Tickets now available for Europe's leading Financial Wellbeing conference on 20th May 2026
This Privacy Notice covers the position where Stream is the Controller of your Personal Data. Please see the end of this Privacy Notice for a statement concerning where Stream is a Processor.
Stream respects your privacy and is committed to protecting your Personal Data. We want to be transparent with you about how we collect and use your Personal Data in making available our platform, mobile application (“App”) and/or website(s) (together “Platform”) and tell you about your privacy rights and how the law protects you.
With that in mind, this Privacy Notice describes how Stream collects and processes your Personal Data, which may be either through your use of the Stream Platform, including any data you may provide through this Platform; or through your interaction with Stream through social media and marketing activities. The Privacy Notice complies with and is intended to meet our duties of Transparency under the retained EU law version of the General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (as amended from time to time).
It is important that you read this Privacy Notice together with any other privacy or fair processing notice we may provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your Personal Data. This Privacy Notice supplements other such notices and is not intended to override them.
Stream Platforms Ltd is a company registered in England and Wales (number 11173225) at 7-9 Rathbone Street, London, W1T 1LY; registered with the Financial Conduct Authority (“FCA”) (firm reference 902046) as an EMD Agent of Electronic Money Institutions authorised by the FCA: PayrNet Limited (firm reference 900594) and Modulr FS Limited (firm reference 900573); acts as a PSD agent (firm reference 995651) of Bud Financial Limited (firm reference 793327), a Payment Institution authorised by the FCA, for Account Information Services.
We are registered with the Information Commissioner’s Office (“ICO”) with reference number: ZA421647 (Stream Platforms Ltd).
In this Privacy Notice, where we refer to “Stream”, “we”, “us” or “our” we mean Stream Platforms Ltd unless expressly stated otherwise or the context otherwise requires.
The privacy notice applicable to the provision of credit cards, loans and workplace savings provided by Stream Financial Services Ltd can be found on our website.
The privacy notice applicable to the provision of pensions tracing and consolidation services provided by Stream Asset Management Ltd can be found on our website.
We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about it, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
You can contact us through the App or Stream website; by emailing: dpo@stream.co or writing to us at DPO, Stream, 7-9 Rathbone Street, London, W1T 1LY.
The types of Personal Data we may collect about you, is outlined in the table below.
Category of Personal Data collected | What this means |
Identity Data | includes full name; username or similar identifier; title; date of birth; gender; age; nationality and language(s); passport, driving licence or other identity document, which includes a photograph (for KYC, AML checks, and profile picture where added), National Insurance Number |
Contact Data | includes your home address; email address and telephone numbers. |
Profile Data | includes your password, your interests, preferences, feedback and survey responses. |
Other Personal Data | includes data provided to customer services support about your personal circumstances, which may include additional financial information such as household income; financial income other than salary; financial liabilities. |
Employment Data | includes Employee ID; income; employment status; shifts and hours; absences, name of employer, place of work, employment history, start date, and termination date. |
Financial Data | includes sort code; account name; account number; salary and statutory payments. |
Open Banking Data | includes transaction history; transaction amounts and descriptions; account name; account number; account balance; currency; overdraft availability and balance; payment due dates and other information about your transactions, such as fees and account charges. |
Transaction Data | includes any details about payments to and from you; other details of our services you have used and your transactions with 3rd parties. |
Behavioural Data | includes inferred or assumed information relating to your behaviour and interests; based on your online activity and/or in App. This is most often collated and grouped into “segments” (e.g., there may be a segment for users, living in London and aged under 25, who use our services twice a month). |
Technical Data | includes data related to website visits and App usage, such as Internet Protocol (IP) address; mobile device identifier; your login data; browser type and version; time zone setting and location; device language settings; browser plug-in types and versions; download errors; response time; page interaction (such as scrolling, clicks, and mouse-overs) device type and model; operating system and platform and other technology on the devices you use to access this Platform or use our services. |
Marketing and Communications Data | includes your preferences in receiving marketing from us and third parties and your communication preferences; our communications with you (which may include correspondences, call and video records, automated transcriptions and AI generated analysis thereof). |
Health Data | includes data about your health such as absence data, where shared by your employer, to allow Stream to accurately adjust your salary accrual, this may include the reason that you are absent from work; any sensitive health information that individuals provide us during Coach conversations, or conversations with our support team, or any other communications that may reveal your vulnerability status, such as a gambling addiction, or other health issues |
Account Activity Data | includes your name, date of birth but also your current and past (i) address details, (ii) employment status (including your role, starting & ending date(s), number of worked hours), (iii) employer details, salary/earning/payroll details (including but not limited to payment dates and frequencies, gross and net salary/earnings information and tax related details). |
Pension Data | Includes pension scheme name(s); pension policy number(s); type of pension plan; charges, including any exit fees; transfer value; any restrictions or safeguarding benefits; and any other pension details. |
Letter of Authority Data | Includes a copy of your signature, collected for the purpose of creating Letters of Authority to be submitted to pension providers, enabling us to request information about your pension schemes on your behalf. |
We may use and share Personal Data as “Aggregated Data” for statistical purposes only. Aggregated Data may be derived from your Personal Data, but once in aggregated form it will not constitute Personal Data for the purposes of the UK GDPR as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Notice.
We may need to process sensitive information about you that data protection laws call “Special Category” data. This is information that can reveal details about a person’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, and information about health and genetic data.
Our reasons for using special category data
Face / Biometric Data – As Stream is a financial services provider, we are required to undertake Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance checks if you open a Build Pot, Savings Account, or apply for a credit product.
Our third party partner Onfido collects facial biometric data for the purposes of completing the KYC and AML checks, by comparing a photograph of your identity document, against a photograph of you to allow verification of your identity. Onfido stores this data for up to three years for legal and compliance purposes. Onfido’s Privacy Notice can be found on their website. Stream does not store this data.
We may also collect and process Health Data where you or your employer provide us with the same for the purposes of (i) ensuring accurate earnings calculations when absent from work; (ii) providing our Coach product to you; or (iii) protecting your financial wellbeing if you are at risk.
We will record any issues you tell us about if they involve special category (i.e., sensitive) personal information, such as a gambling addiction or information about your health. We do this to comply with the FCA's rules and expectations, which require us to understand and support customers with characteristics of vulnerability. We will only collect and process special category data that is necessary to meet our obligations and to provide appropriate support. We will ensure that the data collected is proportionate to the purpose. This information will be used to tailor our services, and ensure fair treatment. We rely on Article 9(2)(g) UK GDPR / paragraph 19 of Schedule 1 of the DPA 2018 (safeguarding of economic wellbeing) and Article 9(2)(g) / paragraph 9 of Schedule 1 of the DPA 2018 (equality of opportunity or treatment) as the legal basis for processing this data.
We may share information about you externally where we deem it is necessary to protect your vital interests or the vital interest of another person.
This Platform is not intended for individuals below 16 and we do not knowingly collect data relating to such children. If you believe that we may have processed the data of any person under 16 years of age please contact our DPO immediately by email at dpo@stream.co; or writing to us at DPO, Stream, 7-9 Rathbone Street, London, W1T 1LY.
Directly from you via in-App chat, by filling in forms or by corresponding with us by post, phone, email, social media channels or otherwise. This includes, without limitation, Personal Data you provide when you:
As you interact with the Platform, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this Personal Data by using cookies, server logs and other similar technologies. For more details, please see the Cookies section. You can read our full Cookie Notice in our Cookie Notice page.
In addition to the Personal Data that we collect directly from you, we may also collect certain categories of your Personal Data from third party sources. These sources are broken down in the table below.
Third party data source | Categories of personal data received | Purpose |
Your employer (including their agents and service providers for example, workforce management systems providers) | Identity Data, Contact Data, Employment Data, Financial Data | To register you as a user and provide you with the Stream services |
Analytics providers (such as Google based outside the UK) | Technical Data | To track issues that might be occurring on our systems and to understand and measure how users use our Platform to improve it and report relevant aggregated management information. |
Your bank(s) (where you have authorised an Open Banking connection) | Open Banking Data | To provide you with account information services and other Open Banking services including product referrals. |
Our service providers | Identity Data, Contact Data | To perform identity checks and compliance monitoring |
Affiliate networks (where you have authorised cookies for discount and/or cashback purposes) | Identity Data, Technical Data, Transaction Data | To perform our discount and cashback services |
We have set out below, in a table format, how we use your Personal Data. We will only use your Personal Data where we have a lawful basis to do so.
Purpose | Category(ies) of Personal Data involved | Why do we do this? | Our legal basis for this use of data |
Account Creation | Identity Data, Contact Data | To register you as a new user | Performance of contract |
Transfers and Service Provision | Identity Data, Contact Data, Profile Data, Employment Data, Health Data, Financial Data | To provide you with Stream’s services and related communications | Performance of contract, Consent |
Open Banking | Open Banking Data | To provide our account information services and other Open Banking services | Performance of contract |
Customer services and staff training | Identity Data, Contact Data, Profile Data, Employment Data, Financial Data, Technical Data, Marketing and Communications Data | To provide user support; to train our staff | Performance of contract (Support), Legitimate Interest (Training) |
Meeting Documentation & Analysis | Marketing and Communications Data | To transcribe and summarise meetings for internal record-keeping, team collaboration, and quality assurance. | Legitimate Interest |
Compliance and Fraud Prevention | Identity Data, Contact Data, Behavioural Data, Technical Data, Financial Data, Health Data | To keep our App, services and associated systems operational and secure. To keep your data and identity secure and comply with our AML, KYC and Consumer Duty obligations. To enable regulated partners to comply with their legal obligations | Legal Compliance, Legitimate Interest |
Troubleshooting | Technical Data | To track issues that might be occurring on our systems | Legitimate Interest |
Optimisation and Analytics | Identity Data, Contact Data, Transaction Data, Technical Data, Behavioural Data, Open Banking Data | To understand and measure how users use our Platform to improve it and report relevant aggregated management information | Legitimate Interest |
Product Referrals | Identity Data, Contact Data, Technical Data, Transaction Data, Financial Data, Open Banking Data | To allow Stream to refer to you, and for you to access, third party products and services | Performance of contract, Consent |
Surveys | Identity Data, Contact Data, Profile Data | To improve our service | Legitimate interest |
Research and Statistics | Identity Data, Contact Data, Profile Data, Employment Data, Financial Data, Open Banking Data, Transaction Data, Behavioural Data, Technical Data, Other Personal Data | We use a range of rigorous scientific methods to understand our users better and how to support them, which also serves to further a general public interest. | Legitimate Interest |
Service Improvement and Development | Identity Data, Contact Data, Profile Data, Employment Data, Financial Data, Open Banking Data, Transaction Data, Behavioural Data, Technical Data, Other Personal Data | To improve our existing services and develop ancillary services where we think these would be of interest to our users. | Legitimate Interest |
Credit Reference Agency Identification | Identity Data, Contact Data | We share this information with certain credit reference agencies to identify you within the credit reference agency’s database and assign a unique identifier to your account to enable future Verification Data Disclosure where requested or required. | Legitimate Interest |
Verification Data Disclosure | Account Activity Data | When you make an application to a third party (e.g., utility or financial services provider) or a potential employer, we provide verification of income, employment and tax details to the third party you have made an application to (and their agents) at your request. We also provide this information to credit reference agencies and, via them, to other verification service providers for credit risk assessments, fraud prevention, ID verification, employment and income verification, compliance with applicable law or to exercise or defend a legal right, debt management, consumer credit scoring services and analytics. | Legitimate Interest |
Work Profile | Identity Data, Contact Data, Employment Data, Pension Data, Letter of Authority Data | Where you create a work profile with us upon leaving your employer, this will be made visible to potential employers. | Consent |
Pension Tracing | Identity Data, Contact Data, Employment Data, Pension Data, Letter of Authority Data | To identify and obtain information about your pension schemes, provide you with details of your pension, and create Letters of Authority | Performance of contract, Consent |
AI-powered Customer Support & Coach Product | Identity Data, Contact Data, Profile Data, Employment Data, Health Data, Financial Data, Technical Data, Marketing and Communications Data, Open Banking Data, Transaction Data, Behavioural Data, Other Personal Data | To enhance customer support by using AI technology to categorise queries, suggest answers to agents, or provide automated chatbot responses. To deliver the Stream Coach product, offering tailored guidance based on your financial circumstances. | Legitimate Interest |
Credit Modelling | Identity Data, Contact Data, Employment Data, Financial Data, Open Banking Data, Transaction Data, Behavioural Data, Technical Data, Other Personal Data | To develop and utilise predictive models (using technology to analyze historical data patterns) that inform eligibility and terms for financial products offered by Stream Financial Services Ltd. This helps to assess credit risk and personalise product offerings. | Legitimate Interest |
We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising.
We may use your Identity, Contact, Technical, Behavioural, Open Banking, and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications (including by email and push notification) from us if you have requested information from us or obtained services from us and you have not opted out of or unsubscribed from receiving that marketing.
You will receive marketing communications by text and/or WhatsApp only where you have consented to receive the same.
We will get your express opt-in consent before we share your Personal Data with any third party for their marketing purposes.
You can ask us to stop sending you marketing communications at any time by logging into the App and changing your preferences via the Profile tab (in respect of push notifications) or by following the unsubscribe links in any of our marketing emails sent to you (in respect of email communications) or in relation to text or WhatsApp messages by replying “STOP” as indicated in these messages. You may also unsubscribe or opt out by contacting us at any time using the contact details shown in “Who We Are and How to Contact Us” above (in respect of either or both communications).
Where you opt out of receiving these marketing messages, this will not apply to transactional or service messages. Please allow two working days for instruction to take effect in all of our systems.
We may share your Personal Data with the third parties set out below for the purposes set out in this privacy notice:
Your employer. Your employer(s) engaged Stream to provide the Platform and Stream’s services. We share your Personal Data with your employer(s) to provide them and you with such Platform and services.
Members of our group of companies (Stream Platforms Ltd, Stream Platforms Inc., Wagestream Financial Services UK Limited, Stream Financial Services Ltd, and Stream Asset Management Ltd). Data is shared for: reporting purposes; and the provision of ancillary services; and insurance services; and credit/regulated products; and customer services support.
Partners. Where partners provide elements of our, or ancillary, services.
Affiliate networks. To track sales originating from our service.
Service providers. Specifically those providing IT and system administration, email and marketing communications, customer support, meeting intelligence and transcription, and KYC /AML verification, as well as other professional and support services necessary for the operation of our business.
Professional advisers. For the provision of consultancy, banking, legal, insurance, accounting and similar services.
Utility or financial service providers/their third-party agents and Credit Reference Agencies. We share your Personal Data with utility providers, financial service providers, and Credit Reference Agencies (CRAs), including (but not limited to) Equifax and Experian and, via them, with employment/income verification service providers (including but not limited to Konfir) and their clients. When you make an application for a product such as a mortgage or a service such as utilities.
When we exchange data with CRAs, they will use it to verify your identity and creditworthiness. They may also link your data to the records of your spouse or financial associates. The CRAs process your Personal Data in accordance with the Credit Reference Agency Information Notice (CRAIN). The CRAIN applies to all three major agencies (Equifax, Experian, and TransUnion) and explains how they manage your data. You can read the full CRAIN notice at: www.equifax.co.uk/crain.
HM Revenue & Customs, regulators and other authorities acting as processors, and our principals, who require reporting of processing activities in certain circumstances.
Employers and their third-party agents and employment/income verification service providers (including but not limited to Konfir). To share your Work Profile, allow verification of your Work Profile, work history, and any associated data with prospective employers.
Pension Providers. We will share relevant data with pension providers, to obtain and/or ascertain the existence of any, and all information about your pension plans.
Research Institutions. To further understanding of the financial poverty premium, and financial wellbeing, we engage with trusted institutions to undertake financial research. Data will either be fully anonymised, or pseudonymised.
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Privacy Notice.
We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
Many of our external third parties are based outside the UK so their processing of your Personal Data will involve a transfer of data outside the UK.
Stream shall not transfer your personal data outside of the UK or the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable data protection laws (including EU GDPR and the Data Protection Act 2018/UK GDPR, in each case as in force and applicable, and as may be amended, supplemented or replaced from time to time) Such measures may include (but are not limited to) transferring your Personal Data to a recipient in a country that the UK or European Commission (respectively) has decided provides adequate protection for Personal Data, to a recipient that has achieved binding corporate rules authorisation in accordance with applicable data protection laws, or to a recipient that has executed standard contractual clauses adopted or approved by the UK or European Commission (respectively).
We have put in place appropriate technical and operational security measures designed to prevent your Personal Data from loss, misuse, alteration or destruction. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. If you suspect any misuse or loss of, or unauthorised access to, your Personal Data, you should let us know immediately.
We will only retain your Personal Data for as long as necessary for the purposes set out above in “How we use your Personal Data and why”, unless a longer retention period is required by law (for example for regulatory purposes).
We may store your information for as long as you’re using Stream, and for five years after the end of our relationship with your employer to comply with the law. In some circumstances, like cases of anti-money laundering or fraud, we may keep data longer if we need to and/or the law says we need to.
Information related with Platform use and marketing activities are typically stored for three years.
Where we need to process your Personal Data either to comply with law, or to perform the terms of a contract we have with you and your employer and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with the functionalities of the Platform).
In this case, we may have to stop you using our Platform, but we will notify you if this is the case at the time.
Stream uses automated decision-making and profiling. This includes the use of your Personal Data to inform models, such as those related to Credit Modelling, which contribute to decisions concerning your eligibility for, and the terms of, certain financial products (such as loans) offered by Stream Financial Services Ltd.
While the creation of a score or profile itself does not always constitute a direct decision, its application within processes that affect your access to or the terms of financial products can have legal or similarly significant effects on you. This automated processing is what allows us to assess credit risk and personalise the financial products available to you.
Your Rights and the Human Review Process If an automated decision produces a legal effect or explicitly affects you (for example, if a loan application is declined based solely on our automated credit model), you have the right to:
How the Human Review works: If you request a review, a member of the credit team will manually examine the data used in the automated model, along with any additional information or context you provide. They will check for data accuracy and consider any exceptional circumstances to determine if the automated decision should be upheld or overturned. You can request this review by contacting us at uk@support.stream.co
We may also use aggregated data for internal analysis and to inform marketing strategies.
This Platform may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share your Personal Data. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Platform, we encourage you to read the Privacy Notice of every site you visit.
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Platform may become inaccessible or not function properly. You can read our full Cookie Notice in our Cookie Notice page.
You have certain rights under the law, such as notice to request access to your information, to manage it and to request for it to be deleted or to transfer information about you or to restrict the way it is used.
By law you have the right to:
If you wish to exercise any of these rights where we are the Controller please contact us using the contact details shown in “Who We Are and How to Contact Us”. Where we are the Processor, please contact the Controller (this will usually be your employer). If you are unsure, please contact us and we will be pleased to help establish who will be best placed to help you. Please note, our own contractual obligations with the Controller may require us to advise the Controller of the request.
Typically, you will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, except in relation to Consent Withdrawal, we may charge a reasonable fee, or refuse to comply with the request, if it is unfounded, repetitive or excessive.
We may need to request specific information from you to help us confirm your identity to exercise any of your rights, (including those related to data protection). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
If you would like to make a complaint regarding this Privacy Notice or our practices in relation to your Personal Data, please contact us at: DPO@stream.co or using our contact details above addressed “For the attention of: DPO”.
We aim to respond within one business day to all complaints and resolve them within the shortest time possible. Under the regulatory framework we are required to send a final response within 15 business days. If you submit a complaint, we both must first attempt to resolve the issue directly between us. However, if you feel that your complaint has not been adequately resolved, please note that the UK GDPR gives you the right to contact our lead supervisory data protection supervisory authority, which for the UK is the ICO.
You have the right to make a complaint at any time to the ICO the UK regulator for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Where we are a Processor of your Personal Data we will operate under the terms of a Data Protection Agreement with the relevant Controller.
This is generally when we receive information from your employer for enrolment and awareness campaign purposes.
How your employer (or another Controller in respect of whom we are a Processor of your Personal Data) processes your Personal Data, including through us, will be set out in their Privacy Notice.
This privacy notice is version Privacy Notice: 2026_1 and was last updated on 9th January 2026. We will post any changes to this Privacy Notice on this page.
