How Bamboo Limited uses and protects your information – Privacy Notice
Bamboo Limited (‘’Bamboo’’) is committed to ensuring that your privacy is protected. This privacy notice explains how we collect, use and share personal information about you in the course of our business activities and dealings with you and your representatives.
This notice is effective from 18 July 2023. Bamboo may change this notice from time to time to keep it up to date with legal requirements, guidance from the Information Commissioner’s Office and to reflect the way we operate our business. You should check this page regularly to ensure that you are aware of any changes.
Please note that if you are directed to our website via an intermediary then this privacy notice will apply, rather than any privacy notice used by the intermediary.
What personal information we collect and where from
By “your information” we mean personal information about you. We will collect most of this information directly from you as part of the application process, including but not limited to your name, address, date of birth, contact details, financial information, bank account details and transaction history, employment details, identity documents and details of any vulnerability affecting you.
We also collect the personal information referred to above, together with details of your loan and credit history, credit scoring (as described in more detail below) and fraud search results from other sources, including your broker or other loan sourcing business, from your guarantor and from any borrower you guarantee, from your representatives and from third parties, such as credit reference agencies (“CRAs”), fraud prevention agencies and analytical service providers.
Please note that we may record telephone calls for training, monitoring, compliance and security purposes.
What we do with the personal information we collect
Generally speaking, we require the information we collect to:
- understand your needs;
- service you as a customer;
- provide a better service;
- check whether you may be suitable for other credit products or services we, our group companies, affiliates, branded product providers or selected trusted third parties may offer from time to time (including in situations where we have declined you for a product or service);
- comply with our contractual obligations to you and our obligations to regulatory authorities; and
- develop our business and that of our group companies and affiliates.
More specifically, we will use your information for the following purposes:
- Carrying out checks for the purposes of preventing, investigating and responding to fraud, money laundering and other financial crime and to verify your identity.
- Reviewing and processing your loan application.
- Internal record keeping. For example, so we can ensure we keep in contact and are aware of any issues or changes concerning your personal or financial circumstances which may be relevant to the servicing of your loan account or the collections we make from you or your guarantor.
- Assessing your creditworthiness and whether you can sustainably afford to repay your loan or to service any guarantee you have given, verifying the accuracy of the data you have provided to us and managing your payment obligations to us. If you have any doubts about whether a loan you have applied for is affordable, you must let us know at once. Note that if you authorise us to use open banking to help us assess the affordability of your loan, the bank(s) with whom you hold an account will give us access to your bank statements showing historic transactions. To understand more about how your data is shared, data retention periods and your data protection rights via open banking, please see our appropriate open banking provider’s privacy notice here: Equifax: https://consents.online/Privacy; DataOne: https://connect.data.one./data-one-partner/privacy.
- Servicing and managing your loan account and any guarantee account and providing our services to you. For example, providing annual statements, payment reminders, arrears management, and debt collection and management.
- Liaising with and providing information to the Financial Conduct Authority, the Information Commissioner’s Office and other regulatory authorities, trade organisations, insurers, funders, investors and suppliers, the CRAs, Cifas and the National Crime Database and crime prevention agencies and ensuring we remain compliant with laws and regulations applicable to our business (in each case as described in more detail in the “SHARING YOUR PERSONAL INFORMATION” section below);
- Dealing with queries and complaints and managing disputes (including after settlement of your account with us) and in order to protect and enforce our legal rights and those of our affiliates and group companies.
- Improving our products and services for our customers. For example, by learning from our interaction with prospective and actual customers so we can improve customer experience, develop customer and brand loyalty, and develop effective promotion strategies.
- Producing models, content and statistical analysis and for enhancing our database and knowhow.
- Contacting you by electronic means, email, phone, SMS text message or mail for the purposes listed in this notice and otherwise where necessary in relation to the services offered or provided by us. Where applicable our group companies or affiliates may contact you for the same purposes.
- Contacting you to re-engage with you where you have visited our site or received a loan quotation but not proceeded with that loan. This may include posting banner advertisements as you browse the internet or use your social media accounts. This is described in more detail on our Cookie Notice webpage.
- Depending on your preferences, we or any of our group companies or affiliates may periodically send you promotional emails, SMS or mail (using the contact details you have provided to us) about new credit products or services and special offers or to provide information about our products or those of our group companies and affiliates (or selected trusted third parties) which we consider may be appropriate to your circumstances or of interest to you.
- Customising our website according to your interests.
- From time to time, contacting you for market research purposes.
Sharing your personal information
- We may pass your personal information to:
- other companies within our group or our affiliates (including Plata Finance Limited) or selected trusted third parties where such data sharing is necessary or helpful in providing you with products or services or to manage our business or for our internal funding arrangements;
- any borrower in respect of whom you have given a guarantee or any guarantor of your loan;
- our funders and investors;
- our professional advisors and insurers;
- your broker or any third party who introduces you to us;
- any insolvency officer, debt adviser or solicitor acting on your behalf;
- any operator or provider of our or any of our affiliate’s websites or any linked site;
- third parties who help manage our business and deliver services (these include IT service providers who help manage our IT and back office systems, our payment services providers and banks, providers of open banking facilities, providers of analytics and our loans servicing and administration suppliers);
- debt collection and tracing agencies;
- CRAs; and
- other third parties who provide a service to us or act on our behalf and purchasers of loan portfolios.
- We may also share your personal information with third parties (including private investigators) to detect, investigate or prevent fraud, money laundering and other financial crime, and to assist with the apprehension and prosecution of offenders, or if we have a duty to share that information with a third party or are required to do so by law, regulation or court order or are requested to do so by any law enforcement or regulatory or governmental agency.
- We may share your information with our regulators, which may include the Financial Conduct Authority or Information Commissioner’s Office and governmental agencies such as the Financial Ombudsman Service.
- The personal information we have collected from you will be shared with fraud prevention agencies such as Cifas, who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment and existing services could be withdrawn. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found on CIFAS
- We and fraud prevention agencies may allow law enforcement agencies to access and use your personal information to detect, investigate and prevent crime. Please contact us at 0330 159 6013 if you want to receive details about the fraud prevention agencies with whom we work. We may also use information about you provided by overseas fraud prevention agencies.
- Depending on your preferences, we may share your personal information with other companies within our group, or with our affiliates, branded product providers or selected trusted third parties in order to allow them to provide you with information and promotions about their products or services, to provide services and products to you, and to develop their business.
- We may share, in an aggregated, statistical form, non-personal information regarding the visitors to our website, traffic patterns, and website usage with our partners, affiliates, branded product providers or selected trusted third parties or advertisers.
- If, in the future, we sell or transfer some or all of our business, assets or loan portfolio to a third party, we may disclose your personal information to a potential or actual third party purchaser and their professional advisors.
- We may share your personal information with debt advice organisations and charities/support agencies if you consent to that.
Sharing data with Credit Reference Agencies
When you apply for a product from us, you confirm that all the information you have given to us is accurate. We will make contact with CRAs and fraud prevention agencies in order to assess your credit status, to verify your identity and to detect fraud. We may also make periodic searches at CRAs and fraud prevention agencies to enable us to manage your payment obligations to us or to check your credit status. When we conduct a search with a CRA, we will supply your personal information and add details of our search and information from your credit application to your credit records. This can be seen by other lenders. A large number of applications within a short period of time could impact your ability to obtain credit. We will use a credit scoring or a number of other automated decision-making systems when assessing your application. CRAs supply us with public information (including data from the electoral register), and credit, financial situation, financial history and fraud prevention information that has been shared by other lenders. Law enforcement agencies may also access and use this information. The sharing of your information with the CRAs is governed by a set of industry guidelines known as the ‘’Principles of Reciprocity’’.
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, or if a guarantor fails to pay in full and on time, CRAs will record the outstanding debt in relation to the borrower and guarantor. This information may be supplied to other lenders and organisations by CRAs. When CRAs receive a search request from us (including a search carried out to resolve a query or complaint you have raised whether before or after the account has been settled) they will place a search footprint on your credit file that may be seen by other lenders.
If you tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them and share with them this information, before lodging the loan application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail by each of the three CRAs – clicking on any of these three links will also take you to the same CRAIN (Credit Reference Agency Information Notice) document: TransUnion: www.transunion.co.uk/crain; Equifax: www.equifax.co.uk/crain; Experian: www.experian.co.uk/crain/.
The legal basis for using your personal information
We will only collect, obtain, use and share your personal information where we are satisfied that we have an appropriate legal basis to do this. This may be because:
- our use of your personal information is necessary to take steps to enter into a contract with you or to carry out a contract; for example, to assess your creditworthiness, to check the sustainable affordability of any repayments, or to enter into a loan agreement with you;
- our use of your personal information is necessary to comply with a relevant legal or regulatory obligation that we have; for example, to discharge our obligations to lend to you responsibly including by assessing your creditworthiness and/or conducting searches with CRAs. CRA searches may be conducted to investigate any query or complaint you have raised and your personal information may be supplied to the CRAs to ensure accurate reporting;
- our use of your personal information is in our legitimate interest as a commercial organisation; for example:
- to prevent fraud and money laundering, and to verify identity, in order to protect our business and to comply with the laws that apply to us (such processing is also a contractual requirement of the services or financing you have requested);
- to market our credit products to you in certain circumstances or to allow marketing by members of our group of companies or by affiliates;
- to make improvements to the design or user-friendliness of our products and services; or
- to share data with suppliers, purchasers, members of our group of companies and our affiliates.
We will look after your information at all times in a way that is proportionate and respects your privacy rights. You have a right to object to processing as explained in the “Your Legal Rights” section below;
- You have provided your consent to us or a service provider regarding use of your personal information: for example, in relation to our direct marketing activities or where you authorise us to use open banking to assess the affordability of your loan.
If you would like to find out more about the legal basis on which we process personal information, please contact us at email@example.com.
Explaining more about direct marketing, cookies and automated decision making
In this section you can find out more about:
- how we use personal information to keep you up to date with our products and services;
- how you can manage your marketing preferences;
- when and how we undertake profiling and analytics; and
- when and how we carry out automated decision making
How we use personal information to keep you up to date with our products and services
As mentioned above, we may use your personal information to let you know about products and services that we believe will be of interest to you. We may contact you by email, post, or telephone or through other communication channels. In all cases, we will respect your preferences as to how you would like us to manage marketing activity with you.
How you can manage your marketing preferences
To protect privacy rights and to ensure you have control over how we manage marketing with you:
- we will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you;
- whenever you are asked to fill in a form on our site, you can look for a box that you can click to indicate that you do not want the information to be used by anybody for marketing purposes;
- you can ask us to stop direct marketing at any time – you can ask us to stop sending email marketing, by following the ‘unsubscribe’ link you will find on all the email marketing messages we send you. Alternatively, you can contact us at firstname.lastname@example.org or by telephone by calling 0330 159 6013. Please specify whether you would like us to stop all forms of marketing or just a particular type (e.g. email). Also, you can, at any time, ask us to end marketing texts, by sending us a STOP message to +447480559920;
- you can change the way your browser manages cookies, which may be used to deliver online advertising, by using the tool we make available to you on our website or following the settings on your browser as explained on our Cookie Notice webpage.
We recommend you routinely review the privacy notices and preference settings that are available to you on any social media platforms.
When and how we carry out automated decision making
As described above, we will use a credit scoring or a number of other automated decision-making systems when assessing your application. These automated processes are used to assess your creditworthiness and whether you can sustainably afford to repay the loan and inform our decision about whether or not to proceed with your application. We may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have hidden your true identity. These processes make use of information which you provide to us directly and information which we collect from third parties (including from CRAs) and includes a combination of information about your personal and financial status. For more information about how you can exercise your rights in relation to these automated processes, please see the “YOUR LEGAL RIGHTS” section below.
Transferring personal information outside the United Kingdom
Your personal information may be transferred and stored in countries outside the United Kingdom, including the European Economic Area (the “EEA”) and/or the United States, that may be subject to different standards of data protection. We will take appropriate steps to ensure that transfers of personal information are:
- in accordance with applicable law;
- carefully managed to protect your privacy rights and interests; and
- limited to countries (including the EEA) which are recognised by the UK as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights.
To this end, where we transfer your personal information to third parties who help provide our products and services, we obtain contractual commitments from them to protect your personal information to UK standards, unless we are legally permitted to transfer your personal information, for example if the transfer is necessary for the establishment, exercise or defence of legal claims.
You have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure your personal information is adequately protected when transferred.
How we protect and store your information
We have implemented and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorised disclosure or access to such information, appropriate to the nature of the information concerned. Measures we take include placing confidentiality requirements on our staff members and service providers and destroying, deleting or permanently anonymising personal information if it is no longer needed for the purposes for which it was collected. As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect user IDs and passwords please take appropriate measures to protect this information.
We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected- the longest period we will hold your personal information is for the lifetime of your loan agreement with us (together with any period where we are in dispute with you following repayment) plus a further period of 6 years following that date. In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, and/or accounting requirements.
Fraud prevention agencies can hold your personal information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your information may be held by such agencies for six years.
Your legal rights
Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal information. These rights are:-
- To access personal information
- To correct / erase personal information
- To restrict the processing of your personal information
- To transfer your personal information
- To object to the processing of personal information
- To object to how we use your personal information for direct marketing purposes
- To obtain a copy of personal information safeguards used for transfers outside your jurisdiction
- To lodge a complaint with the Information Commissioner’s Office
We may ask you for additional information to confirm your identity and for security purposes, before disclosing any personal information requested by you. We reserve the right to charge a fee where permitted by law, for instance if your request for personal information is manifestly unfounded or excessive.
You can exercise your rights by contacting us, see “CONTACT US” below. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Right to access personal information
You have a right to request that we provide you with a copy of the personal information that we hold about you and you have the right to be informed about: (a) the source of your personal information; (b) the purposes, legal basis and methods of processing; (c) the data controller’s identity; and (d) the entities or categories of entities to whom your personal information may be transferred.
Right to rectify or erase personal information
You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it.
Subject to the paragraph below, you can also request that we erase your personal information in limited circumstances where:
- it is no longer needed for the purposes for which it was collected; or
- you have withdrawn your consent (where the data processing was based on consent); or
- following a successful right to object (see Right to Object below); or
- it has been processed unlawfully; or
- erasure is required to comply with a legal obligation to which we are subject.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary:
- for compliance with a legal obligation; or
- for the establishment, exercise or defence of legal claims; or
- where we have a legitimate interest to retain the information (see “The legal basis for using your personal information” above).
Right to restrict the processing of your personal information
You can ask us to restrict the processing of your personal information, but only where:
- its accuracy is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal information following a request for restriction, where:
- we have your consent; or
- to establish, exercise or defend legal claims; or
- to protect the rights of another natural or legal person.
Right to transfer your personal information
You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where:
- the processing is based on your consent or on the performance of a contract with you; and
- the processing is carried out by automated means.
Right to object to the processing of your personal information
You can object to any processing of your personal information which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.
If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Right to human intervention
When you apply for a loan we will use an automated decision process to decide whether to lend to you. If we decline your application, you can ask one of our underwriters to review the decision.
Right to object to how we use your personal information for direct marketing purposes
You can request that we change the manner in which we contact you for marketing purposes.
You can request that we do not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.
Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction
You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the United Kingdom.
We may redact data transfer agreements to protect commercial terms.
Right to lodge a complaint with the Information Commissioner’s Office
You have a right to lodge a complaint with the Information Commissioner’s Office (which regulates the processing of personal data in the UK) if you have concerns about how we are processing your personal information.
We ask that you please attempt to resolve any issues with us first, although you have a right to contact the Information Commissioner’s Office at any time.
The primary point of contact for all issues arising from this privacy notice, is our Compliance Department who can be reached at email@example.com or by writing to us at Bamboo Limited, 1st floor, Grenville House, Nelson Gate, Southampton, SO15 1GX
If you have any questions, concerns or complaints regarding our compliance with this notice and/or data protection laws, or if you wish to exercise your rights, we encourage you to first contact us. We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and in any event, within the timescales provided by data protection law.
To contact the Information Commissioner’s Office
You have a right to lodge a complaint with the Information Commissioner’s Office at any time. The Information
Commissioner’s Office can be contacted on 0303 123 1113 or via other methods of communication as explained on their website (currently https://ico.org.uk). We ask that you please attempt to resolve any issues with us first.
Links to other sites
Our site may contain links to other sites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other site. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy notice. You should exercise caution and look at the privacy notice applicable to the site in question.