Privacy Policy

Wave is a McCurrach company. This privacy policy sets out how McCurrach Group Ltd use and protect any information that you give McCurrach Group Ltd.

What this Policy covers

The data controller is McCurrach Group Limited (referred to in this policy as “we” or “us”).

We are committed to doing the right thing when it comes to how we collect, receive, use and protect your personal data. That’s why we’ve developed this privacy and cookies policy (“Policy”), which:

  • sets out the types of personal data that we collect;
  • explains why we collect, receive and use your personal data;
  • explains when and why we may share personal data within the McCurrach Group and with other organisations; and
  • explains the rights and choices you have when it comes to processing your personal data.

This Policy applies to you if you use our services (referred to in this Policy as “Services”). Using our Services means disclosing personal information to us either verbally, over the phone, online or otherwise using any of our websites or mobile applications. This Policy also applies if you contact us or we contact you about our Services.

Data Disclosure

Legal Authorities

We may share personal data with other organisations in the following circumstances:

  • if the law or a public authority says we must share the personal data;
  • if we need to share personal data to establish, exercise or defend our legal rights (this includes providing personal data to others for the purposes of preventing fraud and reducing credit risk);
  • to an organisation to which we sell or transfer (or enter into negotiations to sell or transfer) any of our businesses or any of our rights or obligations under any agreement we may have with you. If the transfer or sale goes ahead, the organisation receiving your personal data can use your personal data in the same way as us; or
  • to any other successors in title to our business.

We will not sell, distribute or lease your personal information to third parties unless we have your permission, or are required by law to do so. We may use your personal information to send you promotional information about third parties which we think you may find interesting if you tell us that you wish this to happen.

Other Organisations

McCurrach shares personal data with organisations including Service Providers, Government Agencies and Financial Regulators. The disclosure sections below apply where the processing of personal data is necessary and where we have a legal right to do so.

McCurrach Group

Some other parts of our business and other McCurrach Group companies may need to collect and use personal data to provide you with their products and services and for certain other purposes. Where this is the case, each part of the business has its own privacy policy that explains how it uses your personal data.

Service Providers

We work with selected Service Providers that carry out certain functions on our behalf. These include, for example, companies that help us with storing and analysing data, processing payments and delivering orders. We only share personal data that enable our Service Providers to provide their services. When we share personal data with these companies we require them to keep it safe, and they must not use your personal data for their own marketing purposes.

Fraud Prevention

To protect our customers and us from fraud and theft, we may look at the information that we get from making identity checks and other information in our customer records, including how you conduct your account, and may pass this to other group companies, other retailers and to financial and other organisations (including law enforcement agencies) involved in fraud prevention and detection, to use in the same way.

International Transfers

From time to time we may transfer your personal information to our group companies, suppliers or service providers based outside of the EEA for the purposes described in this privacy policy. If we do this your personal information will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators (like the US ‘Privacy Shield’ scheme).

Policy Change

McCurrach Group Ltd may change this policy from time to time by updating this document/webpage. Where the Policy is provided in document format, we may either email you an updated Policy, or post an updated Policy to you, depending on contact preference etc. Should this occur, please review the updated Policy to ensure that you are familiar with any changes. 

Data Processed

The list below contains the details of your personal data that we process:

  • name;
  • contact details (email address and telephone number);
  • birth date;
  • national insurance number;
  • address and postcode;
  • marital status;
  • pension details (including contributions);
  • financial information (direct debit details);
  • name of employer;
  • medical information;
  • lifestyle information (e.g. whether a person is a smoker/non-smoker).

Retention of your Personal Data

Personal Data that we collect and use for purposes named above shall not be retained for longer than is necessary. We will retain a record of your personal information. This is done to provide you with a high quality and consistent service across our group. We will always retain your personal information in accordance with law and regulation and never retain your information for longer than is necessary.

Data Controller

Data Controller: McCurrach Group Ltd

Registration Number: Z3518106

Address: 74 Waterloo Street, Glasgow, G2 7DJ

Controlling your Personal Information

The rights of Data Subjects are outlined in the section below. Should you need to contact our Data Protection Officer to exercise any of these rights, please use either of the following contacts:

Email: DPO@McCurrach.co.uk

Letter: Data Protection Officer, 74 Waterloo Street, Glasgow, G2 7DJ.

There are a few circumstances where we do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

Right to be Informed (applicable to all ‘Legal Rights’)

This Privacy Policy provides awareness to Data Subjects, in relation to what personal data we process and why. The Policy also informs Data Subjects of their Individual Rights and our Complaints Process.

Right of Access (applicable to all ‘Legal Rights’)

Under the General Data Protection Regulation 2016 you have the right to access the personal information that we hold about you in many circumstances. This is sometimes called a ‘Subject Access Request’. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.

McCurrach have the right to refuse the request should it be manifestly unfounded or excessive.

Before providing personal information to you or another person on your behalf, we will ask for proof of identity and sufficient information about your interactions with us, in order to locate your personal information.

If you would like a copy of the information held on you, please send your request to our DPO using the contact details provided above.

Right to Rectification (applicable to all ‘Legal Rights’)

If you believe that any information we are holding on you is incorrect or incomplete, please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’ and either post it to us, or email it to us as soon as possible, at the postal or email address below. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

We will promptly correct any information found to be incorrect. To allow us to deal with your request promptly, please provide information on where you believe the incorrect data is being held, for example an employee file and any details of the data you believe to be incorrect including the data you would like it to be replaced with. Send your request to our DPO using the contact details provided above.

Right to Data Portability (applicable to Consent and Contract ‘Legal Rights’ only)

The right to data portability allows Data Subjects to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to data portability only applies:

  • to personal data an individual has provided to a Data Controller;
  • where the processing is based on the individual’s consent or for the performance of a contract; and
  • when processing is carried out by automated means.

McCurrach will, should the request meet the criteria above and be deemed reasonable, provide you with your data free of charge, in a structured and commonly used, machine readable format. Once validated, your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

To allow us to deal with your request promptly, please provide as much detail as you can such as whether the incorrect data is held in an employee or other file system and the date range that you require the data to be provided for.

If you would like to request some, or all your data to be provided in a format as outlined above, please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your request to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

Rights Related to Automated Decision Making - including profiling (applicable to all ‘Legal Rights’ apart from Vital Interest)

McCurrach will only process personal data for Automated Decision Making with your explicit consent. Should you wish to challenge any decision made using automated processing or request human intervention, please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your request to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

To allow us to deal with your request promptly, please provide as much detail as you can such as whether the incorrect data is held in an employee or other file. Please also describe the automated decision process and clarify whether you would like to challenge the decision and why, or whether you would like to request human intervention.

Right to Restrict Processing (applicable to all ‘Legal Rights’ apart from Vital Interest)

You may choose to restrict the collection or use of your personal information. If you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes.

Please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your request to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

To allow us to deal with your request promptly, please provide as much detail as you can such as whether the data is held in an employee or other file system. Please also describe the processing that you would like to restrict.

Right to Erasure (applicable to Consent and Legitimate Interest ‘Legal Rights’ only)

If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time. Once validated, your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

Please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your request to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

To allow us to deal with your request promptly, please provide as much detail as you can such as whether the data is held in an employee or other file system. Please also describe what data you would like us to stop processing.

Right to Object (applicable to Consent and Legitimate Interest ‘Legal Rights’ only)

If you have previously agreed to us using your personal information, you may change your mind at any time. Once validated, your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

Please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your request to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

To allow us to deal with your request promptly, please provide as much detail as you can such as whether the data is held in an employee or other file system. Please also describe what data you would like us to stop processing.

Complaints

We aim to acknowledge receipt of all complaints within five business days and to resolve all complaints within 30 business days (although this may not be possible in all circumstances and is dependent on the complexity of the issue).

Please complete the Proof of Identity Form located at the end of this document in ‘Appendix A – Proof of Identity Form’. Send your complaint to our DPO using the contact details provided above. Your request will be processed within 30 calendar days upon receipt of a fully completed form and proof of identity.

Where we cannot resolve a complaint within 30 business days, we will notify you of the reason for the delay as well as an indication of when we expect to resolve the complaint.

You also have the right to lodge a complaint with the UK regulator, the Information Commissioner. Go to ico.org.uk/concerns to find out more.

Cookies

What is a cookie?

A cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone browser from a website's computer and is stored on your device's hard drive. Each website can send its own cookie to your browser if your browser's preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other websites. Many websites do this whenever a user visits their website to track online traffic flows.

During any visit to a website, the pages you see, along with a cookie, are downloaded to your device. Many websites do this, because cookies enable website publishers to do things like find out whether the device has visited the website before. This is done on a repeat visit by checking to see, and finding, the cookie left there on the last visit.

How do McCurrach UK Ltd use cookies?

McCurrach UK Ltd may use an independent measurement and research company to collect information about your visit to the website. They will gather information regarding the visitors to the website on our behalf using cookies. McCurrach UK Ltd uses this type of information to help improve the services it provides to its users. All third parties are strictly required not to use any information for their own business or other purposes.

How do I control and delete cookies?

McCurrach UK Ltd will not use cookies to collect personally identifiable information about you. However, if you wish to restrict or block the cookies, you can do this through your browser settings. The ‘Help’ function within your browser should tell you how.

Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your computer as well as more general information about cookies. For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual.

Please be aware that restricting cookies may impact some functionality on some websites.

Security

The company takes all reasonable steps to ensure that the Personal Data we collect, use or disclose is accurate, complete, up-to-date, relevant and stored securely.

We also take all reasonable steps to ensure that the Personal Data we hold is protected from misuse, interference, loss, unauthorised access, modification or disclosure using various methods including access limitation, and industry-standard Secure Sockets Layer (SSL) encryption technology to safeguard the contact us process. Other security safeguards include but are not limited to data encryption, firewalls, and physical access controls to building and files.

We are committed to ensuring that your information is secure. To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.

Social Media

When using one of our websites or mobile applications, you may be able to share information through social networks like Facebook and Twitter. For example, when you ‘like’, ‘share’ or review our Services. When doing this your personal information may be visible to the providers of those social networks, their other users and/or McCurrach Group Companies. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts so you are comfortable with how your information is used and shared on them.

Data collected from this website is stored and processed within the EEA. Your data will not be transferred out of this region.

Websites

Website improvement

To help us design our website and improve your experience, we may collect information about the way you use and access our website. Our web system collects information about each visitor, including IP address, the length of time spent on the website and the order in which pages are visited. We may employ third party experts to help us look at this information. However, we make sure that anyone we employ treats all information with the same sensitivity and security that we treat it with. This is explained in more detail in the cookies section above.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Our Websites may contain links to other websites operated by other organisations that have their own privacy policies. Please make sure you read the terms and conditions and privacy policy carefully before providing any personal data on a website as we do not accept any responsibility or liability for websites of other organisations.

Useful resources

The Information Commissioner’s Office (ICO) is the UK’s independent body to uphold information rights. The ICO’s website has useful information on data privacy and your rights.

Appendix 1: Proof of Identity Form

Appendix 2: Data Requester Information Form