Privacy policy

This privacy policy explains how we collect, use, and protect your personal data. That includes data you give us when you visit our website, sign up for a Habito account, or buy one of our products or services. This also includes data we collect from you or from other sources when we provide our services. We’ll also explain your privacy rights, and how the law protects you.

When we use the words ‘we’, ‘us’, ‘our’, or ‘Habito’ in this policy, we’re talking about Hey Habito Ltd. And when we say ‘you’ or ‘your’ we’re talking about our customers.

1. Who we are & contact details

Habito is the data controller. That means we’re responsible for your personal data under this privacy policy.

If you want to talk to us about your data, we’re here to help. Email us at [email protected] or write to The Data Working Group, Habito, WeWork, Moor Place, 1 Fore Street Avenue, London, EC2Y 9DT.

If you have a complaint about anything to do with your data, use those same contact details to get in touch. We’ll investigate and get back to you as soon as we can.

We’re registered with the Information Commissioner’s Office (ICO) with registration number ZA153186. The ICO is an independent organisation that protects people’s data and privacy rights. If you have a complaint, we’d love the chance to help you first, but you can also complain to the ICO at any time.

We last updated this privacy policy on 12 April 2023. We might make changes to this privacy policy at any time. We’ll let you know if we do, usually by email. We'll highlight the changes we make so that you can clearly see them. If you’d like a copy of a previous version, email us at [email protected].

When we link to other websites

We might link to other places, like other websites or applications. We can’t control those other places and we’re not responsible for their privacy policies. So be aware they may collect and process data about you in a different way than we do. Read their privacy policies if you’d like more information about how they do that.

2. What data we collect

We collect, use, store and transfer personal data. Personal data is any information that can identify you. It doesn’t include information where you can’t be identified (anonymous data).

We might collect, use, store and transfer different types of your personal data for the reasons you can see here. ‘Transfer’ means sending your information somewhere else.

Types of personal data we collect, with examples of what each type includes:

Identity data
first name, maiden name, last name, marital status, title, date of birth, gender, citizenship and employment history.
Contact details
address history, email address and telephone number.
Financial data
bank account details, card payment details, salary and other income information, savings, credit history, financial commitments and other expenses.
Special category data
physical and mental health conditions, racial or ethnic origin, and biometric data.
Criminal offence data
information about criminal offences and convictions.
Transaction data
details about payments from you and other details related to the products and services you’ve bought from us.
Technical data
IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform.
Profile data
your username and password, feedback and survey responses.
Usage data
information about how you use our website, products and services.
Marketing and communications data
your choices about marketing from us and our business partners, and how you prefer us to contact you.
Other data
any other information that could be used to identify you, that we need to help you get a mortgage or buy a home.

If you’re making a joint application, we’ll also collect some of this information about the person you’re applying with, like your spouse. Make sure you have their agreement before you give us their data.

If you’re applying for a company buy-to-let mortgage, we’ll collect some of this information about the people you have a financial link with. For example, the directors or certain employees of your company. Make sure you have their agreement before you give us their data.

Special category data and vulnerable customers

The Financial Conduct Authority asks firms like Habito to give special levels of care to customers they think might be vulnerable. If we think you’re vulnerable, we might record that information to help us give you the right service. That information could be special category data. That’s data that’s likely to be more sensitive – things like physical and mental health conditions.

When companies process special category data, they have to have a “legal basis” to use it, which means a legal reason from the UK GDPR. The legal basis we rely on is “legal obligation” (we have to process your data because the law or regulations require us to).

Alongside that, companies also have to meet one of the legal conditions in Article 9 of the UK GDPR. The conditions we rely on are “substantial public interest,” “regulatory requirements” and “support for individuals with a particular disability or medical condition.” In plain English, that means we use this data to make sure we support you in the right way. For example, you might tell us that you’re deaf, and that you prefer us not to call you on the phone. We’ll use this information to support you using online chat.

Here are all the legal reasons we rely on to use your data.

If you’re a returning Habito customer

We might use the data you gave us last time to help you the next time. That way, you don’t have to type in all your info again. If we do this, we'll always check that your information is accurate and up to date.

Aggregated data

We also collect and process aggregated data. That’s information about our customers that we combine together so that it doesn’t identify people specifically any more. We use this for all sorts of business reasons – like market analysis and research, demographic profiling, marketing and advertising, and to comply with regulation.

Aggregated data isn’t considered personal data because it won’t reveal your identity. But if we combine or connect aggregated data with your personal data so that it can identify you, we’ll treat that combined data as personal data.

3. How we collect your data

Here’s how we might collect personal data on our website, over live chat, on the phone, or from other companies and places.

You give us data

You might give us data (for example about your identity) when you do any of these things:

We automatically collect data

Our website automatically collects technical data – things like the equipment you’re using, as well as a record of what pages you’re visiting. We use cookies for this, and we have a delicious cookie notice where you can find lots more detail.

We get data from another source

Sometimes we get personal data from somewhere outside Habito, like:

4. How we use your data

We use your data for one or more of the reasons we’ve listed below. We will only use your personal data when the law allows us to. No surprises there.

Companies can’t use your data without having a legal reason for using it. This reason is called a “legal basis”. Here are the legal bases we rely on, and what they mean:

Consent
you’ve told us it’s OK to use your data for a specific reason.
Contract
you’ve agreed to a contract with us, and we need to use your data to carry out that contract. For example, we’ll use your data to provide our Plus service or help you apply for a Habito mortgage. We might also use your data if you’ve asked us to do something before we can carry out a service (like providing you with a Plus quote).
Legal obligation
we have to process your data because the law or regulations require us to. For example, we need to get proof of your identity to meet our anti-money laundering responsibilities.
Legitimate interest
we or one of our partners might use your data because we or they might have a legitimate interest to do that. Sometimes that interest is to do with benefitting Habito or our partners, and sometimes it’s to benefit wider society. One example of legitimate interest for processing your data might be to try to detect and prevent fraud. Another might be to improve our products and services. Or, we might process your data to recover any money you owe us.

Here’s a deep dive into what we use your data for, and the legal bases we use. Strap yourself in, it’s going to be a detailed read.

The purpose we use your data for (a refresher on each type of data) The legal basis for each purpose

Say hello

We use your identity and contact data to register you as a new customer and manage your Habito account.


Help you get ready for a mortgage

We use your identity, contact, financial, transaction, marketing and communications data to give you guidance on things like your deposit and how lenders might see you.


Sort your mortgage

We use your identity, contact, financial, transaction, marketing and communications, special category, and criminal offence data to help you with your mortgage. Things like finding the right mortgage for you and managing the mortgage applications we make on your behalf.

We’ll also use this information to monitor your mortgage and let you know when you could get a better deal.

  • Contract
  • Legal obligation (for special category data, we also rely on “substantial public interest”, “regulatory requirements,” and “support for individuals with a particular disability or medical condition”)
  • Legitimate interest (in this case, to recover any money you owe us and to develop and grow our business)

Check your credit

If you apply for a Habito mortgage, we use your identity, financial and contact data to check your credit history and score.

  • Contract
  • Legal obligation

Tell you stuff

We use your identity, contact, profile, transaction and marketing and communications data to manage our relationship with you.

This includes things like asking you to leave a review or take a survey. It also includes telling you when your mortgage deal is about to end, and for legal and regulatory reasons.

  • Contract
  • Legal obligation
  • Legitimate interest (keep our records updated, see how customers use Habito and review our standards of service, to contact you again as your mortgage deal ends)

Service your mortgage

If you have a Habito mortgage, we use your identity, contact, profile, and transaction data to service your mortgage.

That means things like telling you about the state of your mortgage, and collecting your repayments.

  • Contract
  • Legal obligation

Work with others

We use your identity, contact and financial data to talk to other companies or anyone else that helps you with the whole mortgage and home-buying journey.

That could include solicitors, conveyancers, surveyors, valuers, other lenders, and other brokers.

  • Contract
  • Legal obligation

Support your complaints

We use your identity, contact and marketing and communications data to manage complaints, take action to put things right, and answer your questions.

We can also use financial, transaction, special category data and criminal offence data when it relates to the complaint you’ve made.

  • Legal obligation
  • Legitimate interest (investigate complaints, improve our standards and try to prevent future complaints)

Give you prizes

We collect your identity, contact, and profile data when you take part in prize draws and competitions. We do this so we can contact you, and maybe even send you a prize.

  • Consent
  • Contract

Ask your opinion

We collect your identity, contact, profile, technical and usage data when you complete a survey or take part in user testing.

  • Contract
  • Legitimate interest (to understand how customers use Habito and develop our services and business)

Follow up on your reviews

We might use your identity and contact data to get in touch to talk about a review you’ve left us, say on Trustpilot. For example, we might send you a message to say thank you, or to ask what we could have done better and how we can improve.

  • Legitimate interest (to improve our standards of service and customer experience)

Keep the site running

We use your identity, contact and technical data to manage and protect our business and our website. That includes things like troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data.

  • Legitimate interest (to run our business, including our admin and IT services, keep it secure, and prevent fraud)

Make everything better

We use your technical and usage data to analyse and test our systems, and improve our website, products and services, marketing, customer relationships and experiences. Quite a lot of things.

  • Legitimate interest (keep our website updated, and develop our business and marketing strategy)

Send you marketing & recommend stuff

We use your identity, contact, profile, usage, technical and marketing and communications data to suggest services you might like.

We’ll use your data to decide what you might find useful or like us to send you. You can unsubscribe from marketing by hitting ‘Unsubscribe’ at the bottom of any marketing email, or by emailing [email protected].

We’ll never share your details with other companies for marketing reasons without your consent.

  • Legitimate interest (grow Habito and develop what we offer – for example, we might use your data to send you personalised marketing campaigns)
  • Consent

Record our communications

We use your identity, contact, profile, usage, transaction, marketing and communications data to monitor or record any communications between you and us. That includes live chat and phone calls.

We do this to check your instructions to us, analyse and improve our services, and to help us train staff. We also do it for quality assurance purposes (which means to help us prevent mistakes or problems from happening).

  • Contract
  • Legal obligation
  • Legitimate interest (develop and improve our systems, train our people, and give our customers a high standard of service)

Stop fraud in its tracks

We use your identity, contact, profile, usage, financial, transaction, marketing and communications data to prevent fraud. We carry out checks on your identity and documents, and look at your financial transactions to detect fraud and money laundering.

  • Contract
  • Legal obligation
  • Legitimate interest (fraud and ID checks protect our and others’ businesses as well as you)

If you’d ever like more details about the legal bases we use to process your data, just ask. We love talking data and are always happy to help.

Automated decision-making

Automated decision-making is when companies use computers to make decisions without humans being involved. For example, a bank might use it to approve an online loan.

We currently don’t do this at Habito – that’s why it’s not in the glorious table above. But we wanted to make you aware of it, because some of the companies involved in your mortgage or home-buying process might. It will be in their privacy policies if they do.

You can ask any lender who uses automated decision-making to give you the actual reason behind their decision (or we can ask your lender for you). If you’re getting a mortgage from Habito as your lender, a human will always be involved in deciding whether to give you a loan.

Here’s more information on automated decision-making and your rights.

5. Who we share your data with

We might share your information with other companies. But we make sure they treat it as well as we do, and (of course) in line with the law. These other companies can’t just use your information for any reason – it has to be for a specific purpose and in the way we tell them to.

Here’s a list of the people and companies we might share your data with:

Habito group companies
These are companies that are controlled by Habito. We might share your data with other Habito group companies if they provide services to us. We might also do this for marketing where you’ve agreed.
Mortgage lenders
We share your data with a lender to make a mortgage application on your behalf. Mortgage lenders are also data controllers, and will look after your data according to their own privacy policy. It’s worth reading your lender’s privacy policy to see how they use your data.
Other brokers
If you apply for a Habito mortgage through another broker, we might share your information with that broker to update them about your application. For example, if we decide we can’t lend to you, we’ll tell your broker.
Solicitors, conveyancers, surveyors, valuers, panel managers (companies that lenders use to outsource legal work for them) and mortgage clubs (companies that connect brokers and lenders together)
Basically, any other third parties we might work with to help you get a mortgage and buy your home.
Insurance Brokers
For customers who consent to it, we may share information with our insurance broker partners in order for them to carry out their services appropriately. As with our other partnerships, we have robust data sharing agreements in place to make sure they process the data with the same high standards that we do.
to confirm your identity. We have a written contract with Onfido that makes sure they process your data as safely as possible.
Other service providers that support Habito – for example, IT providers and legal and accounting firms.
We have written contracts in place with everyone we partner with to make sure they process your data as safely as possible.
Anyone who funds, buys all or part of Habito, anyone Habito buys or merges with, or anyone we have discussions with about these.
We’ll do what we reasonably can to make sure they only use your personal data as set out in this privacy policy.
Fraud prevention agencies
We’ll use these to check your identity when you apply for a mortgage, and on an ongoing basis, for example if you remortgage with us. If you give us inaccurate, false or fraudulent information, we’ll tell a fraud prevention agency (you can ask us to tell you which ones). Those agencies then share that data with other organisations, like law enforcement, to prevent and detect fraud or other crimes. They can hold your personal data for up to 6 years.
Credit reference agencies (CRAs), the companies that hold your credit history and credit report.
Lenders will get data about you from these agencies to help them decide whether to give you a mortgage. This is known as a credit check. If you apply for a mortgage with Habito as your lender, we’ll carry out a credit check on you. If you apply for a mortgage with another lender, they’ll carry out a credit check on you. Checks show up on your file for others to see, and having lots might affect your ability to borrow in the future. We and other lenders will also share information with the CRAs about the financial details of your mortgage, and how you handle your mortgage. That includes whether you’re making your repayments in full and on time, and if you apply to borrow more money or take out another mortgage. The CRAs may share that with other lenders and organisations to help them perform credit checks, trace you and recover any money you owe. The main three CRAs are Transunion, Equifax and Experian – hit their names to read about how they use your data. If you want to check the data they hold about you, you can get in touch with them any time.
Regulators, governmental or dispute resolution bodies, law enforcement agencies or other authorities like those.
We share data when we have to, and when it’s in connection to their duties – for example, preventing crime.

6. Transferring your data to another country

We work with partners in the UK, in the European Economic Area (EEA), and in countries outside the EEA as well.

If we transfer your data to anyone outside the EEA, we’ll take extra steps to protect it.

We’ll make sure the country has adequate levels of personal data protection, as determined by the European Commission.

Or, we’ll put robust contracts in place with whoever we’re transferring data to. These contracts offer the same level of protection as the UK and the EEA. For example, we rely on a contract called the Standard Contractual Clause transfer mechanism to transfer data to the US.

Get in touch if you’d like to know more about how we protect your data across borders.

7. Storing your data & how long we keep it for

How we keep your data safe

Only a limited and authorised number of people can ever access your information, on a business need to know basis only.

We want to make sure your information isn’t accidentally lost, used, accessed, changed or shared in an unauthorised way. We’ve put robust security systems in place to make sure of that.

If we ever think that something’s gone wrong, we have procedures in place to deal with it. If something does go wrong, we’ll tell you – and sometimes the regulator – where we’re legally required to.

How long we keep your data

We’ll only keep your data for as long as we need it to do the thing we collected it for. Or where laws and regulations tell us we need to keep it for a specific amount of time.

Here’s a more detailed breakdown:

Sometimes we anonymise your personal data (so it can’t identify you anymore) for research or statistics. We keep that data for as long as we need it.

You can talk to us about how long we keep your data, or ask us to delete your data, by talking to us on live chat or emailing [email protected]. But sometimes, laws or regulations tell us we have to wait a certain amount of time before we’re allowed to delete your data. If we have to wait, or if we can’t delete your data, we’ll let you know the reasons why.

8. Your legal rights

You have rights under the UK GDPR when it comes to your personal data. You have the right to: