Using data ethically

We’re proud to be building a new data infrastructure that will completely revolutionise the way we think about receipts. Our technology is fast becoming industry standard, so the way we use data has important implications for everyone in society.

We’re not satisfied to simply follow the moral minimum - we want to set a new standard of data management in the fintech industry and play a key role in building the kind of world we want to live in.

These principles outline the key ways we do this.

Diagram

Our data principles

Our data principles are the four key values that guide our approach to capturing and using data. We consider these principles to be the bedrock of our new data infrastructure and are additional moral duties that sit above our existing legal and regulatory responsibilities.

Accountability

We’re firm believers that there’s no trust without accountability. We’ve implemented a robust programme of checks and balances, including voluntary third-party auditing, to help ensure that we’re not just holding ourselves accountable, but that we’re always accountable to you, too.

Transparency

Transparency means that we’re always open and honest about what we’re doing. We think no-one should ever be surprised by what we’re doing with data and strive to build a culture of mutual loyalty, trust and understanding with our customers and partners.

Privacy

We sit in the middle of a three-way network of data exchange between retailers, banks and customers. We consider ourselves to be guardians of their privacy, which is why we always take a privacy-centric approach to product design and keep privacy at the heart of our decision-making processes.

Social responsibility

We believe that it’s our responsibility to ensure our technology makes people's’ lives better. We place human rights and the public good at the heart of everything we do and take our social obligations to our community and our planet extremely seriously.

What does this mean for me?

Click one of the options below to read more about what our data principles mean for you

I'm a customer

As a Flux customer, our most important responsibility is keeping your data safe. Although regulations like the General Data Protection Regulation (GDPR) and the Payments Services Directive (PSD2) are really useful, we don’t think it’s good enough to simply meet the minimum requirements - we’re determined to do better. Some of the extra ways we ensure we’re protecting your data to the highest standard are:

  • Voluntary, third-party audits: Each year, we invite third-party auditors to assess how well we’re complying with our legal obligations and to stress-test our systems and processes. If they find gaps, we fill them quickly and securely.
  • Additional security accreditations: We’ve sought out additional security accreditations, like the ISO27001, to ensure we’re implementing best practices. We have to reapply for this accreditation each year, so it’s a great way to make sure our high standards don't slip.
  • Transparency: We’re open when things go wrong, sharing information about incidents we’ve experienced and what we’ve done to resolve them on our Statuspage.
  • Ethics by design: We use our Risk Framework to make sure that everything we do with data is predicated on principles of fairness and compliance - we don’t just think about what we could do with data, but also what we should do. This means we’re always putting ourselves in your shoes and making decisions with your best interests in mind.
  • Anonymisation and aggregation: We use best-in-class methods of anonymisation and aggregation to ensure that your data will never be identifiable in any analytics we do - this means no-one will ever be able to trace the data back to you or identify you in any meaningful way.

We also believe that sharing data is a value-exchange: it’s really important to us that you understand what data you’re sharing with us and what you’re getting from us in return. Some of the ways we do this are:

  • Open communication: Making sure that all of our policies use an open, frank and accessible tone of voice and explain any legal terms in plain English, so it’s really clear to you how and why we’re using your data
  • Data minimisation: We always take a privacy-by-design approach when it comes to creating products, and will only ever use data that’s strictly necessary to provide our product and services - and if there’s a more private option available, we’ll always take it by default
  • Giving you control: We communicate openly and honestly when there’s a change to the way we’re using data and will always provide a quick and easy way for you to cease data-sharing with us if you change your mind about using our products
  • 360 advocacy: All Flux staff members are encouraged to question the new products we’re developing and challenge anything they’re uncomfortable with - so there’s always someone fighting your corner.

I'm a bank

The new networks of data-sharing facilitated by open banking have created really exciting opportunities to improve customers’ banking experiences - but with the increased level of data-sharing comes an increased risk to customers’ privacy. Our approach to data privacy is trust-centric and consumer-focused, and we’re firm believers that you can maintain the highest standards of privacy without compromising on product effectiveness.

Protecting your data:

  • Legal accountability: We’re accountable to regulations governing the use of payments data, like the General Data Protection Regulation (GDPR) and the Payments Services Directive (PSD2).
  • Voluntary accountability: We invite third-party auditors to audit our compliance with laws and regulations and to try to identify any weaknesses in our operating systems, and seek out additional accreditations to ensure our compliance is best-in-class, like the ISO27001 data security badge.
  • Data minimisation: We strongly adhere to data minimisation practices and will only process the minimum amount of data necessary to provide our products and services to our partners and customers
  • Anonymisation and aggregation: We’ll never share any personally-identifiable information with third parties, and apply best-in-class anonymisation and aggregation practices to any data we use for analytics or market insights

Protecting your customers:

  • Explicit consent: Where Flux acts as the Data Controller, we’ll contract directly with your customers to ask for their explicit consent to use their data to provide them with Flux services and to share anonymised and aggregated analytics with our retail partners.
  • Knowledge sharing: Where Flux is the processor, we’ll work with you to ensure your customers understand the data they’re sharing with us and what they’re getting in return, and to facilitate easy data-sharing revocation if customers change their mind about using digital receipts.
  • Privacy by design: We always take a privacy-by-design approach and are firm believers that you can maintain the highest standards of privacy without compromising on product effectiveness
  • Serious security: We jealously guard the integrity of our data and take a proactive approach to improve our architecture and infrastructure. We adhere strictly to the standards set by ISO27001 and perform regular, proactive pen tests and risk assessments throughout our entire product development lifecycle.
  • Bias minimisation: We’re constantly on the lookout for bias - whether that’s in the language we use, our accessibility, our hiring practices, or the algorithms we use, and regularly challenge ourselves with regards to diversity and inclusion
  • Sustainable champions: We’re champions of sustainability and seek to educate the public through our environmental campaign, Beat the Receipt. We’ve worked closely with the Carbon Trust to understand the environmental impact of paper and digital receipts, and are committed to reducing our carbon footprint even further.
  • Future-proofing: We’re obsessed with future-proofing, and regularly conduct exercises to reflect on the potential societal impact of any products or technology we’re developing so that we can mitigate any risks.

I'm a retailer

When you’re making commercial decisions based on data, it’s crucial that you’re able to trust and protect that data. We understand that your sales data is commercially sensitive and we’re committed to ensuring this always stays secure - meaningful analytics does not mean you have to compromise on privacy.

  • Protecting your IP: Your Intellectual Property or any other identifying factors will never be made available to any of our other partners. Where we do look to conduct market analysis we may use some sales information in a way that means you are not identifiable through our enhanced process of anonymisation and aggregation.
  • Wall: Our banking partners do not have access to the transaction data you send us, and receive only the minimum data necessary to surface your customers’ receipts in their app. We have stringent contracts that prevent our bank partners from using or selling any third-party data they access through the integration with Flux.
  • Legal accountability: We’re accountable to regulations governing the use of payments data, like the General Data Protection Regulation (GDPR) and the Payments Services Directive (PSD2) and adhere to advanced cybersecurity standards like those stipulated by the ISO27001 accreditation.
  • Compliance is everything: We have a world-class compliance team dedicated to identifying and mitigating risks and embedding best practices across the team - including ensuring data ethics is considered at each stage of the product life cycle.
  • Risk awareness: Our entire team is trained in undertaking effective Data protection impact assessments and risk assessments, which are used throughout the product lifecycle to ensure that we’re adhering to privacy best practices
  • Data minimisation: We strongly adhere to data minimisation practices and will only process the minimum amount of data necessary to provide our products and services to our partners and customers

Protecting your customers:

  • Consumer first: Our approach to data privacy is trust-centric and consumer-focused, and we’re firm believers that you can maintain the highest standards of privacy without compromising on product effectiveness.
  • Explicit consent: All customers included in your insights analysis have actively provided consent to be part of Flux services. We make it easy for customers to understand what they’re sharing with us and to express and manage their privacy and data-sharing preferences - avoiding the “ick” factor that other invisible analytics platforms may have
  • Privacy-centric: We respect a customers’ right to privacy and only collect the necessary information required to provide them with digital receipts - this is the same information we use in aggregated and anonymised form to share retail insights with you
  • Ethics by design: Our Risk Framework makes sure that everything we do is predicated on principles of fairness and compliance - we don’t just think about what we could do with data, but also what we should do. The best interests of your customers will always guide our decisions and product outputs.
  • Bias minimisation: We’re constantly on the lookout for bias - whether that’s in the language we use, our accessibility, our hiring practices, or the algorithms we use, and regularly challenge ourselves with regards to diversity and inclusion
  • Future-proofing: We’re obsessed with future-proofing - both in terms of the data infrastructure we’re building and the impact on our planet - and regularly conduct exercises to reflect on the potential societal impact of any products or technology we’re developing

Meet our data guardians

It’s important to us that we consider our use of data from all angles. That’s why we don’t just focus on making the technical aspects of our data use - like our network security or anonymisation methods - best in class, but also undertake voluntary audits and accreditations and have a robust data ethics framework in place.

At Flux, we don’t just think about what we can do with your data - but also what we ought to do. Meet the Fluxers who make that happen.

Tom Reay

CTO

As CTO, Tom has oversight of all our systems and infrastructure, so is a key guardian of our technical security. It’s Tom’s job to make sure our systems are safe, stable, and that we adhere to privacy by design product frameworks.

Katarina Vetrakova

Compliance Manager

Kat is our compliance guardian and is responsible for making sure that Flux meets all of our legal and regulatory requirements in using data, and also oversees all of our voluntary audits and accreditations.

Samantha Lind

Customer Lead

Samantha has over ten years’ experience in customer advocacy and is our data ethics guardian. It’s her role to ensure our banks, retailers and customers’ interests are protected and that our use of data is in line with our ethical values.

You’re in safe hands

We built Flux with bank level security, so your data is fully protected. We're regulated by the Financial Conduct Authority as an Account Information Service Provider (AISP) and hold ISO/IEC 27001:2013 standard and Cyber Essentials Plus certifications. We go through several voluntary audits each year so you can rest assured that Flux is operating at the highest possible standards.

Read our plain english privacy policy