Data Protection Policy — Updated 19 March 2023
It is the policy of Bippit that all data collected and processed must follow strict rules to ensure privacy, security and compliance with applicable legislation, including the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR).
Bippit is committed to protecting all data. As part of the firm’s commitment to GDPR, Bippit documents the type of data held on customers, where it came from and who within the firm has access to it. In complying with the principles of GDPR, the firm will also process personal data in a legal manner and respond to data breaches as per the Information Commissioner’s Office (ICO) guidelines.
1. Personal Data
Bippit collects personal data to provide its service. Only data relevant to the functioning of the service is collected and processed. The type of personal data collected differs depending on the type of service provided. This includes the use of Bippit’s website, the use of Bippit’s application (web application and iOS application) and being a customer of Bippit.
2. Data Retention
Personal data is stored as long as the user and/or customer is using Bippit, and may be stored for 6 years after that in order to comply with the law. In some circumstances, like cases of anti-money laundering or fraud, the firm may keep data longer if needed, or if the law requires it.
3. Third Parties
A number of third-party processors and sub-processors are used to process data on behalf of Bippit. These third parties are used for data storage, data analytics, and account information processing. Every third-party entity undergoes a security and data protection review before being used by the firm to process data.
Where security and data protection procedures are not explicitly detailed, an agreement between the firm and the third party is drawn up and signed to cover all scenarios.
Data is not transferred outside of the EEA.
4. Training and monitoring
Bippit’s appointed DPO is responsible for making sure all employees of Bippit are familiar with the data protection procedures set out in this document. This will be done through an onboarding session for new employees, and a yearly training course for existing employees.
The DPO also has the responsibility to conduct a yearly audit of the firm’s data protection procedures to ensure compliance.
As part of any new features planned, the data requirements are reported to the DPO to confirm the legitimacy of the required data, and to update this policy. Feature development in Bippit’s platform should be built with data protection in mind. This will be monitored and enforced by the CTO.
All Bippit employees’ access to systems and devices will be monitored to ensure the principle of least privilege is maintained. Where an employee accesses data that is not needed for the role, access will be removed and an audit will be conducted.
Bippit adheres to the regulatory framework set out by the EU General Data Protection Regulation and the Data Protection Act 2018, as overseen by the Information Commissioner’s Office. The DPO ensures compliance with these requirements.
All procedures for data processing are documented and reviewed. This includes:
- Internal data protection policy
- Data Retention Policy
- Data Retention Schedule
- Data Subject Rights Procedures
- Supplier Data Processing Agreement where applicable
- Data Breach and Response Procedures
6. Data subject rights
Under GDPR, a data subject can request access to, or deletion of, the data they have shared with Bippit. Where such a request is received, the DPO will respond as soon as possible, and not more than 30 days from the initial request date.
Unless prohibited by law, the steps set out in Data Subject Rights Procedures will be carried out in accordance with the data subject’s request.
7. More information
If you require more information, including Bippit’s full Data Protection documentation, please contact [email protected].