Privacy notice
This privacy notice sets out how and why we collect and use your personal data. This will vary depending on who you are and how you interact with us, so we provide tailored information for different scenarios below.
First, the official bit:
- “We” are Griffin Bank Ltd. We are a company registered in England and Wales with company number 10842931. Our registered office address is 9th Floor, 107 Cheapside, London, EC2V 6DN.
- “You” are an individual person. You might be an employee, shareholder, or director of one of our customers or prospective customers, a user of our website or app, a beneficiary or a payee of a Griffin bank account, or someone who reached out to us via email or one of our other channels.
- We are based in the UK and subject to the UK General Data Protection Regulation ("UK GDPR").
We take data privacy and security seriously, and we're fully committed to helping you exercise your rights over any of personal data we may hold about you. Throughout this notice, we aim to be clear and transparent about:
- How, why, and when we collect your personal data
- What types of personal data we collect
- Who we share it with
- How long we hold it for
- What we do to keep it safe
If anything in this notice is unclear or you have questions, you can contact our Data Protection Officer ("DPO") at privacy@griffin.com.
Our lawful bases for processing your data
In line with UK GDPR, we only use your personal data if we have a “lawful basis” for doing so.
A lawful basis can include:
- Consent. This is when you have given us clear consent to process your personal data for a specific purpose, such as applying for a job with us.
- Contract. This is when we use your personal data to fulfil a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
- Legal obligation. This is when we need to use your personal data to comply with the law.
- Legitimate interest. In simple language, a legitimate interest is when we (or one of our third party service providers) process your personal data in a way you would reasonably expect us to, when there's a clear benefit for us or a third party in doing so, and there's a low risk of infringing on your privacy rights. You can learn more about legitimate interest on the ICO website.
In the sections below, we provide detailed breakdowns of the lawful bases that we rely on for specific processing activities, depending on who you are and how you interact with us.
Our products, services and website are not intended for use by children. We do not knowingly collect or use personal data about children under the age of 16.
Aggregated data
Aggregated data is statistical or demographic data that cannot be used to directly or indirectly identify you, and so is not considered personal data.
We may collect and use aggregated data to help us understand, for example, how users are interacting with our products or our website.
If we ever combine or connect aggregated data with your personal data, we treat the combined data as personal data.
Special category data
“Special category data” refers to certain types of sensitive personal data that are afforded extra protection under UK GDPR. This includes data about your race, ethnicity, sexual orientation, politics, religious beliefs, health, and biometrics.
To process special category data, we need to satisfy a special category processing condition in addition to having a lawful basis. We will never process special category data about you unless we are legally permitted to do so.
We don’t routinely collect or use special category data in the course of our business. The main exception is if you voluntarily disclose information about your health or disability status so we can make accommodations to support you. We will only process this information with your explicit consent.
Sharing your personal data
We may share your personal data with our chosen service providers from time to time.
We only allow our service providers to handle your personal data if we are sure that they will protect it to the same standard that we do. As part of their contracts with us, our service providers may only use your personal data to provide services to us and to you, for the purposes listed below.
If required, we may disclose your personal data to law enforcement agencies and regulatory bodies.
We may also need to share some personal data with other parties during a corporate restructuring or if we choose to sell, transfer or merge parts of our business or our assets, or buy or merge another business with ours.
We usually anonymise any personal data we share with third parties, but this may not always be possible. In any case, the third party will be contractually bound to keep all personal data confidential.
The sections below list the specific providers we routinely share your personal data with, depending on who you are and how you interact with us.
Transferring your personal data out of the UK
We do not process any customer transaction data outside of the UK and EEA.
Sometimes it is necessary for us, or our service providers, to share other personal data about you outside of the UK. When we do this, we have to follow special rules under UK GDPR.
If we transfer your personal data outside of the UK, we must:
- confirm that the recipient is located in a country with data protection laws that are substantially equivalent to UK GDPR; or
- put safeguards in place (such as approved standard contractual clauses) so that your data rights are enforceable and you have access to legal remedies if something goes wrong; or
- confirm that a specific exception applies under data protection law.
Contact us at privacy@griffin.com if you would like more information about where your personal data is transferred and what measures we have put in place to protect it.
Your data rights
You have the following rights over your personal data, which you can exercise at any time without paying any fee or charge to us.
| Your rights | Our responsibilities |
| To access | We must provide you with access to any personal data we have collected about you if you request it. |
| To rectification | We must correct any mistakes regarding your personal data if you ask us to. |
| To be forgotten | In certain situations, we must delete your personal data if you ask us to (although this is not an absolute right). |
| To limit or restrict how we use your data | In certain circumstances we must restrict processing of your personal data, or parts of your personal data at your request (for example, if you contest the accuracy of the data). |
| To data portability | If you request access to the personal data we hold about you, we must provide it to you in a structured, commonly used and machine-readable format. |
| To object | You can object to us processing your personal data for certain purposes, for example direct marketing purposes or if we are relying on our legitimate interests for processing. |
| To not be subject to automated processing | Automated processing refers to decisions made without human involvement and includes profiling. We must not use automated processing to make a decision about you if that decision affects your legal rights or has other significant impacts for you. |
If you would like to exercise any of these rights, please write to us at privacy@griffin.com. We try to respond to all requests within one month.
If your request is clearly unfounded, repetitive, or excessive (for example, if you've made several repeat requests in a short period of time), we may charge you a reasonable fee to cover our admin costs, or refuse your request altogether.
You can learn more about your data rights on the ICO website.
Data security
We have a number of procedures and controls in place to stop your personal data from being lost, stolen, or otherwise used or accessed unlawfully.
- Access. Within Griffin, access to personal data operates on the basis of “least privilege”, which means that our employees only have access to your personal data if they absolutely need it to do their job (such as customer support managers).
- Authentication. We use best practice authentication controls, including two-factor authentication. We require the same level of authentication in all third party systems, software, or applications that we use.
- Physical security. We make sure robust physical and environmental controls are in place around any data centre where we store personal data.
- Network security. We use strong firewalls, and all software is placed in the most restrictive zone possible on the basis of “least privilege”. All network zones block traffic not essential to perform their required tasks (both inbound and outbound).
- Threats and vulnerabilities. We constantly review and test the security of our platforms and IT systems to identify and fix any vulnerabilities that hackers could exploit.
We have incident management procedures in place to deal with any suspected data security breaches. You will be contacted as soon as possible if we believe your personal data has been involved in a suspected breach.
Data rentention periods
We do not keep your personal data for longer than we need to. When we no longer need to hold on to your personal data, we delete it or anonymise it.
We are required to retain certain customer records for at least three years from the date that a customer terminates their contract with us. This is primarily so we can:
- respond to any questions, complaints, or claims made by you or on your behalf;
- show that we treated you fairly; and
- keep any records required by law.
We are required to retain other personal information for at least six years so that it is available in the event of a legal claim.
We are also required to retain some personal information for ten years, for financial crime prevention purposes.
If you'd like to know more about specific retention periods for different types of personal data, contact us at privacy@griffin.com.
Marketing and communications
We may use your personal data to send you marketing communications by email, text message, or post. This includes information about exclusive promotions, new products and features, and news about our business. We will only send you marketing communications if we have your consent to do so or if it is in our legitimate interest (such as business-to-business marketing).
We will never sell your personal data or share it with other organisations for marketing purposes.
You can ask us to stop sending you marketing emails at any time by:
- contacting us at privacy@griffin.com; or
- using the Unsubscribe link in our emails
We may ask you to confirm or update your marketing preferences from time to time, if there are changes in laws or regulations, or if we change the structure of our business.
Even if you have opted out of all marketing communications, we might still send you necessary updates about our products and services (for example, if we are discontinuing or introducing features that may impact how you use our product.) We will also respond to direct queries from you. These are not considered marketing communications because their goal is to help you use and find value from products you have already purchased.
Cookies and other tracking technologies
We use cookies on our website. For more information, check out our cookie policy.
How to complain
If you feel that we have misused your personal data or failed to keep it secure, you should contact our DPO at privacy@griffin.com and clearly state that you wish to make a complaint. We are committed to investigating all complaints promptly, thoroughly, and transparently and providing you with a fair resolution as soon as we can. For more information, see our complaints FAQ.
You also have the right to make a complaint to the Information Commissioner's Office at any time. You can lodge your complaint in writing here: https://ico.org.uk/make-a-complaint. Alternatively, you can contact the Information Commissioner by phone at 0303 123 1113.
Customer and prospective customers
This section applies to you if you are an employee, director, or shareholder of one of our customers or prospective customers.
Griffin solely serves businesses and we do not provide products or services directly to individual consumers. While UK GDPR does not apply to data related to corporate entities, it does cover the personal data of individuals associated with corporate entities.
Types of personal data
The list below covers all the kinds of data we may collect about you, though these may vary depending on the products your organisation is using and whether you are an employee, director, or shareholder.
- Identity data. Your full name, title, date of birth, information about your right to live in the UK, your tax residency, and copies of your identity documents.
- Contact data. Your residential address, previous residential addresses, email address, and phone number.
- Financial data. Your employment status, annual income, number of dependents, and residential status.
- Transaction data. Your bank account details, including account number and sort code, and your transaction history, including details of payments to and from your account.
- Usage data. Information about how you use our products and services, including survey responses
- Technical data. Your internet protocol (IP) address, login data, browser type and version, time zone and location, browser plug-in types and versions, operating system and platform, and other technical information about the devices you use.
- Marketing and communications data. Your marketing communications preferences
Data sources
We collect personal data about you through three main channels.
1. Direct interactions
You may provide your personal data when you contact us, when your organisation purchases products or services from us, and when you use our products and services.
2. Automated technologies or interactions
When you use our products, we automatically collect technical data about your equipment and browsing patterns, using cookies and similar technologies. For more information, check out our cookie policy.
3. Third parties and public sources
We may receive personal data about you from third parties such as:
- Credit check providers who help us verify your identity and assess your credit score. (We do this via a "soft search".)
- Background check providers, used to carry out Know Your Customer and anti-money laundering checks as required by law.
- The Home Office when we screen you against the list of disqualified persons, in compliance with the Immigration Act 2014.
We may also receive data about you from public sources such as Companies House, the UK Electoral Register, the press, and social media.
Our lawful bases for processing your data
The table below gives a detailed breakdown of what we use different types of personal data for, and our lawful bases for doing so.
| Our purpose | Types of personal data | Lawful basis |
| To consider your organisation’s application, to onboard your organisation as a customer, and to respond to your queries. | Identity, Contact, Financial |
Contract. We need to process this data to enter into a contract with your organisation and perform that contract.
|
| To perform credit, background, or disqualified person checks on you in your capacity as a director, shareholder, or beneficial owner of a corporate entity. | Identity, Contact |
Contract. We need to process this data to enter into a contract with your organisation and perform that contract. |
| To provide products and services to you, including managing your payments, fees, and charges, and to collect money owed to us. | Identity, Contact, Transaction |
Contract. We need to process this data to enter into a contract with your organisation and perform that contract. |
| To manage our relationship with you, including notifying you about changes to our products or services, terms and conditions, or this privacy notice, and asking you to leave feedback or take a survey. | Identity, Contact, Transaction |
Contract. We need to process this data to perform our contract with your organisation. |
| To prevent illegal activities such as money laundering and fraud. | Identity, Contact, Transaction | Legal obligation. We are legally required to take action to prevent illegal activities. |
| To keep records of our dealings with you | Identity, Contact, Transaction, Usage | Legal obligation. We are legally required to keep certain records. |
| To investigate complaints and provide support on technical problems. | Identity, Contact, Technical, Transaction, Usage | Contract. We need to process this data to perform our contract with your organisation. |
| To recommend products or services that may be of interest to you. | Identity, Contact, Technical, Transaction, Usage, Marketing communications | Consent and/or legitimate interest. We process this data so we can promote our products and grow our business. |
Who we share your personal data with
We routinely share personal data with the following service providers:
- Amazon Web Services (AWS), our cloud provider
- Form3, our Bacs payment gateway
- Hubspot, our sales and customer relationship management (CRM) platform
- Intercom, our customer support platform
- TruNarrative, our customer due diligence onboarding provider
- Veriff, our identification and verification (ID&V) provider
All of these service providers process your personal data within the UK and EEA.
We also share certain personal data with our chosen credit check, background check and disqualified person check providers from time to time.
Account beneficiaries
This section applies to you if you are a beneficiary of a Griffin bank account.
We do not provide banking products or services directly to individual consumers. That said, our business customers can and do use our banking platform to provide products and services to their own customers, who may be individuals. These companies may hold money that belongs to you in a bank account at Griffin. In other words, you may be beneficiary of a Griffin bank account, even if you do not have a direct banking relationship with us.
Types of personal data
If you are an account beneficiary, we may process your:
- Identity data, including your full name, title, and a copy of your ID.
- Transaction data, including your bank account details, such as your account number, sort code, international bank account number (IBAN), and payment references.
Data sources
Your data is provided to us by our customer, whose products or services you are using.
Our lawful bases for processing your data
We may process your identity data to:
- meet our legal obligation to carry out certain identity, credit, and background checks on you; and
- fulfil our legitimate interest in assessing and making informed decisions about who can deposit money with Griffin.
We process your transaction data to:
- perform our contract with our customer, whose products or services you are using; and
- meet our legal obligation to monitor transaction data for signs of suspicious activity that could indicate financial crime.
Who we share your personal data with
We routinely share personal data with the following service providers:
- Amazon Web Services (AWS), our cloud provider
- Form3, our Bacs payment gateway
- Intercom, our customer support platform
- TruNarrative, our customer due diligence onboarding provider
- Veriff, our identification and verification (ID&V) provider
All of these service providers process your personal data within the UK and EEA.
Payees
This section applies if you have received a payment from a Griffin bank account.
If you receive a payment from a Griffin bank account, we process your personal data in order to provide Confirmation of Payee ("CoP") services. CoP is “is an account name-checking service designed to help reduce misdirected payments and provide greater assurance that payments are being sent, and collected from, the intended account holder for UK domestic payments.” Learn more about CoP.
Types of personal data
If you are a payee of a Griffin bank account, we may process your:
- Identity data, including your full name and title.
- Transaction data, including your account name, account number, sort code, IBAN, and account type.
Data sources
Your transaction data is provided by the person or entity who is paying you.
Your identity data is provided by your bank.
Our lawful bases for processing your data
Our lawful basis for processing this data is legitimate interest. It is in our legitimate interest (and yours, and our customers’) to ensure that payments are being made to the correct payees.
Who we share your personal data with
We routinely share personal data with the following service providers:
- Amazon Web Services (AWS), our cloud provider
- Form3, our Bacs payment gateway
- Intercom, our customer support platform
- TruNarrative, our customer due diligence onboarding provider
All of these service providers process your personal data within the UK and EEA.
Website and sandbox users
This section applies to visitors to our website and users of our sandbox. It also applies to individuals who contact us through email or other channels.
Our website may contain links to other websites. If you follow one of these links, be aware that destination websites will have their own privacy policies and that we do not accept any responsibility or liability for these.
Types of personal data
The list below covers all the kinds of data we may collect about you, though this will vary depending on how and why you interact with us.
- Identity data. Your full name, title, and date of birth.
- Contact data. Your residential address, email address, and phone number.
- Transaction data. Records of any communications we have had with you.
- Usage data. Information about how you use our website or app, including survey responses, download errors, and page interaction information.
- Technical data. Your IP address, login data, browser type and version, time zone and location, browser plug-in types and versions, operating system and platform, and other technical information about the devices you use.
- Marketing and communications data. Your marketing communications preferences.
Our data sources
We collect personal data about you through three main channels.
1. Direct interactions
You may provide your personal data when you access our website, register for our sandbox, contact us, send us feedback, subscribe to our marketing communications, or purchase products or services from us on behalf of your organisation.
2. Automated technologies or interactions
When you browse our website, we automatically collect technical data about your equipment and browsing patterns, using cookies and similar technologies. For more information, check out our cookie policy.
3. Third parties or publicly available sources. We may receive personal data about you from third parties and publicly available sources such as Companies House or the UK Electoral Register. We may also receive technical data about you from the following parties:
- Beauhurst
- Leadfeeder
- Pipedrive
Our lawful bases for processing your data
The table below gives a detailed breakdown of what we use different types of personal data for, and our lawful bases for doing so.
| Our purpose | Types of personal data | Lawful basis |
| To respond to direct communications from you. | Identity, Contact |
Legitimate interest. We need to process this data to provide information about our products to interested parties and to set up and manage customer relationships. |
| To manage our relationship with you, including notifying you about changes to our products or services, terms and conditions, or this privacy notice, and asking you to leave feedback or take a survey. | Identity, Contact, Transaction |
Legal obligation. We are legally required to inform you of certain changes. |
| To conduct troubleshooting, data analysis, testing, system maintenance, support, reporting, and data hosting. | Identity, Contact, Transaction, Technical |
Legal obligation. We are legally required to have robust controls in place to prevent fraud and to ensure our platform is secure and resilient.
Legitimate interest. These activities are necessary for day-to-day running of our business and IT services, for network security, and to prevent fraud. |
| To demo our products to you, including granting you access to our sandbox so that you can try out products for yourself. Note: You should ever upload real personal data to our sandbox. For more detail, see our sandbox T&Cs. | Identity, Contact |
Legitimate interest. We process this data so we can promote our products and grow our business. |
| To track and analyse who is accessing our website and app, and how they are using them. | Identity, Contact, Technical, Usage, Marketing communications |
Legitimate interest. Analysing this data helps us understand if our marketing strategy is effective and if the content on our website is useful to our target audience. It also helps us better define and understand our target customers, develop better customer relationships and user experiences, and improve our products and services. |
| To recommend products or services that may be of interest to you. | Identity, Contact, Technical, Transaction, Usage, Marketing communications |
Consent and/or legitimate interest. We process this data so we can promote our products and grow our business. |
Who we share your personal data with
We routinely share personal data with the following service providers:
- Amazon Web Services (AWS), our cloud service provider
- Google, our email and website analytics provider
- Intercom, our customer support platform
- PipeDrive, our Customer Relationship Management (CRM) software provider
- Slack, our instant messenger provider
Changes to this privacy notice
This privacy notice was last updated in May 2024. When we make material changes to this notice, we'll post details of what has changed here. We may also contact you directly if we make changes that affect how we process your personal data.