Privacy Notice

25 September 2023


How we use your personal data

At Perenna we care about your privacy. We want you to understand exactly what we use your personal data for, so this privacy notice tells you everything you need to know. It explains who we are and how we collect, use, share, and protect your personal data. We also explain your privacy rights and how the law protects you.

Firstly, what do we mean by personal data? Personal data is any information that we collect that relates to you and can be used to identify you. It could include your name, email address, National Insurance number, or home address, as well as information to allow us to make decisions about your mortgage eligibility. That’s why it’s important that you read this privacy notice carefully.

Page contents

1. Who we are
2. What data do we collect?
3. How do we collect your data?
4. Why do we need your information and what do we use it for?
5. Who do we share your information with?
6. Do we transfer your data outside of the UK?
7. How do we keep your data safe?
8. How long do we keep your data for?
9. What are your legal rights?
10. How will we keep you up to date?
11. Third party links and services
12. What if you need to complain?

1. Who we are

We are Perenna Bank PLC. When we say “we”, “us”, “our” or “Perenna” in this privacy notice, we mean Perenna Bank PLC.

Perenna is a company registered in England and Wales with company number 13084174. We are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 956138.

Perenna is the “data controller.” This means we’re responsible for the personal data you provide to us, or we collect under this privacy notice. If you have any questions about this privacy notice or how we use your information you can get in touch by email at Dataprotection@perenna.com or by writing to us at:

Data Protection Officer
Perenna Bank PLC
PO Box 755
S43 3LS

2. What personal data do we collect?

When you visit our website at www.perenna.com, contact us, use our online mortgage calculator, use our customer portal, apply for a Perenna mortgage (whether yourself or a broker) or make a deposit, we will collect your personal data. We only collect and process information that we need. So, if you don’t give us the information we request, we won’t be able to offer you our products and services. For example, if you apply for a mortgage, we need to collect personal data relating to your identity to check that it’s really you. This protects both you and us from fraud. We also need it to check you can afford the loan.

How much information we collect depends on whether you’re just looking for an idea of how much we might lend to you or whether you’re making a formal application.

If you are making a joint application, we will collect information about both of you. Before you apply, please make sure you have the other person’s permission to share their personal data with us and provide them with a copy of this privacy notice.

The information we collect may include:

Identity data

Examples include your name, previous addresses, home address, date of birth, phone number, email address and nationality. We may also ask you for copies of documents like your passport or driving licence or ask you to provide us with another visual image to verify your identity.

We may also collect unique reference numbers that we or others have allocated to you. For example, account numbers, online usernames and your national insurance number.

Financial data

This includes information about your accounts and transactions. For example, details of your savings and wealth, proof of your income, outgoings, credit and borrowing history, card payment details and bank details. We will also collect information about others you are financially linked to.

Lifestyle & social data

This includes information about your family. For example, we may ask about the number of people who are financially dependent on you, i.e. your children or adult dependents. We may also collect personal data that relates to the climate. For example, we may ask about property features such as housing certification, ratings or your utility consumption.

Technical data

We will record information about how you access and use our website or other digital services like our customer portal. Details include your IP address, your location and the device and software you’re using.

Marketing & communication data

We will record your choices about receiving marketing from us and how you prefer us to contact you. We will also store any market research we have obtained providing us with statistical information that is relevant to you (such as market research that you have participated in and information you provided to us when you use our online mortgage calculator). When you provide consent to receive marketing emails, you also provide consent for us to track when you open and interact with them through the use of tracking pixels which tell us what messages you open, and links you click on. This information helps us to monitor engagement and improve our communications.

Sensitive data

Whilst processing your application we may collect information that reveals things like your racial or ethnic origin, criminal convictions or physical and mental health information. We will normally only collect this information if there is a legal reason or vital interest why we must do so or because you have given us your explicit consent. For example, we may use your health information to help you access our services more easily, like sending letters in braille if you need it. Please see Section 4 for more information about the legal reasons we use your personal data.

Aggregate data

We collect and process aggregate data. By this we mean, we group together information about our customers in a way that doesn’t identify people specifically, cannot be used for re-identification and is anonymous. We use this aggregate data for a number of business reasons – like market analysis and research, demographic profiling, marketing and advertising and to comply with regulations.

If we do connect any aggregate data with information that does identify you, we’ll always treat it as personal data and will use it only in accordance with data protection laws.

3. How do we collect your personal data?

We may collect information directly from you or from others. We collect it when you call us, email us, write to us, complete our online forms, use our website or customer portal or interact with us on social media.

We also collect personal data from other sources such as:

Third party sources

By this we mean fraud prevention agencies, credit reference agencies, other lenders, the Government and their agencies (e.g. HM Revenue & Customs, Financial Conduct Authority, Companies House).

Publicly available sources

This includes the electoral roll, telephone directory and other internet sources.

Other companies that we work with

This could include a surveyor conducting a valuation of your property or a conveyancer or solicitor.


If you apply for a mortgage with us through a broker, we will receive your personal data indirectly from them. If a broker is assisting you with your application for a mortgage, they should provide you with a copy of their own privacy notice explaining how they will process your personal data. If your broker does not provide you with a privacy notice, you should ask to see it. When the broker processes your personal data on our behalf, our privacy notice will apply. Depending on the information you are providing, your broker may also ask for your consent to pass your personal data to us. If you withdraw your consent for any of our activities, such as direct marketing, you should also inform the broker as you will need to withdraw your consent from them separately to stop receiving their direct marketing.

Marketing / analytical service providers

These are services that help us understand how people use our website and companies that do market research or behaviour analysis.

Others who know you

This could be a joint account holder, other people you’re linked to financially, your employer or accountant.

Your use of our website, customer portal, or opening our emails

This includes information we obtain through cookies that collect information on your internet use and use of our website as well as tracking pixels which tell us what messages you open, and links you click on. Please see our Cookie Notice for more information.

4. Why do we need your personal data and what do we use it for?

UK data protection law says that companies can’t use your personal data without having a legal reason for using it. This reason is called a “lawful basis”. Here are the lawful bases we rely on, and what they mean:

Contract performance – We need your information to provide you with our product and service your account. For example, we need to hold your transaction history to give you an annual mortgage statement.

Legal obligation – The law requires us to process your information. For example, we need proof of your identity to meet our fraud and anti-money laundering responsibilities.

Legitimate interest – The law allows us to use your information if it is in the legitimate interest of our business. We will always check that on balance, the benefits to us or our partners are not outweighed by your interests, rights or freedoms. An example of a legitimate interest we have for processing your personal data might be to try to improve our products and services. Another could be to try and detect and prevent fraud.

Consent – By consent we mean that you’ve explicitly confirmed that you are happy for us to use your personal data for a specific reason. For example, you might consent to us recording something about your health so that we can support you in the right way, or tell us you’re happy to receive marketing from us. Whenever ‘consent’ is the only reason for us using the information, you have the right to change your mind and change or withdraw your consent at any time. Please note that in some cases this might mean that we cannot provide the service you have requested where we need to use information on the basis of your consent. Please see Section 9 for more information about your legal rights and how to opt out of marketing.

Vital interests – We may need to process your personal data if we think it is necessary to protect someone’s life.

The table below explains the main ways we use your data and the reasons we have for doing so.

For each use, the entries below set out when we use your personal data, the type of personal data we use, and why we do it.

To deal with any initial enquiry. This includes:

  • When you use (or a broker on your behalf uses) our online mortgage calculator or other tools on our website. We use the information you provide, so we can tell you how much we could lend you or provide details of our services.
  • When you join our waitlist, we use your contact details to tell you when our products become available.

Type of personal data we use:
(a) Identity data.
(b) Financial data.
(c) Lifestyle & Social data.

Why we do it:
(a) Performance of a contract with you.
(b) You have given Consent.
(c) Necessary for our legitimate interests (for example, to provide you with information about our products and services).
(d) Necessary to comply with a legal obligation (for example, regulatory reporting purposes).

To conduct any activities relating to processing your mortgage application. This includes:

  • Checking your identity.
  • Checking you meet our lending criteria.
  • Credit checks.
  • Affordability checks.
  • Working with others such as your broker, solicitor, or the person conducting a valuation of your property.
  • Sending you documents like illustrations and offers.
  • Taking card payments from you to cover any fees.
  • Setting up your Direct Debit.

Type of personal data we use:
(a) Identity data.
(b) Financial data.
(c) Lifestyle & Social data.
(d) Where necessary, sensitive data may be required including health information and political affiliation.

Why we do it:
(a) Performance of a contract with you.
(b) Necessary to comply with a legal obligation.
(c) For sensitive data, where you have given your explicit consent or where you have manifestly made it public.

To manage your account including:

  • Authorising payments to and from you.
  • Keeping a history of your transactions and sending you statements.
  • Talking to you about your account and your relationship with us.
  • Keeping a record of any phone calls or conversations we’ve had.
  • Fixing any errors or resolving any complaints you might have.
  • Dealing with any data protection requests.
  • Closing your account.

Type of personal data we use:
(a) Identity data.
(b) Financial data.

Why we do it:
(a) Performance of a contract with you.
(b) Necessary to comply with a legal obligation.
(c) Necessary for our legitimate interests (for example, to recover any money owed to us).

To assess risk. This includes:

  • Conducting credit checks at Credit Reference Agencies. For more information please see Section 5.
  • Any profiling or automated decision making we may conduct.
  • Using any information we’ve obtained about how you use your account.

Type of personal data we use:
(a) Identity data.
(b) Financial data.
(c) Sensitive data.

Why we do it:
(a) Necessary to comply with a legal obligation.
(b) Necessary for our legitimate interests (for example, to make sure you can afford to repay the loan).

To comply with any law or regulation or prevent financial crime and the funding of terrorism. We may:

  • Check and share information with fraud prevention agencies, credit reference agencies, law enforcement or other government agencies like tax or immigration authorities.

For more details about when we share your information, please see Section 5.

Type of personal data we use:
(a) Identity data.
(b) Financial data.
(c) Sensitive data.
(d) Technical data.

Why we do it:
(a) Performance of a contract with you.
(b) Necessary to comply with a legal obligation.
(c) Necessary for our legitimate interests (for example, to prevent any losses from financial crime).

To make things better. This will include:

  • Contacting you for research, like asking your opinion about things. For example, we might send you a survey or ask you to do some user testing for us.
  • Making technical changes to our systems and processes to make them faster, safer or compliant with changing regulations.

Type of personal data we use:
(a) Identity data.
(b) Technical data.
(c) Marketing and communication data.

Why we do it:
(a) Necessary to comply with a legal obligation.
(b) Necessary for our legitimate interests (for example, to improve our products and services).
(c) You have given us consent.

To recover money that you owe us. If you don’t have a plan in place to repay it, we could:

  • Take you to court.
  • Give and receive information from third parties including field agents, solicitors, credit reference agencies and bailiff services.

Type of personal data we use:
(a) Identity data.
(b) Financial data.
(c) Technical data.

Why we do it:
(a) Performance of a contract with you.
(b) Necessary for our legitimate interests (for example, to prevent any losses).

To send you direct marketing and recommend things like:

  • New products we’re launching or other products we offer that you may find interesting.
  • Other products from our partners that you may find interesting – we’ll only do this if you provide your consent. And we only want to send you things you might like. So we might use your profile or technical information to help us with this.

Type of personal data we use:
(a) Identity data.
(b) Marketing & communication data.
(c) Technical data.

Why we do it:
(a) Necessary for our legitimate interests (for example, to grow our business).
(b) You have given us consent.

To manage our business and conduct activities such as:

  • Compliance monitoring – for example, we’ll record calls with you for regulatory purposes.
  • Our accounts and record keeping.
  • Analysis to see how well our communications are understood by customers.
  • Reporting and communication with our regulators, the Financial Ombudsman, Information Commissioner’s Office, and our auditors.
  • Training our staff – for example, we record or monitor phone calls with you for training and to improve our quality of service.

Type of personal data we use:
(a) Identity data.
(b) Technical data.
(c) Marketing and communications data.
(d) Financial data.

Why we do it:
(a) Necessary to comply with a legal obligation.
(b) Necessary for our legitimate interests (for example, to improve our service).

To support our customers with additional needs, for example:

  • Adjusting the way we communicate with you if you need us to.
  • Support you in times of financial stress, for example, if you lose your job.
  • Give and receive information from third parties such as the police, social services or someone acting on your behalf if it’s necessary to meet our legal obligations.

Type of personal data we use:
(a) Identity data.
(b) Sensitive data.
(c) Marketing & communication data.

Why we do it:
(a) Necessary to comply with a legal obligation.
(b) Performance of a contract with you.
(c) You have given us consent.
(d) Vital Interest.

To manage our relationships with third parties, this could include:

  • Paying any invoices or fees. For example, we will often pay your broker a procuration fee if they recommend you to us or when they conduct a review of your circumstances
  • Dealing with any complaints you may have in relation to a service provided by our partners
  • Compliance monitoring

Type of personal data we use:
(a) Identity data.

Why we do it:
(a) Necessary to comply with a legal obligation.
(b) Performance of a contract with you.

To manage deposits where you are listed as a contact point for the organisation you work for.

Type of personal data we use:
(a) Identity data.

Why we do it:
(a) Necessary for our legitimate interests (for example, to provide our services).

5. Who do we share your personal data with?

When using your information, we might share it with third parties. If we do, we make sure they undertake to keep it confidential, safe and secure just like we do. These third parties can’t just use your information for any reason – it has to be for a specific purpose and in the way we tell them to. We have written contracts in place with such third parties to make sure of this.

Here are more details about the third parties we might share your data with:

Our partners & service providers

We work with a number of third-party service providers to help run our business and provide you with our products. These include anyone we might work with to help you get a mortgage or buy your home, such as solicitors, conveyancers, surveyors, valuers and panel managers (companies that lenders use to outsource legal work for them).

We will also share your personal data with brokers acting on your behalf, to progress your application for a product through them. Unless you tell us not to, we may also share details with your broker in the future. We do this to enable them to contact you to do a periodic customer review.

It also includes third parties like our IT and system providers, cloud hosting companies, payment service providers, security partners, legal and accounting firms, insurance companies, financial auditors, property valuation firms and advertising and market research companies.

Credit reference agencies

When you apply for a loan, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs”). If you then take a mortgage product from us, we may also make periodic searches at CRAs to manage your account.

To conduct a credit and identity check, we supply your personal data to CRAs, and they give us information about you. The information we’ll supply includes information from your application and your financial situation and financial history. CRAs will also supply us with public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

  • Assess your creditworthiness and whether you can afford to take the product.
  • Verify the accuracy of the data you have provided to us.
  • Prevent criminal activity, fraud and money laundering.
  • Manage your account(s) and relationship with us.
  • Help recover any money owed to us.
  • Ensure any offers and services provided to you are appropriate to your circumstances.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. They may then provide this information to other organisations.

When CRAs receive a search from us they will place a search footprint on your credit file that other lenders may see. Too many searches may affect your credit score and make it more difficult for you to borrow money.

If you are making a joint application or tell us that you have a spouse or financial associate, we will link your records together. Make sure you discuss this with the other applicant and share this information with them before you apply. CRAs will also link your information to the information of a joint applicant, partner or other financial associate. These links will remain on your and their files until you or your partner breaks the link. If in the future you want to break this link, you will need to apply directly to the CRAs.

The identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal data, data retention periods and your data protection rights with the CRAs are explained in more detail in the Credit Reference Agency Information Notice (CRAIN). You can find this on each of the CRAs’ websites at:




Fraud prevention agencies

We will share the personal data we collect from you or others with fraud prevention agencies. They will use it to verify your identity and prevent fraud and money-laundering. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by viewing the Cifas National Fraud Database fair processing notice at https://www.cifas.org.uk/fpn.

If you provide us with false or inaccurate personal data and we suspect any unlawful activity such as fraud or money laundering, this will be recorded, and we may pass details to fraud prevention agencies.

Government agencies & regulatory bodies

We will use your information to comply with the law and to protect ourselves, our customers and others. Where required we will share information to respond to a court order or other lawful request from a public authority. This includes Government and regulatory bodies such as HMRC, the Financial Conduct Authority, the Financial Ombudsman Service and the Information Commissioner’s Office.

Anyone who funds us, buys us or merges with us

We may have to share personal data with any person or legal entity to whom we sell or transfer all or part of our business (or anyone we have discussions with about this). This also includes transferring any of our rights or obligations under any agreement we have with you.

6. Do we transfer your personal data outside of the UK?

We are based in the UK but some of our service providers are located elsewhere. This means we may transfer your personal data outside the UK. If your personal data is being processed in Europe or other parts of the European Economic Area (“EEA”) then it is protected in the same way as it is in the UK. If we transfer your personal data outside of the EEA we’ll take all reasonable steps necessary to make sure it is protected to UK standards. The measures and safeguards we have in place include conducting strict security checks and having appropriate legal contracts in place. Please contact us if you would like more information about the specific safeguards applied to the transfer of your personal data.

7. How do we keep your personal data safe?

While no transfer of data (including over the internet or any website) can be guaranteed to be secure, we do everything we can to protect your personal data. Firstly, we make sure all our staff receive data protection training and support and that access to your personal data is on a strictly need-to-know basis.

We’ve put robust security systems and processes in place to protect your personal data. We use layered security controls, like firewalls, to make sure that your personal data isn’t accidentally lost, used, accessed, changed or shared in an unauthorised way. For example, we always encrypt your personal data in line with industry best practice. We do this both when we store and whenever we transfer your personal data.

You can also help us to protect your personal data by never sharing your login details, passwords or account numbers with anyone else. If you ever think someone has accessed your account, please contact us straight away.

8. How long do we keep your personal data for?

We’ll only keep your personal data for as long as we need it to do the things we collected it for (see section 4) or where laws and regulations tell us we need to keep it for a specific amount of time.

Our online mortgage calculator stores personal data but only if you consent to receive marketing communications from us. If you do choose to receive marketing from us, we will keep your personal data for this purpose and will automatically delete your personal data after a period of 24 months if you do not engage with us, unless you tell us otherwise. Don’t forget you can change your mind and withdraw your consent to marketing at any time. If you apply for a mortgage with us and your application is unsuccessful, we’ll keep your personal data for up to 6 years, if required for fraud and financial crime purposes.

If you take our mortgage product, we’ll keep your personal data for the term of the loan plus another 6 years after that.

You have the right to ask us to delete your personal data but sometimes laws or regulations tell us we have to wait a certain amount of time before we can. If we have to wait, or if we can’t delete your personal data, we’ll let you know why. See Section 9 for more information about your legal rights.

9. What are your legal rights?

When it comes to your personal data, you have various rights. However, some of these rights only apply in certain circumstances or to certain information. We’ve explained more about each of your rights under the individual headings below.

If you want to talk to us about your rights, or make a request, just get in touch using our online form available at www.perenna.com/subject-access-request or email us at dataprotection@perenna.com. You are not required to pay any fee for exercising your rights (subject to certain exceptions) and we will always aim to respond to your request within one month.

The right to be informed

You have the right to know what information we hold about you, why we have it, how we use and share it and how long we keep it for. This is one of the main reasons we have this privacy notice: to simply explain how we collect and use your personal data.

The right to object

We’ve explained in Sections 2 and 4 what data we collect from you and our reasons. In certain circumstances, you can ask us to stop processing your personal data. For example, if the reason we’re using your personal data is for marketing purposes. There are situations where we’re not able to stop processing your personal data and we will always tell you why we can’t.

You can opt out of receiving marketing communications from us at any time by clicking the unsubscribe link in any email you’ve received from us, or by emailing us at unsubscribe@perenna.com.

The right of access

You have the right to ask us to confirm whether we are processing your personal data and to receive a copy of the personal data we hold about you (along with certain other details). This is commonly known as a “subject access request.” To find out more about how to submit a subject access request, please visit www.perenna.com/subject-access-request

The right to correct any errors

If any of the personal data we hold about you is incorrect or out of date, you can ask us to correct it. You also have the right to ask us to complete information you think is incomplete.

The right to deletion

You can ask us to delete your personal data (also known as “the right to be forgotten”) if:

  • We no longer need it for the original reason we collected it for.
  • We only hold and use your personal data because you gave us your consent, which you have now withdrawn.
  • You object to us processing your personal data, and we no longer have a legitimate interest to continue processing it.
  • You change your mind about receiving direct marketing from us.
  • We have collected or been using your information unlawfully.
  • We have a legal obligation to erase your information.

Sometimes, we might not be able to delete your personal data. This is because there are certain laws and regulations that tell us how long we have to keep some information for. If we can’t delete it, we will tell you the reasons why when we respond to your request.

The right to restrict processing

In some situations, you have the right to ask us to limit the way we use your information. You can ask us to do this if:

  • You have asked us to correct the personal data we hold about you and you don’t want us to process it until we’ve sorted it out.
  • We have been using your information unlawfully, but you don’t want us to delete it.
  • We no longer need your information, but you want us to keep it in order to create, exercise or defend legal claims.
  • You have objected to how we use your information, and we are still dealing with this.

The right to data portability

You have the right, in certain circumstances, to ask that we transfer any information you gave us from one organisation to another, or give it to you.

The right to challenge any automated decision

Sometimes we use computers to make decisions without humans being involved. You have the right to challenge an automated decision and can ask us to get someone to review these decisions if they have had a serious impact on you or your legal rights.

10. How will we keep you up to date?

We last updated this privacy notice on 25 September 2023. We’ll update this notice any time we make changes affecting how we use your information. We’ll let you know about any significant changes to this privacy notice, usually by email or text message. And we’ll highlight the changes we make so that you can clearly see them. If you need to see an older version, you can also find these linked at the bottom of this page.

11. Third party links and services

This privacy notice does not apply to your interaction with any other third parties and applies solely to personal data processed by us through your use of our website, your receipt of our services and/or in connection with our business operations. When you use a link to go from our website or you request a service from another third party service provider, this privacy notice shall not apply to the processing of your personal data carried out by the relevant third party service provider. Your browsing and interactions on any other websites, or your dealings with any third party service provider, are subject to that website’s or third party service provider’s own rules and policies.

12. What if you need to complain?

If you’re unhappy about how we’re using your information, please get in touch. We’ll investigate and get back to you as soon as we can. You can make a complaint by:

Completing our webform at www.perenna.com/complaints

Emailing us at: complaints@perenna.com

Writing to us at:

Data Protection Officer
Perenna Bank PLC
PO Box 755
S43 3LS

We would really like the chance to help you first, but you do have the right to complain at any time to the Information Commissioner’s Office (“ICO”). The ICO is the UK data protection regulator. For more information and their contact details please visit: ico.org.uk/make-a-complaint.

Previous versions

August 2023

May 2023

December 2022

October 2022

December 2020

July 2020