Keeping your data safe
- Please click on the headings below for full information about how your personal data is processed.
Who's in control of my personal data?
What data do you collect?
- When you register for an Ozan account, we collect the following information (Account Information):
- full name;
- telephone number (this is used as your unique identifier to ensure that you do not set up several accounts);
- email address;
- date of birth;
- your answers to your chosen security questions; and
- if we ask for it, a photograph.
- We collect the following information to enable you to make payments using Ozan
- credit and/or debit card details of any cards you attach to your account (including your card number, expiry date and CVC); and/or
- your bank account details, such as your sort code, account number, IBAN and/or Swift code (the details we ask for will vary depending on where you are located).
- To comply with our regulatory obligations, we need to verify your identity. To do this, we will ask you to provide one or more of the following (KYC Information):
- a copy of your identity card (such as a driving licence) together with a photo of yourself;
- a photo of yourself holding your identity card; and/or
- a scan of your passport chip (if you are using an Android phone and have a biometric passport).
- Sometimes we need to ask you for information to verify the source of your funds or to conduct enhanced due diligence in accordance with our legal requirements (DD Information). This will depend on the situation and we will make it clear to you at the time what information we require from you. Examples include a copy of a shareholder's agreement, copies of bank statements or proof of gambling winnings.
- We will collect any other personal data that you voluntarily provide to us if you communicate with us, for example by corresponding with us (by phone, email, post or social media) or by taking part in competitions, promotions or surveys (Voluntary Information).
What do you use my personal data for?
- Providing Ozan to you and allowing you to use Ozan
- We use your Account Information to set up and administer your account, allow you to log into your account and make sure that you can use Ozan and all its features.
- We use your email address and device information to contact you with transactional and service messages (including by push notifications), for example to provide you with password reminders or to let you know if Ozan is experiencing technical issues. You can turn off push notifications at any time using your device settings.
- We use your date of birth to verify your age, as you need to be over 18 to use Ozan. If you are underage, we will not be able to open an account for you.
- If you choose to use your device's fingerprint recognition to log into your account instead of, or as well as, a password, we will receive confirmation from your device provider of whether your fingerprint is a match or not, but we will never be able to view or hold a copy of your fingerprint. We will use this confirmation to log you into your account if there is a match.
- We use your Payment Information to carry out your instructions to add and/or save a card or bank account to your account, upload funds to (or withdraw funds from) your account and allow you to make and receive payments through Ozan.
- Identity verification and due diligence
- We use your Account Information, KYC Information and DD Information to comply with our legal and regulatory obligations. This includes verifying your identity; conducting anti-money laundering checks; transaction monitoring; sanctions and politically exposed persons screening; fraud prevention, detection and reporting; and cooperating with regulatory investigations where required.
- If you fail one of our identity verification or screening checks as set out above, we may not be able to open an account for you or continue providing services to you.
- To verify your identity, we use facial recognition technology to match your photo with the photo on your ID card. If there is no match, we will carry out a manual review to confirm your identity. If we provide the option to verify your identity by scanning your passport chip, and you choose to verify your identity this way, we will also use the information contained within the chip to verify your identity. This type of information is biometric information, which is considered to be "special category personal data" and is subject to higher levels of protection. Please see section 7 below for more information.
- Corresponding with you
- We use your Account Information and Voluntary Information to enable us to respond to your queries, complaints or comments and to make sure that these are appropriately dealt with. We also use this information to enable you to participate in any competitions or promotions that you enter and to collate responses to surveys that you have responded to.
- Analysing and improving Ozan
- We use your Account Information, Voluntary Information and Technical Information to help us to monitor trends so that we can analyse and improve Ozan. This helps us to make sure that we are providing you with the best possible service.
- Where you have consented to us doing so, we will use your email address, telephone number and/or postal address (depending on the method(s) of marketing you choose) to send you direct marketing communications about our products and services and those of our group companies.
- We will obtain your consent in a way that is compliant with data protection laws, either by asking you for your express consent, or by obtaining an implied consent where you are an existing customer and we are marketing our own, similar products and services to you.
I'm using Ozan on behalf of a merchant. What does this mean for my personal data?
- Where users sign up to use Ozan on behalf of a merchant, we collect much of the same information as set out above for individual customers. It will be clear from the data collection forms what information is collected about you when you sign up and use Ozan on behalf of a merchant.
- If you are using Ozan on behalf of a merchant, instead of using your personal data to provide Ozan to you, we will use it to run and manage the account that you set up to use Ozan on behalf of the merchant. We may also market to you in a different way if you sign up on behalf of a merchant. If you use Ozan on behalf of a merchant, any payment information submitted will not be personal data as this will relate to the merchant's business.
- We carry out credit checks on our merchants to ensure that we are able to contract with them. If you are a user on behalf of a merchant that is a limited partnership or company, this does not require the use of any personal data as we only use information about the business. However, if the merchant is a sole trader or unlimited partnership merchant, information about the merchant's business counts as "personal data". Credit checks involve us passing your data to a credit reference agency, which will carry out a check against the data they hold on your business and provide us with a score to help us assess our risk in contracting with the business.
What is your legal basis for using my personal data?
- Data protection law says that we have to tell you the "legal basis" that we rely on to process your personal data for the purposes that we have notified to you. The table below tells you what that legal basis is in relation to each of the purposes set out above.
| Purpose | Personal data used | Legal basis |
| --- | --- | --- |
| Providing Ozan to you and allowing you to use Ozan | Account Information, Payment Information and confirmation of fingerprint match | We process this personal data for this purpose on the basis that this information is necessary in order to perform our contract with you to provide Ozan and to allow you to use Ozan and/or to run and manage your user account. |
| Identity Verification and Due Diligence | Account Information, KYC Information and DD Information | We process this personal data for this purpose on the basis that this information is necessary to enable us to comply with legal obligations, including compliance with anti-money laundering legislation and obligations to prevent and detect fraud. If we do not have a legal obligation to process personal data for any of these purposes, we process the data on the basis that it is necessary to do so in our legitimate interests. We have an interest in complying with regulatory guidelines and investigations and ensuring that we protect our business against risks of criminal activity. You may have a right to object to your personal data being used in these ways, but please note that this right will not apply in a number of circumstances, including where the processing is necessary to prevent or detect crime. |
| Corresponding with you | Account Information and Voluntary Information | We process this personal data for this purpose on the basis that it is necessary to do so for our legitimate interests. We have an interest in making sure that comments and queries are handled appropriately so that they can be resolved for our users. We also have an interest in running and allowing participation in competitions, promotions and surveys in order to promote and improve our business. You may have a right to object to your personal data being used for these purposes, but please note that we may not be able to handle your correspondence appropriately if you exercise this right. |
| Monitoring trends, analysing and improving Ozan | Account Information, Voluntary Information and Technical Information, Payment Information | We process this personal data for this purpose on the basis that this information is necessary for our legitimate interests. We have an interest in ensuring that we continue to improve Ozan and provide our users with the best and most effective service possible. You may have a right to object to your personal data being used for these purposes. |
| Marketing | Your email address, telephone number and/or postal address. | We process this personal data for this purpose on the basis that it is necessary in our legitimate interests to do so. We have an interest in promoting and marketing our business so that our business continues to grow. You always have a right to opt out of receiving direct marketing communications. If you wish to do so, please follow the instructions in each marketing communication to unsubscribe. |
Special categories of personal data
- Some types of personal data are designated as special categories of personal data in data protection laws. This means that they are more sensitive types of personal data and we therefore need to take additional steps to protect this data.
- The only special category of personal data we collect is biometric data, in the following
- when we use facial recognition to verify your identity by matching your photo with the photo on the identity document you provide to us; and
- if you choose to verify your identity by scanning your biometric passport chip.
What happens if I don't provide you with my data?
- We need the majority of the information we collect from you to perform our contract with you and/or to comply with legal obligations. This means that if you refuse to provide us with any of the information that we ask for, it is likely that we will be unable to provide Ozan to you.
Who do you share my personal data with?
- Ozan Limited is part of the OpenPayd group of companies. We share personal data with our group companies in the UK, the EEA and Turkey to provide customer support services, software development and IT services. Please see section 10 below for more information about transfers of personal data to Turkey.
- We share personal data with third parties in the following circumstances:
- with providers within our payment network to enable you to upload funds, make and receive transactions and withdraw funds; these providers include banks, acquirers, alternative payment providers, our card issuer, our card processor and our card manufacturer;
- with third party service providers who provide a range of services to us to enable us to run our business; this includes our IT and hosting providers, cloud storage providers, email platforms, card tokenisation providers (who host your credit/debit card information), our contact relationship management system, suppliers who provide screening and transaction monitoring services, credit reference agencies (to carry out credit checks), URL monitoring providers, our facial recognition technology provider and notification/communication providers;
- regulators and fraud prevention agencies where we are required to share personal data under legal or regulatory obligations; and
- other third parties, such as the police or HMRC, in response to ad hoc data sharing requests. In these circumstances we will only share personal data if we are satisfied that we are legally allowed to do so and the sharing of data is justified.
Whereabouts is my personal data kept?
- Our cloud storage provider hosts personal data within the UK and the EEA, so your information is generally stored within this area.
- As mentioned above, we do share personal data with our OpenPayd group company in Turkey (Codespace Software and Consultancy Services Limited) for the purposes of customer support, software development and provision of IT services. We have put in place model contract clauses (MCCs) with this company to protect your personal data. MCCs are a standard set of clauses that are approved by the European Commission and/or the UK authorities to allow the transfer of personal data to countries whose data protection laws are not as strict as those in the UK and the EEA. They require our Turkish group company to treat personal data in the same way as it is treated by us in the UK. For more information, please contact us using the contact details below.
- Some of our other service providers will transfer personal data outside of the UK and the EEA. Generally, this is done on the basis of MCCs (either between us and our service providers or between our service providers and their own suppliers) or under the Privacy Shield framework. This is an arrangement between the EU and the USA which allows the transfer of personal data to US companies that agree to certain principles governing how they handle personal data.
How long do you keep my personal data for?
- We will keep all your personal data for as long as your account remains open and for seven years thereafter. Occasionally we may need to keep your personal data for longer than this, for example to deal with any ongoing claims, complaints or issues.
What rights do I have?
- You have a number of rights under data protection law. These rights and how you can exercise them are set out in this section. We may need to ask you for proof of your identity before we can respond to a request to exercise any of the rights in this section and we may need to ask you for more information, for example to help us to locate the personal data that your request relates to.
- We will respond to any requests to exercise your rights as soon as we can and in any event within one month of receiving your request and any necessary proof of identity or further information. If your request is particularly difficult or complex, or if you have made a large volume of requests, we may take up to three months to respond. If this is the case we will let you know as soon as we can and explain why we need to take longer to respond.
- If you want to exercise any of these rights, please contact us using the contact details below.
- A right to access your information
- You have a right to ask us to send you a copy of all the personal data that we hold about you (subject to some exceptions).
- A right to an electronic copy of your information
- You can also ask us to send you the mandatory Account Information that we hold about you in a common electronic format, or to ask us to transfer that data to a third party if you want us to and if it is technically feasible for us to do so.
- A right to object to us processing your information
- You have a right to object to us processing any personal data that we process where we are relying on legitimate interests as the legal basis of our processing (as set out in section 5 above). Your objection must be based on grounds that relate to your particular situation.
- If you make a request to exercise your right to object, if we have compelling legitimate grounds to carry on processing your personal data, we will be able to continue to do so. Otherwise, we will cease processing your personal data.
- A right to ask us not to market to you
- You can ask us not to send you direct marketing. You can do this by following the "unsubscribe" instructions in any marketing emails.
- A right to have inaccurate data corrected
- You have a right to ask us to correct inaccurate data that we hold about you. If we are satisfied that the new data you have provided is accurate, we will correct your personal data as soon as possible.
- A right to have your data erased
- A right to have processing of your data restricted
- You can ask us to restrict processing of your personal data in some circumstances, for example if you think the personal data is inaccurate and we need to verify its accuracy, or if we no longer need the data but you require us to keep it so that you can exercise your own legal rights.
- Restricting your personal data means that we only store your personal data and don't carry out any further processing on it unless you consent or we need to process the data to exercise a legal claim or to protect a third party or the public.
How can I contact you?
your personal data, you can contact us by using the contact form on our website or by using the following details:
Address: Ozan Limited, 9th Floor, The Shard, London Bridge Street, London SE1 9SG
What if I have a complaint?
- We work hard to ensure that we protect our customers' personal data in accordance with our legal obligations. If you are unhappy with how you think we have processed your personal data, please contact us using the details above and we will do our best to resolve your complaint.
- If you do not think we have been able to resolve your complaint, you can complain to the Information Commissioner's Office (ICO), which regulates data protection compliance in the UK.
- You can find out how to do this by visiting www.ico.org.uk.
What if this policy changes?
Last updated 12 April 2019