Privacy Notice

Sharing your information

When you register an interest to use our services or make use of our services you consent to us sharing your data with the following parties:

• service providers and other third parties who process and store data on our behalf;

• motor dealers and brokers, including their business partners;

• financial crime prevention agencies and credit reference agencies;

• third parties who provide maintenance and servicing of any vehicles you hire as part of the services;

• professional advisors;

• individuals who you nominate as referees to verify certain information;

• in the event that our business, either in whole or in part, is acquired by a third party (in which case Personal Data about customers will be one of the transferred assets);

• if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or in order to enforce any contract with you; or to protect our rights, property, or the safety of our employees, customers or others. This includes exchanging information with other companies and organisations for the purposes of financial crime prevention and credit risk reduction;

• companies and consultants providing services to us (for example, marketing agencies, mail outsourcing service provider, Information Technology service providers who provide and maintain our systems and our website host). Those companies and consultants providing services to us will only use your information to provide those services;

• a third-party company that may take over your contract, so that you can continue with your contract;

• third party insurance providers;

• debt collection agencies; and

• the courts in connection with court proceedings.

Credit Reference Agencies

If you submit your details to get pre-approval for motor finance we’ll supply your Personal Data to credit reference agencies (CRAs) and carry out what’s called a ‘soft credit search’ to get a view of your credit rating.

The CRAs will record our search but other lenders won’t be able to see it and it won’t affect your credit score.

When we perform a soft search on you, this will also include a soft credit search of any person that you share financial ties with (a joint current account or a joint mortgage, for example); this person is known as a ‘financial associate’. Beyond using your financial associate’s data for decisioning purposes, we will not use their data for any other purpose. However, it will leave a soft search on their credit file, so you should make them aware before submitting your details to get pre-approval for motor finance.

CRAs link your records together and these links will remain on your and their files until such time as you or your financial associate successfully files a request with the CRAs to break that link.

The above soft search will give us an overall view of your financial health (including your credit score) but not your full credit report. This will help us determine whether a full application is likely to be successful and the interest rate we might charge.

It’s only when you proceed to complete a full application and we fund the loan that we perform a full search of your credit report which can be visible by other lenders.

CRAs will supply to us public information (including from the electoral register), credit, financial situation and financial history information; in addition to financial crime prevention information about you.

We will use your credit file information to:

• Assess your creditworthiness and whether you can afford payments for the motor finance you want

• Verify the accuracy of the information you have provided us

• Prevent criminal activity, fraud and money laundering

• Manage your account if you take out motor finance with us

• Trace and recover debts if you take out credit finance with us

• Ensure any offers provided to you are appropriate to your circumstances

We’ll go on sharing your Personal Data with CRAs for as long as you are a customer. We will also inform CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. They may also provide this information to other organisations including financial institutions who offer similar products to Oodle.

In order to understand more about CRAs, you can read their Credit Reference Agency Information Notice (CRAIN) which will tell you:

• More about their role as a credit reference agency;

• Their role as a financial crime prevention agency;

• The data they hold;

• The ways in which they use and share Personal Data;

• Data retention periods; and

• Your data protection rights.

You can access the CRAIN for each of the CRAs we use here:

• TransUnion

• Equifax

• Experian

Financial crime prevention agencies

As a regulated financial services business, we are committed to preventing financial crime which includes fraud, money laundering, tax evasion or terrorist financing.

When you register or apply to use our services we will share your Personal Data with financial crime prevention agencies. This is because we have a legitimate interest in preventing financial crime and we are required to verify your identity in order to protect our business and to comply with laws that apply to us. The agreement that you have with us also allows us to share your Personal Data with financial crime prevention agencies.

If you give us false or inaccurate information, or if we suspect or identify fraud, money laundering, tax evasion or terrorist financing, we may record this and pass this information to financial crime prevention agencies and other relevant organisations, including law enforcement agencies. We and other organisations may access and use this information to prevent fraud, money laundering or other criminal activity.

As part of the processing of your Personal Data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.

You have rights in relation to automated decision making: if you want to know more please refer to the “Automated Decisions and Profiling” section below.

If we, or a financial crime prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you.

Financial crime prevention agencies may hold your information for different periods of time, and if you’re considered to be a fraud or money laundering risk, your information may be held for up to six years. It may also result in us and others refusing to provide services, financing or employment to you.

We use Cifas to help prevent fraud, money laundering and to verify your identity. Further information about how Cifas process your data can be found on their Fair Processing Notice.

You can contact us at dataprotectionofficer@oodlefinance.com if you’d like to know more about the financial crime prevention agencies we use.

Open Banking

At Oodle we may use Open Banking to liaise with your financial services providers to easily verify your income and other financial information.

We may do this when you first apply for motor finance with us to check you can afford the payments. We may also use Open Banking if you have motor finance with us but you experience financial difficulties, so we can easily check your financial position and consider the best ways to support you.

We will only use your Open Banking data with your informed consent, which will be sought from you via a link sent to your mobile phone. If you provide consent, we will have access to the transaction information from your bank account for the last 12 months. We will usually receive a one-off snapshot of 12 months of transaction history, which will be held on your file.

However, please note that some banks have set up their Open Banking so that third parties receive access to data for a longer period. In these instances, please be aware that the Open Banking access will remain in place for the period set by your bank, which is usually for up to 90 days post consent.

We will not give your Open Banking data to any third parties, unless we have a lawful basis to do so in accordance with this Privacy Notice. For more information about Open Banking please see http://www.openbanking.org.uk/customers/what-is-open-banking/.

The Open Banking platform we use Consents Online Limited.

Automated Decisions and Profiling

In some instances, our use of your Personal Data may result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.

Automated decision-makings means that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without our human review. For example, we use automated decisions to consider your creditworthiness if you make an application for motor finance. We have implemented measures to safeguard the rights and interests of individuals whose Personal Data is subject to automated decision-making.

When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision. To understand more about this and how you can exercise your right for human intervention please see the “Your rights” section below.

How long we keep your information and how we store it

We only retain your Personal Data for as long as necessary for the purposes described in this Privacy Notice. For example, we retain Personal Data we collect from you where we have an ongoing legitimate business need to do so to provide you with our services or to comply with applicable legal, tax or accounting requirements.

In the event that you make an application to use our services, we will only store your Personal Data whilst you continue to use our services and for a period of 6 years thereafter (or such longer period as is necessary for the proper performance of our regulatory obligations to you).

When we have no ongoing legitimate business need to process your Personal Data, we will either delete or anonymise it or, if this is not possible (for example, because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible.

In order to ensure fair and transparent processing, we will, taking into account our processing activities, adopt appropriate procedures for the processing of Personal Data, which shall include implementing technical and organisational measures which take into account the harm that may be suffered, and correct inaccuracies identified in Personal Data processed, so that risk of errors are minimised and your Personal Data is processed in a fair and secure manner.

All information you provide to us is stored on our secure servers which are located in England. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Your rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right to rectification – You have the right to ask us to correct your information if you think it is inaccurate or update it if it is incomplete. We may need to ask for further information from you to correct or update your information.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances. We will action your request UNLESS we have a lawful basis that allows us to continue to hold and process your data.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances, which is normally only temporary. For example, you may want us to do this while we are updating a change to your information because it is inaccurate or incomplete.

Your right to object to processing – You have the right to object to processing if our lawful basis to process your information is because it is in our legitimate interests. We will action your request UNLESS we have a lawful basis that allows us to continue to hold and process your data other than solely for our legitimate interests.

Your right to data portability – You have the right to ask us to provide you with the Personal Data that we hold about you in a structured, commonly used, machine readable form, or ask for us to send such Personal Data to another data controller. This only applies to information you have given us.

Your right to human intervention – When you apply for motor finance we’ll use automated decision-making to decide whether to lend to you. If we decline your application, you can ask one of our underwriters to review our decision.

Your right to withdraw consent – You have the right to withdraw your consent to us processing your data at any time. Whether we will be able to action your request depends on our lawful basis for holding and processing it. We will confirm the outcome of your request and where relevant our records will be updated accordingly. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Your right to raise a concern – You have the right to be confident that we are using your personal information responsibly and in line with good practice. If you have a concern about the way we are handling your personal information you have the right to raise this with us, and we will take your concern seriously and work with you to try and resolve it.

Your right of access – You have the right to ask us for copies of your personal information, also known as making a Data Subject Access Request (“DSAR”). If you would like to exercise this right please contact us at DSAR@oodlefinance.com

To contact us about any of your other rights please email us at dataprotectionofficer@oodlefinance.com.

Please note that we may ask you to provide a form of identification verification before we can review any requests made by you in relation to your rights.

You are not required to pay any charge for exercising your rights.

We have one month to respond to you to confirm the action taken, the outcome of any decision and the reasons why.

Links to other websites

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Overseas transfers

Some of our service providers and other organisations that we work with (including credit reference agencies), may be located outside the European Economic Area in countries that do not have the same standards of protection for Personal Data as the UK. We will, however, always use every reasonable effort to ensure sufficient protections are in place to safeguard your Personal Data.

We will also ensure that our service providers enter into compliant processing agreements with us, including for transfers of data outside of the European Economic Area, to ensure that your Personal Data is processed in accordance with the General Data Protection Regulation and other applicable data protection laws.

Marketing

From time to time we would like to send you details of products and services, which may be of interest to you. The provision of Personal Data for the purposes of direct marketing is voluntary and you do not need to provide such Personal Data in order to receive our services. Where you have consented, we may:

• use your Personal Data to send you information about our own products and services and those of our group companies and other carefully selected third parties which may be of interest to you; and

• pass your details to our group of companies and other carefully selected third parties including anyone who introduced you to us, so that they may send you information about their products and services via e-mail, SMS text message, post and / or telephone

You can change your marketing preferences and opt-out of receiving marketing communications at any time by unsubscribing from the relevant communications.

To do this in relation to marketing from our group companies and third parties please write to them. Their contact details should be specified in the marketing communication itself which you have received from them.

Advertising

Like most businesses, we may use advertising to let people know about our services and products. Our use of advertising may involve the use of ad networks which enable potential advertisers to bid for the right to show advertising to you across the web. Part of this process may involve the use of a range of data about you (location, gender, preferences and interests) to allow better targeting of adverts so you hopefully see adverts relevant to you. However, it may mean that data about you is shared with a large number of third parties (ad networks operators and potential bidders).

As a result, you may see adverts for Oodle across the web. This may include where you have visited our website (because we think that because you visited the Oodle website previously you may be interested in Oodle’s products).

If you see an advert for Oodle and also if you interact with the advert and come to Oodle’s website, we may also measure the effectiveness of adverts, including by seeing how long you spend on our site.

We may set various cookies as part of the above. More information on this can be found in the “Cookies” section below and in our Cookies Policy which you can access here. In addition to the cookies set on our site, third party sites will also set cookies. You should be given the opportunity to refuse consent to the use of cookies when you visit third party sites that display advertising (along with any other cookies that aren’t necessary for the site to operate).

In addition to cookies and similar technologies used by Oodle as part of advertising to you across the internet, if you are an existing customer of Oodle, we may also send your contact details to social media sites. We may do this so we can find out if you’re also a member of those sites and if so, advertise our products to you through those sites. For example, we may use Facebook’s Custom Audiences for this purpose. If we provide contact details to Facebook, they will only use this data for the purpose of determining whether you’re on Facebook.

Cookies

A cookie is a small text file that is stored on your computer or device when you visit a website. Cookies are used by all websites, and have several different functions.

At a basic level cookies will:

• Allow the site to work properly, and help keep it secure

• Help us understand how people use the website

• Make the site easier to use by remembering information that you’ve entered

• Improve your experience by showing you information that’s relevant to you

You can view our full Cookies Policy here.

ReCAPTCHA

We use Google reCAPTCHA on our website(s) to ensure we are protected from spam and abuse. You will see this when you have made an application for motor finance when you log into your account. In addition to Google reCAPTCHA using data to provide services to Oodle, they also make use of data for their own purposes. For more information about ReCAPTCHA please refer to Google’s Privacy Policy and Terms of Use by clicking on the respective links.

Further questions or concerns?

If you have any further questions about data privacy at Oodle, or if you are unhappy with how we’ve handled your information, you can contact the Data Protection Officer at dataprotectionofficer@oodlefinance.com or via our postal address:

Data Protection Officer (DPO)

Fletcher House

Heatley Road

Oxford

Oxfordshire

OX4 4GE

If you remain dissatisfied you can refer your concerns to the Information Commissioner’s Office (ICO), the body that regulates the handling of Personal Data in the UK, at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5A

Tel: 0303 123 1113

Website: www.ico.org.uk

Changes to this Privacy Notice

We may modify this Privacy Notice from time to time, so please review it regularly.

Any material changes we make to our privacy notice in the future will be posted on this page and, if appropriate, be sent to you by email.

This Privacy Policy was last updated on 1 November 2020.