Introduction

We are committed to protecting your privacy when dealing with your personal information as data controller. This Privacy Policy sets out details of the information that we may collect from you and how we may use that information. This Privacy Policy covers any personal products or service you have with us, including savings, financing. Please read this Privacy Policy carefully. When using our website (the "Website"), this Privacy Policy should be read alongside, and in addition to, the Website terms and conditions.

About us

In this Privacy Policy references to "we" or "us" or "Gatehouse Bank" are to Gatehouse Bank plc, a company incorporated in England and Wales (registered number 06260053) ("Gatehouse Bank plc") which has a registered office at The Helicon, One South Place, London, EC2M 2RB.

Irrespective the type of product you have with us or purpose for which data is provided, Gatehouse Bank plc is the data controller of your personal information.

Our processing of your personal information

We will only collect information in line with relevant law and regulations. We may collect it from a range of sources and it may relate to any of our products or services you apply for, currently hold, or have held in the past. We may also collect information about you when you interact with us, e.g. visit our website or call us or ask about any of our product and services.

We do not ask for "special categories of personal information” (which is information relating to your health, genetic or biometric data, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership) or criminal convictions. We may obtain information on criminal convictions when we check third party sources for your information. You may also choose to provide us with health data if you wish us to interact with you in a particular way.

Where you provide personal information to us about other individuals (for example, directors of your company, shareholders, your employees, family members to be named on your account or on your product) we will also be data controller of their personal information. You should refer them to this notice before supplying us with their data on their behalf.

Some of the information will come directly from you e.g. when you provide ID to open an account. It can also come from your broker or finance intermediary, or other Gatehouse group companies, if for example they refer you to us for another Gatehouse product.

The information we collect may include:

Financial - Your financial position, history and status

Contact - Your name, address, email address, landline and mobile numbers

Socio - Demographic
This includes details about your profession, nationality

Transactional - Payments into your account, transaction records, your credit, your payment history

Contractual - Details about the products and services we provide you

Usage data - Data we get about where you are. This may come from where you
connect a computer to the internet, we also use cookies to collect data, to deliver content specific to your interests, and for other purposes.

Communications - Information that you give us by filling forms, or by communicating with us, whether face to face, by phone, email, or otherwise.

Open Data and Public Records - Details from publicly available sources such as Electoral Register, and information about you that is openly available on internet

Documentary Data - This could include documents like your Photo ID, Passport information, National Insurance number, National ID card, Driver’s license

Special categories of data - Details about your criminal convictions or related information. This will include information relating to offences or alleged offences if they are found in a third party search.

Marketing and sales information - Details of services you receive and your preferences

Risk rating information - Information from Credit Risk agencies for Credit risk rating, underwriting information

Investigation data - Information that we need to support our regulatory obligations, e.g. due
diligence checks, sanctions and anti-money laundering checks, external intelligence report, information about transaction details, detection of any suspicious and unusual activity and information about parties connected to you or these activities.

Security details - Login credentials for online banking


How will we collect your personal information?

Information that you provide to us, e.g.

  • personal details: e.g. name, date and place of birth;
  • contact details: e.g. address, email address, mobile and landline numbers
  • information relating to your identity: e.g. passport, National id, National insurance number
  • user login data: e.g. login credentials for online banking
  • information that you give us by filling out forms or by communicating with us, whether face-to-face, by phone, email, or otherwise;
  • lifestyle information: e.g. income, credit commitments, living costs and expenditures for finance affordability assessment

Information we collect or generate about you, e.g.

  • your financial information, products and services you hold with us, channels you use and your ways of interacting with us, your ability to get and manage your credit, your payment history, transaction records, and information concerning complaints and disputes;
  • information we use to identify and authenticate you e.g. login credentials;
  • marketing and sales information: e.g. details of services you receive, your preferences;
  • cookies to deliver content specific to your interests, and for other purposes, your IP address, the pages you visit within our site.
  • risk rating information: e.g. underwriting information, credit risk;
  • investigations data: e.g. due diligence checks, sanctions and anti-money laundering checks;
  • records of correspondence between us, e.g. emails;
  • information that we need to support our regulatory obligations, e.g. information about transaction details, detection of any suspicious activity.

Information we collect from other sources, e.g.:

  • companies or individuals that introduce you to us for your financing requirements;
  • from Credit Reference Agencies such as Equifax in the event you are an applicant of one of our residential financing products;
  • public information sources such as Electoral register or Companies House.

Use of CAPTCHA

Our website utilizes CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to enhance security and prevent automated abuse or misuse of our online services. CAPTCHA helps verify that users accessing our website are human and not bots, thereby protecting the integrity of our systems and ensuring a safer online experience for our users.

What data is collected?

When you interact with our CAPTCHA system, certain technical information may be collected automatically, such as your IP address, browser type, device information, and cookies. This data is collected solely for the purpose of CAPTCHA verification and is not used for any other purposes.

How is this data used?

The data collected through CAPTCHA is used solely for the purpose of preventing spam, abuse, and unauthorized access to our website. It helps us distinguish between legitimate human users and automated bots, thus enhancing the security of our online platform.

Third-party disclosure

We may share CAPTCHA data with third-party service providers who assist us in implementing and managing our CAPTCHA system. However, we do not sell, trade, or otherwise transfer this data to outside parties for marketing or other purposes.

Your consent

By using our website and interacting with the CAPTCHA system, you consent to the collection and processing of your data for the purposes outlined above.

Your rights

You have the right to access, update, or delete the data collected through CAPTCHA. If you have any questions or concerns regarding the use of CAPTCHA or the data collected, please contact us at privacy@gatehousebank.com.

What will we use your personal information for?

We may use your personal information for a number of different purposes. In each case, we must have a "legal ground" to do so. We will rely on the following “legal grounds”, when we process your "personal information":

  • We need to use your personal information to enter into or perform the product that we hold with you. For example, we need to use your personal information to set you up on our systems and communicate with you.
  • We have a legal or regulatory obligation to process such personal information. For example, our regulators require us to make certain checks and hold certain records of our dealings with you. These include verifying your identity and the source of your funds.
  • We need to use your personal information for a justifiable purpose (e.g. to keep a record of the decisions we make when different types of applications are made, to keep business records, to carry out strategic business analysis, review our business planning and to develop and improve our products and services). When using your personal information for these purposes, we will always consider your rights and interests and ensure that your right to privacy is taken into consideration and that we have justifiable reasons for using the personal information in that way.

When the information that we process is classed as “special categories of personal information", we must have an additional “legal ground". We will rely on the following legal grounds when we process your "special categories of personal information":

  • We need to use such special categories of personal information to comply with our regulatory requirements to investigate whether you have committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct.
  • We need to use such special categories of personal information to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves or when we are investigating a legal claim that a third party brings against you.
  • You have provided your consent to our use of your special categories of personal information. This may be because you have a specific health condition and wish us to know about it in our dealings with you.
  • Further detail on these legal grounds are provided below.

Processing activity, To deliver our products and services: Our reason Administer your accounts, or process your transactions Legal Ground We will do this in order to perform our contract with you.

Processing Activity, Banking operations support Our reason, We will use your information to enable the provision and function of our banking services in line with regulation, laws and customer rights and interests, e.g. complaints management and exit management. Legal Ground The lawful reasons for processing these are legitimate interest, legal obligation and in order to perform our contract with you.

Processing activity To prevent and detect crime including, e.g. fraud, terrorist financing and money laundering. Our reason, This will include monitoring, mitigation and risk management, carrying out customer due diligence, name screening, transaction screening - payments from are who they say they are, and aren’t subject to any sanctions, and customer risk identification. We may share your information with relevant agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime. For further information on our use of fraud agencies please see below. Legal Ground We do this to comply with our legal and regulatory obligations. To the extent it includes Special categories of personal data to comply with our regulatory requirements to investigate whether you have committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct.

Processing activity Risk management, Our reason We will use your information to measure, detect and prevent the likelihood of financial, reputational, legal, compliance or customer risk. This includes credit risk, operational risk. For further information on our use of credit reference agencies see below. Legal Ground We will do this because we have a legitimate interest in ensuring that we carry out a proper risk assessment prior to providing finance.

Processing activity Online Banking/ portal, Our Reason We will use your information to allow us to provide you with access to Gatehouse Bank online platforms. The platform may allow you to directly or indirectly communicate with us through using Online Banking/ portal, or applying for products and services online. Legal Ground The lawful basis for using your information for this purpose is to perform our contract with you.

Processing activity Marketing (please see further information on our marketing activities below), Our reason If you are a Gatehouse savings or residential finance customer and did not opt out at the time your data was collected to receiving marketing from us, you may receive marketing messages from us You can change your mind on how you receive marketing messages or choose to stop receiving them at any time. To make that change, contact our DPO using the details provided in the section “Contacting us”. Legal Ground The lawful basis for this is our legitimate interest.

Processing activity, Tracking or recording activities. Our reason, We may record and keep track of our conversations you have with us including phone calls, emails. We may use these recordings for Quality assurance, training or Audit. We may also capture additional information about these interactions, e.g. telephone numbers that you call us from. We use closed circuit television on our sites and these may collect images or videos of you. Legal Ground, We would do this on the basis that it’s in our legitimate interest. Where the information contains special categories of personal data to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves or when we are investigating a legal claim that a third party brings against you.

Processing activity, Protecting our legal rights. Our reason, We may need to use your information to protect our legal rights, e.g. in the case of defending or the protection of legal rights and interests (e.g. arrears management, enforcing or protecting our security or defending rights of intellectual property); court action; managing complaints or disputes. This may be in connection with action taken against you or other persons, e.g. joint customers. Legal Ground We would do this on the basis that it’s in our legitimate interest. Where the information contains special categories of personal data to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves or when we are investigating a legal claim that a third party brings against you.

Profiling and Automated Decision Making

We may use automated system to help us make decisions. We may use technology that helps us identify the level of risk involved in customer, e.g. for fraud or financial crime reasons.

Profiling is any form of automated processing of personal information to evaluate certain personal aspects. Home finance underwriting is based on profiling as it assesses the likelihood of you being able to honour your finance payment obligations.

We use profiling as part of:
• Assessing home finance applications.
• Assessing eligibility for a Gatehouse Savings product.
• Preventing and detecting fraud. We use systems to help us recognise likely indications of fraud. This might result in your file being passed to our fraud team for further investigation.
• If you have provided your consent, we will use profiling to target certain marketing communications to you.

We keep our profiling process under regular review and, in most cases, an individual will then make a decision based on the outcome of that profiling.

Automated decision making refers to a situation where a decision is taken using personal information that is processed solely by automatic means (i.e. using an algorithm or other computer software) rather than a decision that is made with some form of human involvement.

As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behavior to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us using the details provided in the section “Contacting us”.

Automated decision making is widely used in the banking industry to offer and administer financial products efficiently and accurately. Where an automated decision produces a legal or other similarly significant effect concerning you (for example, where your application for finance is rejected), we will only carry out automated decision making:

• using your personal information where it is necessary for the purposes of entering into or performing a contract with you (e.g. to assess your home finance application);

• using your special categories of personal data where it is necessary for preventing fraud or meeting our regulatory obligations.

In all other cases, we will ask for your consent in advance.

Please see section ‘Your rights’ for the rights that arise when we carry out automated decision making.

What marketing activities do we carry out?

We may use your information to provide you with details about Gatehouse Bank products and services. We may send you marketing messages by email, telephone, text or post. We will only do this if you enquired or have purchased a product or service from us and you have not opted out of marketing. You can change your mind on how you receive marketing messages or choose to stop receiving them at any time. To make the change please contact our DPO using the details set out in section “Contacting us”.

If you ask us not to send you marketing material it may take us a short period of time to update our systems and records to reflect your request, during which time you may continue to receive marketing messages. We will continue to use your contact details to provide you with important information, such as changes to your terms and conditions or if we need to tell you something to comply with our regulatory obligations.

Who we might share your information with

We may share your information with others where lawful to do so including where we or they:

• need to in order to provide you with products or services you’ve requested, e.g. fulfilling a payment request;

• have a legal or regulatory duty to do so, e.g. to assist with detecting and preventing fraud, tax evasion and financial crime;

• need to in connection with regulatory reporting, litigation or asserting or defending legal rights

and interests;

• have a legitimate business reason for doing so, e.g. to manage risk, verify your identity, or assess your suitability for products and services;

• have asked you for your permission to share it, and you’ve agreed.

We may share your information for these purposes with others including:

• sub-contractors, agents or service providers who work for us or provide services to us;

• anybody else that we’ve been instructed to share your information with by either you, a joint account holder or anybody else who provides instructions or operates any of your accounts on your behalf;

• people you make payments to and receive payments from;

• your beneficiaries, intermediaries, correspondent and agent banks, clearing houses, clearing or settlement systems, market counterparties;

• tax authorities, credit reference agencies, payment service providers and debt recovery agents;

• brokers who introduce you to us;

• any people or companies where required in connection with potential or actual corporate restructuring, merger, acquisition or takeover, including any transfer or potential transfer of any of our rights or duties under our agreement with you;

• law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
• other parties involved in any disputes;
• fraud prevention agencies who’ll also use it to detect and prevent fraud and other financial crime and to verify your identity;
• anyone who provides instructions or operates any of your accounts on your behalf, e.g. Power of Attorney, solicitors, etc;

How long do we keep personal information for?


We will keep your personal information for as long as reasonably necessary to comply with our legal and regulatory requirements or use it for our legitimate purposes such as managing your account and dealing with any disputes or concerns that may arise.

We have a detailed retention policy in place which governs how long we will hold different types of information for. The exact time period will depend on your relationship with us and the type of personal information. Indicative retention periods are set out below.

Finance applications - 6 months from application if the finance is not taken out

Finance product information - 6 years from when your product has terminated

Gatehouse Savings - 10 years from end of relationship

We may need to retain your information for a longer period where we need the information to comply with regulatory or legal requirements. We will only use your data for those purposes and will make sure if we don’t need to retain information beyond this period of time, we may destroy, or delete it promptly.

If you would like further information regarding the periods for which your personal information will be stored, please contact us using the details set out in section “Contacting us”..

What is our approach to sending your personal information overseas?


Sometimes we (or third parties acting on our behalf) will transfer personal information that we collect about you to countries outside of the European Economic Area ("EEA").
Where a transfer occurs we will take steps to ensure that your personal information is protected. We will do this by putting in place appropriate contracts. We will use a set of contract wording known as the "standard contractual clauses" which has been approved by the data protection authorities.

You can obtain more details of the protection given to your information when it’s transferred outside the EEA by contacting us using the details in the ‘Contacting us’ section below.

Your rights

You have a number of rights in relation to the information that we hold about you which we set out below. These rights might not apply in every circumstances. You can exercise your rights by contacting us at any time using the details set out in section 9. We will not usually charge you in relation to a request.

Please note that although we take your rights seriously, there may be some circumstances where we cannot comply with your request such as where complying with it would mean that we couldn't comply with our own legal or regulatory requirements. In these instances we will let you know why we cannot comply with your request.

In some circumstances, complying with your request may result in your product being cancelled. For example, if you request erasure of your personal information, we would not have the information required to administer your product. We will inform you of this at the time you make a request.

The right to access your personal information: You are entitled to a copy of the personal information we hold about you and certain details of how we use it.

We will usually provide your personal information to you in writing unless you request otherwise. Where your request has been made electronically (e.g. by email), a copy of your personal information will be provided to you by electronic means where possible.

The right to rectification: We always take care to ensure that the information we hold about you is accurate and where necessary up to date. If you believe that there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it.

The right to restriction of processing: In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information we hold about you may be inaccurate or where you think that we no longer need to use your personal information.

The right to withdraw your consent: Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to further use of your personal information.

Please note that for some purposes, we need your consent in order to provide your product. If you withdraw your consent, we may need to cancel your product. We will advise you of this at the point you seek to withdraw your consent.

The right to erasure: This is sometimes known as the 'right to be forgotten'. It entitles you, in certain circumstances, to request deletion of your personal information. For example, where we no longer need your personal information for the original purpose we collected it for or where you have exercised your right to withdrawn consent.

Whilst we will assess every request, there are other factors that will need to be taken into consideration. For example we may be unable to erase your information as you have requested because we have a regulatory obligation to keep it.

The right to object to direct marketing: You have control over the extent to which we market to you and you have the right to request that we stop sending you marketing messages at any time. You can do this either by clicking on the "unsubscribe" button in any email that we send to you or by contacting us using the details set out in section “Contacting us”.

Please note that even if you exercise this right because you do not want to receive marketing messages, we may still send you service-related communications, where necessary.

The right to data portability: In certain circumstances, you can request that we transfer personal information that you have provided to us to a third party.

Rights relating to automated decision-making: We carry out some limited automated decision making to assess whether you meet the criteria for some of our products.

Where an automated decision produces a legal or other similarly significant effect concerning you (for example, where your policy or claim is rejected), you have the right to ask us to reconsider a decision taken by automated means or to take a new decision on a different basis (e.g. by introducing some form of human involvement).

The right to make a complaint with the Regulator: You have a right to complain to the Information Commissioner's Office (ICO) or any other local Data Protection Regulator if you believe that we have breached data protection laws when using your personal information.

You can visit the ICO's website at https://ico.org.uk/ for more information. Please note that lodging a complaint will not affect any other legal rights or remedies that you have.

You can exercise your rights by contacting us using the details set out in the ‘Contacting us’ section below.

Our use of Credit Reference Agencies

If you are applying for our Residential finance, in considering your application we will search your personal and where applicable, business record at one or more Credit Reference Agencies.

They will add details of our search to your records and your application will be seen by other organisations that make searches. Information held about you by the Credit Reference Agencies may already be linked to records relating to one or more of your partners. If you are a director, we will seek confirmation from Credit Reference Agencies that the residential address that you provide corresponds to the address listed on the restricted register of directors’ home addresses at Companies House. Information on the performance of any will be recorded against each director to the finance with Credit Reference Agencies.

We will also add to your personal and where applicable, business record with one or more of the Credit Reference Agencies details of your agreement with us, the payment you make under it, any default or failure to keep to its terms and any change of address you fail to tell us about where a payment is overdue. These records will be shared with other organisations and used by us and them to trace debtors, recover debt, and to manage your accounts.

By making a joint application, you confirm that you are entitled to: disclose information about your joint applicant (note that for the purpose of limited company applications director/ guarantors are considered applicants) and anyone referred to by you; and authorise us to search, link or record information at Credit Reference Agencies about you and anyone referred to by you. If you provide personal data about another person to us, you should provide them with this information concerning the processing of their personal data.

For further information on how Credit Reference Agencies use your personal data, please see https://www.equifax.co.uk/crain.html.

Our use of Fraud Prevention Agencies

We’ll carry out checks with fraud prevention agencies for the purposes of preventing fraud and money laundering, and to verify your identity before we provide products and services to you. These checks require us to process personal information about you.

The personal information you provide or which we’ve collected from you, or received from third parties, will be used to carry out these checks in order to prevent fraud and money laundering, and to verify your identity.

We’ll process personal information such as your name, address, date of birth, contact details, financial information, and employment details, device identifiers including IP address and vehicle details and employment details.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering and to verify your identity. This enables us to protect our business and to comply with laws that apply to us. This processing is also a contractual requirement of any of our products or services you use.

Fraud prevention agencies can hold your personal data for different periods of time. If they’re concerned about a possible fraud or money laundering risk, your data can be held by them for up to six years.

Consequences of Processing

If we, or a fraud prevention agency, have reason to believe there’s a fraud or money laundering risk, we may refuse to provide the services and credit you’ve requested, or to employ you. We may also stop providing existing products and services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services or employment to you. The information we hold about you could make it easier or harder for you to get credit in the future.

To find out more about fraud prevention agencies and how they manage your information, please visit https://www.cifas.org.uk/privacy-notice.

How do we protect your information?

We use a range of measures to keep your information safe and secure which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

What we need from you

You’re responsible for making sure the information you give us is accurate and up to date, and you must tell us if anything changes as soon as possible. If you provide information for another person (e.g. a joint account holder, a beneficiary under an insurance policy or a dependant), you’ll need to direct them to this notice.

Contacting us

If you would like further information about any of the matters in this notice or if you have any other questions about how we collect, store or use your personal information, you may contact our Data Protection Officer by telephoning +44 (0)20 7070 6000 or by e-mailing us at privacy@gatehousebank.com.

Updates to this notice

From time to time we may need to make changes to this notice, for example, as the result of changes to law, technologies, or other developments. We will provide you with the most up-to-date notice and you can check our website [Privacy Notice] periodically to view it.

This notice was last updated September 2024.