Welcome to the Norton Home Loans privacy notice for applicants and customers.
Norton Home Loans and Norton Financial Services both form part of the Norton Finance Group Limited.
This privacy notice tells you how we use your personal data to provide our services. It’s important that you understand what happens when you give us personal data or when we receive personal data about you from other sources.
We use some words and phrases in this privacy notice that have specific meanings under data protection law. We’ve put these words and phrases in bold.
Who we are and who is responsible for protecting your personal data
1.1 We are Norton Home Loans, a specialist mortgage provider. We are the data controller of personal data we collect and use about you in connection with services related to mortgage and secured loan advice and credit broking activities.
1.2 We have appointed a data protection officer, or “DPO”, who you can contact if you have any questions or complaints. You can email our DPO at dpo@norton-finance.co.uk.
Where we collect your personal data
We collect most of the personal data we process directly from you, for example when you complete an application or contact us. We do collect some personal data from third parties, including credit intermediaries, brokers, credit reference agencies and fraud prevention agencies.
Directly from you | We collect personal data from you when you: |
---|---|
Data we collect when you use our services | Like many websites, we use cookies to monitor which areas of our website you spend the most time looking at, so we can tell you about services or products which might interest you when you next visit us online. You can find out more about this in our Cookies Policy. |
Data from Third Parties | We may collect data from the following external organisations: |
What personal data we collect
The personal data we collect includes (among others), your contact details, information about your financial status/financial history, information about your employment, information about your identity and information about how you manage your product with us.
Contact information | Your name (and any previous names), date of birth, address, previous addresses from the last three years, email address, contact telephone number and bank details. |
---|---|
Financial | Your financial status, circumstances, history, credit records, banking information. |
Socio-Demographic | Your occupation, salary, gender, age, nationality etc. |
Transactional | Details about the payments you make to your accounts or in relation to any contract you have with us. |
Contractual | Details about any products or services we supply to you. |
Behavioural | Details of how you use our products and services. |
Communications | Any information we have that we have obtained about you from letters, e-mails and conversations between us. |
Creditor Information | Details about your current or expected mortgage, or any other outstanding credit. This may include the details of the lender, the amount outstanding, your mortgage broker, account numbers or property details. |
Technical | Details of the devices and technology you use, including your Internet Protocol (“IP”) address. |
Identity Information | We may collect information to verify your identity and residency. This could include documents such as your passport, driving licence, birth certificate, national insurance number, utility bills, bank statements, VISA status, rights of residency information and details obtained from national and international databases of sanctioned persons. |
Consent/Choices Information | Any permissions, consents or preferences that you give us, including how you would like us to contact you. |
Special Categories of Information | Certain types of personal information are classified as special category data. We will only collect and use this data if the law allows us to, and it is relevant to the provision of our services to you: |
Gender Identity | Information about the gender you may identify as. |
Open Data and Public Records | Details in the public domain, such as Electoral Register, information that is openly available on the internet, including publicly available social media information. |
How and why we use your personal data
We only use your personal data if we have a “lawful basis” to do so. We use your personal data primarily to provide and manage our products and to manage our relationship with you, which we need to do so that we can fulfil our contractual obligations to you. We also use your personal data to comply with our legal and regulatory obligations (for example, to keep accurate records and prevent and detect fraud) and where we have an interest in using your personal data (for example, collecting debt from you and monitoring our products and services so that we can improve them).
If you are happy to receive marketing from us we’ll also use your personal data to market our products and services to you.
What we use your personal details for | Our lawful basis | Our legitimate interests (if applicable) |
---|---|---|
Your application: | Necessary for a contract. | Not applicable. |
Checking your identity to confirm that it is you. | Necessary to comply with the law. | Not applicable. |
Manage your account and your relationship with us. | Necessary for a contract. | Not applicable. |
Preventing and detecting fraud and financial crime. | Necessary to comply with the law. | Not applicable. |
Sharing relevant marketing about our products and services. | Consent. | Not applicable. |
Meet our legal and regulatory obligations | Necessary to comply with the law. | Not applicable. |
To improve our existing products and services, and to help develop new products and services. | Necessary for our legitimate interests. Necessary for reasons of substantial public interest. | To ensure our products and services meet the needs and financial objectives of the target market, so we can consistently deliver good customer outcomes and positive customer experiences. To enhance customer experiences. To enable us to manage risk more effectively, mitigating the risk of foreseeable harm. |
Provide information you request from us. | Necessary for a contract. | Not applicable. |
To provide additional support to you in challenging times, including to help you manage any payment shortfalls. | Necessary for our legitimate interests. Necessary for reasons of substantial public interest. | To ensure that you are provided with additional signposting and support where required, to protect your economic wellbeing. |
Who we share your personal data with and why
We sometimes need to share your personal data with other organisations, so that we can continue to provide our services to you or for other legitimate reasons. This can include suppliers, brokers, regulators, government/law enforcement agencies and other professional advisors. We will take reasonable steps to make sure that whoever we share your personal data with protects it as well as we do.
Who we share your personal data with | Why we share it |
---|---|
Suppliers who provide services to us that require them to use your personal data. In these cases, the supplier acts as a “data processor” on our behalf. The suppliers we share your personal data with include: | We share personal data to enable these suppliers to provide their services to us. This, in turn, allows us to continue to operate as a business and provide our products and services to you. They are not allowed to use your personal data for any purposes other than to provide their services to us. |
Other providers of financial services products. | We share personal data with providers of financial services products which we recommend from our panel. We only share the relevant amount of information required in order for them to consider your application with them. We may also need to contact your existing creditors, such as other lenders who have a charge on the property. |
Credit Reference Agencies | We share personal data with the Credit Reference Agencies to carry out credit and identity checks so we can assess the suitability of the products recommended and comply with our legal obligations. Please see the section below for more detail. |
Fraud Prevention Agencies | We may share information with external third party fraud prevention agencies, to help detect, investigate and prevent fraud. Please see the section below for more detail. |
Introducers | We share your information with other companies and organisations that introduce you to us, such as credit brokers and price comparison websites. |
Valuation/Survey Firms | We share personal data with third party firms providing professional valuation services, so we can assess the security that is being used for a proposed loan. |
Solicitors/Professional Third Parties | We may need to share your information with solicitors used in a conveyancing transaction, in order for your application to progress. |
Government Bodies and Agencies | We may need to share your data with government agencies, or public authorities, as part of our financial crime obligations. |
Payment Processors/Card Associations | We may need to share information with payment processors (e.g., BACS) or card associations (e.g. Visa) in order to take payments from you. |
Credit reference agencies
We use credit reference agencies (“CRAs”) to help us carry out credit and identity checks when you apply for a product or service with us. This involves us sharing your personal data with CRAs and receiving personal data back from them. We use the personal data they send us to assess our credit risk and make sure what you’ve told us is true.
CRAs link your records with other people who are associated with you – including people you make a joint application with and any spouse, civil partner or partner.
5.1 We share your personal data (and that of any joint applicants) with CRAs. We send your personal data to them when you apply for a product or service and during our relationship.
5.2 You must make sure that any joint applicants and associated partners are aware of the checks being undertaken before applying. You must not submit personal data about a third party without providing this privacy notice to them and ensuring they are happy to proceed.
5.3 When we ask CRAs about you and joint applicants, they will note it on your credit file. This is called a credit search. Other organisations (including lenders or providers of goods or services) will see this credit search or previous footprint on any report prepared for their own purposes and prospective relationship with you.
Personal data we send to the CRAs | Personal data we receive from the CRAs | How we use the information we receive from CRAs |
---|---|---|
Name, address, date of birth, credit application. We will give the CRAs details about settled amounts that were due to us. The CRAs may give this information to other organisations that want to check credit status. We will also report to the CRAs if you default on any payments due to us. This may negatively affect your credit score and limit your ability to obtain credit in the future. | Name, address, date of birth. Credit score. Details of any shared credit. Financial situation and history. Public information from sources such as the electoral roll and Companies House. | To verify your identity and the information you have provided to us. To assess our credit risk and decide whether to offer you a product or service. To help detect and prevent financial crime. To manage our contractual relationship with you. To trace and recover debts. |
5.4 Linked records and associated individuals:
If you make a joint application with someone else, we and the CRAs will link your records with the joint applicant’s records. We will do the same if you tell us you have a spouse, partner or civil partner. These linked records are called associated records. Enquiries made with CRAs may be answered from both your record and any associated records. Two people’s records will be associated when they make a joint application, you tell us about a financial association or the CRA has associated records.
You should tell associated individuals about this before you apply for a product or service. It is important that they know your records will be linked together, and that credit searches may be made on them.
These links will stay on your files unless one of you asks the CRAs to break the link. You will normally need to give proof that you no longer have a financial link with each other to successfully disassociate or break the linked record.
5.5 Where to find out more:
The CRAs have created a “Credit Reference Agency Information Notice” (or “CRAIN”) which includes more details about how the CRAs use and share your personal data, as well as their role as fraud prevention agencies.
The CRAINs for each of the three main CRAs are available on their websites, which we have linked below:
- Experian: https://www.experian.co.uk/legal/crain/
- Equifax: https://www.equifax.co.uk/crain/
- TransUnion: https://www.transunion.co.uk/legal/privacy-centre/pc-credit-reference
You can also find more information about how the CRAs use personal data, and your data protection rights with the CRAs, here: https://ico.org.uk/for-the-public/credit/
Fraud prevention agencies data
We are, or may in the future become, members of certain anti-fraud organisations known as “fraud prevention agencies” or “FPAs”. If we identify evidence of any financial crime on your account, we will share this information with FPAs. This helps other members of the FPAs and law enforcement agencies, to detect, investigate and prevent fraud and other financial crime.
If we, or an FPA, believe that you have committed fraud or another type of financial crime, the FPA will keep a record of this and you could be refused certain services or finance.
What happens if you don’t give us personal data we need
If we need personal data in connection with our contract with you (including for your application) or to comply with a legal requirement, and you do not provide it, this may delay or prevent us from meeting our obligations. It may mean that we cannot provide your product or service.
What rights you have over your personal data
You have certain rights over your personal data. These include rights to access a copy of your personal data, to ask us to erase your personal data and ask us to correct inaccurate personal data. You can ask to exercise these rights by contacting us at dsar@nortonhomeloans.co.uk. There are some circumstances in which we do not need to comply with all or part of your request. If this is the case, we will explain this to you.
8.1 The rights you have, and what each of these mean, are explained in the table below.
Your right | What this means |
---|---|
Right to access personal data | You can ask us to send you a copy of the personal data we hold about you. We will carry out a reasonable search for personal data and send you the personal data that we locate within one month, or three months if your request is complex. We are allowed to withhold information in some circumstances, for example to protect other individuals’ privacy or in the event of a criminal investigation. |
Right to correct inaccurate personal data | You can ask us to correct, clarify or amend your personal data if it is inaccurate, incomplete or otherwise out of date. |
Right to erasure | You can ask us to delete your personal data in certain circumstances, for example if we no longer need it or if we have collected it unlawfully. |
Right to restrict use of your personal data | You can ask us to limit how we use your personal data in certain circumstances. For example, if you think your personal data is inaccurate but we disagree, you can ask us to stop using it to make decisions until we can verify if it is accurate or not. |
Right to data portability | Where personal data is necessary for a contract, or where we collected it based on your consent, you can ask us to move, copy or transfer it to another provider. |
Right to object | Where the use of personal data is necessary for our legitimate interests, you can ask us to stop using it for those purposes. We can continue to use it if we can show that we have a compelling, legitimate reason to do so. |
Right to opt out of direct marketing | You can always ask us not to continue to send direct marketing to you. You can do this by clicking on the “unsubscribe” link in marketing emails or contacting us using the details above. |
Right to withdraw consent | If we have asked you for your consent to use personal data in a particular way, you can withdraw that consent at any time. |
8.2 If you ask to exercise one of the rights above, we may ask you to verify your identity before we process your request. This is to avoid confidentiality breaches and make sure we do not disclose personal data to the wrong person.
How we use your personal data to make automated decisions
We sometimes use your personal data to make automated decisions. This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know about you.
9.1 When you apply for a product or service, we make the following decisions electronically based on the personal data we know about you:
- deciding whether the product or service is relevant for you; and
- checking whether you meet the conditions to enter into the contract, which may include checking information such as your age, residency or nationality, as well as carrying out a credit check with credit reference agencies (see the section headed “Credit reference agencies” for more information about how this works).
9.2 If our systems decide that the product or service is not relevant, or that you do not meet the relevant conditions, we will not be able to offer you that product or service.
9.3 You can:
- ask us not to make the decision based on the automated score alone; or
- object to an automated decision and ask that a person reviews it.
How long we keep your personal data for
We only keep your personal data for as long as necessary for the purposes for which it was collected and used. When it is no longer needed, we securely delete it or anonymise it.
10.1 The period for which we keep personal data varies depending on the nature and context of the relevant personal data. When we decide how long to keep personal data, we take into account:
- how long we need to keep it to fulfil the original purpose of collecting it;
- whether there could be any claims, complaints or litigation that require us to use that personal data;
- any relevant guidance from official bodies such as regulators;
- how sensitive the personal data is; and
- whether there are any relevant legal obligations that we need to comply with.
10.2 Generally speaking, we keep personal data for 6 years after your relationship ends with us. We may keep your information for longer than indicated if we cannot delete it for legal, regulatory, or technical reasons. We may also keep it for research or statistical purposes. If we do, we'll make sure that your privacy is protected and only use it for those purposes.
Where we store and send your personal data
The personal data we collect is stored in the UK and the European Economic Area (EEA). Your data receives the same level of protection in the EEA as it does in the UK through the safeguard of Adequacy Decisions.
11.1 We carry out due diligence on all suppliers we appoint to check where they send personal data and, if personal data is transferred outside the UK, to make sure that appropriate protections are in place.
11.2 Those protections could be:
- 11.2.1 making sure the country your data is sent to is designated as an “adequate” country by the UK government. This means that the government has reviewed that country’s data protection laws and decided that it provides an equivalent level of protection of personal data to the UK; or
- 11.2.2 if the transfer of personal data is between group companies, making sure that there are “binding corporate rules” in place. These are sets of policies and rules between group companies that ensure that companies in other countries protect personal data in the same way that it is protected in the UK; or
- 11.2.3 making sure that there is an “international data transfer agreement” in place to cover the transfer. This is an agreement that places obligations on the recipient of the personal data outside the UK to protect personal data as would be required by UK data protection laws.
Changes to this privacy notice
We might change this privacy notice from time to time, to make sure it is up-to-date with the law and with the ways we use your personal data. You should check the privacy notice from time to time to see if anything has changed.
The privacy notice was last updated on 2nd April 2024.
What you can do if you have any questions or complaints
If you have any questions about this privacy notice or how we use personal data, or if you are not happy with how we have processed your personal data, you can contact our DPO using the following details:
Email: dpo@norton-finance.co.uk
Telephone number: 0808 231 5530
Post: Norton House, Mansfield Rd, Rotherham, S60 2DR
You also have the right to make a complaint to the Information Commissioner’s Office, which is the data protection regulator. You can find out on their website how to make a complaint: www.ico.org.uk.