Privacy Policy

Intro

We, Mistho Services Limited (hereinafter also referred to as “Mistho” or “we”), take the protection of your personal data very seriously. We treat personal data with confidentiality and in accordance with the applicable data protection regulations as well as on the basis of this data protection policy (“Policy”).

Mistho is a company based in the UK that facilitates the day-to-day conclusion of contracts by processing your relevant data from your monthly pay slips on your behalf, as your agent, and transmitting this data to your selected partner (the "Mistho Service''). The partner (“Partner”) in turn will use and process your data to provide its own services or to fulfil your bilateral contractual relationship (“Partner Services”). Mistho makes it possible to extract your relevant personal data, e.g. for the conclusion of a rental, leasing, purchase, credit or brokerage contract, from your payslips and to process for the conclusion of a rental, leasing, purchase, credit or brokerage contract can be forwarded to the respective Partner via a secure connection. In this way, a Partner can receive this data for further processing for the specific purpose of the contract. We at Mistho offer Partners an application programming interface, or API for short, which means an interface through which the relevant data can be exchanged. Mistho thus arranges for you and a Partner the efficient and secure data exchange of the data required for the purpose of the contract between you, without you having to copy, scan and transmit unencrypted salary slips to the Partner. The data shared, includes in particular, your first and last name, your address, your date of birth and your monthly income from your employment.

To use the Mistho Service, you will be forwarded to the Mistho Service by a Partner of your choice. Typical Partners of Mistho are service providers such as lenders, buy-now-pay-later services, online real estate services, brokers or landlords, i.e. services for which you have to verify your monthly income, amongst other things. You always decide for yourself whether you want to transmit your data to the respective Partner.

Nothing is intended to, or shall be deemed to, establish any partnership or joint venture between Mistho and any Partner, constitute either Mistho or any Partner the agent of the other, or authorise either Mistho or any Partner to make or enter into any commitments for, or on behalf of, the other.

With this Policy we would like to inform you what personal data is collected while using the Mistho Service and for what purpose that data is processed and used. We will also inform you about your rights under applicable data protection laws and give you advice on whom you can contact if you have any questions.

About us

The Mistho Service is operated by Mistho Services Limited, a company registered in England and Wales with company number 13636487 and whose registered office is situated at 27 Old Gloucester Street, London, WC1N 3AX, United Kingdom (Mistho/we/us/our). As explained in this Policy, there will be times at which Mistho is the controller (also known as a data controller) of, and is responsible for, your personal information. At other times and again as explained in this Policy, Mistho will simply be acting as an extension of you (as your agent, only performing activities on your instruction) and as a processor or data processor on behalf of your Partner. The term “you” refers to the user wishing to access and/or use the Mistho Service.

Person responsible

We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Policy. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

Full name of legal entity: Evalian Limited

Email address: dpo@evalian.co.uk

Who does this Policy apply to?

This Policy applies to all current, former and potential customers of Mistho who are natural persons.

It is important that you read this Policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Policy supplements other notices and privacy policies and is not intended to override them.

General notes and information on data processing

As a matter of principle, we only collect and use personal data of our users insofar as this is necessary for our services and for the provision of a functional website.

What personal data do we collect from you?

Personal data is all information that tells us something about you or that we can relate to you. By processing, we mean the collection, recording, organization, ordering, storage, adaptation or modification, reading, querying, use, disclosure by transmission, dissemination or any other form of provision, comparison or the linking, restriction, deletion or destruction.

We collect personal information that you voluntarily provide to us when registering to use and actually using the Mistho Service, or otherwise contacting us. In particular, we may collect personal information via our website and other technical systems (for more information, see section below titled “Collection of personal data when you visit our website www.mistho.io”), when you participate in or receive a service from us (including, for example, where you contact us, request information online, report an issue, provide feedback or enter a live chat), and from any payslip you provide (which is used when using our Mistho Service to initiate or conclude a contract with Partners selected by you). The personal data may include:

Your first and last name, your title, your address, your e-mail address, your telephone and / or fax number, your date of birth, socio-demographic data (marital status, family situation and whether you have children);
Data on your online behavior and your online preferences, e.g. IP addresses, unique allocation features of mobile devices when you use our website, data on your visits to our website, devices with which you have visited our website (this helps to identify whether you are browsing our website);
Financial and banking details: your monthly earnings, bank details;
Date of entry into the employment relationship, if applicable the date of leaving the employment relationship;
Tax data, such as tax contributions;
Special categories of personal data contained in the payroll: your tax number, national insurance number, religious affiliation, gender, child allowance, information on the degree of disability in the case of severe disabilities, insurance numbers for health, long-term care and unemployment and pension insurance;
Information about your interests and wishes that you communicate to us, e.g. via our customer service or when you take part in an online survey;
Know-Your-Customer- (KYC-) data, i.e. this means checking the personal data of new customers in order to prevent criminal offenses.

Special Category Personal Data or “Sensitive Data”

Special category personal data, formerly known as "sensitive data", is personal data from which racial and ethnic origin, political opinions, religious or ideological convictions or union membership emerge, as well as the processing of genetic data, biometric data to uniquely identify a natural person, health data or data on the sex life or sexual orientation of a natural person.

We only process your sensitive data:

when we have your express consent;
if we are legally obliged and / or entitled to do so.

Children's data

We do not process personal data from children. By using the Mistho Service, you represent that you are at least 16 years of age. If we learn that personal data from users less than 16 years of age has been collected, we will deactivate the relevant account and take reasonable measures to promptly delete such data from our records.

What do we use your data for and on what legal basis?

We only process personal data of our users insofar as this is necessary for the provision of our services and our content.

The goal of processing your data is to simplify the transmission of relevant data from your monthly payslips to the Partners selected for the respective contract, who in turn process your data to provide you with their own services. You can only use the Mistho Service if instigated through your use of a Partner Service.

We will act as your agent and the processor of your selected Partner where processing your personal data in the context of the Mistho Service – e.g. when accessing your payslips and making those available to your selected Partners.

Otherwise, we will act as a controller – e.g. when marketing our services, operating our website or completing any data analytics activities which are not related to a specific Partner contract.

We may process your data for the following purposes:-

What do we use your data for and on what legal basis?

We only process personal data of our users insofar as this is necessary for the provision of our services and our content.

Otherwise, we will act as a controller – e.g. when marketing our services, operating our website or completing any data analytics activities which are not related to a specific Partner contract.

We may process your data for the following purposes:-

Fulfillment of contractual obligations or measures in the context of contract initiation

In order to be able to provide the Mistho Service, we have to process your data on behalf of your selected Partner. This also applies to any pre-contractual information that you provide to us.

Customer management and marketing

We can ask for your opinion on our services. We will do so as a controller. We can use this data to improve our offers or to tailor our products and services to you. This is described in further detail in the section below titled “Notes on Marketing”.

Measures for your security, legitimate interest

We are obliged to protect your personal data and to prevent, detect and contain data protection violations. In addition to this, not only do we want to protect you from fraud and cybercrime, we are also committed to protecting the integrity and safety of Mistho.

If the processing of personal data is not compatible with one of the above-mentioned purposes, we ask for your express consent, which you can refuse or revoke at any time.

Processing of personal data based on your consent

When using the Mistho Service, special category personal data may be processed by Mistho on behalf of your selected Partner. This is due to the fact that we forward the relevant data in your payroll for the respective contract conclusion to the Partner, for example when granting a loan or in the run-up to a rental agreement.

Special category personal data may be included in your pay slip, which you voluntarily provide or make available to us. Mistho only uses this information to provide you with the Mistho Service you require. In order for Mistho to process special category personal data, you must explicitly consent to the processing of special personal data. You have the right to withdraw your consent at any time in relation to the processing of special category personal data.

How long do we keep your data?

We only store your data for as long as is necessary for the respective purpose of processing, unless a longer retention period is required or permitted by law (such as tax law, accounting requirements or other legal or regulatory requirements). When we have no ongoing purpose to justify the processing of your personal data, we will either delete or anonymise it, or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

Who do we share your data with and why?

In order to be able to offer you the best possible service and to maintain the competitiveness in our industry, we pass on certain data externally to third parties. If we transfer your personal data to third parties (other companies outside of Mistho) in countries outside the UK, we will ensure that the necessary protective measures have been taken in accordance with this Policy and applicable laws. To the extent that any transfer requires approved safeguards to be in place we will only transfer your information to countries that have been deemed to provide an adequate level of protection for personal data. Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK. Please contact us if you want further information on the specific mechanism(s) used by us when transferring your personal data out of the UK.

Public bodies

In order to fulfill our legal obligations, we can disclose data to the competent authorities, e.g. in the event of fraud or forgery of documents. In some cases we are legally obliged to pass on your data, for example to tax authorities, judicial authorities and similar institutions upon their express and legitimate request, or in order to comply with applicable laws, governmental requests, judicial proceedings, court orders, or legal processes.

Service providers and other third parties who support us

If we commission service providers or other third parties to carry out certain activities in the course of normal business activities, we may have to transmit personal data for certain tasks. Service providers support us in activities such as:

Provision of application or infrastructure services (e.g. cloud services);
Special services, including in the areas of law and auditing, tax advice from lawyers, auditors, tax advisors, notaries, trustees or other specialist advisors

Mistho‘s Partner, your selected business and contractual Partners

We transmit your personal data to the Partner after you have specified them as providing you with a Partner Service and after you have approved the transmission as part of the use of our Mistho Service.

With your consent

We may disclose your personal data for any other purpose with your consent, including with any person who you have named as a person we can contact and any agent or representative of yours.

Your rights are important to us. What are your rights?

As a data subject, you have the following rights towards the controller (which, as explained above, will be us in certain contexts). Please note that we will require evidence of your identity before we are able to respond to any requests. This is a security measure to ensure that your personal data is not disclosed to a person who does not have the right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. If you would like to exercise one of your rights, please contact our data protection officer:

Full name of legal entity: Evalian Limited

Email address: dpo@evalian.co.uk

Right of access by the data subject

You have the right to request information from us as to whether and, if so, how we process personal data relating to you. Upon request, we will provide you with a digital copy of this data.

The aforementioned right to information can be restricted or excluded under certain legal requirements. Where we have good reason, and where data protection law permits, we can refuse your request for a copy of your data, or certain elements of the request. If we refuse your request or any element of it, we will provide you with our reason(s) for doing so.

Right to rectification

You have the right to correction and / or completion of your personal data from the person responsible if the processed personal data concerning you is incorrect or incomplete.

Right to erasure (‘right to be forgotten’)

You can request the deletion of your data stored by us if:-

the data is no longer necessary for the purposes for which it was collected or processed;
you have withdrawn your consent and there is no other legal basis for the processing;
you lodge an objection to processing of your personal data and there are no overriding legitimate reasons for the processing or you lodge an objection to processing in relation to direct marketing, in each as further described below;
the personal data has been processed unlawfully; or
the deletion is necessary to fulfill a legal obligation.

This right to deletion does not apply if the processing is used to exercise the right to freedom of expression and information; to fulfill a legal obligation; for reasons of public interest; or is necessary for the establishment, exercise or defense of legal claims.

Right to restriction of processing

You can request that the processing of your personal data be restricted if:-

the accuracy of the personal data is contested by you for the duration of the verification of the accuracy by the person responsible;
the processing is unlawful and you request the restriction of use instead of deletion;
the person responsible no longer needs the data, but you need them to assert, exercise or defend legal claims: or
you have lodged an objection to the processing and it has not yet been determined whether the controller's legitimate reasons outweigh your reasons.

If the processing of your personal data has been restricted, this data - apart from its storage - may only be used with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

If the processing restriction has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.

Right to data portability

You have the right to receive the personal data you have provided to us in a structured, common and machine-readable format or to request that it be transmitted to another person responsible.

Right to object

In certain circumstances, you have the right to object to our processing of your personal data (for example, if we are processing your personal data on the basis of our legitimate interests but there are no longer any compelling legitimate grounds to justify our processing overriding your rights and interests).If the objection is directed against direct marketing, you have a general right of objection.

Right to withdraw consent

You have the right to revoke the consent you have given us at any time, with the result that we are no longer allowed to continue the data processing based on this consent in the future. Please note however that this will not affect the lawfulness of the processing that occurred before the withdrawal of such consent.

Right to lodge a complaint with the Information Commissioner’s Office

You have the right to complain to the Information Commissioner’s Office (the ICO), the UK supervisory authority for data protection issues (https://ico.org.uk/concerns). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Collection of personal data when you visit our website www.mistho.io

We will act as a controller in relation to such personal data.

Informational use

If you only use the website for informational purposes, we only collect the personal data that your browser transmits to our server. If you would like to visit our website, we collect the following data, which is technically necessary for us to display our website to you and to guarantee stability and security:- IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status / HTTP status code, amount of data transferred in each case, website from which the request comes, browser, operating system and its interface, language and version of the browser software.

Use of Cookies

We use cookies on our website. Cookies are small text files that are assigned to the browser you are using and stored on your hard drive by means of a characteristic string of characters and through which certain information flows to the place that sets the cookie. Cookies cannot run programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make the Internet offer more user-friendly and more effective overall, i.e. more pleasant for you.

Cookies can contain data that enable the device used to be recognized. In some cases, however, cookies only contain information about certain settings that cannot be related to a person. However, cookies cannot identify a user directly.

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is again made between cookies:

Technical cookies: These are absolutely necessary in order to move around the website, to use basic functions and to guarantee the security of the website; they do not collect information about you for marketing purposes, nor do they store which websites you have visited.

Performance cookies: These collect information about how you use our website, which pages you visit and e.g. whether there are errors in the use of the website; they do not collect any information that could identify you - all information collected is anonymous and is only used to improve our website and to find out what interests our users.

Advertising cookies, targeting cookies: These are used to offer website users needs-based advertising on the website or offers from third parties and to measure the effectiveness of these offers.

Any use of cookies that is not technically required represents data processing that is only permitted with your express and active consent. This applies in particular to the use of advertising or targeting cookies. In addition, we only pass on your personal data processed by cookies to third parties if you have given your express consent.

Cookie Policy

For more information about which cookies we use and how you can manage your cookie settings and deactivate certain types of tracking, see our Cookie Policy mistho.io/cookie-policy.

Notes on data processing when using our Mistho Service

This section provides you with further technical information on how the Mistho Service works.

We integrate the Mistho Service with the corresponding Partner Service, i.e. as part of using the corresponding Partner Service, you will be redirected from the front-end (user interface) of the respective Partner to the Mistho front-end. You will recognize this by the fact that a separate Mistho window will open where you will be guided through our process. This takes place within the framework of the offer of the Partner whose service you primarily use. Within our window as part of the Partner's Service, you can also view our imprint, the data protection declaration and the terms of use of Mistho.

You have the option of choosing between two different options to provide us with your payslip for further processing:

Manual upload of your pay slip that you have saved on your computer or mobile device or;
Enter your log-in data for your respective payroll service.

Only after entering your personalized log-in data or after uploading your selected payslip and after your explicit approval will we receive access to your information and data, which we then process and subsequently forward to the Partner. Mistho uses a state-of-the-art encrypted connection for the data transfer.

The further use or processing of the data within the Partner Service is in turn exclusively based on the applicable data protection regulations of the Partner and is solely the responsibility of the Partner. We cannot guarantee the safety and privacy of data you provide to any Partner Service or any other third parties. Any data collected by third parties is not covered by this Policy. We are not responsible for the content or privacy and security practices and policies of any third parties, including other websites, services or applications that may be linked to or from the Mistho Service. You should review the policies of such third parties and contact them directly if you have any related questions.

In the following we will inform you about the various options for using our Mistho Service:

Manual upload of your payroll

You can provide us with your pay slip using an upload function.

For this purpose, your payslip will be saved on our server in the United Kingdom so that we can then process it further. We process your payslip using our Optical Character Recognition System (“OCR”) and extract all information that is essential for the Partner. After the OCR process has been completed, Mistho will process the essential data and share it directly with the Partner as a so-called API response.

Log-in via your payroll service

At your option, you can also log in via your payroll log-in and provide us with your payslip for further processing.

Payroll services are portals or services through which you can access your monthly payroll payslips, income tax certificates and social security certificates, among other things.

As soon as you have selected your payroll service, you can enter your log-in data in the mask. After the log-in process, we will ask you which payslips you would like to release. By entering this data in the mask provided for this purpose, we can access the pay slip of your selected provider.

In addition, the Partner has the option of informing us in advance which payslips and data they need to conclude the Partner Service with you.

As part of our process, we will then inform you which payslips the Partner needs from you. Before you can log into your payroll service, you must explicitly approve the required payslips and agree to their processing. If you agree to the processing of the data required by the Partner, you can select your payroll service and enter your log-in data in the mask. By entering this data in the mask provided for this purpose, we can access the stored payslip(s) of your selected payroll service provider.

After you have agreed to the processing of the payslips for the months of March, April and May 2021, for example, we will process the relevant payslips, extract the essential information and process it in an API response.

If we do not yet offer your payroll service, you can upload your payslip manually. You can also tell us which service you use to manage your payslips by providing us with your name, email address and your payroll service. You will then receive a notification from us as soon as your payroll service is available. This is of course voluntary.

Data passed to the Partner

The API response created by us includes the following data and categories:-

Employee Data (Name, Address, Tax ID, Social Security No.)
Employer Data (Name, Address)
Income Data (Earnings, Deductions, Contributions, YTD Running Totals, Income amount paid, Payment Method, Payment Date, Payslip Date)

We forward the API response to the Partner so that the Partner can fulfill the contract between you and the Partner.

In addition to the API response, we also forward your payslips to the Partner by providing the Partner with a download link.

Duration of storage and deletion of your data

No storage of your log-in data
- Your log-in data for the payroll service will not be saved by us at any time.
Storage and deletion of the API response
- The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.
- We store the API response for a period of ten years, whereby the API response is generally not visible to us. The storage serves to preserve evidence, for example in cases of fraud for investigative, criminal or civil proceedings.
- The API response will be deleted after ten years.
Storage and deletion of your payslip
- We also save your payslip for a period of 10 years on our server, whereby your payslip (s) cannot be viewed by us. The storage serves to preserve evidence, for example in cases of fraud for investigative, criminal or civil proceedings.
Access
- Only a few selected and specially trained Mistho employees have access to your data for the duration of the storage.
Storage of anonymized data
- In addition, we save a masked version of the API response for the optimization and further development of our offer. The masked version of the API response does not allow any conclusions to be drawn about a person's identity. The data is completely anonymized and is used solely for the optimization and further development of our Mistho Service by our IT department.

Notes on Marketing

We also use your data to recommend new services / applications to you. We will do so as a controller.

If we do not yet offer your payroll service, you can tell us which service you use to manage your payroll by providing us with your email address and your payroll service. You will then receive a notification from us as soon as your payroll service is available.

This notification / newsletter is sent on the basis of your consent. After you have given us your name, your e-mail address and your payroll service, you will receive an e-mail from us in which we ask you to click a link to confirm that you would like to receive our newsletter (Double opt-in). We will therefore only send you a newsletter if you have expressly confirmed to us beforehand that you would like to receive one.

You can object to the use of your data for information and advertising purposes at any time by email to info@mistho.io or by using the unsubscribe link in any newsletter.

We use the services of Mailchimp to send our newsletters.

The provider is Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.

MailChimp is a service with which, among other things, the sending of newsletters can be organized and analyzed. If you enter data for the purpose of subscribing to the newsletter (e.g. email address), it will be stored on MailChimp's servers in the USA.

With the help of MailChimp we can analyze our newsletter campaigns. When you open an email sent with MailChimp, a file contained in the email (so-called web beacon) connects to MailChimp's servers in the USA. In this way it can be determined whether a newsletter message has been opened and which links have been clicked. Technical information is also recorded (e.g. time of access, IP address, browser type and operating system). This information cannot be assigned to the respective newsletter recipient. They are used exclusively for the statistical analysis of newsletter campaigns. The results of these analyzes can be used to better adapt future newsletters to the interests of the recipients.

The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from our servers as well as from the MailChimp servers after you unsubscribe from the newsletter. This does not affect data that we have stored for other purposes (e.g. e-mail addresses for the member area).

At MailChimp, the standard contractual clauses of the European Commission apply to the transmission of data for online advertising as well as personal data originating from the European Economic Area, Switzerland and the United Kingdom.

We have concluded a "Data Processing Agreement" with MailChimp, in which we oblige MailChimp to protect our customers' data and not to pass it on to third parties.

Further information can be found at:

https://mailchimp.com/eu-us-data-transfer-statement/

https://mailchimp.com/legal/data-processing-addendum/

You can also find more information in MailChimp's data protection provisions at:

https://mailchimp.com/legal/

Data security

We use the widespread SSL (Secure Socket Layer) method in conjunction with the highest level of encryption supported by your browser.

We also use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.

Changes to this Policy or your information

This Policy is valid from July 2021. Due to the further development of our website and offers or due to changed legal requirements, a change to this Policy may become necessary.

We review this Policy regularly and it is your responsibility to check regularly and determine whether you still agree to comply with the Policy. If you do not agree to any changes to this Policy then you must immediately stop using the Mistho Service. In the event we make any significant changes to this Policy we will use our reasonable endeavours to inform you of such changes in advance in writing.

It is important that the personal information we hold about you is true, complete, accurate and current. Accordingly, you must notify us of any changes to your personal information (for example, if you change your email address).