When we use the words ‘we’, ‘us’, ‘our’, or ‘Habito’ in this policy, we’re talking about Hey Habito Ltd. And when we say ‘you’ or ‘your’ we’re talking about our customers.
If you want to talk to us about your data, we’re here to help. Email us at email@example.com or write to The Data Working Group, Habito, The Loom, 14 Gower’s Walk, London, E1 8PY.
If you have a complaint about anything to do with your data, use those same contact details to get in touch. We’ll investigate and get back to you as soon as we can.
We’re registered with the Information Commissioner’s Office (ICO) with registration number ZA153186. The ICO is an independent organisation that protects people’s data and privacy rights. If you have a complaint, we’d love the chance to help you first, but you can also complain to the ICO at any time.
www.habito.com might link to other places, like other websites or applications. We can’t control those other places and we’re not responsible for their privacy policies. So be aware they may collect and process data about you in a different way than we do. Read their privacy policies if you’d like more information about how they do that.
We collect, use, store and transfer personal data. Personal data is any information that can identify you. It doesn’t include information where you can’t be identified (anonymous data).
We might collect, use, store and transfer different types of your personal data for the reasons you can see here. ‘Transfer’ means sending your information somewhere else.
Types of personal data we collect, with examples of what each type includes
If you’re making a joint application, we’ll also collect some of this information about the person you’re applying with, like your spouse. Make sure you have their agreement before you give us their data.
If you’re applying for a company buy-to-let mortgage, we’ll collect some of this information about the people you have a financial link with. For example, the directors or certain employees of your company. Make sure you have their agreement before you give us their data.
The Financial Conduct Authority asks firms like Habito to give special levels of care to customers they think might be vulnerable. If we think you’re vulnerable, we might record that information to help us give you the right service. That information could be special category data. That’s data that’s likely to be more sensitive – things like physical and mental health conditions.
When companies process special category data, they have to have “legal basis” to use it, which means a legal reason from the UK GDPR. The legal basis we rely on is "legal obligation” (we have to process your data because the law or regulations require us to).
Alongside that, companies also have to meet one of the legal conditions in Article 9 of the UK GDPR. The conditions we rely on are “substantial public interest," “regulatory requirements” and “support for individuals with a particular disability or medical condition.” In plain English, that means we use this data to make sure we support you in the right way. For example, you might tell us that you’re deaf, and that you prefer us not to call you on the phone. We’ll use this information to support you using online chat.
We might use the data you gave us last time to help you the next time. That way, you don’t have to type in all your info again. If we do this, we'll always check that your information is accurate and up to date.
We also collect and process aggregated data. That’s information about our customers that we combine together so that it doesn’t identify people specifically any more. We use this for all sorts of business reasons – like market analysis and research, demographic profiling, marketing and advertising, and to comply with regulation.
Aggregated data isn’t considered personal data because it won’t reveal your identity. But if we combine or connect aggregated data with your personal data so that it can identify you, we’ll treat that combined data as personal data.
Here’s how we might collect personal data on our website, over live chat, on the phone, or from other companies and places.
You might give us data (for example about your identity) when you do any of these things: - create a Habito account on our website - contact us by email, phone or on live chat - apply for a mortgage through us - use or apply for any of our products or services, including a Habito mortgage - subscribe to our newsletter or tell us you’re OK with getting marketing from us - enter one of our competitions or promotions - give us feedback or take part in a survey
Sometimes we get personal data from somewhere outside Habito, like:
We use your data for one or more the reasons we’ve listed below. We will only use your personal data when the law allows us to. No surprises there.
Companies can’t use your data without having a legal reason for using it. This reason is called a “legal basis”. Here are the legal bases we rely on, and what they mean:
Here’s a deep dive into what we use your data for, and the legal bases we use. Strap yourself in, it’s going to be a detailed read.
|The purpose we use your data for (a refresher on each type of data)||The legal basis for each purpose|
We use your identity and contact data to register you as a new customer and manage your Habito account.
|Help you get ready for a mortgage|
We use your identity, contact, financial, transaction, marketing and communications data to give you guidance on things like your deposit and how lenders might see you.
|Sort your mortgage|
We use your identity, contact, financial, transaction, marketing and communications, special category, and criminal offence data to help you with your mortgage. Things like finding the right mortgage for you and managing the mortgage applications we make on your behalf.
We’ll also use this information to monitor your mortgage and let you know when you could get a better deal.
- Legal obligation (for special category data, we also rely on “substantial public interest”, “regulatory requirements,” and “support for individuals with a particular disability or medical condition”)
- Legitimate interest (in this case, to recover any money you owe us and to develop and grow our business)
|Check your credit|
If you apply for a Habito mortgage, we use your identity, financial and contact data to check your credit history and score.
- Legal obligation
|Tell you stuff|
We use your identity, contact, profile, transaction and marketing and communications data to manage our relationship with you.
This includes things like asking you to leave a review or take a survey. It also includes telling you when your mortgage deal is about to end, and for legal and regulatory reasons.
- Legal obligation
- Legitimate interest (keep our records updated, see how customers use Habito and review our standards of service, to contact you again as your mortgage deal ends)
|Service your mortgage|
If you have a Habito mortgage, we use your identity, contact, profile, and transaction data to service your mortgage.
That means things like telling you about the state of your mortgage, and collecting your repayments.
- Legal obligation
|Work with others|
We use your identity, contact and financial data to talk to other companies or anyone else that helps you with the whole mortgage and home-buying journey.
That could include solicitors, conveyancers, surveyors, valuers, other lenders, and other brokers.
- Legal obligation
|Support your complaints|
We use your identity, contact and marketing and communications data to manage complaints, take action to put things right, and answer your questions.
We can also use financial, transaction, special category data and criminal offence data when it relates to the complaint you’ve made.
|- Legal obligation|
- Legitimate interest (investigate complaints, improve our standards and try to prevent future complaints)
|Give you prizes|
We collect your identity, contact, and profile data when you take part in prize draws and competitions. We do this so we can contact you, and maybe even send you even a prize.
|Ask your opinion|
We collect your identity, contact, profile, technical and usage data when you complete a survey or take part in user testing.
- Legitimate interest (to understand how customers use Habito and develop our services and business)
|Follow up on your reviews|
We might use your identity and contact data to get in touch to talk about a review you’ve left us, say on Trustpilot. For example, we might send you a message to say thank you, or to ask what we could have done better and how we can improve.
|- Legitimate interest (to improve our standards of service and customer experience)|
|Keep the site running|
We use your identity, contact and technical data to manage and protect our business and our website. That includes things like troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data.
|- Legitimate interest (to run our business, including our admin and IT services, keep it secure, and prevent fraud)|
|Make everything better|
We use your technical and usage data to analyse and test our systems, and improve our website, products and services, marketing, customer relationships and experiences. Quite a lot of things.
|- Legitimate interest (keep our website updated, and develop our business and marketing strategy)|
|Send you marketing & recommend stuff|
We use your identity, contact, profile, usage, technical and marketing and communications data to suggest services you might like.
We’ll use your data to decide what you might find useful or like us to send you. You can unsubscribe from marketing by hitting ‘Unsubscribe’ in the bottom of any marketing email, or by emailing firstname.lastname@example.org.
We’ll never share your details with other companies for marketing reasons without your consent.
|- Legitimate interest (grow Habito and develop what we offer – for example, we might use your data to send you personalised marketing campaigns) |
|Record our communications|
We use your identity, contact, profile, usage, transaction, marketing and communications data to monitor or record any communications between you and us. That includes live chat and phone calls.
We do this to check your instructions to us, analyse and improve our services, and to help us train staff. We also do it for quality assurance purposes (which means to help us prevent mistakes or problems from happening).
- Legal obligation
- Legitimate interest (develop and improve our systems, train our people, and give our customers a high standard of service)
|Stop fraud in its tracks|
We use your identity, contact, profile, usage, financial, transaction, marketing and communications data to prevent fraud. We carry out checks on your identity and documents, and look at your financial transactions to detect fraud and money laundering.
- Legal obligation
- Legitimate interest (fraud and ID checks protect our and others’ businesses as well as you)
If you’d ever like more details about the legal bases we use to process your data, just ask. We love talking data and are always happy to help.
Automated decision-making is when companies use computers to make decisions without humans being involved. For example, a bank might use it to approve an online loan.
We currently don’t do this at Habito – that’s why it’s not in the glorious table above. But we wanted to make you aware of it, because some of the companies involved in your mortgage or home-buying process might. It will be in their privacy policies if they do.
You can ask any lender who uses automated decision-making to give you the actual reason behind their decision (or we can ask your lender for you). If you’re getting a mortgage from Habito as your lender, a human will always be involved in deciding whether to give you a loan.
Here’s more information on automated decision-making and your rights.
We might share your information with other companies. But we make sure they treat it as well as we do, and (of course) in line with the law. These other companies can’t just use your information for any reason – it has to be for a specific purpose and in the way we tell them to.
Here’s a list of the people and companies we might share your data with:
We work with partners in the UK, in the European Economic Area (EEA), and in countries outside the EEA as well.
If we transfer your data to anyone outside the EEA, we’ll take extra steps to protect it.
We’ll make sure the country has adequate levels of personal data protection, as determined by the European Commission.
Or, we’ll put robust contracts in place with whoever we’re transferring data to. These contracts offer the same level of protection as the UK and the EEA. For example, we rely on a contract called the Standard Contractual Clause transfer mechanism to transfer data to the US.
Get in touch if you’d like to know more about how we protect your data across borders.
Only a limited and authorised number of people can ever access your information, on a business need to know basis only.
We want to make sure your information isn’t accidentally lost, used, accessed, changed or shared in an unauthorised way. We’ve put robust security systems in place to make sure of that.
If we ever think that something’s gone wrong, we have procedures in place to deal with it. If something does go wrong, we’ll tell you – and sometimes the regulator – where we’re legally required to.
We’ll only keep your data for as long we need it to do the thing we collected it for. Or where laws and regulations tell us we need to keep it for a specific amount of time.
Here’s a more detailed breakdown:
Sometimes we anonymise your personal data (so it can’t identify you anymore) for research or statistics. We keep that data for as long as we need it.
You can talk to us about how long we keep your data, or ask us to delete your data, by talking to us on live chat or emailing email@example.com. But sometimes, laws or regulations tell us we have to wait a certain amount of time before we’re allowed to delete your data. If we have to wait, or if we can’t delete your data, we’ll let you know the reasons why.
You have rights under the UK GDPR when it comes to your personal data. You have the right to: