Introduction
We are Money Superhero Ltd (company number 11396660) and we are the data controller in respect of
your personal data. This policy explains when and why we collect personal data,
how this information is used, the conditions under which it may be disclosed to
others, and how it is kept secure. If you have any queries about our handling
of your personal data, we can be contacted by writing to us at 5 Grampian Close, North Shields NE29 9EG or by email to [email protected]
This policy
explains how we will use the personal data that you provide to us when you
apply for motor finance via an online application, through a credit broker,
when you contact us directly, or that we have obtained about you through our
use of your information when you make such an application.
Where this policy
refers to "we", "our" or "us", unless it mentions
otherwise, it's referring to Money Superhero Ltd. Where this policy refers to
"you" it's referring to the person applying for motor finance.
What personal data we collect and how we collect it
The personal data you have provided to us: This is
information about you that you give to us when you visit our website and
further data that we subsequently collect from you by telephone. Once you have
provided initial data via our website, we’ll contact you by telephone to
collect further data from you and discuss your application. This consists of
the following categories of information:
- Name
- Email address
- Telephone number
- Postcode
- Date of birth
- Residential address and address history
- Contact details such as email address and
telephone numbers
- Financial information
- Employment details
- Vehicle details
The personal data we may receive from other sources: We obtain certain
personal data from credit reference and fraud prevention agencies. Please see
"Use by credit reference and fraud prevention agencies" below for
further information.
If you fail to provide us with any mandatory information that we
request from you, we will not be able to proceed with the credit reference and
fraud prevention checks described below and, subsequently, we will not be able to proceed with your
application for finance.
How we use your personal data
The purposes for
which we use your data and the legal basis under data protection laws on which
we rely to do this are as follows:
- Passing on your application
to lenders or taking steps to do so. We will use personal data relating to
you which we acquire in connection with any application for motor finance,
to verify your identity and assess your application.
- Our legitimate interests or
that of a third party. This includes:
- to assess and process your application for
finance;
- to administer and manage your relationship
between us including for customer service purposes;
- making decisions about you on credit facilities
offered by a lender;
- preventing fraud and money laundering, and to
verify your identity, in order to protect our business and that of the lender and
to comply with laws that apply to us and the lender;
- to comply with a request from you in
connection with the exercise of your rights (for example where you have
asked us not to contact you for marketing purposes, we will keep a record
of this on our suppression lists in order to be able to comply with your
request);
- carrying out statistical analysis to help
with decisions about credit and about credit fraud;
- monitoring communications between us to
prevent and detect crime, to protect the security of our communications,
systems and procedures, and for quality control and training purposes;
- for marketing activities (other than where we
rely on your consent to contact you with information about our services
and products or share your details with third parties to do the same, as
explained below);
- to develop, test, monitor and review the
performance of products, services, internal systems and security
arrangements; and
- for assessing the quality of our service and
to provide staff training within the business.
- Compliance with a legal
obligation. This includes when you exercise your legal rights under data
protection law, to verify your identity, for the establishment and defence
of our legal rights, for activities relating to the prevention, detection
and investigation of crime, to conduct credit, fraud prevention and
anti-money laundering checks and for compliance with our legal and
regulatory responsibilities. It may also include processing special
categories of data about you, for example for our compliance with our
legal obligations relating to vulnerable people.
- Consent. When we submit a referral of
yours for finance, we may contact you via post, email and SMS with
information about similar services. Please see "Marketing preferences"
below for further information. You have the right to withdraw your consent
for us to use your information in this way at any time. Please see
"Withdrawing your consent" for further details.
Use by credit reference and fraud prevention agencies
In order to process
your application, the lender will perform credit and identity checks on you with one
or more credit reference agencies (CRAs). To do this, the lender will supply your
personal information to CRAs and they will give the lender information about you. This
will include information from your credit application and about your financial
situation and financial history. CRAs will supply to the lender both public (including
the electoral register) and shared credit, financial situation and financial
history information and fraud prevention information. When CRAs receive a
search from the lender they will place a search footprint on your credit file that may
be seen by other lenders.
Lenders will use this
information to:
- assess your creditworthiness and whether you
can afford to take the product you have applied for;
- verify the accuracy of the data you have
provided to us or to it;
- prevent criminal activity, fraud and money
laundering;
- manage your account(s);
- trace and recover debts; and
- ensure any offers provided to you are
appropriate to your circumstances.
Lenders will continue
to exchange information about you with CRAs while you have a relationship with
it. Lenders will also inform the CRAs about your settled accounts. If you borrow
and do not repay in full and on time, CRAs will record the outstanding debt.
This information may be supplied to other organisations by CRAs.
If you are making a
joint application, or tell us that you have a spouse or financial associate, we
and the lender will link your records together, so you should make sure you discuss
this with them, and share with them this information, before making an
application to us. CRAs will also link your records together and these links
will remain on your and their files until such time as you or your partner
successfully files for a disassociation with the CRAs to break that link.
The identities of
the CRAs, their role also as fraud prevention agencies, the data they hold, the
ways in which they use and share personal information, data retention periods
and your data protection rights with the CRAs are explained in more detail
at www.experian.co.uk/crain/index.html and/or www.transunion.co.uk/crain and/or www.equifax.co.uk/crain.html
Before we or the lender
provide services, goods or financing to you, we undertake checks for the
purposes of preventing fraud and money laundering, and to verify your identity.
These checks require us to process your information. If we, the lender, or a fraud
prevention agency, determine that you pose a fraud or money laundering risk, we
or the lender may refuse to provide the services and financing you have requested or
we may stop providing existing services to you. A record of any fraud or money
laundering risk will be retained by the fraud prevention agencies, and may
result in others refusing to provide services, financing or employment to you.
If you have any questions about this, please contact us using the details
above.
Use by third parties
We disclose your
information to the following third parties:
- Lenders, for the purposes outlined in this policy.
- To other corporate entities within our
corporate group. We may pass on your details to any company within our
group in the ways set out in the "How we use your personal data"
section and for internal processes such as internal audits.
- Credit reference, fraud prevention agencies,
anti-money laundering agencies and/or counter-financial crime
organisations to conduct identity and money laundering checks (as detailed
above).
- HMRC, government authorities, regulatory or
law enforcement agencies if we are required by law to disclose it in
connection with the detection of crime, the collection of taxes or duties,
to enforce or apply the terms of our contracts, to protect the rights,
property or safety of our visitors and clients, in order to comply with any
applicable law or order of a court, or in connection with legal
proceedings.
- Third party service providers, agents and
sub-contractors acting on our behalf. This may also include providers of
data storage and database hosting services, IT hosting, IT software and
maintenance services, professional advisors, and third parties that
provide income verification services, affordability checks and
communication fulfilment services.
- Courts in the United Kingdom or abroad as
necessary to comply with a legal requirement, for the administration of
justice, to protect vital interests and to protect the security or
integrity of our business operations.
- Any third party who is restructuring, selling
or acquiring some or all of our business or assets or otherwise in the
event of a merger, re-organisation or similar event.
These third parties
may share your information with us, which we will use in accordance with this
policy. In some cases, in particular
with lenders, they will be acting as a controller of your information and therefore
you should read their privacy policy in these instances.
When we use third
party service providers, we only disclose to them any personal data that is
necessary for them to provide their service.
Where we will store your data / data transfers to third parties
We store your
personal data on servers located within the European Economic Area (EEA). If at
any time we transfer your personal data to, or store it in, countries located
outside of the EEA (for example, if our hosting services provider changes) we
will ensure that appropriate safeguards are in place for that transfer and
storage as required by applicable law.
The third parties
listed under "Use by third parties" may be located outside of the EEA
or they may transfer your information outside of the EEA. Those countries may
not have the same standards of data protection and privacy laws as in the UK.
Whenever we transfer your information outside of the EEA, we impose contractual
obligations on the recipients of that information to protect your personal data
to the standard required in the UK. Any third parties transferring your
information outside of the EEA must also have in place appropriate safeguards
as required under data protection law.
Whenever fraud
prevention or credit reference agencies transfer your personal data outside of
the EEA, they impose contractual obligations on the recipients of that data to
protect your personal data to the standard required in the EEA. They may also
require the recipient to subscribe to ‘international frameworks’ intended to
enable secure data sharing.
Retention of your personal data
If we collect your
personal data, the length of time we retain it is determined by a number of factors
including the purpose for which we use that information and our obligations
under other laws. We do not retain personal information in an identifiable
format for longer than is necessary.
We keep your data for
6 years or as long as necessary to deal with any queries you may have.
Fraud prevention
agencies can hold your data for different periods of time, and if you are
considered to pose a fraud or money laundering risk, your data can be held for
up to 6 years. Credit reference agencies will retain the account information
that we give to them for 6 years after your account is closed. Please see
"Use by credit reference and fraud prevention agencies" for more
information about the information that we give to them.
We may hold your
information for a longer or shorter period from that described above where:
- the law requires us to hold your personal
information for a longer period, or delete it sooner;
- we need your personal information to
establish, bring or defend legal claims;
- you exercise your right to have the
information erased (where it applies) and we do not need to hold it in
connection with any of the reasons permitted or required under the law;
and
- in limited cases, the law permits us to keep
your personal information indefinitely provided we put certain protections
in place.
Your rights
You have a number
of rights in relation to your personal data under data protection law. In
relation to certain rights, we may ask you for information to confirm your
identity and, where applicable, to help us to search for your personal data.
Except in rare cases, we will respond to you within one month after we have
received this information or, where this is not required, after we have
received your request.
- To be informed about the
processing of your information. This is what this privacy notice sets
out to do.
- Object to our processing of
your personal data. Where we rely on our legitimate business interests as the
legal basis for processing your personal data for any purposes, as set out
under "How we use your personal information", you may object to
us using your personal data for these purposes by emailing or writing to
us at the address above. Except for the purposes for which we are sure we
can continue to process your personal data, we will temporarily stop
processing your personal data in line with your objection until we have
investigated the matter. If we agree that your objection is justified in
accordance with your rights under data protection laws, we will
permanently stop using your data for those purposes. Otherwise we will
provide you with our justification as to why we need to continue using
your data. You may object to us using your personal data for direct
marketing purposes and we will automatically comply with your request. If
you would like to do so, please contact us using the details above or
email [email protected].
- Request that your personal
data is erased or restricting its processing.In certain circumstances, you
may ask for your personal data to be removed from our systems by emailing
or writing to us at the address above. Provided we do not have any
continuing lawful reason to continue processing or holding your personal
data, we will make reasonable efforts to comply with your request. You may
also ask us to restrict processing your personal data where you believe it
is unlawful for us to do so, you have objected to its use and our
investigation is pending or you require us to keep it in connection with
legal proceedings. We may only process your personal data whilst its
processing is restricted if we have your consent or are legally permitted
to do so, for example for storage purposes, to protect the rights of
another individual or company or in connection with legal proceedings.
- Withdrawing your consent. Where we rely on your
consent as the legal basis for processing your personal data, as set out
under "How we use your personal data", you may withdraw your
consent at any time by contacting us using the details above. If you
withdraw your consent, our use of your personal data before you withdraw
is still lawful. If you would prefer not to be contacted with marketing
information you may opt out by writing to us at the above address or email
[email protected].
- Correcting and updating your
personal data. The
accuracy of your information is important to us and we are working on ways
to make it easier for you to review and correct the information that we hold
about you. In the meantime, if you change your name or address/email
address, or you discover that any of the other information we hold is
inaccurate or out of date, please let us know by contacting us on the
details provided above.
- Request access to your
personal data. You
have the right to ask for a copy of the information that we hold about you
by emailing or writing to us at the address above. We may not provide you
with a copy of your personal data if this concerns other individuals or we
have another lawful reason to withhold that information.
- Transferring your personal
data in a structured data file. Where we rely on your consent as the
legal basis for processing your personal data or need to process it in
connection with a service that we have agreed to provide to you, you may
ask us to provide you with a copy of that information in a structured data
file. We will provide this to you electronically in a structured, commonly
used and machine readable form, such as a CSV file. You can ask us to send
your personal data directly to another service provider, and we will do so
if this is technically possible. We may not provide you with a copy of
your personal data if this concerns other individuals or we have another
lawful reason to withhold that information.
For more
information or to exercise your data protection rights, please contact us using
the contact details above.
Customer
complaints
If you have concerns
about the way we have handled your personal data, we encourage you to contact
us and we will seek to resolve any issues or concerns you may have.Please refer to our complaints policy at [email protected].You will also find
our contact details above. You have the right to complain to the Information
Commissioner's Office (ICO) if you are concerned about the way we have
processed your personal data. Please visit https://ico.org.uk/ for further
details.
Changes to this policy
We may review this
policy from time to time and any changes will be notified to you in writing.
Any changes will take effect 7 days after the date of our notification. If you
do not agree with any aspect of the updated policy you must immediately notify
us and cease using our services.