
Data Protection Policy

Updated 8th March 2024

Bippit Ltd. is the data controller of your data, as defined in the Data Protection Act 2018 (DPA 2018) and General Data Protection Regulation (GDPR).

It is the policy of Bippit that all data collected and processed must follow strict rules to ensure privacy, security and compliance with various legal frameworks including the Data Protection Act 2018 (DPA 2018) and General Data Protection Regulation (GDPR).

Bippit is committed to protecting all data. As part of the firm’s commitment to GDPR, Bippit documents the type of data held on customers, where it came from and who within the firm has access to it. In complying with the principles of GDPR, the firm will also process personal data in a legal manner and respond to data breaches as per the Information Commissioner’s Office (ICO) guidelines.

Bippit ensures the security of your data via our information security management system (ISMS), and is certified and audited to the ISO27001:2022 security standard. A copy of our certification is available on request.

1. Personal Data

Bippit collects personal data to provide its service. Only data relevant to the functioning of the service is collected and processed. The type of personal data collected differs depending on the type of service provided. This includes the use of Bippit’s website, the use of Bippit’s application (web application and iOS application) and being a customer of Bippit.

Data required to use the service

Bippit collects the following data from users during the signup process. This data is required to provide the service.

  • Gender
  • Marital status
  • Residency
  • Dependants
  • Living situation
  • Employment status
  • Gross salary
  • Mobile phone number

Optional data collected

Users may also choose to provide extra data to ensure the service can deliver value and be tailored to individual users’ circumstances. This data includes:

  • Financial data (including debt details)
  • Assets (including property)

Reporting and Service Improvement

Bippit may anonymise and aggregate this data to report to employers, coaches, and internal members of the Bippit team, to provide data on:

  • Service availability
  • Service effectiveness and value
  • Areas for improvement

2. Data Retention

Personal data is stored as long as the user and/or customer is using Bippit, and may be stored for 6 years after that in order to comply with the law. In some circumstances, like cases of anti-money laundering or fraud, the firm may keep data longer if needed, or if the law requires it.

We will retain data (like name and email address) that can be used to identify you, as part of our contractual obligations with employers, and to enable and support any future investigations or audits as may be required by law.

3. Third Parties

We do not disclose any Personal Data to any third party other than our contracted service providers and business partners that help us deliver the Service.

A number of third-party processors and sub-processors are used to process data on behalf of Bippit. The third parties are used for data storage, data analytics, and account information processing. Every third-party entity undergoes a security and data protection review before being used by the firm to process data.

Where security and data protection procedures are not explicitly detailed, an agreement between the firm and the third party is drawn up and signed to cover all scenarios.

Data is not transferred outside of the EEA.

4. Training and monitoring

Bippit’s appointed Data Privacy Officer (DPO) is responsible for making sure all employees of Bippit are familiar with the data protection procedures set out in this document. This will be done through an onboarding session for new employees, and a yearly training course for existing employees.

The DPO also has the responsibility to conduct a yearly audit of the firm’s data protection procedures to ensure compliance.

As part of any new features planned, the data requirements are reported to the DPO to confirm the legitimacy of the required data, and to update this policy. Feature development in Bippit’s platform should be built with data protection in mind. This will be monitored and enforced by Bippit’s CISO.

All Bippit employees’ access to systems and devices will be monitored to ensure the principle of least privilege is maintained. Where an employee accesses data that is not needed for the role, access will be removed and an audit will be conducted.

5. GDPR

Bippit adheres to the regulatory framework set out by the EU General Data Protection Regulation and the Data Protection Act 2018 set out by the Information Commissioner’s Office. The DPO ensures compliance with the requirements.

All procedures for data processing are documented and reviewed. This includes:

  • Internal data protection policy
  • Privacy Policy
  • Employee Privacy Policy
  • Data Retention Policy
  • Data Retention Schedule
  • Data Subject Rights Procedures
  • Supplier Data Processing Agreement where applicable
  • Data Breach and Response Procedures

6. Data subject rights

Under GDPR, the rights that you have regarding the information we hold about you include the following.

  • Access the personal data we hold, or get a copy of it
  • Oblige us to correct inaccurate data
  • Ask us to delete, ‘block’ or suppress your data, though for legal reasons we may not always be able to grant this
  • Object to us using your data for direct marketing, and in certain circumstances ‘legitimate interests’, research, and analysis
  • Withdraw any consent you’ve previously given us regarding the Service

Where a request for data access, deletion, or correction under either the DPA or GDPR is received, the DPO will respond as soon as possible, and not more than 30 days from the initial request date.

Unless prohibited by law, the steps set out in Data Subject Rights Procedures will be carried out in accordance with the data subject’s request.

If you are a user of our service, and you request that your data be deleted, we will no longer be able to provide you with our services, and your account will be closed.

To request access to or deletion of your data, contact Bippit’s DPO via email at [email protected].

7. More information

If you require more information, including Bippit’s full Data Protection documentation, please contact [email protected].
