1. Who we are
We understand how important your privacy is to you and ensure any personal data you provide us with is treated with respect, is properly protected and handled in accordance with UK data protection rules and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).
This website is owned and operated by Mindflow Marketing Limited, a company registered in England and Wales (company number 09829835) with its registered office at Manchester Business Park, 3000 Aviator Way, Manchester, M22 5TG. Mindflow Marketing Limited is authorised and registered by the Financial Conduct Authority and is entered on the Financial Conduct Authority Register (registration number 770925). Mindflow Marketing Limited is also licenced by the Information Commissioners Office, (registration number ZA232696).
Mindflow Marketing Limited is authorised and registered by the Financial Conduct Authority and is entered on the Financial Conduct Authority Register (registration number 770925). Mindflow Marketing Limited is also licenced by the Information Commissioners Office, (registration number ZA232696).
Mindflow Marketing Limited is an appointed representative under Maintain Marketing Limited (company number 09829835) with its registered office at Bayside Business Centre, Sovereign Business Park, Willis Way, Poole, Dorset, BH15 3TB. Maintain Marketing Limited is authorised and registered by the Financial Conduct Authority and is entered on the Financial Conduct Authority Register (registration number 727520). Maintain Marketing Limited is licenced by the Information Commissioner's Office (registration number ZA202297).
Contained within this statement and set out below are details of the type of personal data we may hold about you, our customer, how we obtain and process any personal data we may have and, most importantly, how we protect your privacy. This policy relates only to the personal data submitted or collected via this website.
If you have any queries or concerns regarding how we use your personal data or any questions regarding any of the information provided in this statement, please contact our Data Protection Officer at [email protected]
For all other queries you can contact us at [email protected] or write to us at Manchester Business Park, 3000 Aviator Way, Manchester, M22 5TG.
2. General Data Protection Principles
You are visiting our website to apply for a personal loan. In order to match you with the best lender or credit broker we have asked you to provide us with personal information. You need to know where your personal information is being sent, who is using it and why. You also need to be sure your personal information is kept safe and used only for the purposes you have agreed to.
Under the GDPR we are required to process the personal data you provide us with in a responsible manner. In accordance with the six principles below it must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposed; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3. Your Personal Data
What Personal Data do we collect?
We provide a credit brokering service. By completing our secure online application form we pass your details to our lenders' systems so they can make an informed decision whether to lend to you or not. If we are not able to find you a lender, we may pass your details to another credit broker or provide an alternative solution to help you understand and improve your financial position.
The information we ask you to provide via the application form on this website is the minimum required for us to provide you with the service and for our lenders to provide you with a loan decision.
The personal data we usually ask you to provide is:
- Date of Birth
- Residential address
- Email addresses and phone numbers
- Income and employment details
- Bank account information
Other ways we collect your personal data include:
- Registration on another site - you may have provided your personal data to a credit broker by filling in forms on their website, consented for the information to be passed to us and been re-directed to our website
- In correspondence between us and to enable us to answer queries or address complaints
Why do we collect your Personal Data?
The main reason we collect your personal data is to provide you with a credit brokering service and help you gain access to short term personal loan offers.
We also use information about you to:
- Communicate with you in connection with your enquiry by email, SMS, telephone or post
- Contact you to offer products, services or offers you may be interested in (where we have your express consent to do so)
- Verify your personal information
- Conduct statistical analysis for our own internal processes and/or to detect, prevent and investigate actual and potential fraud and related activities
- Update this website to meet our customers' needs in the future and develop, improve and update our products
- Assist us in the administration and servicing of your account
- Notify you of any changes to our services
- Comply with any legal or regulatory obligations
Legal basis for collecting your personal data
We are a credit broker and in order to provide our service we share your information with our panel of lenders and credit brokers to assist you in finding a suitable financial services product.
When you complete all loan application details on our website we process this data on the basis that we have a legitimate interest in processing this data.
The legitimate interests basis is defined by Article 6(1)(f) of the GDPR as being where ‘processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data which overrides those legitimate interests’.
How we use your Personal Data
We use the personal data you input via the online loan application form to match your details with our panel of lenders and credit brokers.
We, and our panel of lenders and credit brokers, will keep you informed as to the progress of your loan application via telephone, email or SMS unless specified otherwise.
In addition, we may also send you information regarding similar products or services using the contact information that you supplied to us as part of your application. This forms an essential part of our service which you can opt out of at any time by clicking the link https://optme.co or by emailing us at [email protected]
The basis on which we are able to send you this information is called ‘soft opt-in’. As an existing customer who has provided us with your details in order to use our credit broking services, we are able to contact you about similar products or services.
Customers are able to opt out of these messages when we first collect their details via our online application form or by using the unsubscribe function in any message we send.
Who do we share your personal data with?
We share your personal data with those companies who require it so we can provide the credit broking service you have signed up for.
A list of the categories of recipients who might receive your personal data are listed below:
1. Lenders and credit brokers on our panel
By completing our secure online loan application form you have accessed our credit broking service and permitted us to use your details to search the market for a loan that meets your individual criteria.
If we cannot find a suitable lender on our panel then we may pass your personal data onto another credit broker who may have a lender that meets your eligibility criteria on their panel.
Please be aware that our lenders with whom we share your information may use it for their legitimate business interests to match applications, carry out fraud checks, carry out research such as analysis of market trends and customer demographics and to customise and develop the product/service which they may offer to you or other individuals in the future. Most lenders might use this for up to twelve months.
2. Credit Reference Agencies (CRAs) and Fraud Prevention Agencies (FRAs)
By using our service you are also agreeing that our lenders and brokers can use Credit Reference Agencies (CRAs) and Fraud Prevention Agencies (FRAs) to assess your credit. More information regarding these agencies is given below.
3. Alternative Product Providers
If we are unable to match you with a suitable lender we may share your personal data with providers of credit and financial products. These include, but are not limited to, credit reporting and credit scoring providers and online digital savings vouchers or discount cards.
4. Regulatory bodies
We may need to disclose your personal data to regulatory bodies such as the Financial Conduct Authority, Information Commissioner's Office or any other applicable regulatory, government, compliance or law enforcement agency. This may be to investigate complaints, for tax purposes or for the prevention and detection of crime.
5. Service Providers
We may share your personal data with companies who assist us in providing our service to you such as telecommunication services (for email and SMS communication) and technology services for the operation and maintenance of our websites. Access to your personal data by these service providers is limited to the information reasonably required for them to perform their function. We take steps to help ensure that service providers keep your personal data confidential and comply with our privacy and security requirements.
We may also disclose your personal data if required or permitted to do so by law or in connection with legal proceedings or in connection with the sale or transfer of our business.
Where you have given your express consent to marketing, your personal data will be shared with our trusted third parties so they can inform you about products, services or offers by email and SMS which may be of interest.
Our trusted third parties include the following, but are not limited to:
- ESL Consultancy Services Ltd
- Fuel Ltd
- Utilita Limited
- Shell Energy Ltd
- Bulb Ltd
- Octopus Ltd
- Scottish Power Ltd
- ESB Energy Ltd
- Mint Marketing Limited
- Duke Leads Ltd
- Elevate Technologies Ltd
- Galactic Marketing Limited
To opt out of marketing received from any of our trusted third parties you will need to unsubscribe via the links provided in their communications with you.
The products, services and offers are:
Loan Comparison - Payday Loans/Short Term Credit - Loan Brokerage - Credit and Debit Cards - Credit Score Companies - Current Accounts - Guarantor Loans - Mobile Phones - Car Finance - Home Repairs - Debt Services - Utility Switching - Broadband - Online Retailers - Tax Rebate.
Credit Reference Agencies and Fraud Prevention Agencies
Our lenders may use both credit referencing agencies and fraud prevention agencies to help make relevant decisions on any application.
Credit Reference Agencies (CRAs)
- When this type of check is made a footprint will appear on your credit file, this can be seen by other lenders. CRAs provide us with shared credit data, fraud prevention data and public data; this data will include the electoral register. You may contact any or all the credit reference agencies (CRA's) directly.
Fraud Prevention Agencies (FPAs)
- When we assess your application we will also check your identity in order to prevent fraud and crime; this includes money laundering. We may also make additional searches over periods of time with CRAs and FPAs. This ensures that our records are kept up to date with any vital data. This data will then be used to ascertain whether to continue with your credit or any future credit that may be available. As we have an obligation to comply with responsible lending, FPAs and CRAs assist us in doing so.
If you choose to contact a CRA, please bear in mind that the data held may not be the same so it may be useful to contact all CRAs. You are legally entitled to a free copy of your statutory credit report every 12 months directly from any of the 3 main credit agencies.
The three main Credit Reference Agencies, TransUnion, Equifax and Experian will use and share your data in line with the Credit Reference Agency Information Notice (CRAIN) for further information on how CRAs use your data please visit their websites as stated below:
- TransUnion, Consumer Services Team, PO Box 491, Leeds, LS3 1WZ, 0870 060141
- Equifax Plc, Credit File Advice Centre, PO Box 3001, Bradford, BD1 5US, Tel number 0870 010 0583
- Experian, Consumer Help Service, PO Box 8000, Nottingham, NG80 7WF, 0844 4818000
Data sent to CRAs
- Data received by CRAs will be recorded by them. If after an application via us you take out a loan, the activity and details of management of your account will be passed onto them by the lender. In the event that you take out a loan and fail to repay back the full funds required this will also be recorded with the CRA. In this case data may be passed onto other companies by CRAs and FPAs in order to locate and trace you in order to recover any outstanding debts. We must warn you that if this does occur then this will remain on your record for 6 years once a case has been closed by either settlement or default.
Inaccurate information provided by you
- False or inaccurate data if given by yourself will be brought to the attention of FPAs or other relevant companies who deal in fraud/crime prevention. The same applies if we or our lenders suspect fraud or false or inaccurate data has been supplied. Any reported instances may also be accessed by law enforcement agencies i.e. HMRC, regulatory bodies or the police, for use to prevent any possible fraud and money laundering for the following:
- Managing credit and credit related accounts or facilities
- Recovering debt
- Checking details on proposals and claims for all types of insurance
- Checking details of job applicants and employees
- Data recorded outside the UK
We or our lenders may use and get access to data outside of the UK that has been recorded and reported by fraud prevention agencies.
How long do we keep your data for?
The amount of time we retain your data for depends on the basis it was provided by you to us:
- In order to provide you with a service we will be required to keep the data whilst we continue to provide you with a service for however long this may take us.
- If you request that we do not contact you for advertising and marketing reasons, then we still need to keep your application data as this reflects your preferences. The information we retain will be the minimum we are required to keep
- Data is kept relating to any transactions you may enter via our website. This data will be kept for a minimum of 6 years which will commence at the end of the relationship. We are required to do this to ensure that if any disputes or complaints are raised, then we have your data to enable us to address the complaints or disputes.
- In order to comply with our obligations under UK &EU law.
- We will retain your personal data as advised above unless we have a legitimate reason for retaining it beyond those dates.
Where will your personal data be held?
Your personal data may be held within the European Economic Area which comes under the GDPR. Where personal data is transferred or stored outside of the European Economic Union we check whether the EU Commission has issued an adequacy decision, which is a confirmation from them that the personal data will be afforded the same level of protection as if it was within the European Economic Union.
If there is not an adequacy decision in place, and to comply with GDPR requirements, we will ensure the transfer of personal data is protected by other means, including where explicit consent from the data subject has been received or through contractual obligations with relevant third parties regarding usage of the personal data.
Confidentiality & security
Keeping your personal data secure and confidential is of tantamount importance to us. Due to this we have introduced rules, measures, specialist technology and implemented security policies to ensure that your data is protected.
We use Secure Sockets Layer (SSL) encryption to secure your personal data and only provide your personal data to the staff who have to access it for the function of carrying out their duties.
Whilst we make every attempt to protect your data there are still risks involved when inputting your data online and we need to make you aware of this.
We can further confirm that all parties we share your personal data with, such as our lenders, credit brokers and trusted third parties are bound by contract to maintain the security and integrity of your personal data.
Please be advised that, although Mindflow Marketing Ltd takes all reasonable precautions to protect your data, no data storage or data transmission security is guaranteed. Accordingly, Mindflow Marketing Ltd cannot, and does not, represent, warrant, or guarantee the complete security of any data storage or data transmission. You agree that your access to and use of this site and your use of Marketing Limited's services, which necessarily includes data storage and data transmission, is carried out at your own risk.
4. Your Individual Rights
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Subject to certain circumstances, you are able to exercise all of the above rights. Where you elect to exercise any of your rights please be aware we not charge you a fee. However, if we receive excessive, repetitive or unfounded requests we are permitted to charge a reasonable fee.
Right to be informed
You have the right to be informed about the collection and use of your personal data. To be completely transparent with how we use your personal data we provide you with the following privacy information:
- The name and contact details of our organisation and the contact details of our Data Protection Officer
- The purposes and lawful basis for processing personal data
- The categories of personal data obtained
- The recipients or categories of recipients of the personal data
- The details of transfers of the personal data to any third countries or international organisations
- The retention periods for the personal data
- The rights available to individuals in respect of the processing
- The right to withdraw consent and the right to lodge a complaint with a supervisory authority
- The details of the existence of automated decision-making, including profiling. We regularly review, and where necessary, update our privacy information.
Right of access
You have the right to know who has access to your personal data, what it is being used for, where it's kept, and everything about your personal data as it passes through our data process.
A 'Subject Access Request' (SAR) can be made requesting us to supply you with all reasonable information or documentation that we hold relating to your personal data. You can make a subject access request verbally or in writing. If you make your request verbally, we recommend you follow it up in writing to provide a clear trail of correspondence.
Before providing any information we must verify the identity of the person making the request using 'reasonable means'. We will ask you for your first name, surname, date of birth, address, a utility bill (or similar) and the method by which you received marketing communications.
Please email your SAR to our Data Protection Officer at [email protected]
Alternatively, you can post your request to Manchester Business Park, 3000 Aviator Way, Manchester, M22 5TG.
Responses will be provided electronically in a clear format unless requested otherwise. We have one month to comply with this request but if the request is complex can extend the period for a further two months. You would be notified of the time limit when making the request.
For more information on how you make a SAR please visit https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/
Right to rectification
The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
It is important that the personal data you input on this website is accurate, complete and up to date.
We will assume the personal data you provide is correct and provide our services on this basis. If fraudulent information is given then we may be alerted to this by a Fraud Prevention Agency.
If you think you have mistakenly given us incorrect information, please contact us at [email protected] and we will update it as soon as possible.
Whilst we make every effort to ensure the personal data we hold about you is right, if you notice any errors in any communications received from us please send us an email detailing the changes to the email address above and we will ensure it is accurate.
We will rectify the information within a month of receiving your request and inform all relevant third parties of the amendment. If the request is complex we can extend the period for a further two months.
Right to erasure
You have the right to erasure which is also known as a 'request to be forgotten'. This equates to asking for any personal data you have supplied to be removed from our systems where there is no reason to keep processing it.
This right can be exercised under the following circumstances:
- Where the individual withdraws consent
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- When the individual objects to the processing and there is no overriding legitimate interest for continuing processing.
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
We will suppress and remove all data held, upon request. Our marketing partners will immediately be informed of the request and will follow the same actions. We will however keep the communication of the 'request to be forgotten' for our records. Where we cannot remove all your personal data we will notify you.
Grounds on which we can legally refuse a request are:
- To comply with a legal obligation
- The exercise or defence of legal claims
- To exercise the right of freedom of expression and information
Right to restrict processing
You can ask us to stop or restrict processing your personal data. It is an alternative to requesting erasure of your data.
This is not an absolute right and will only apply in certain circumstances such as:
- Where you are contesting the accuracy of your personal data and we are verifying the accuracy of the data.
- The data has been unlawfully processed (i.e. in breach of the lawfulness requirement)
- We no longer need the personal data but we need to keep it in order to establish, exercise or defend a legal claim.
As a matter of good practice we will automatically restrict processing your personal data whilst we are considering its accuracy or the legitimate grounds for processing the personal data in question.
When we restrict your personal data, we are still permitted to store it but not use it. We will inform all relevant third parties to confirm this right is carried out.
You can make a request for restriction at any time and we have one month in which to respond to your request. This can be extended by two months where the request is complex or we receive a number of requests. We would advise you if an extension is necessary clearly stating our reasons why.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Before transferring your personal data we will carry out rigorous checks to verify your identity.
The right to data portability applies:
- To personal data an individual has provided to a controller;
- Where the processing is based on the individual's consent or for the performance of a contract; and
- When processing is carried out by automated means. If you request us to transfer your information we will do so in a format that is structured, commonly used and in a machine-readable form. We will respond to your request within one month. This can be extended by two months where the request is complex or we receive a number of requests. We would advise you if an extension is necessary clearly stating our reasons why.
Right to object
You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling
You have the right to object to automated decision making, to express your point of view, ask for human intervention, and to be provided with an explanation of the decision with your option to challenge it. The right is not absolute and is not applicable for the entering into a consumer credit agreement.
5. Further Information
Notification of Breach
We make a promise as a company, that we will inform you at the first sign of a data breach. We want to make sure we are being completely transparent with you regarding your data and the security of your data. We will contact you via email or phone, to inform you of any suspicious activity.
If you have any complaints about how we have used your personal data please contact our Data Protection Officer at [email protected] or write to: The Data Protection Officer, Mindflow Marketing Ltd, Manchester Business Park, 3000 Aviator Way, Manchester, M22 5TG
We do recommend that you bring any issues to our attention as soon as possible. The sooner we know about the issue the sooner we can help resolve it.
We will do our best to resolve your complaint but if you remain unsatisfied with any aspect relating to your personal information, you have the right to complain to the Information Commissioner's Office.
The ICO may be contacted at https://ico.org.uk/make-a-complaint/
By post at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
Alternatively, you may have the right to refer your complaint to the Financial Ombudsman Service who can be contacted at www.financial-ombudsman.org.uk/consumer/complaints.htm
By post at Exchange Towner, London, E14 9SR
Telephone: 0800 023 4567 (0300 123 9123 from a mobile)
In relation to your complaint you can also request a review from the European Online Dispute Resolution platform: ec.europa.eu/consumers/odr/
Usage of links to other sites
This website may provide links to other websites which have privacy policies that differ from ours.
When you visit this website a small text file known as a 'cookie' is placed on your computer or other device which may provide some personal data details from you. Some cookies are required for the functioning of the website, others allow us to recognise you each time you visit and remember your preferences. Cookies are also used to improve user experience on the website, advertising, tracking and browsing habits.
Processing special categories of personal data
Should we be required to process your special categories of personal data, then we will notify you and seek your explicit consent prior to us doing so. Special categories of personal data as defined under GDPR are:
- Ethnic origin;
- Trade union membership;
- Biometrics (where used for ID purposes);
- Sex life or sexual orientation;
- Suspected or proven criminal activity (including any proceedings).
We do not knowingly collect any personal data from children under the age of eighteen. Applicants on this website must be eighteen years of age or older to use our services.