This sets out how Bamboo uses and protects your information
This policy is effective from 11 January 2021.
Bamboo may change this policy from time to time to keep it up to date with legal requirements, guidance from the Information Commissioner’s Office and the way we operate our business. You should check this page regularly to ensure that you are aware of any changes.
What personal information we collect and when and why we use it
By “your information” we mean personal information about you, such as your name, address, date of birth, contact details, financial information, employment details, and device identifiers including IP address that we collect: from you, your broker or other loan sourcing business, your representative, any potential guarantor for you or individual you may guarantee, or from third parties, such as credit reference agencies (“CRAs”) (who may search the electoral register), fraud prevention agencies, credit, income and expense analytical service providers or other organisations; or learn about you from the way you manage your payment obligations to us (including from the transactions and payments made to your account with us) or the way in which you interact with our website.
We may record telephone calls for, training, monitoring, compliance and security purposes.
What we do with the personal information we collect
We require the information we collect to understand your needs, to service you as a customer, provide a better service and to check and assess whether you may be suitable for other credit products or services we, our affiliates, branded product providers or selected trusted third parties may offer, or provide from time to time, including if we were to decline you for a product or service. Specifically, we will use your information for the following purposes:
- Before we provide services or financing to you, we undertake checks for the purposes of preventing fraud and money laundering and to verify your identity. These checks require us to process personal data about you.
- Processing your loan application or determining your ability to be a guarantor: for example, by assessing your creditworthiness and the sustainable affordability of the loan instalments throughout the loan term. If you have any doubts about the loan affordability for you, any borrower you may guarantee, or as guarantor, you should tell us and not proceed with the application.
- Internal record keeping: for example, so we can ensure we keep in contact and are aware of any issues or changes concerning your personal or financial circumstances which may be relevant to our servicing of your loan account or collections we make for you or any guarantor.
- Carrying out credit and identity checks including with one or more of the CRAs (as described in more detail below) including for query or complaint handling after your account has been settled.
- Assessing your creditworthiness and whether you can sustainably afford to repay the loan or guarantee it, verifying the accuracy of the data you have provided to us and managing your payment obligations to us.
- Servicing and management of your loan account and guarantor and our services to you: for example to provide annual statements, payment reminders, and arrears management and query or complaint handling (including after your account has been settled).
- Improving our products and services for our customers: for example, by learning from our interaction with prospective and actual customers (whether borrowers or guarantors) what is helpful and what is unhelpful in their online experience and our dealings (and those of our commercial partners (such as income verification service providers)) with customers so we can develop and improve the customer experience and develop customer and brand loyalty.
- We may contact you by electronic means, email, phone, SMS text message, fax or mail for the purposes listed in this policy and otherwise where necessary in relation to our services.
- We may contact you to re-engage with you where you have visited our site or received a loan quotation but not proceeded with that loan. This may include posting banner advertisements as you browse the internet or use your social media accounts.
- Depending on your preferences, we may periodically send you promotional emails, SMS or mail about new credit products or services, special offers or other information of ours, our affiliates, branded product providers or selected trusted third parties which we consider may be appropriate to your circumstances and that you may find interesting, using the email address or SMS contact details or postal address which you have provided.
- We may use the information to customise our website according to your interests.
- From time to time, we may also use your information to contact you for market research purposes.
Sharing your personal information
- We may pass your information to: other companies within our group or affiliates, branded product providers or selected trusted third parties where such disclosure is necessary to provide you with our services or to manage our business; for our internal funding arrangement; our funders; your broker or any third party who introduces you to us; any borrower in respect of whom you are acting as guarantor or guarantor whom guarantees your loan with us; or any operator or provider of our site or any linked site; third parties who help manage our business and deliver services (these include IT service providers who help manage our IT and back office systems, our payment services providers and banks and our loans servicing and administration suppliers); debt collection and tracing agencies; any party to which we sell, transfer or assign our rights; CRAs and fraud prevention agencies; where necessary to other people or third parties who provide a service to us or act on our behalf.
- We may also share your information for crime, fraud and money laundering prevention and the apprehension and prosecution of offenders, or if we have a duty to do so or are required by law. To comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies we may share your information with our regulators, which may include the Financial Conduct Authority or Information Commissioner’s Office and governmental agencies such as the Financial Ombudsman Service.
- We and fraud prevention agencies may also enable law enforcement agencies to access and use this information to detect, investigate and prevent crime. Please contact us at 0330 159 6010 if you want to receive details of the relevant fraud prevention agencies. We and other organisations may access and use from other countries the information recorded by fraud prevention agencies.
- We may share your data with our affiliates, branded product providers or selected trusted third parties to provide you with information about other credit products or services which they offer and may be of interest to you.
- We and other organisations may also access and use this information to check your identity and to prevent fraud and money laundering, for example, when: checking details on applications for credit and credit related or other facilities; managing credit and credit related accounts or facilities; tracing debtors and recovering debt; checking details on proposals and claims for all types of insurance; checking details of job applications and employees; and for any other purpose for which you give your agreement.
- We may share in aggregate, statistical form, non-personal information regarding the visitors to our website, traffic patterns, and website usage with our partners, affiliates, branded product providers or selected trusted third parties or advertisers.
- If, in the future, we sell or transfer some or all of our business assets or loans to a third party, we may disclose information to a potential or actual third party purchaser of our business assets or loans.
Sharing data with Credit Reference Agencies
When you apply for a product from us you confirm that all the information you have given to us is accurate, we will make contact with CRAs and fraud prevention agencies for assessing your credit status and identity and to detect fraud and comply with the law, and following our approval of you, we may also make periodic searches at CRAs and fraud prevention agencies to enable us to manage your payment obligations to us or identify your credit status. When we conduct a search with a CRA we will supply your personal information and add details of our search and information from your credit application to your credit records that may be seen by other lenders. A large number of applications within a short period of time could impact your ability to obtain credit. We will use a credit scoring or a number of other automated decision-making systems when assessing your application. CRAs supply to us public information (including the electoral register), and shared credit, financial situation and financial history information and fraud prevention information. Law enforcement agencies may also access and use this information.
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. When CRAs receive a search from us (including a search carried out to resolve a query or complaint you have raised whether before or after the account has been settled) they will place a search footprint on your credit file that may be seen by other lenders.
If you tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail by each of the three CRAs – clicking on any of these three links will also take you to the same CRAIN document: TransUnion: www.transunion.co.uk/crain; Equifax: www.equifax.co.uk/crain; Experian: www.experian.co.uk/crain/.
The legal basis for using your personal information
We will only collect, obtain, use and share your personal information where we are satisfied that we have an appropriate legal basis to do this. This may be because:
- our use of your personal information is necessary to take steps to enter into a contract with you or perform a contract: for example, to assess your creditworthiness and sustainable affordability of any credit obligations you may undertake, or to conclude a loan agreement with you or obtain a guarantee and indemnity from you if you are to guarantee a Bamboo loan;
- our use of your personal information is necessary to comply with a relevant legal or regulatory obligation that we have: for example, to discharge our obligations to lend to you responsibly including to assess your creditworthiness and/or conduct searches with CRAs. CRA searches may be conducted to investigate any query or complaint you have raised, and your personal information may be supplied to the CRAs to ensure accurate reporting;
- our use of your personal information is in our legitimate interest as a commercial organisation: for example:
(a) to prevent fraud and money laundering, and to verify identity, in order to protect our business and to comply with the laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
(b) to market our credit products to you in certain circumstances; or
(c) to make improvements to our products and services.
In these cases, we will look after your information at all times in a way that is proportionate and respects your privacy rights and you have a right to object to processing as explained in the “Your Legal Rights” section below;
- you have provided your consent to us or a service provider using the personal information: for example, in relation to certain of our electronic direct marketing activities.
Additionally, we will look for your consent to process personal information in relation to your health. This will only be in circumstances where you choose to share this information with us to help us understand your circumstances and appropriately manage your account. This will be used for no other purposes than managing your account and for training and quality purposes.
If you would like to find out more about the legal basis by which we process personal information please contact us at firstname.lastname@example.org.
Explaining more about direct marketing, cookies and automated decision making
In this section you can find out more about:
- how we use personal information to keep you up to date with our products and services
- how you can manage your marketing preferences
- when and how we undertake profiling and analytics
- when and how we carry out automated decision making
How we use personal information to keep you up to date with our products and services
As mentioned above we may use your personal information to let you know about products and services that we believe will be of interest to you. We may contact you by email, post, or telephone or through other communication channels that we think you may find helpful. In all cases, we will respect your preferences for how you would like us to manage marketing activity with you.
How you can manage your marketing preferences
To protect privacy rights and to ensure you have control over how we manage marketing with you:
- we will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you;
- whenever you are asked to fill in a form on our site, you can look for the box that you can click to indicate that you do not want the information to be used by anybody for marketing purposes;
- you can ask us to stop direct marketing at any time – you can ask us to stop sending email marketing, by following the ‘unsubscribe’ link you will find on all the email marketing messages we send you. Alternatively, you can contact us at email@example.com or by telephone by calling 0330 159 6011. Please specify whether you would like us to stop all forms of marketing or just a particular type (e.g. email). Also you can, at any time, ask us to end texts, by sending us a STOP message to +447860018021;
We recommend you routinely review the privacy notices and preference settings that are available to you on any social media platforms.
When and how we carry out automated decision making
As described above, we will use a credit scoring or a number of other automated decision-making systems when assessing your application. These automated processes are used to assess your creditworthiness and whether you can sustainably afford to repay the loan or guarantee it, and inform our decision about whether or not to proceed with your application. We may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have hidden your true identity. These processes make use of information which you provide to us directly and that information which we collect from third parties (including from CRAs) and includes a combination of information about your personal and financial status. For more information about how you can exercise your rights in relation to these automated processes please see the “Your Legal Rights” section below.
If we, or fraud prevention agencies, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please see Contact Us below.
Transferring personal information outside the United Kingdom
Your personal information may be transferred and stored in countries outside the United Kingdom, including the European Economic Area (the “EEA”) and/or the United States, that may be subject to different standards of data protection. We will take appropriate steps to ensure that transfers of personal information are: in accordance with applicable law; carefully managed to protect your privacy rights and interests; and limited to countries (this is expected to include the EEA) which are recognised by the UK as providing an adequate level of legal protection or where we can be satisfied that alternative arrangement are in place to protect your privacy rights.
To this end where we transfer your personal information to third parties who help provide our products and services, we obtain contractual commitments from them to protect your personal information to the UK standards, unless we are legally permitted to transfer your personal information, for example if the transfer is necessary for the establishment, exercise or defence of legal claims.
You have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal information when this is transferred as mentioned above.
How we protect and store your information
We have implemented and maintain appropriate technical and organisational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorised disclosure or access to such information appropriate to the nature of the information concerned. Measures we take include placing confidentiality requirements on our staff members and service providers; destroying or permanently anonymising personal information if it is no longer needed for the purposes for which it was collected. As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect User IDs and passwords please take appropriate measures to protect this information.
We will store your personal information for as long as is reasonably necessary for the purposes for which it was collected, as explained in this notice. In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, and/or accounting requirements.
Fraud prevention agencies can hold your personal information for different periods of time, and if you are considered to pose a fraud or money laundering risk, your information may be held by such agencies for six years.
Your legal rights
Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal information. These rights are:-
- To access personal information
- To correct/erase personal information
- To restrict the processing of your personal information
- To transfer your personal information
- To object to the processing of personal information
- To object to how we use your personal information for direct marketing purposes
- To obtain a copy of personal information safeguards used for transfers outside your jurisdiction
- To lodge a complaint with the Information Commissioner’s Office
We may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal information requested to you. We reserve the right to charge a fee where permitted by law, for instance, if your request is manifestly unfounded or excessive.
You can exercise your rights by contacting us, see Contact Us below. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example, if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Right to access personal information
You have a right to request that we provide you with a copy of your personal information that we hold and you have the right to be informed of;
(a) the source of your personal information;
(b) the purposes, legal basis and methods of processing;
(c) the data controller’s identity; and
(d) the entities or categories of entities to whom your personal information may be transferred.
Right to rectify or erase personal information
You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it.
Subject to the paragraph below, you can also request that we erase your personal information in limited circumstances where:
- it is no longer needed for the purposes for which it was collected; or
- you have withdrawn your consent (where the data processing was based on consent); or
- following a successful right to object (see Right to Object below); or
- it has been processed unlawfully; or
- to comply with a legal obligation to which we are subject.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary:
- for compliance with a legal obligation; or
- for the establishment, exercise or defence of legal claims;
- where we have a legitimate interest to retain (see “The legal basis for using your personal information” above).
Right to restrict the processing of your personal information
You can ask us to restrict your personal information, but only where:
- its accuracy is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your personal information following a request for restriction, where:
- we have your consent; or
- to establish, exercise or defend legal claims; or
- to protect the rights of another natural or legal person.
Right to transfer your personal information
You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where:
- the processing is based on your consent or on the performance of a contract with you; and
- the processing is carried out by automated means.
Right to object to the processing of your personal information
You can object to any processing of your personal information which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.
If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Right to human intervention
When you apply for a loan we will use an automated decision process to decide whether to lend to you. If we decline your application, you can ask one of our underwriters to review the decision.
Right to object to how we use your personal information for direct marketing purposes
You can request that we change the manner in which we contact you for marketing purposes.
You can request that we not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.
Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction
You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the United Kingdom.
We may redact data transfer agreements to protect commercial terms.
Right to lodge a complaint with the Information Commissioner’s Office
You have a right to lodge a complaint with the Information Commissioner’s Office which regulates the processing of personal data in the UK if you have concerns about how we are processing your personal information.
We ask that you please attempt to resolve any issues with us first, although you have a right to contact the Information Commissioner’s Office at any time.
The primary point of contact for all issues arising from this privacy notice, is our Compliance Department who can be reached at firstname.lastname@example.org or by writing to us at Bamboo, 1st Floor, Grenville House, Nelson Gate, Southampton, SO15 1GX
If you have any questions, concerns or complaints regarding our compliance with this policy and the data protection laws, or if you wish to exercise your rights, we encourage you to first contact us. We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and in any event, within the timescales provided by data protection laws.
To contact the Information Commissioner’s Office
You have a right to lodge a complaint with the Information Commissioner’s Office at any time. The Information Commissioner’s Office can be contacted on 0303 123 1113 or via other methods of communication as explained on their website (currently https://ico.org.uk). We ask that you please attempt to resolve any issues with us first.
Links to other sites