When we use the words ‘we’, ‘us’, ‘our’, or ‘Habito’ in this policy, we’re talking about Hey Habito Ltd. And when we say ‘you’ or ‘your’ we’re talking about our customers.
If you want to talk to us about your data, we’re here to help. Email us at firstname.lastname@example.org or write to The Data Working Group, Habito, The Loom, 14 Gower’s Walk, London, E1 8PY.
If you have a complaint about anything to do with your data, use those same contact details to get in touch. We’ll investigate and get back to you as soon as we can.
We’re registered with the Information Commissioner’s Office (ICO) with registration number ZA153186. The ICO is an independent organisation that protects people’s data and privacy rights. If you have a complaint, we’d love the chance to help you first, but you can also complain to the ICO at any time.
www.habito.com might link to other places, like other websites or applications. We can’t control those other places and we’re not responsible for their privacy policies. So be aware they may collect and process data about you in a different way than we do. Read their privacy policies if you’d like more information about how they do that.
We collect, use, store and transfer personal data. Personal data is any information that can identify you. It doesn’t include information where you can’t be identified (anonymous data).
We might collect, use, store and transfer different types of your personal data for the reasons you can see here. ‘Transfer’ means sending your information somewhere else.
Types of personal data we collect, with examples of what each type includes:
If you’re making a joint application, we’ll also collect some of this information about the person you’re applying with, like your spouse. Make sure you have their agreement before you give us their data.
If you’re applying for a company buy-to-let mortgage, we’ll collect some of this information about the people you have a financial link with. For example, the directors or certain employees of your company. Make sure you have their agreement before you give us their data.
The Financial Conduct Authority asks firms like Habito to give special levels of care to customers they think might be vulnerable. If we think you’re vulnerable, we might record that information to help us give you the right service. That information could be special category data. That’s data that’s likely to be more sensitive – things like physical and mental health conditions.
When companies process special category data, they have to have a “legal basis” to use it, which means a legal reason from the UK GDPR. The legal basis we rely on is “legal obligation” (we have to process your data because the law or regulations require us to).
Alongside that, companies also have to meet one of the legal conditions in Article 9 of the UK GDPR. The conditions we rely on are “substantial public interest,” “regulatory requirements” and “support for individuals with a particular disability or medical condition.” In plain English, that means we use this data to make sure we support you in the right way. For example, you might tell us that you’re deaf, and that you prefer us not to call you on the phone. We’ll use this information to support you using online chat.
We might use the data you gave us last time to help you the next time. That way, you don’t have to type in all your info again. If we do this, we’ll always check that your information is accurate and up to date.
We also collect and process aggregated data. That’s information about our customers that we combine together so that it doesn’t identify people specifically any more. We use this for all sorts of business reasons – like market analysis and research, demographic profiling, marketing and advertising, and to comply with regulation.
Aggregated data isn’t considered personal data because it won’t reveal your identity. But if we combine or connect aggregated data with your personal data so that it can identify you, we’ll treat that combined data as personal data.
Here’s how we might collect personal data on our website, over live chat, on the phone, or from other companies and places.
You might give us data (for example about your identity) when you do any of these things:
Sometimes we get personal data from somewhere outside Habito, like:
We use your data for one or more of the reasons we’ve listed below. We will only use your personal data when the law allows us to. No surprises there.
Companies can’t use your data without having a legal reason for using it. This reason is called a “legal basis”. Here are the legal bases we rely on, and what they mean:
Here’s a deep dive into what we use your data for, and the legal bases we use. Strap yourself in, it’s going to be a detailed read.
If you’d ever like more details about the legal bases we use to process your data, just ask. We love talking data and are always happy to help.
Automated decision-making is when companies use computers to make decisions without humans being involved. For example, a bank might use it to approve an online loan.
We currently don’t do this at Habito – that’s why it’s not in the glorious table above. But we wanted to make you aware of it, because some of the companies involved in your mortgage or home-buying process might. It will be in their privacy policies if they do.
You can ask any lender who uses automated decision-making to give you the actual reason behind their decision (or we can ask your lender for you). If you’re getting a mortgage from Habito as your lender, a human will always be involved in deciding whether to give you a loan.
Here’s more information on automated decision-making and your rights.
We might share your information with other companies. But we make sure they treat it as well as we do, and (of course) in line with the law. These other companies can’t just use your information for any reason – it has to be for a specific purpose and in the way we tell them to.
Here’s a list of the people and companies we might share your data with:
We work with partners in the UK, in the European Economic Area (EEA), and in countries outside the EEA as well.
If we transfer your data to anyone outside the EEA, we’ll take extra steps to protect it.
We’ll make sure the country has adequate levels of personal data protection, as determined by the European Commission.
Or, we’ll put robust contracts in place with whoever we’re transferring data to. These contracts offer the same level of protection as the UK and the EEA. For example, we rely on a contract called the Standard Contractual Clause transfer mechanism to transfer data to the US.
Get in touch if you’d like to know more about how we protect your data across borders.
Only a limited and authorised number of people can ever access your information, on a business need-to-know basis only.
We want to make sure your information isn’t accidentally lost, used, accessed, changed or shared in an unauthorised way. We’ve put robust security systems in place to make sure of that.
If we ever think that something’s gone wrong, we have procedures in place to deal with it. If something does go wrong, we’ll tell you – and sometimes the regulator – where we’re legally required to.
We’ll only keep your data for as long as we need it to do the thing we collected it for. Or where laws and regulations tell us we need to keep it for a specific amount of time.
Here’s a more detailed breakdown:
Sometimes we anonymise your personal data (so it can’t identify you anymore) for research or statistics. We keep that data for as long as we need it.
You can talk to us about how long we keep your data, or ask us to delete your data, by talking to us on live chat or emailing email@example.com. But sometimes, laws or regulations tell us we have to wait a certain amount of time before we’re allowed to delete your data. If we have to wait, or if we can’t delete your data, we’ll let you know the reasons why.
You have rights under the UK GDPR when it comes to your personal data. You have the right to: