Habito

Privacy policy

This privacy policy explains how we collect, use, and protect your personal data. That includes data you give us when you visit our website, sign up for a Habito account, or buy one of our products or services. This also includes data we collect from you or from other sources when we provide our services. We’ll also explain your privacy rights, and how the law protects you.

When we use the words ‘we’, ‘us’, ‘our’, or ‘Habito’ in this policy, we’re talking about Hey Habito Ltd. And when we say ‘you’ or ‘your’ we’re talking about our customers.

You can download a PDF of the whole policy here.


  1. Who we are & contact details
  2. What data we collect
  3. How we collect your data
  4. How we use your data
  5. Who we share your data with
  6. Transferring your data to another country
  7. Storing your data & how long we keep it for
  8. Your legal rights

1. Who we are & contact details

Habito is the data controller. That means we’re responsible for your personal data under this privacy policy.

If you want to talk to us about your data, we’re here to help. Email us at data@habito.com or write to The Data Working Group, Habito, The Loom, 14 Gower’s Walk, London, E1 8PY.

If you have a complaint about anything to do with your data, use those same contact details to get in touch. We’ll investigate and get back to you as soon as we can.

We’re registered with the Information Commissioner’s Office (ICO) with registration number ZA153186. The ICO is an independent organisation that protects people’s data and privacy rights. If you have a complaint, we’d love the chance to help you first, but you can also complain to the ICO at any time.

We last updated this privacy policy on 10 March 2021. We might make changes to this privacy policy at any time. We’ll let you know if we do, usually by email. We'll highlight the changes we make so that you can clearly see them. If you’d like a copy of a previous version, email us at data@habito.com.

www.habito.com might link to other places, like other websites or applications. We can’t control those other places and we’re not responsible for their privacy policies. So be aware they may collect and process data about you in a different way than we do. Read their privacy policies if you’d like more information about how they do that.

2. What data we collect

We collect, use, store and transfer personal data. Personal data is any information that can identify you. It doesn’t include information where you can’t be identified (anonymous data).

We might collect, use, store and transfer different types of your personal data for the reasons you can see here. ‘Transfer’ means sending your information somewhere else.

Types of personal data we collect, with examples of what each type includes

  • Identity data: first name, maiden name, last name, marital status, title, data of birth, gender, citizenship and employment history.
  • Contact details: address history, email address and telephone number.
  • Financial data: bank account details, card payment details, salary and other income information, savings, credit history, financial commitments and other expenses.
  • Special category data: physical and mental health conditions, racial or ethnic origin, and biometric data.
  • Criminal offence data: information about criminal offences and convictions.
  • Transaction data: details about payments from you and other details related to the products and services you’ve bought from us.
  • Technical data: IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform.
  • Profile data: your username and password, feedback and survey responses.
  • Usage data: information about how you use our website, products and services.
  • Marketing and communications data: your choices about marketing from us and our business partners, and how you prefer us to contact you.
  • Other data: any other information that could be used to identify you, that we need to help you get a mortgage or buy a home.

If you’re making a joint application, we’ll also collect some of this information about the person you’re applying with, like your spouse. Make sure you have their agreement before you give us their data.

If you’re applying for a company buy-to-let mortgage, we’ll collect some of this information about the people you have a financial link with. For example, the directors or certain employees of your company. Make sure you have their agreement before you give us their data.

Special category data and vulnerable customers

The Financial Conduct Authority asks firms like Habito to give special levels of care to customers they think might be vulnerable. If we think you’re vulnerable, we might record that information to help us give you the right service. That information could be special category data. That’s data that’s likely to be more sensitive – things like physical and mental health conditions.

When companies process special category data, they have to have “legal basis” to use it, which means a legal reason from the UK GDPR. The legal basis we rely on is "legal obligation” (we have to process your data because the law or regulations require us to).

Alongside that, companies also have to meet one of the legal conditions in Article 9 of the UK GDPR. The conditions we rely on are “substantial public interest," “regulatory requirements” and “support for individuals with a particular disability or medical condition.” In plain English, that means we use this data to make sure we support you in the right way. For example, you might tell us that you’re deaf, and that you prefer us not to call you on the phone. We’ll use this information to support you using online chat.

Here are all the legal reasons we rely on to use your data.

If you’re a returning Habito customer

We might use the data you gave us last time to help you the next time. That way, you don’t have to type in all your info again. If we do this, we'll always check that your information is accurate and up to date.

Aggregated data

We also collect and process aggregated data. That’s information about our customers that we combine together so that it doesn’t identify people specifically any more. We use this for all sorts of business reasons – like market analysis and research, demographic profiling, marketing and advertising, and to comply with regulation.

Aggregated data isn’t considered personal data because it won’t reveal your identity. But if we combine or connect aggregated data with your personal data so that it can identify you, we’ll treat that combined data as personal data.

3. How we collect your data

Here’s how we might collect personal data on our website, over live chat, on the phone, or from other companies and places.

You give us data

You might give us data (for example about your identity) when you do any of these things: - create a Habito account on our website - contact us by email, phone or on live chat - apply for a mortgage through us - use or apply for any of our products or services, including a Habito mortgage - subscribe to our newsletter or tell us you’re OK with getting marketing from us - enter one of our competitions or promotions - give us feedback or take part in a survey

We automatically collect data

Our website automatically collects technical data – things like the equipment you’re using, as well as a record of what pages you’re visiting. We use cookies for this, and we have a delicious cookie notice where you can find lots more detail.

We get data from another source

Sometimes we get personal data from somewhere outside Habito, like:

  • Analytics providers (both inside and outside the UK), which are services that help us understand how people use the website, like Google Analytics, Amplitude and Optimizely. We collect this whenever you use our website.
  • Facebook and Google, and any social media or email account you use to log into Habito. We do this every time you log in.
  • Other brokers. If you get a Habito mortgage from another broker, they might share your details with us as part of your mortgage application.
  • Credit reference agencies, like Experian, which are the companies who hold your credit history and credit report. We collect this when you apply for a Habito mortgage.
  • Public sources like Companies House and the Electoral Register. We check these as part of your mortgage application, to verify what you’ve told us.
  • Onfido, which is an ID and anti-money laundering check service and SIRA, which is a fraud prevention service. This data helps us confirm your identity as part of your mortgage application.

4. How we use your data

We use your data for one or more the reasons we’ve listed below. We will only use your personal data when the law allows us to. No surprises there.

Companies can’t use your data without having a legal reason for using it. This reason is called a “legal basis”. Here are the legal bases we rely on, and what they mean:

  • Consent: you’ve told us it’s OK to use your data for a specific reason.
  • Contract: you’ve agreed to a contract with us, and we need to use your data to carry out that contract. For example, we’ll use your data to provide our Plus service or help you apply for a Habito mortgage. We might also use your data if you’ve asked us to do something before we can carry out a service (like providing you with a Plus quote).
  • Legal obligation: we have to process your data because the law or regulations require us to. For example, we need to get proof of your identity to meet our anti-money laundering responsibilities.
  • Legitimate interest: we or one of our partners might use your data because we or they might have a legitimate interest to do that. Sometimes that interest is to do with benefitting Habito or our partners, and sometimes it’s to benefit wider society. One example of legitimate interest for processing your data might be to try to detect and prevent fraud. Another might be to improve our products and services. Or, we might process your data to recover any money you owe us.

Here’s a deep dive into what we use your data for, and the legal bases we use. Strap yourself in, it’s going to be a detailed read.

The purpose we use your data for (a refresher on each type of data)The legal basis for each purpose
Say hello
We use your identity and contact data to register you as a new customer and manage your Habito account.
- Contract
Help you get ready for a mortgage
We use your identity, contact, financial, transaction, marketing and communications data to give you guidance on things like your deposit and how lenders might see you.
- Contract
Sort your mortgage
We use your identity, contact, financial, transaction, marketing and communications, special category, and criminal offence data to help you with your mortgage. Things like finding the right mortgage for you and managing the mortgage applications we make on your behalf.
We’ll also use this information to monitor your mortgage and let you know when you could get a better deal.
- Contract
- Legal obligation (for special category data, we also rely on “substantial public interest”, “regulatory requirements,” and “support for individuals with a particular disability or medical condition”)
- Legitimate interest (in this case, to recover any money you owe us and to develop and grow our business)
Check your credit
If you apply for a Habito mortgage, we use your identity, financial and contact data to check your credit history and score.
- Contract
- Legal obligation
Tell you stuff
We use your identity, contact, profile, transaction and marketing and communications data to manage our relationship with you.
This includes things like asking you to leave a review or take a survey. It also includes telling you when your mortgage deal is about to end, and for legal and regulatory reasons.
- Contract
- Legal obligation
- Legitimate interest (keep our records updated, see how customers use Habito and review our standards of service, to contact you again as your mortgage deal ends)
Service your mortgage
If you have a Habito mortgage, we use your identity, contact, profile, and transaction data to service your mortgage.
That means things like telling you about the state of your mortgage, and collecting your repayments.
- Contract
- Legal obligation
Work with others
We use your identity, contact and financial data to talk to other companies or anyone else that helps you with the whole mortgage and home-buying journey.
That could include solicitors, conveyancers, surveyors, valuers, other lenders, and other brokers.
- Contract
- Legal obligation
Support your complaints
We use your identity, contact and marketing and communications data to manage complaints, take action to put things right, and answer your questions.
We can also use financial, transaction, special category data and criminal offence data when it relates to the complaint you’ve made.
- Legal obligation
- Legitimate interest (investigate complaints, improve our standards and try to prevent future complaints)
Give you prizes
We collect your identity, contact, and profile data when you take part in prize draws and competitions. We do this so we can contact you, and maybe even send you even a prize.
- Consent
- Contract
Ask your opinion
We collect your identity, contact, profile, technical and usage data when you complete a survey or take part in user testing.
- Contract
- Legitimate interest (to understand how customers use Habito and develop our services and business)
Follow up on your reviews
We might use your identity and contact data to get in touch to talk about a review you’ve left us, say on Trustpilot. For example, we might send you a message to say thank you, or to ask what we could have done better and how we can improve.
- Legitimate interest (to improve our standards of service and customer experience)
Keep the site running
We use your identity, contact and technical data to manage and protect our business and our website. That includes things like troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data.
- Legitimate interest (to run our business, including our admin and IT services, keep it secure, and prevent fraud)
Make everything better
We use your technical and usage data to analyse and test our systems, and improve our website, products and services, marketing, customer relationships and experiences. Quite a lot of things.
- Legitimate interest (keep our website updated, and develop our business and marketing strategy)
Send you marketing & recommend stuff
We use your identity, contact, profile, usage, technical and marketing and communications data to suggest services you might like.
We’ll use your data to decide what you might find useful or like us to send you. You can unsubscribe from marketing by hitting ‘Unsubscribe’ in the bottom of any marketing email, or by emailing unsubscribe@habito.com.
We’ll never share your details with other companies for marketing reasons without your consent.
- Legitimate interest (grow Habito and develop what we offer – for example, we might use your data to send you personalised marketing campaigns)
- Consent
Record our communications
We use your identity, contact, profile, usage, transaction, marketing and communications data to monitor or record any communications between you and us. That includes live chat and phone calls.
We do this to check your instructions to us, analyse and improve our services, and to help us train staff. We also do it for quality assurance purposes (which means to help us prevent mistakes or problems from happening).
- Contract
- Legal obligation
- Legitimate interest (develop and improve our systems, train our people, and give our customers a high standard of service)
Stop fraud in its tracks
We use your identity, contact, profile, usage, financial, transaction, marketing and communications data to prevent fraud. We carry out checks on your identity and documents, and look at your financial transactions to detect fraud and money laundering.
- Contract
- Legal obligation
- Legitimate interest (fraud and ID checks protect our and others’ businesses as well as you)

If you’d ever like more details about the legal bases we use to process your data, just ask. We love talking data and are always happy to help.

Automated decision-making

Automated decision-making is when companies use computers to make decisions without humans being involved. For example, a bank might use it to approve an online loan.

We currently don’t do this at Habito – that’s why it’s not in the glorious table above. But we wanted to make you aware of it, because some of the companies involved in your mortgage or home-buying process might. It will be in their privacy policies if they do.

You can ask any lender who uses automated decision-making to give you the actual reason behind their decision (or we can ask your lender for you). If you’re getting a mortgage from Habito as your lender, a human will always be involved in deciding whether to give you a loan.

Here’s more information on automated decision-making and your rights.

5. Who we share your data with

We might share your information with other companies. But we make sure they treat it as well as we do, and (of course) in line with the law. These other companies can’t just use your information for any reason – it has to be for a specific purpose and in the way we tell them to.

Here’s a list of the people and companies we might share your data with:

  • Habito group companies. These are companies that are controlled by Habito. We might share your data with other Habito group companies if they provide services to us. We might also do this for marketing where you’ve agreed.
  • Mortgage lenders. We share your data with a lender to make a mortgage application on your behalf. Mortgage lenders are also data controllers, and will look after your data according to their own privacy policy. It’s worth reading your lender’s privacy policy to see how they use your data.
  • Other brokers. If you apply for a Habito mortgage through another broker, we might share your information with that broker to update them about your application. For example, if we decide we can’t lend to you, we’ll tell your broker.
  • Solicitors, conveyancers, surveyors, valuers, panel managers (companies that lenders use to outsource legal work for them) and mortgage clubs (companies that connect brokers and lenders together). Basically, any other third parties we might work with to help you get a mortgage and buy your home.
  • Onfido, to confirm your identity. We have a written contract with Onfido that makes sure they process your data as safely as possible.
  • Other service providers that support Habito – for example, IT providers and legal and accounting firms. We have written contracts in place with everyone we partner with to make sure they process your data as safely as possible.
  • Anyone who funds, buys all or part of Habito, anyone Habito buys or merges with, or anyone we have discussions with about these. We’ll do what we reasonably can to make sure they only use your personal data as set out in this privacy policy.
  • Fraud prevention agencies. We’ll use these to check your identity when you apply for a mortgage, and on an ongoing basis, for example if you remortgage with us. If you give us inaccurate, false or fraudulent information, we’ll tell a fraud prevention agency (you can ask us to tell you which ones). Those agencies then share that data with other organisations, like law enforcement, to prevent and detect fraud or other crimes. They can hold your personal data for up to 6 years.
  • Credit reference agencies (CRAs), the companies that hold your credit history and credit report. Lenders will get data about you from these agencies to help them decide whether to give you a mortgage. This is known as a credit check. If you apply for a mortgage with Habito as your lender, we’ll carry out a credit check on you. If you apply for a mortgage with another lender, they’ll carry out a credit check on you. Checks show up on your file for others to see, and having lots might affect your ability to borrow in the future. We and other lenders will also share information with the CRAs about the financial details of your mortgage, and how you handle your mortgage. That includes whether you’re making your repayments in full and on time, and if you apply to borrow more money or take out another mortgage. The CRAs may share that with other lenders and organisations to help them perform credit checks, trace you and recover any money you owe. The main three CRAs are Transunion, Equifax and Experian – hit their names to read about how they use your data. If you want to check the data they hold about you, you can get in touch with them any time.
  • Regulators, governmental or dispute resolution bodies, law enforcement agencies or other authorities like those. We share data when we have to, and when it’s in connection to their duties – for example, preventing crime.

6. Transferring your data to another country

We work with partners in the UK, in the European Economic Area (EEA), and in countries outside the EEA as well.

If we transfer your data to anyone outside the EEA, we’ll take extra steps to protect it.

We’ll make sure the country has adequate levels of personal data protection, as determined by the European Commission.

Or, we’ll put robust contracts in place with whoever we’re transferring data to. These contracts offer the same level of protection as the UK and the EEA. For example, we rely on a contract called the Standard Contractual Clause transfer mechanism to transfer data to the US.

Get in touch if you’d like to know more about how we protect your data across borders.

7. Storing your data & how long we keep it for

How we keep your data safe

Only a limited and authorised number of people can ever access your information, on a business need to know basis only.

We want to make sure your information isn’t accidentally lost, used, accessed, changed or shared in an unauthorised way. We’ve put robust security systems in place to make sure of that.

If we ever think that something’s gone wrong, we have procedures in place to deal with it. If something does go wrong, we’ll tell you – and sometimes the regulator – where we’re legally required to.

How long we keep your data

We’ll only keep your data for as long we need it to do the thing we collected it for. Or where laws and regulations tell us we need to keep it for a specific amount of time.

Here’s a more detailed breakdown:

  • If you submit a mortgage application through us and your application is unsuccessful, we’ll keep your data for 6 years.
  • If you get a mortgage through us, we’ll keep your data for the term of the mortgage and for 6 years after that. Same thing applies if you get a Habito mortgage from us or another broker. That’s because we want to help you avoid mortgage hell forever. This helps us talk to you about your mortgage in the future, and get you on the best deal when it’s time to remortgage. It also helps us make sure we gave the right advice.
  • If you open an account with us, and don’t do either of the two things above, we’ll keep your data for 6 years. This is so that we can help you get ready for your mortgage, and actually apply for it when you’re ready.
  • We used to sell life insurance. If you bought insurance from us, we’ll keep your data for 6 years.

Sometimes we anonymise your personal data (so it can’t identify you anymore) for research or statistics. We keep that data for as long as we need it.

You can talk to us about how long we keep your data, or ask us to delete your data, by talking to us on live chat or emailing data@habito.com. But sometimes, laws or regulations tell us we have to wait a certain amount of time before we’re allowed to delete your data. If we have to wait, or if we can’t delete your data, we’ll let you know the reasons why.

You have rights under the UK GDPR when it comes to your personal data. You have the right to:

  • Be informed about how we collect and use your data. That’s one of the big reasons we have a clear and simple privacy policy.
  • Have access to your data. You have the right to ask us for copies of your personal data. To do that just email us at data@habito.com and we’ll provide those to you for free. We might not always be able to give you all the information you’ve asked for – for example, if it includes someone else’s personal data.
  • Withdraw your consent. If you’ve given us consent to use your data for a specific reason, you can withdraw this at any time.
  • Delete your data. To ask us to delete your information, just get in touch. We’ll respond to your request within one month. Sometimes we might have to keep your data, if laws or regulations tell us to. If we can’t delete your data, we’ll give you these reasons why when we respond to your request.
  • Have personally identifiable information changed. You can ask us to correct your data if it’s not accurate, or add more data to complete it. We’ll let you know when we’ve done that.
  • Limit the way we process your data. You can ask us to do this, for example, if you want us to correct the data we hold about you, or you object to how we’ve processed it. There may be situations where we can’t, or where we refuse to – we’ll let you know if that’s the case.
  • Object to us processing your data. You can ask us to stop processing your data. In some circumstances we’ll always do this – for example, if the reason we’re using your data is for direct marketing. But there might be situations where we’re not able to, or where we refuse to. We’ll let you know if that’s the case.
  • Change your mind about direct marketing. If you’ve ever chosen to get direct marketing from us, you can opt out at any time. Just click the unsubscribe link in any message you get, or let us know at data@habito.com. Just give us a few days to update our records, and then you’ll be opted out.
  • Get a copy of your data in a way that lets you move it from us to somewhere else.
  • Challenge any decision made by automated decision-making, and ask for a human to review it.