PEXA – UK Privacy Policy

Page updated: May 2023
Version: 2.0

 

What is the purpose of this document?

Digital Completion UK Limited (“PEXA”, “we” / “us” / “our”) is a “Data Controller” for customer Personal Data. This means we are responsible for deciding how we collect, hold, use, and share personal information about you. This UK Privacy Notice makes you aware of how and why your Personal Data will be used, and how long it will usually be retained for. It provides you with certain information that must be provided under the UK General Data Protection Regulation (“UK GDPR”).

Data Protection Principles

PEXA will comply with data protection law and principles so your data will be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Accurate and kept up to date
  • Kept only as long as necessary for the purposes we have told you about.
  • Kept securely.

Data Controller

PEXA respects your privacy and will only use information for specified and lawful purposes under current UK Data Protection Legislation.

By using our Services, Website and Platforms, you consent to the collection, use and sharing of your data as described in this Privacy Notice. Please take the time to read our Privacy Notice so you understand how we manage the use of your Personal Data.

Data Controller: Digital Completion UK Ltd (Trading as PEXA).

Address: First Floor, 85 Great Portland Street, London, W1W 7LT.

Data Protection Officer: Mr Matt Ellis, uk.dpo@pexa.com.au.

What is Personal Data

Personal Data is defined by the UK GDPR and the Data Protection Act 2018 (collectively, “UK Data Protection Legislation”) as any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

Put simply, Personal Data is any information about a Data Subject that enables them to be identified. Personal Data covers information such as a Data Subject’s name and contact details, but it also covers identification numbers, electronic location data, and other identifiers.

Definitions

Automated Decision-Making (ADM) means when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The UK GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

Consent means agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.

Controller means the person or organisation that determines when, why and how to process Personal Data. They are responsible for establishing practices and policies in line with the UK GDPR. We are the Controller of all Personal Data relating to our customers and Personal Data used in our business for our own commercial purposes.

Data Subject means an individual, identified or identifiable natural person about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Data Privacy Manager (DPM) means the Company Data Protection Officer or such other person appointed by the Company who is responsible for data protection compliance.

UK GDPR means the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). Personal Data is subject to the legal safeguards specified in the UK GDPR. The UK GPDR is supplemented by, and must be read in conjunction with, the Data Protection Act 2018 (“DPA 2018”). The DPA 2018 sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.

Personal Data means any information relating to an identified or identifiable natural person (Data Subject).

Personal Data Breach means any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The accidental or unlawful destruction, loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

Process or Processing means operation or set of operations which is performed on Personal Data or on sets of Personal Data whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.

The Data We Collect

PEXA collects Personal Data only when we have a valid legal basis to do so. We may rely on your consent or that the Processing is necessary to fulfill our contractual arrangements. We also collect Personal Data from you either directly or indirectly, when using our Services, Website or when our Platforms are accessed. Through the use of our Services, we may also collect Data Subject information, including but not limited to:

  • Name, job title / details, contact details (e.g. business address, corporate email, telephone number(s), etc.), username and password;
  • Borrower(s) and associated property information;
  • Financial, banking or other payment information;
  • PEXA Pay payee / beneficiary information;
  • Information necessary to process and analyse documents such as title deeds for lodgement purposes, enable payment transactions, or other information required to deliver our core Services;
  • Technical information as a result of configuring the Services, including IP addresses, geographic location, browser-type, device-type, operating system, date and time stamp; and,
  • Other information including the interactions you may have with customer support.

End-user Data

You may provide PEXA with ‘end-user Personal Data’ (“Consumer Data”), including through your use of our Services. You represent and warrant that you have received consent from the end user to obtain and share the Consumer Data with PEXA as a “Data Processor”. For the remainder of this Privacy Notice, “data” and “Personal Data” refer to both Customer Personal Data and Consumer Data.

How We Use Data

PEXA uses data for a variety of purposes, such as:

  • delivering our Services;
  • processing transactions necessary for property completion;
  • optimising customer experience;
  • providing customer support for our Services;
  • security and fraud prevention;
  • analytical purposes;
  • performance of our contractual arrangements; and,
  • complying with applicable laws or legislation.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

PEXA will only retain Personal Data for so long as to fulfill the purposes for which it was collected as described in this Privacy Policy. We will carefully consider retention periods and work to retain Personal Data for the shortest possible period under existing law or best practice. After this period, we will securely destroy your personal information in accordance with our data retention schedule.

Legitimate Interest

PEXA’s legitimate interests include mandated record-keeping, administrative purposes and operating, maintaining, and improving our Website or Platform experience, and developing new service offerings.

By agreeing to use our Services, you agree that we are permitted to collect, use, share and store anonymised (or pseudonymised) and aggregated data for analytics, metrics, reporting and other legitimate business purposes.

Cookies and Other Technologies

PEXA’s Website or Platforms may use Cookies and Other Technologies to help us safely authenticate users (PEXA Verify), understand visitor / user behaviour, for security and fraud prevention purposes, and/or to inform us about which parts of the Website visitors go to.

Cookies are text files containing small amounts of information that are transferred and stored to your device when you visit our Website. Cookies are then sent back to us on each subsequent visit, or to another Website that recognises that cookie. Cookies are useful because they allow us to recognise a user’s device and to remember a user’s actions and preferences over a period of time and improve your experience the next time you visit. PEXA considers the information collected from Cookies as non-Personal Data; however, IP addresses or similar identifiers are considered as Personal Data.

Information is collected and used by us in accordance with the Cookies Policy and this Privacy Notice

Location

When you use our Platform, PEXA may receive technical data about the device used to access our Platform, including device ID, operating system, browser type, IP address, and location (collectively, “Device Data”). Device Data may be used as part of PEXA’s technical and organisational security measures which are used to identify the device and log and authenticate users accessing the Website or Platform. Device Data may be shared, along with information about any fraudulent transactions using the device with our Sub-Contractors. They may compare and add the Device Data, and any fraud-related data, to a database to identify and block access to the Platform by devices that have performed questionable or fraudulent activity.

Data Transfers

In compliance with applicable laws, PEXA may use, process, transfer, and share your data. We may combine this data with other information collected from publicly available information, including third-party sources.

By using the Services, Website or Platforms or by providing Personal Data to us, you acknowledge and agree that Personal Data may be sent to and processed in countries outside your country of residence. Some of these countries may not have data protection laws that provide an equivalent level of data protection as the laws in the UK; however, we take steps to ensure Personal Data is handled in accordance with all applicable UK Data Protection Legislation. Personal Data relating to Data Subjects in the UK is governed by Standard Contractual Clauses, Art. 46 GDPR. These contractual clauses ensure appropriate data protection safeguards can be used as a ground for data transfers to third countries.

PEXA may share data, including Personal Data, with Sub-Contractors to deliver our Services, Website or Platform. These Sub-Contractors include business partners, completion and delivery services, analytics providers, IT specialists and product developers. Sub-Contractors are contractually bound to use and process Personal Data we share for the permitted purposes only as well as use adequate technical and operational measures to protect Personal Data from unauthorised access and use. Permitted purposes may include providing payment processing, verifying, and authenticating identity, sanctions screening, document scanning, processing, and storage. Sub-Contractors may be located outside of the United Kingdom.

Lawful Basis

Your information is collected and processed for the performance of a contract. We will only process your Personal Data where it is necessary to support the legitimate interests of our business or with those we may have shared your information, except where these are overridden by your interests or fundamental rights and freedoms which require the protection of Personal Data.

We will obtain consent from customers to process information in this way. You have the right to withdraw your consent at any time. Once consent has been refused or withdrawn, we will no longer process your Personal Data.

PEXA may share data, including Personal Data to:

  • comply with applicable laws, court orders, or governmental agencies
  • protect the security or integrity of our customers and PEXA’s Databases, Services, Website or Platform; or
  • prevent legal liability.

PEXA may also share Personal Data with law enforcement in the event criminal activity is suspected.

Your Rights

Under UK Data Protection Legislation, you have the following rights, which we will always work to uphold. These include rights to:

  • withdraw Consent to Processing at any time;
  • receive certain information about the Data Controller’s Processing activities;
  • request access to your Personal Data that we hold;
  • prevent our use of your Personal Data for direct marketing purposes;
  • ask us to erase Personal Data if it is no longer necessary for the purposes for which it was collected or Processed or to rectify inaccurate data or to complete missing data;
    restrict Processing in specific circumstances;
  • challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
  • request a copy of an agreement under which Personal Data is transferred outside of the UK;
  • object to decisions based solely on Automated Processing, including profiling (ADM);
  • prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
  • be notified of a Personal Data Breach which is likely to result in high risk to your rights and freedoms;
  • make a complaint to the supervisory authority; and,
  • in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used, and machine-readable format.

Protecting Your Data

PEXA processes Personal Data in a way that ensures its security, by using appropriate technical and organisational measures. This is to protect against unauthorised or unlawful Processing and against accidental loss, destruction, or damage.

Withdrawing Consent

You can withdraw your consent at any time. If you wish to do so or have any questions, please contact Digital Completion UK Limited (Trading name PEXA) by:

Email
uk.dpo@pexa.com.au

Post
85 Great Portland Street, First Floor, London, W1W 7LT.

Please note that if you do withdraw your consent, we may not be able to provide our Services to you. We will let you know in writing if this is the case.

You can also contact the Information Commissioner’s office for more information about your rights of access:

Post

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Telephone

0303 123 1113 (local rate), or

Fax

01625 524 510.

PEXA is the trading name of Digital Completion UK Limited.
Registered Office: 85 Great Portland Street, First Floor, London W1W 7LT.
Registered in England and Wales. Company No. 12830944.

Our website uses cookies to make your browsing experience better. By using our site you agree to our use of cookies. Learn more.