When you are a customer of ours

To service your account, we process the following information. 

Account Set-up and Management

Account

• Your Zempler Bank username known as your ‘customer number’ (this is random and is automatically assigned to you when a new account is opened with us).
• Details of your bank account, including the account number, sort code and IBAN.
• Details of your Zempler Bank pre-paid card and credit cards, including the card number, expiry date and CVC (the last three digits of the number on the back of the card)
• Information on transactions and your use of Zempler Bank products (for example, payments into and out of your account), including the date, time, amount, currencies, exchange rate, beneficiary details, details of the merchant or ATMs associated with the transaction (including merchants’ and ATMs’ locations), IP address of sender and receiver, sender's and receiver's name and registration information, messages sent or received, details of device used to arrange the payment and the payment method used.

App Usage: when you use our app we use the following information:

• Technical Data: Your IP (Internet Protocol) address, geographical location, login and browser details, operating system, device information, pages visited, time spent, and other technical details gathered during your interaction with our online services.
• Usage Data: Information on how you use and operate your account, including transaction details and account activity.

Additional Purposes

Service Delivery: to provide you with our products and services, process transactions, and respond to your inquiries.

Customer support: to communicate with you and handle any issues or queries related to your account.

Communication: details you provide when you communicate with us via phone (including recorded calls) email, letters, web chat, social media, or other channels.

Online Interactions: information collected when you use our website or Zempler Bank app, participate in customer surveys or competitions, focus groups, feedback sessions, prize draws, or other promotions.

Legal and Regulatory compliance

• Identity Verification: to verify your identity and prevent fraud and money laundering activities.
• Regulatory Obligations: to comply with applicable laws, regulations, and guidelines from regulatory authorities.
• Fraud and Crime Prevention: to detect, investigate, and prevent fraud, financial crimes, and other illegal activities.

Business Interests and Service Improvements

• Performance analysis: to monitor and analyse the usage and effectiveness of our services, website, app, and communications.
• Product Development: To develop and test new products and services, ensuring they meet your needs.
• Marketing: with your consent, to provide you with information about products and services that may interest you. You can update your marketing preferences at any time through our online banking portal or by contacting Customer Service.

Automated Decision Making

We may use automated processes to make decisions about your application and account, such as credit scoring and fraud detection.

Legal Basis for processing - Summary

We must have a legal basis (a valid legal reason) for using your personal data. Our legal basis will be one of the following:

• Performance of a contract: processing is necessary to enter into and fulfil our contract with you.
• Legal Obligations: Compliance with legal and regulatory requirements, including fraud and money laundering prevention.
• Legitimate Interest: To pursue our legitimate business interests such as improving services and ensuring security, provided these do not override your rights and freedoms.
• Consent: For specific purposes like marketing communications and eligibility checks, where you have given explicit consent. You can withdraw your consent at any time.
• Substantial Public Interest: Where we process your personal data, or your sensitive personal data (sometimes known as special category personal data), to adhere to government regulations or guidance, such as our obligation to prevent fraud or support you if you are or become a vulnerable customer

Third Parties

We may share your personal data with trusted third parties under the following circumstances:

Service providers and partners

• Operational Support: processors, agents, and advisers who assist in delivering our services, including payment processing, customer support and IT services. For example, we partner with Wise for international payments, for details on Wise’s data handling practices, please visit https://wise.com/privacy-policy.
• Credit and Fraud Agencies: CRAs and fraud prevention agencies for credit checks, identity verification, and fraud prevention. For example:
• CIFAS, whose fair processing notice can be found here: http://www.cifas.org.uk/fpn.
• Equifax Limited for credit referencing and risk assessment purposes under a contractual agreement. Equifax processes this data in accordance with its own privacy policy, which can be found at https://www.equifax.co.uk/privacy.html
• Insurance and Professional services: Insurers, product analysis companies, legal advisors, and auditors for managing claims and ensuring compliance.

Legal and Regulatory Authorities

• Compliance and enforcement: Government bodies, regulatory authorities, HM Revenue & Customs, and law enforcement agencies as required by law or for the prevention and detection of crimes.

With your Consent

• Third Party Requests: When you have provided explicit consent to share your data with other organisations or for specific purposes.

Security

As a bank, we take the security of your data extremely seriously. We use the latest technical and organisational measures, in line with industry best practice, to safeguard the information we collect against unauthorised access, disclosure, or misuse.

For more detailed information on how we keep your data safe, and what steps you can take to do the same, please visit our security page.

Your Rights

You have several rights regarding your personal data. These rights are not always absolute, but generally include: 

If you have any concerns about how we handle your personal data, please contact us first using the details in the ‘contact’ section of this notice so that we can address your concerns. If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights. For more information, visit:

https://ico.org.uk/make-a-complaint/

Fees for Access Requests

You have the right to request access to your personal data. In most cases, we will provide this information free of charge. However, in accordance with the Data Use and Access Act 2025, we may charge a reasonable fee if your request is manifestly unfounded, excessive, or repetitive, or if it involves significant administrative effort. Any applicable fees will be clearly communicated in advance and will reflect the actual cost of processing your request. You will have the opportunity to revise or narrow your request to avoid incurring a fee.

Your right to complain

Under the Data Use and Access Act 2025, you have a statutory right to complain if you believe your personal data has been mishandled or your rights under UK data protection law have been infringed. We are committed to handling complaints fairly, transparently and promptly. If you wish to raise a concern about how we process your personal data, please follow the steps below.

You can submit a complaint to us using any of the following methods:

• Email: [email protected]
• Post: Cottons Centre, Cottons Lane, London, SE1 2QG
• Telephone: Zempler - Contact us

We will acknowledge your complaint within 30 days of receipt, and:

• Take appropriate steps to investigate your complaint without undue delay
• Keep you informed of the progress of the investigation
• Notify you of the outcome once the investigation is complete

If you are not satisfied with our response, you may escalate your complaint to the information commissioner's office. You can contact the Information Commission via their website: https://ico.org.uk

International Data Transfers

We primarily store and process your personal data within the United Kingdom (UK) or the European Economic Area (EEA). However, in certain circumstances, we may need to transfer your personal data to countries outside of the UK or EEA, for example, if:

• Our Service Providers or business partners have operations in third countries
• Cloud hosting or IT support services are provided from international data centres

Where we transfer your personal data to a country outside of the UK (meaning its data protection laws may not be equivalent to those in the UK), we put appropriate safeguards in place to ensure your rights and freedoms remain protected. These may include:

1. International data transfer agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved by the UK (or, where applicable, the European commission) that contractually bind the recipient to protect your personal data.
2. Additional technical and organisational measures, such as encryption, restricted access protocols, or data minimisation.
3. Reliance on a country specific adequacy decision, if applicable, which recognises that the country provides a sufficient level of data protection.

Data Retention

We will retain your information as long as it is necessary to service your account and fulfil our legal obligations. Please see the ‘After You Are a Customer of Ours’ section to see more detail on how long we will retain your data for after your account has been closed.