Privacy policy

This privacy policy explains how we collect, use, transfer, share and protect your personal information. That includes information you give us when you visit our website, sign up for a Habito account, or buy one of our products or services. This also includes information we collect from you or other sources when we provide our services. We’ll also explain your privacy rights and how the law protects you.

When we use the words ‘we’, ‘us’, ‘our’, or ‘Habito’ in this policy, we’re talking about Hey Habito Ltd and, where applicable, Habito Conveyancing Ltd. And when we say ‘you’ or ‘your’, we’re talking about anyone whose personal information we process.

Who we are
What personal information we collect
How we collect your personal information
How we use your personal information
Who we share your personal information with
Transferring your personal information to another country
Storing your personal information & how long we keep it for
Your rights
Contact us

1. Who we are

Habito is registered with the Information Commissioner’s Office (ICO) under registration number ZA153186.

Habito Conveyancing Ltd is also registered with the ICO under registration number ZA915395.

Habito is part of the Monzo group. This means Hey Habito Ltd and Habito Conveyancing Ltd are group companies of Monzo Bank Ltd.

Depending on the services you use, your personal information may be processed by Hey Habito Ltd and/or Habito Conveyancing Ltd as independent data controllers.

Habito is the data controller for the personal information we collect and use about you. That means we determine the purpose and means of processing your personal information.

Depending on the nature of the processing activity, Monzo may act as an independent controller, joint controller, or processor in respect of your personal information.

Where Habito remains the data controller for the personal information we collect and use about you, we may share your personal information with other companies within the Monzo group where they provide services to us, support our operations, or help us meet our legal and regulatory obligations.

We might also act as a processor in some instances. In all cases, we’ll treat your personal information as confidential and in accordance with the applicable data protection legislation, your personal information will only be shared as per this privacy notice.

We might make changes to this privacy policy from time to time. If we make substantial changes, we’ll let you know, usually by email. If you’d like a copy of a previous version, email us at [email protected].

2. What personal information we collect

We collect, use, store and transfer two types of data.

Personal data is any information that tells us something about you. This could include information such as name, contact details, date of birth, bank account details or any information about your needs or circumstances which allow us to identify you.

Special Category data is information which is classified as ‘sensitive’ under data protection legislation. This could include health data, religion or sexual orientation. There are also special conditions for the use of criminal conviction data. This special category data requires us to have additional lawful bases under the Data Protection Act 2018 to collect, store and process.
‍
If you’re enquiring about, or applying for a mortgage or protection through Habito, we’ll collect personal information from you, as laid out in the table below.

Personal information we may collect	Why we collect it
Your name, postal address, phone number, email address and details of your requirements which may include existing protection arrangements. Previous names, mother’s maiden name, previous addresses, health and family history, lifestyle, occupation, height and weight, information about your residential and smoker status and dependents. Your marital status, gender, date of birth, nationality and tax status. Employment details, national insurance number, residential status, bank details and credit history.	To apply or enquire about services related to mortgage or protection products. To carry out referencing and credit checks and the results of those checks.
Proof of identity to include, but is not limited to, passport, driving licence, and address documents. We may also need to collect information on other individuals who have an interest in the property and who are not considered to be our customers. Details of your mortgage arrangements, confirmation of how long you have owned the property and details of the source of money invested in the property.	To perform ‘know your customer’, anti-money laundering, and counter-terrorist financing requirements as required by law.
Your bank account details or payment card information.	Processing payments and transactions including accounting, authorisation, clearing, chargebacks, auditing, billing, reconciliation, collection, credit checks and related dispute resolution activities.
Bank statements, mortgage statements, proof of deposit, payslips and P60, accounts, SA302s and SA100s, tax year overviews, ID and proof of address, ASTs.	Supporting your mortgage application.
Facial recognition technology.	To deliver client ID verification checks.
IP address, browser type, operating system, URL information.	To improve the services we provide to our customers through insight.
Communication and marketing preferences.	To ensure we only send you details of products and services you are interested in through your preferred communication channel.

We may request additional information from you which is relevant to the service being provided.

If you’re making a joint application, we’ll also collect some of this information about the person you’re applying with, such as your spouse. Make sure you have their agreement before you give us their data.

If you’re applying for a company buy-to-let mortgage, we’ll collect some of this information about the people you have a financial link with. For example, the directors or certain employees of your company. Make sure you have their agreement before you give us their data.

We don’t offer products or services to children, but in some instances, we may need to collect the name and date of birth of children and share this with the selected mortgage or protection provider.

Any telephone calls made to or from you may be monitored and recorded for training, compliance and security purposes.

If you’re a returning Habito customer

We’ll use some of the personal information you gave us last time to help you the next time. That way, you don’t have to type in all your info again. If we do this, we'll always check that your information is accurate and up to date

3. How we collect your personal information

Here’s how we might collect personal information on our website, over live chat, on the phone, or from other companies and places.

You give us your personal information

You might give us data (for example about your identity) when you do any of these things:

create a Habito account on our website
contact us by email, phone or on live chat
use or apply for any of our products or services
subscribe to our newsletter or tell us you’re OK with getting marketing from us
enter one of our competitions or promotions
give us feedback or take part in a survey

We automatically collect data

Our website automatically collects technical data – things like the equipment you’re using, as well as a record of what pages you’re visiting. We use cookies for this, and we have a delicious cookie notice where you can find lots more details.

We get personal information from another source

Sometimes we get personal information from somewhere outside Habito, like:

Google Analytics (both inside and outside the UK), which is a service that helps us understand how people use the website. We collect this whenever you use our website.
Facebook, Google, and any social media or email account you use to log into Habito. We do this every time you log in.
Other brokers. If you have previously obtained a Habito mortgage from another broker, they may have shared your details with us as part of your mortgage application.
Credit reference agencies, like Experian, are the companies that hold your credit history and credit report. We may have collected this if you previously applied for a Habito mortgage.
Public sources like Companies House and the Electoral Register. We check these as part of your mortgage application, to verify what you’ve told us.
Onfido, which is an ID and anti-money laundering check service. This data helps us confirm your identity as part of your mortgage or protection application.

We can’t control how those other places use the data, and we’re not responsible for their privacy policies. Please be aware they may collect and process data about you in a different way than we do. You should read their privacy policies if you’d like more information about how they do that.

4. How we use your personal information

We use your personal information for one or more of the reasons we’ve listed below. We will only use your personal information when the law allows us to. No surprises there.

Companies can’t use your personal information without having a legal basis for using it. This reason is called a “lawful basis”. Here are the lawful bases we rely on:

Consent: you’ve given us clear and unambiguous consent before processing your data, for example, to send and/or receive marketing information from Habito. Being part of the Monzo group does not mean you will receive marketing from Monzo unless you have separately agreed to this.
Contract: where the collection and processing of your personal information is necessary for the performance of a contract you’re party to, or to take steps at your request before entering a contract.
Legal obligation: we have to process your data because the law or regulations require us to. For example, we need to get proof of your identity to meet our anti-money laundering responsibilities.
Legitimate interest: we might use your data because we have a legitimate interest in doing that. Sometimes that interest has to do with benefiting Habito, and sometimes it’s to benefit wider society. One example of legitimate interest in processing your personal information might be to try to detect and prevent fraud. Another might be to improve our products and services. Or, we might process your data to recover any money you owe us. This may include sharing your personal information within the Monzo group to support the delivery of our services, improve our products, manage risk, prevent fraud, meet regulatory and legal obligations, and operate our business effectively. We ensure that any such sharing is proportionate and that your rights are protected.

Where we process or share special category data (such as health information or vulnerability-related information), we will only do so where we have a valid legal basis and, where required, your explicit consent or another condition permitted under data protection law.

If you’d ever like more details about the lawful bases we use to process your personal information, just ask. We love talking about data and are always happy to help.

5. Who we share your personal information with

We might share your information with other companies. But we make sure they treat it as well as we do, and (of course) in line with the law. These other companies can’t just use your information for any reason – it has to be for a specific purpose.

Here’s a list of the people and companies we might share your data with:

Monzo group companies

Habito is part of the Monzo group. We may share your personal information with Monzo Bank Ltd and other companies within the Monzo group where necessary to provide services to us, support our operations, or help us meet our legal and regulatory obligations.

This includes support in areas such as:

technology infrastructure and systems
customer support and operations
risk management and fraud prevention
regulatory compliance and reporting
business analytics and service improvement

Monzo will not use your personal information for their own marketing purposes unless you have separately agreed to this.

Third parties

We will share personal information with our regulators, governmental or quasi-governmental organisations, law enforcement authorities, courts, tribunals and arbitrators as may be required to comply with our regulatory and legal obligations.

We may also engage with third-party service providers to provide products or other business services on our behalf. We only provide them with the personal information they need to perform the service we request. This includes IT systems providers and IT contractors as well as third-party referencing or screening agencies for the prevention and detection of crime. We contractually require them to securely protect information, and not use it for any other purpose.

An example of some third-party service providers that Habito uses and the purpose of sharing personal information with them are listed below.

Third-party	Why do we share it
Mortgage lenders	To progress your enquiry or application for a mortgage.
Insurance providers	To progress your enquiry or application for personal protection (i.e. life insurance, critical illness cover, income protection)
Solicitors/Conveyancers	To provide conveyancing services.
Panel Managers (companies that lenders use to outsource legal work)	To provide conveyancing services.
Surveyors/Valuers	To undertake a structural or homebuyer survey
Mortgage clubs (companies that connect brokers and lenders)	To assist us in getting you a mortgage
Referencing Companies, Credit and Risk agencies	For fraud prevention, anti-money laundering checks and identity verification.
Debt collection companies	To assist us in recovering any monies which we are owed and overdue.
Law enforcement bodies, including the police, HMRC and local authorities	To comply with court orders or legal obligations.
Land Registry Office	For conveyancing services.

Automated decision-making

Automated decision-making is when companies use computers to make decisions without humans being involved. For example, a bank might use it to approve an online loan.

Habito does not carry out solely automated decision-making that produces legal or similarly significant effects on you.

However, some of our partners, or companies within the Monzo group, may use automated decision-making as part of their services. You can ask the relevant provider for more information or request a human review.

While we do not use automated decision-making at Habito, we may use AI tools to support our internal compliance processes. These tools do not make decisions about individuals and are always subject to strict human oversight.

Data sharing within the Monzo group

When we share personal information within the Monzo group, we ensure that:

the sharing is necessary for a specific business purpose
appropriate data protection agreements are in place
access is limited to authorised individuals on a need-to-know basis
appropriate technical and organisational security measures are applied

Where we share special category data (such as health or vulnerability information) or financial crime data, additional safeguards and controls apply.

6. Transferring your personal information to another country

We are based within the UK, but we work with partners in the UK, in the European Economic Area (EEA), and in countries outside the EEA as well.

If we transfer your data to anyone outside the EEA, such as the Philippines, where some of our team members are located, we’ll take extra steps to protect it.

We’ll make sure the country has adequate levels of personal data protection, as determined by the European Commission.

Or, we’ll put robust contracts in place with whoever we’re transferring data to. These contracts offer the same level of protection as the UK and the EEA. For example, we rely on a contract called the Standard Contractual Clause transfer mechanism to transfer data to the US.

Some Monzo group companies or their service providers may also be located outside the UK or EEA. Where this is the case, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

Get in touch if you’d like to know more about how we protect your data across borders.

7. Storing your personal information & how long we keep it for

How we keep your data safe

Only a limited and authorised number of people can ever access your information, on a business need to know basis only.

We want to make sure your information isn’t accidentally lost, used, accessed, changed or shared in an unauthorised way. We’ve put robust security systems in place to make sure of that.

If we ever think that something’s gone wrong, we have procedures in place to deal with it. If something does go wrong, we’ll tell you – and sometimes the regulator – where we’re legally required to.

How long we keep your data

We’ll only keep your data for as long we need it to do the thing we collected it for. Or where laws and regulations tell us we need to keep it for a specific amount of time.

Usually, information is kept for around 7 years. However, where you use our conveyancing services, we may be required to retain your personal information for longer periods to comply with legal, regulatory, and professional obligations. In some cases, this may be up to 15 years or longer, depending on the type of information and the nature of the service provided

The period may vary depending on the type of service or product you have requested from us and will be dependent upon any legal or contractual obligations we have. In certain circumstances, we may also have a statutory obligation to keep your personal information for a set period, for example, financial information for financial auditing purposes.

Sometimes we anonymise your personal data (so it can’t identify you anymore) for research or statistics. We keep that data for as long as we need it.

You can talk to us about how long we keep your data, or ask us to delete your data, by talking to us on live chat or emailing [email protected]. But sometimes, laws or regulations tell us we have to wait a certain amount of time before we’re allowed to delete your data. If we have to wait, or if we can’t delete your data, we’ll let you know the reasons why.

8. Your rights

You have rights under the UK GDPR when it comes to your personal information. You have the right to:

Be informed about how we collect and use your data. That’s one of the big reasons we have a clear and simple privacy policy.
Have access to your data. You have the right to ask us for copies of your personal information. Exemptions within the legislation may mean that you do not receive all of the information we process. If this is the case, an explanation will be provided.
Delete your data. To ask us to delete your personal information, just get in touch. Sometimes we might have to keep your data, if laws or regulations tell us to. If we can’t delete your data, we’ll give you these reasons why when we respond to your request.
Have personal information rectified. You can ask us to correct your personal information if it’s not accurate, or add more data to complete it. We’ll let you know when we’ve done that.
Limit the way we process your data. You can ask us to do this, for example, if you want us to correct the data we hold about you, or you object to how we’ve processed it. There may be situations where we can’t, or where we refuse to – we’ll let you know if that’s the case.
Object to us processing your data. You can ask us to stop processing your data. In some circumstances we’ll always do this – for example, if the reason we’re using your personal information is for direct marketing. But there might be situations where we’re not able to, or where we refuse to. We’ll let you know if that’s the case.
Get a copy of your data in a way that lets you move it from us to somewhere else.
Challenge any decision made by automated decision-making, and ask for a human to review it.

If you’d like to make a request, or exercise any of your rights, email us at [email protected]. Upon receipt of your request, we’ll carry out a review and respond to confirm our decision within the relevant timeframe.

9. Contact us

If you want to talk to us about your data or make a complaint, we’re here to help. Email us at [email protected] or write to Habito, WeWork, Moor Place, 1 Fore Street Avenue, London, EC2Y 9DT.

You have the right to contact the Information Commissioner’s Office (ICO) which is an independent organisation that protects people’s data and privacy rights. If you have a complaint, we’d love the chance to help you first, but you can also complain to the ICO at anytime.

‍

This Privacy Policy was last updated on 01/05/2026