Privacy Policy

Version 3.0, 31st October 2019


Coconut (“we”, “us”, “our”) takes your privacy seriously and we are committed to best practices in respect of your personal data and complying with data protection laws.

This policy applies to Coconut as a whole; including our website and mobile app, and is written for visitors to our website, our wait list and our customers. This policy also applies to various storage mediums including physical and digital.

Who we are

Coconut is a company registered in England and Wales with number 09904418 (our registered name is Coconut Platform Ltd). Our registered office is 27 Old Gloucester Street, London, WC1N 3AX, but you can find us at 35 Luke Street, London, EC2A 4LH.

We deliver the Coconut product and service, including designing and developing the Coconut app, processing account applications and providing ongoing customer support.

In respect of GDPR, we are the data controller, meaning we collect your personal information and choose how to process it and who we need to share it with for further processing.

You can chat to us any time through the Coconut app by pushing the chat icon, plus you can email us at [email protected].

For data protection specific questions please contact [email protected].

Our banking partner, PPS

We work with a financial services partner called Prepay Technologies Ltd, trading as PrePay Solutions (“PPS”), and is a company registered in England and Wales with number 04008083 and a registered office at 6th Floor, 3 Sheldon Square, Paddington, London W2 6HY.

PPS is an Electronic Money Institution authorised by the Financial Conduct Authority (FRN 900010). PPS provides Coconut with access to banking and payments infrastructure, and is also the issuer of the Coconut Card and Account. They are part-owned by Mastercard and have issued over 100 million cards worldwide.

PPS are a separate data controller for activities limited to your Coconut Card and Account: receiving, activating and using your card, making and receiving payments, meeting legal requirements, answering requests and providing information to you. PPS does not use your personal information for marketing purposes and never shares your information with third parties for marketing purposes.

You can email PPS at [email protected] or you can call PPS on +44(0)845 303 5303. PPS’s Data Protection Officer can be contacted at PO Box 3883, Swindon SN3 9EA or at [email protected].

The data we collect and why

In order to offer our service which is to operate, maintain and support our current account we need to collect various personal data for various reasons. These reasons are:

  • Contract: when you open and use our account you enter into a contract with us to provide our services
  • Legal obligation: we are legally obliged to process your personal data e.g. for the prevention of fraud and to offer strong customer security
  • Legitimate interests: providing our type of product requires in some cases that we process data e.g. for improving our service
  • Consent: where applicable, such as communications preferences, we will ask for your consent

The following table summarises which data is collected, on which bases it is processed and which data controllers collect and process it.

Data & Description Coconut PPS
Personal details

Full legal name, preferred name, date of birth and address

Contract, Legal Basis

Business details

Trading name, legal status and profession

Contract, Legal Basis

Contact details

Your email and mobile

Contract, Legal Basis

Technical data

Device vendor ID, name, make and model. Your IP address may also be collected

Contract, Legal Basis

Account data

Details about the use of your card account such as card activity (payments, refunds, withdrawals etc.) and also payments to and from contacts and Direct Debits

Contract, Legal Basis

Communications data

What we learn about you from emails and conversations between you and us

Contract, Legal Basis, Consent

Documentary data

A photographic “selfie” that allows us, together with your photo ID, to ensure we can verify who you are

Contract, Legal Basis

Analytical data

Data related to how you use our products and services such as which actions are taken in the app or on the account

Legitimate Interests

Account Information Services

We use an Account Information Services Provider (Truelayer) to connect your other accounts to Coconut. When you connect, Truelayer gains read-only access and stores transaction data associated with the connected accounts. This lets us display your account information and transactions within Coconut. All your details are encrypted and protected by bank level security.

By connecting with Truelayer you’ll be agreeing to their Terms of Service and Privacy Policy.

For the purposes of providing Account Information Services, Truelayer will retain Personal Data. Such Personal Data may include your date of birth, gender, account information, account balance, transactions, information on loans, insurance data and investments data. The manner in which Truelayer access, use, process and store your personal data for the provision of the Services is set out in Truelayer’s Privacy Policy.

Sources of personal data

Personal information will only be collected directly and voluntarily from you as part of the application process or as a result of transactions relating to your Coconut Cards. Some personal information may be verified by us and PPS with use of publicly accessible sources to fulfil customer due diligence.

Storage and recipients of personal data

We store your data primarily in the European Economic Area (EEA) however there are some aspects of operating our service that require us to transfer and store parts of your personal data with 3rd parties in non-EEA countries. We only send your personal information outside of the non-EEA countries with your permission, on your instructions or to comply with a legal duty.

Where this is the case we have ensured that we have the necessary agreements in place with those 3rd parties to the level expected by European data protection law.

Some of the kinds of 3rd parties that receive your personal data are in the areas of:

  • Infrastructure (servers, databases etc.)
  • Identity checking
  • Anti money laundering
  • Banking
  • Address/account lookup
  • System emails
  • Update/marketing emails
  • Text messages
  • Push messages
  • Error logging
  • Customer support
  • Product and marketing analytics
  • Card manufacturers
  • Card scheme

In relation to personal information processed by Mastercard certain processors are located outside of Europe. Personal information processed by Mastercard is subject to Mastercard Binding Corporate Rules which you have enforcement rights under as a third-party beneficiary.

Security of data

We operate a “Secure by Design” approach to protecting your data. This involves the use of best practices such as intrusion detection systems, firewalls, access control, encryption and key rotation and policies that ensure only those who need access to data do.

3rd parties holding your personal data are expected to apply the same level of security and controls.

Whilst we issue notifications for key changes in your profile, if you suspect anything suspicious please let us know.

If we become aware of unauthorised access to your data we will contact you promptly.

Read more on Coconut security

Selling information

We do not and will never sell your personal data.

Data retention

Your personal data are retained so long as you remain an active customer of Coconut, i.e. you have an open account with us.

In the event that you wish to close your Coconut account we don’t keep your information for longer than we need to, which is usually 7 years after the end of the relationship or upon termination of the contract, unless we are required to keep it longer (for example due to a court order or investigation by law enforcement agencies or regulators). This is so that we meet our legal obligations, e.g. the Money Laundering Regulations 2017.

After this time has elapsed your data will be deleted from all Coconut, PPS and 3rd parties systems.

Your rights

Under the General Data Protection Regulation 2018 you have enhanced rights in respect of your personal data and special category data.

  • Right to be informed. This Privacy Policy constitutes our informing you of how we use your personal data and your rights.
  • Right of access. You have the right to understand how we process your personal data and on which legal basis as provided in this Privacy Policy. You also have the right to request access to your personal data.
  • Right to rectification. You have the right to correct any incorrect personal data we store about you. You can change your own personal data in most cases or else speak with our Customer Support team.
  • Right to erasure. Also known as the right to be forgotten, you may ask for your personal data to be deleted. Please note that this will constitute an account closure in most cases. We are legally obliged to retain data however even after an account closure – see Data Retention.
  • Right to restrict processing. You have the right to restrict our processing of your personal data.
  • Right to data portability. You have the right for your personal data to be exportable in easy to use, open formats such as CSV.
  • Right to object. You have the right to object to use of your personal data for direct marketing.
  • Right to withdraw consent. You have the right to withdraw your consent to the processing of your personal data. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
  • Rights related to automated decision making including profiling. We explain in this Privacy Policy our use of automated decision making.

To exercise any of your legal rights, you can email us at [email protected] (or PPS at [email protected]).

For a more detailed explanation of each of these rights we would encourage interested readers to visit the Information Commissioner’s Office on GDPR.

Automated decision making

3rd parties that we use in respect of identity checking and fraud prevention may offer us an automated result based on your personal data and special category data.

These results are only used in part of a manual decision process on whether we wish to offer a Coconut account to you.

It is our right to decide whether to offer an account or not.

How can I manage my Coconut Privacy?

You can use the Profile area of the app to view or update some of your personal data.

Big Data

Big Data means processing and analysis of large amounts of data to identify patterns, trends and associations that can be used to make decisions.

Coconut shall only ever perform such Big Data processing on anonymised data, i.e. data that is not linked to a specific person.

Example: we might want to understand how age groups of our customers relate to the usage of Coconut features so that we can tailor our product better.

Fighting financial crime

Coconut and PPS will use your personal information to help decide if your accounts may be being used for fraud or money-laundering. We may detect that an account is being used in ways that fraudsters work. Or we may notice that an account is being used in a way that is unusual.

If we think there is a risk of fraud, we may stop activity on the accounts or refuse access to them.  We might also check and share your information with fraud and money laundering prevention agencies, other financial institutions and other screening, fraud and money laundering prevention providers. If fraud is identified or suspected, these third-party entities may keep a record of that information and we may refuse to provide any services. Law enforcement agencies may access and use this information.


If you aren’t happy with how we’ve handled your personal information, please email us at [email protected] and we’ll try our best to make it right. For complaints relating to how PPS have handled your personal information, you can contact their Data Protection Officer at [email protected].

If you’re still not happy, you can contact the Information Commissioner’s Office

Closing your account

It’s sad, but the expression of some of your rights such as erasure, restricting and objection may lead to a need for you to close your account with us.

If you want to close your account for any reason, just write to us and we will get this processed for you. We’ll settle up any balance first. Once your account is closed, you will lose access to your account and your card will be deactivated. We’ll talk you through how to export your records before closing your account.


This policy may change from time to time and is effective from date of posting to our website and app. For significant changes we will also let you know by email or through the Coconut app.