Castlight

We read Castlight's privacy policy so you don't have to.

  • Find out what they do with data about you
  • Contact them if you have a request about that data
Make a request

Organisation information

Description

Castlight allows customers to share transactional data from their bank accounts as an alternative to a credit score

Registration country

United Kingdom

Registration number

06793893

Data Protection Officer

Organisations that use special categories of data, are public bodies, or do large scale processing must appoint a Data Protection Officer.

Name

Murdo Thomson

Role

Data Protection Officer

Email address

dpo@castlightfinancial.com

Telephone number

+44 0800 193 3547

Postal address

6th Floor, 133 Finnieston Street, Glasgow G3 8HB

Data categories collected

Organisations must give details about what categories of data are stored and processed.

  • Bank transactions

  • Date of birth

  • Device information

  • Email address

  • Gender

  • Names

  • Postal address

  • Telephone number

Observations

They also collect marital status.

They explicitly specify that they do not collect any Special Categories of Personal Data.

They also collect information about you from Credit Reference Agencies.

Unusual processing purposes

Organisations must provide information about what they do with data. This section highlights less common uses of data.

Observations

It appears that when you use Castlight you share your bank login details to a third party called Yodlee so they can access your financial transaction data.

Third parties

Organisations must give details about other parties that personal data is shared with.

List of third parties

  • Yodlee

  • Credit Reference Agencies

How specific is this information?

Third parties are listed as groups

Observations

It appears that when you use Castlight you share your bank login details to a third party called Yodlee so they can access your financial transaction data. They say Yodlee will not store this information for longer than is necessary to allow them to access your Financial Data for the purpose of providing the Service.

Castlight says it has a contract with Yodlee which requires Yodlee to be bound by their privacy policy and to meet the requirements of the Data Protection Act and General Data Protection Regulations in just the same way it applies to Castlight.

Retention rules

Organisations must give details about how long data is kept.

How specific is this information?

  • Retention rules are given without mentioning specific categories of data

  • Unspecific times for how long data is kept

Lawful bases

Organisations must justify collection and use of data under six lawful bases and provide information about their decisions

  • Contract

    - To register you as a new customer and create and store an “Affordability Passport”
    - To manage their relationship with you
    - Notifying you about changes to their terms or privacy policy

  • Legal obligation

    - Notifying you about changes to our terms or privacy policy
    - To administer and protect our business and this website

  • Legitimate interests

    - Asking you to leave a review or take a survey
    - To administer and protect their business and this website
    - To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising
    - To use data analytics to improve their website, products/services, marketing, customer relationships and experiences
    - To make suggestions and recommendations to you about goods or services that may be of interest

Observations

They appear often rely on several lawful bases for the same activity which isn't wrong but is unusual in the sector.

Security standards

Organisations must ensure that data is stored and processed securely.

How specific is this information?

This organisation provides general details about how they secure data

Data processing addendum

Some organisations offer a data processing addendum that gives data adequate protections when it leaves the EEA.

This privacy notice does not appear to have this information.

Automated decision making

Organisations must give details about how data is used to make decisions without human involvement.

This privacy notice does not appear to have this information.

Complaint information

Organisations must give details about how to make a complaint with a data protection authority.

Summary

This privacy notice contains information about to make a complaint to a data protection regulator

Observations

Castlight says they would like you to contact them first before approaching the Information Commissioner. This is reasonable.

How specific is this information?

This privacy notice contains specific contact details for a data protection regulator

Design recommendations

Organisations are required to provide privacy information in a transparent way. The Article 29 Working Party has provided recommendations on how to do this.

Assessment

This privacy notice:

  • Has language that is easy to understand

  • Is designed in a way that makes it easy to find information

  • Can be easily found on the organisation's website

Make a request

  • See data they hold about you

    You can ask to see what data Castlight has about you. They usually can’t charge for this, and they must respond to your request within a month.

    Why you might make this request

    You might want a copy of the data about you to understand what data the organisation has collected about you.

    By email

    Email dpo@castlightfinancial.com using a template.

    Template

    Copy template to clipboard

    By phone

    +44 0800 193 3547

    By post

    6th Floor, 133 Finnieston Street, Glasgow G3 8HB

  • Change data they hold about you

    You can ask Castlight to change inaccurate or incomplete data about you. They must respond to your request within a month. Sometimes your request can be refused.

    Why you might make this request

    If an organisation is using information about you which is incorrect, you can ask them to correct it.

    By email

    Email dpo@castlightfinancial.com using a template.

    Template

    Copy template to clipboard

    By phone

    +44 0800 193 3547

    By post

    6th Floor, 133 Finnieston Street, Glasgow G3 8HB

  • Delete data they hold about you

    You can ask that Castlight delete information about you. They must respond to your request within a month. Sometimes your request can be refused.

    Why you might make this request

    You might want to delete data about you if, for example, you have stopped using an organisation’s services.

    By email

    Email dpo@castlightfinancial.com using a template.

    Template

    Copy template to clipboard

    By phone

    +44 0800 193 3547

    By post

    6th Floor, 133 Finnieston Street, Glasgow G3 8HB

  • Limit how they use data about you

    You can ask that Castlight only store data about you and not use it. They must respond to your request within a month.

    Why you might make this request

    You might want the accuracy of the data to be verified or you might want the organisation to hold on to data so you can make a legal claim against them.

    By email

    Email dpo@castlightfinancial.com using a template.

    Template

    Copy template to clipboard

    By phone

    +44 0800 193 3547

    By post

    6th Floor, 133 Finnieston Street, Glasgow G3 8HB

  • Stop their use of data about you

    You can ask Castlight to stop using your data for particular reasons. They must respond to your request within a month.

    Why you might make this request

    You might want to stop the organisation using your data to for direct marketing.

    By email

    Email dpo@castlightfinancial.com using a template.

    Template

    Copy template to clipboard

    By phone

    +44 0800 193 3547

    By post

    6th Floor, 133 Finnieston Street, Glasgow G3 8HB

  • Export data they hold about you

    You can ask Castlight to move data about you to another service or provide it in a format that can be used by another service.

    Why you might make this request

    You might want to move your data to another organisation to get a better deal.

    By email

    Email dpo@castlightfinancial.com using a template.

    Template

    Copy template to clipboard

    By phone

    +44 0800 193 3547

    By post

    6th Floor, 133 Finnieston Street, Glasgow G3 8HB

  • Challenge an automated decision

    You can ask Castlight to give you information about how they use automated decision making, or ask for a person to review an automated decision.

    Why you might make this request

    You might want to find out about an automated decision if, for example, you were rejected for a bank loan or account.

    By email

    Email dpo@castlightfinancial.com using a template.

    Template

    Copy template to clipboard

    By phone

    +44 0800 193 3547

    By post

    6th Floor, 133 Finnieston Street, Glasgow G3 8HB

Last updated 2018-11-01 at 10:11:06 • Download as JSONAPI documentationView on GitHubView on OpenCorporates