Privacy Policy

Privacy Notice SecOre

CarbonPay Limited (trading as "SecOre") (company number 12934414) is committed to respecting the privacy of individuals, including its clients. Our registered office is at Nightingale House 46-48 East Street Epsom Surrey, KT17 1HQ. We are the data controller for the purposes of UK data protection law.

SecOre is a service providing businesses with prepaid cards and related financial services.

SecOre owns and operates this site: https://secorepay.com. SecOre collects your personal data as explained below, when you access our site and you create your user account for becoming a user and then using the SecOre card.

This Privacy Notice ("Notice"), together with our website terms and conditions and any other documents referred to in it, sets out the basis on which SecOre processes such personal data. Please read the following carefully to understand our views and practices regarding how we handle personal data.

Data Controller Roles

SecOre acts in different capacities depending on the service you use:

1. Data Controller (Direct Services)

For the purposes of applicable data protection law (in particular, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) ("UK GDPR") and the Data Protection Act 2018), SecOre is the "data controller" of your personal data when you are an individual and you contract with us directly.

2. Data Processor (Corporate Client Services)

When we contract with a corporate client (e.g. your employer) and they share your personal data with us as part of the provisions of services to this corporate client, we act as "data processors" on behalf of and under the instructions of our corporate clients, which are the "data controllers" of your personal data. Please refer to their respective privacy policies for more information regarding the processing of your personal data in this context.

3. Joint Controller (SecOre Payout and Partnership Services)

For certain services, including SecOre Payout, we act as joint controllers with other entities:

• SecOre Payout Service: We act as joint controllers with our corporate clients, and regulated payment service providers to facilitate payments from our clients via SecOre Payout and enable you to spend such amounts with your Card.

• Programme Manager Role: SecOre acts as the Programme Manager, owning and operating the technical platform and providing customer services.

• Data Sharing: Your personal data is processed and shared between joint controllers as necessary to provide the service, meet regulatory obligations, and prevent fraud.

• Contact Point: For joint controller services, SecOre handles all privacy rights requests as the designated contact point.

• Separate Notice: These joint arrangements are governed by our Joint Privacy Notice, available via the relevant product websites. 

Service-Specific Privacy Arrangements

This Privacy Notice applies to our general prepaid card services. For SecOre Payout and other joint services, additional privacy arrangements apply as detailed in our Joint Privacy Notice.

Contact Information

Data Protection Enquiries: [email protected]
Customer Service: [email protected]
Data Protection Officer: [email protected]

Personal Data We Collect

We may collect and process the following personal data:

Information you or our corporate client gives us

In order to set up your account with us and for us to perform our contract with you or our corporate client, we may process the following personal data which you or our corporate client provides to us:

• Identity data - including first name, last name, role in organisation (in case of corporate applications) and date of birth.

• Contact data - including address, e-mail address and phone number.

• Profile data - including your account password, preferences, feedback and survey responses.

• Financial data - including payment card details, transaction history, and account balances.

Information we collect about you

With regard to each of your visits to our site we may collect the following information:

• Technical data - including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;

• Usage data - including information about your visit; products, services or issues you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the site. This information is collected by using cookies and similar technologies. For detailed information about our use of cookies, please see our Cookie Policy.

Information we receive from other sources

We may also receive information about you when our payment service provider settles a payment on your behalf and /or from your bank in the event there is a failed payment.

For joint controller services, we may also receive information from our joint controller partners (as necessary to provide the SecOre Payout service and meet regulatory obligations.

Aggregated Data

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Notice.

Special Categories of Personal Data

We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

How and Why We Use Your Personal Data

Legal Basis for Processing

We use your personal data on the following legal bases:

1. Contract Performance - Where processing is necessary to perform our contract with you or our corporate client:

  • Managing our contractual relationship with you, enabling you to access and use our site, the SecOre card, processing payments and transactions, providing customer support services, for joint controller services: facilitating SecOre Payout transactions and card account management.

2. Legitimate Interests - Where we have a legitimate interest that is not overridden by your privacy rights:

  • Securing and maintaining your account, improving our services and user experience, fraud prevention and security monitoring, business analytics and reporting, direct marketing (where you have not opted out), risk management and financial crime prevention in joint controller arrangements.

  • You have the right to object to processing based on legitimate interests at any time. We will stop such processing unless we have compelling legitimate grounds that override your interests, rights and freedoms, or the processing is necessary for legal claims

3. Legal Obligation - Where we must process your data to comply with legal obligations:

  • Complying with financial services regulations, responding to law enforcement requests, meeting anti-money laundering and know-your-customer requirements, regulatory reporting obligations, meeting regulatory obligations in joint controller arrangements, including sharing information for compliance purposes.

4. Consent - Where you have given specific consent for certain processing activities, such as marketing communications (where not based on legitimate interests), you can withdraw consent at any time by contacting [email protected].

Automated Decision-Making and Profiling

We do not use solely automated decision making or profiling for our direct services.

However, for joint controller services (SecOre Payout), automated decisions may be used by us and our joint controller partners to detect fraud or other financial crimes, which may include machine learning or artificial intelligence solutions.

Sharing Your Personal Data

Third Party Recipients

We may share your personal data with our subsidiaries and/or affiliates and also with trusted third parties including:

  • Payment service provider and its affiliates, for the purposes of authenticating you, performing the contract we enter into with our corporate client and issuing the SecOre card. Our payment service provider might also use your personal data to mitigate fraud, financial loss, or other harm, and to analyse, develop and improve their products, systems and tools.

  • Platforms, for the purpose of provision of cloud data hosting services.

  • Third party card processing and merchant acquiring companies that will process your debit card payments for us.

  • Analytics and search engine providers that assist us in the improvement and optimisation of our site.

  • Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.

Joint Controller Data Sharing

For SecOre Payout and other joint controller services, we share data with our joint controller partners:

  • for account verification and payment processing;

  • for payout processing, card provision, and regulatory compliance;

Data sharing occurs for regulatory compliance, fraud prevention, know-your-customer checks, and transaction processing as detailed in our Joint Privacy Notice.

We do not sell your personal data to marketing companies.

Other Disclosures

Moreover, we may disclose your personal data to third parties:

  • Business transfers: If we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets. We will notify you of any such transfer and your rights regarding the transfer.

  • Corporate restructuring: If SecOre, its business, or its assets are acquired by a third party, in which case personal data held by it about its users, suppliers, or customers will be one of the transferred assets. You will be notified of such transfers.

  • Legal requirements: If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms and conditions and other agreements; or if we reasonably consider this necessary; or to protect the rights, property, or safety of SecOre, our users, our customers, or others.

Data Security and Storage

Security Measures

We implement appropriate technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit and at rest, access controls and authentication systems, regular security assessments and monitoring, staff training on data protection.

For joint controller services, we and our partners take appropriate technical and organizational measures to protect your data from unauthorized access, disclosure, alteration, or destruction.

Where you have a username or password (or other identification information) which enables you to access certain services or parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

While we implement robust security measures, no method of transmission over the internet is 100% secure. We continuously review and update our security practices to protect your personal data.

Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and provide information about the breach and steps we are taking to address it.

Your Rights

You have various rights with respect to our use of your personal data:

  • Access: You have the right to request a copy of the personal data that we hold about you. 

  • Rectification: You have the right to have inaccurate personal data corrected and incomplete personal data completed. You can update some information directly through your account or contact us at [email protected].

  • Objection: You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop such processing unless we have compelling legitimate grounds that override your interests.

  • Data Portability: you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.

  • Erasure: you have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when, among other cases, your personal data has been unlawfully processed or you withdraw consent where that was the legal basis for processing.

  • Restriction: you have the right to restrict processing in certain circumstances, including where you contest the accuracy of the data or object to processing.

  • Complaints: If you believe that your data protection rights may have been breached, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) or to seek a remedy through the courts.

ICO Contact Details: Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

Exercising Your Rights

You are not required to pay any charge for exercising your rights. You can exercise any of the above mentioned rights by emailing us at: [email protected].

International Transfers

We do not transfer your personal data outside of the European Economic Area or the United Kingdom.

However, some of our service providers may process data outside the UK/EEA. Where this occurs, we ensure appropriate safeguards are in place, including:

  • Adequacy decisions by the UK government or European Commission, standard contractual clauses approved by the UK government or European Commission, binding corporate rules where applicable.

Data Retention

We retain personal data for different periods depending on the type of data and purpose of processing:

  • Account and identity data: 6 years after account closure 

  • Transaction records: 6 years from transaction date (to comply with financial services regulations) 

  • Marketing preferences: Until you withdraw consent or 3 years of inactivity 

  • Technical and usage data: 12 months from collection 

  • Legal compliance data: As required by applicable law (typically 6-7 years)

Secure Deletion

When retention periods expire, we securely delete or anonymize personal data using industry-standard methods to ensure it cannot be recovered or reconstructed.

Cookies and Similar Technologies

We use cookies and similar technologies to enhance your experience on our website. Please refer to our separate Cookie Policy for more details. 

Changes to This Privacy Notice

Any changes we make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you by email. Material changes will be highlighted and, where required by law, we will obtain your consent. Please check back frequently to see any updates or changes to our Privacy Notice.

We may update this Privacy Notice from time to time. Any changes will be posted on our website, and where appropriate, notified to you.

Contact Us

For any questions about this Privacy Notice or our data processing practices, please contact us at:

Email: [email protected]
Customer Service: [email protected]
Address: Nightingale House, 46-48 East Street, Epsom, Surrey, KT17 1HQ

Related Privacy Notices

For comprehensive information about joint controller arrangements and specific services please read our Joint Privacy Notice for SecOre Payout which is published under this link.