PRIVACY NOTICE

Our privacy notice tells you what we do with your Personal Data, how we use it, who we share it with and how long we keep it. As it’s your data, you have the right to know what happens with it. The types of data we hold about you and how long we keep it will depend on your relationship with us and why we have it.

Personal Data – also known as ‘personal information’ – is information that can identify you. This could be anything from your name and date of birth, to an email address or mobile number. It could also include ‘special category data’ which you can read more about below.

Here we’ll tell you:

• why we are able to process your information;
• what information (personal data) we process;
• what purpose we are processing it for;
• when we process information provided by you and when this may be provided by a third party;
• how long we store it for;
• whether there are other recipients of your personal information;
• whether we intend to transfer it to another country; and
• whether we do automated decision-making or profiling.

This notice sets out our commitment to protecting and respecting your privacy and data rights as required by the General Data Protection Regulation (“GDPR”). We undertake to act in accordance with the GDPR (including having in place adequate levels of security in respect of such Personal Data).

Where you enter into a credit or finance agreement with us, we may provide you with additional information in relation to the way in which we hold and process your Personal Data. If there is any inconsistency between any of the provisions of this Privacy Notice and the additional information provided to you, then the provisions of the additional information shall apply to the extent the privacy terms in it apply to the credit or hire agreement we enter into with you.

Who are we?

Oodle Financial Services Ltd (trading as Oodle Car Finance, Oodle Cars, Oodle Finance and Oodlecars.com) is the data controller (as defined in the GDPR) for the personal information we process, unless otherwise stated.

We are registered with the Information Commissioner’s Office with registration number ZA121323 and you can search our registration details on the Public Register of Data Controllers www.ico.org.uk.

There are many ways you can contact us, including by phone, email, live chat and post. More details can be seen here.

Our postal address is:

Fletcher House
Heatley Road
Oxford Science Park
Oxford
Oxfordshire
OX4 4GE

How do we get information

Customers and prospective customers

A lot of the personal information we process is provided to us directly by you for one of the following reasons:

• You have made an application for motor finance with Oodle
• You have accessed our website, app and online services
• You have contacted us directly to discuss your account

We may also receive information indirectly about you from the following sources:

• From a motor dealer, broker or other third party when you are making an application for motor finance via them
• From credit reference agencies, financial crime prevention agencies or other third parties that help us to prevent fraud and meet our legal obligations, as well as checking your creditworthiness to take out a loan. You will find more information about this in the “Credit Reference Agencies and “Financial crime prevention agencies” sections below.
• Your financial services providers where you have consented to us using Open Banking to verify your income and other financial information. More information about this can be found in the “Open Banking” section below.
• If you have authorised a third party to act on your behalf.
• Other third parties and publicly available sources, e.g. we may buy or rent marketing lists from third parties, which contain the contact details of individuals (including you) to whom we can send marketing materials

Visitors to our website

When you visit our site, in addition to information you provide to us on the site (such as name and contact details) we may collect certain information automatically from your device. In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws.

Specifically, the information we collect automatically may include information like your IP address, device type, unique device identification numbers, browser-type, broad geographic location (e.g. country or city-level location) and other technical information.

We may also collect information about how your device has interacted with our website, including the pages accessed and links clicked. We may also collect information about the website from which you came before visiting our site. Collecting this information enables us to better understand the visitors who come to our site, where they come from, and what content on our site is of interest to them.

We may also use the information to pre-populate fields to make it easier for you to provide information when you return to our sites.

We use this information for our internal analytics purposes and to improve the quality and relevance of our site to our visitors.

To enable this your Personal Data may be converted into anonymised form in a way which means you cannot be identified from it and it can then be used for the purposes of information security testing, statistical analysis and to enhance our provision of products and services.

Our use of all such data will be in line with our responsibilities under the GDPR and other applicable data protection laws and we would always anonymise it before using it for these additional purposes.

Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading “Cookies” below.

Business contacts

If you are a business contact we may, for the purpose of conducting business with you (or your employer), process Personal Data such as your name, date of birth, address, telephone number, or email address, as well as the name of your employer. In addition, we may correspond with you and that may contain certain Personal Data that we exchange in the ordinary course of business such as to schedule meetings and calls and for the purpose of services we provide to you (or your employer) or you (or your employer) provide to us. We will not share this information with a third party, other than where there is a lawful basis to do so in accordance with this Privacy Notice.

Using your information

Whether you are a customer, prospective customer, visitor to our website or business contact, data protection law requires us to have a legal basis for using your Personal Data. We rely on one or more of the following bases to use your Personal Data:

• To perform our contractual obligation
• To comply with a legal obligation
• We have a legitimate interest (that is justified for good business or commercial purpose) which isn’t outweighed by your interests, rights or freedoms
• You have given us your consent

The types of Personal Data that we collect and process about you will depend on how you interact with Oodle. It may fall into the following categories but will extend to any data about you that we process as a result of your interactions with Oodle.

We may also collect ‘special category data’ about you. As this is treated differently under data protection law, there’s a section dedicated to it below.

Special category data

Data protection law requires us to treat ‘special category data’ with more care. Special category data includes biometric data (physical, physiological or behavioural characteristics about you), health data, criminal convictions, and any religious or political data.

When you make an application for motor finance using our mobile app, we use a third party to verify your identity with facial recognition technology, which requires the processing of biometric data. As part of this process, your special category data is processed only for the purposes of verifying your identity. The third party we use for this process is Jumio Corporation and you can find out more about how it processes your Personal Data using facial recognition here.

We might need to process your special category data to help us provide a service that best meets your needs. For example, so we can consider any specific requirements you may have, your needs have changed or you experience financial difficulties it may help for us to understand information about your health.

We will always ask for your explicit consent for special categories of Personal Data being processed by us and our service providers for the purposes stated in this Privacy Notice. You also have the right to withdraw consent, which you can read more about in the section “Your rights” below.

We may also require details regarding criminal records and proceedings for compliance with legal obligations (including safeguarding against fraud and anti-money laundering requirements).

Sharing your information

When you register an interest to use our services or make use of our services you consent to us sharing your data with the following parties:

• service providers and other third parties who process and store data on our behalf;
• motor dealers and brokers, including their business partners;
• financial crime prevention agencies and credit reference agencies;
• third parties who provide maintenance and servicing of any vehicles you hire as part of the services;
• professional advisors;
• individuals who you nominate as referees to verify certain information;
• in the event that our business, either in whole or in part, is acquired by a third party (in which case Personal Data about customers will be one of the transferred assets);
• if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce any contract with you; or to protect our rights, property, or the safety of our employees, customers or others. This includes exchanging information with other companies and organisations for the purposes of financial crime prevention and credit risk reduction;
• companies and consultants providing services to us (for example, marketing agencies, mail outsourcing service provider, Information Technology service providers who provide and maintain our systems and our website host). Those companies and consultants providing services to us will only use your information to provide those services;
• a third-party company that may take over your contract, so that you can continue with your contract;
• third party insurance providers;
• debt collection agencies; and
• the courts in connection with court proceedings.

Credit Reference Agencies

If you submit your details to get pre-approval for motor finance we’ll supply your Personal Data to credit reference agencies (CRAs) and carry out what’s called a ‘soft credit search’ to get a view of your credit rating.

The CRAs will record our search but other lenders won’t be able to see it and it won’t affect your credit score.

When we perform a soft search on you, this will also include a soft credit search of any person that you share financial ties with (a joint current account or a joint mortgage, for example); this person is known as a ‘financial associate’. Beyond using your financial associate’s data for decisioning purposes, we will not use their data for any other purpose. However, it will leave a soft search on their credit file, so you should make them aware before submitting your details to get pre-approval for motor finance.

CRAs link your records together and these links will remain on your and their files until such time as you or your financial associate successfully files a request with the CRAs to break that link.

The above soft search will give us an overall view of your financial health (including your credit score) but not your full credit report. This will help us determine whether a full application is likely to be successful and the interest rate we might charge.

It’s only when you proceed to complete a full application and we fund the loan that we perform a full search of your credit report which can be visible by other lenders.

CRAs will supply to us public information (including from the electoral register), credit, financial situation and financial history information; in addition to financial crime prevention information about you.

We will use your credit file information to:

• Assess your creditworthiness and whether you can afford payments for the motor finance you want
• Verify the accuracy of the information you have provided us
• Prevent criminal activity, fraud and money laundering
• Manage your account if you take out motor finance with us
• Trace and recover debts if you take out credit finance with us
• Ensure any offers provided to you are appropriate to your circumstances

We’ll go on sharing your Personal Data with CRAs for as long as you are a customer. We will also inform CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. They may also provide this information to other organisations including financial institutions who offer similar products to Oodle.

In order to understand more about CRAs, you can read their Credit Reference Agency Information Notice (CRAIN) which will tell you:

• More about their role as a credit reference agency;
• Their role as a financial crime prevention agency;
• The data they hold;
• The ways in which they use and share Personal Data;
• Data retention periods; and
• Your data protection rights.

You can access the CRAIN for each of the CRAs we use here:

• TransUnion
• Equifax
• Experian

Financial crime prevention agencies

As a regulated financial services business, we are committed to preventing financial crime which includes fraud, money laundering, tax evasion or terrorist financing.

When you register or apply to use our services we will share your Personal Data with financial crime prevention agencies. This is because we have a legitimate interest in preventing financial crime and we are required to verify your identity in order to protect our business and to comply with laws that apply to us. The agreement that you have with us also allows us to share your Personal Data with financial crime prevention agencies.

If you give us false or inaccurate information, or if we suspect or identify fraud, money laundering, tax evasion or terrorist financing, we may record this and pass this information to financial crime prevention agencies and other relevant organisations, including law enforcement agencies. We and other organisations may access and use this information to prevent fraud, money laundering or other criminal activity.

As part of the processing of your Personal Data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.

You have rights in relation to automated decision making: if you want to know more please refer to the “Automated Decisions and Profiling” section below.

If we, or a financial crime prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.

Financial crime prevention agencies may hold your information for different periods of time, and if you’re considered to be a fraud or money laundering risk, your information may be held for up to six years. It may also result in us and others refusing to provide services, financing or employment to you.

We use Cifas to help prevent fraud, money laundering and to verify your identity. Further information about how Cifas process your data can be found on their Fair Processing Notice.

You can contact us at dataprotectionofficer@oodlefinance.com if you’d like to know more about the financial crime prevention agencies we use.

Open Banking

At Oodle we may use Open Banking to liaise with your financial services providers to easily verify your income and other financial information.

We may do this when you first apply for motor finance with us to check you can afford the payments. We may also use Open Banking if you have motor finance with us but you experience financial difficulties, so we can easily check your financial position and consider the best ways to support you.

We will only use your Open Banking data with your informed consent, which will be sought from you via a link sent to your mobile phone. If you provide consent, we will have access to the transaction information from your bank account for the last 12 months. We will usually receive a one-off snapshot of 12 months of transaction history, which will be held on your file.

However, please note that some banks have set up their Open Banking so that third parties receive access to data for a longer period. In these instances, please be aware that the Open Banking access will remain in place for the period set by your bank, which is usually for up to 90 days post consent.

We will not give your Open Banking data to any third parties, unless we have a lawful basis to do so in accordance with this Privacy Notice. For more information about Open Banking please see http://www.openbanking.org.uk/customers/what-is-open-banking/.

The Open Banking platform we use Consents Online Limited.

Automated Decisions and Profiling

In some instances, our use of your Personal Data may result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.

Automated decision-makings means that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without our human review. For example, we use automated decisions to consider your creditworthiness if you make an application for motor finance. We have implemented measures to safeguard the rights and interests of individuals whose Personal Data is subject to automated decision-making.

When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. To understand more about this and how you can exercise your right for human intervention please see the “Your rights” section below.

How long we keep your information and how we store it

We only retain your Personal Data for as long as necessary for the purposes described in this Privacy Notice. For example, we retain Personal Data we collect from you where we have an ongoing legitimate business need to do so to provide you with our services or to comply with applicable legal, tax or accounting requirements.

In the event that you make an application to use our services, we will only store your Personal Data whilst you continue to use our services and for a period of 6 years thereafter (or such longer period as is necessary for the proper performance of our regulatory obligations to you).

When we have no ongoing legitimate business need to process your Personal Data, we will either delete or anonymise it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible.

In order to ensure fair and transparent processing, we will, taking into account our processing activities, adopt appropriate procedures for the processing of Personal Data, which shall include implementing technical and organisational measures which take into account the harm that may be suffered, and correct inaccuracies identified in Personal Data processed, so that risk of errors are minimised and your Personal Data is processed in a fair and secure manner.

All information you provide to us is stored on our secure servers which are located in England. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Your rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right to rectification – You have the right to ask us to correct your information if you think it is inaccurate or update it if it is incomplete. We may need to ask for further information from you to correct or update your information.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances. We will action your request UNLESS we have a lawful basis that allows us to continue to hold and process your data.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances, which is normally only temporary. For example, you may want us to do this while we are updating a change to your information because it is inaccurate or incomplete.

Your right to object to processing – You have the right to object to processing if our lawful basis to process your information is because it is in our legitimate interests. We will action your request UNLESS we have a lawful basis that allows us to continue to hold and process your data other than solely for our legitimate interests.

Your right to data portability – You have the right to ask us to provide you with the Personal Data that we hold about you in a structured, commonly used, machine readable form, or ask for us to send such Personal Data to another data controller. This only applies to information you have given us.

Your right to human intervention – When you apply for motor finance we’ll use automated decision-making to decide whether to lend to you. If we decline your application, you can ask one of our underwriters to review our decision.

Your right to withdraw consent – You have the right to withdraw your consent to us processing your data at any time. Whether we will be able to action your request depends on our lawful basis for holding and processing it. We will confirm the outcome of your request and where relevant our records will be updated accordingly. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Your right to raise a concern – You have the right to be confident that we are using your personal information responsibly and in line with good practice. If you have a concern about the way we are handling your personal information you have the right to raise this with us, and we will take your concern seriously and work with you to try and resolve it.

Your right of access – You have the right to ask us for copies of your personal information, also known as making a Data Subject Access Request (“DSAR”). If you would like to exercise this right please contact us at DSAR@oodlefinance.com

To contact us about any of your other rights please email us at dataprotectionofficer@oodlefinance.com.

Please note that we may ask you to provide a form of identification verification before we can review any requests made by you in relation to your rights.

You are not required to pay any charge for exercising your rights.

We have one month to respond to you to confirm the action taken, the outcome of any decision and the reasons why.

Links to other websites

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Overseas transfers

Some of our service providers and other organisations that we work with (including credit reference agencies), may be located outside the European Economic Area in countries that do not have the same standards of protection for Personal Data as the UK. We will, however, always use every reasonable effort to ensure sufficient protections are in place to safeguard your Personal Data.

We will also ensure that our service providers enter into compliant processing agreements with us, including for transfers of data outside of the European Economic Area, to ensure that your Personal Data is processed in accordance with the General Data Protection Regulation and other applicable data protection laws.

Marketing

From time to time we would like to send you details of products and services, which may be of interest to you. The provision of Personal Data for the purposes of direct marketing is voluntary and you do not need to provide such Personal Data in order to receive our services. Where you have consented, we may:

• use your Personal Data to send you information about our own products and services and those of our group companies and other carefully selected third parties which may be of interest to you; and
• pass your details to our group of companies and other carefully selected third parties including anyone who introduced you to us, so that they may send you information about their products and services via e-mail, SMS text message, post and / or telephone

You can change your marketing preferences and opt-out of receiving marketing communications at any time by unsubscribing from the relevant communications.

To do this in relation to marketing from our group companies and third parties please write to them. Their contact details should be specified in the marketing communication itself which you have received from them.

Advertising

Like most businesses, we may use advertising to let people know about our services and products. Our use of advertising may involve the use of ad networks which enable potential advertisers to bid for the right to show advertising to you across the web. Part of this process may involve the use of a range of data about you (location, gender, preferences and interests) to allow better targeting of adverts so you hopefully see adverts relevant to you. However, it may mean that data about you is shared with a large number of third parties (ad networks operators and potential bidders).

As a result, you may see adverts for Oodle across the web. This may include where you have visited our website (because we think that because you visited the Oodle website previously you may be interested in Oodle’s products).

If you see an advert for Oodle and also if you interact with the advert and come to Oodle’s website, we may also measure the effectiveness of adverts, including by seeing how long you spend on our site.

We may set various cookies as part of the above. More information on this can be found in the “Cookies” section below and in our Cookies Policy which you can access here. In addition to the cookies set on our site, third party sites will also set cookies. You should be given the opportunity to refuse consent to the use of cookies when you visit third party sites that display advertising (along with any other cookies that aren’t necessary for the site to operate).

In addition to cookies and similar technologies used by Oodle as part of advertising to you across the internet, if you are an existing customer of Oodle, we may also send your contact details to social media sites. We may do this so we can find out if you’re also a member of those sites and if so, advertise our products to you through those sites. For example, we may use Facebook’s Custom Audiences for this purpose. If we provide contact details to Facebook, they will only use this data for the purpose of determining whether you’re on Facebook.

Cookies

A cookie is a small text file that is stored on your computer or device when you visit a website. Cookies are used by all websites, and have several different functions.

At a basic level cookies will:

• Allow the site to work properly, and help keep it secure
• Help us understand how people use the website
• Make the site easier to use by remembering information that you’ve entered
• Improve your experience by showing you information that’s relevant to you

You can view our full Cookies Policy here.

ReCAPTCHA

We use Google reCAPTCHA on our website(s) to ensure we are protected from spam and abuse. You will see this when you have made an application for motor finance when you log into your account. In addition to Google reCAPTCHA using data to provide services to Oodle, they also make use of data for their own purposes. For more information about ReCAPTCHA please refer to Google’s Privacy Policy and Terms of Use by clicking on the respective links.

Further questions or concerns?

Just so you know, our Data Protection Officer is Adam Wright.

If you have any further questions about data privacy at Oodle, or if you are unhappy with how we’ve handled your information, you can contact him at dataprotectionofficer@oodlefinance.com or via our postal address:

Data Protection Officer (DPO)
Fletcher House
Heatley Road
Oxford
Oxfordshire
OX4 4GE

If you remain dissatisfied you can refer your concerns to the Information Commissioner’s Office (ICO), the body that regulates the handling of Personal Data in the UK, at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5A

Tel: 0303 123 1113
Website: www.ico.org.uk

Changes to this Privacy Notice

We may modify this Privacy Notice from time to time, so please review it regularly.

Any material changes we make to our privacy notice in the future will be posted on this page and, if appropriate, be sent to you by email.

This Privacy Policy was last updated on 1 November 2020.