Privacy Policy for Credit Karma Customers

  1. Intro
  2. Who we are
  3. What data we collect about you;
  4. How we collect your data;
  5. How we use your data;
  6. Our legal bases for processing your personal data;
  7. How we share your personal data with others;
  8. How we store your personal data;
  9. Your legal rights;
  10. How to contact us;

The details

1. Intro

TotallyMoney helps Credit Karma customers check their eligibility for and compare credit cards and loans. Our software ‘powers’ these Credit Karma comparison services, to provide customers with credit card and/or loan offers.

If you compare credit cards or loans on Credit Karma, we will process your personal data in accordance with this privacy notice. We will carry out eligibility checks on you and show you offers. We will also send you a results email, on Credit Karma’s behalf. If you choose to apply for a product we will pass you through to the relevant lender.

We value your privacy. We want to be accountable and fair to you and transparent about how we collect and use your personal data. This privacy notice tells you what to expect when we collect and use personal data about you. You should also read our Credit Karma Terms and Conditions and our Cookie Policy carefully before you decide to use our services.

Any changes we make to this privacy notice will be posted on this page, so please check back frequently.

This privacy notice applies only to the personal data that we collect in relation to our services. Our website may contain links to and from third party websites. For example, we may link to and from the websites of lenders, credit reference agencies, our partner networks, advertisers or affiliates. We can’t be responsible for personal data that these third parties collect, store and use through their website without our involvement. You should always read the privacy notice of each website you visit carefully and before you submit any personal data to them.

2. Who we are

We are TotallyMoney Limited. We act as an independent credit broker, not a lender.

TotallyMoney Limited is a company registered in England (No. 06205695) with VAT number 974859255. Our registered office is at Chapter House, 16 Brunswick Place, London N1 6DZ. We are an appointed representative of our sister company, MI Money Limited, which is authorised and regulated by the Financial Conduct Authority in respect of consumer credit related activities including credit broking and the provision of credit information services (FCA FRN 511936).

Data protection law applies to our collection and use of personal data and TotallyMoney Limited is the controller of that personal data (ICO Registration Number Z1096594), save when we send results emails to Credit Karma customers, when we are acting as Credit Karma’s processor.

If you have any questions about this privacy notice, please contact us or email us at help@totallymoney.com. If you wish to contact our Data Protection Officer you can email them at dpo@totallymoney.com, or you can write to them at Chapter House, 16 Brunswick Place, London N1 6DZ.

3. What data we collect about you

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you. In this privacy notice we’ve used the following definitions to refer to some of this data:

Credit Karma data means the data that Credit Karma gives us to help you check your eligibility for and compare credit products and to send you a results email (e.g. title, name, date of birth, annual income, employment status, email address, house name or number and postcode, residential status and your marketing preferences). Please note that this data is either deleted as soon as we have used it or kept in an encrypted format and periodically deleted, in accordance with our records retention policy. TotallyMoney staff do not have direct access to your Credit Karma data.

Correspondence data means any personal data that you give us if you correspond with us directly (for example, by contacting our customer service team).

Eligibility data means information about your eligibility for the products featured on our website, such as your likelihood of being accepted for a particular product and the actual or indicative rates of interest and term of borrowing that will apply. This information is given to us by Experian and the lenders with whom we perform direct-to-lender eligibility checks (see section 7.2 for more details).

Product application data means data about the outcome of product applications you make as a result of using our services, which is given to us by some lenders, lender’s agents and third party brokers so that we can calculate the commission that is due to us from those lenders.

Technical and behavioural data means details of your visits to the website including the actual pages you visit, IP address (from which we may derive your location) and details of the resources that you access. We also capture information about your computer or device including, where available, your operating system and browser type.

We also collect, use and share aggregated data such as statistical or demographic data. Aggregated data may be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific service. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

4. How we collect your data

We use different methods to collect data from and about you, including:

Credit Karma give us Credit Karma data so that we can help you check your eligibility for and compare credit products and so that we can send you a results email on their behalf.

Direct interactions. You may give us correspondence data if you give us feedback or contact us (for example by post, phone, email or via our website or app).

Experian. The credit reference agency that we work with, Experian, will give us eligibility data.

Lenders. The lenders, lenders’ agents and third party credit brokers that we work with give us eligibility data and, in some cases, product application data.

Automated technologies or interactions. We’ll automatically collect technical and behavioural data as you interact with our services.

5. How we use your data

5.1 Eligibility checking service

Our eligibility checking service works to find you offers. We then sort your offers based on their features and what's best for your credit profile. Although we may be paid commission, this never influences how your offers are ranked.

To do this, we use automated technology that assesses your personal data to create a profile of you (including your credit eligibility). We then use this information to search for and find suitable products for your credit profile. Your results are based on our unique “Match Factor” algorithm, which considers factors such as:

  • your credit profile;

  • your eligibility score;

  • the features of the products; and

  • lender reliability.

This is a type of automated decision making and, depending on how you use the information provided, may have a significant effect on you as it relates to your access to credit. Whilst we do not make credit decisions about you, we do this automated decision making because it is necessary for us to provide the services to you.

You have the right to object to and not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you. If you wish to object to automated decision making and profiling, we’ll not be able to provide the services to you.

Checking or refreshing your offers will prompt Experian and some of the lenders that we work directly with to soft search your credit file. Some of these soft searches will leave ‘footprints’ on your credit file. For more information about soft searches and footprints, see section 5.2.

5.2 Soft searches and ‘footprints’ on your credit report

Some of our services involve soft searching your credit file. A soft search is like a quick peek at your credit file. Soft searches will not harm your credit rating or affect the way lenders see you.

Soft searching your credit file allows us to assess your eligibility for products. You may see these soft searches as ‘footprints’ on your credit report in either our name or the name of one of the lenders or credit reference agencies that we work with. Soft searches on your credit file will be given different markings, depending on their purpose, such as:

  • Affordability

  • Anti-Money Laundering

  • Consumer Credit File Request

  • Identity Check

  • Quotation/Preliminary Search

You may see multiple footprints on your credit file because soft searches will be carried out:

  • when you check or refresh your offers (e.g. when you click on ‘see my matches’);

  • If you interact with your results email (e.g. if you click on ‘show all results’); and

  • If you revisit your results table.

Here are some examples footprints you might see on your credit file as a result of using our services:

  • Avant Credit Of Uk Llc (Ar) or Avant Credit Of Uk Llc (Cval)

  • Bamboo Limited (Cval Tac Cr R)

  • Capital One Bank (Europe) Plc (Ml, Sa, Sr, Cval)

  • Hitachi Capital (Uk) Plc

  • Lendable Limited (Sr, Ar, Cval)

  • Likely Loans

  • Likely Loans (TotallyMoney.com)

  • Madison Cf Uk LTD T/A 118 118 Money (Cval Sr Tac)

  • Marbles.com

  • Marbles (TotallyMoney.com)

  • Shawbrook Bank Limited (Sr, Tac, Cval, Sa, Cosmos)

  • Totallymoney Limited (Cval)

  • Totallymoney.com with Capital One

  • Vanquis Bank Limited (Sa Sr, Ct, Tac, Cval)

  • Zopa Limited (Tac)

5.3 Results emails

We will send you a results email showing your loan or credit card offers, on Credit Karma’s behalf.

5.4 Correspondence

If you contact us, we’ll keep a record of that correspondence for up to 6 years.

5.5 Credit Report Services

We use technical and behavioural data:

  • for system administration;

  • to measure and analyse traffic to our website or app; and

  • to enable us to analyse behaviour and trends on the website and app. This is statistical data about our users’ browsing actions and patterns and does not identify any individual.

5.6 To meet legal or regulatory requirements

We and our third-party service providers are required to comply with certain legal and regulatory requirements including:

  • complying with our regulatory obligations to the Financial Conduct Authority and the Information Commissioner; and

  • addressing enquiries or complaints from you or from a regulator.

5.7 Fraud prevention

TotallyMoney and the credit reference agencies and lenders that we work with will process and share your data for the purposes of fraud prevention.

6. Our legal bases for processing your personal data

We’ve set out below, the legal bases on which we process your personal data. We’ve also identified what our legitimate interests are, where appropriate.

Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To help you check your eligibility for and compare credit products Credit Karma data

Eligibility data
Necessary for our legitimate interests (to allow us to provide eligibility and credit comparison services to Credit Karma customers)
Correspondence with you (customer queries) Correspondence data

Technical and behavioural data
Legitimate interest (to ensure customer satisfaction and to answer queries about the service, to monitor trends in queries to improve the services)
To use data analytics to improve products/services
To ensure and monitor the security of our website and app
Technical and behavioural data Necessary for our legitimate interests (to provide you with customer and technical support, to define types of customers for our products and services, to keep our services updated and relevant, to develop our business and to inform our marketing strategy)
To meet legal or regulatory requirements Correspondence data

Technical and behavioural data
Compliance with a legal or regulatory requirement to which we are subject
To assist the wider industry with fraud prevention Technical and behavioural data Necessary for our legitimate interests (as a company working in this industry)
To calculate any commission payments due to us from lenders as a result of your application Product application data Necessary for our legitimate interests (to calculate commission due to us)

7. How we share your personal data with others

7.1. Sharing your personal data with credit reference agencies (Experian)

A credit reference agency is a company that collects personal information from various sources and provides that personal information for a variety of uses (including to prospective lenders for the purposes of making credit decisions).

We share your personal data with Experian Ltd (“Experian”), who conduct pre-screening searches and eligibility checking on our behalf. Experian uses your personal data:

  • so that they can check your eligibility for the credit products listed on our site; and

  • for fraud prevention purposes.

Please read Experian’s terms by clicking here).

Experian will use the information you provide while using our services for the purposes of operating as a credit reference agency. This will include using such data for statistical purposes, to assist with identity verification, prevention of fraud / money laundering, tracing and collection of debt, service delivery and process implementation.

7.2. Sharing your personal data with lenders

We share your personal data with a range of lenders and other service providers:

  • so that they can check your eligibility for their products (including whether you’re an existing customer);

  • to pre-populate any lender or service provider’s application form you chose to complete; and

  • for fraud prevention purposes.

If you would like any more information about lenders that we currently work with, please email us – help@totallymoney.com.

We may also share limited details about you with lenders or their agents to verify any commission payments due to us as a result of your application.

If you apply for a lender’s product as a result of using our service, they will provide you with the terms and conditions for that product. They will also carry out their own identification and validation checks (including fraud prevention procedures), affordability and credit application checks in accordance with their own criteria. Any full credit check carried out by a lender or service provider will be visible on your credit file to all lenders in the future. The basis on which a lender or other service provider uses your personal data should be set out in their privacy notice.

7.3. Sharing your personal data with group companies

We work with and are an appointed representative of MI Money Limited to provide our services to you. This requires us to share your personal data with MI Money Limited, so that MI Money Limited can meet its regulatory obligations as the regulated principal.

We may also disclose your personal data to any member of the TotallyMoney group, which means our subsidiaries, as well as our ultimate holding company and its subsidiaries. For example, way may share your personal data with group companies:

  • if another group company is helping us deliver the services;

  • where we have regulatory reporting requirements that mean we need to share personal data; or

  • in the event of a corporate restructure.

7.4. Sharing your personal data with other third parties

We may share your personal data with:

  • the Financial Conduct Authority, the Information Commissioner’s Office or any other legal, regulatory or governmental body that we are required to disclose information to;

  • our suppliers of technical and support services, insurers, logistic providers, and cloud service providers;

  • the analytics and search engine providers that assist us in the improvement and optimisation of our website.

We may consider corporate transactions such as a merger, acquisition, reorganisation or asset sale. We may share information with third parties in relation to that transaction. If we are acquired in whole or part, customer personal data may be one of the assets transferred.

We may disclose or share your personal data with third parties (e.g. professional advisors or public bodies) if it is necessary to:

  • enforce or apply our terms of use and other agreements;

  • protect the rights, property or safety of our staff, customers or other people.

This includes exchanging information with other companies and organisations for the purposes of identity verification and validation, fraud protection and credit risk reduction.

7.5. Transferring your personal data internationally

The data that we collect from you may be transferred to, and stored at, a destination outside of Europe (for these purposes “Europe” means the European Economic Area ("EEA") and the UK if the UK is no longer part of the EEA) in connection with the above purposes. For example:

  • we use an American email service provider to send our service and marketing emails;

  • we use an American software provider to supply the software platform we use to manage customer queries;

  • the credit reference agencies and lenders that we work with may also transfer your personal data outside of Europe (for more details, please read their privacy notices).

If we transfer any of your personal data outside of Europe, we’ll take steps necessary to ensure that your data is treated securely and in accordance with this privacy notice and all relevant statutory requirements. These measures include:

  • in the case of US based entities, entering into European Commission approved standard contractual arrangements with them, or ensuring they have signed up to the EU-US Privacy Shield (see further https://www.privacyshield.gov/welcome); or

  • in the case of entities based in other countries outside Europe, entering into European Commission approved standard contractual arrangements with them.

Further details on the steps we take to protect your personal data in these cases is available from us on request by contacting us by email at mailto:help@totallymoney.com at any time.

8. How we store your personal data

8.1. What we do to keep your personal data safe

All the information that you give us is stored on secure servers. The internet is not a secure medium, but we’ve put in place various security procedures to protect your information. We use firewalls to block unauthorised traffic to the servers. The actual servers are located in a secure location which can only be accessed by authorised personnel. We use industry-standard encryption technology to ensure that all your personal and transactional information is encrypted before transmission to certain lenders or third-party service providers. Our security policies are in place to safeguard your privacy from unauthorised access or improper use. We’ll continue to enhance our security as and when new technology becomes available.

8.2. How long we keep your personal data for

We keep your personal data for no longer than necessary for the purposes for which the personal data is processed. For example, we delete Credit Karma customer email addresses from our email service platform on a quarterly basis.

We may retain personal data where we need to for:

  • the purposes of complying with our legal and regulatory responsibilities;

  • responding to legal and regulatory enquiries; and

  • our own required record keeping.

For example, if you contact our customer service team, we will keep that correspondence for six years.

9. Your legal rights

You have various rights in respect of our use of your personal data, including:

9.1. Your right to be informed

You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the General Data Protection Regulation (“GDPR”). We must provide you with information including:

  • our purposes for processing your personal data;

  • our retention periods for that personal data; and

  • details of who it will be shared with.

This information is set out in the transparency notices that are shown to you when you use Credit Karma to compare cards and loans and in this privacy notice.

9.2. Your right to access

You have the right to access the personal data that we hold that relates to you. This is commonly referred to as a subject access request or “SAR”. You can make a SAR and view the personal data TotallyMoney holds on you. Please note that the personal data won’t include information about your Credit Karma account (you will need to contact Credit Karma for this information, because we don’t have direct access to it).

This right lets you correct or change any personal data we hold on you that’s wrong or out of date. Please note that we can’t correct information on your Credit Karma account. You will need to contact Credit Karma directly if you want to correct or change any personal data that Credit Karma holds on you.

9.3. Your right to rectification

This right lets you correct or change any personal data we hold on you that’s wrong or out of date. Please note that we can’t correct information on your Credit Karma account. You will need to contact Credit Karma directly if you want to correct or change any personal data that Credit Karma holds on you.

9.4. Your right to erasure

Your right to erasure (or ‘the right to be forgotten’) is a right to ask for your personal data to be erased. We can do this — no problem — but we can’t immediately delete everything. Some information about how you used our services must be kept for a limited period, for legal and regulatory purposes (see section 8 for more details).

9.5. Your right to restrict processing

You have the right to request that we restrict or suppress the processing of your personal data. This is not an absolute right and only applies in certain circumstances, including where:

  • you contest the accuracy of your personal data and we are verifying the accuracy of the data

  • ;
  • the data has been unlawfully processed and you oppose erasure and request restriction instead

  • ;
  • we no longer need the personal data, but you need us to keep it in order to establish, exercise or defend a legal claim; or

  • you have objected to us processing your data under Article 21(1) of GDPR (e.g. an objection to processing on the grounds of legitimate interest), and we are considering whether our legitimate grounds to process your data override your rights and interests.

9.6. Your right to data portability

The right to portability lets customers transfer data easily from one system to another. It’s safe and secure and doesn’t impact the data’s credibility. You can request a copy of the data that you have provided to TotallyMoney in a re-usable format. This right relates to personal data you have provided to us where our legal basis for processing is performance of a contract or consent.

9.7. Your right to object

You have the right to object to our processing of your personal data. This effectively allows you to ask us to stop processing your personal data. The right to object only applies in certain circumstances. Whether it applies depends on our purpose for processing and our lawful basis for processing.

You have the absolute right to object to the processing of your personal data for direct marketing purposes. Please note, we don’t do direct marketing for Credit Karma, no do we market our own services to Credit Karma customers.

You can also ask us to consider any valid objections which you have to our use of your personal data where we process your personal data based on our, or another person's, legitimate interest. This is not an absolute right, and we can continue processing your personal data if:

  • we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or

  • the processing is for the establishment, exercise or defence of legal claims

  • .

9.8. Your rights related to automated decision making, including profiling

We use automated decision making to tailor your offers (see section 5 for more details). You have the right to object to and not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you. If you wish to object to automated decision making and profiling, we’ll not be able to provide the services to you.

9.9. Your right to withdraw consent

If we rely on consent to use your personal data in a particular way, but you later change your mind, you may withdraw your consent by contacting us at help@totallymoney.com and we’ll stop doing so.

9.10. How to exercise your rights

To exercise the rights outlined above in respect of the personal data processed by us as a controller contact us or email us at help@totallymoney.com. We may need further information to verify your identity before we can respond to your request. We’ll consider all requests and provide our response within a reasonable period (and in any event any period required by applicable law). Certain personal data may be exempt from such requests in certain circumstances. If an exception applies, we’ll tell you this when we respond to your request.

9.11. Your right to complain

If you have any complaints about our collection, use or storage of your personal data please contact us at help@totallymoney.com. We’ll investigate and attempt to resolve your complaint. You may also make a complaint to the UK Information Commissioner (www.ico.org.uk). Alternatively, you may seek a remedy through local courts if you believe your rights have been breached.

10. How to contact us

If you have any questions about this privacy notice or our use of your personal data, please contact us or email us at help@totallymoney.com.

Published: 9 July 2019