Pay4Later Limited, trading as Deko (“we”, “us” or “our”), is a company incorporated in England and Wales with company number 06447333. Our registered office is 100 Liverpool Street, London, EC2M 2AT.
For the purpose of data protection laws, we are a data controller and we are registered as a controller with the Information Commissioner’s Office under number ZA003197. We are committed to maintaining the privacy and protection of all personal data that we process in connection with our business.
1.1 We will collect and process the following personal data about you.
1.2 Information you give us: This is information about you that you give us when filling in forms on our website or by corresponding with us by phone, e-mail or otherwise. It includes information provided when you use our services to apply for credit, register for our newsletter and when you report a problem with our website. The information you give us may include names, addresses, email addresses and phone numbers.
1.2.1 We may allocate a unique reference number to you and/or your application, which we may use as a reference number to track data or other information with lenders or merchants.
1.3 Online Information we collect: With regard to each of your visits to our website we will automatically collect the following information:
1.3.1 technical information, including the Internet protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, screen resolution, operating system and platform; and
1.3.2 information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our website (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page. This information is stored and processed by Hotjar Ltd (www.hotjar.com) on our behalf – the data transferred is anonymous (so that it can’t be used to identify you) but we and they may store your email address or other personal data if you specifically enter it in response to, for example, a survey or feedback request. This will be clear to you whenever you are invited to do so, and you are never under any obligation to do so.
1.4 We do not process any special categories of personal data, meaning personal data revealing:
1.4.1 racial or ethnic origin;
1.4.2 political opinions; religious or philosophical beliefs or trade union membership;
1.4.3 genetic or biometric data that uniquely identifies you; or
1.4.4 data concerning your health, sex life or sexual orientation.
1.5 We do not collect data relating to criminal convictions or offences or related security measures.
Sections 1.1 – 1.3 below explain how and why we process your personal data, as well as the legal basis on which we carry out this processing.
2.1 Retail Consumers
2.1.1 To facilitate your application for credit: Where you apply for a credit product in connection with a purchase from a merchant, or otherwise, as a credit broker, we collect and process the personal data you provide in your application form in order to provide you with credit brokerage services. We make it quick and easy for you to apply for credit, both at the point of purchase (be it when you are buying in-store, online, on your mobile or over the phone), and by other means you agree to. We review your application for credit to validate, format and process your information.
(a) (where appropriate) select a suitable credit product for you (based upon the finance offers available from our lending partners);
(b) facilitate the completion of your application for credit and the agreement between you and the lender, on behalf of a lender;
(c) may obtain a copy of the proof of delivery of your goods to provide the lender with satisfactory confirmation that you have received the goods before they make payment to the merchant, and
(d) also provide your personal data to the merchant, if applicable, in order to confirm payments made by the lender to the merchant in connection with your purchase and to enable the merchant to provide goods and/or services to you.
Your personal data will be shared with the merchant you are purchasing from, lenders and credit reference agencies and may be shared with other agencies for specific purposes as set out in sections 3 and 4).
Such processing is necessary in order to take steps, at your request, prior to entering into a contract with a lender for credit and this forms the legal basis for the processing. If you do not wish to provide us with your personal data in this way, we will be unable to provide you with our credit brokerage services.
2.1.2 To improve your customer experience: From time to time we may conduct data and system analytics, including research to optimise our technology and improve our products and/or services, which may also involve resubmitting historic applications that we have received from you to test our technology’s decision results. This will not have an adverse impact on your credit records or credit history.
We may also liaise with potential new lending partners and provide them with anonymised transaction datasets so that they can make an initial assessment of whether there are available opportunities for them to work with us. The legal basis on which we process any personal data in these circumstances is our legitimate interest to enhance our internal processes and enrich the products and/or services we can offer you in the future. In each case, we will only use anonymised and/or aggregated data from which individuals’ identities cannot be determined.
2.1.3 To make our website better: We may process your personal data in order to provide you with a more tailored user experience. We may also use your personal data to make sure our website is displayed in the most effective way for the device you are using. This processing means that your experience of our site will be more tailored to you. We also use various cookies to help us improve our website (more details are set out in our Cookies Policy) and share your personal data with the third party analytics and search engine providers that assist us in the improvement and optimisation of our website.
We will also process personal data for the purposes of making our website more secure, to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
The legal basis on which we process personal data in these circumstances is our legitimate interest to provide you with the best customer experience we can, and to ensure that our website is kept secure.
2.1.4 To provide customer services to you: We may process your personal data in order to provide various supporting customer services to you (such as where you contact us with a question in connection with a product or service and/or request certain information from us). The legal basis on which we process your personal data in these circumstances is our respective legitimate interests in dealing with customer service requests and responding to communications. If you do not provide us with the personal data we request from you for customer services purposes, we may not be able to fully answer your queries.
2.2 Retailers and Merchants:
2.2.1 In a business-to-business context where you are employed or engaged to work for a retailer, lender or supplier we may make contact with you to provide or seek information in connection with our products and/or services. The legal basis we rely on for making contact with you and processing your personal data is our shared legitimate interests in doing business together. You are able to exercise your right to object to such contact from us (please see sections 9 and 13).
2.2.2 Where you have expressly opted in to receive marketing communications from us, we will process your personal data to provide you with marketing communications in line with the preferences you have provided.
2.2.3 Where you provide your personal information to us in order to enter into a prize draw at a conference, exhibition or similar event, you will be given the option to opt into our marketing communications. We will process your personal data to provide you with marketing communications in line with the preferences you have provided.
2.2.4 Where we are in the process of entering into a contract with a merchant and you are a Director, Owner or controller of the merchant, we will ask you to provide your personal information to help us verify your identity and undertake screening checks to comply with our legal and regulatory obligations.
2.3 All individuals
2.3.1 Where you have expressly opted in via our website to receive marketing communications from a third party, we will process your personal data by transferring it to the relevant third party. In respect of sections 2.2.2 and 2.2.3, the legal basis on which we process your personal data is your consent. You are not under any obligation to provide us with your personal data for marketing purposes, and you can withdraw your consent to your personal data being processed in this way at any time by contacting us (please see section 12) or, where relevant, by following the unsubscribe link in every marketing communication you receive from us. If you do choose to withdraw your consent, this will not mean that our processing of your personal data before you withdrew your consent was unlawful.
We will transfer your personal data to a third party:
2.3.2 if our business is sold; or
2.3.3 in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets (at all times in accordance with all applicable data protection laws); or
2.3.4 if Deko or substantially all of its assets are acquired by a third party, in which case personal data held by Deko about its customers will be one of the assets transferred to the purchaser.
In each case, the legal basis on which we process your data in these circumstances is our legitimate interest to ensure our business can be continued by a purchaser. In such an event, we will assess whether our legitimate interests are outweighed by the risks to your rights and freedoms by us sharing your personal data in this way and only proceed with a data transfer if we believe they are not.
2.3.5 In certain circumstances we may also need to share your personal data if we are under a duty to disclose or share personal data in order to comply with any legal obligation.
3.1 We work with sub-contractors, business partners, advertising networks, analytics providers, hosting providers and search information providers who may process personal data on our behalf.
3.2 We are responsible for such third parties’ processing as they do so under our authority. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Please also note that you have the right to access personal data Teads hold about you and to ask that your personal data be corrected, erased or transferred. You may also have the right to object to, or request that Teads restricts certain processing by addressing your request at email@example.com.
3.4 We work with third party providers of analytics software, namely Heap Analytics, which help us to understand and analyse your use of our website and the Deko platform. After obtaining your consent, cookies will be run to help us monitor your journey within our website or platform. Neither Deko, nor any third party analytics provider, will obtain or process your personal data in undertaking such analytics. Information from this analysis may be aggregated to inform our roadmap for product improvements and customer experience enhancements.
3.5 We have partnered with Consumer Credit Solutions Limited (“CCS”) to provide access to finance products in the home improvements sector. We may share limited personal data with CCS during the course of our business to enable reporting and monitoring of customer outcomes.
3.6 Further information regarding such third parties can be requested by contacting us (please see section 12).
4.1 Nobody has a right to receive credit. Credit is subject to: status; telephone contact information; confirmation of name and address; whether or not you already hold credit agreement(s) with the lender; no reasonable suspicion of fraud and is only available to UK residents who are at least 18 (eighteen) years of age and are not legally restricted from obtaining credit. Therefore, to process your application, your personal data may be shared by us with categories of recipients that include lenders, credit reference agencies, other agencies and merchants.
4.2 The details in this policy relating to the third parties in this section are for your information only. We are not responsible for the privacy policies or practices of such third party recipients of your personal data. Please ensure you read any information those third parties provide you about their processing of your personal data and make your own enquiries in respect of them.
4.3 Lenders: Credit is always granted at the discretion, and subject to the terms of business, of lenders. Where we share your personal data with lenders, this is to allow lenders to assess your application.
When assessing your suitability and creditworthiness for any credit application, lenders may use different methods of credit scoring or other automated decision making facilities and in so doing may provide your personal data to credit reference agencies or other agencies (please see section 4.4). In respect of credit reference agencies, it is the lender, not us, who chooses and/or dictates the choice of which credit reference agency is used. Any assessment by a lender will consider a number of different factors.
Where your application for credit is successful, the lender may keep information about you as a customer in their own records. This may include all the initial information given by you to us and/or extra information about how your account has been run and any other dealings between you and the lender. A lender may wish to use your personal data for statistical analysis about credit, insurance and/or fraud. Equally, in order to fulfil their legal obligations or for other legitimate interests, a lender may also need to give information about you to their bankers, other providers, insurers and/or re-insurers of funding for their lending (or any other product they may have offered to you).
Where your application for credit is refused by a particular lender, that lender may provide the general reason for the refusal but they are not obliged to tell you exactly why your application has been refused. However, if that decision was made on the basis of information obtained from a credit reference agency (please see section 4.4.1), the lender can provide you with the name and address of any credit reference agency used free of charge.
In the event you do not become a customer straightaway, a lender may wish to retain and use your personal data for business analytics, or to assess whether you would be eligible for alternative or similar products or services (which if available they may contact you about from time to time), or for marketing or for other purposes.
4.4 Credit Reference Agencies and other agencies: Depending on the type of credit that you have applied for we (on behalf of and as directed by a lender) and/or the lenders themselves, may check your personal details with a credit reference agency and/or with other agencies in order to get confirmation that all the details submitted by you on your application are true and that the application has genuinely been made by you.
Please ensure the information you provide about yourself is true as it will be checked. If it is suspected that any of the information is false or inaccurate this may be reported to and likely checked by a fraud prevention agency. If you give false or inaccurate information and fraud is suspected, this may be recorded by the fraud prevention agency.
4.4.1 Credit reference agencies
One or more of the main credit reference agencies may be used:
Customer Service Centre
PO Box 10036
Consumer Help Services
PO Box 9000
Credit reference agencies keep a wide range of information. This includes information from the electoral roll (sometimes known as the voters roll) and records of most county court judgments and bankruptcies. They also retain information relating to previous and existing credit and a record of searches made against the file. The lenders also share information through the agencies providing a history of how punctually payments are being made or have been made. Loan information is usually held on file for six (6) years.
Details of the voters roll may be held for much longer. Information about credit searches is kept for up to two (2) years.
4.4.2 Other agencies:
Where your personal data is provided to other agencies (including but not limited to those listed below), this is in order to help lenders (and other subscribers to those agencies) trace debtors, recover debt, prevent fraud and to check your identity to prevent money laundering. Agencies are not permitted to keep “blacklists” nor should they give any opinion about whether or not credit should be granted to you – this for the lender to decide.
Agencies with whom your personal data may be shared for the purposes of processing your application include:
Credit Industry Fraud Avoidance System (Cifas): Cifas is a fraud prevention service in the United Kingdom. Reports from Cifas relating to fraud and fraud avoidance are also available to its members (most lenders) – these reports contain information indicating that fraud, or attempted fraud, has been notified by a lender. The information might not directly relate to you, it might relate to someone who has tried to impersonate you. Data available to members of Cifas may also be used to help make decisions on household, motor, credit, life and other insurance proposals for you and/or members of your household. Cifas information is intended to warn lenders and act as protection for innocent customers. www.cifas.org.uk.
Gone Away Information Network (GAIN): GAIN is an information database (administered by Cifas) that stores information obtained from lenders and Royal Mail about individuals with overdue outstanding debts who have moved without giving their lender a forwarding address. Data from GAIN includes an individual’s old address(es) and any known new addresses that may be recorded on the relevant credit file. This information is only available to other organisations who are members of GAIN.
National Hunter (Hunter): Hunter is an anti-fraud data sharing system used principally by lenders and credit card companies. It is owned by N Hunter Limited, a not-for-profit company, operated by Experian Decision Analytics and aims at tracing fraudsters who use different combinations of information to obtain credit dishonestly. Members of Hunter submit each and every detail given by consumers on credit applications. These details are subsequently counter checked against all other applications made (including those made with other members) to identify inconsistencies that may indicate fraud. www.nhunter.co.uk.
4.4.3 Accessing your file: If you wish to see the information contained on an agency file you can do so by writing to the relevant agency. If your file contains information about you which is incorrect (or contains information about other people with whom you have no financial connection) you can request for the applicable information to be corrected, removed or have a note put on the file explaining why you think the information is wrong. The agency will not remove correct information.
4.5 Merchants: Where your personal data is shared with a merchant this is in order to confirm with that merchant the result of your credit product application. Where that application has been successful your personal data is shared so that the merchant can confirm and receive payment and to enable the merchant to provide goods and/or services to you.
5.1 We do not perform any automated decision making using your personal data. The lender will combine the information you provide to us with information they collect about you in order to make decisions regarding your application. This is an automated process carried out by the lender with the information we provide. The decision will contain the contact details of the lender, should you wish to express your view on the decision or to contest the decision.
6.1 The data that we collect from you will be stored in (and will not be transferred out of) the European Economic Area (EEA).
6.2 If we transfer personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
6.2.1 Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
6.2.2 Where we use providers based in the US, we will conduct a transfer risk assessment and enter into contract addendums that incorporate additional clauses, protections and obligations in line with the European Standard Contractual Clauses or the UK’s International Data Transfer Agreement as appropriate.
6.3 If further information on the specific mechanism used by us when transferring your personal data out of the EEA is required, please contact us directly (please see section 12).
7.1 Where you receive credit as a result of our credit brokerage services, we will retain your data for a period of 7 (seven) years after the services performed, to ensure that we are able to assist you should you have any questions or feedback in relation to our products and/or services or to protect, or defend our legal rights.
7.2 Where you apply for credit but your application is unsuccessful, we will retain your data for a period of no longer than 16 (sixteen) months from the date of your application.
7.3 Where we have processed your personal data to provide you with marketing communications with consent, we may contact you at least every twelve (12) months to ensure you are happy to continue receiving such communications. If you tell us that you no longer wish to receive such communications, your personal data will be removed from our lists.
7.4 Where we have processed your data for any other reason (such as where you have contacted us with a question in connection with our products and/or services), subject to section 7.1, we will retain your data for twelve (12) months from such contact.
7.5 Further details of retention periods for different aspects of your personal data are available in our Data Retention Policy which is available on request (please see section 12).
8.2 The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
8.3 All information you provide to us is stored on secure servers and all our systems are password protected to help ensure there is no unauthorised access to personal data. Where we have given you a password (or where you have subsequently changed that default password and chosen your own password), the password enables you to access certain parts of our website and you are responsible for keeping this password confidential. You must not share your password with anyone.
8.4 Where we need to transfer your personal data to a third party, such as those referred to in sections 3 and 4, we will ensure we apply strict security protocols and robust encryption to protect the data in transit.
Right to object
9.1 You have the right to object to us processing your personal data where we are processing personal data:
9.1.1 based on our legitimate interests (as set out at sections 1.2, 1.3, 1.4, 1.5.1 and 1.6 above). If you ask us to stop processing your personal data on this basis, we will stop processing your personal data unless we can demonstrate compelling grounds as to why the processing should continue in accordance with data protection laws; and
9.1.2 for direct marketing purposes. If you ask us to stop processing your personal data on this basis, we will stop. In each case please do so by making contact with us directly (please see section 12).
Right of access
9.2 You have the right to receive confirmation as to whether your personal data is being processed by us, as well as various other information relating to our use of your personal data. You also have the right to access your personal data which we are processing. You can exercise this right by making contact with us directly (please see section 12).
Right to rectification
9.3 You have the right to require us to rectify any inaccurate personal data we hold about you. You also have the right to have incomplete personal data we hold about you completed, by providing a supplementary statement to us. Right to restriction
Right to restrict processing
9.4 You have the right to restrict our processing of your personal data where:
9.4.1 The accuracy of the personal data is being contested by you;
9.4.2 the processing by us of your personal data is unlawful, but you do not want the relevant personal data erased;
9.4.3 we no longer need to process your personal data for the agreed purposes, but you want to preserve your personal data for the establishment, exercise or defence of legal claims; or
9.4.4 we are processing your data on the basis of our legitimate interest (as set out at sections 1.2, 1.3, 1.4, 1.5.1 and 1.6 above) and you:
a) object to our processing on the basis of our legitimate interest under section 9.1.1 above; and
b)want processing of the relevant personal data to be restricted until it can be determined whether our legitimate interest overrides your legitimate interest.
9.4.5 Where any exercise by you of your right to restriction determines that our processing of particular personal data is to be restricted, we will then only process the relevant personal data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.
Right to data portability
9.5 You have the right to receive your personal data in structured, standard machine readable format and the right to transmit such personal data to another controller.
Right to erasure
9.6 You have the right to require we erase your personal data which we are processing where one of the following grounds applies:
9.6.1 the processing is no longer necessary in relation to the purposes for which your personal data was collected or otherwise processed;
9.6.2 our processing of your personal data is based on your consent, you have subsequently withdrawn your consent and there is no other legal ground we can use to process your personal data;
9.6.3 you object to the processing of your personal data as set out in section
9.6.4 the personal data has been unlawfully processed; and
9.6.5 the erasure is required for compliance with a law to which we are subject.
9.7 If you have cause to complain about our processing of your personal data, please contact us in the first instance, so that we can look to resolve the matter for you promptly.
You have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”), the supervisory authority for data protection issues in England and Wales. The ICO’s address is:
Information Commissioner’s Office
Helpline number: 0303 123 1113
9.8 Exercising your rights: You can exercise your rights by making contact with us directly (please see section 12). You will not generally be charged a fee for exercising any of your data protection rights and we must provide our response within one month of your request.
Our website may, from time to time, contain links to and from the websites or platforms of our partner networks, affiliates and other third parties. Our service connects you to different websites or platforms. If you follow a link to any of these websites or platforms or use our service, please note that you have left our website and these websites and platforms have their own privacy policies and may collect or share personal data about you. We do not accept any responsibility or liability for these policies, websites or platforms. Please check these policies before submitting any personal data to these websites or platforms.
You can contact us by telephoning our Support team on 0800 294 5891 or by writing to our Data Protection Officer using the email address firstname.lastname@example.org or via our postal address Deko, 100 Liverpool Street, London, EC2M 2AT.
The following changes have been made to this policy:
We have introduced Teads cookies to support our marketing communications
We have introduced Heap analytics to help us monitor, analyse and improve our products and services
We have included capturing marketing consent when providing details to enter a prize draw at events
We have included our new commercial partnership with CCS and that we may need to transfer limited personal data to them to enable reporting and monitoring
We have added that we apply robust security controls to any personal data that we transfer outside of our company’s systems.