At Ontime, we are committed to protecting and respecting your privacy.
Our Approach to Privacy
This privacy policy sets out how we collect, store, process, transfer, share and use data that identifies or is associated with you ("personal information") when you use our website at www.ontime.co (or any other website operated by Ontime), use our services, enter into a commercial relationship with us or otherwise interact with us.
Where you use our services (in particular, to allow you to receive payments from your employer in order to pay third party billers), this privacy policy should be read alongside our terms and conditions.
About Us
Ontime is the trading name of Ontime Payments Limited (company no. 15474033) ("Ontime", "we", "our", or "us"). Ontime is the data controller of the personal information we hold about you.
Our registered and postal address is Spaces, 60 St Martin's Ln, London WC2N 4JS.
We are registered as a data controller with the Information Commissioner’s Office under data protection registration number ZB684820.
Personal information we collect about you and how we use it
The table at the Annex sets out the categories of personal information we collect about you and how we use that information. The table also lists the legal basis which we rely on to process the personal information.
More generally, we:
- collect personal information that you voluntarily submit to us, such as your date of birth, employment status and bank account details, when you register with us, use our services, or otherwise interact with us in the course of our business activities;
- collect personal information provided by your third-party biller, such as your name, date of birth, postal address, email address and loan reference;
- collect personal information that you are required to provide us as part of our, and Modulr’s, client onboarding procedures and for us to comply with our and their regulatory responsibilities (such as Know Your Client (“KYC”) and anti-money laundering requirements);
- collect personal information about you from third parties, such as our e-money issuer (Modulr), billers to which you owe payments (see (b) above), background checking service providers, social networks, our advertising and marketing partners, research agencies (or their respective partners) (e.g. to test the services or for market research purposes) and our other partners where we carry out joint business activities; and
- may also collect certain personal information automatically, including in relation to how you access and use our services, technical information regarding the device you use to access our website and the way in which you interact with our marketing (such as whether you open these). We may also automatically record telephone calls when you contact our customer services team by phone.
We use the information we collect about you to correspond with you, perform our agreements with you, comply with our and Modulr’s regulatory responsibilities (such as KYC and anti-money laundering requirements), carry out marketing activities and our day-to-day business activities and operations.
We may link or combine the personal information we collect about you and the information we collect automatically. This allows us to provide you with a personalised experience regardless of how you interact with us.
You may also provide us with personal information, such as your contact details, when interacting with Ontime generally by email, over the phone, at online and physical events or in the course of your and/or business activities.
We will indicate to you where the provision of certain personal information is required in order for us to provide you certain services. If you choose not to provide such personal information, we may not be able to provide the services you have requested.
Special categories of personal information
We do not generally seek to collect sensitive (or “special category”) personal information (which are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a natural person’s sex life or sexual orientation). However, we may process special categories of personal information where you have voluntarily chosen to submit that information to us (e.g. by email) and we will store such information in accordance with our data retention practices (see the [Data Retention section](#section-data-retention) below).
Anonymous data
We may anonymise and aggregate any of the personal information we collect about you (so that it does not directly identify you). We may use anonymised information for purposes that include testing our systems, research, data analysis, improving our service, promoting our service and developing new products and features. We may also share such anonymised information with others.
Data retention
We will store the personal information we collect about you for no longer than necessary for the purposes set out in the Annex in accordance with our legal obligations and legitimate business interests.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, as well as the applicable legal, regulatory, tax, accounting or other requirements.
Recipients of personal information
We may share your personal information with the following categories of recipients (as required in accordance with the uses set out in the Annex):
- Third party biller: we will need to share your personal information (including your bill / loan / salary payment / repayment details) with the suppliers or lenders (or similar providers) to which you owe payments (and to which you have agreed to pay through your Ontime account).
- The e-money issuer: the e-money issuer will need your personal information as it is responsible for safeguarding the e-money in your Ontime account and managing the payments into and out of it at our instruction. The e-money issuer of your Ontime account is Modulr FS Limited (“Modulr”). We may need to share certain of your personal information with Modulr in order that they can monitor compliance with their and our regulatory obligations. Please ensure that you have read Modulr’s privacy policy so that you understand what personal information they collect about you and how they use it.
- Your employer (or payroll provider) as is needed to provide our services to you. For example, we need to share your national insurance number with the payroll provider to check your eligibility as an employee and to ensure this information matches with eligible employee records. We will also need to share other relevant information, such as your (e-money) account details as needed to provide the service.
- Service providers: we may share your personal information with third party vendors and other service providers that perform services for us or on our behalf, which may include providing mailing, marketing, advertising, fraud prevention, web hosting, payment gateway or analytics services.
- ID verification provider: we share your personal information with our ID verification provider(s) as needed to carry out KYC, anti-money laundering, compliance (including sanctions and PEP) and other background checks.
- Professional advisors: we may share your personal information with our lawyers, accountants, insurers and other professional advisors to the extent we need to (for example, to defend ourselves against legal claims).
- Business partners: we may share your personal information (such as contact details) with our business partners where this is necessary in the normal course of our business.
- Purchasers and third parties in connection with a business transaction: your personal information may be disclosed to third parties in connection with a transaction, such as a merger, sale of assets or shares, reorganisation, financing, change of control or acquisition of all or a portion of our business.
- Research agencies (or their respective partners): if you have agreed to participate in a research group, user testing, collaboration exercise, questionnaire regarding the service, focus group or similar-type project in respect of the service, we may share certain information of yours with the research agency or our business partner (and/or their respective partner as appropriate) that requires your information as part of that project.
- Law enforcement, regulators and other parties for legal reasons: we may share your personal information with third parties as required by law or if we reasonably believe that such action is necessary to:
  - comply with the law and the reasonable requests of law enforcement;
  - detect and investigate illegal activities, unlawful activity and / or breaches of agreements; and / or
  - exercise or protect the rights, property, or personal safety of Ontime, its customers or others.
- Other members of the Ontime group: (to the extent applicable) we may share your personal information with our group affiliates (for example, where they provide services on our behalf) or where such sharing is otherwise necessary in accordance with the uses set out in the Annex.
Marketing and Advertising
From time to time we may contact you with information about our services. We may also send you information regarding our other products and services we may offer from time to time, updates, offers, discounts and similar marketing (including related products and services of our partners such as third party billers, financial planning or fraud protection) which we believe you may be interested in.
Most marketing messages we send will be by email. For some marketing messages, we may use personal information we collect about you to help us determine the most relevant marketing information to share with you.
We will only send you marketing messages if you have given us your consent to do so, unless consent is not required under applicable law. Where you provide consent, you can withdraw your consent at any time, but without affecting the lawfulness of our processing based on consent before its withdrawal. In any case, you have the right to opt out of receiving electronic marketing communications from us by clicking on the ‘unsubscribe’ link at the bottom of our marketing communications.
Storing and transferring your personal information
Security. We implement appropriate technical and organisational measures to protect your personal information against accidental or unlawful destruction, loss, alteration or damage. All personal information we collect will be stored on our secure servers. We will never send you unsolicited emails or contact you by phone requesting your account ID, password, bank account details or national identification numbers.
International Transfers of your Personal Information. The personal information we collect may be transferred to and stored in countries outside of the UK where our third party service providers have operations. These international transfers of your personal information will be made pursuant to appropriate safeguards, such as adequacy decisions or standard data protection clauses adopted by the UK government. If you wish to enquire further about the safeguards used, please contact us using the details set out at the end of this privacy policy.
Your rights in respect of your personal information
In accordance with applicable privacy law, you have the following rights in respect of your personal information that we hold:
- Right of access. You have the right to obtain access to your personal information.
- Right of portability. You have the right, in certain circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another data controller.
- Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal information we hold about you without undue delay.
- Right to erasure. You have the right, in some circumstances, to require us to erase your personal information without undue delay if the continued processing of that personal information is not lawful or justified.
- Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal information if the continued processing of the personal information in this way is not justified, such as where the accuracy of the personal information is contested by you.
- Right to withdraw consent. If you have provided consent to any processing of your personal information, you have a right to withdraw that consent, but without affecting the lawfulness of our processing based on consent before its withdrawal.
You also have a right to object to any processing based on our legitimate interests in certain circumstances. You can also object to our direct marketing activities for any reason by clicking the “unsubscribe” link set out in any marketing communication you receive.
Please note that the above rights are not absolute and we may be entitled to refuse requests, wholly or partly, where exceptions under the applicable law apply.
If you wish to exercise one of these rights, please contact us using the contact details at the end of this privacy policy.
You also have the right to lodge a complaint with your national data protection authority. If you are in the UK, information on how to contact the Information Commissioner is available at the ICO website. We would of course prefer that you contact us first if you have any complaints or concerns regarding how we have used your personal information.
Automated decision-making
We sometimes use algorithms to make decisions on our behalf. This is referred to as automated decision-making. We use automated decision-making for the following purposes:
- To assess your application for an account. Our, or our third party service providers’, algorithms assess your suitability for an account with us based on the results of our ID and compliance checks (including anti-money laundering and sanctions checks). This means that we may automatically decide that you present a fraud or money-laundering risk or pose a risk to us in terms of breaking financial sanctions, in which case we will reject your application for an account.
- To decide whether we need to help you. If our, or our third party service providers’, algorithms detect that you may have become financially vulnerable, we may be obliged to help you. Such decisions are based on the repayment and payroll information we have about you and information you may have provided to us.
- To detect and prevent fraud. Our, or our third party service providers’, algorithms may freeze a transaction or account if we suspect fraud or money-laundering against Ontime, our customers or any relevant third parties. Such decisions are based on patterns in our data, such as the Ontime account being used in the way that fraudsters work.
Subject to any applicable law or regulatory requirement which provides otherwise, you can ask for a member of the team to review an automated decision using the contact details set out in section 15 below. If your application for an Ontime account was rejected, you can ask us to check this decision by using the contact details provided in our terms and conditions.
Cookies and similar technologies
Our website uses cookies and similar technologies to distinguish you from other users of our website. Please refer to our Cookie Policy for more information as to the way in which we use cookies on our website.
Links to third party sites
Our website, terms and policies may, from time to time, contain links to and from third party websites, including those of our business partners, advertisers, news publications and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. Please check the individual policies before you submit any information to the relevant data controller.
Changes to this policy
We may update this privacy policy from time to time and so you should review this page periodically. When we change this privacy policy in a material way, we will update the "last modified" date at the end of this privacy policy. Changes to this privacy policy are effective when they are posted on this page.
Notice to You
If we need to provide you with information about something, whether for legal, marketing or other business-related purposes, we will select what we believe is the best way to get in contact with you. We will usually do this through email or by placing a notice on our website (or both). The fact that we may send notices to you will not stop you from being able to opt out of certain types of contact as described in this privacy policy.
Contacting Us
If you have any questions, comments and requests regarding this privacy policy, you can contact us using one of the following methods:
By post:
FAO Chief Operating Officer
Spaces, 60 St Martin's Ln, London WC2N 4JS
By email:
privacy@ontime.co
Annex - Personal information we collect
CATEGORY OF PERSONAL DATA | PURPOSE OF PROCESSING | LAWFUL BASIS FOR PROCESSING |
---|---|---|
Contact details (including first name, last name, email address and, where appropriate, home address), account preferences (including marketing and communication preferences) and customer unique ID. | To send you marketing and promotional content. | Consent or, where consent is not required under applicable law, it is in our legitimate interests to market relevant products and services in order to promote and grow our business. |
| | To send you information regarding changes to our policies, other terms and other administrative information such as reminders, technical notices, updates and security alerts. | It is in our legitimate interests to ensure that any changes to our policies, terms and other such technical updates are communicated to you. |
| | To contact you to help us with market research. | It is in our legitimate interests to request your feedback, or invite you to participate in a research (or similar) project in order to improve our services, better understand the needs of our customers, enhance the user experience and grow our brand. |
Contact details and customer unique ID. | To provide you with information and materials that you request from us. To respond to your queries. | It is in our legitimate interests to respond to your queries and provide any information and materials requested in order to generate and develop business. |
| | To communicate with you as needed in relation to our services to you. | Such processing is necessary for the performance of our contract with you or in order to take steps at your request prior to entering into a contract. |
Contact details, ID information (including home address and date of birth) and customer unique ID. | To carry out KYC, anti-money laundering, compliance (including sanctions and PEP) and other background checks as needed and, where necessary, share this with other financial institutions and regulatory bodies to comply with relevant laws. | Compliance with a legal obligation. Otherwise, such processing is necessary for the performance of our contract with you or, if not applicable, such processing is in our legitimate interests to perform our contract with, and provide our services to, the relevant person or entity. |
Contact details, Modulr (e-money) account details (see below), customer billing information (including customer bill / loan unique identifier and payment status and amounts), incentive offer details (see below) and customer unique ID. | To communicate customer and payment data with the third party biller in order to pay the relevant amount due to the biller. | Such processing is necessary for the performance of our contract with you or in order to take steps at your request prior to entering into a contract. Otherwise, such processing is in our legitimate interests to provide our services to you. |
Contact details, employer / payroll provider details, national insurance number and customer unique ID. | To check your eligibility as an employee and in relation to payroll. To store data points of the depositor of funds (i.e. employer / payroll provider) for future validation of payments received. To ensure the appropriate amounts are deducted for the purpose of collecting the funds to pay the third party biller(s). To help ascertain the end of employment. | Such processing is necessary for the performance of our contract with you or in order to take steps at your request prior to entering into a contract. |
Contact details, ID information, customer designated bank account details (including name of owner, account number and sort code) and customer unique ID. | To verify the bank account into which the remainder of your salary is to be sent is owned by you. To send the remainder of your salary into that designated bank account. | Such processing is necessary for the performance of our contract with you or in order to take steps at your request prior to entering into a contract. |
Contact details, Modulr (e-money) account details (including account number and sort code), customer designated bank account details, customer billing information, employer / payroll provider details, salary details and customer unique ID. | To provide our services, including administering and processing of transactions to pay the third party biller(s) and to ensure you are paid the remainder of your salary, and to process data which is ancillary to those services. | Such processing is necessary for the performance of our contract with you or in order to take steps at your request prior to entering into a contract. |
Modulr (e-money) account details, employer / payroll provider details, salary details and customer unique ID. | To monitor transactions into the e-money account for unexpected transfers. To investigate source of funds and / or suspicious activity as necessary. | Compliance with a legal obligation. Otherwise, it is in our and your legitimate interests that we carry out fraud, anti-money laundering and similar checks (for suspicious activity or otherwise) to prevent you and us being defrauded and for the prevention of unlawful activity. |
Contact details, Modulr (e-money) account details, customer designated bank account details, incentive offer details (e.g. cashback or discount) and customer unique ID. | In the event you are offered with incentives (such as lower priced APRs on credit or cashback), to present the incentive and to facilitate the necessary transactions. | Such processing is necessary for the performance of our contract with you or in order to take steps at your request prior to entering into a contract. |
Vulnerable customer information (including material reduction in salary paid, biller data of impairment of account and (where applicable) information provided directly by you) and customer unique ID. | To provide the necessary support and inform the relevant third party biller(s) regarding the vulnerability. | It is in our legitimate interests to guide our customers as appropriate and to support third party biller(s) as is needed to support customers. |
Technical information (including IP address, browser type, internet service provider, device identifier, your login information, time zone setting, browser plug-in types and versions, preferred language, activities, operating system and platform, and geographical location); and usage data (including clickstream to, through and from the website, pages you viewed and searched for, page response times, length of visits to certain pages, referral source/exit pages, page interaction information (such as scrolling, clicks and mouse-overs), date and time pages are accessed, and website navigation and search terms used). | To administer our website including resolving technical issues, troubleshooting, data analysis, testing, research, statistical and survey purposes. To improve our website to ensure that content is presented in the most effective manner for you and your computer, mobile device or other item of hardware through which you access our website. To help create and maintain a trusted and safe environment on our website. To ensure that you are provided with marketing and advertising that is in line with your preferences. | Consent (to the extent required under applicable laws). Where consent is not required, such processing will be carried out on the basis of our legitimate interests to improve our website and services, provide a safe and secure environment for our customers, resolve issues for customers and develop and grow our brand. |
Contact details, account preferences, technical information and usage data, customer unique ID and any other data as required for the project. | If you have agreed to participate in a research group, user testing, collaboration exercise, questionnaire regarding our services, focus group or similar-type project in respect of our services, we may use certain information of yours and where relevant share it with the research agency or our business partner (and/or their respective partner as appropriate) for the purposes of that project. Such purposes may include (but are not limited to): | It is in our legitimate interests (and the legitimate interests of the third party conducting the research) to ensure the project is conducted appropriately and successfully and, ultimately, to improve our services, better understand the needs of our customers, enhance the customer experience, inform our marketing strategy, gather feedback and/or develop and grow our brand. |
Contact details (including name and phone number), telephone recordings | To record your calls with our customer services team to comply with applicable laws or otherwise as permitted by law. | Compliance with a legal obligation. Otherwise, to pursue our legitimate interests to establish the existence of facts relevant to the business (e.g. to keep a record of instructions given over the phone) and to monitor that our training and quality standards are being maintained. |
If you are representing a business, work contact details such as your name, surname, email address, telephone number, job title, mailing address/place of work. | To enter into a business relationship with you and to manage our ongoing business relationship with you. | Such processing is in our and your legitimate interests to enter into, and manage, a business relationship with you and ensure the organisation you represent is provided with our services in accordance with our contract with that organisation. |
Any and all personal data mentioned above. | Compliance with any legal and / or regulatory requirements. | Compliance with a legal obligation. |
| | To exercise or protect the rights, property, or personal safety of Ontime, its customers, staff or others. | To pursue our legitimate interests in protecting the rights, property, or personal safety of Ontime, its customers, staff or others (including for the purpose of establishing, exercising or defending our legal rights). |