Privacy Policy

Fractal Labs Limited (“we”, “our”, “us”, “tomato pay”) trading as tomato pay are committed to protecting and respecting your privacy. We are registered in England and Wales under company number 8972946 and have our registered office at Flat A, 123 Southgate Road, London N1 3JY.

This policy and any other documents referred to herein (“Privacy Policy”) applies to the use of our website or application providing account information services and/or payment initiation services (our “App”). This Privacy Policy applies in addition to the relevant agreement you have entered into with us referencing this Privacy Policy, the “Terms”. If you register for an account with us, or otherwise use our services, you agree to us processing your personal data in the manner set out in this Privacy Policy.

This Privacy Policy sets out the basis on which we process the personal data we collect from the users of our App and/or website (whether you register for an account with us directly or as a “Referred User” i.e. you have been referred to us by one of our “Distributors” which means our partner organisations which promote our services) and employees of our Distributors (in each case “you”). Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

Because of the financial nature of our business, our products and services are not designed to appeal to or to be sold to persons under the age of 18. Therefore, we do not knowingly attempt to solicit or receive any information from persons under the age of 18.

This Privacy Policy applies where we are a data controller and are responsible for the collection, use, disclosure, retention and protection of your personal data (which has the meaning as set out in the Data Protection Act 2018, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR), any other European Union legislation relating to personal data and all other applicable laws, regulations or court judgements relating to the processing of personal data, data privacy, electronic communications, marketing and/or data security (the “Data Protection Laws”). For the purposes of the Data Protection Laws, we are registered with the Information Commissioner's Office under number ZA149049.

The terms “payment account,” “account information service” and “payment initiation service” have the meanings given to them in the Payment Services Regulations 2017.

1. Personal data we may collect from you

We may collect and process the following personal data about you:

  • Registration Information (App users only): Information that you provide by filling in forms on our App, including at the time of registering to use our App, subscribing to our service, posting material or requesting further services. We may also ask you for information when you enter any competition or promotion sponsored by tomato pay, and when you report a problem with our App. This information includes your name, e-mail address, telephone number, postal address, username and password to access the App.
  • Correspondence Information: If you contact us, we may keep a record of that correspondence.
  • Survey Information: Information which you provide to us by completing surveys or polls, and which we use for research purposes. You do not have to respond to these surveys.
  • App Transaction Data (App users only): Details (including value, date, identity of payee, identity of payer) of transactions you carry out through our App. Certain payments made through our App are administered by a third party payment processor and we do not have access to any debit or credit card numbers or information. However, we will gather the details of the transactions carried out through our App, such as value of payments and frequency of payments, but without viewing your billing information directly. Please note that any payments made using our third party payment processor will be subject to the payment provider's own user terms and privacy policy - you will be given the opportunity to read these before providing them with your data and completing the transaction.
  • tomato pay Data (App users only), which includes:
    • Transaction Information: information concerning your transactions, including the value of transactions and the payee and payer, which we obtain from your bank account(s) as part of the account information service and/or payment initiation service we provide to you or to a Distributor;
    • Consolidated Information: your consolidated Transaction Information, whether in its original form or whether it’s been consolidated or mixed with other information, and which we provide to you or, if you are a Referred User, to a Distributor to enable the Distributor to provide its services to you; and
    • Other Data: may include your accounting information from third party sources with which you have a relationships, including cloud-based accounting service providers. This information may include a description of your account; your bank account number, sort code and IBAN, roll number; bank account fees, charges and interest and rewards; details of your bank account transactions, standing orders and direct debits; the identity of merchants and transaction counterparties and related invoices.
  • tomato pay report and budget information (App users only): data charts and tables which we create in relation to tomato pay Data and to provide you with forward-looking budgets.
  • Mobile Information (App users only). information from your phone (like contact details from your address book) if you give us consent to use that data.
  • Session Information: Details of your visits to our App or website including, but not limited to, Internet protocol (IP) address used to connect your computer or phone to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and App or website, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise, and the resources that you access.
  • Cookie Information: Cookies are small files which are downloaded to your device when accessing our App or website. Most web browsers automatically accept cookies. We use the following categories of cookie:
    • Strictly necessary cookies. These are cookies that are required for the operation of our App or website. They include, for example, cookies that enable you to log into secure areas of our App or website, use a shopping cart or make use of e-billing services.
    • Analytical/ performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our App or website when they are using it. This helps us to improve the way our App or website works, for example, by ensuring that users are finding what they are looking for easily.
    • Functionality cookies. These are used to recognise you when you return to our App or website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
    • Targeting cookies. These cookies record your visit to our App or website, the pages you have visited and the links you have followed. We will use this information to make our App or website more relevant to your interests. We may also share this information with third parties for this purpose.
Cookie Name Cookie type Purpose
App State FL_Local Strictly necessary This cookie stores the current state of the application, e.g. the selected company.
Authentication Auth Strictly necessary This cookie is used to authenticate the client.
Session ID sessid Strictly necessary This cookie contains a session id and is used for audit logging.
Session ID JSESSIONID Strictly necessary This is a session management cookie.
CSRF Prevention CSRFToken Strictly necessary This is a session token that defends users to the site against Cross Site Request Forgery.
Hubspot Tracking __hstc Analytical/ Performance The main cookie for tracking visitors. It contains the domain, utk (see below), initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
Hubspot Tracking hubspotutk Analytical/ Performance This cookie is used for to keep track of a visitor's identity. This cookie is passed to HubSpot on form submission and used when de-duplicating contacts.
Hubspot Session __hssc Analytical/ Performance This cookie keeps track of sessions. This is used to determine if Hubspot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
Hubspot Session __hssrc Analytical/ Performance Hubspot session cookie to support browser restart.
Hubspot Tracking __hs_opt_out Analytical/ Performance This cookie is used by the Hubspot opt-in privacy policy to remember not to ask the user to accept cookies again.
Hubspot Tracking hsPagesViewedThisSession Analytical/ Performance This cookie is used to keep track of page views in a session.
Internationalisation i18next Functionality This cookie is used for language detection.
Intercom Session intercom-id-
intercom-lou-
intercom-session-		 Strictly Necessary These cookies are used to provide customer support with Intercom messages.
MixPanel Tracking mp_
_ga
_mkto_trk
_vwo_uuid		 Strictly Necessary We use these cookies to track app usage for billing purposes.
Segment intercom-session-
fs_uid
timezone
ajs_user_id
optimizelyEndUserId		 Strictly Necessary We use these cookies to track real-time events for fraud and AML monitoring purposes.

If you are an employee of a Distributor we may also collect and process the following personal data about you:

  • through our website when you register as a Distributor or use our services;
  • through email when you communicate with us;
  • through information that you provide to us, and from third party sources such as Companies House and LexisNexis for due diligence and onboarding purposes;
  • when you visit our website; and/or
  • when you provide us with your marketing preferences.

If you are a visitor to our website, we may also collect your personal data from the following sources:

  • through cookies (see above) that we have set on our website; and/or
  • when you provide us with your marketing preferences through the website.

In addition, we may aggregate and anonymise the categories of personal data listed above to create information which is not personal data (“Non-Personal Data”). Such Non-Personal Data is not personal data for the purposes of the Data Protection Laws and you hereby acknowledge and accept that we may retain Non-Personal Data indefinitely and use Non-Personal Data for any purpose.

2. Where we store your personal data

The personal data that we collect from you will be stored on our secure servers within the UK or European Economic Area (“EEA”). It may be also processed by staff operating outside of the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the operation of our App, the provision of services or provided through our app provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

Any Transaction Information and Consolidated Information will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our App, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

The transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data while in transit and to our App and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

3. The way we use your personal data

We use information held about you in the following ways:

  • We use Correspondence Information and Survey Information to ensure that content from our App is presented in the most effective manner for you and for your computer or mobile. The legal basis for such processing is our legitimate interest.
  • We use Registration Information to:
    • enable you to use our App and to carry out our obligations arising from any contracts entered into between you and us, or between us and the organisation which has provided you with access to our App; and
    • notify you about changes to our service and other service-related announcements, billing-related matters, changes to our App or policies, or other service or administrative-related matters.

The legal basis for such processing is for the performance of the contract between you and us.

  • We use App Transaction Data to enable us to analyse your transactions on our App, provide you with insights and alerts and carry out our obligations arising from and exercise our rights under any agreements between you and us, including tracing and recovering payments and debts. The legal basis for such processing is for the performance of the contract between you and us.
  • We use Transaction Information and Consolidated Information to provide you with the account information service and/or payment initiation services and to provide you with insights and alerts. The legal basis for such processing is for the performance of the contract between you and us.
  • We use Other Data to enable us to analyse your financial information on our App and provide you with insights and alerts. The legal basis for such processing is for the performance of the contract between you and us.
  • If you are a Referred User we shall share the Consolidated Information and the Other Data with the Distributor to the extent set out in the Terms. Any further processing of the Consolidated Information and the Other Data by the Distributor shall be governed by the Distributor’s privacy policy.
  • We use your Session Information to administer our site and for internal operations, including security, troubleshooting, data analysis, continuity, testing, research, statistical purposes. The legal basis for such processing is our legitimate interest.
  • We may use Registration Information to provide you with information regarding products or services, as set out in section 4 below. The legal basis for such processing (and disclosing to third parties, where relevant) is that you have consented for us to do so.
  • If you are an employee of a Distributor, we use your personal data: (a) to deliver our services to you; (b) to conduct any due diligence and onboarding we are required to do in order for you to receive our services; (c) to provide you with updates on our activities, services and products; and (d) to record your marketing preferences and any feedback or responses for the purposes of improving our services.
  • The legal basis for such processing under (a) and (b) is for the performance of the contract between you and us. The legal basis for such processing under (c) and (d) is that you have consented for us to do so.
  • If you are a visitor to our site, we use your personal data: (a) to provide you with updates on our activities, services and products; to record your marketing preferences and any feedback or responses for the purposes of improving our services; and (b) to allow us to run the operation of our website and ensure that our provision of Services through our website runs as smoothly as possible.

The legal basis for such processing under (a) and (b) is that you have consented for us to do so.

4. Marketing

If you are an existing customer, we may contact you by electronic means with marketing information about goods and services similar to those which were the subject of a previous sale to you (“Similar Services”).

We will provide you with information regarding our products and services other than Similar Services, and enable our selected third parties to contact you regarding their products and services, only to the extent you have requested us to do so or you have consented for us to do the same.

At any time you can opt-out of receiving future marketing communications from us by following the directions contained in the e-mail to unsubscribe, or by contacting us on the details below unsubscribe@tomatopay.co.uk

Our App may, from time to time, contain links to and from the websites of our Distributor networks and affiliates (including third party payment providers as described above). If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

5. Mobile Contacts (App users)

We will ask you to let us sync your mobile phone contacts. This will help you to identify which of your mobile phone contacts are tomato pay customers. Your ‘confirmed contacts’ will also be able to see if you are a tomato pay customer in the app.

The tomato pay app gives you access to features like paying your confirmed contacts and requesting payments from your confirmed contacts.

We use technological safeguards to ensure a ‘confirmed contact’ is somebody you already know and who knows you (for example, you have each other saved in each other’s mobile phone contacts lists). Both you and your confirmed contact must have synced your mobile phone contacts lists with tomato pay to be viewable to each other in the App. By syncing your mobile phone contacts or by using our syncing functionality, you are giving your consent for us to identify you as a tomato pay customer to your confirmed contacts.

We only show your basic contact details in the App to your confirmed contacts who are also tomato pay customers (for example, your name (as saved in your friend’s contacts list), mobile phone number, tomato pay username, your tomato pay profile photo (if you have one)).

You can, of course, choose not to sync your contacts list with tomato pay. This means that you will not be able to identify which of your mobile phone contacts are tomato pay customers.

You can also turn this feature off through the privacy settings in the App.

6. Disclosure of your personal data

We may disclose your personal data to:

  • The organisation which has provided you with access to our App (such as your employer or place of work) and its representatives, and third parties with whom you have decided to share content and commentary from our App. This shall include the tomato pay Data (comprising the Transaction Information, Consolidated Information and Other Data). The legal basis for disclosing your personal data is for the performance of the contract between you and us.
  • If we need to enforce or apply our applicable Terms and other agreements;
  • Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006 or our business partners, Distributors, suppliers and sub-contractors, in each case to enable us to provide the App and related services to you. The legal basis for disclosing your personal data is for the performance of the contract between you and us.
  • To a prospective seller or buyer of all, or substantially all, of the shares or assets of tomato pay Labs, in the event of a merger, acquisition or reorganisation, together with the professional advisors of such seller or buyer. The legal basis for disclosing your personal data is our legitimate interest.
  • To law enforcement authorities and organisations concerned with fraud prevention and credit risk and to our professional advisors, in order to enforce any agreement between us (or any of our rights thereunder); or to protect our rights, property, or safety, or that of our customers, or others; or to comply with a legal obligation. For these purposes, we may need to transfer your personal data outside of the EEA. The legal basis for disclosing your personal data is our legitimate interest and, in some cases, to comply with a legal obligation.
  • Santander only: If you are using the Santander version of our App (the CashFlow Manager by Santander | tomato pay), we will be sharing with Santander your personal data and other data relating to the account information services and/or payment initiation services we provide to you.

7. Retention of your personal data

We retain your personal data as long as it is necessary and relevant for our operations (including, where necessary, for providing our services to other users with whom your account has been associated). Please refer to the table below for more information in respect to each category of personal data. All deleted personal data is disposed of in a secure manner.

Category of personal data Duration of retention Reason for retention
Registration Information We shall retain your Registration Information for as long as you use the App. In practice, this means that we will retain this information for twenty (20) business days following the date on which the termination of the applicable Terms becomes effective, unless we have a good reason to retain it on a temporary basis. We need to retain your Registration Information to provide the App to you. In certain circumstances we may need to extend the retention period in the event of unpaid invoices, to resolve disputes, enforce our applicable Terms, or as may be required by law or regulation.
Correspondence Information We shall retain your Correspondence Information for as long as it takes to process and respond to you, but in any event for no longer than you use the App. In practice, this means that we will retain this information for no longer than twenty (20) business days following the date on which the termination of the applicable Terms becomes effective, unless we have a good reason to retain it on a temporary basis. We need to retain your Correspondence Information in order to respond to your enquiries. In certain circumstances we may need to extend the retention period in the event of unpaid invoices, to resolve disputes, enforce our applicable Terms, or as may be required by law or regulation.
Survey Information We shall retain your Survey Information for as long as it takes to process and analyse the results, but in any event for no longer than you use the App. In practice, this means that we will retain this information for twenty (20) business days following the date on which the termination of the applicable Terms becomes effective, unless we have a good reason to retain it on a temporary basis. We need to retain your Survey Information so that we can better understand our customers’ usage of the App and how we can improve it.
Transaction Information/Consolidated Information We shall retain your Transaction Information/Consolidated Information for as long as you use the App. In practice, this means that we will retain this information for twenty (20) business days following the date on which the termination of the applicable Terms becomes effective, unless we have a good reason to retain it on a temporary basis. We need to retain your Transaction Information/Consolidated Information to provide the App to you. In certain circumstances we may need to extend the retention period in the event of unpaid invoices, to resolve disputes, enforce our applicable Terms, or as may be required by law or regulation.
Other Data We shall retain your Other Data for as long as you use the App. In practice, this means that we will retain this information for twenty (20) business days following the date on which the termination of the applicable Terms becomes effective, unless we have a good reason to retain it on a temporary basis. We need to retain your Other Data to provide the App to you. In certain circumstances we may need to extend the retention period in the event of unpaid invoices, to resolve disputes, enforce our applicable Terms, or as may be required by law or regulation.
User generated data in app We shall retain data generated by you in the app (e.g., recategorisation of transactions) for as long as you use the App. In practice, this means that we will retain this information for twenty (20) business days following the date on which the termination of the applicable Terms becomes effective, unless we have a good reason to retain it on a temporary basis. We need to retain your user generated data to provide the App to you. In certain circumstances we may need to extend the retention period in the event of unpaid invoices, to resolve disputes, enforce our applicable Terms, or as may be required by law or regulation.
App State (FL_Local) It is deleted at the end of the browser session. This cookie will remain for the duration of your browsing session to enable to perform certain essential functions of the service.
Authentication (Auth) It is deleted at the end of the browser session. This cookie will remain for the duration of your browsing session to enable us to authenticate users and prevent fraudulent use of user accounts.
Session ID (sessid) It is deleted at the end of the browser session. This cookie will remain for the duration of your browsing session to enable us to authenticate users and prevent fraudulent use of user accounts.
Session ID (JSESSIONID) It is deleted at the end of the browser session. This cookie will remain for the duration of your browsing session to enable us to authenticate users and prevent fraudulent use of user accounts.
CSRF Prevention (CSRFToken) It is deleted at the end of the browser session. This cookie will remain for the duration of your browsing session to authenticate users and block unauthorised requests from other sites.
Company ID (companyid_)_ It is deleted at the end of the browser session. The cookie will remain for the duration of your browsing session to enable to perform certain essential functions of the service.
Hubspot Tracking (__hstc) 2 years This cookie tracks visitors. It contains the domain, utk (see below), initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
Hubspot Tracking (hubspotutk) 10 years This cookie is used for to keep track of a visitor’s identity. This cookie is passed to HubSpot on form submission and used when de-duplicating contacts.
Hubspot Session (__hssc) 30 minutes This cookie keeps track of sessions. This is used to determine if Hubspot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
Hubspot Session (__hssrc) It is deleted at the end of the browser session. This session cookie is used to support browser restart.
Hubspot Tracking (__hs_opt_out) 2 years This cookie is used by the Hubspot opt-in privacy policy to remember not to ask the user to accept cookies again.
Hubspot Tracking (hsPagesViewedThisSession) It is deleted at the end of the browser session. This cookie is used to keep track of page views in a session.
nternationalisation (i18next) It is deleted at the end of the browser session. This cookie is used for language detection.
Intercom Session (intercom-id-), (intercom-lou-), (intercom-session-) It is deleted at the end of the browser session. These cookies are used to provide customer support with Intercom messages.
MixPanel Tracking (mp_), (_ga), (_mkto_trk), (_vwo_uuid) It is deleted at the end of the browser session. These cookies are used to analyse how our App is used to continually improve our product delivery.
Segment It is deleted at the end of the browser session. These cookies are used to analyse how our platformApp is used to continually improve our product delivery.

8. Accessing your personal data and your rights

As a result of us collecting and processing your personal data, you have the following legal rights:

  • To access personal data we hold about you.
  • To request that we make any changes to your personal data if it is inaccurate or incomplete.
  • To request your personal data is erased where we do not have a compelling reason to continue to process such data in certain circumstances.
  • To receive your personal data provided to us as a data controller in a structured, commonly used and machine-readable format where our processing of the data is carried out by automated means and is based on: (i) your consent; or (ii) our necessity for performance of a contract to which you are a party to; or (iii) steps taken at your request prior to entering into a contract with us.
  • To object to, or restrict, our processing of your personal data in certain circumstances.
  • If we use your personal data for direct marketing, you can ask us to stop and we will comply with your request.
  • If we use your personal data on the basis of having a legitimate interest, you can object to our use of it for those purposes, giving an explanation of your particular situation, and we will consider your objection.
  • To object to, and not be subject to a decision which is based solely on, automated processing (including profiling), which produces legal effects or could significantly affect you.
  • To lodge a complaint with a data protection supervisory body, which at present, is the Information Commissioner’s Office. You may contact them on 0303 123 1113.

You may at any time request information about the personal data we hold about you by emailing us at privacy@tomatopay.co.uk.

9. Changes to our Privacy Policy

Any changes we may make to our Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. We recommend you regularly check this Privacy Policy to identify any changes.

10. Contact

If you have any questions or comments regarding this Privacy Policy, or if you want to exercise any of your rights, including as set out in section 6 above, or you wish to withdraw your consent where we have stated we are processing your personal data based on your consent, please contact us at privacy@tomatopay.co.uk.