Introduction:
We are Coremetrix UK Limited t/a Coremetrix (Company registration number 10299796) with the business address at Orbital House, 20 Eastern Road, Romford, Essex, RM1 3PJ, United Kingdom.
We produce image-based Quizzes for our Clients and use the data produced when completing these Quizzes to provide statistical propensity models to our Client base.
Our Quizzes only appear on third-party websites and we provide these services on behalf of our Clients (unless otherwise expressly indicated) any personal information collected therefore is provided to the owner of the website and its use governed by the website’s terms and conditions and privacy policy. Please review all third-party websites’ privacy policies carefully as we are not responsible for the practices of such parties.
If you have any queries in respect of Coremetrix’s Privacy Policy, please do not hesitate to contact privacy@coremetrix.com for further details.
We undertake to guard your personal data with the utmost care and we undertake to preserve the confidentiality of all data provided to us when completing the Quizzes outlined above.
We do not share, sell or disclose any data provided to us when completing the Quiz. The controller of your data will receive the answer to the demographics questions if these questions are present in the quiz.
The legal bases on which we process information about you:
Coremetrix process data about individuals completing our Quizzes in strict accordance with Article 6 of the European Union General Data Protection Regulation.
| Project type | Data obtained | Data obtained from | Legal basis for processing | Consent Required? | Data stored in: |
|---|---|---|---|---|---|
| POC – Non-Scoring | Quiz answer data | Data subject | Consent from data subject | Yes | AWS S3 |
| POC – Non-Scoring | Credit product performance data | Data controller | Legitimate business purposes of the data processor |
No | AWS S3 |
| POC – Scoring | Quiz answer data | Data subject | Consent from data subject | Yes | AWS S3 |
| POC – Scoring | Processed Quiz model scores | Processed from Quiz answer data using model built from previous Credit Product Performance Data | Legitimate business purposes of the data processor | No | AWS S3 |
| POC – Scoring | Credit product performance data | Data Controller | Legitimate business purposes of the data processor | No | AWS S3 |
| POC – Scoring / Offline | Quiz answer data | Data subject | Consent from data subject | Yes | AWS S3 |
| POC – Scoring / Offline | Processed Quiz model scores | Processed from Quiz answer data using model built from previous Credit Product Performance Data | Legitimate business purposes of the data processor | No | AWS S3 |
| POC – Scoring / Offline | Credit product performance data | Data Controller | Legitimate business purposes of the data processor | No | AWS S3 |
| Live Production | Quiz answer data | Data subject | Performance of a contract Legitimate business purposes of the data processor |
No | AWS S3 |
| Live Production | Processed Quiz model scores | Processed from Quiz answer data using model built from previous Credit Product Performance Data | Performance of a contract Legitimate business purposes of the data processor |
No | AWS S3 |
| Live Production | Credit product performance data | Data Controller | Legitimate business purposes of the data processor | No | AWS S3 |
If the basis on which we process your data is no longer relevant, then all personal data will be anonymized or securely deleted to ensure the privacy of all data subjects.
Any data being processed under the basis of the legitimate business purposes of the data controller is done so as the data controller (our Client) has a legitimate interest in using the processed data for either risk assessment or to evaluate a new method of risk assessment.
Critically due to the protection measures outlined below, and that the Coremetrix product is one designed to improve financial inclusion by overturning previous declines and improving access to credit the rights of the data controller do not override the rights of the data subject when processing this data.
If you disagree with this assessment, please contact the Data Protection Officer of the relevant Data Controller (outlined in Section `Data Controllers’ of this document) and refer to your Rights under Article 12.
Data protection by design and default
Coremetrix employs several measures to protect the personal data of those individuals who complete our Quizzes.
When a Client directs one of their Customers to take one of our Quizzes they assign a unique and randomized ID referred to as a PUID.
The PUID is the sole piece of data transferred to Coremetrix when an individual is directed to our Quiz.
The PUID is a pseudonymized ID and is used in place of other personal data.
All Quiz attempts are logged against the PUID. The Data Controller retains all other personal data.
Coremetrix store and process all Quiz attempts against the PUID. Scores produced by the statistical propensity models are returned to our Clients via a secure API connection against the PUID.
What Personal Data we collect from you:
We collect the minimal possible amount of Personal Data from you in order to provide our Quiz service and to provide a psychometric driven risk score to our Customers, who have requested that you take one of our Quizzes as a part of their credit assessment processes:
The data we collect is as follows:
Quiz answer data: The Quiz is an interactive online platform that is designed to collect psychometric data in the form of your answers to the questions that we ask in the Quiz. All answers are collected and stored in our database and are used to calculate risk scores and to build new statistical propensity models.
Cookies: Cookies are small text files that are downloaded to your computer or mobile device when you visit a website. Coremetrix employs 2 primary types of cookies:
First party cookies: these are served directly by Coremetrix to your computer/mobile device
Third-party cookies: these are served by a third party (Google Analytics) on Coremetrix’ behalf. We use third-party cookies for web analytics to optimise our website performance and to provide insights into Quiz usage.
For further information on Cookies see our Cookie Policy.
What personal data is provided to us about you?
The only personal data provided to us about you by our Clients is the PUID and Credit performance data (see detailed explanation below). Our Clients are Banks, Lenders and Insurance companies who use our Quiz assessment tool and statistical propensity models to assist in their credit decisioning/insurance decisioning processes.
The data provided to us is as follows:
PUID (Persistent Unique Identifier): This is a unique alphanumeric string created by our clients in order to identify you in place of other personal data. This is a type of pseudonymous data that is an excellent way of protecting your personal data, which remains held by the Bank/Lender/Insurer who you use. Coremetrix cannot trace this PUID to you or any other individual but use the PUID as a way of tracking the answers to our Quiz and to provide a score to our Clients.
Credit Product Performance data: When a client engages our services to develop a custom risk assessment tool, they will ask us to carry out a validation against their known credit performance. To carry out this activity our Clients will share with us pseudonymized and simplified Credit Product Performance data using the PUID outlined above and a simplified measurement of how any credit products have performed.
This data is used to both validate existing models and to develop new statistical propensity models.
Credit Bureau data: Some Clients are Credit Bureaux operating in many countries around the world. Coremetrix develops customized credit assessment tools for these bureaus in order to enhance financial inclusion and enable access to credit.
In order to develop these tools Credit Bureau data is shared with Coremetrix using the same pseudonymization method outlined above to protect an individual’s personal data.
Data controllers
Coremetrix operates as a Data Processor under the instructions of our clients who are the Data Controller of their Customers’ data.
Due to the use of pseudonymization to protect the personal data of the individuals who we process data on behalf of the data controllers, any queries regarding data processed by Coremetrix should be directed to the relevant data controller.
To find out the contact details for the relevant Data Controller please contact privacy@coremetrix.com.
We will respond to all requests within 72 hours.
EU representative
If you are in the European Union, you may address privacy-related inquiries to our EU representative pursuant to Article 27 GDPR:
EU-REP.Global GmbH, Attn: Coremetrix
Hopfenstr. 1d, 24114 Kiel, Germany
coremetrix@eu-rep.global
www.eu-rep.global
Data retention period:
The data collected by our Quizzes is retained for the entire lifecycle of the relationship with the client. The data is retained for this period in order to provide scoring services to our clients and to facilitate the data subject’s rights.
Third-party websites:
Our Quizzes only appear on third-party websites and we provide these services on behalf of our Clients (unless otherwise expressly indicated) any personal information collected therefore is provided to the owner of the website and its use governed by the website’s terms and conditions and privacy policy. Please review all third party websites’ privacy policies carefully as we are not responsible for the practices of such parties.
Exercising Data Subjects’ rights:
You have a number of rights as regards how companies process your data, Coremetrix is committed to ensuring that you may exercise your rights when you are asked to use our Product by your bank/lender/insurance company.
However, due to the advanced privacy settings and pseudonymization built into our product, we cannot trace individual users through normal search characteristics (name, address, date of birth, etc) that may apply to other companies. In order for Coremetrix to process any requests, we require the unique identifier / PUID assigned prior to you taking our Quiz.
Your bank/lender/insurance company is the Data Controller for the data processed by Coremetrix and will have a record of the unique PUID they assigned prior to directing that the data subject should take a Coremetrix Quiz.
If a Data Subject wishes to exercise their rights, they should contact the bank/lender/insurance company that requested they complete a Coremetrix Quiz. Coremetrix will fully comply with these requests and supply any data required to the Data Controller in order to be delivered to the Data Subject.
Security:
We value your trust in providing us your Personal Information, thus we are striving to use commercially acceptable means of protecting it.
We employ SSL encryption for our Quiz tool to protect the data as it is collected and store all Quiz answer and Credit Product Performance data in secure datastores in Amazon Web Services.
Our processed scores are returned to our Clients over a secure API connection using a cryptographically generated API key.
But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and we cannot guarantee its absolute security.
Children’s Privacy:
Our Services do not address anyone under the age of 16. Our Product is designed to assist our Clients to assess individuals for credit products, which have a normal minimum age of 18, or for motor insurance which has a minimum age to drive a vehicle of 17.
We do not knowingly collect or process information from children under the age of 16. In the case that we discover any personal information has been obtained from any individual under the age of 16 we will immediately delete the data from our servers. If you are a parent or guardian and you are aware that your child has provided us with personal information please contact us immediately so that we will be able to take the necessary actions.
Changes to This Privacy Policy
We may update our Privacy Policy from time to time. Thus, you are advised to review this page periodically for any changes. We will notify you of any changes by posting the new Privacy Policy on this page. These changes are effective immediately after they are posted on this page.
Comments or concerns about Privacy and the Coremetrix Product
We put the privacy of data subjects at the heart of our business and will treat all comments or concerns about Privacy with the respect and seriousness that they deserve and that we believe in.
If you have any concerns about how data is processed or have any comments or questions, please do not hesitate to contact us at privacy@coremetrix.com.
We will respond to all requests within 72 hours.