Privacy Policy

STOA PRIVACY POLICY

  1. Who we are

This privacy policy is issued by The Stoa Corporation Limited (“we”, “us”, “our” or “Stoa”), a company registered in England and Wales with company number 14012846. We are a controller of your personal data and are responsible for ensuring that it is properly protected. We are registered with the Information Commissioner’s Office in the UK with reference [C1606543].

We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK data protection laws.

Please see the 'How to contact us' section at the end of this privacy policy if you have any questions about this privacy policy or the data we hold about you. 

  2. This privacy policy

Please read this privacy policy carefully as it contains important information about who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.

  3. Our collection and use of your personal data

Personal data means any information about an individual from which they can be identified, whether directly or indirectly. 

How your personal data is collected 

We collect personal data about you in different ways, including:

  • Direct interactions. You may give us your personal data when you access the www.stoa.money website (“Site”), register with us for an account, contact us, send us feedback, or complete a survey that we provide to you. 
  • Automated technologies or interactions. As you interact with our Site, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. 
  • Third parties.
    • We will receive Financial and Transaction Data from your chosen bank account, using the open banking platform that we partner with to provide our services, Yapily Ltd (“Yapily”). Yapily is regulated by the UK Financial Conduct Authority under registration number 827001 and helps us access your Financial and Transaction Data securely. You will be asked to consent to Yapily’s open banking access within your banking app and we can only provide our services to you if you choose to provide consent to this. You can find out more about how Yapily will collect and process your personal data in its privacy policy.
    • We will receive Identity Data and Contact Data from Google and Apple if you choose to use Google or Apple sign in authentication.

Personal data we collect about you

The personal data we collect about you depends on how and why you engage with us. We may collect and use the following data about you: 

  • Identity Data - full name, date of birth, gender and geographic location.
  • Contact Data - address, email address.
  • Financial and Transaction Data - bank account details of the bank account that you choose to connect to your Stoa account and a maximum of 13 months’ transaction history for that bank account for the purpose of generating your Savings Score. We partner with Yapily, our open banking platform provider, to obtain transaction information and we securely retain it for 30 days after we have generated your Savings Score. This is to enable you to query how or why your Savings Score was generated. It also enables us to analyse and improve the Service by understanding how and why different savings scores are generated for our users. After 30 days we will permanently delete your transaction information and will only retain aggregated anonymised user insights.
  • Savings Score - the savings score that we generate for you based on your Financial and Transaction Data.
  • Technical Data - internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our Site.
  • Profile Data - your username and password, your interests and preferences.
  • Usage Data - data about how you use our Site and services, including survey responses.
  • Marketing and Communications Data - your preferences in receiving marketing from us and your communication preferences.

We need this personal data to provide you with our services. If you do not provide the personal data we ask for, it may delay or prevent us from providing services to you.

Our Site is not intended for use by children and we do not knowingly collect or use personal data relating to children.

We will also generate, collect and use Aggregated Data such as aggregated insights generated from your Identity Data, Financial and Transaction Data and Profile Data. Aggregated Data is derived from your personal data but is not considered personal data in law as it does not include information that can directly or indirectly identify you. We will use this Aggregated Data for various purposes, including to share insights about our userbase with our chosen third party partners and merchants. 

How and why we use your personal data

Under data protection law, we can only use your personal data if we have a lawful basis for doing so, which includes:

  • Contract: where our use of your personal data is necessary to fulfil a contract we have with you, or because you have asked us to take specific steps before entering into a contract;
  • Legal obligation: where our use of your personal data is necessary for us to comply with the law (not including contractual obligations); 
  • Legitimate interests: where our use of your personal data is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal data which overrides our legitimate interests) and these can include business interests, individual interests or broader societal benefits; or
  • Consent: where you have given us clear consent for us to process your personal data for a specific purpose.

The table below explains what we use your personal data for and why, as well as what our legitimate interests are where we are relying on our legitimate interests as the lawful basis to process your personal data:

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To create and provide you with your Savings Score or register you for an account with us | (a) Identity; (b) Contact; (c) Profile; (d) Financial and Transaction Data | (a) Performance of a contract with you. (b) Necessary for our legitimate interests (to set up and manage our relationships with our users, allow us to develop and grow our business and understand the saving habits of our userbase) |
| To enable you to query or challenge your Savings Score – we securely retain your Transaction Data for 30 days for this purpose | (a) Identity; (b) Profile; (d) Financial and Transaction Data | (a) Performance of a contract with you. (b) Necessary for our legitimate interests (to manage our relationships with you and analyse and improve the accuracy of the Service and savings scores that it generates) |
| To allow us to give you recommendations on how to improve your Savings Score and maintain a high Savings Score | (a) Identity; (b) Contact; (c) Profile; (d) Financial and Transaction Data | (a) Performance of a contract with you. (b) Necessary for our or your legitimate interests (to help us improve your saving score and your user experience) |
| To manage our relationship with you which will include: (a) Notifying you about changes to our services, terms or privacy policy; (b) Asking you to leave a review or take a survey; (c) Responding to queries you may raise | (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to manage our user relationships, keep our records updated and to study how users use our services) |
| To generate anonymised aggregated insights from your Savings Score | (a) Identity; (b) Profile; (c) Financial and Transaction Data | Necessary for our legitimate interests and the legitimate interests of our third party partners and merchants (to develop and grow our business, understand the spending and savings habits of our userbase and share these anonymised, aggregated insights with our third party partners and merchants) |
| To administer and protect our business and this Site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity; (b) Contact; (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with a legal obligation |
| To deliver relevant website content and marketing materials to you and measure or understand the effectiveness of the marketing we send to you | (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications; (f) Technical | (a) Necessary for our legitimate interests (to study how users use our services, to develop them, to grow our business and to inform our marketing strategy) OR (b) Consent, having obtained your prior consent to non-essential cookies or receiving direct marketing communications |
| To use data analytics to improve our Site, marketing, user relationships and experiences | (a) Technical; (b) Usage | (a) Necessary for our legitimate interests (to define types of users for our services, to keep our Site updated and relevant, to develop our business and to inform our marketing strategy) OR (b) Consent, having obtained your prior consent to non-essential analytics cookies |
| To make suggestions and recommendations to you about products and services that may be of interest to you | (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Marketing and Communications; (f) Profile | (a) Necessary for our legitimate interests (to develop our services and grow our business and to provide you with relevant content which may be of interest) OR (b) Consent, having obtained your prior consent to receiving direct marketing communications |

  4. Who we share your personal data with

We routinely share personal data with the following external service providers:

  • external third parties we use to help provide our services to you, e.g. our open banking platform provider Yapily Ltd that provides us with secure access to your Financial and Transaction Data, identity service providers for user authentication such as Clerk, sign-in authentication service providers such as Google and Apple and our application cloud storage and hosting provider, Microsoft Azure;
  • external third parties that we use to generate aggregated insights from your Identity Data, Financial and Transaction Data and Profile Data, such as Microsoft when we use Power BI;
  • other external third parties we use to help us run our business, e.g. marketing analytics providers such as Google Analytics, HotJar, and Hubspot and our back end IT infrastructure providers from time to time; and 
  • our external professional advisors (such as our lawyers or accountants).

We only allow our service providers to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on service providers to ensure they can only use your personal data to provide services to us and to you. 

We may disclose your personal data to law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations. 

We may also need to share personal data with other third parties, such as potential buyers of some or all of our business or during a company re-structuring. Alternatively, we may seek to acquire other businesses or merge with them. Personal data will be anonymised where possible, but this may not always be possible. The recipient of the personal data will be bound by confidentiality obligations.

  5. Transferring your personal data out of the UK

To provide services to you, it is sometimes necessary for us to share your personal data outside the UK, for example, with our service providers that are either located outside the UK, or that transfer personal data outside of the UK.

Transfers of personal data outside of the UK are subject to special rules under UK data protection law. This is because non-UK countries do not have the same data protection laws as the UK.

We will ensure that any transfer of personal data outside of the UK complies with data protection laws and that all personal data will be secure.

As a result, when we transfer personal data outside of the UK we will ensure that the transfer complies with data protection laws by following one of the below steps: 

  • Confirming that the recipient is located in a country which has been recognised as having an adequate level of protection for personal data. 
  • Putting in place safeguards (such as approved standard contractual clauses) so that you have enforceable rights and effective legal remedies.
  • Confirming that a specific exception applies under data protection law.

For more information about our international transfers, please contact us using the information below.

  6. Cookies and other tracking technologies

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our Site. We use cookies on our Site. Cookies help us recognise you and your device and store some information about your preferences or past actions. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this Site may become inaccessible or not function properly.

For further information about cookies, our use of cookies, when we ask your consent before placing them, and how to disable them, please see our Cookies Policy.

  7. Marketing

During the registration process on our Site, you will be asked to indicate your consent to receiving updates (by email) about our services, including newsletters, exclusive offers, promotions or information about new services.

Whenever we need your consent to send you direct marketing, we will ask for this separately and clearly.

You always have the right to opt out of receiving further promotional communications by:

We may ask you to confirm or update your marketing preferences if there are changes in the law, regulation, or the structure of our business.

Please note that we may also send you other communications in relation to the services that we provide or in order to respond to queries you have raised. Such communications are service communications and are not considered a form of marketing communication.

  8. Challenging your Savings Score

We use automated technology to generate your Savings Score from your Transaction Data. It is necessary for us to do this to perform our contract with you. The Savings Score is generated for your own purposes so that you can analyse, understand or change your spending and saving habits. You may also be able to use your Savings Score to demonstrate to third parties that you have good savings habits, which may assist you to gain access to third party products or services.

If you want to challenge your Savings Score, you can do so by contacting us using the information below. 

We securely retain your Transaction Data for 30 days after generating your Savings Score for this purpose, to enable us to explain to you why you were given a particular Savings Score and, if necessary, update the Savings Score for you. After this period we will delete the copy of your Transaction Data that we hold and we will not be able to revisit your Transaction Data to explain or change a specific Savings Score, but you can regenerate your Savings Score at any time.

  9. Your rights

You have the following rights, which you can exercise free of charge:

  • Access - The right to be provided with a copy of your personal data (the right of access)
  • Rectification - The right to require us to correct any mistakes in your personal data
  • To be forgotten - The right to require us to delete your personal data—in certain situations
  • Restriction of processing - The right to require us to restrict processing of your personal data—in certain circumstances, e.g. if you contest the accuracy of the data
  • Data portability - The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
  • To object - The right to object:
    • at any time to your personal data being processed for direct marketing (including profiling);
    • in certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests.
  • Not to be subject to automated individual decision making - The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

For further information about your rights please contact us or see the guidance provided by the UK Information Commissioner’s Office (ICO) on individuals’ rights.

If you would like to exercise any of your rights, please:

  • email, call or write to us — see the 'How to contact us' section at the end of this notice; 
  • let us have enough information to identify you e.g. your full name and user reference number;
  • let us have proof of your identity if requested; and
  • let us know which right you want to exercise and the data to which your request relates.

  10. How long your personal data will be kept

We will not retain your personal data for longer than necessary for the purposes set out in this privacy policy. Different retention periods apply for different types of personal data. 

When it is no longer necessary to retain your personal data, we will delete or anonymise it.

As an indication, if you create an account with us so that we may provide our services to you, we will keep your personal data while we are providing those services. Thereafter, we will keep your personal data for as long as is necessary:

  • to respond to any questions, complaints or claims made by you or on your behalf;
  • to show that we treated you fairly; and
  • to keep records required by law.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

We securely retain Transaction Data for 30 days after we have generated your Savings Score. This is to enable you to query how or why your Savings Score was generated. It also enables us to analyse and improve the Service by understanding how and why different savings scores are generated for our users. After 30 days we will permanently delete your Transaction Data and will only retain aggregated anonymised user insights.

You can request further details of retention periods for different aspects of your personal data by contacting us.

  11. Keeping your personal data secure

We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality. 

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

  12. How to complain

Please contact us if you have any query or concern about our use of your data (see below ‘How to contact us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with the Information Commissioner. The Information Commissioner may be contacted at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.

  13. How to contact us

You can contact us using the contact details below if you have any questions about this privacy policy or the data we hold about you, to exercise a right under data protection law or to make a complaint.

Contact email address: support@stoa.money

  14. Changes to this privacy policy

This privacy policy was last updated in November 2024. We keep our privacy policy under regular review to make sure it is up to date and accurate. If we change our privacy policy from time to time, we will post the details of any changes here. We may also take reasonable steps to notify you if such changes affect how your personal data is processed.