This privacy notice applies if you are an applicant, borrower, agent or intermediary.
The following companies will act as data controller (or joint data controller as the case may be) in respect of any loan applications made to Wellesley Finance PLC:
- Wellesley Security Trustees Limited (08738060); and
- Wellesley Group Investors Limited (08478238).
The "Wellesley Group" companies who may additionally receive personal data include:
- Wellesley Secured Finance PLC (10565816);
- Wellesley & Co Limited (07981279);
- Wellesley Group Limited (9811856); and
- any subsidiaries or Affiliates of Wellesley Group Investors Limited (08478238) within the United Kingdom.
All of the above companies have their registered office address at 6th Floor St Albans House, 57/59 Haymarket, London, SW1Y 4QX, except for Wellesley Secured Finance PLC whose registered office address is at 35 Great St. Helen's, London, EC3A 6AP. It is not owned or controlled by Wellesley but invests in loans that are originated, serviced and monitored by Wellesley Finance PLC.
"Affiliate" means, as to any entity, any other entity (other than a subsidiary) which, directly or indirectly, is in control of, is controlled by, or is under common control with, such entity. For the purposes of this definition, a subsidiary is an entity which is more than 50% owned by another entity, and "control" of an entity means the power to, directly or indirectly, control through exercise of 50% or more of voting rights, or otherwise cause the direction of the management and policies of such entity, whether by contract or otherwise.
If you want to contact us you can email email@example.com or write to the relevant data controller's postal address. Wellesley Group have a designated Data Protection Officer who can be contacted via email at: firstname.lastname@example.org or by post in correspondence marked for his attention.
2. WHAT IS THIS POLICY FOR?
This policy has been prepared to meet the requirements of the EU General Data Protection Regulation, the UK's Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. It explains why we process your personal data, what we do with your personal data, how we look after your personal data and what your rights are over your personal data.
It is important that you read this policy together with any other privacy notice or fair processing notice we may provide at the point of collecting or processing your personal data. This policy supplements those notices and is not intended to override them. Please read it in conjunction with the Terms of Website Use: https://www.wellesleyfinance.co.uk/website-terms-of-use and any other documents referred to in it ("Terms").
Our site, products and our services are not intended for use by children and we do not knowingly process personal data relating to children.
3. WHAT PERSONAL DATA DO WE COLLECT?
When we refer to "personal data" we mean information about an individual from which that person can be identified. This does not include data where the individual's identity has been removed.
We may collect, use, store and transfer the following types of data:
|Contact Data||Full name, postal address, email address and contact telephone numbers.|
|ID Verification data||Details of and/or copies of passport, driver's licence, firearms licence, utility bill, home phone bill, bank statement, credit card statement, including from any directors, partners, members, shareholders, beneficial owners and guarantors. Please note that you must have the authority from any of the aforementioned to disclose their personal data to us and have shared this privacy notice with them before doing so.|
|Credit Assessment Data||This information may include:|
|Transaction data||Information provided to us during the course of and relating to a loan (including, if you are a borrower, agent or intermediary, certain personal, identity, contact and financial information about directors, partners, members, shareholders, beneficial owners and guarantors). The payments you make to us, details of the bank account(s) they were sent from, the loan account balance, interest and workings, the loan agreement and related security agreement and correspondence between us in relation thereto you purchased from us, estimated net worth (if provided).|
|Marketing and Communications data||Your preferences in receiving marketing as well as your preferred form of communication.|
|Technical data||Information about how you use our site (e.g. URL), your internet protocol (IP) address, operating system and platform, browser type and version, time zone setting, location data, information on how long you visit each page, cookie data and other identifying information required for your device to communicate with our site.|
We will not necessarily collect all of the above data about you. For example, if you are merely visiting our site then we will usually just collect Technical data about you and your device. If you decide to sign up for newsletters then we will collect Contact, Marketing and Communications data from you. Where you submit a loan application then we would need to collect the above as well as ID Verification, Credit Assessment and Transaction data.
The above data may not always be considered personal data. For example, much of the Technical data we collect is aggregated data, and it is not usually classified as personal data because it does not reveal your identity to us. If we link aggregated data to your personal information it will be treated as personal data in line with this policy.
We do not process any "special categories" of personal data about you (i.e. information about your race, ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data).
We try to be sure that the personal data we hold about you is accurate, and so please get in touch with us if your personal data changes so we can update our records. You can contact us using the details at the beginning of this policy.
HOW WE COLLECT YOUR DATA
We collect personal data about you from a number of different sources depending on who you are and what personal data it is. For example, we collect personal data:
- From you directly: when you submit an application form to us; purchase products or services from us, our Affiliates or the Wellesley Group; and correspond with us by post, phone, email, through social media, or otherwise.
- From third parties: such as information you have asked us to collect on your behalf (including from credit reference agencies (CRAs)); providers of payment services where you make payments to us.
- From publicly available sources: such as Companies House, the Land Registry, Bankruptcy Register and the Electoral Register.
- From your device: when you access our site.
HOW WE USE YOUR PERSONAL DATA
We will only use your information where we have a lawful basis to do so. We set out below how we plan to use your personal data and the lawful basis that we rely on.
|Purpose||Types of Data Processed||Lawful Basis of Processing|
|To make lending decisions||If you are an applicant or borrower this may include Contact, ID Verification, Credit Assessment and Transaction data.||It is necessary for the performance of a contract (or potential contract) with you. It is necessary for our legitimate interests (for running our business and to comply with the contractual obligations we have to our funding lines, to keep our records updated, to be able to enforce our contractual agreements, including but not limited to the loan agreements and terms and conditions or loan security and to service those loan agreements, to recover debts due to us and to any third party lenders who may fund or co-fund lending commitments originated by us, to be able to carry out internal and external audits on our loans and origination processes to ensure quality and consistency across our portfolio). It is necessary to comply with our legal obligations.|
|To contact you||Contact and Account data.||It is necessary for the performance of a contract (or potential contract) with you. It is necessary for our legitimate interests (for running our business, to keep our records updated, to help prevent or detect crime, to recover debts due to us and to provide you with the services you have requested). It is necessary to comply with our legal obligations.|
|To verify your identity, prevent / detect money laundering and fraud.||Contact, ID Verification, Transaction and Account data.||It is necessary to comply with our legal obligations. It is necessary for our legitimate interests (to help prevent and detect crime, fraud and money laundering, to verify your identity).|
|To register you as a new customer||Contact and ID Verification data.||It is necessary for the performance of a contract (or potential contract) with you. It is necessary for our legitimate interests (to take on new customers, expand our business and monitor our growth).|
|To manage our relationship with you including any account you have with us, dealing with any questions or complaints you may have||Contact, Account, and Transaction data.||It is necessary for the performance of a contract (or potential contract) with you. It is necessary for our legitimate interests (to provide you with the services you have requested, to respond to any questions or complaints, for running our business, and to keep our records updated).|
|To market new products / services that we believe may be of interest to you||Contact, Account, Transaction, Technical, Marketing and Communications data.||It is necessary for our legitimate interests (to develop and grow our business, to study how customers use our site, to inform our marketing strategy). With your consent (where marketing is by SMS, letter or email).|
|To operate our site (e.g. troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||Account, Technical, and Transaction data.||It is necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud). It is necessary to comply with our legal obligations.|
|To improve the products we offer and to carry out internal training||Technical and Transaction data.||It is necessary for our legitimate interests (of improving our business and ensuring our staff are trained to a high standard). It is necessary to comply with our legal obligations.|
|To comply with our legal and regulatory obligations and internal corporate governance rules.||Contact, ID Verification, Transaction, Account, Technical, Marketing and Communications data.||It is necessary for the performance of a contract (or potential contract) with you. It is necessary to comply with our legal obligations.|
We may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data. If you need details about the specific legal ground we are relying on to process your personal data then please contact us. If we need to process your personal data for a different purpose that is not compatible with the original purpose, then we will let you know. Please note that we may also process your personal data for a different purpose than listed above and without your consent where it is necessary for us to comply with our legal obligations.
HOW CAN YOU OPT OUT OF MARKETING?
We only directly market to you by SMS and email where it is legally allowed, for example where you have consented, or where you have purchased (or negotiated to purchase) a product from us and did not choose to opt out. When directly marketing to you we may use a combination of the data we hold about you to form a view on what we think you would be interested in.
We only want to market to those who actually want to hear from us. You can ask us to stop sending you marketing messages at any time by:
- Selecting the opt-out link on any marketing message sent to you; or
- Emailing email@example.com with your request.
If you do opt out of marketing from us, please note that we may still need to contact you for reasons other than direct marketing (for example to carry out anti-money laundering checks or to update you regarding your investment).
WHO IS YOUR DATA SHARED WITH?
We may share your personal data with the following third parties for the purposes set out in the table above:
- Wellesley Group companies;
- Service providers including identity verification providers, anti-money laundering providers, CRAs, data storage and shredding services providers.
- Financial or payment processors where you are trying to arrange a payment to or from us.
- Other banks and financial institutions who you authorise us to deal with.
- Contractors who help us to provide you with services, such as IT, cloud, telecommunications, security, client relationship management and system administration services.
- Marketing, communications, advertising and public relations suppliers.
- Professional advisers, such as auditors, accountants, administrators and solicitors.
- Our Group Companies, Affiliates and ultimate shareholders.
- Your professional advisers (if you have requested us to do so).
- HM Revenue & Customs, National Crime Agency, local authorities, law enforcement agencies, regulators and other authorities (both inside the UK and outside of the UK).
- The Financial Conduct Authority, Bank of England, the Financial Ombudsman Service and the Prudential Regulation Authority and any other competent authority in relation to our regulatory obligations as a financial institution.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your personal data in the same way as set out in this policy.
- Our funding lines.
International transfers of your personal data
We may share your personal data with (or provide access to) third parties that are based outside of the European Economic Area (EEA). Whilst most of our suppliers are based in the EEA, we do use suppliers located outside, including in the United States of America and India.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We may transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- We may use specific contracts approved by the European Commission which give personal data the same protection it has in the EEA.
- Where we use providers based in the USA we may alternatively transfer your data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data as is provided in the EEA.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
HOW DO WE KEEP YOUR DATA SECURE?
As a financial institution, we take the security of your data very seriously. We have implemented a number of reasonable and necessary security measures in order to try and prevent unauthorised access. For example:
- We use entry controls in our offices to control who can access secure areas.
- We limit who can access our computer network, and certain parts of our computer network, to specific personnel.
- We put agreements in place with third parties we work with to regulate the processing, security and confidentiality of data.
- We regularly review, monitor and audit our suppliers.
If we become aware of a data breach we will notify the Information Commissioner's Office in a timely manner. We may also notify you if we believe the breach is serious.
HOW LONG DO WE KEEP YOUR DATA FOR?
We store your personal data for different periods of time depending upon the purposes for which we collected it and we do not store your personal data for longer than is necessary to fulfil these purposes. We retain your personal data throughout our relationship with you, and usually for up to 7 years after your final investment with us has finished or you have closed your account.
Please be aware that as a financial institution, we may need to retain your personal data for longer in order to comply with our legal, regulatory and accounting obligations.
In order to determine how long we store your personal data for, we take into consideration why we need to continue to store your personal data, whether we can achieve the same result without having access to your data, and what the potential risk is if there is a data breach that affects your data.
Occasionally we may anonymise data which means that it is no longer associated with you. We do this for statistical or research purposes so we can improve the services we offer to you. We can use anonymous data indefinitely without further notice to you.
WHAT RIGHTS DO YOU HAVE?
You have the following rights over your personal data:
- To ask us for details of the personal data we hold and process about you (this is usually called a subject access request).
- To ask that any inaccurate information we hold about you is corrected.
- To ask that we delete personal data we hold about you.
- To ask that we stop using your personal data for certain purposes.
- To ask that we do not make decisions about you using completely automated means.
- To withdraw your consent.
- To ask that we give you the personal data we hold about you, or (where technically feasible) that we give this personal data to a third party chosen by you, in a commonly-used machine-readable format.
These rights are not available to everyone all the time. Some are subject to exemptions, and so we may not always be able, or required, to comply with your request to exercise these rights. Further details about your rights can be found on the Information Commissioner's website: https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly/
To exercise any of the above rights, please contact us using the details included at the start of this policy and provide us with as much information as you can so we can respond as soon as we can. We may ask you to provide proof of identity (for example, your passport or driving licence) before we fully respond as we have to be sure we are giving the correct personal data to the correct individual.
We usually respond to data subject requests within one month, but it can take longer if your request is particularly complex or if you have made a number of requests. You will not usually have to pay a fee, but we reserve the right to charge a fee if your request is clearly unfounded, repetitive or excessive; alternatively we may refuse to comply with your request.
You also have the right to complain to the Information Commissioner's Office, the UK supervisory authority for data protection issues. Before exercising this right, we encourage you to contact us first to resolve any complaint you may have, although this is not legally required. More details can be found here: www.ico.org.uk.
What do credit reference agencies do with my data?
Credit reference agencies (CRAs) will use the data they gather to provide credit reporting. They keep records of outstanding debt on file for six years after they are closed, whether the debts have been settled or defaulted.
Your information will not be used by CRAs to make a decision or to create a blacklist. The information which we and other organisations provide to CRAs and fraud prevention agencies about you, your business partner(s) and your business may be passed on by CRAs and fraud prevention agencies to other organisations and used by them to:
- prevent crime, fraud and money laundering by, for example, checking details provided on applications for loan facilities or other borrowings and credit or credit related facilities;
- verify your identity if you or your business partner(s) makes an application for other facilities;
- make decisions on credit and credit related services about you and/or your business partner(s), or your business;
- manage your personal, your business partner’s and/or business credit or credit related account(s);
- trace whereabouts and recover debts that you, your business partner(s) or business owe;
- conduct other checks to prevent or detect fraud; and
- carry out statistical analysis and system testing.
The information recorded by fraud prevention agencies may also be accessed and used by similar organisations from other countries.
Credit Reference Agency contact details
You can contact the CRAs currently operating in the UK; the information they hold may not be the same so it is worth contacting them all.
- TransUnion (formerly Callcredit), One Park Lane, Leeds, LS3 1EP or call 0870 0601414 or log on to www.transunion.co.uk
- EQUIFAX PLC, Credit File Advice Centre, PO Box 10036, Leicester, LE3 4FS or call 0870 010 0583 or log on to www.equifax.co.uk
- EXPERIAN, Consumer Help Service, PO Box 9000, Nottingham NG80 7WF or call 0844 4818000 or log on to www.experian.co.uk.
The ways in which CRAs use and share personal information are explained in the Credit Reference Agency Information Notice (CRAIN) which can be accessed via any of the following links:
WHAT ABOUT CHANGES TO THIS POLICY?
We reserve the right to update this policy to reflect any changes to the way in which we collect, process or share your personal data, or to reflect any legal requirements. When we make any changes, we will upload the new version to our site. The new version will take effect as soon as it is uploaded.
This policy was last amended on 13 July 2018 and supersedes any earlier versions.