Privacy notice

This privacy notice sets out who we are, and how and why we collect, store, and use your personal data: through our website, when you get in touch to find out more about or to demo our products, when you sign up as a customer, or when we otherwise process your personal data in respect of our banking services. Below we provide tailored information depending on who you are.

First, the official bit:

  • “We” are Griffin Bank Ltd, a company registered in England and Wales with company number 10842931. Our registered office address is 9th Floor, 107 Cheapside, London, EC2V 6DN.
  • “You” are an individual person using our website, https://griffin.com, signing up as a Griffin customer or otherwise benefitting from Griffin’s banking services.
  • We are based in the UK and subject to the UK General Data Protection Regulation (UK GDPR).

Beyond our legal and regulatory requirements, we want you to trust us with your personal data. We take your data privacy and security seriously, and we're fully committed to helping you exercise your rights over any personal data we hold. That's why, throughout this notice, we try to be entirely clear and transparent about:

  • How, why, and when we collect your personal data
  • What types of personal data we collect
  • Who we share it with
  • How long we hold it for
  • What we do to keep it safe

If anything in this policy is unclear or you have questions, please contact us at privacy@griffin.com.

How and why we use your personal data

How and why we process your personal data will depend on who you are. Below we provide tailored information on the personal data that we will collect and what we will do with it, depending on whether you are a customer, prospective customer, a third party who we may process personal data about in respect of our banking services or a website user.

We may collect, use and share aggregated data. Aggregated data is statistical or demographic data that cannot be used to directly or indirectly identify you, and so is not considered personal data.

For example, we may aggregate your usage data to help us calculate the percentage of users accessing a specific website page or using specific products. If we ever combine or connect aggregated data with your personal data, we treat the combined data as personal data.

Our products, services and website are not intended for use by children, and we do not knowingly collect or use personal data about children under the age of 16.

In line with data protection law, we only use your personal data if we have a “lawful basis” for doing so.

A lawful basis can include:

  • Consent. This is when you have given us clear consent to process your personal data for a specific purpose. For example, you might consent to receive marketing communications from us.
  • Contract. This is where we need to use your personal data to fulfil a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
  • Legal obligation. This is when we need to use your personal data to comply with the law.
  • Legitimate interests. In simple language, a legitimate interest is when we (or one of our third party service providers) process your personal data in a way you would reasonably expect us to, when there's a clear benefit for us or a third party in doing so, and there's a low risk of us infringing your privacy rights. You can learn more about the legitimate interest basis on the ICO website.

Below we provide a detailed breakdown of the lawful bases that we rely on for different processing activities, depending on whether you are a customer, prospective customer, third party who we may process personal data about in respect of our banking services or a website user.

Who we share your personal data with

We may share your personal data with our chosen service providers from time to time. Below, we provide details of the third party service providers we may use, as these differ depending on who you are.

We only allow our service providers to handle your personal data if we are sure that they will protect it to the same standard that we do. As part of their contracts with us, our service providers may only use your personal data to provide services to us and to you, for the purposes listed in the tables below.

We may disclose your personal data to law enforcement agencies and regulatory bodies if we are required to do so.

We may also need to share some personal data with other parties during a corporate restructuring, or with third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them.

Usually, data will be anonymised but this may not always be possible. The recipient of the data will be bound by confidentiality obligations.

Marketing

We may use your personal data to send you marketing communications by email, text message, or post. This includes information about exclusive offers, promotions or information on new products. We will only send you marketing communications if we have your consent to do so or if it is in our legitimate interests to send them (such as business-to-business marketing).

We will never sell your personal data or share it with other organisations for marketing purposes.

You can ask us to stop sending you marketing communications at any time by:

We may ask you to confirm or update your marketing preferences from time to time, if there are changes in laws or regulations, or if we change the structure of our business.

Even if you have opted out of all marketing communications, we might still send you necessary updates or communications about products and services you have purchased from us, or respond to direct queries from you. These are not considered marketing communications because they contain information you need to use and find value from the product.

Your rights

You have the following rights over your personal data, which you can exercise at any time without paying any fee or charge to us.

  • Right of access. We must provide you with access to any personal data we have collected about you if you request it.
  • Right to rectification. We must correct any mistakes regarding your personal data if you ask us to.
  • Right to be forgotten. In certain situations, we must delete your personal data if you ask us to, although this is not an absolute right.
  • Right to limit or restrict how we use your data. In certain circumstances, at your request, we must restrict processing of your personal data, or parts of your personal data (for example, if you contest the accuracy of the data).
  • Right to data portability. If you request access to the personal data we hold about you, we must provide it to you in a structured, commonly used and machine-readable format.
  • Right to object. You can object to us processing your personal data for certain purposes, for example direct marketing purposes or if we are relying on our legitimate interests for the processing.
  • Right not to be subject to automated processing. Automated processing refers to decisions made without human involvement and includes profiling. We must not use automated processing to make a decision about you if that decision affects your legal rights or has other significant impacts for you.

If you would like to exercise any of these rights, please write to us at privacy@griffin.com. We try to respond to all requests within one month.

If your request is clearly unfounded, repetitive, or excessive (for example, if you've made several repeat requests in a short period of time), we may charge you a reasonable fee to cover our admin costs, or refuse your request altogether.

You can learn more about your data rights on the ICO website.

Keeping your personal data secure

We have a number of procedures and controls in place to stop your personal data from being lost, stolen, or otherwise used or accessed unlawfully.

  • Access. Within Griffin, access to personal data operates on the basis of “least privilege”, which means that our employees only have access to your personal data if they absolutely need it to do their job (such as customer support managers).
  • Authentication. We use modern, best practice authentication controls, including two-factor authentication. We require the same level of authentication in all third party systems, software, or applications that we use.
  • Physical security. We make sure robust physical and environmental controls are in place around any data centre where we store personal data.
  • Network security. We use strong firewalls, and all software is placed in the most restrictive zone possible on the basis of “least privilege”. All network zones block traffic not essential to perform their required tasks (both inbound and outbound).
  • Threats and vulnerabilities. We constantly review and test the security of our platforms and IT systems to identify and fix any vulnerabilities that hackers could exploit.

We have incident management procedures in place to deal with any suspected data security breaches. You will be contacted as soon as possible if we believe your personal data has been involved in a suspected breach.

How long your personal data will be kept

We hold on to different types of personal data for different lengths of time depending on why we are using it, but we do not keep your personal data for longer than we need it. When we no longer need to hold onto your personal data, we delete it or anonymise it.

If you are a Griffin customer or have purchased products or services from us on behalf of your organisation and that organisation is a Griffin customer, we will keep your personal data while we are providing those products or services. After that, we may keep your personal data so that we can:

  • respond to any questions, complaints, or claims made by you or on your behalf
  • show that we treated you fairly
  • keep any records required by law

We are required to retain certain customer records for at least 3 years from the date of a customer exercising its statutory rights to cancel a product. We are required to retain other personal information for at least 6 years so that sufficient information is available in the event of a legal claim. We are also required to retain some personal information for 10 years, for financial crime purposes.

If you'd like to know more about specific retention periods for different types of personal data, please contact us.

How to contact us

If you have any questions about this privacy notice or the data we hold about you, or if you want to exercise your rights under data protection law, please contact our Data Protection Officer (DPO) at privacy@griffin.com.

How to complain

If you feel that we have misused your personal data or failed to keep it secure, you should contact our DPO at privacy@griffin.com and clearly state that you wish to make a complaint. We are committed to investigating all complaints promptly, thoroughly, and transparently and providing you with a fair resolution as soon as we can.

You also have the right to make a complaint to the Information Commissioner's Office at any time. You can lodge your complaint in writing here: https://ico.org.uk/make-a-complaint. Alternatively, you can contact the Information Commissioner by phone at 0303 123 1113.

Changes to this privacy notice

This privacy notice was last updated in February 2024. When we update this notice, we'll post details of what has changed here. We may also contact you directly if we make changes that affect how we process your personal data.


If you are a customer or prospective customer

This section applies if you are a Griffin Bank customer in your individual capacity or if you are an employee, director or shareholder of a Griffin Bank business customer. It also applies where you are a prospective customer or your organisation is a prospective customer, applying for our products and services.

Note that data protection laws only apply to personal data relating to individuals, and therefore they don’t govern data relating to corporate entities.

Types of personal data

We collect different types of personal data about you depending on the products that you are signing up for and also whether you are signing up in your individual capacity or as an employee, director or shareholder of a Griffin Bank business customer.

The list below covers all the kinds of data we may collect about you:

  • Identity data: your full name, title, date of birth, information about your right to live in the UK, your tax residency and identification information such as a copy of your ID documents
  • Contact data: your residential address, previous residential addresses, email address, and telephone number(s)
  • Financial data: your employment status, annual income, number of dependents and residential status
  • Transaction data: your bank account details, including account number and sort code and your transaction history including details of payments to and from your account
  • Usage data: information about how you use our products and services including survey responses
  • Technical data: internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technical information about the devices you use
  • Marketing and communications data: your marketing communications preferences

We will only process “special category” personal data about you where we are legally permitted to do so. In order to process special category personal data we need to identify an applicable special category processing condition.

We may need to process special category personal data about you in certain circumstances, for example information about your health if you voluntarily provide this to us, in order for us to make adjustments to support you. We will only process this information with your explicit consent.

How we collect your personal data

We collect personal data about you through three main channels.

Direct interactions. You may provide your personal data when you contact us, purchase products or services from us and use our products and services.

Automated technologies or interactions. When you use our products, we automatically collect technical data about your equipment and browsing patterns, using cookies and similar technologies. Please see our cookie policy for more information.

Third parties or publicly available sources. We may receive personal data about you from third parties such as:

  • Credit check providers we use to verify your identity and assess your credit score (we do this via a 'soft search')
  • Background check providers we use to carry out the ‘Know Your Customer’ and ‘Anti-Money Laundering’ checks we are required to carry out by law
  • The Home Office when we screen potential and active customers against the list of disqualified persons provided by the Home Office, in order to comply with our obligations under the Immigration Act 2014

We may also collect information about you from public sources such as:

  • Companies House or the UK Electoral Register
  • Information published by the press or on social media

How and why we use your personal data

Purpose: To consider your application, register you or your organisation as a customer and respond to your enquiries.
Types of personal data: Identity, Contact, Financial
Lawful basis:
  • Contract: we need to do this in order to enter into a contract with you and perform that contract.
  • Legal obligation: we are legally required to confirm your identity and check certain information about you before providing our products and services.
  • Legitimate interest: to set up and manage customer relationships.

Purpose: To perform credit, background or disqualified person checks on you, either in your individual capacity or in your capacity as a director, shareholder or beneficial owner of a corporate entity.
Types of personal data: Identity, Contact
Lawful basis:
  • Contract: we need to do this in order to enter into a contract with you and perform that contract.
  • Legal obligation: we are legally required to carry out certain checks before providing our products and services.
  • Legitimate interest: to assess and make informed decisions about our prospective customers.

Purpose: To provide products and services to you, including: to manage payments, fees, and charges and to collect money owed to us.
Types of personal data: Identity, Contact, Transaction
Lawful basis:
  • Contract: we need to do this to perform our contract with you.
  • Legitimate interest: to receive payments and recover debts.

Purpose: To manage our relationship with you, including: notifying you about changes to our products or services, terms and conditions, or this privacy notice and asking you to leave feedback or take a survey.
Types of personal data: Identity, Contact, Transaction
Lawful basis:
  • Contract: we need to do this to perform our contract with you.
  • Legal obligation: we are legally required to inform you of certain changes.
  • Legitimate interest: to help us keep our records up-to-date and better understand how customers use our products and services.

Purpose: To prevent illegal activities such as money laundering and fraud.
Types of personal data: Identity, Contact, Transaction
Lawful basis:
  • Legal obligation: we are legally required to take action to prevent illegal activities.

Purpose: To keep records of our dealings with you in line with legal requirements.
Types of personal data: Identity, Contact, Transaction, Usage
Lawful basis:
  • Legal obligation: we are legally required to keep certain records.

Purpose: To investigate and fix complaints and other problems.
Types of personal data: Identity, Contact, Technical, Transaction, Usage
Lawful basis:
  • Contract: we need to do this to perform our contract with you.

Purpose: To make suggestions and recommendations about products or services that may be of interest to you.
Types of personal data: Identity, Contact, Technical, Transaction, Usage, Marketing Communications
Lawful basis:
  • Consent or Legitimate interest: to grow our business.

Who we share your personal data with

In addition to the categories of third parties listed in ‘Who we share your personal data with’ at the start of this privacy notice, we routinely share personal data with the following service providers:

  • Amazon Web Services (AWS), our cloud provider
  • Form3, our Bacs payment gateway
  • Intercom, our customer support platform
  • TruNarrative, our customer due diligence onboarding provider
  • Veriff, our identification and verification system

All of the above service providers process your personal data within the UK and EEA.

We will also share certain personal data with our chosen credit check, background check and disqualified person check providers from time to time, for the purpose of carrying out these checks on you.

Transferring your personal data out of the UK

We do not process any customer transaction data outside of the UK and EEA.

Sometimes it is necessary for us, or our service providers, to share other personal data about you outside of the UK. When we do this, we are subject to special rules under UK data protection law.

If we transfer your personal data outside of the UK, we must:

  • confirm that the recipient is located in a country with data protection laws that are substantially equivalent to the UK's; or
  • put safeguards in place (such as approved standard contractual clauses) so that your data rights are enforceable and you have access to legal remedies if something goes wrong; or
  • confirm that a specific exception applies under data protection law.

Please contact privacy@griffin.com if you would like further information about where your personal data is transferred and what measures we have put in place.

Cookies and other tracking technologies

We use cookies on our site. For further information on what cookies are and how we use them, please see our cookie policy.


If you are a third party (not a customer) who we may process personal data about, in respect of our banking services

This section applies if you are a third party payee whose personal data we process via our Confirmation of Payee services and if you are a third party (non customer) beneficiary of one of our customer accounts.

Types of personal data

We collect different types of personal data about you depending on who you are.

The list below covers all the kinds of data we may collect about you:

  • Identity data: your full name and title and identification information such as a copy of your ID documents
  • Transaction data: your bank account details, including account number, sort code and international bank account number, and payment references

How we collect your personal data

We will collect personal data about you from third parties, such as:

  • Your bank, if you are a third party payee whose personal data we process via our Confirmation of Payee services.
  • Our customer, where you are a third party (non customer) beneficiary of one of our customer accounts.

How and why we use your personal data

If you are a third party payee whose personal data we process via our Confirmation of Payee services, we process your name, title and bank account details in order to confirm to our customer whether the details they are using to make a payment are a match or partial match. Our lawful basis for this processing is legitimate interests: our legitimate interests, our customer’s legitimate interests and your legitimate interests to ensure that the payment is made to the correct payee.

If you are a third party (non customer) beneficiary of one of our customer accounts, we may process your Identity Data to perform credit or background checks on you, either in your individual capacity or as a director, shareholder or ultimate beneficial owner of a corporate entity. We do this to assess and make informed decisions about our customers and the beneficiaries associated with our products and services. Our lawful basis for this processing is:

  • Legal obligation: we are legally required to carry out certain checks before providing our products and services
  • Legitimate interest: to assess and make informed decisions about our prospective customers

Who we share your personal data with

In addition to the categories of third parties listed in the ‘Who we share your personal data with’ section at the start of this privacy notice, we routinely share personal data with the following service providers:

  • Amazon Web Services (AWS), our cloud provider
  • Form3, our Bacs payment gateway
  • Intercom, our customer support platform
  • TruNarrative, our customer due diligence onboarding provider
  • Veriff, our identification and verification system

All of the above service providers process your personal data within the UK and EEA.

Transferring your personal data out of the UK

We do not process any customer Transaction Data outside of the UK and EEA.

Sometimes it is necessary for us, or our service providers, to share other personal data about you outside of the UK. When we do this, we are subject to special rules under UK data protection law.

If we transfer your personal data outside of the UK, we must:

  • confirm that the recipient is located in a country with data protection laws that are substantially equivalent to the UK's; or
  • put safeguards in place (such as approved standard contractual clauses) so that your data rights are enforceable and you have access to legal remedies if something goes wrong; or
  • confirm that a specific exception applies under data protection law.

Please contact privacy@griffin.com if you would like further information about where your personal data is transferred and what measures we have put in place.


If you are a website user or are getting in touch to find out more about our products

This section applies if you are a website user or if you are getting in touch to demo or find out more about our products.

Our website may contain links to other websites. If you follow one of these links, please note that destination websites will have their own privacy policies and that we do not accept any responsibility or liability for these.

Types of personal data

We collect different types of personal data about you depending on how and why you interact with us. For example, you might browse our website to find out more about our products, log into our product sandbox to demo our product or send us feedback via email.

The list below covers all the kinds of data we may collect about you during these interactions:

  • Identity data: your full name, title, and date of birth.
  • Contact data: your address, email address, and telephone number(s).
  • Transaction data: any records of communications we have had with you.
  • Usage data: information about how you use our website including survey responses, download errors, and page interaction information.
  • Technical data: internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technical information about the devices you use.
  • Marketing and communications data: your marketing communications preferences.

We do not routinely collect and process “special category” personal data about you.

How we collect your personal data

We collect personal data about you through three main channels.

Direct interactions. You may provide your personal data when you access our website, register for our sandbox to demo our products, contact us, send us feedback, subscribe to our marketing materials, or purchase products or services from us on behalf of your organisation.

Automated technologies or interactions. When you browse our website, we automatically collect technical data about your equipment and browsing patterns, using cookies and similar technologies. Please see our cookie policy for more information.

Third parties or publicly available sources. We may receive personal data about you from third parties and publicly available sources such as Companies House or the UK Electoral Register. We may also receive Technical data about you from the following parties:

  • Google Analytics, our website analytics provider
  • Beauhurst
  • Leadfeeder
  • LinkedIn
  • Pipedrive

How and why we use your personal data

The table below gives a detailed breakdown of what we use different types of personal data for, and our lawful bases for doing so. See section “Types of personal data” for definitions of the terms listed below.

Purpose: To respond to your enquiries.
Types of personal data: Identity, Contact
Lawful basis:
  • Legitimate interest: to set up and manage customer relationships

Purpose: To manage our relationship with you, including: notifying you about changes to our products or services, terms and conditions, or this privacy notice and asking you to leave feedback or take a survey.
Types of personal data: Identity, Contact, Transaction
Lawful basis:
  • Legal obligation: we are legally required to inform you of certain changes
  • Legitimate interest: to help us keep our records up-to-date and better understand how customers use our products and services

Purpose: To conduct troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data.
Types of personal data: Identity, Contact, Technical
Lawful basis:
  • Legitimate interest: these activities are necessary for day-to-day running of our business and IT services, for network security, and to prevent fraud
  • Legal obligation: we are legally required to have robust controls in place to prevent fraud

Purpose: To deliver demos of our products and services to your organisation, including granting you access to our sandbox so that you can demo the products yourself. Note that you must only upload test data to the sandbox and should not demo our products using actual personal information.
Types of personal data: Identity, Contact
Lawful basis:
  • Legitimate interest: to promote our products and grow our business

Purpose: To track and analyse who is accessing our website and how they are using it.
Types of personal data: Identity, Contact, Technical, Usage, Marketing and Communications
Lawful basis:
  • Legitimate interest: analysis of this data helps us measure the effectiveness of our website and marketing strategy, better define and understand our target customers, develop better customer relationships and user experiences, and improve our products and services

Purpose: To make suggestions and recommendations about products or services that may be of interest to you.
Types of personal data: Identity, Contact, Technical, Transaction, Usage, Marketing and Communications
Lawful basis:
  • Consent or Legitimate interest: to grow our business

Who we share your personal data with

In addition to the categories of third parties listed in the ‘Who we share your personal data with’ section at the start of this privacy notice, we routinely share personal data with the following service providers:

  • Google, our email and website analytics provider
  • Slack, our instant messenger provider
  • PipeDrive, our Customer Relationship Management (CRM) software provider

We process and store your information using Amazon Web Services (AWS), our cloud service provider.

Transferring your personal data out of the UK

Sometimes it is necessary for us, or our service providers, to share your personal data outside the UK. When we do this, we are subject to special rules under UK data protection law.

If we transfer your personal data outside of the UK, we must:

  • confirm that the recipient is located in a country with data protection laws that are substantially equivalent to the UK's; or
  • put safeguards in place (such as approved standard contractual clauses) so that your data rights are enforceable and you have access to legal remedies if something goes wrong; or
  • confirm that a specific exception applies under data protection law.

Please contact privacy@griffin.com if you would like more information about where your personal data is transferred and what measures we have put in place.

Cookies and other tracking technologies

We use cookies on our website. For further information on what cookies are and how we use them, please see our cookie policy.