Credit Karma UK Limited t/a Credit Karma and Credit Karma, Inc. PRIVACY NOTICE Version: 2.0 Date adopted: November 25, 2020 This privacy notice provides information about how we collect and process personal data about you. It covers the following topics: 1. Who we are and how you can contact us 2. What we use personal data for 3. What kinds of personal data we use, and where we get it from 4. Our legal grounds for processing personal data 5. Who we share the personal data with 6. Where the personal data is stored and sent 7. How long the personal data is kept for 8. Your rights in relation to the personal data we hold about you 9. Who you can complain to if you are unhappy about the use of your personal data 10. Changes to the privacy notice Personal data means information, or a combination of pieces of information, that could identify you. 1. WHO WE ARE AND HOW YOU CAN CONTACT US The controllers of your personal data are Credit Karma UK Limited ("CK-UK") trading as "Credit Karma" and Credit Karma, Inc. ("CKI") (CK-UK and CKI are sometimes collectively referred to as “us” or "we"). CK-UK is a company with its registered office c/- Legalinx Limited, Tallis House, 2 Tallis Street, London, EC4Y 0AB, United Kingdom and CKI is a company with headquarters at 760 Market Street. 2nd Floor, San Francisco, CA 94102, United States CKI and CK-UK and CKI, as controllers of your personal data, are responsible for ensuring that your personal data is used fairly and lawfully. We are also the legal persons against whom you can exercise the rights referred to in section 8. You can contact us about issues relating to personal data, including the contents of this notice, and the exercise of your data protection rights, via email at firstname.lastname@example.org. 2. HOW DO WE USE PERSONAL DATA This section explains the purposes for which we collect and process personal data about you. More detail about the types of personal data that we might use for these purposes can be found in section 3 below. Research ● Conducting user and market research on people’s needs, behaviors, and attitudes, as well as product concepts, to inform CK-UK product and design development decisions and to help us improve the services CK-UK provides Marketing ● Promoting CK-UK’s services to potential customers whose contact details are provided by existing members Managing resources and conflict resolution ● Maintaining records in order to respond to and defend against legal claims Legal and regulatory ● Responding to complaints or enquiries from you or a regulator such as the Information Commissioner (about our use of your personal data) ● Responding to requests from law enforcement agencies where we consider it appropriate to do so to protect our workers, visitors, customers and their consumers, or our business interests. 3. WHAT KINDS OF PERSONAL DATA WE USE, AND WHERE WE GET IT We obtain and use information from various different sources, including from market research companies and existing members. These are summarized below. Types of Information we collect about you from other sources: ● Name and contact details: This is basic personal data about you, and how to get in touch with you. It includes your current home address, email address, and telephone number ● Date of birth ● Personal demographic information, such as your age or gender ● Your image and voice which will appear on videos and recordings provided by our third party market research partners Types of Information we collect from you: ● Name and contact details: This is basic personal data about you, and how to get in touch with you. It includes your current home address, email address, and telephone number ● Date of birth ● Personal demographic information, such as your age or gender ● Opinions and feedback that you provide to us. For example: (1) feedback you have on CK-UK products; (2) information you choose to provide to us about your finances or financial habits; or (3) information you have about finances or financial products generally ● Your image and voice which will appear on videos and recordings of live conversations you have with us directly when we undertake research Sensitive information (SCPD) We may also collect s ensitive information (known as SCPD) about you as permitted or required by law. This is a category of personal data that has special protection under data protection laws and may include, for example, information concerning health, information revealing racial or ethnic origin, or information revealing your religion. We may obtain this information from you or from other sources that have obtained it from you. 4. OUR LEGAL GROUNDS FOR PROCESSING PERSONAL DATA This section explains the bases on which we process your personal data. Legitimate interests In most cases, we have a legitimate interest in processing your personal data, including dealing with legal claims made against us. When we process personal data to meet our legitimate interests, we put in place safeguards to protect your privacy and so that our legitimate interests do not override your fundamental rights and freedoms. For more information about the balancing test that we carry out when processing your personal data in order to meet a legitimate interest, please contact us at the details below. With your consent We may obtain your explicit consent to collect and use your personal data. We may rely on your consent for the processing of personal data, both when we are required to do so by law (for example when we process some categories of SCPD) and where it is the appropriate legal basis to rely on. If we ask for your consent to process your personal data, you may withdraw your consent at any time by contacting us using the details at the end of this privacy notice. To comply with our legal and regulatory obligations as a business To establish, exercise or defend legal claims We may process some categories of SPCD without your consent where it is necessary for the establishment, exercise or defense of legal claims. 5. WITH WHOM DO WE SHARE THE PERSONAL DATA We will share your personal data with third parties: ● Where required to do so by law, including with public authorities to comply with legal and/or regulatory requirements ● To protect and defend our rights and property, where permitted by law We will also share your personal data with the following recipients and categories of recipients: Our Group companies We will share your personal data with other members of the Credit Karma group (the "Credit Karma Group") including our sister company, Credit Karma Holdings UK Limited, for the purposes described in this privacy notice. As the Credit Karma Group grows and changes the information in this section may be updated. Service providers We will provide your information to third parties who help us use it for the purposes described in this privacy notice. For example: • Our databases of personal data may be hosted by third parties on our behalf. • Our communications (such as emails) that are broadcast through a third party service. • Usability testing and market research platforms that provide us with videoconferencing technology to enable us to conduct user or market research. These service providers, where they process your personal data under our instructions, will not be allowed to use your information for their own purposes or on behalf of other organizations. Business transfers and re-organization If we sell our business to a third party, or go through a corporate reorganization, this will involve the transfer of your personal data collected for the purposes outlined in this privacy notice to the new undertaking for them to use in the same way as set out here. 6. WHERE IS PERSONAL DATA STORED AND SENT To the extent that we transfer your personal data to the US for processing or for storage, we will put in place appropriate measures such as the standard contractual clauses approved by the European Commission to legitimize such international data transfers or we will ensure that the recipient is Privacy Shield certified. We may also send information to other non-EEA countries that have not received an adequacy decision. While countries within the European Union all ensure a high standard of data protection law, some parts of the world may not provide the same level of legal protection in relation to personal data. On this basis, when we do send personal data overseas, we will make sure that suitable safeguards are in place to protect the information. These safeguards include the standard contractual clauses approved by the European Commission. If your information has been sent overseas like this, you can obtain further information about the safeguards used by contacting us using the details set out in section 1 above. 7. HOW LONG IS PERSONAL DATA KEPT We will retain your personal data for as long as required to fulfill the purpose for which the data was collected. Additionally, we may need to retain certain personal data for longer to enable us to deal with any queries or issues that may arise, meet our legal or regulatory requirements or deal with potential litigation. We may also retain your personal data for another legitimate business interest. If you would like to know more about our retention policy, please contact email@example.com. 8. YOUR RIGHTS IN RESPECT OF THE PERSONAL DATA THAT WE HOLD ABOUT YOU You have several different rights in relation to the personal data that we hold about you. These are briefly described below. To discuss or exercise these rights, unless otherwise stated please use the contact details set out in section 1. ● Access: You have a right to find out what personal data we hold about you and certain other information such as how we are using it. ● Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it. ● Objection to legitimate interests: If you disagree with us relying on the legitimate interests grounds for using your personal data (see section 4 above), you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances. ● Erasure: In certain circumstances you can ask us to delete your personal data from our systems. ● Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data. ● Portability: You have the right to receive some limited kinds of information in a useable electronic format and transmit it to a third party. Where we rely on your consent to process your personal data you have the right to withdraw that consent at any time. 9. RECOURSE If you have any questions, complaints, or inquiries about the way we use or handle your personal data, please contact us by sending an email to firstname.lastname@example.org. You also have the right to lodge a complaint with the UK Information Commissioner's Office. 10. CHANGES TO THE PRIVACY NOTICE You may request a copy of this privacy notice using the contact details set out above. We may modify or update this privacy notice from time to time. Where changes to this privacy notice will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient notice so that you have the opportunity to exercise your rights (e.g., to object to the processing).