humm bird bnpl

Privacy Policy

We are committed to protecting and respecting your privacy.
We hope you take the time to read this Privacy Policy.


1. Introduction

Thanks for choosing FlexiFi Europe Limited trading as humm (we or us). We hope you take the time to read this Privacy Policy. We are committed to protecting and respecting your privacy. Your privacy is important to us. As our customer, you have a right to know who holds information about you, what they are doing with it and why, and who they are sharing it with. We have adopted a privacy compliance culture that cements this relationship with you in a transparent manner. The aim of this Privacy Policy is to set out the basis on which any personal data we collect from you (or that you provide to us) will be processed by us when you visit our website or use our services. We also want to provide you with a better understanding of:

  • the information we collect;
  • how we use that information;
  • how this information is shared;
  • your rights; and
  • other useful privacy and security related matters.

In addition to this policy, we may provide you with other privacy explanations, such as when you use our services for the first time.

Who is the Data Controller?

FlexiFi Europe Limited is the Data Controller and is located at Level 4, No. 5 Custom House Plaza, Harbourmaster Place, IFSC, Dublin 1, Ireland.

Who is the Data Protection Officer?
We have appointed a Data Protection Officer (DPO). While our DPO can be reached at [email protected] our Customer Service team will be your initial point of contact if you wish to exercise your rights. Please see the “How to contact us” section at the end of this Privacy Policy.

2. Your rights

Under the General Data Protection Regulation (GDPR), you, as a data subject, have a number of rights which are detailed in this Privacy Policy. Some of these only apply in specific circumstances and are qualified in several respects by exemptions in data protection legislation. We will advise you in our response to your request where we are relying on such exemptions. You should include adequate information to identify yourself and other relevant information that will reasonably assist us in fulfilling your request. 

2.1 Access to personal data (Article 15 GDPR): You have a right to request a copy of the personal information that we hold about you. Should you wish to make such a request, please see the “How to contact us” section for information on how to contact us. This right to information concerns, among other things, the categories of data processed, the purposes for which the data is processed, the source of the data, if not collected directly from you, and, if applicable, the recipients to whom your data has been transmitted. You can also obtain a copy of your data.

2.2 Correction of personal data (Article 16 GDPR): You can request us to rectify and correct any personal data that we are processing about you which is incorrect.

2.3 Right to withdraw consent (Article 7(3) GDPR): Where we have relied upon your consent to process your personal data, you have the right to withdraw that consent. This does not affect the lawfulness of processing based on your consent until withdrawal.

2.4 Right of erasure (Article 17 GDPR): You can request us to erase your personal data where there is no compelling reason to continue processing. This right only applies in certain circumstances – it is not a guaranteed or an absolute right.

2.5 Right to restrict processing of personal data (Article 18 GDPR): You have the right in certain circumstances to request that we suspend our processing of your personal data. Where we suspend our processing of your personal data we will still be permitted to store your personal data, but any other processing of this information will require your consent, subject to certain exemptions.

2.6 Right to data portability (Article 20 GDPR): This right allows you to obtain your personal data that you have provided to us with your consent or which was necessary for us to provide you with our products and services in a format which enables you to transfer that personal data to another organisation. You may have the right to have your personal data transferred by us directly to the other organisation, if this is technically feasible.

2.7 Right to object to processing of personal data (Article 21 GDPR): You have the right to object to our use of your personal data which is processed on the basis of our legitimate interests. However, we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so or we need to process your personal data in connection with any legal claims.

2.8 Right to complain to a supervisory authority (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority in relation to your personal data that we process in accordance with this Privacy Policy. In our case, the relevant supervisory authority is the Irish Data Protection Commission. The contact details of the Irish Data Protection Commission are available on its website,

3. What personal data do we collect?

3.1 Information you give us. You may give us information about you by filling in forms on our website at (Site) or by corresponding with us by phone, e-mail or otherwise. This includes information you provide us when you utilise a product or service from us. The type of information you will typically provide includes your name, postal address, e-mail address, phone number, banking and employment details, and proof of identity. This includes your image in photo or video form, and biometric data extracted from this information to verify your identity.. We may also require information about your financial circumstances,payment card details, and products or service preferences you may have. 

3.2 Information we collect about you. With regard to each of your visits to our Site we may automatically collect the following information:

(a) technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and 

(b) information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our Site (including date and time), products and / or services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.

3.3 Information we receive from other sources. We may receive information about you from the following sources: 

(a) If you use any of the other websites we operate or other services we provide. Such data may be shared internally and combined with data collected on our Site. We also work closely with third parties (including, for example, business partners, sub-contractors in technical services, advertising networks, analytics providers and search information providers) and may receive information about you from them that is relevant to our business.

(b) If you are requesting services from us. We may request information from credit reporting agencies and/or any business providing information about creditworthiness, including credit report(s) about you for your application(s). In particular, we may receive information about you from retailers who you access our services through, referees you nominate to us, or in some cases official authorities.

3.4 Failure to provide data. If you do not provide us with the data we request, the most likely consequence of this is that we cannot provide you with the services that you are requesting from us.

4. Cookies

4.1 Certain statistical information is available to us via our internet service provider through the use of cookies. Our use of cookies is governed by our Cookies Policy which can be accessed at

4.2 Our aim is to continuously improve your experience of our digital channels. We use cookies to improve your customer experience of our products, service and online applications. Our web server collects information about your visit, for example:

  • number of people who visit the website;
  • date and time of visits;
  • number of pages viewed;
  • amount of time spent on the website; and
  • popular sections of the website. 

5. What do we use your personal data for?

5.1 Information you give to us. We will use this information:

(a) to assess your application for our products and services, for account management, arrears enforcement and end of term communication to you;

(b) to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;

(c) to assess your application for our services and whether you satisfy our eligibility requirements;

(d) to verify your identity in accordance with our legal obligations in particular the Central Credit Register;

(e) to assess your creditworthiness including undertaking credit checks and reporting to credit referencing agencies who will retain any information we provide (including in relation to the ongoing status of your loan) and who will share this with third parties;

(f) to manage your Account;

(g) to deal with, assign or transfer any of our rights, interests and / or obligations under our agreement with you;

(h) to register you to use our Site, subscribe you to a service available via the Site and / or when you report a problem with our Site;

(i) subject to your marketing preferences, to provide you with details of products and services that may be relevant to you (see “Direct marketing” section);

(j) to respond to any queries or other communications you submit to us;

(k) to notify you about changes to our services;

(l) to ensure that content from our Site is presented in the most effective manner for you and for your computer; and/or

(m) to register or redeem for promotional campaigns.

5.2 Information about your use of the Site. We will use this information:

(a) to determine which pages are the most popular, what country users come from, peak usage times and similar information;

(b) to administer our Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;

(c) to improve our Site to ensure that content is presented in the most effective manner for you and for your device;

(d) to allow you to participate in interactive features of our Site when you choose to do so;

(e) as part of our efforts to keep our Site safe and secure;

(f) to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and/or

(g) to make suggestions and recommendations to you about goods or services that may interest you.

5.3 Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may us this information and the combined information for the purposes set out above (depending on the types of information we receive).

5.4 Lawful bases for processing. Our lawful bases for processing personal data for the above purposes are the performance of contracts that we have with you, or otherwise as necessary for the purposes of our legitimate interest in ensuring our financial stability by assessing your creditworthiness, protecting you against fraud, security of IT systems (including system performance) and carrying out effective marketing and customer research activities. We may also process personal data to the extent it is necessary for compliance with a legal obligation, including complying with requests from a regulator or any court order, or where you have given us your consent to use your personal data.

When we process your sensitive personal data, we will use a second lawful basis in order to do so. We will rely on your explicit consent where we have obtained this, or for reasons of substantial public interest such as our obligation to prevent fraud and to support you if you become vulnerable.

5.5 If you require further information about our use of your personal data and lawful bases for processing, please see section 16 “How to contact us” below.


6. Sharing your personal data

We may share your personal data with a member of our corporate group (hummGroup), which means our subsidiaries, our ultimate holding company and its subsidiaries. For instance if we have a customer who has committed fraud and we suspect that customer is applying to another part of our group, we may need to inform the other company.

We may share your information with the selected third parties listed below as far as this is necessary to fulfil contractual and legal obligations or covered by our legitimate interest:

  1. our professional advisors (including lawyers, accountants and auditors), our business partners, product and services suppliers, service providers and sub-contractors, including suppliers of identity verification services, IT services, payment processing, data back up and data hosting services;
  2. advertisers and advertising networks that require the information to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we may provide them with aggregate information about our users. We may also use such aggregate information to help advertisers reach the kind of audience they want to target. We may make use of the personal data we have collected from you to enable us to comply with our advertisers’ wishes by displaying their advertisement subject to ePrivacy and GDPR requirements;
  3. our assignees or potential assignees;
  4. credit reporting agencies or any business providing information about creditworthiness; other credit providers; insurers;
  5. any guarantor or proposed guarantor of your obligations to us; your assignees or proposed assignees;
  6. debt collection agencies; our banks and financial advisers;
  7. any person specifically authorised by you in writing to obtain your personal information from us; and/or
  8. analytics and search engine providers that assist us in the improvement and optimisation of our App or Site.

We may also disclose your personal data to third parties:

  1. in order to enforce our rights under any contracts entered into between you and us;
  2. if we are acquired or we sell or buy, or propose to sell or buy, any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
  3. if we assign, transfer or otherwise dispose of a debt that you owe us to another party or if we or such third party want to enforce such a debt;
  4. if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, to comply with the rules of any stock exchange or other trading exchange to which we are subject, in order to enforce or apply this Privacy Policy, our App or Site terms of use or other agreements; and/or;
  5. to protect our (or our customers or other relevant parties’) rights, property or safety.

7. Direct Marketing

We may (subject to your preferences) use your personal data to make suggestions to you about goods or services that may interest you. Those communications will give you the opportunity to opt out of receiving similar communications in the future. You can also choose to opt out of such future communications by contacting us, namely by:

(a) email, at [email protected]; or

(b) post, at FlexiFi Europe Limited of Level 4, No. 5 Custom House Plaza, Harbourmaster Place, IFSC, Dublin 1, Ireland.

When we send you marketing information we will always give you the option to opt-out of any future marketing.

8. Where we store your personal data

8.1 Data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (EEA), including the UK, Australia, New Zealand and the Philippines as discussed in section 11. It may also be processed by personnel operating outside the EEA that work for us or for one of our suppliers, service providers or sub-contractors. The laws of jurisdictions outside the EEA may not have the same level of protection for personal data as apply in Ireland. For instance, they may not be deemed “adequate” by the European Commission in respect of the processing of personal data. In such circumstances we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and applicable law. To ensure an adequate level of data protection, we implement appropriate and adequate technical and contractual measures (definition of access rights on a need-to-know basis, documented instructions by us) in such cases. Such processing is also performed in compliance with the European Data Protection Board’s Recommendations on Supplementary Measures. By submitting your personal data, you acknowledge such transfer and processing.

9. Quality, access and correction

9.1 Information about you is integral to decisions we make about our products and services for you. It is essential that your information is correct. You are encouraged to assist us to ensure this by alerting us to any changes in your particular circumstances.

10. Data retention and deletion

10.1 We will store your personal data for as long as it is necessary for the purposes for which they were collected, in particular as long as it is necessary for the implementation of our offering and services, including any legal retention periods and documentation obligations and any relevant statute of limitations. In addition, longer retention of your data may be necessary for the assertion, exercise or defence of legal claims. We will therefore generally retain your data during ongoing legal proceedings or if such proceedings are imminent.

10.2 If you request, we will delete or anonymise your personal data so that it no longer identifies you, unless, we are legally allowed or required to maintain certain personal data, including situations such as the following:

(a) if there is an unresolved issue relating to your account (e.g. outstanding credit on your account or an unresolved claim or dispute we will retain the necessary personal data until the issue is resolved);

(b) where we are required to retain the personal data for our legal, tax, audit, and accounting obligations, we will retain the necessary personal data for the period required by applicable law; and/or,

(c) where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our customers. 

11. Transfer to other countries

11.1 We may share your personal data globally with hummGroup in order to carry out the activities specified in this Privacy Policy. This includes our corporate group of companies in the UK, Australia, New Zealand and Philippines. We may also subcontract processing to, or share your personal data with, third parties located in countries other than your home country as set out in section 8.1.

11.2 Our transfers to the UK and New Zealand are made on the basis of a decision by the European Commission that UK and New Zealand law provide an adequate level of protection to personal data rights. Our transfers to Australia, the Philippines and other countries are made on the basis of the Standard Contractual Clauses approved by the European Commission (or, where necessary, on the basis of your consent).

11.3 Your personal data, therefore, may therefore be subject to privacy laws that are different from those in your country of residence, but you will still have protection in relation to that data based on the contracts we have entered into with data recipients or sub-processors.

11.4 Personal data collected within the European Union may, for example, be transferred to and processed by third parties located in a country outside of the European Union. In such instances we will ensure that the transfer of your personal data is carried out in accordance with applicable privacy laws and, in particular, that appropriate contractual, technical, and organisational measures are in place (e.g. such as the Standard Contractual Clauses approved by the EU Commission).

12. Links

We may display advertisements from third parties and other content that links to third-party websites (including on our Site). None of these links comprise or imply support or recommendation of any other company, product or service. We cannot control or be held responsible for third parties’ privacy practices and content. If you click on a third party advertisement or link, any personal data you provide will not be covered by this Privacy Policy. Please read the relevant privacy policies to find out how they collect and process your personal data.

13. Keeping your personal data safe

We are committed to protecting your personal data. We implement appropriate technical and organisational measures to help protect the security of your personal data. However, please note that no system is ever completely secure. We have implemented various policies including pseudonymisation, encryption, access, and retention policies to guard against unauthorised access and unnecessary retention of personal data in our systems.

Where you have chosen (or where we have given you) a password which enables you to access certain parts of our Site, you are responsible for keeping the password confidential. We ask you not to share your password with anyone.

Please be aware that the transmission of information via the internet is not completely secure. Although we will do our best to protect your data, we cannot guarantee the security of your data transmitted to our Site which you transmit at your own risk. Once we have received your information, we will apply procedures and use security features to try to prevent unauthorised access.

14. Automated decision-making

14.1 Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We may use automated decision making to process your personal data where it is necessary for the entering into a credit services contract.

14.2 If you are requesting credit services from us, you must input your demographic and financial details to our online system. This will involve an initial stage of automatic decision making, and in particular your application may be automatically declined if the information you provide fails to meet our minimum requirements, including in relation to:

(a) your income;

(b) your place of residency; or

(c) your age.

14.3 If you submit any special categories of personal data to us as part of this process, such as data revealing racial or ethnic origin, political opinions, religious and philosophical beliefs, health data or trade union membership, you consent to our processing that information for the purpose of evaluating your application and receiving credit services from us.

14.4 If your application is automatically declined, you have the right to make an objection to this by contacting us, and to request that a human reviews your application and the decision. To exercise these rights, please see the “How to contact us” section at the end of this Privacy Policy. 

15. Changes to this Privacy Policy

We may occasionally make changes to this Privacy Policy. When we make material changes to this Privacy Policy, we will provide you with prominent notice as appropriate under the circumstances (e.g. by displaying a prominent notice on our Site or by sending you an email). We may notify you in advance. Please, therefore, make sure you read any such notice carefully.

16. How to contact us

Thank you for reading our Privacy Policy. If you have any questions, comments or requests about this Privacy Policy, please contact our Data Protection Officer by: 

(a) email, at [email protected]; or 

(b) post, at FlexiFi Europe Limited of Level 4, No. 5 Custom House Plaza, Harbourmaster Place, IFSC, Dublin 1, Ireland. 

You can also contact our Customer Care team by calling 01 9601601