Who we are and how to contact us
Information we collect
Using your personal information
Automated decision making and credit reference agencies
Protection and storage of your personal information
Access to your personal information and your rights
Information that we share
PCI DSS Policy
Changes to this policy
We are Comma Payments Limited (company number 12162141), trading as Comma, registered in England and Wales. For the purposes of data protection law, we are the Data Controller of the personal information we hold about you. This means we make decisions about how and why your information is used and have a legal duty to make sure that your rights are protected when we use it and share it.
When using or seeking to use our services we collect the information you provide to us including:
Personal information such as your name, address, date of birth or other identification data
Contact information such as your phone number and email address
Financial information to allow us to connect with your bank account through Open Banking
In addition, we may collect information from you when you communicate with us or our service providers (in writing or verbally) such as communicating with our customer support.
As part of our assessments to comply with financial crime regulations and our obligations to our regulators, we also utilise third parties and may collect information from third parties such as credit agencies and identity verification providers and other commercial information service providers. We may also access information that is available publicly, such as on public and subscribed registers, and details you have shared publicly on social media platforms, which may be used to supplement our customer database.
We may also collect transaction information, which may vary but could include your personal information and contact information. We may use some of this information, combined with other information we collect about your transactional behaviour and your use of our products, to create a profile of you to understand your preferences.
We may also collect information from your computer or device in relation to your use of our website or Comma Payments Platform such as IP address, activity logs, cookie and browser identifiers, operating system identifiers and location identifiers. We will only collect this information in accordance with our Cookies Policy (below).
We do not collect any “special category data” about you, such as your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, criminal convictions or offences, information about your health and genetic and biometric data, or any other personal data revealing or concerning such types of data.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer. We only use (and store) non-essential cookies on your computer's browser or hard drive if you provide your consent.
We use the following types of cookies:
Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website or make use of our services.
Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. We only place these cookies with your consent.
Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
We use the following analytical / performance cookies with your consent:
We will process your personal information to the extent necessary to:
Make decisions to provide you with our services, including evaluating your creditworthiness or verifying your identity;
Enter into, or perform, a contract with you e.g. to make a payment;
Conduct identity and financial crime checks prior to entering into a contract or when determining whether to provide an account to you;
Provide you with our services, including the provision of an account, responding to any queries and providing any information about us;
Improve, customise and enhance our services, platform and website;
Manage your scheduled payments and manage the services we provide;
Communicate with you via phone, text message, notifications, email or post and otherwise to manage our relationship with you (for example, sending you confirmations of payments);
Manage and prevent fraud and other risks to our business;
Provide you with information about changes or updates to Comma services which affect your rights and obligations;
Provide you with marketing materials and other news updates and promotions with respect to our products and services, where you have consented to receiving such information. You may elect to opt out of any marketing information we send to you by following the link in any relevant information;
Comply with any relevant law or regulatory obligation;
Contribute to statistical and analytical data relating to your habits; and
Build a profile of you to predict your preferences and to customise our marketing material and information to those preferences.
Under data protection laws, we have to have a legal justification to process your personal information, called ‘lawful bases’. The lawful bases we rely on for processing your information are:
Legal obligation – for personal information that is necessary for the credit, legal, regulatory, financial or accounting aspect of a contract;
Contract – for personal information that is necessary to enter into and perform a contract;
Consent – for personal information used for marketing, news, updates and promotions, and for collecting and using personal information via certain types of cookies for analytics purposes;
Legitimate interest – for assessing and managing risk, combatting fraud and criminal activity, marketing, profiling to enable us to tailor our marketing and information we provide to you, completing commercial lending transactions, clearing and collecting payments, contacting you about your account, soliciting feedback, market research, prevention of data breaches, remediation, business analysis and modelling, service testing and improvement, training, quality assurance, and asserting or protecting ourselves from legal claims. We ensure that the processing performed for this purpose is necessary for fulfilling our legitimate interest, and that our interest outweighs your interest in not having your personal data processed for this purpose.
We will only keep your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any credit, legal, regulatory, financial or accounting requirements. Depending on the applicable legislation, your personal data may be processed up to ten years after the end of the customer relationship.
Where it is necessary for us to carry out identity checks on you, we will supply your personal information to reference agencies and they will give us information about you. This will include information from your application and about your financial situation and financial history. These entities will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
confirm your identity;
verify the accuracy of the data you have provided to us;
prevent criminal activity, fraud and money laundering; and
manage your account(s).
For speed, ease and convenience, our identity decisions are automated. For information on the privacy and personal information policies of the CRAs (Credit Reference Agencies) that we may use (Equifax, Experian etc.), see:
In order to verify your identity to prevent fraud and manage risks within our business, we use third party identity verification service providers. Identity verification service providers will use the information that we have provided to them about you to provide us with identity verification services and present risk scores back to us relating to fraud risk. This information will form part of the decision to provide you with our services. This process is automated.
Your personal information will predominantly be stored in electronic form in secure cloud-based data centres located in the United Kingdom that may be owned by third parties. Your personal information may also be stored in paper form. All such information whether electronically or physically stored is kept secure using generally accepted standards of security (e.g. encryption).
You can request access to your personal information by contacting us using the details in section 1.
We do not charge for such access, unless you make excessive or unfounded requests.
We want you to remain in control of your personal information. Part of this is making sure you understand your legal rights, which are summarised as follows:
Where your personal information is processed on the basis of consent, the right to withdraw that consent;
The right to confirmation as to whether or not we are holding any of your personal information and, if we are, to obtain a copy of it;
The right to have certain information provided to you in a portable electronic format;
The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or has a significant effect on you;
The right to have inaccurate information rectified;
The right to object to your information being used for marketing or profiling, or on the basis of our or a third party’s legitimate interests;
The right to restrict how your information is used; and
The right to be forgotten, which allows you to have your information erased in certain circumstances.
If you want to exercise any of these rights, please contact us using the details given in section 1. There are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so. We encourage you to look at the UK Information Commissioner’s Office website for detailed information about your privacy rights and our obligations as a controller of your personal information.
If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you should contact the UK Information Commissioner’s Office, which oversees data protection compliance in the UK. Details of how to do this can be found at www.ico.org.uk.
We do not sell or provide access to your personal information to third parties for them to market direct to you. However, we may share your personal information with the following third parties for the following purposes:
to payment system providers with which we have contractual relationships in order to manage a transaction or respond to a query or complaint or improve their service offering;
to identity verification service providers to check your identity and manage risks;
to third party cloud-based storage service providers and other backend systems providers we use;
to our investors, potential acquirers and/or financiers for their due diligence and to any acquirer of part or all of our business;
to our commercial partners to enable them to improve their services to us and to you;
to financial, security and other third-party auditors, including governmental or regulatory bodies, in order to audit our systems, processes and business operations;
to law enforcement, government officials, regulatory authorities, or other third parties pursuant to a court summons, court order, or other legal process or requirement applicable to us or another member of our corporate group; when we need to do so to comply with law or credit card association rules; or when we believe, in our sole discretion, that the disclosure of personal information is necessary to prevent physical harm or financial loss, to report suspected illegal activity or to investigate violations of our Customer Terms & Conditions;
with your consent or direction to do so, to other third parties for other specific purposes.
We may anonymise your personal information (meaning that you can no longer be identified from it) and use the anonymised data for statistical and analytics purposes (for example, to identify and understand trends about the general use of our services). We may sell, distribute and/or disclose anonymised data to retailers and other third parties. We may also publish anonymised data publicly.
We do not share personal information with any other companies, organisations or outside individuals unless we have your consent or a legitimate interest to do so.
For security purposes, Comma does not have access to or hold your debit or credit card data. We use established payment gateway providers to process payments. Our payment gateway providers adhere to a comprehensive set of requirements created by the Payment Card Industry Security Standards Council for ensuring the safe handling of sensitive customer debit and credit card data. Our payment gateway providers are Level 1 Service Providers and are compliant with the PCI DSS Version 3.2 standard.