Konfir (UK) Ltd ("Konfir" or "we") respect your right to privacy. This Privacy Notice explains who we are, how we collect, share and use personal information about you, and how you can exercise your privacy rights. This Privacy Notice only applies to personal information that we process as a controller through our mobile application and/or website at https://www.konfir.com/ and through the Konfir platform (collectively, our "Services").
When you open a Konfir account, we collect and process personal information about you so that we can operate and ensure the security of your account. We refer to that personal information as “Account Data”, and we process it as a controller.
We process personal information relating to your education, employment and financial history and status (which we refer to as “Verification Data”) on behalf of potential employers, recruitment agencies with which you are working, banks and other financial service providers and/or (in each case) their service providers and other third parties (our “Clients”). Our Services include processes that check, cross-reference and match information to prove validity. For example, we may verify your employment history by matching information received from current or former employers against records of payment derived from your bank accounts, payroll, tax or benefits records including from His Majesty's Revenue and Customs ('HMRC') so that Verification Data might include matched data from those sources. We only provide your Verification Data to Clients if you have authorised them to request this information from us.
When we process your Verification Data for the purposes of providing that data to a Client, we do so on their behalf as their processor. Please refer to their privacy notice for how they process this personal data as a controller.
The exception to this is where we process data received from HMRC as a Tax Agent; in that case, we do so as a controller. A Tax Agent can deal with HMRC on your behalf; you can find more information here: https://www.gov.uk/appoint-tax-agent. When we provide that HMRC data to a Client, we make a controller-to-controller transfer. Please refer to Client privacy notices for how they process this personal data as a controller.
When we process your Account Data, Verification Data or Technical Data for our own purposes (such as where you create an account and choose to save your Verification Data for future verifications or other uses) or where we send you marketing, we will be doing so as a controller. This Privacy Notice covers our processing of your personal information when we act as a controller.
If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the bottom of this Privacy Notice.
Konfir is headquartered in the United Kingdom. Our platform helps people manage verifications (such as income or employment data) that organisations such as banks or employers might request.
For more information about Konfir, please visit our Website at https://konfir.com/.
The personal information that we may process about you broadly falls into the following categories:
When you use our Services, we may ask you to provide personal information voluntarily: for example, we may ask you to provide as Account Data your full name, date of birth, national insurance number and contact details in order to register an account on our platform. We may also ask you to provide contact details to allow you to subscribe to marketing communications from us, and/or to submit enquiries to us. We may, if needed, ask for access to bank account information and other financial, tax or benefit details as well as for other information, such as employment history, in order to provide the verification services. The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information.
We may also collect certain information automatically from your device as Technical Data. In some countries, including the UK and countries in the European Economic Area, this information may be considered personal information under applicable data protection laws.
Specifically, the information we collect automatically may include information like your IP address, device type, unique device identification numbers, browser-type, browser or digital fingerprint, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our Services, including session details, the pages accessed, links clicked and usage information (such as verifications requested).
Collecting this Technical Data enables us to better understand the users of our Services, where they come from, and what features or content is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our Services. We may also, where it is lawful to do so and with your express authorisation, use Technical Data to facilitate access by you or on your behalf to third party websites or online services in order to obtain Verification Data.
Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading “Cookies and similar tracking technology” below.
When you use our Services, you can permit us to access information from third parties (such as your employer, tax and/or other governmental authorities (such as HMRC), banks, brokers, credit providers) to enable us to obtain and to provide Verification Data (for example, relating to your previous or current employment or tax status) to our Clients whom you have authorised to request and receive this information. Verification Data contains personal information relating to you. For example, depending on the verifications you authorise, they could contain information on your educational attainments, employment history and status, visa status, salary, income payments, promotions, HR records, tax information or other information relating to you that you have requested the third party provide. The information contained in these verifications is securely stored on our platform and you decide if and when to share this information. "Verification Data" may include:
Our platform gives you the ability to request information directly from your third-party accounts, such as your bank account or your employer's payslip or HR provider or (where and to the extent permitted) government or public authority websites, including HMRC. In order to share Verification Data with the Clients you have authorised, we, or our third-party providers, may (where it is lawful to do so) ask you to provide your access credentials for your third-party accounts.
We process user account information data relating to other individuals in order to operate our platform and provide the Services. This information includes first name, last name, employer name, work email address, work phone number/mobile number, and in some cases other unique identifiers such as a payroll ID reference, and may relate to an employee, a Client representative or contact, or an Employer representative or contact ("User Account Information").
We also process information for marketing purposes, which we may obtain directly from you or from third parties, including your name, email, phone number, company name and employment details ("Marketing Data").
In general, we will use the personal information we collect from you only for the purposes described in this Privacy Notice or for purposes that we explain to you at the time we collect your personal information. However, we may also use your personal information for other purposes that are not incompatible with the purposes we have disclosed to you (such as archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes) if and where this is permitted by applicable data protection laws.
We may disclose your personal information to the following categories of recipients:
Our Clients and employers (described above) will both provide and receive your personal data in the course of our provision of services. For instance, employers will provide Verification Data on you and our Clients will access that Verification Data. When those Clients and employers access, use and otherwise process your personal data, they are acting as independent data controllers, which means they have their own obligations to comply with data protection law. They will have their own privacy notices, which describe how they collect, use and store your personal data, and how you can exercise your rights in relation to it. As you will have a direct relationship with them, you may already have a copy of their privacy notice, but if not, you can request a copy from them.
Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. In many cases, we act as a processor on behalf of employers and Clients and, in those situations, it is the employer or Client who requires a legal basis for processing your personal information and not us.
In some cases, personal information is regarded as “special category personal data”. Special category personal data is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. If we process special category personal data relating to you, we will do so either (i) on the basis of your explicit consent or (ii) only where and to the extent it is necessary for us to do so in order to establish, exercise or defend legal claims.
The following table sets out the different types of personal information we process when we act as a controller in the course of providing the Services, the purposes or processing activities for which such personal information is processed and (where and to the extent it is not “special category personal data”) the applicable lawful basis:
Legitimate Interests
Where the table above indicates that our processing of your personal information is carried out on the basis of legitimate interests, these can be our legitimate interests or a third party's legitimate interests. Our legitimate interests may include:
Third party legitimate interests may include, for example, our Clients’ interests in receiving our services and being able to verify your employment information in connection with, for example, considering whether to offer you employment.
If the lawful basis for processing is performance of contract and you fail to provide certain information to us when requested, then we may not be able to perform the contract we have entered into with you; for example, we may not be able to save your Verification Data for future use.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below.
We use cookies and similar tracking technology (collectively, “Cookies”) to collect and use personal information about you. For further information about the types of Cookies we use, why, and how you can control Cookies, please see our Cookie Notice here.
We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. A summary of our security measures is available here.
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different from the laws of your country.
Specifically, our website servers are located in the United Kingdom, and we use service providers located elsewhere (see here). This means that when we process your personal information it may be processed in any of these countries.
However, we have put appropriate safeguards in place to require that your personal information will remain protected in accordance with this Privacy Notice and with data protection laws. Those appropriate safeguards include use of the Standard Contractual Provisions adopted by the European Commission on 4 June 2021 and of the international data transfer agreement (IDTA) or (where applicable) the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum) issued under Data Protection Act 2018, s 119A.
If you wish to obtain more information on the safeguards we use and/or a copy of these, please refer to https://www.konfir.com/legals/security-measures
Where you have an account with us, we typically retain your personal information for seven years following the closure of your account. Where you do not have an account with us, we will typically retain your personal information for seven years from the date of the last relevant submission of Verification Data to our Client. We may keep your personal information for longer where we have an ongoing legitimate business need to retain the data for longer (for example, to improve our services, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
When we have no ongoing legitimate business need or lawful basis to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Some further detail on the periods we retain your personal information is included in our retention schedule here.
You have the following data protection rights:
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.