PassTo's Privacy Policy

Privacy Policy

Published 15 June, 2024

1. About our Privacy Policy

BlaBla Connect Limited (‘BlaBla’) is committed to protecting and respecting your privacy. This Privacy Policy together with our Terms and Conditions apply to your use of our PassTo application and the services accessible through our app and website.

It is important to us that you can trust us with your information when you use our services. Note that our services are not intended for children. Please take a few minutes to read this Privacy Policy to understand what information we collect, what we do with it and why.

We have layered this privacy policy so that you can find the details you need as quickly and easily as possible.

Our privacy policy gets updated from time to time. Whenever we make a change, we will post an update and inform you if there is a material change.

2. Who we are and our contact information

We are BlaBla Connect Limited, with a registered office at 60 Cannon Street, London, England, EC4N 6NP. We offer online payment and remittance services, commonly known as ‘eWallet services’ to our customers, which have features such as, payments (whereby you can make payments directly from our app), remittance (you can transfer money to anyone in the world) and peer to peer transfers.

In this privacy policy, ‘we/us’ means BlaBla, the entity responsible for processing your personal information and ‘third party’ means someone who is not you or us.

Your opinion matters to us – if you have any questions about compliance, this privacy policy or your rights, please submit your query to our Privacy Team at dataprivacy@passto.co.uk and a member of the team will respond to you.

If you have any other general questions about our services or products, please submit your query to our Customer Services Team at support@passto.co.uk and a member of the team will respond to you.

3. Personal information we collect about you

We will collect information about you and this will vary based on the services you choose to use and subscribe to as well as the amount of funds involved.

When you download our app, information may be accessed from or stored on your device to allow the app to operate and function.

The specific types of information we may have are as follows and we have grouped them in relation to each service type:

  • Identity Data

This includes your full name, nationality, date of birth, a picture of you, a copy of a proof of identity related documentation (passport or driving license or national identity card), your street address, postcode, city and country.

  • Your Beneficiary’s Identification Data

This includes your beneficiary’s first name, last name, phone number and email address.

  • Account Data

This includes your phone number and email address.

  • Your Beneficiary’s Account Data

This may include his/her phone number and email address.

  • Financial Data

This may include your bank account numbers, or debit/credit cards linked to your PassTo account when you make bank transfers. Additionally, we may collect your occupation and salary details for the last 3 (three) months, source of funds details and purpose of transactions. It may also include your beneficiary’s bank account details.

  • Technical Data

This includes internet protocol (IP) address, device information, such as device type and serial number, browser type and version, device operating system version, language, browsing patterns and user activity.

  • Usage Data

This includes details about how you use our products and services, your transaction amounts and dates, frequency of transactions, including their status.

  • Marketing and Communications Data

This includes your marketing preferences in receiving marketing from us and your communication preferences.

  • Customer Care Data

This includes your feedback to us, survey related information, call and chat logs.

  • Biometric Data

This includes your facial biometrics, which may include a “selfie” taken on your mobile or other device holding a copy of your identification documents.

  • Aggregated Data

This includes data that could be derived from your personal data but is not considered personal data by law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

Information generated by automated technologies or interactions includes automatically collected Technical Information about your device, browsing patterns and actions as you interact with the app. We collect this information by using cookies. Please see our Cookie Policy for further details.

Also, when you download our app, it will set out the preferences it requires to operate, some of which you may be able to opt out of in some cases.

Where we need to collect personal data by law and you fail to provide that data when requested, including failing to update your personal data, we may not be able to provide you with the services. We may also have to cancel a service you have with us but we will notify you if this is the case at the time.

Save for Biometric Data, we do not collect any special categories of personal data (Special Categories of Personal Data) about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic data).

4. How and when is your personal information collected

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your Identity, Contact, Financial, Phone Call and Biometric Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:some text
    • apply for our products or services;
    • create an account on our service platforms;
    • subscribe to our service or publications;
    • take part in any competition or promotion organized by us;
    • request marketing materials to be sent to you; or
    • give us feedback or contact us.
  • Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our Cookie Policy for further details.
  • Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources as set out below:some text
    • Technical Data from the following parties:some text
      • analytics providers based inside or outside the UK;
      • advertising networks based inside or outside the UK; and
      • search information providers based inside or outside the UK.
    • Contact, Financial and Transaction Data from providers of technical, payment and delivery services based inside or outside the UK.
    • Identity and Contact Data from data brokers or aggregators based inside or outside the UK.
    • Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the UK.

5. How we use your personal information

We will only use your personal data when the law allows us to, most commonly, in the following circumstances:

  • Where we need to perform the terms and conditions we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests. We have carried out a legitimate interests assessment to ensure that where we rely on legitimate interests, that those interests are valid.
  • Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a mandatory legal or regulatory obligation.
  • Where you provide your consent to us before processing.

We have set out below, a description of all the ways we plan to use your personal data, and which of the legal basis we rely on to do so. We have also identified what our legitimate interests are, where appropriate.

Purpose/Activity Type Data Lawful Basis for Processing Including Basis of Legitimate Interest
To register you as a new customer Identity, Account Performance of a contract with you
To process and deliver your order including: Deposit funds, Remit funds Identity, Account, Financial, Marketing and Communications, Customer Care Performance of a contract with you
Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you which will include: Notifying you about changes to our terms or privacy policy, Asking you to leave a review or take a survey Identity, Account, Usage, Marketing and Communications, Customer Care Performance of a contract with you
Necessary to comply with a legal obligation
Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) Identity, Account, Technical, Customer Care Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise)
Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we present to you Identity, Account, Usage, Marketing and Communications, Technical Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences Technical, Usage Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about services that may be of interest to you Identity, Account, Technical, Usage Necessary for our legitimate interests (to develop our products/services and grow our business)
To (a) verify your identity when you open an account or use our services, (b) authenticate use of your account, (c) prevent fraudulent use of our services, (d) comply with legal and regulatory obligations, and (e) comply with a request from law enforcement or government entities Biometric Data We rely on the “substantial public interest” exemption to the prohibition on processing Special Categories of Personal Data. This is because we have a substantial public interest in preventing fraud and money laundering, to protect our business and customers from fraud and to comply with legal and regulatory requirements.

Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data.

6. With whom we may share your personal information

Where applicable, we may have to share information about you with:

• Another BlaBla affiliated entity under common control which provides ancillary technical services including digital wallet platform management and customer care support;

• Third parties which provide data centre services to us;

  • A third party or body where such disclosure is required to satisfy any applicable law, or other legal or regulatory requirement;

• Regulators which require the reporting of fraudulent and criminal activities;

  • Third party service provider which provides compliance services such as ‘Know Your Customer’ services;

• Third parties whom we have engaged to facilitate the processing of your transactions in the destination countries and payment gateways;

• Third parties which provide physical cards issuing services;

• A third party which enable customer support messaging;

• Our financial institution whom we bank with to manage our customer accounts;

  • Your beneficiaries;
  • Third parties where you have consented for us to do so. For example, if you have consented to receive marketing materials from them or monitor your browsing activity.

If we are reorganized or sold to another organization, we will provide your information to that organization.

Where applicable, we require all external third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

7. Information from children

Our services are not intended for anyone under the age of 18. We do not knowingly collect personal information via our services from anyone under 18.

8. International data transfers

The EEA consists of countries in the European Union, Switzerland, Iceland, Liechtenstein and Norway: they are considered to have equivalent laws when it comes to data protection and privacy while non-EEA countries (except for those deemed adequate by the European Commission) do not provide appropriate safeguards for data protection.

The company affiliated to BlaBla is based outside the EEA in Cairo and Egypt, so their processing of your personal data will involve a transfer of data outside the EEA. Additionally, the main establishment of our company is located in the UK which, in the event of Brexit, will be outside the EEA.

The categories of receivers in Cairo are the customer support and technical support departments. Our customer support department assists with customer complaints while our technical support is responsible for maintaining the backend servers and resolving faults and issues.

Our management team is located in Cairo and in the UK, we have our compliance team.

We ensure that processing of personal data is based on a need-to-know basis only and only relevant departments and functions will have access to personal data.

Additionally, some of the third parties we use for providing us with services are located in the USA and UK.

We take measures to ensure that your information is properly protected.

Where we intend to engage with our affiliated companies and third parties based in the non-EEA countries, we will either enter into legal agreements that reflect high data protection standards approved by EEA authorities and the European Commission, such as Standard Contractual Clauses, or we will engage with those third parties which adhere to the EU – US Privacy Shield certification requirements.

9. How long we keep your information for

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal requirements.

Details of retention periods for different aspects of your personal data are set in our Data Protection Policy.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case, we may use this information indefinitely without further notice to you.

10. Keeping your information secure

We have a dedicated function (Head of Information Security) who constantly reviews and improves our measures to protect your personal information.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. All the measures are documented in a single document known as the IT Security Policy which includes BlaBla’s practices on acceptable encryption, information security review and audit, network security, data retention, archiving and destruction.

Our app uses industry approved protection tools (encryption, passwords) to protect your personal information against unauthorized access or disclosure.

In addition, we limit access to your personal data to those staff members or other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a strict duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and relevant supervisory authority of a breach where we are legally required to do so.

11. Your rights, including your rights to withdraw consent

Under certain circumstances and where applicable , you can exercise your rights under data protection laws in relation to your personal data which are as follows:

Right to have access to your personal data – This enables you to make a request for a copy of the personal data that we hold about you and to check that we are lawfully processing it. You can contact us at dataprivacy@passto.co.uk.

Right to correct your personal data – This enables you to have information corrected if it is not accurate. You can do so by contacting us at support@passto.co.ukfor this purpose.

Right to data portability – This enables you to take with you the personal data you provided to us or port it to a third party. You can contact us at dataprivacy@passto.co.uk

Note, however, that this right only applies to automated information which you initially provided under your consent for us to use or where we used the information to perform a contract with you.

Right to object to the processing of your personal data – This enables you to object to the BlaBla processing your personal information, for example where we rely on legitimate interest for direct marketing. Please contact us at dataprivacy@passto.co.uk for this purpose.

Right to restrict the processing of your personal data – This enables you to ask us to suspend the processing of your personal data in certain circumstances. Please contact us at dataprivacy@passto.co.uk for this purpose.

Right to delete your personal data – This enables you to ask us to delete personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Please contact us at dataprivacy@passto.co.uk for this purpose.

• Right to withdraw your consent If you no longer want to receive marketing messages from BlaBla, you can choose to opt out of all marketing communications or choose only selected methods (for example, email, text and push notifications through the app).

You can opt out by doing the following:

o Contacting our Customer Services team at support@passto.co.uk

o Clicking ‘Unsubscribe’ at the end of a marketing email or text

o Disabling push notification messages, including marketing messages at any time in the app by changing the notification settings in the preference centre.

Note that withdrawing your consent does not mean that you won’t receive any service-related messages. You will still continue to receive those (unless we have indicated otherwise).

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

12. Contacting the Supervisory Authority

You have the right to make a complaint at any time to the relevant data protection supervisory authority.

We would, however, appreciate the chance to deal with your concerns first before you approach the supervisory authority, so please do contact us in the first instance.