which we think is suitable for your Asto Finance Pot based on the information you provided to us when applying, information we have collected about you from third party agencies, and information we have collected from your use of the Asto App. This processing is necessary to perform our obligations under an existing contract with you, or, in order to enter into a contract with you.
You can request further information about this processing or request that we review the decision in relation to your particular Asto Finance Pot through human analysis by emailing us at: email@example.com.
9. Invoice financing
If you use our invoice finance product, it is your responsibility to comply with any obligations under data protection laws including applicable notification requirements to third parties informing them that you are sharing their personal information with us. You should only submit invoices and details of related third parties to us if you have appropriate lawful authority to do so.
10. Fraud and financial crime monitoring
We may monitor your account including payments and other activity, for suspicious activity. This monitoring is in our legitimate interest and is carried out for security purposes and to prevent fraud.
Asto is a member of CIFAS and we share personal information we have collected from you, or we have received from third parties to prevent fraud and money laundering, and to verify your identity.
Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details and device identifiers including IP address.
We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal information to detect, investigate and prevent crime.
We process your personal information on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you may request.
Fraud prevention agencies can hold your personal information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your personal information can be held for up to six years.
As part of the processing of your personal information, decisions may be made by automated means. This means we may decide that you pose a fraud or money laundering risk if our automated processing reveals your behaviour to be consistent with money laundering, known fraudulent conduct, or is inconsistent with your previous submissions, or, you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making; if you want to know more please contact us at: firstname.lastname@example.org.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services or financing. If you have any questions about this, please contact us at: email@example.com.
Whenever fraud prevention agencies transfer your personal information outside of the European Economic Area, they impose contractual obligations on the recipients to protect your personal information to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
11. Keeping you updated
When you sign up to the Asto App we will add you to our email marketing list to make sure you don’t miss out on Asto news, invites to exclusive events and Asto podcasts. You can of course opt-out of receiving these email communications at any time by clicking on the “unsubscribe link” in the relevant email or by emailing us at: firstname.lastname@example.org.
In some cases you may specifically request to receive our newsletters and updates. If you have signed up for any newsletters or updates about our products and no longer wish to receive these emails you can let us know at any time, and we will stop sending them to you. You can do this by emailing us at: email@example.com or by clicking the “unsubscribe” link at the bottom of an email.
12. Other features
Sometimes we may offer you additional services, which could mean that we need to process your personal information differently. As soon as we offer you these, we’ll let you know how we’ll process your personal information, so you can make informed choices about how it is used. In some cases, if you choose not give us your personal information, we may not be able to provide you with these services.
13. Contacting us for help, by email or Live Chat
When you get in touch, we may ask you for personal information, like your name, address, or phone numbers. This is to help us answer your questions. Emails are not always secure, so we recommend keeping personal information to a minimum in emails.
You must never transmit your Asto account information by email. We will never ask you to.
14. What we have to do - by law
We may have to use and keep personal information for legal and compliance reasons, such as the prevention, detection or investigation of a crime; loss prevention; or fraud. We may also use personal information to meet our internal and external audit requirements, for information security purposes and as we believe to be necessary or appropriate: (a) under applicable law; (b) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities; (c) to enforce our terms and conditions; or (d) to protect our rights, privacy, safety, property, or those of other people.
15. When we share your personal information
The list below shows who we share your information with and why. We only share your personal information when it helps us give you the services you’ve asked for.
Occasionally, we might also share non-personal, anonymous, statistical data with third parties.
The Santander group: Santander’s businesses are supported by a variety of Santander teams and functions. Since we’re backed by Santander, we may share your information with Santander group companies to help them administer your account, give you services, for sales and marketing, for the prevention of fraud and financial crime and customer and technical support. Everyone we share your personal information with follows appropriate data privacy and security policies. If you would like to receive a list of these Santander group companies please contact us at: firstname.lastname@example.org.
Third-party service providers: Some of the partners and service providers we work with are located outside of the European Economic Area (EEA). We’ll only share personal information with them when they need it for the services they give us, such as software, system, security and platform support; cloud hosting services; advertising; data analytics; and marketing. Our third-party service providers are not allowed to share or use your personal information unless it’s in connection with the services they provide to us. If you would like to receive a list of these third-party services providers please email us at: email@example.com.
Third parties for legal reasons: We share personal information when we believe it is required, such as:
To comply with legal obligations and respond to requests from government agencies, including law enforcement and other public authorities. Both in, and outside, of the UK.
In the event of a merger, sale, restructure, acquisition, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or shares (including in connection with any bankruptcy or similar proceedings).
To protect our rights, users, systems and services.
16. Social media and analytics
To help us assess how the Asto App, Asto Website and certain promotional campaigns perform we use a few third-party tools, such as Facebook pixels, Appsflyer and Google analytics. The information from these third-party tools is anonymised and is only used to help us internally, for example to assess the effectiveness of our promotional campaigns and the performance of the Asto App and website. We may also use these tools (or similar) in our marketing email messages or newsletters to determine whether the email is opened or if links are clicked. We cannot identify you from the information collected.
17. Anonymised statistics
We also carry out our own internal analytics to see how we can improve our services and determine what new functions or features will benefit you the most. In order to do this, we look at information such as the types of receipts and invoices uploaded, the average value of your receipts and invoices, average payment terms and the most popular log in time.
18. Third-party links
Within the Asto App, or the Asto website, there may be links to third-party websites or applications. You should check those websites or applications for their privacy notices and the terms that apply to the use of the relevant third-party website or application. Asto is not responsible for the content or privacy compliance of third party websites or applications.
19. How to see your information and correct mistakes
Your personal information belongs to you. If you want a copy of it, or to make suitable changes, we are here to help.
See your information: We’ll help you see your personal information, get a copy, or send it to another provider – unless legal requirements or other exemptions mean that we can’t. You’ll just need to show us proof of your identity and give us enough information about how you use our services, so that we can find your information.
Make corrections: You have the right to correct or amend your personal information if it’s incorrect or out of date.
Deleting: You may also have the right to ask us to delete your personal information. We’ll try to help, but sometimes this isn’t possible because of legal and regulatory requirements, and other obligations about keeping records.
Objecting. If we are relying on legitimate interest to process your personal information you have the right to object to such processing activities. Where you object to such processing we will respond in accordance with your rights under data protection laws. We will either permanently stop using your personal information for those purposes or we will provide you with our justification as to why we need to continue using your personal information. You may object to us using your personal information for direct marketing purposes and we will comply with your request to stop using your personal information for marketing purposes. You may also contest a decision made about you based on automated processing.
If you would like to exercise any of your information rights, please email us at: firstname.lastname@example.org.
To find out more about your information rights, visit the Information Commissioner’s website at: https://.ico.org.uk
20. Where we store and process your data
We transfer personal information from the European Economic Area to other countries where their laws do not offer the same level of data privacy protection as the EEA. So we take other legal measures to protect the privacy of your personal information – such as approved standard contractual clauses and intragroup agreements.
21. How we keep your data secure
Keeping your personal information safe and secure is essential. Data security is built into the way we work – not an afterthought. We protect your personal information with both technology and security policies and procedures that follow the widely-accepted international standards. We review and update them regularly, as necessary, to meet our business needs, changes in technology and regulatory requirements.
22. How long we keep your information
We keep your personal information for only as long as we need to for legal and business purposes – taking into account local laws, contractual obligations, and the needs of our customers. When we no longer need personal information, we securely delete or destroy it.
23. How to contact us about this notice or make a complaint
If you’d like to contact us for more information or make a complaint about how we’ve handled your personal information, please contact us at: email@example.com
If you’re not satisfied with our response, or think we’re not processing your personal information in accordance with the law, you can escalate your complaint to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Or visit their website https://ico.org.uk