
Privacy notice

Protecting your personal data - our Privacy Notice

Last updated 20 February 2025


The protection of your personal data is at the forefront of everything we do at CAF Bank. Our privacy notice has been designed to explain how we collect, use, store, transfer and protect your personal data when you engage or interact with us via our website, or via our customer services.

We have written this privacy notice with you, the individuals who service your organisation’s accounts, in mind, keeping it simple and informative to allow you to understand what we do with your personal data. All individuals who provide information to us must read and understand this privacy notice and how we process their personal data.

 

Introduction

CAF Bank Limited (herein referred to as “CAF Bank”) is a data controller, as defined under the UK General Data Protection Regulation (UK GDPR). We are part of the “CAF Group”, being a subsidiary of the “Charities Aid Foundation”. We are a limited company registered in England and Wales with registration number 1837656, authorised by the Prudential Regulation Authority (PRA) and regulated by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority. Within this document “We”, “Us”, or “Our” refers to CAF Bank only.

 

What is personal data?

By “Personal Data”, we mean any data which can be used to identify you directly or indirectly. “Special Category Data” is unique information about you which can include your race, ethnicity, religion, political affiliations and health data. This data is more sensitive and requires additional protection. “Criminal Offence Data” is a separate category but may form part of a larger record which contains special category data.

What personal data we collect about you and our lawful basis to do so

When you apply for and manage a product on behalf of your organisation, access our website, or contact us in relation to the product you are associated with or your organisation is interested in, we collect and process your personal data.

The information below outlines what data we collect, and how and why we collect it. You do not have to provide the data requested; however, not doing so may limit your organisation’s ability to apply for a product with us or use our services.

We require personal data from a range of individuals when your organisation applies for a product with us. This includes, but is not limited to:

  • trustees
  • signatories
  • account contacts
  • online banking users
  • card holders
  • directors
  • ultimate beneficial owners
  • controllers

For your organisation to have a product with us the minimum amount of personal data we will require you to share will include your:

  • full name
  • date of birth
  • residential address (including those lived in within the last three years and where applicable forwarding addresses)
  • business address (where this is also a residential address)
  • email address
  • UK registered mobile number
  • nationality
  • signature (depending on your role within the organisation)

Once your organisation has a product, additional personal data may be requested from you such as identification documents. If this is required, we will inform you directly.

We will only process your personal data where we have a lawful basis to do so. We use the following lawful bases to process your personal data:

 
  • to comply with our legal and regulatory obligations e.g., Anti-Money Laundering.

  • to perform the contract which we have in place with the Charity and subsequently yourself as a representative e.g., our terms and conditions

  • for our legitimate interests (or those of a third party); in such cases, we will ensure your interests and fundamental rights are balanced against the interests of the business

  • when you have given us consent

The table below outlines the categories of personal data which we may collect, why we collect it and our lawful basis for doing so.

Data collected: Personal details and contact details e.g., name, date of birth, email address etc

Why we collect this data:
  • To facilitate the creation of your organisation’s bank account or any other associated product.
  • To contact you, where necessary in connection with the management and operation of this product
  • To prevent and detect crime
  • To ensure we are meeting our regulatory and legal obligations
  • Marketing, to deliver marketing communications about our work, our products and services, events and other related information.
  • To allow us to contact you about your organisation as a prospective customer

Lawful basis:
  • To comply with our legal obligations
  • To enter into and perform our contract with your organisation
  • Legitimate Interest
  • Consent

Data collected: Technical information and details of your visit to our website or apps associated with our website

Why we collect this data:
  • For internal research and development
  • For internal testing of CAF Bank products and website
  • To help diagnose system issues
  • To improve the content and services which we provide to you and your organisation
  • To prevent and detect crime

Lawful basis:
  • To comply with our legal obligations
  • To perform our contract with your organisation

Data collected: Technical information relating to how you use and access our products and services, such as the type of device

Why we collect this data:
  • To assist you with any queries which you may have
  • To prevent and detect crime

Lawful basis:
  • To comply with our legal obligations
  • To perform our contract with your organisation

Data collected: Payment information and details of transactions you carry out on behalf of your organisation, including but not limited to payments, withdrawals, debit card transactions

Why we collect this data:
  • To allow you to deposit and withdraw from the account
  • To facilitate any loan facilities which your organisation may have
  • Regulatory reporting

Lawful basis:
  • To comply with our legal obligations
  • To perform our contract with your organisation

Data collected: Communications with us or our employees for example, calls*, emails, and letters

*Wherever possible we will let you know that calls are recorded

Why we collect this data:
  • To service your organisation’s account
  • To meet our legal obligations
  • To prevent and detect crime
  • For quality control and staff training
  • For self-regulatory practices
  • To respond to any complaints you may have in relation to a product or service

Lawful basis:
  • To comply with our legal obligations
  • To perform our contract with your organisation

Data collected: Information regarding your location including IP address, geographical information and traffic information

Why we collect this data:
  • To ensure that you are authorised to access our website in your current location
  • To meet our legal obligations
  • To prevent and detect crime
  • To process card transactions

Lawful basis:
  • To comply with our legal obligations
  • To perform our contract with your organisation

Data collected: Additional information you submit through third party websites, for example on social media

Why we collect this data:
  • For internal research and development purposes
  • To improve our services
  • To respond to any complaints

Lawful basis:
  • Legitimate interests
  • Where you have provided consent

Data collected: Photo identification, proof of address or source of funds information

Why we collect this data:
  • For identification and verification including to ensure you are of the age to be associated with a CAF Bank product
  • To prevent and detect crime
  • To meet our legal and regulatory requirements

Lawful basis:
  • To comply with our legal obligations
  • As part of our contract with your organisation

Data collected: Special Category and Criminal Offence data

Why we collect this data:
  • To ensure we meet any additional needs you may have to manage the product on behalf of your organisation if you are or become a vulnerable individual
  • To meet our legal and regulatory requirements
  • To assess your eligibility for a product

Lawful basis:
  • Substantial public interest


How we collect your personal data

We may collect your personal data from:


  • you directly
    For example, the data you provide to us during product application upon request from us, or when you communicate with us by post, phone, email or otherwise
     
  • the organisation you represent
    For example, during product application you may choose to provide your personal details to a nominated individual who will provide these on the application form on your behalf
     
  • publicly available sources
    We may collect data from publicly available sources such as news articles, social media platforms, forums, official records i.e. the electoral roll. These searches allow us to meet our legal and regulatory obligations and may be used to facilitate the prevention and detection of crime
     
  • third parties
    We may collect data about you from third-party service providers for various reasons. These may include for the purposes of identification, ensuring our website is safe and secure, to comply with our legal and regulatory obligations including the requirements of our regulators e.g., The Financial Conduct Authority (FCA), The Prudential Regulation Authority (PRA), and the Information Commissioner’s Office (ICO)

  • members of the CAF Group
    We may share information about you with, or collect it from, members of the CAF Group. We will only do this where we have a lawful basis to do so


Why we process your personal data

The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:

  • Performance of a contract with you: CAF Bank processes your personal data to perform the contract which we are about to enter into or have entered into with your organisation. The organisation’s information and, in turn, your personal data may be reviewed for the purpose of enforcing our terms and conditions. For more information on this, please review the terms and conditions associated with the products held by your organisation, which can be found at www.cafonline.org/cafbank-tariff-terms.

  • Legitimate interest: we may use your personal data where it is necessary to conduct our business and pursue our legitimate interest, for example to prevent fraud, by undertaking identification checks and verification, and to enable us to give you the best and most secure customer experience

  • Legal and regulatory obligations: we may use your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to. These include, but are not limited to, Anti-Money Laundering legislation, fraud detection and prevention of crime, and identifying and verifying you as an individual

  • Consent: we may use your personal data when you have provided us consent to do so 


How we process your personal data for Marketing

Our marketing will contain information relating to our products and services. At times, it may contain information relating to the products and services of members of the CAF Group and provide details of the great work we are doing as a collective and services which may benefit your organisation.

You can update how you wish to receive marketing from CAF Bank by contacting us, or you can click the unsubscribe link located at the bottom of the marketing emails we send.

When you have opted out of receiving marketing communications from us, we will take all reasonable steps to ensure you no longer receive marketing communications.

If you request to stop receiving marketing, you will continue to receive service communications about the product or service that you are responsible for e.g., changes to terms and conditions.

To obtain feedback on our processes, products and services, CAF Bank and CAF Group may send you invitations to take part in surveys. You can opt out of receiving these surveys in the correspondence we send.

If you opt out of marketing, you are not automatically opted out of receiving surveys and will need to opt out of each individually.

 


Who we share your personal data with

We may share your personal information with the categories of third parties outlined below. These third parties may be “Controllers” or “Processors” in respect of your personal data for the purposes explained above.

  • With other individuals associated with your organisation
    If we are required to share your personal data with other members of your organisation, this will be kept to a minimum, for example your name

  • Within the CAF Group
    Your data may be shared within the CAF Group in line with the relevant data protection laws and this privacy notice. The sharing of this data is for the purposes outlined in the section “How do we collect and process your personal data” and to help with providing your organisation’s services.

    If you have products or services with other members of CAF group, you can find out more about how they process your personal data within their privacy notice which can be found at https://www.cafonline.org/privacy.

  • With Trusted Third Parties
    We may share your data with trusted third parties such as: credit reference and fraud prevention agencies, as well as our service providers who help us deliver services essential to our Banking products. These third parties may provide:
    • banking and payment services
    • assistance with risk management
    • identity verification services
    • credit check
    More information on the credit reference agencies and fraud prevention agencies we use can be found here:
    • Equifax Europe Ltd
    • CIFAS - This is a data sharing scheme used for fraud prevention and detection
    • Dow Jones - Provides watch lists for name screening for sanctions, politically exposed persons and other persons or entities of significant interest – these lists are publicly available by government agencies across the world, Dow Jones bring them together
    When we decide to work with suppliers and third parties, we always make sure that:
    • they are suitable to look after your personal information and have appropriate standards and processes in place to protect it and treat it in accordance with the law;
    • they only process your personal data for the specified purpose and in accordance with our instructions;
    • they only retain your personal information for as long as is required
    • they only use your personal information for the purposes that we have trusted it to them for
    • there is a written contract or agreement in place between us and them to protect personal data; and
    • we regularly review and monitor them to ensure they remain appropriate and ethical
  • Statutory Authorities
    In some circumstances, we are legally obligated to provide your data to statutory authorities, these include:
    • Government authorities, such as law enforcement agencies
    • Regulators including the FCA, PRA, ICO, the Charities Commission, the Financial Ombudsman Service (FOS) and the Financial Services Compensation Scheme (FSCS) 

There are instances where our website may contain links to and from the websites of third-party organisations, or you may speak to us via a third-party platform such as a social media site. These websites may have their own privacy notices. Please check these notices carefully before you submit any personal data, as we do not accept any responsibility for those notices.


Sharing your data outside of the European Economic Area

We will only send your personal information outside the EEA UK when:

  • you ask us to do so
  • we have to comply with a legal obligation, or
  • we are working with our trusted third parties to provide a product or service

Wherever possible, we will make sure it is always protected in a similar way as if it were in the EEA by using one of these safeguards:

  • transfer to a non-EEA country or jurisdiction with the same standard of data protection and privacy laws as the UK
  • complete the relevant risk assessments
  • put in place a contract with the recipient that means they must protect it to the same standards as if it were in the EEA


How we keep your personal data safe

We take the security of your information extremely seriously.

We use appropriate security arrangements to prevent the personal data that we hold from being accidentally or deliberately compromised. This is both in the security of our IT networks and information systems (cybersecurity) and our physical and organisational security.

For example, we apply access controls over your data, limiting access to those who need to process the data, doing so under our instruction and a duty of confidentiality and ensuring relevant controls around our buildings are always appropriate.

With regards to security standards and certificates that we align to or hold, we:

  • align our processes to comply with industry standards such as ISO27001
  • are compliant with the PCI Data Security Standards

We have procedures in place to deal with any suspected personal data incidents and will notify you and any applicable regulator of a breach, as per our legal obligations.

Retention of your personal data

We will only keep your personal data for as long as is required to meet the purposes the data was collected for as outlined within this privacy notice. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the appropriate retention period for personal data, we consider your rights and freedoms and what the law requires us to do. This is generally seven years from the end date of your relationship with us.

Once your personal data is no longer required, it will be deleted or anonymised in line with our policies and processes which consider the legal obligations placed upon us.

 

Your data subject rights

Your personal data belongs to you and current data protection law gives you rights in relation to this data. These rights are as follows and can be exercised at any time and free of charge:

  • to be informed
    We need to let you know what we do with your personal data in this privacy notice or when you ask us

  • of access
    You have the right to request a copy of the personal data we hold about you. The information you receive as part of this process will only relate to you as a data subject. You will not be provided any information relating to the organisation with which you are associated, or other individuals related to that organisation.

  • to rectification
    You have the right to amend information you think is inaccurate and to ask us to complete information that you think is incomplete, though we may need to verify the accuracy of the new data you provide to us.

  • to erasure
    You have the right to request ‘to be forgotten’ and for your personal data to be removed or deleted. This is not an absolute right and there may be times where we must retain your data for legal reasons even after you’ve enacted your rights

  • to restrict processing
    In certain circumstances you can tell us that you do not want your data used for a particular purpose. We may demonstrate that we have compelling legitimate reasons to process your information which override your right to object

  • to data portability
    You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. This only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with

  • to object to processing
    You can object to us processing your personal data at any time for marketing purposes (including carrying out profiling) and in some cases where the processing is in our legitimate interests

  • relating to automated decision-making including profiling
    This means “not being subject to a decision which is based solely on automated processing (without human involvement)”, where those decisions “produce a legal effect” or “may significantly affect you”. You can request that our team reviews the decisions made.

For further information about your data subject rights, please visit the ICO’s website.

Should you wish to exercise your data subject rights, please contact our customer services, or email our Data Protection Officer at DPO@cafonline.org. If you are an EU citizen, please contact caf@gdprnomrep.eu.

In some circumstances, we may need to request further information, such as identification, from you to validate your request. We will aim to satisfy your request within one calendar month of receipt, but where this isn’t possible, we will contact you directly to provide an explanation.


Contacting us about your personal data or this privacy notice

If you have any questions about this privacy notice, or how we use your personal data please contact our Data Protection Officer:

By email: DPO@cafonline.org.

By phone: 03000 123 000 (calls to this number may be recorded for training and monitoring purposes)

By Post: The Data Protection Officer, 25 Kings Hill Avenue, West Malling, Kent ME19 4TA.

If you are an EU citizen, our appointed representative is Castlebridge NomRep Services Ltd. who can be contacted at caf@gdprnomrep.eu.

If you have a data protection complaint, please contact us using the details above and we will do our best to resolve this with you directly. If you are not satisfied with our response, you have the right to complain to the ICO. Find out on their website how to report a concern.


Changes to this notice

We reserve the right to amend this privacy notice at any time. We will notify you of any substantial changes via email. Unless otherwise specified, all other changes to this privacy notice will take effect immediately as of the stated “last updated” date. We recommend that you re-visit this page frequently.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

 
