Privacy Policy
Zuto Limited and its affiliates (collectively, “Zuto”, “we”, “us” or “our”) take your privacy and the security of your personal data seriously. This privacy policy is meant to help you understand what personal data we collect on you, how we use, share and protect such information and the rights and choices you have with regard to your personal data when you visit our website (www.zuto.com), when you communicate with us, or where you otherwise use our services.
For the purposes of European Union and United Kingdom (“UK”) data protection laws, and depending on how you interact with our services, the responsible entity (i.e., controller) of your personal data will be one of the following entities: Zuto Limited, Zuto Business Services Limited, Zuto Holdings Limited and Zuto Ancillary Services Limited.
If you have any questions or complaints, please contact us at datarequests@zuto.com.
We collect most of the personal data we process directly from you (for example, when you complete an application or contact us). We may collect some personal data from third parties, including price comparison websites, credit reference agencies, and fraud prevention agencies as part of our services.
Directly from you
We collect personal data from you when you provide it to us directly, for example when you:
- enquire about, apply for, and use our products and services;
- talk to us on the phone (we record our calls and we will tell you about this when we speak to you);
- send us an email or letter;
- use our website;
- communicate with us via social media;
- complete a customer survey; and/or
- make an enquiry or complaint.
Third parties making an application on your behalf
If someone is making an application on your behalf (for example, someone who has a power of attorney), we will receive personal data on you from that person.
Lenders or other third parties you take out products with
If your application results in you borrowing from one of our panel of lenders, and/or taking out any other products, such as warranties, the lender or other provider will share certain information about you with us (including to let us know if you default on your payment obligations).
Credit reference agencies (CRAs)
CRAs hold personal data about individuals’ credit accounts (such as credit cards and loans) and publicly available information (for example, from the electoral roll). When you make an application, we receive information from the CRAs including your financial status and financial history. We also receive information like your address so that we can verify your identity.
If you want to know more about how we exchange data with CRAs, please see the section headed “Credit reference agencies” below.
Regulatory bodies
We are regulated by the Financial Conduct Authority, the Financial Ombudsman Service and the Information Commissioner’s Office. If you make a complaint to any of these regulators, or otherwise speak to them about us, we may receive some of your personal data from them to enable us and them to manage your complaint or enquiry.
Each of these regulators has their own privacy notice on their website, which will tell you more about how they use and share personal data.
Price comparison websites
We will use the information you share with price comparison websites where that data is passed to us, so that we can share it with selected lenders to return a finance quote or eligibility check for you, which you can choose whether to proceed with.
Lead generators
We work with lead generation partners who will pass us personal data about potential customers. If you have submitted your details to one of these partners, they will tell you if they are going to share your information with us.
Other third parties
We might also receive personal data from other third parties not mentioned above. This could include law enforcement and government authorities, if they make enquiries about you, or the Court if you are involved in legal proceedings with us.
When you make an application or otherwise engage with us, you voluntarily supply us with some of your personal data. This may include (but is not limited to) your contact information, employment details, financial information, identity information and marketing preferences. We also collect data that you voluntarily provide us with in communications that you have with us, data we collect automatically when you use our website, and data we receive from third parties. Sometimes we might also need to collect sensitive data about you.
Contact information
Contact details that we ask you for, or that you provide to us, including your name (and any previous names), date of birth, address, previous addresses from the last three years, email address and contact telephone number. This also includes any other contact details you may provide when interacting with our website, or when you contact us via email, social media, telephone or letter.
Application details
Information we ask you to provide as part of your application. This will be made clear in our application form, but could include details of your employment (including your employment status and employer), your financial details (including income, outgoings, and existing credit commitments) and information about your identity (including identity confirmation documents such as your passport).
Communications
When you communicate with us, including via email, social media, telephone, letter or when completing customer feedback or complaints, we collect the personal data you provide to us. This will include your name, contact information (such as email, address, telephone number) and the content of the communications.
Events or meetings
If you attend an event or meeting of ours, we may collect your personal data when you attend the event or meeting and exchange your details with us (for example, by providing your business card or contact details on arrival) and we may take photographs with your personal image.
Consent information
Permissions, consents, or preferences that you give us, for example how you want to be contacted and whether you want to receive marketing from us.
Sensitive information
Sometimes, we need to collect personal data that is more sensitive than usual, or you might provide this to us in communications. This could include:
- personal data that is classified as special categories of data, such as information about your health (for example, to assess vulnerability or accessibility); and
- information about criminal convictions or criminal offences you have committed, for example if you have previously been convicted of fraud.
This information will only be collected where there is a valid legal basis and will be handled with a high level of care, as required by law.
Third parties
As described in Section 3 above, we also receive information about you from third parties. This may include your credit information, payment and default information, and information from regulatory bodies or courts in connection with complaints or legal proceedings.
Automated information
We and our service providers may automatically log information about you, your computer or mobile device, and your interactions with our services and our communications, such as:
- the type of browser you use, access times, pages viewed, documents downloaded, your IP address, and the site you visited before navigating to our Services;
- the computer or mobile device you use to access our Services, including the hardware model, operating system and version, unique device identifiers, and mobile network information;
- your browsing actions and patterns; for example, your internet protocol address and other similar identifiers, browsing history, search history, information on your interaction with the website. We collect this personal information by using different technologies, including cookies and web beacons. Please see our cookies policy here.
- your city, state, zip or postal code, to personalise content provided to you, or to show you prices and promotions.
Other information
We may need to collect other information not specifically listed here, which we will use as described in this privacy policy or as otherwise disclosed at the time of collection.
We use your personal data for a variety of purposes described below. We process your personal data for these purposes in reliance on our legitimate business interests, in order to perform our contractual obligations to you or third parties with whom we have a contractual relationship (e.g. lenders or credit reference agencies), with your consent, and/or for compliance with our legal obligations. We indicate the specific processing grounds we rely on next to each purpose listed below.
What we use your personal data for:
Application
To perform our contract with you or third parties with whom we have a contractual relationship (e.g. lenders or credit reference agencies), or when it is in our legitimate business interests to do so, we will use your personal data to consider and process your application for our products and/or services, to communicate with you by social media, email, telephone, text (SMS) message or other electronic means to discuss your application or provide you with updates, to share your personal data with our panel of lenders and other partners to generate a finance quotation and process your application or otherwise provide the relevant product or service to you, and to manage our ongoing relationship with you, including notifying you of changes to our services. Where it is in our legitimate interests to do so, which includes ensuring that applications are processed efficiently and accurately and matching customers to appropriate products and/or services, we will also carry out credit checks with CRAs, verify your identity using our KYC ID verification partner, and carry out validation checks to confirm that your details are valid and that the application is being made by a human, in order to reduce the risk of fraudulent applications.
Compliance and protection
We use your personal data to comply with our legal obligations and to defend us against legal claims or disputes where it is in our legitimate business interests to do so, including to:
- comply with applicable laws, lawful requests, and legal process, such as to respond to court orders or requests from regulators and other government authorities;
- audit our internal processes for compliance with legal and contractual requirements and internal policies;
- enforce the terms and conditions that govern our products and services;
- prevent, identify, investigate, and deter fraudulent, harmful, unauthorised, unethical, or illegal activity, including cyberattacks, identity theft and other financial crime;
- protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims).
Improving our services and developing new products and services
Where it is in our legitimate interests to do so, including so that we can provide the best possible service to our customers and to ensure that we design products to meet our customers’ needs and objectives, we will use your personal data to undertake analysis of your credit information to identify and inform you of suitable credit products, to ensure that our content, services, and advertising are tailored to your needs and interests, to provide products and services that meet the needs and requirements of our customers, and to process feedback from customers including through complaints.
We use personal data to help us better understand how people use our services and how we can develop, analyse and improve them where it is in our legitimate interests to do so. This includes monitoring and analysing trends, usage, and activities in connection with our services. As part of these activities, we may create aggregated, de-identified or other anonymous data from personal data we collect. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyse and improve the services, and promote the services.
Sending marketing communications to you
We may use your personal data to send you marketing communications about our products and services, and those of our Zuto Partners. In certain instances, we may ask you for your explicit consent to market to you, but in other cases we may rely on our legitimate interests in promoting our business and our products and services. In each case you will be given the opportunity to opt-out in each marketing communication. Please see Section 12 for more information on how we use your personal data for marketing purposes.
Call recording
Where it is necessary to comply with the law, and where it is in our legitimate interests to protect and improve our business, train our staff, and ensure that complaints and disputes are dealt with in a timely and appropriate manner, we record calls and use recordings and transcripts to check your instructions to us, to analyse, assess and improve our services, for training and quality purposes, to investigate complaints you make, and as evidence in any dispute between you and us.
Key stroke recording
Where it is in our legitimate interests to improve our services and ensure that customers are able to complete their applications efficiently, we may use key stroke recording technology on our website. This technology records the information you fill in on our application form as you complete it. If you do not proceed to submit your application, we may contact you using the details you provided, to see if you would like to complete it.
Validation checks
Where it is necessary to comply with the law or where it is in our legitimate interests to prevent and detect fraud and protect our business from false applications, we may use a third-party supplier to carry out validation checks before you submit your application, to confirm that your details are valid and that it is a human making the application.
We may need to disclose your personal data to others to ensure we can efficiently provide the products, services, and information you request.
In particular, please note that when you make an application, we will share personal data you submit during the application process with our panel of lenders to process your application and generate a quote. Lenders may contact you directly and may share your personal data with fraud prevention agencies as part of assessing your application.
We also need to share your personal data with some of our suppliers, who act as processors on our behalf.
Our panel of lenders that provide services in connection with your application
We will share personal data to process your application for finance products/services and to generate a finance quotation. Our lenders may carry out additional credit reference searches. They may also share your personal data with fraud prevention agencies to prevent and detect fraud and help them make credit decisions.
As part of your application for credit, some lenders may use Open Banking solutions. If this is the case, your personal data will be shared with the relevant Open Banking provider. This will be made clear in the application process.
Alternative credit providers
If your application is declined by our panel of available lenders, and if you give us consent to do so, we may pass your personal data to another credit provider (such as a lender, broker, or price comparison sites) to allow them to consider your eligibility for alternative finance products. These providers may carry out additional credit reference searches.
Third party suppliers, who process your information on our behalf
We may share your personal data with the following types of third party organisations for the following reasons:
- Online advertising solutions - To allow us to show you relevant content about our finance products/services.
- Customer feedback tools, live chat services and marketing communications software - To ensure we get your feedback to help us improve our service to you, help us speak to each other and contact you more effectively.
- Communication platforms and cloud hosting platforms - To allow us to contact you and securely store your data.
- Social media sites - To show you relevant content about our finance products/services.
- Vehicle valuation tools, car dealerships and our delivery partners - To allow you to value your vehicle as part of the finance process and to facilitate selecting a vehicle as part of your application, including arranging test drives for your selected vehicle and enabling collection by or delivery of the vehicle to you. Our delivery partners may also contact you directly in relation to the delivery of your vehicle, to allow you to track the delivery or provide updates on any delays.
Credit reference agencies (CRAs)
In assessing your application for credit, we share personal data with CRAs to carry out credit checks, verify your identity, and to prevent fraud and money laundering.
Please see the section headed “Credit reference agencies” below for more information.
Know Your Client (KYC) ID verifier
We will share your personal data obtained through our application process with our KYC ID verification partner for the purposes of verifying your identity.
Providers of additional products
We may offer additional products and services, including warranty, either directly or on behalf of our partners, and your personal data may be passed to the providers of these additional products for the purposes of providing you with these products. You can control whether this happens when speaking to your car buying expert. These providers may carry out additional credit reference searches against you.
Please note that we or our warranty provider may contact you directly to discuss renewals of your warranty, if relevant.
Affiliates
We may share your personal data between and among our current and future parents, affiliates, subsidiaries, and other companies under common control and ownership for purposes consistent with this privacy policy.
Third party advertising providers
If you opt into marketing, we may share an encrypted version of your personal data with third party advertising providers (using a process called hashing), to allow us to target our advertising more accurately.
Law enforcement and government agencies
We share personal data with these agencies where we are required to do so by law or where information is required in connection with a crime or investigation.
Regulators
We share personal data where required to comply with our regulatory obligations, including communicating with our regulators and responding to complaints and enquiries from them.
Sale and transfer of business
We may share personal data as part of a proposed or completed corporate transaction, such as a merger, acquisition, reorganisation, financing, asset sale, or similar transaction, or in the event of bankruptcy or related proceedings. Any such disclosure would be subject to appropriate confidentiality protections.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with financing or other services). In this case, we may have to cancel such financing or service you have with us, but we will notify you if this is the case at the time.
Your personal data provided in line with the purposes detailed in this privacy policy will mainly be stored on servers based in the UK. Please note that we may transfer your personal data to our service providers in jurisdictions outside the UK, such as the United States and other jurisdictions. Please note that such jurisdictions may not provide the same protections as the data protection laws in your home country.
When we engage in cross-border data transfers, we will ensure that relevant safeguards are in place to afford adequate protection for personal information and we will comply with applicable data protection laws, in particular by relying on an EU Commission or UK government adequacy decision or on contractual protections for the transfer of personal information. For more information about how we transfer personal information internationally, please contact us.
We will only keep your information for as long as we reasonably need it.
In relation to personal data that we use for marketing purposes, we may process this personal data for the duration of your finance agreement plus two years. Alternatively, if you have not taken out a finance product, we may process this personal data for a period of up to three years following your application.
In relation to all other personal data, we will keep this for as long as necessary to manage our relationship with you and to comply with our regulatory and legal obligations.
You have certain rights over your personal data. These include rights to access a copy of your personal data, to ask us to erase your personal data and ask us to correct inaccurate personal data. You can ask to exercise these rights by contacting us at datarequests@zuto.com. There are some circumstances in which we do not need to comply with all or part of your request. If this is the case, we will explain this to you.
The rights you have, and what each of these means, are explained in the table below. If you ask to exercise one of these rights, we may ask you to verify your identity before we process your request. This is to avoid confidentiality breaches and make sure we do not disclose personal data to the wrong person.
Right to access personal data
You can ask us to send you a copy of the personal data we hold about you. We will carry out a reasonable search for personal data and send you the personal data that we locate within one month, or three months if your request is complex. We are allowed to withhold information in some circumstances (for example to protect other individuals’ privacy or in the event of a criminal investigation).
Right to correct inaccurate personal data
You can ask us to correct, clarify or amend your personal data if it is inaccurate, incomplete, or otherwise out of date.
Right of erasure
You can ask us to delete your personal data in certain circumstances, for example if we no longer need it or if we have collected it unlawfully. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Right to restrict use of your personal data
You can ask us to limit how we use your personal data in certain circumstances. For example, if you think your personal data is inaccurate but we disagree, you can ask us to stop using it to make decisions until we can verify if it is accurate or not.
Right to data portability
Where personal data is necessary for a contract, or where we collected it based on your consent, you can ask us to move, copy or transfer it to another provider.
Right to object
Where the use of personal data is necessary for our legitimate interests, you can ask us to stop using it for those purposes. We can continue to use it if we can show that we have a compelling, legitimate reason to do so.
Right to opt out of direct marketing
You can always ask us not to continue to send direct marketing to you. You can do this by clicking on the “unsubscribe” link in marketing emails or contacting us using the details above.
Right to withdraw consent
If we have asked you for your consent to use personal data in a particular way, you can withdraw that consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We use CRAs to help us carry out credit and identity checks when you apply for a product or service with us. This involves us sharing your personal data with CRAs and receiving personal data back from them. We use the personal data they send us to assess our credit risk and make sure what you’ve told us is true.
We share your personal data with CRAs to ask them to provide a credit scoring computation when you make an application. Credit scoring uses several factors to assess risks involved in any application. A score is given to each factor and a total score obtained. Where automatic credit scoring computations are used, acceptance or rejection of your application will not depend only on the results of the credit scoring process.
When we ask CRAs about you, they will note it on your credit file. This is called a credit search. Other organisations (including lenders or providers of goods or services) will see this credit search or previous footprint on any report prepared for their own purposes and prospective relationship with you. The CRAs have created a “Credit Reference Agency Information Notice” or “CRAIN” which includes more details about how the CRAs use and share your personal data, as well as their role as fraud prevention agencies. The CRAINs for each of the three main CRAs are available on their websites, which we have linked below:
- Experian: https://www.experian.co.uk/legal/crain/
- Equifax: https://www.equifax.co.uk/crain/
- TransUnion: https://www.transunion.co.uk/legal/privacy-centre/pc-credit-reference
You can also find more information about how the CRAs use personal data, and your data protection rights with the CRAs, here: https://ico.org.uk/for-the-public/credit/
We may send you marketing communications about our products and services, and those of our Zuto Partners. In certain instances, we may ask you for your explicit consent to market to you, but in other cases we may rely on our legitimate interests in promoting our business and our products and services. In each case you will be given the opportunity to opt-out in each marketing communication. You can unsubscribe at any time. You should be aware that if you opt out of marketing, you may continue to receive communications from us about your own products. These are called “service messages” and are not marketing communications.
We may:
- contact you by mail, telephone, email, SMS, or other electronic messaging service with offers of products, services or information that may be of interest to you; and/or
- send you information about goods and services provided by our Zuto Partners (please see below for more information on our Zuto Partners).
Before we send you any marketing communications, we will make sure that either:
- you have given us your consent;
- you have given consent to the company that shared your personal data with us, allowing Zuto to contact you for marketing purposes; or
- if we have collected your information whilst selling, or negotiating to sell, our products or services, we have given you the opportunity to opt out of receiving marketing from us.
Our Zuto Partners include third parties who provide products which may be relevant and helpful for you:
- Insurance comparison providers - This allows you to compare insurance products so you can make an informed decision.
- Vehicle maintenance & roadside assistance providers - This enables you to review complementary products that you may wish to purchase after financing a new vehicle.
- Credit score companies – to help you keep up to date with your credit score and improve it going forward.
- Alternative finance providers – if our main panel of lenders are unable to help you, we may be able to offer you some other alternatives, or present you with other products you may also be interested in.
- Car selling providers – to help you consider your options if you have a vehicle you wish to sell or part exchange.
We do not share your personal data with Zuto Partners, but we may send you information about their products and services if you have consented.
If you do not wish to receive marketing information from us, please DO NOT tick the relevant boxes when submitting your personal data by application, or on one of our sign up forms. Alternatively, please contact us using the details below or simply unsubscribe from any email that is sent to you by Zuto (which will be located at the bottom of the email).
Like most organisations, we use cookies on our website. Please see our cookies policy here.
The services are not intended for use by children under 18 years of age. If we learn that we have collected personal data through our services from a child under 18 without the consent of the child’s parent or guardian as required by law, we will delete it as soon as possible.
If you have any questions about this privacy notice or have a concern about how we have handled your personal information, we encourage you to contact us in the first instance so we can try to resolve it for you.
- Email: datarequests@zuto.com
- Telephone number: 01625 619944
- Post: Zuto, Winterton House, Winterton Way, Macclesfield. SK11 0LP.
We aim to acknowledge your complaint within 30 days and will keep you informed throughout the process.
For more details on how we handle complaints, please visit our complaints policy and procedure here.
You also have the right to lodge a complaint directly with the Information Commissioner’s Office (ICO) at www.ico.org.uk at any time.
We reserve the right, at our discretion, to change, modify, add, or remove portions of this policy at any time, so you are encouraged to review this policy from time to time.
Our services may contain links to websites and other online services operated by third parties. In addition, our content may be included on web pages or online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control third party websites or online services, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use and disclosure of your personal data. We encourage you to read the privacy policies of the other websites and online services you use.
The privacy notice was last updated on 19 June 2026.