4131-4032-8235.3
TYMIT
PRIVACY NOTICE
This version is effective from: November 6, 2023
Introduction
When you apply for or use a Harley Davidson Visa Card and related credit card services (the "Services")
three key parties process your personal information:
• Tymit Limited ("Tymit", “we”, “our”, “us”);
• Harley-Davidson Financial Services International, Inc. ("HDFS"); and
• Transact Payments Limited (“TPL”)
This privacy notice explains how Tymit processes your personal information as part of the Services.
Further information about how HDFS and TPL process your personal information is available
separately.
Who are Tymit?
We are the regulated lender for the Harley-Davidson credit account (the "Account") and we are
regulated by the Financial Conduct Authority. This means that we are authorised to make, or take
assignments of, regulated consumer lending as part of our regulated business activities. In other words,
we are the party that provides you with credit. We also provide the Harley Davidson credit account
mobile application (the "App"). We also provide the loyalty programme that is linked to your Account
and accessible through the App.
The Account, the App and the loyalty programme form part of the Services and when we provide them,
we are the controller of your personal information.
Tymit is committed to safeguarding the privacy of your information and in this privacy notice we set out
when and why we collect your personal information, how we use it, the conditions under which we may
disclose it to others and how we keep it secure.
What about the other key parties, HDFS and TPL?
HDFS do not process any personal information through the Account, the App or the loyalty programme.
HDFS do however offer and market the Services (for example, by including a link on relevant HDFS
websites through which website visitors may be directed to Tymit's application process). To the extent
HDFS processes any personal information pursuant to their offering and marketing of the Services they
are the controller of your personal information. You can find out more about HDFS' responsibilities by
reading HDFS' privacy notice available [https://www.myhdfs.com/, at the bottom of the page] or by
contacting HDFS using the contact details they have provided. You can find out more about HDFS'
responsibilities by reading HDFS' privacy notice available [https://www.myhdfs.com/, at the bottom of
the page] or by contacting HDFS using the contact details they have provided.
TPL is the issuer of your payment card and is the controller for the personal information which you
provide to us in relation to the card only. You can find out more about TPL's responsibilities by reading
TPL's privacy notice available [Privacy Policy | Transact Payments (transactpaymentsltd.com)] or by
contacting TPL using the contact details they have provided.
What personal information does Tymit collect?
In providing the Account and the App, Tymit may collect the following types of personal information:
Identity Data
Identity data, including first name, maiden name, last name, username
or similar identifier, marital status, title, date of birth, gender and visual
(including photographic) identification.
- 2 -
4131-4032-8235.3
Contact Data
Contact data, including billing address, delivery address, email address
and telephone numbers.
Financial Data
Financial data, including Open Banking data, bank account and
payment card details, salary and other income details and credit
referencing information.
Transaction Data
Transaction data, including details about payments and other details of
products and services provided under your agreement with us.
Technical Data
Technical data, including internet protocol (IP) address, login data,
browser type and version, time zone setting and location, browser plug-
in types and versions, operating system and platform, and other
technology on the devices used in relation to the Account.
Profile Data
Profile data, including usernames and passwords, accountholder
interests, preferences, feedback and survey responses.
Usage Data
Usage data, including information about how accountholders use the
Services.
Marketing and
Communications Data,
Marketing and communications data, including accountholder
preferences in receiving marketing from the parties and third parties
and their communication preferences.
How your personal information is collected
We collect and receive personal information using different methods:
Direct Interaction
You may give us your Identity, Contact Data and Financial Data by
filling in forms (electronically or otherwise), or by corresponding with
us by post, phone, email or otherwise. This includes personal
information you provide when you:
• apply for the Account.
• upload content/documents onto our App;
• subscribe to our services or publications;
• register for our newsletter;
• request marketing to be sent to you; or
• give us feedback or contact us.
Personal information we
collect using cookies and
other similar technologies
When you access and use our App, we will collect certain Technical
Data. We may in part collect this personal information by using cookies
and other similar technologies.
Personal information
received from third parties
and publicly available
sources
We will receive personal information about you from various third
parties (including public sources) as set out below:
• Technical Data from parties such as analytics providers such as
Google and Amazon Web Services which may be based outside
the UK and/or the EU.
• Financial Data, Identity Data and Contact Data from credit
reporting agencies such as Experian PLC.
• Identity and Contact Data from publicly available sources such as
Companies House and the Electoral Register based inside the UK.
- 3 -
4131-4032-8235.3
• Financial Data and Identity Data from Cifas, a not-for-profit fraud
prevention membership organisation managing the largest
database of instances of fraudulent conduct in the UK.
• Financial Data and Identity Data from Regulatory Data Corp Inc
which provides services relating to anti-money laundering, KYC
(know your customer) compliance and identification of politically
exposed persons.
How Tymit users your personal information
We use your personal information for the purposes set out in this section. If we wish to make any
changes to these purposes, or if we wish to use your personal information for any purpose that is not
listed in this section, we will notify you using the contact details we hold for you.
Assessing your eligibility
for the Account
We will use your Identity Data, Contact Data, Financial Data,
Transaction Data, Profile Data and Usage Data to make assessments
of your eligibility for the Account as well as identify you and verify the
personal information you have provided, including any other
applications you make in the wider Tymit product range, to prevent
fraud and identity theft.
Our legal basis for processing
It is necessary for us to use your personal information to perform our
obligations in accordance with the contracts that you are entering into
or have entered into with us, or it is in our legitimate interest to use
personal information in such a way to ensure that we provide the
Account and to take the steps outlined above.
Performing credit and
identity checks and
undertaking debt tracing
and recovery
To process your application for an Account, we will perform credit and
identity checks on you with one or more credit reference agencies
(“CRAs”). We may also make periodic searches at CRAs to manage
your account with us. To do this, we will supply your Identity Data,
Contact Data, Financial Data and Transaction Data to CRAs, and they
will give us certain personal information about you. This will include
information from your credit application and about your financial
situation and financial history. CRAs will supply to us both public
(including the electoral register) and shared credit, financial situation
and financial history information and fraud prevention information.
This information will be used for:
• Assessing your creditworthiness and whether you can afford to
take the product.
• Verifying the accuracy of the data you have provided to us.
• Preventing criminal activity, fraud and money laundering.
• Managing your account(s).
• Tracing and recovering debts.
• Ensuring any offers provided to you are appropriate to your
circumstances.
We will also inform the CRAs about your settled accounts. If you
borrow and do not repay in full and on time, CRAs will record the
- 4 -
4131-4032-8235.3
outstanding debt. This information may be supplied to other
organisations by CRAs.
When CRAs receive a search from us they will place a search footprint
on your credit file that may be seen by other lenders.
Our legal basis for processing
It is necessary for us to use your personal information to perform our
obligations in accordance with the contracts that you are entering into
or have entered into with us, or it is in our legitimate interest to use
personal information in such a way to ensure that we provide the
Account and to take the steps outlined above.
Providing the Services
We will use your Identity Data, Contact Data, Financial Data,
Transaction Data, Profile Data, Technical Data and Usage Data: for
the purpose of supplying the Account and App as part of the Services.
This will include making responsible lending decisions in accordance
with our principles and regulatory obligations, processing payments
and managing transactions, providing you with access to our App.
Our legal basis for processing
It is necessary for us to use your personal information to perform our
obligations in accordance with any contract that we may have with you,
or it is in our legitimate interest or a third party’s legitimate interest to
use personal information in such a way to ensure that we provide the
Services in an effective, safe and efficient way.
Complying with our legal
obligations or in
connection with the
administration of our
business
We will use your Identity Data, Contact Data, Financial Data and
Transaction Data: (i) to comply with our legal obligations, including our
Financial Crime and Anti-Money Laundering obligations; (ii) to enforce
our legal rights; (iii) to protect the rights of third parties; and (iv) in
connection with a business transition such as a merger,
reorganisation, acquisition by another company, or sale of any of our
assets.
Our legal basis for processing
Where we use your personal information in connection with a business
transition, to enforce our legal rights or to protect the rights of third
parties, it is in our legitimate interest to do so. For all other purposes
described in this section, we have a legal obligation to use your
personal information to comply with any legal obligations imposed
upon us, such as a court order.
We will not process any special (or sensitive) categories of personal
information or personal information relating to criminal convictions or
offences except where we are able to do so under applicable
legislation or with your explicit consent.
Direct marketing
We will use your Identity Data, Contact Data and Marketing and
Communications Data to send you marketing communications by
email or text.
Our legal basis for processing
We will only send marketing communications to you by email or text
where you have consented to receive such content, or where we have
another lawful right to send marketing. For example, in certain
circumstances we may rely on our legitimate interest to send marketing
- 5 -
4131-4032-8235.3
by email to consumers who have purchased services from us and we
are able to rely on the soft opt-in.
Personal information we
collect using cookies and
other similar technologies
When you access and use our App, we will collect certain Technical
Data. We may in part collect this personal information by using cookies
and other similar technologies. Please see our cookie policy for further
information, a link to which is available [Our Cookie Policy | Tymit].
Our legal basis for processing
Where your data is collected through the use of non-essential cookies,
we rely on consent to collect your personal information and for the
onward processing purpose.
In certain circumstances, we may rely on another lawful basis when
we use your personal information collected via the use of cookies, for
example if a cookie is strictly necessary for the performance of the App.
If you fail to provide your personal information
Where we are required by law to collect your personal information, or we need to collect your personal
information under the terms of a contract we have with you, and you fail to provide that personal
information when we request it, we may not be able to perform the contract we have or are trying to
enter into with you. This may apply where you do not provide the personal information, we need in order
to provide our part of the Services or to process an application to register an Account. In these
circumstances, we may have to cancel your application or the provision of the relevant Services to you,
in which case we will notify you.
Sharing personal information
We only share personal information with others when we are legally permitted to do so. When we share
personal information with others, we put contractual arrangements or other appropriate security
mechanisms in place to protect the personal information shared and to comply with our legal obligations.
We set out below the relevant third parties with whom data is shared This list is non-exhaustive and
there may be circumstances where we need to share personal information with other third parties.
HDFS
(Harley-Davidson Financial
Services International, Inc.)
When you apply for an Account we will share your Identity Data,
Contact Data, Financial Data, Transactions Data, Usage Data and
Marketing and Communications Data with HDFS and its affiliates who
for relationship management, marketing, maintenance, and product
development of the loyalty programme.
Harley-Davidson dealers
As well as HDFS, we may share your Identity Data, Contact Data,
Financial Data, Transactions Data, Usage Data and Marketing and
Communications Data with Harley-Davidson dealers who are
participating in the loyalty programme.
TPL
(Transact Payments Limited)
We will share your personal information with TPL as the issuer of the
Harley-Davidson Visa Card.
CRAs
(Credit Reference Agencies)
To process your application, we will share your personal information
with CRAs to perform credit and identity checks.
The CRAs we use are:
• TransUnion: https://www.transunion.co.uk/crain
• Experian: https://www.experian.co.uk/crain
- 6 -
4131-4032-8235.3
• Equifax: https://www.equifax.co.uk/crain
Third-party suppliers who
provide applications/
functionality, data
processing or IT services
We share personal information with third parties who support us in
providing our App and help provide, run and manage our internal IT
systems.
Advertising partners
We share personal information with third party advertising partners.
This data is used to provide you with, and measure the effectiveness
of, online personalised advertising and for other advertising related
activities.
Auditors, lawyers,
accountants and other
professional advisers
We share personal information with professional services firms who
advise and assist us in relation to the lawful and effective management
of our organisation and in relation to any disputes we may become
involved in.
Law enforcement or other
government and regulatory
agencies and bodies
We share personal information with law enforcement or other
government and regulatory agencies or other third parties as required
by, and in accordance with, applicable law or regulation.
Another corporate entity in
connection with a business
transition
If we are involved in a business transition such as a merger,
reorganisation, acquisition by another company, or sale of any of our
assets, we may share or transfer personal information to a third party.
Any new owner of our business may continue to use your personal
information in the same way(s) that we have used it, as specified in
this privacy notice.
Other third parties
Occasionally, we may receive requests from third parties with authority
to obtain disclosure of personal information, such as to check that we
are complying with applicable law and regulation, to investigate an
alleged crime, or to establish, exercise or defend legal rights. We will
only fulfil requests for personal information where we are permitted to
do so in accordance with applicable law or regulation.
Transfers outside the UK and the European Economic Area (“EEA”)
Your personal information may be used, stored and/or accessed outside the UK and the EEA to our
suppliers. Further details on to whom your personal information may be disclosed are set out above.
When we provide any personal information about you to any non-UK or EEA parties, we take
appropriate steps to protect your privacy and implement reasonable security measures to protect your
personal information. These measures may include the following:
• Ensuring that there is an adequacy decision by the UK Government in the case of transfers out of
the UK, which means that the recipient country is deemed to provide adequate protection for such
personal information; or
• Ensuring that appropriate safeguards are in place, e.g. by entering into regulation mandated
contracts with our data processors that require them to treat personal information in a manner that
is consistent with this privacy notice.
How long we keep your personal information
In respect of personal information that we process in connection with our supply of the Services, we
may retain your personal information for the following periods:
Product/Process Name
Retention Period
- 7 -
4131-4032-8235.3
Accounts
6 years from the termination of the contract to which customer is a
party.
All declined applications
6 years from date at which customer is informed of our decision to
decline their application. We will cease contact 1 year after
customer is informed of our decision unless we gain the customer’s
explicit consent to continue processing their data.
All cancelled applications
6 years from date at which customer is informed of our decision to
approve their application. We will cease contact 1 year after
customer is informed of our decision unless we gain the customer’s
explicit consent to continue processing their data.
If any personal information is only useful for a short period (e.g. for a specific activity, promotion or
marketing campaign), we will not retain it for longer than the period for which it is used by us.
If you have opted out of receiving marketing communications from us, we will need to retain certain
personal information on a suppression list for a reasonably proportionate period so that we know not to
send you further marketing communications in the future. However, we will not use this personal
information to send you further marketing unless you subsequently opt back in to receive such
marketing.
Confidentiality and security of your personal information
We are committed to keeping the personal information you provide to us secure and we have
implemented information security policies, rules and technical measures to protect the personal
information under our control from unauthorised access, improper use or disclosure, unauthorised
modification and unlawful destruction or accidental loss.
Your rights as a data subject
You have certain rights in relation to the personal information we hold about you and these are set out
below. If you would like to exercise any of these rights please contact us by emailing
privacy@tymit.com.
Your right of access
You have the right to ask us for copies of your personal information.
There are some exemptions, which means you may not always receive
all the information we process.
Your right to rectification
You have the right to ask us to rectify information you think is
inaccurate. You also have the right to ask us to complete information
you think is incomplete..
Your right to erasure
You have the right to ask us to erase your personal information in
certain circumstances.
Your right to restrict
processing
You can ask us to “block” or suppress the processing of your personal
information in certain circumstances such as where you contest the
accuracy of that personal information or you object to us processing it
for a particular purpose. This may not mean that we will stop storing
your personal information but, where we do keep it, we will tell you if
we remove any restriction that we have placed on your personal
information to stop us processing it further.
Your right to data
portability
This only applies to information you have given us. You have the right
to ask that we transfer the information you gave us from one
organisation to another, or give it to you.
- 8 -
4131-4032-8235.3
Your right to object
You have the right to object to processing if we are able to process
your information because the process forms part of our public tasks,
or is in our legitimate interests.
Your rights in relation to
automated decision-
making and profiling
You have the right not to be subject to a decision when it is based on
automatic processing, including profiling, if it produces a legal effect or
similarly significantly affects you, unless such profiling is necessary for
the entering into, or the performance of, a contract between you and
us.
Your right to withdraw
consent
If we rely on your consent (or explicit consent) as our legal basis for
processing your personal information, you have the right to withdraw
that consent at any time. You can exercise your right of withdrawal by
contacting us using our contact details in section 2 (How to contact us)
above or by using any other opt-out mechanism we may provide, such
as an unsubscribe link in an email.
Your right to lodge a
complaint with the
supervisory authority
If you have a concern about any aspect of our privacy practices,
including the way we have handled your personal information, please
contact us using our contact details below (How to contact us) above,
or report any issues or concerns to the UK regulatory authority, the
Information Commissioner’s Office (“ICO”). Contact details for the ICO
can be found on its website at https://ico.org.uk.
Changes to this privacy notice
Any material changes we make to our privacy notice in the future will be posted on this page and, if
appropriate, sent to you by email.
How to contact us
If you have any questions about our privacy notice or the personal information which we hold about you
or, please send an email to our Data Protection Team privacy@tymit.com.
