Privacy Notice

How we work to protect your data

Moneyboat is committed to protecting the data we hold, whoever or whatever it relates to. This privacy notice explains how we collect, use, store, and transfer your data, and why we do it in the way we do. It also explains what rights you have and how you can contact us if you’ve got any questions.

Overview

This overview explains who we are, how you can contact us, and how we are regulated.

About us

We are Evergreen Finance London Limited, a limited company registered in England and Wales under number 07669210. Our registered office is at 5 Broadbent Close, Highgate, London N6 5JW, although this address shouldn’t be used for correspondence; details on how to contact us are in the next section.

Moneyboat.co.uk is a trading name of Evergreen Finance London Limited.

For the purposes of the General Data Protection Regulations (‘GDPR’), Evergreen Finance London Limited is the Data Controller for the data we process, unless otherwise specified.

Our Data Protection officer is David Price, who can be contacted at data@moneyboat.co.uk.

How to contact us…

If you want to contact us about this notice or in relation to your data, you can do so in a number of ways. More information on how to contact us can be found here.

You can write to us at:

PO Box 33969, Poole, BH15 9EL
FAO: Privacy team

You can call us on:

+44 (0) 203 818 7470

You can email us at:

data@moneyboat.co.uk

How we’re regulated

As a financial services organisation, we are authorised and regulated by the Financial Conduct Authority (‘FCA’). Our Financial Services Register number is 674154. You can find out more about the FCA here (links to an external website).

We are also registered with the UK Information Commissioner’s Office (‘ICO’), and our Data Protection Register Number is Z3596140. You can find out more about the ICO here (links to an external website).

How this privacy notice is structured

This privacy notice is structured into a number of parts.

  • Part 1 explains what kind of information we collect, and the sources we obtain it from
  • Part 2 explains how and why we process data, including the legal bases for that processing. We also explain how and why we use special categories of personal data
  • Part 3 explains how we might communicate with you
  • Part 4 explains which third parties we use to help us process your data
  • Part 5 explains if and how we transfer data overseas
  • Part 6 explains how long we will retain data for
  • Part 7 explains the circumstances under which we might process your personal data using automated means (sometimes called ‘algorithmic processing’)
  • Part 8 explains your rights in relation to your personal data
  • Part 9 gives guidance on when and how you can complain about the processing of your personal data

We’ve designed this notice to be as simple and easy to understand as possible, and you should read it carefully before you agree to us processing your data. If you’ve got any questions after you’ve read it, or you don’t know whether a certain part applies to you, you can contact us for help.

Part 1 – The data we process

As a financial services organisation, we collect a significant amount of data for a variety of reasons, including to provide high quality products to our customers, and to meet our regulatory obligations.

We collect and process data from a number of different sources, which are summarised here.

Information that you provide to us

A lot of the information we process will often come directly from you, for example through a product application or by making contact with a member of the Moneyboat crew. This includes:

  • Personal details, for example your full name, date of birth, address, and residential status
  • Contact details including your mobile telephone number, email address and home telephone number
  • Bank details, for example your bank account sort code, account number, and your bank’s address
  • Financial transactions data, for example details on the payments that you make and receive
  • Proof of financial status, for example bank statements or payslips
  • Lifestyle data, for example the number of dependants that you have, and the reason that you have applied for one of our products, or information that helps us to understand your personal circumstances and provide you with appropriate support if needed
  • Employment details, for example your employer’s name, your job title, work email address and work telephone number
  • Details about your health, whether mental or physical, so that we can help to provide you with appropriate support if needed
  • Details about any of our products that you might previously applied for or purchased

You don’t have to provide any data to us, but where you refuse to provide certain data, it might mean that we can’t provide you with the products that you have requested, or the level of service and support that you might need.

Information we process from your use of our products & services

In addition to the data that you provide to us directly, we also process certain data that we collect through your use of our products and services, for example our websites, customer portal, and call centres. The data we might process includes:

  • Details of how you interact with any of our websites
  • How you make use of our customer contact channels, for example our call centres, customer portal, chat facilities, and email
  • How you interact with our online ads or other digital marketing material
  • Information about the device you are using to access our products and services, including its type and your location, for example to carry out security and fraud-prevention checks. This includes your IP address
  • How you have made use of our products and services in the past, for example whether you have missed a payment

Information we collect from other sources

In order to provide you with the best possible products and services, we also process data from third parties. This data might be related to you personally and includes:

  • Credit reference agency (‘CRA’) checks, for example to verify your income or credit history.
  • Fraud prevention checks, for example to help us prevent and detect fraudulent applications
  • Marketing and advertising data, for example to see how you interact with one of our marketing campaigns, or to help us advertise products or services which we believe will be relevant to you
  • Information on any judgements or proceedings entered against you
  • Information from agents or representatives appointed to act on your behalf, for example a debt management company
  • Data which is publicly available, for example media articles, information from public registers like Companies House, or social media

The above list isn’t exhaustive, and we might obtain information from other third party sources if we believe that it will allow us to provide a better product or service to you. However, when we do use information from third parties that isn’t listed above, we will make every effort to inform you of what data we are using, where we obtained it, and how we plan to use it.

Part 2 – How & why we process data

We process data for a number of reasons, for example to provide you with high-quality products and services and to comply with our regulatory obligations. In order to process your data, we must have a reason for doing so, and provide you with this reason. This reason is sometimes called a “legal basis.” Where we process personal data, the legal basis will generally be one or more of the following:

  • To allow us to enter into a contract with you, or to carry out any contractual obligations
  • So that we can meet any requirements imposed on us by law
  • Because you have provided us with your consent to process your data
  • To protect our legitimate interests, unless there is a good reason to protect your personal data which overrides those legitimate interests.

Where we are processing data that is considered to be a special category of data (for example, data related to your health or well-being), we must also have a specific condition for doing so. This will generally be because it is in the substantial public interest, for example to support a vulnerable customer. In most cases, where we collect special category personal data, we will also ask for your specific consent to store it. Further information is provided later in this section.

What we use your data for

This section explains the circumstances in which we use your data, including how we use it and why. We provide you with an overview of how we use your data, as well as the specific reason(s) for doing so.

To deliver our products to you

When you interact with us in relation to a product that we offer (for example, by applying for a product or contacting our team), we will use your data to provide you with a high level of service and support you with any questions or concerns that you may have. We might also use your data to personalise or tailor the product to your needs.

The legal bases for us processing your data in this way are:

  • To allow us to enter into a contract with you, or to carry out any contractual obligations
  • So that we can meet any requirements imposed on us by law
  • Because it is in our legitimate interests to manage the delivery of our products so that you receive high-quality service, and to protect our and our stakeholders’ interests (where those interests do not outweigh your interests)

To communicate with you in relation to a specific aspect of a product

We might need to contact you in relation to a specific aspect of a product provided to you. This might be because we are required to or because we want to provide you with a high-quality service. Alternatively, you might want to contact us about a product provided to you by us. Where there is any form of contact between you and us, we will process your data in order to respond to any queries raised by you, provide you with support, or otherwise service your product.

The legal bases for us processing your data in this way are:

  • To carry out or enforce the terms of any contract in place between us
  • So that we can meet any requirements imposed on us by law

To deal with a complaint

If you complain about a product or service received, we will process information provided to us by you in order to review, respond to, and if appropriate resolve, the complaint.

The legal bases for us processing your data in this way are:

  • To carry out or enforce the terms of any contract in place between us
  • So that we can meet any requirements imposed on us by law
  • Because it is in our legitimate interests to review and resolve complaints so that we maintain our reputation, and so that we can prevent complaints from arising in the future, wherever possible
  • Because you have provided us with your consent to process any special categories of data (for example, information related to your mental health)

To provide support to you if you are, or you become, a vulnerable customer

You might provide us with information which suggests to us that you are, or are likely to become a “vulnerable” customer and that you might require additional support, for example you are experiencing a mental health crisis. We will process data in order to provide you with appropriate support as necessary, which might include placing a “marker” on your account.

The legal bases for us processing your data in this way are:

  • Because you have provided us with your consent to process your data
  • Because it is in our legitimate interests to do whatever we can to support customers who are vulnerable, for example by providing products that meet their needs
  • Because it is in the substantial public interest for us to process your data (including special categories of data, for example information related to your mental health) or, where we cannot demonstrate that it is in the substantial public interest, because you have provided us with your consent to process such data.

To analyse & improve our products & services

We regularly review and analyse data to identify ways in which we can improve our products and services. This might include information on your financial transactions, credit scoring details, and your interactions with us generally. We use this information to improve customer experience, adjust existing products, and develop new products, and we might also use it to help us make decisions on whether to offer products to you or other customers in the future.

The legal bases for us processing your data in this way are:

  • To carry out or enforce the terms of any contract in place between us
  • Because it is in our legitimate interests to continually improve our products and services so that we can meet the needs of our customers, and so that we remain competitive

To analyse service quality

We use data on your interactions with our team to understand how well we are performing and whether we are meeting the expectations of our customers. We may use this data both to improve service quality and to provide training to our team. This could include information provided to us through surveys or other forms of research, or through recordings of calls, you make to our call centres.

The legal basis for us processing your data in this way is:

  • Because it is in our legitimate interests to continually improve our service quality so that we can meet the needs of our customers, and so that we remain competitive, and train and educate our team members so that they can perform at their best in their roles

To carry out testing, research & analysis (including market research)

We use data to ensure that our systems and processes are working as expected and to carry out statistical analysis and research which might be useful for internal purposes. We might sometimes also carry out research and analysis which we summarise in publicly available material (for example, information on the number of loans that we have provided in total during a certain period).

Any testing, research, and analysis that we conduct will always aggregate data so that no one individual can be, or is at risk of being, identified personally. We have controls in place to prevent the sharing of data on individual customers both to people within our business, and to external audiences.

The legal bases for us processing your data in this way are:

  • So that we can meet any requirements imposed on us by law
  • Because it is in our legitimate interests to ensure that our systems and processes are working as expected, to prepare research and analysis which helps us to make better business decisions so that we can provide high-quality products and services, and to prepare research and analysis which is useful to us and others in our industry

To prevent & detect criminal or inappropriate activity

We are committed to protecting our customers’ and other stakeholders’ personal data and assets. As part of our safeguards, we carry out regular checks on data to prevent and detect various forms of criminal or otherwise inappropriate activity, for example fraud or money laundering. We might also, for example, operate CCTV in or around our premises to ensure that our buildings and staff are protected from criminal or other inappropriate activity.

The legal bases for us processing your data in this way are:

  • To allow us to enter into a contract with you, or to carry out any contractual obligations
  • So that we can meet any requirements imposed on us by law
  • Because it is in our legitimate interests to prevent and detect criminal activity so that we protect our business interests and the interests of our other stakeholders

To meet regulatory requirements

As a regulated organisation, we must comply with certain rules and obligations, and we do all that we can to ensure that this is the case.

The legal bases for us processing your data in this way are:

  • So that we can meet any requirements imposed on us by law
  • Because it is in our legitimate interests to comply with all regulatory requirements so that we can continue in business
  • Because it is in the substantial public interest, where we process any categories of special data

To recover a debt, enforce a contract, or otherwise protect our or our stakeholders’ interests

Where we have exhausted all other avenues available to us, we might need to process your data in order to begin recovery or some other form of legal action against you. We might also process your data if we have a reasonable belief that our interests, or the interests of our staff or other stakeholders, are at risk of harm.

The legal bases for us processing your data in this way are:

  • To carry out or enforce the terms of any contract in place between us
  • So that we can meet any requirements imposed on us by law
  • Because it is in our legitimate interests to protect our business from risk and to protect the interests and wellbeing of our staff and other stakeholders

To monitor & improve our website & other digital services

We use analytics data, including files called cookies (see below), to monitor and improve our website and other digital services. We aggregate this data so that no individual visitor is identifiable when we review it. Nevertheless, a visitor could theoretically be identified through our analytics, and so we classify it as personal data.

The legal bases for us processing your data in this way are:

  • Because it is in our legitimate interests to provide users with a website and other digital services which work efficiently and in line with their needs so that they can learn more about our products, apply for them, and receive a high level of service

Or, where we cannot demonstrate that it is in our legitimate interests as outlined above:

  • Because you have provided us with your consent to process your data

Cookies

We use small files called cookies to help us monitor the performance of our website and in some cases, our marketing (including marketing emails). These files contain strings of letters and numbers and are stored in your browser. When you visit our website, we ask you for permission to install certain cookies on your browser. Certain other cookies are automatically installed unless you have disabled this in your browser’s settings. We will only ever automatically install cookies that are necessary for our website to function correctly.

Further information on cookies, and which ones we use, can be found on our Cookies page.

To advertise our products & services online & to improve our online advertising generally

We might use your data, including information available from our digital advertising partners and information that we hold about you internally, to create and implement marketing strategies. These strategies allow us to advertise our products to you and others if we believe that they might be of interest, provided that such advertising doesn’t encourage irresponsible or inappropriate borrowing.

We might also share your information with our advertising partners (including social media companies) so that they can improve our marketing and advertising strategies on our behalf. More information on how we share information with third parties is found in Part 4. We will always share data in a secure format and require that any third party complies with stringent data protection requirements.

We will not process your data for marketing purposes if you have not agreed to it.

The legal bases for us processing your data in this way are:

  • Because it is in our legitimate interests to market products and services which are useful to existing and potential customers, and which they might be interested in

Or, where we cannot demonstrate that it is in our legitimate interests as outlined above:

  • Because you have provided us with your consent to process your data

To communicate with you about products, services & topics that we think you might be interested in

We might use your data, including information available from our marketing partners and information that we hold about you internally, to create marketing and other promotional communications that we believe might be of interest to you, provided that such communications do not encourage irresponsible or inappropriate borrowing. For example, we might send you a newsletter which contains information on topics like money-saving tips or borrowing responsibly.

We might also share your information with our marketing partners so that they can improve our marketing and other promotional communications on our behalf. More information on how we share information with third parties is found in Part 4. We will always share data in a secure format and require that any third party complies with stringent data protection requirements.

We will not process your data for marketing purposes if you have not agreed to it.

The legal bases for us processing your data in this way are:

  • Because it is in our legitimate interests to provide marketing and informational material to existing and potential customers, so that they are aware of, and understand, financial products (including our own) in more detail, and they can make an informed decision about whether or not they are appropriate for their needs

Or, where we cannot demonstrate that it is in our legitimate interests as outlined above:

  • Because you have provided us with your consent to process your data

Special categories of data

We might collect data that’s deemed to be sensitive in nature, and which falls within the “special categories” definition. This includes information related to your health (whether mental or physical) Where we collect this data, we follow special rules and must also provide you with further information about how and why we process it.

Where we process special categories of data, we will generally be doing so for one of the following reasons:

  • You have provided us with your explicit consent to process your data for this purpose
  • It is in the substantial public interest (for example, to assist a vulnerable customer or because we believe someone might be at risk of harm). Where we believe processing your data is in the substantial public interest, it will generally be to satisfy one of the following conditions:
    • To prevent fraud
    • To safeguard an individual who we believe is, or might be, at risk
    • To safeguard an individual’s economic well-being
  • It is necessary for the establishment, exercise or defence of a legal claim

The following paragraphs provide examples of why we might use special categories of data, and what the legal basis is for doing so.

To deliver our products to you

There might be some cases where we need to use special categories of data for the purposes outlined in the previous paragraphs. This could include, for example:

  • In order to provide you with information in a different format because of a medical condition
  • To identify special circumstances that our teams should be aware of when interacting with you (for example if you’ve recently suffered the loss of a loved one)
  • To be able to evaluate, reply to, and if appropriate resolve, a complaint made by you

The legal bases for us processing your data in this way are:

  • Because it is in the substantial public interest to safeguard your economic well-being
  • It is necessary for the establishment, exercise or defence of a legal claim

Or, where we cannot demonstrate that the processing of your data would meet the requirements for the bases above:

  • Because you have provided us with your explicit consent to process your data for this purpose

To identify & support vulnerable customers

If you provide us with certain data related to health or medical conditions, we might identify you as requiring additional support, or as being a vulnerable customer. If you are identified as being a vulnerable customer, we will use your special categories of data to provide you with additional support, and possible further tailor the product and service we provide to you. This could include asking for your agreement for us to place a vulnerable customer marker against your details.

The legal bases for us processing your data in this way are:

  • Because it is in the substantial public interest to safeguard your economic well-being or to safeguard you or an individual who we believe is, or might be, at risk

Or, where we cannot demonstrate that the processing of your data would meet the requirements for the bases above:

  • Because you have provided us with your explicit consent to process your data for this purpose

We do not require your consent to identify you as a vulnerable customer if we believe that you meet specific criteria, but we will nevertheless take into account your wishes as far as reasonably practicable.

If we believe that you or someone else is at risk of imminent harm

Where we believe that there is a possibility that you or someone else is at risk of imminent harm, we might need to process special categories of personal data in order to take appropriate action to protect you or the other person. This could include sharing the sensitive data with law enforcement and other public authorities who are better placed to assist you.

The legal basis for us processing your data in this way is:

  • Because it is in the substantial public interest to safeguard you or an individual who we believe is, or might be, at risk

If we are required to do so by law

We might be asked to share information with law enforcement and other public authorities, including our regulators. In certain circumstances, this could include special categories of data. Where we are asked to share data with these types of organisations, we will seek to ensure that it is legally permissible before doing so. We might not always be able to inform you that we have shared your data with these organisations.

The legal basis for us processing your data in this way is:

  • Because it is in the substantial public interest to safeguard your economic well-being; to safeguard you or an individual who we believe is, or might be, at risk; or to prevent fraud

If we are required to take, or defend ourselves against, legal proceedings

We might be required to disclose information in order to establish, execute, or defend against legal proceedings. In these circumstances, we will carry out an internal review to ensure that the disclosure of any special categories of data is kept to a minimum.

The legal basis for us processing your data in this way is:

  • It is necessary for the establishment, exercise or defence of a legal claim

If we identify information through access to your transaction history

We sometimes analyse customers’ transaction data to assist us with the evaluation of risk and to make better lending decisions. The analysis of this data could potentially reveal information about you which would be classified as special category data (for example, it might reveal an affiliation with a political party if you have made a donation to one). Where we identify such details, we will not record them on our systems, and we have processes in place to remove them in the event that they are inadvertently added to our system. However, because we are aware of them, we have nevertheless been deemed to have processed the data.

The legal basis for us processing your data in this way is:

  • Because you have provided us with your explicit consent to process your data for this purpose

Part 3 – How we communicate

We communicate with our customers for a wide variety of reasons, for example, to help us deliver our products and services, to comply with regulatory requirements, or to market other products that we feel might be of interest to them.

We’ll communicate with our customers through a variety of channels based on their preferences, including:

  • Post
  • Phone, including through voice calls, SMS, and mobile applications
  • Email
  • Other digital services, for example our website or customer portal

We might also use new forms of communication as they’re developed.

Our communications could be for a number of reasons, including:

  • To allow us to deliver our products and services to you
  • To keep you up to date on any products that you currently have with us
  • To ensure that we comply with any regulatory requirements imposed on us
  • To tell you about new products and services which we think might be of interest to you.

Where any messages are considered to be marketing communications, we will ask you for your explicit consent to send them to you before we do so (or we will provide you with the opportunity to opt-out of receiving marketing communications, where permitted under applicable laws). You can also opt-out of receiving such messages by contacting us using the details in this notice. Many of our marketing messages (for example emails) will also allow you to opt-out of receiving them through a link or button contained within them.

Part 4 – Third parties

We do all that we can to protect your personal data and to keep it secure. However, we might share it with certain third parties, as outlined here.

Any third parties that we share your data with are required to confirm that they will protect it and will abide by the terms of this privacy notice. This includes agreeing not to use the data for any other reasons than the ones that you have agreed to with us (and in many cases, there will be further restrictions on how they are able to use the data). This does not apply in circumstances where we transfer data to certain third parties who act as data controllers in their own right, for example our regulators or insurers.

Many of the third parties that we share data with will have their own privacy notices, which we review to ensure that they offer the same level of protection to our customers’ data as our own. Where our website contains links to third-party websites, you should review the privacy notice before you provide that organisation with any data. We are not responsible for any data which you provide directly to a third party (i.e. data that is not shared with them by us)

Our group companies & affiliates

We might need to share information with our group companies and affiliated companies (for example companies under common control) who help us to deliver products and services to you.

To execute financial transactions

We will often need to share some of your personal data with third parties who, for example, process payments or otherwise execute financial transactions. This data is transferred via secure connections and bank-grade encryption.

Affiliated service companies

We make use of a number of third-party service companies who help us to deliver certain aspects of our products and services, for example debt recovery firms.

Our advisers

We might share information with our professional advisers and auditors for the purpose of seeking professional advice or to meet our audit requirements

Product referral organisations

Where we are unable to provide you with a product or service, we might pass your details on to another organisation that we believe could provide you with (or identify) a product or service that meets your needs. We will only pass your data on to partner organisations if you explicitly give us consent to do so.

Your representatives

Where you ask us to speak to someone on your behalf, we might share your information with them in order to help us deliver a product or service to you, for example, if you engage the services of a debt management company.

Court and judicial services

If we are taking or defending ourselves against legal action, we might need to share your information with court services and others who are involved in the delivery of these services.

Organisations who we sell or transfer our assets or legal entities to

If we sell any part of our organisation, either through a transfer of business or assets, that organisation will be provided with the personal data that we hold on you. However, they will be required to confirm that they will only use that personal data in the same way that you have permitted us to use the data unless they obtain your explicit consent to do otherwise.

Marketing agencies

We might transfer data to organisations who we use to provide marketing and advertising to our customers and potential customers. This could include social media companies and online display ad networks. Where we share your data, it will be done so in a secure way, and we will never share your financial information or any special categories of data.

Regulatory bodies & law enforcement

We will share information with our regulators and law enforcement agencies where we are required to do so. We will generally share information with our regulators in an aggregated manner, so that information about a specific customer is not identifiable. However, we will share information about a specific customer with our regulator or law enforcement if we are required to do so.

Credit reference & fraud prevention agencies

We are committed to responsible lending and safeguarding consumers from financial crime, including fraud. As part of your application process, we will check the details provided by you against central databases to identify your credit history, and whether there is a risk of fraudulent activity.

During your time with us as a customer, and in some cases after our relationship has ended, we will continue to monitor and share your information with credit reference and fraud prevention agencies. These agencies may also share it with other financial services organisations for the purposes of identity verification, credit scoring and monitoring, and fraud prevention.

How we might use your credit record

We will process information from, and share information with, credit reference agencies for the following purposes:

  • To verify your identity and check that the details you have provided to us are accurate and match the records other financial institutions have about you
  • To check the affordability of our products and services and make sure that we are lending responsibly
  • Manage any products that you have with us on an ongoing basis
  • Updating your records if something changes (for example your address) and you do not tell us, or we are unable to locate you and you have a product with us that has an outstanding balance
  • For analysis and research purposes to help us improve our products and services. For example, we might analyse your credit history and combine the information with the information from other similar customers to determine whether the amounts we offer to customers are too high, or whether we could adjust our pricing models

For more information on how credit reference agencies use your information and share it with others, you can refer to the Credit Reference Agency Information Notice (‘CRAIN’). It’s available from the three main UK credit reference agencies (TransUnion, Equifax and Experian). The CRAIN is available here:

  • www.equifax.co.uk/crain
  • www.experian.co.uk/crain
  • www.transunion.co.uk/crain

Sharing data with credit reference & fraud prevention agencies

We might share information with credit reference and fraud prevention agencies which could have an adverse effect on you and your ability to obtain financial products and services in the future. For example, if you fail to repay (or make any attempt to repay) a debt owed to us, we will provide your details to the credit reference agencies that we work with, who will update your record with a default. This could make it difficult for you to borrow money in the future.

Similarly, if we become aware of fraudulent activity, we might share your information with fraud prevention agencies and, if necessary, law enforcement. This could make it difficult for you to borrow money or apply for financial products in the future.

Information on credit defaults and fraudulent activity is held by credit reference and fraud prevention agencies for varying periods of time, but will generally remain on your credit file for up to six years.

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found here.

Associated records

If you’ve applied for a financial product jointly with someone else, this can create what’s known as an “associated record.” Associated records allow financial organisations to obtain information about an applicant from either person’s credit record if it’s available.

Associated records are created automatically when you apply for a product jointly with someone else. The only way to remove the association is to successfully apply to a credit reference agency for a record “disassociation.” At this point, your records will no longer be linked together.

To check if you have an association on your credit file, you can ask any of the three main UK credit reference agencies for a copy of your information.

Correcting incorrect or inaccurate information

If you believe that we’re reporting inaccurate information regarding your credit activity to any of the above agencies you can contact us to discuss the inaccuracy, or if you would prefer, you can contact a credit reference agency directly using the contact details provided on their website:

  • www.equifax.co.uk
  • www.experian.co.uk
  • www.transunion.co.uk

Sharing information when instructed to do so by you

If you provide us with explicit consent to share your information with a third party (for example a debt adviser), we will share that information provided that we are comfortable that the request has genuinely been made by you (and we might seek to verify a request before we share your data, for example through a phone call to you). Whilst we will make reasonable efforts to ensure that the third party is legitimate, you acknowledge that we will have no obligation to you where data has been shared with a third party as instructed by you. We would always advise you to carry out checks on a third party’s data protection practices before you instruct us (or any organisation that holds your data) to share information with them.

Part 5 – Transferring data overseas

Because we, our partners and our team are based in a number of countries, we’ll sometimes need to share information with organisations who are outside of the UK and the EU.

Whenever we share information with organisations and individuals outside the UK, we always require them to apply the same levels of protection to your data as would be applied in the UK by us. We regularly ask our partner organisations to confirm that they’re applying appropriate levels of data protection and security, and we will take action quickly against anyone found not to be taking their obligations as seriously as we do.

In some cases, we might have no choice as to whether we share information with a third party outside the UK (for example because it is required by law). In these cases, we will make sure that we provide the information in line with that law, and will do all that we can to maintain your data’s privacy and security (including through contractual means, where possible).

We will not transfer personal data relating to you to a country which is outside the UK or the European Economic Area (EEA) unless one of the following scenarios under the GDPR (or equivalent scenarios under UK data protection legislation, if applicable) applies:

  • the country or recipient is covered by an adequacy decision of the UK under GDPR Article 45;
  • appropriate safeguards have been put in place which meets the requirements of GDPR Article 46 (for example using the ICO’s approved International Data Agreement/Standard Model Clauses for transfers of personal data outside the UK or EEA); or
  • one of the derogations for specific situations under GDPR Article 49 is applicable to the transfer. These include (in summary):
    • the transfer is necessary to perform, or to form, a contract to which we are a party:
      • with you; or
      • with a third party where the contract is in your interests;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • you have provided your explicit consent to the transfer; or
  • the transfer is of a limited nature and is necessary for the purpose of our compelling legitimate interests.

If you wish to see a copy of the documentation in place used to implement the appropriate safeguards, please contact us and we will be able to assist you (please see our contact details above).

Part 6 – How long we keep data

We will store your personal data for as long as you are our customer. When your relationship with us ends (which means that you have closed any and all products that you hold with us, and you have not interacted with us), we will only keep your data for as long as is appropriate and necessary for us to comply with any laws or regulations.

We will generally store your personal data for six or seven years after your relationship with us has ended. This is because it is the amount of time in which you could bring legal action against us. However, we won’t store data that is not required for the purposes of defending ourselves against legal action.

Examples of the reasons we continue to store your data include:

  • Because we need it to comply with laws and regulations (for example, audit or anti-money laundering requirements)
  • To defend ourselves against (or to initiate) legal action or to review and if appropriate resolve, complaints
  • To monitor and improve the effectiveness of our marketing, or to prevent you from receiving marketing, if you’ve requested that

We will protect your information in line with this privacy notice for as long as we hold it. We will never alter the reasons that we hold your data for unless you have agreed to it, or it is required under law or regulation.

Part 7 – Automated data processing

We make use of systems and tools which automatically review and analyse your data. This is sometimes called “profiling” because it involves reviewing the data you have provided to us and comparing it against the data that individuals similar to you have provided to us previously.

Some of the decisions we make in regard to our products involve automated decision-making where there is no human involvement. If a decision is made by us using automated systems, you can always ask us to review it manually. A manual review does not necessarily mean that the outcome will change, but we will be happy to carry out a review, should you request it.

How do we use automated decision-making?

We use automated decision-making and profiling in a number of scenarios, including the following examples:

  • To assess the affordability of our products
  • To adjust and monitor credit limits
  • To carry our identity and regulatory checks, including fraud and anti-money laundering checks
  • To improve and assess our business processes, and to route you through a customer journey which we believe is optimised for you
  • To continually assess your circumstances, including to help us determine whether you might be at risk of becoming vulnerable, or might need additional support from us

When are we allowed to use automated decision-making?

We can only use automated decision-making in certain circumstances because of the potential impact that it might have on a customer. These circumstances include:

  • When it’s necessary to allow us to enter into a contract or to offer you a product or service (for example, to decide whether you represent an acceptable lending risk to us based on our pricing models)
  • To comply with laws and regulations (and automated decision-making is a reasonable way of allowing us to do this)
  • If we have explicitly gained your consent for us to carry out automated decision making

Where we are using special categories of personal data, we will only do so where it’s in the substantial public interest to safeguard your economic well-being. Special categories of data used by us in automated decision-making will generally be limited to the information disclosed by you about your health, whether mental or physical. For example, we might use profiling to identify and engage with customers who have said something to us that indicates they might require additional help.

How might automated decision-making affect you?

We will only use profiling in situations where we believe that it will offer customers a better outcome than manual decision-making can alone. The use of profiling could have the following effects on you:

  • It might mean that you are denied a product, including credit products, which could affect your credit file
  • It might mean that you receive personalised communications and marketing, and adjustments to your customer journey
  • Your account and products might be flagged as being at an increased risk of fraud or money laundering, particularly if high-risk behaviours are detected. These high-risk activities will always be reviewed by one of our team before any further action is taken by us
  • You might receive personalised products and services, for example adjusted credit limits or different pricing models, based on your history or the history of others who have similar characteristics to you
  • To continually monitor and adjust our organisation’s business risk, including financial exposure. The use of your data in this way is done at an aggregate level and will not affect you individually
  • To monitor our pricing and risk management processes. The use of your data in this way is done at an aggregate level and is likely to have only a minimal impact on you individually

Understanding more about automated decision making

You have a number of rights when it comes to our use of automated decision-making, and we’ll be pleased to provide you with further information. Simply contact us and we’ll be happy to help you.

Part 8 – Your rights

We take your privacy seriously, and we are committed to doing all that we can to protect your data. You have a number of rights in relation to how we use your personal data, which include:

  • Being able to see what information we hold on you at any point in time, and for what reason
  • Being able to ask us for a copy of the data we hold about you in electronic form
  • Being able to restrict us from using your data in certain ways or, where we rely on consent to process your personal data, withdrawing your consent for us to use it entirely
  • Being able to object to the processing of your personal data by us
  • Being able to have your personal data transmitted directly from us, as a data controller, to another data controller, where this is technically feasible
  • Asking us to correct any errors in your personal data
  • Asking us to delete your personal data

We will always take any requests made by you in relation to your rights seriously, and we will do all that we can to work with you to accommodate your wishes. However, there might be occasions where we can’t comply with your request. For example, if you’ve asked us to delete data which we’re required to keep because of a law or regulation, we won’t be able to complete your request. Where this is the case, we’ll always explain our decision to you (unless we’re also prevented by law from doing that).

To find out more about your rights, or to exercise them, please contact us.

Part 9 – Complaints

We hope that this privacy notice has provided you with the comfort of knowing that we take data protection seriously. However, if you feel like we’ve acted inappropriately, you are welcome to contact us to discuss your concerns. We will review your complaint in line with our complaint handling procedure.

If, after we have reviewed your complaint, you remain dissatisfied with the manner in which we have handled it, you may have the right to refer your complaint to the Financial Ombudsman Service (FOS). More information can be located by reviewing our complaint handling procedure.

Alternatively, you can contact the Information Commissioner’s Office (“ICO”), who are the data protection authority in the United Kingdom. The ICO can be contacted through their website at www.ico.org.uk. You do not need to complain to us or the FOS before you complain to the ICO.

This is Version 2.0 of our Customer Privacy Notice. Last updated: September 2022