Privacy Notice

30 August 2023

How we use your information

At Perenna we care about your privacy. We want you to understand exactly what we use your personal data for, so this notice tells you everything you need to know. It explains who we are and how we collect, use, share, and protect your personal data. We also explain your privacy rights and how the law protects you.

Firstly, what do we mean by personal data? Personal data is any information that we collect that relates to you and can be used to identify you. It could include your name, email address, National Insurance number, or home address. That’s why it’s important that you read this privacy notice carefully.

 

Page contents

1. Who we are
2. What data do we collect?
3. How do we collect your data?
4. Why do we need your information and what do we use it for?
5. Who do we share your information with?
6. Do we transfer your data outside of the UK?
7. How do we keep your data safe?
8. How long do we keep your data for?
9. What are your legal rights?
10. How will we keep you up to date?
11. What if you need to complain?

 

1. Who we are

We are Perenna Bank PLC. When we say “we”, “us”, “our” or “Perenna” in this privacy notice, we mean Perenna Bank PLC.
Perenna is a company registered in England and Wales with company number 13084174. We are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 956138.
Perenna is the “data controller.” This means we’re responsible for the personal data you provide to us, or we collect under this privacy notice. If you have any questions about this notice or how we use your information you can get in touch by email at dataprotection@perenna.co.uk or write to:
Data Protection Officer
Perenna Bank PLC
20 Eastbourne Terrace
London
W2 6LG

 

2. What data do we collect?

When you use our online calculators or apply for a Perenna mortgage we will collect your personal data. We only collect and process information we need. So, if you don’t give us the information we request, we won’t be able to offer you our products and services. For example, if you apply for a mortgage, we need to collect personal information to check that it’s really you. This protects both you and us from fraud. We also need it to check you can afford the loan.

How much information we collect depends on whether you’re just looking for an idea of how much we might lend to you or whether you’re making a formal application.

If you are making a joint application, we will collect information about both of you. Before you apply, make sure you have the other persons permission to share their data.

The information we collect may include:

Identity data

Examples include your name and address, date of birth, contact details and nationality. We may also ask you for copies of documents like your passport or driving licence or ask you to provide us with another visual image to verify your identity.

We may also collect unique reference numbers that we or others have allocated to you. For example, account numbers, online usernames, and your national insurance number.

Financial data

This includes information about your accounts and transactions. Details of your savings and wealth, proof of your income and outgoings, credit and borrowing history, card payment details and bank details. We will also collect information about others you are financially linked to.

Lifestyle & social data

Including information about your family. For example, we may ask about people who are financially dependent on you. We may also collect data that relates to climate. For example, we may ask about property features such as housing certification, ratings, or your utility consumption.

Technical data

We will record information about how you access and use our website or other digital services like our customer portal. Details include your IP address, your location and the device and software you’re using.

Marketing & communication data

We will record your choices about receiving marketing from us and how you prefer us to contact you. We will also store any market research we have obtained. When you provide consent to receive marketing emails, you also provide consent for us to track when you open and interact with them. This information helps us to monitor and improve our communications.

Sensitive personal data

Whilst processing your application we may collect information that reveals things like your racial or ethnic origin, criminal convictions or physical and mental health information. We will normally only collect this information if there is a legal reason why we must do so or because you have given us your explicit consent. For example, we may use your health info to help you access our services more easily, like sending letters in braille if you need it. Please see Section 4 for more information about the legal reasons we use your data.

Aggregate data

We collect and process aggregated data. By this we mean, we group together information about our customers in a way that doesn’t identify people specifically and is anonymous. We use this data for all sorts of business reasons – like market analysis and research, demographic profiling, marketing and advertising, and to comply with regulation.

If we do connect this data with information that does identify you, we’ll always treat it as personal data.

 

3. How do we collect your data?

We may collect information directly from you or from others. We collect it when you call us, email us, write to us, complete our online forms, or interact with us on social media.

If you apply for a mortgage with us through a broker, we will receive your personal information indirectly from them. Your broker will also provide you with a notice about how they process your data and provide you with a copy of this notice.

We also collect data from other sources such as:

Third party sources

By this we mean Fraud Prevention Agencies, Credit Reference Agencies, Other lenders, The Government and their agencies (e.g. HM Revenue & Customs, Financial Conduct Authority, Companies House).

Publicly available sources

This includes the electoral roll, telephone directory and other internet sources.

Other companies that we work with

This could include a surveyor conducting a valuation of your property or a conveyancer or solicitor.

Marketing / analytical service providers

These are services that help us understand how people use our website and companies that do market research or behaviour analysis.

Others who know you

This could be a joint account holder, other people you’re linked to financially, your employer or accountant.

Your use of our website or customer portal

This includes information we obtain through cookies that collect information on your internet use. Please see our Cookie Notice for more information.

 

4. Why do we need your information and what do we use it for?

The Data Protection law says that companies can’t use your data without having a legal reason for using it. This reason is called a “legal basis”. Here are the legal bases we rely on, and what they mean:

Contract performance

We need your information to provide you with our product and service your account. For example, we need to hold your transaction history to give you an annual mortgage statement.

Legal obligation

The law requires us to process your information. For example, we need proof of your identity to meet our fraud and anti-money laundering responsibilities.

Legitimate interest

The law allows us to use your information if it is in the interest of our business. We will always check that on balance, the benefits to us or our partners are not outweighed by your interests or rights. An example of a legitimate interest we have for processing your data might be to try to improve our products and services. Another could be to try and detect and prevent fraud.

Consent

By consent we mean that you’ve told us that it’s OK to use your data for a specific reason. For example, if you consent to us recording something about your health so that we can support you in the right way. Or if you tell us you’re happy to receive marketing from us. Whenever ‘consent’ is the only reason for us using the information, you have the right to change your mind and change or withdraw your consent. Please see Section 9 for more information about your legal rights and how to opt out of marketing.

The table below explains the main ways we use your data and the reasons we have for doing so.

 

When we use your information Type of data we use Why we do it
To deal with any initial enquiry. This includes:

  • When you use our mortgage calculator or other tools on our website. We use the information you provide, so we can tell you how much we could lend you or provide details of our services.
  • When you join our waitlist, we use your contact details to tell you when our products become available
(a) Identity data

(b) Financial data

(c) Lifestyle & Social data

(a) Performance of a contract with you

(b) You have given Consent

(c) Necessary for our legitimate interests (to understand the customer demand for our products and services)

To conduct any activities relating to processing your mortgage application. This includes:

  • Checking your identity
  • Checking you meet our lending criteria
  • Credit checks
  • Affordability checks
  • Working with others such as your Broker, Solicitor, or the person conducting a valuation of your property
  • Sending you documents like illustrations and offers
  • Taking card payments from you to cover any fees
  • Setting up your Direct Debit
(a) Identity data

(b) Financial data

(c) Lifestyle & Social data

(a) Performance of a contract with you

(b) Necessary to comply with a legal obligation

To manage your account including:

  • Authorising payments to and from you
  • Keeping a history of your transactions and sending you statements
  • Talking to you about your account and your relationship with us
  • Keeping a record of any phone calls or conversations we’ve had
  • Fixing any errors or resolving any complaints you might have
  • Dealing with any data protection requests
  • Closing your account
(a) Identity data

(b) Financial data

(a) Performance of a contract with you

(b) Necessary to comply with a legal obligation

(c) Necessary for our legitimate interests (For example, to recover any money owed to us)

To assess risk. This includes:

  • Conducting credit checks at Credit Reference Agencies. For more info please see Section 5
  • Any profiling or automated decision making we may conduct
  • Using any information we’ve obtained from how you use your account
(a) Identity data

(b) Financial data

(a) Necessary to comply with a legal obligation

(b) Necessary for our legitimate interests (for example, to make sure you can afford to repay the loan)

To comply with any law or regulation or prevent financial crime and the funding of terrorism. We may:

  • Check and share information with Fraud prevention agencies, credit reference agencies, law enforcement or other government agencies like tax or immigration authorities

For more details about when we share your information, please see Section 5

(a) Identity data

(b) Financial data

(c) Sensitive data

(d) Technical data

(a) Performance of a contract with you

(b) Necessary to comply with a legal obligation

(c) Necessary for our legitimate interests (For example, to prevent any losses from financial crime)

To make things better. This will include:

  • Contacting you for research. Like asking your opinion about things. For example, we might send you a survey or ask you to do some user testing for us
  • Making technical changes our systems and processes to make them faster, safer or compliant with changing regulations
(a) Identity data

(b) Technical data

(c) Marketing and Communication data

(a) Necessary to comply with a legal obligation

(b) Necessary for our legitimate interests (to improve our products and services)

(c) You have given us consent

To recover money that you owe us. If you don’t have a plan in place to repay it, we could:

  • Take you to court
  • Give and receive information from third parties including, Field Agents, solicitors, Credit Reference Agencies, Bailiff services
(a) Identity data

(b) Financial data

(c) Technical data

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (For example, to prevent any losses)

To send you direct marketing and recommend things like:

  • New products we’re launching or other products we offer that you may find interesting
  • Other products from our partners that you may find interesting – we’ll only do this if you say we can. And we only want to send you things you might like. So we might use your profile or technical information to help us with this.
(a) Identity data

(b) Marketing & Communication data

(b) Technical data

(a) Necessary for our legitimate interests (to grow our business)

(b) You have given us consent

To manage our business and conduct activities such as:

  • Compliance monitoring – For example, we’ll record calls with you for regulatory purposes
  • Our accounts and record keeping
  • Analysis to see how well our communications are understood by customers
  • Reporting and communication with our regulators, the Financial Ombudsman, Information Commissioner’s Office, and our auditors
  • Training our staff – for example, We also record or monitor phone calls with you for training and to improve our quality of service.
(a) Identity data

(b) Technical data

(c) Marketing and Communications data

(d) Financial data

(a) Necessary to comply with a legal obligation

(b) Necessary for our legitimate interests (For example, to improve our service)

To support our customers with additional needs, for example:

  • Adjusting the way we communicate with you if you need us to
  • Support you in times of financial stress, for example, if you lose your job
  • Give and receive information from third parties such as the police, social services or someone acting on your behalf if it’s necessary to meet our legal obligations
(a) Identity data

(b) Sensitive data

(a) Necessary to comply with a legal obligation

(b) Performance of a contract with you

(c) You have given us consent

To manage our relationships with third parties, this could include:

  • Paying any invoices or fees. For example, we will often pay your broker a procuration fee if they recommend you to us or when they conduct a review of your circumstances
  • Deal with any complaints you may have in relation to a service provided by our partners
  • Compliance monitoring
(a) Identity data (a) Necessary to comply with a legal obligation

(b) Performance of a contract

 

5. Who do we share your information with?

When using your information, we might share it with other companies. If we do, we make sure they keep it confidential, safe and secure just like we do. These other companies can’t just use your information for any reason – it has to be for a specific purpose and in the way we tell them to. We have written contracts in place to make sure of this.

Here’s more details about the companies and people we might share your data with:

Our partners & service providers

We work with a number of third-party service providers to help run our business and provide you with our products. These include anyone we might work with to help you get a mortgage or buy your home. Such as, Solicitors, conveyancers, surveyors, valuers, panel managers (companies that lenders use to outsource legal work for them) and of course your broker. Unless you tell us not to, we may also share details with your broker in the future. We do this to remind them to check with you that your mortgage remains suitable for your needs.

It also includes third parties like our IT and system providers, cloud hosting companies, payment service providers, security partners, legal and accounting firms, insurance companies, financial auditors, property valuation firms and advertising and market research companies.

Credit reference agencies

When you apply for a loan, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs”). If you then take a mortgage product from us, we may also make periodic searches at CRAs to manage your account.

To conduct a credit and identity check, we supply your personal information to CRAs, and they give us information about you. The information we’ll supply includes information from your application and your financial situation and history. CRAs will also supply us with public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

  • Assess your creditworthiness and whether you can afford to take the product
  • Verify the accuracy of the data you have provided to us
  • Prevent criminal activity, fraud and money laundering
  • Manage your account(s) and relationship with us
  • Help recover any money owed to us
  • Ensure any offers and services provided to you are appropriate to your circumstances.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. They may then provide this information to other companies.

When CRAs receive a search from us they will place a search footprint on your credit file that other lenders may see. Too many searches may affect your credit score and make it more difficult for you to borrow money.

If you are making a joint application, we will link your records together. Make sure you discuss this with the other applicant and share this information before you apply. CRAs will also link your information to the information of a joint applicant, partner or other financial associate. If in the future you want to break this link, you will need to apply directly to the CRAs.

The identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share information, data retention periods and your data protection rights with the CRAs are explained in more detail in the CRA Information Notice (CRAIN). You can find this on each of the CRA websites at:

www.experian.co.uk/crain

www.transunion.co.uk/crain

www.equifax.co.uk/crain

Fraud prevention agencies

We will share the personal information we collect from you or others with fraud prevention agencies. They will use it to verify your identity and prevent fraud and money-laundering. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at https://www.cifas.org.uk/fpn

Government Agencies & Regulatory Bodies

We will use your information to comply with the law, to protect ourselves, our customers, or others. Where required we will share information to respond to a court order or other lawful request from a public authority. This includes Government and regulatory bodies such as HMRC, the Financial Conduct Authority, the Financial Ombudsman Service, and the Information Commissioner’s Office.

Anyone who funds us, buys us or merges with us

We may have to share personal information with any person or legal entity who we sell or transfer (or anyone we have discussions with about this) all or part of our business to. This also includes transferring any of our rights or obligations under any agreement we have with you.

 

6. Do we transfer your data outside of the UK?

We are based in the UK but some of our services providers are in different locations. This means we may transfer your personal information outside the UK. If your data is being processed in Europe or other parts of the European Economic Area (EEA) then it is protected in the same way as it is in the UK. If we transfer your data outside of the EEA we’ll take all reasonable steps necessary to make sure it is protected to UK standards. The measures and safeguards we have in place include conducting strict security checks and having appropriate legal contracts in place.

 

7. How do we keep your data safe?

We do everything we can to protect your personal information. Firstly, we make sure all our staff receive data protection training and support. And access to your data is on a strictly need to know basis.

We’ve put robust security systems and processes in place to protect your data. We use layered security controls, like firewalls, to make sure that your data isn’t accidentally lost, used, accessed, changed, or shared in an unauthorised way. For example, we always encrypt your data in line with industry best practice. We do this both when we store and whenever we transfer your data.

You can also help us to protect your data by never sharing your login details, passwords or account numbers with anyone else. If you ever think someone has accessed your account, contact us straightaway.
If something does go wrong, we’ll tell you. And if we need to, we will tell the regulator as well.

 

8. How long do we keep your data for?

We’ll only keep your data for as long we need it to do the things we collected it for (see section 4). Or where laws and regulations tell us we need to keep it for a specific amount of time:

  • Some of our online calculators and tools store personal information. But only if you consent to receive marketing communications from us. If you do choose to receive marketing, we will keep your data for 24 months. Don’t forget you can change your mind and withdraw your consent at any time.
  • If you apply for a mortgage with us and your application is unsuccessful, we’ll keep your data for 6 years.
  • If you take our mortgage product, we’ll keep your data for the term of the loan plus another 6 years after that.

You have the right to ask us to delete your data but sometimes laws or regulations tell us we have to wait a certain amount of time before we can. If we have to wait, or if we can’t delete your data, we’ll let you know why. See Section 9 for more information about your rights.

9. What are your legal rights?

When it comes to your personal data, you have rights. However, some of these rights only apply in certain circumstances or to certain information. We’ve explained more about each of your rights under the individual headings below.

If you want to talk to us about your rights, or make a request just get in touch at dataprotection@perenna.co.uk. We will always aim to respond to your request within 30 days.

The right to be informed

You have the right to know what information we hold about you, why we have it, how we use and share it and how long we keep it for. This is one of the main reasons we have this privacy notice. To simply explain how we collect and use your data.

The right to object

We’ve explained in Section 2 and 4 about what data we collect from you and our reasons. You can ask us to stop processing your data, and in some circumstances, we’ll always do this. For example, if the reason we’re using your data for marketing purposes. But there are situations where we’re not able to, we will always tell you why we can’t.

You can opt out of receiving marketing communications from us at any time by clicking the unsubscribe link in any email you’ve received. Or emailing us at unsubscribe@perenna.co.uk.

The right of access

You have the right to a copy of any personal information we hold about you. This is known as a “subject access request.” We do not charge any fees for sending you copies of your data.

The right to correct any errors

If any of the information we hold is incorrect or out of date, you can ask us to correct it.

The right to delete your data

Also known as “the right to be forgotten.” You can ask us to delete your data if:

  • We no longer need it for the reason we collected it.
  • We only hold and use your data because you gave us your consent, which you have now withdrawn.
  • You object to us processing your data, and we no longer have a legitimate interest to continue.
  • You change your mind about receiving direct marketing from us.
  • We have been using your information unlawfully.
  • We have a legal obligation to erase your information.

Sometimes, we might not be able to delete your data. This is because there are certain laws and regulations that tell us how long we have to keep some information for. If we can’t delete it, we will tell you the reasons why when we respond to your request.

The right to restrict processing

In some situations, you have the right to ask us to limit the way we use your information. You can ask us to do this if:

  • You have asked us to correct the data we hold about you and you don’t want us to process it until we’ve sorted it out.
  • We have been using your information unlawfully, but you don’t want us to delete it.
  • We no longer need the information, but you need it for legal reasons.
  • You have objected to how we use your information, and we are still dealing with this.

The right to data portability

You have the right to get some of your information from us, in a way that lets you move it from us to somewhere else.

The right to challenge any automated-decision

Sometimes we use computers to make decisions without humans being involved. You can ask us to get someone to review these decisions if they have had a serious impact on you or your legal rights.

 

10. How will we keep you up to date?

We last updated this privacy notice on 26th May 2023. We’ll update this notice any time we make changes affecting how we use your information. We’ll let you know about any changes, usually by email or text message. And we’ll highlight the changes we make so that you can clearly see them. If you need to see an older version, you can also find these linked at the bottom of this page.

 

11. What if you need to complain?

If you’re unhappy about how we’re using your information, please get in touch. We’ll investigate and get back to you as soon as we can. You can make a complaint by:

Emailing us at: dataprotection@perenna.co.uk

By writing to us at:
Data Protection Officer
Perenna Bank PLC
20 Eastbourne Terrace
London
W2 6LG

We would really like the chance to help you first, but you do have the right to complain at any time to Information Commissioner’s Office (ICO). The ICO is the UK data protection regulator. For more information and their contact details please visit: Make a complaint | ICO.

 

Previous versions

 

May 2023

December 2022

October 2022

December 2020

July 2020