We will not collect any personally identifiable information about you unless it is in response to you using our website or actively applying for one of our online products or services. We value your privacy and the security of your personally identifiable information is extremely important to us. The lawful basis by which we are collecting information from you is “the performance of a contract”.
For the purpose of the General Data Protection Regulation (GDPR) 2018, the registered data controller is Hey Habito Ltd, whose registered office is at Throgmorton UK Ltd, 4th Floor Reading Bridge House, George Street, Reading, Berkshire RG1 8LS. Our trading address is The Loom, 14 Gower’s Walk, London, E1 8PY.
Our Information Commissioner’s Office (ICO) registration number is ZA153186.
What information we collect
When you create an account and complete the ‘fact find’ form on our website, we collect the following information from you:
- Name, address and contact details;
- Employment details;
- Financial information such as banking details, salary, savings, and financial commitments; and
- Any other personally identifiable information necessary for the completion of a mortgage application.
In addition to the above, we collect information from you through your communications with us – for example:
- Identification and address verification;
- Payslips and contracts of employment;
- Self assessment tax returns and tax year overviews;
- Bank statements;
- Your credit report.
We may also collect personal information from you over the telephone for mortgage or life insurance purposes. We may record telephone calls for training and monitoring purposes.
How we will use your information
The information we collect about you will be mainly used for the purpose of applying for a mortgage or any other product or service we offer. There are also other ways in which we will use your information – these are detailed below.
We will use your information to:
- Operate and manage any Habito account you hold with us and any mortgage application(s) you consent to us making on your behalf;
- Manage any life insurance application(s) you are making;
- Carry out market research, profiling and business and statistical analysis including the formation of a view on you as an individual in order to service you and others better;
- Test our systems and develop our products (or any other similar purpose);
- Comply with any regulatory obligation we are obliged to; and
- If you have consented, we will contact you by any medium you have agreed to or provided us with details of, in relation to our goods and services.
We will hold your personal data on our systems as follows:
- All data pertaining to a completed mortgage application will be kept on our systems for 6 years after completion in line with our regulatory requirements;
- If you have not completed on a mortgage application yet we will keep your data on file as long as you have a Habito account. It is your responsibility to ensure the information we hold is up to date;
- All data (including special categories of date) relating to any Habito Life Insurance products you take out; and
- We may also use your data for internal statistical analysis purposes, although we will anonymise this data.
We may share your information with the following entities:
- Any Habito group company;
- Any regulatory/governmental body, ombudsmen or law enforcement agency who has jurisdiction;
- Any electronic identification firm we use for identification and address verification purposes only;
- A mortgage lender; to allow us to make a mortgage application on your behalf;
- Any third parties that participate in the entire mortgage journey (e.g. solicitors, valuers, conveyancers and mortgage clubs);
- Suppliers who process your data on our behalf; we will have written contracts in place with such entities which require them to process your data only in accordance with our instructions; and
- Any person or legal entity to whom we sell or transfer (or initiate discussions with to sell or transfer) our business or any part of it or any of our rights or obligations under any agreement we may have with you. If the transfer goes ahead, you agree that the purchaser can use your data in the same way as us.
- Life Insurers with whom we complete Life Insurance applications on your behalf. Our Life Insurance Policies are underwritten by American Insurance Group (AIG). In order for these insurance benefits to be administered it is required that your personal data is stored by AIG. AIG also require policy details to administer any claims. For more information, see the full AIG privacy notice.
We will ensure your data remains within the EEA and as a result is captured under the General Data Protection Regulation. If for any reason we use third parties that are domiciled outside of the EEA any such data storage will undergo further enhanced controls and checks, dependent on the country of storage. We will inform you of any such instance where this may occur.
Your rights under the General Data Protection Regulation (GDPR) 2018
Under the General Data Protection Regulation 2018, you have various rights in relation to your information. Detailed below are your rights and a description of each one.
You have the right to:
- Be informed – this means you have the right to be informed about the collection and use of your personally identifiable data – this is detailed above in more detail.
- Have access to your information – you have the right to access your personally identifiable data and supplementary information. This will be provided free of charge. However, when a request is manifestly unfounded, excessive or repetitive we reserve the right to charge a fee. We may also charge a reasonable fee to comply with requests for further copies of the same information. You can request access to your information by emailing us at firstname.lastname@example.org.
- Have personally identifiable information rectified – you have a right to have inaccurate personal data rectified, or completed if it is incomplete. We will inform you when any inaccurate information is corrected.
- Erase your personally identifiable information – the right to erasure is also known as ‘the right to be forgotten’. You can make a request for erasure of information verbally or in writing. We will respond to your request within one month. The right is not absolute and only applies in certain circumstances. For example it does not apply when we have statutory or regulatory obligations to keep your data.
- Restrict processing of personally identifiable data – you have the right to request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, we are permitted to store the data, but not use it.
- Port your personally identifiable data – this right allows you to obtain and reuse your personally identifiable data for your own purposes across different services. It allows you to move, copy or transfer personally identifiable data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- Object to the processing of your data – you have a right to object to the processing of your data for purposes of scientific or historical research and statistics, as well as for the purposes of direct marketing (including profiling).
- Challenge any decision made by automated decision making – we will inform you when we are performing automated decisioning and when we do we will give you information about the processing activity. We will introduce simple ways for you to request human intervention or challenge a decision made by automated decision making.
If you have changed your mind about receiving marketing from us, you can opt out at any time by clicking the unsubscribe button or the link at the bottom of any of our marketing emails. Alternatively you can email us at email@example.com.
We pride ourselves on treating your data with the utmost care and security. Our systems meet or exceed industry standards and we are constantly monitoring these to provide improvements where available.
We will never store passwords in plain text, nor will we allow anyone to access your data unless they have a justifiable reason to do so. All of our employees are background checked before they are granted access to your data.
Credit decisions, the prevention of fraud and money laundering
Your lender may use credit reference and fraud prevention agencies to help them make decisions. A short guide to what the lender does and how the lender, credit reference and fraud prevention agencies will use your information is detailed below. If you would like to read the full details of how your data may be used, please contact your lender.
A condensed guide to the use of your personally identifiable information by the lender and at credit reference and fraud prevention agencies
If you apply for a mortgage product through Habito, we will provide the information we hold about you to your lender. The lender will use this information to help make its decision about whether or not to lend to you. This will involve checking the following records about you and others:
- Its own records;
- Those at credit reference agencies (CRAs); and
- Those at fraud prevention agencies (FPAs).
When CRAs receive a search request from the lender they will place a search footprint on your credit file that may be seen by other lenders. They supply to lenders both public (including the electoral register) and shared credit and fraud prevention information. Having multiple search footprints on your credit file may affect your ability to borrow in the future.
The lender will make checks such as assessing your application for credit and verifying the applicants’ identities to prevent and detect crime and money laundering. The lender may also make periodic searches at CRAs and FPAs to manage your account with them.
If you are making a joint application or tell us or the lender that you have a spouse or financial associate, the lender will link your records together, so you must be sure that you have your partner’s agreement to disclose their information. CRAs also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
Information on applications will be sent to CRAs and will be recorded by them. Where you borrow from the lender, the lender will give details of your accounts and how you manage it/them to CRAs. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs and FPAs to perform similar checks and to trace your whereabouts and recover debts that you owe.
Records remain on file for 6 years after they are closed, whether settled by you or defaulted.
If you give false or inaccurate information and the lender suspects or identifies fraud, the lender will record this and may also pass this information to FPAs and other organisations involved in crime and fraud prevention.
If you have borrowed from the lender and do not make payments that you owe them, the lender will trace your whereabouts and recover debts.
The lender and other organisations may access and use the information recorded by fraud prevention agencies based in other countries.
Automated credit decisions
Your mortgage application may be assessed by the lender by the means of automated decision making and if it is declined we will endeavour to request from the lender the actual reason why the application has been declined. Once we know this reason we will contact you as soon as we are able to convey this to you.
If you have a complaint about how we handle your data please write to our VP Compliance & Operational Risk, John Carr:
- By email at firstname.lastname@example.org;
- By letter, addressed to: Hey Habito Ltd, The Loom, 14 Gowers Walk, London, E1 8PY; or
- By telephone on 0330 223 0196.
Please include your name and address, a contact telephone number, the email address you signed up with, your application number (if applicable), and details of why you are unhappy. If we do not have enough information to investigate your complaint we will contact you to ask for further information.
We will investigate your complaint promptly and will respond to you as soon as we can detailing our findings of your complaint.
If we have been unable to resolve your information rights concern, you can raise the matter with Information Commissioner’s Office (“ICO”). They will use the information you have provided, including our response to your concerns, to decide if your concern provides an opportunity to improve information rights practice.
You can contact the ICO by either:
- Calling their helpline on 0303 123 1113, or;
- Using their live chat system.
How to find out more
If you wish, you can contact the CRAs directly. The information they each hold about you may not be the same so it is worth contacting them all. You should check with them if a fee is payable for this information.
- CallCredit, Consumer Services Team, PO Box 491, Leeds, LS3 1WZ or call 0870 0601414.
- Equifax PLC, Credit File Advice Centre, PO Box 3001, Bradford, BD1 5US or call 0870 010 0583 or log on to www.myequifax.co.uk.
- Experian, Consumer Help Service, PO Box 8000, Nottingham NG80 7WF or call 0844 4818000 or log on to www.experian.co.uk.