Data Privacy Notice

Introduction

The privacy and security of your data is of paramount importance to all of us at Fiinu. Please read this Privacy Notice carefully before using our website, digital channels, mobile app, or any of our services. If you have any questions or queries about the contents, please email us at dpo@fiinu.com.

As of 31 December 2020, the European General Data Protection Regulation (GDPR) no longer directly applies in the UK. However, the UK has passed its own version into law, known as the UK GDPR (United Kingdom General Data Protection Regulation). All references to GDPR in this Policy are to the UK GDPR, which has equivalent legal provisions to the EU GDPR.

Personal data may be transferred to recipients located in countries outside the UK. In particular, your personal data will be stored locally, but may also be stored and backed up on servers located outside of the UK. We may also share your personal data with our trusted service providers and partners, some of which may be located outside the UK or the EU.

In accordance with applicable data protection laws in the UK, we ensure that whenever we transfer your personal data outside of the UK, your personal data is protected by ensuring that either:

  • The country outside of the UK or EU to which your personal data is transferred has been deemed to provide an adequate level of protection for personal data; or
  • The recipients of your personal data in the relevant country outside of the UK or EU enter into standard contractual clauses which offer other appropriate data privacy safeguards.

Who are we and how can you contact us

About us

This document is the combined Privacy Notice for the Fiinu Group of companies (henceforth collectively referred to as “Fiinu”):

  • Fiinu Ltd, Company Registration number 12973786.
  • Fiinu Holdings, Company Registration number 10544700.
  • Fiinu PLC, Company Registration number 04947859.

The Registered Office address for these entities is Meadows Business Park, Station Approach, Blackwater, Camberley, GU17 9AB.

Like any business, Fiinu also processes personal data to support its routine business operations. This includes handling data relating to business and consumer contacts and members of staff.

This privacy notice provides a high-level overview of how we use and share personal data across Fiinu and explains how and why Fiinu uses your personal data. When we talk about personal data we mean any information that relates to an identifiable natural person. When we use terms such as “we”, “us” and “our” in this Policy, we mean Fiinu.

This notice applies to personal data processed by or collected on behalf of Fiinu. We may collect information from you when you visit our website, download our app, apply for a service, contact us by telephone or email or receive a communication from us relating to your service.

You should read this notice so you know what personal data we collect about you, what we do with it and how you can exercise your rights in connection with it.

At the end of this notice, we have included links to external websites providing further information that you need to consider. We have also included details of contact points, including those for our Data Protection Officer, which you can use if you wish to ask us for further information or to exercise your rights.

You will see at the end of this notice that we mention the privacy notices of Fraud Prevention Agencies and Credit Reference Agencies for your consideration. Please read them carefully and contact those organisations if you have questions relating to their privacy notices.

Controllers

Fiinu is a “Data Controller”. This is a legal term which means that we make decisions about how and why we use your personal data. As the “Data Controller”, we are responsible for making sure that your personal data is used in accordance with applicable data protection laws. As Data Controller, we are required by law to give you the information in this notice.

However, on occasions there may be other Data Controllers involved in processing your data, as further explained in this notice, or as you may be advised at the time your information is to be processed.

Contact details

You can contact us about issues relating to personal data, including the contents of this notice, by any of the following methods:

  • Post: Fiinu Limited, Meadows Business Park, Station Approach, Blackwater, Camberley, GU17 9AB.
  • Email: dpo@fiinu.com

What do we use personal data for?

We collect and process personal data for several purposes, for which we need to articulate the legal grounds to justify processing of personal data. This section explains the purposes for which we use personal data, providing legal grounds relevant to you. More detail about the types of personal data that we use for these purposes can be found in section 1.4 below.

Processing relating to Products and Services

Many of our products and services rely on the use of personal data to perform on our contracts with customers, or for activities during the application stage. For example:

  • Data is used for activities relating to managing customer accounts, such as enquiry, application, administration and management of accounts, management of fees, charges and interest due on customer accounts.
  • Account administration and management such as updating customer records and tracing customer whereabouts for contacting purposes and for the recovery of debt.
  • We use credit referencing and affordability services data, which includes obtaining personal data from Credit Reference Agencies for credit risk assessment and other purposes. This includes information about credit repayments, court judgments and insolvencies.
  • We gather personal data from numerous sources and use it to confirm the identity of the consumers that we are dealing with. This helps us to prevent identity theft and other kinds of fraud, as well as help to reduce the risk of money laundering.
  • We make use of third-party service providers for open banking services that allow consumers to authorise us to obtain access to transactions information from their current accounts. This helps to provide a faster, more efficient way for consumers to demonstrate their financial position to us if they choose to do so.
  • We make use of third-party service providers, such as core banking services, for storage and processing of information and transactions.
  • We use data to exercise our rights set out in agreements and contracts.
  • Our marketing services involve gathering personal data from data suppliers and using it for marketing and related purposes. This includes names and addresses from the open version of the electoral register. We may also perform analysis of transaction and other data in order to help us understand our customers better.

Data evaluations and sharing

We use and share data for evaluation purposes. This includes assessing its suitability for a particular purpose and, for example, deciding whether or not it would be useful to us as part of a product or service. Sometimes it may be necessary to share data with a third party, such as a Credit Reference Agency, for them to be able to match it to data that they hold and return additional data to us.

“Automated decision making” refers to decisions we make about customers, such as suitability for a product, using computer based and automated systems without a person being involved in making that decision. “Profiling” means automated processing of personal data to evaluate personal aspects about customers, such as analysing or predicting disposable income, economic situation, personal preferences, interests, health, reliability, behaviour, location or movements.

When we evaluate data, we apply a range of safeguards to protect the interests of consumers. For example, we anonymise or pseudonymise the data where possible, we ensure it is protected with appropriate security measures, and we limit the quantities of data and the period for which it is used and retained.

Similarly, we sometimes provide data to our service providers and third parties for them to evaluate or process it. For example, we share personal data with:

  • Payment service providers to execute payment instructions.
  • Fraud Prevention Agencies, for the purpose of performing checks to prevent fraud and money laundering, and to verify customer identity.
  • Law enforcement agencies and governmental and regulatory bodies such as HMRC, the Financial Conduct Authority, the Prudential Regulation Authority, the Ombudsman, the Information Commissioner’s Office and under the Financial Services Compensation Scheme (depending on the circumstances of the sharing).
  • Courts and to other organisations where that is necessary for the administration of justice or debt collection.
  • Our legal advisers, auditors and other professional advisers.
  • Other organisations and businesses who provide services to us such as debt recovery agencies, back up and server hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back office functions.
  • Market research organisations that assist us to improve our products and services.
  • Credit Reference Agencies (CRAs). CRAs maintain credit search footprints and customer credit files containing history on settled accounts, default history on borrowings and records of outstanding debt, that may be seen by other lenders. The CRAs also collect and use personal data for marketing and data profiling activities, to create data modelling tools. These tools are used to model customer behaviour to support marketing, research, brand and product communication campaigns. More information on TransUnion’s process and policy for processing personal data can be found in the notice displayed on the TransUnion website, at https://www.transunion.co.uk/legal-information/bureau-privacy-notice.

Processing required to comply with legal requirements and obligations

As a regulated firm, Fiinu has to comply with many regulatory and legal requirements and obligations that require processing of personal data, for example:

  • We use personal data to carry out identity checks, anti-money laundering checks and fraud prevention checks with Fraud Prevention Agencies. This typically occurs at the application stage and periodically after customer/client onboarding.
  • For compliance requirements relevant to us.
  • For activities relating to the prevention, detection and investigation of crime.
  • To process information about a crime or offence and proceedings related to that, where relevant if we know or suspect a crime or fraud.
  • To capture applicant information that may not have been processed as part of the onboarding process.
  • To establish, defend and enforce our legal rights.
  • To carry out monitoring and to keep records.
  • To deal with customer/subject’s requests for them to exercise their rights under data protection laws.

Operating our business

We use personal data as part of our own internal operations. For example:

  • We hold names, job titles and contact details that we get from our business contacts (such as the representatives of our clients and suppliers), and we use this to manage our relationship with them and for marketing purposes.
  • We hold names, contact details and other information that we get from individuals who make contact with us, and we use that information to deal with their enquiries.
  • We hold information about our members of staff, and we use that information to manage our relationship with them. The information includes details such as employment and educational history, background checks and performance appraisals.
  • We use CCTV cameras throughout the public areas of our business premises to help ensure the safety of our staff and visitors and the security of our information and assets.
  • We use personal data for legal and regulatory purposes. For example, this might include responding to complaints or enquiries from consumers or regulators about how we have used personal data.

What kinds of personal data do we use?

The data we use will depend on the products and services you use and obtain from us. The personal data that we hold and process about you typically falls into the categories as described below:

Identity verification/ who you are

  • Your name and surname.
  • Your date of birth and age.
  • Your address and correspondence address, and address history.
  • Contact details such as phone and email addresses.
  • Your marital status, family, lifestyle or social circumstances if relevant to the application.
  • Electoral registry data.
  • Data that we gather from correspondence with you.
  • Details on the devices and technology you use.
  • Device identifiers including IP address from websites and devices.
  • Data about how you use our products and services.
  • Personal data which we obtain from Fraud Prevention and Credit Reference agencies.
  • Some special categories of personal data such as information about your racial or ethnic origin, health data etc (where relevant).

Employment status, sources of income

  • Information on your employment, or whether you are retired or receive benefits.
  • Data on your financial position, status and history.
  • Data on your salary and other sources of income. Application salary data consists of the salary declared by a person when they are applying for credit. It also includes whether that figure is net or gross, and whether the salary has been verified (e.g. with copies of salary slips). This data also includes the date that an application was made.
  • Information on any savings.
  • Personal data which we obtain from Fraud Prevention and Credit Reference agencies.
  • Some special categories of personal data such as information about your racial or ethnic origin, health data etc (where relevant).

Bank account transaction data, your financial commitments and credit account performance data

  • Bank account information. This data includes the name of the organisation providing current accounts, current account numbers, sort codes, the number of account holders, the transactions made on the current accounts (credits and in some cases debits), and a figure for all credits on each current account (less refunds and intra bank transfers).
  • Information on existing borrowings and loans. The data includes the name of the lending organisation, the date the account was opened, the account number, the amount of debt outstanding (if any), any credit available (including overdraft limits) and the repayment history on the account, including late and missing payments.
  • Details of payments and expenditure behaviour on your bank accounts.
  • Details about payments to and from your accounts to us.
  • Household expenditure data.
  • Personal data about your credit history which we will obtain from Credit Reference Agencies.
  • We obtain data about court judgments and decrees. This may include, for example, the name of the court, the nature of the judgment, how much money was owed, and whether the judgment has been satisfied.
  • We obtain data about insolvency-related events. This includes data about bankruptcies, administration orders, individual voluntary arrangements, debt relief orders, sequestrations, trust deeds and debt arrangement schemes. This data includes the start and end dates of the relevant insolvency or arrangement.

Where do we get your personal data from?

We collect data through our engagement with you through email, correspondence, digital channels, app registration, telephone engagement and open banking where authorised. In addition, we make use of the services of Credit Reference Agencies as a data service provider for several data requirements.

Directly from customers

  • We gather data from customer interactions, including from in person contact, digital channels, video meetings, social media and other forms of engagement.
  • Materials and content posted on our social media pages and social networks.
  • Information gathered through surveys.
  • Information gathered through participation in competitions, promotions and marketing events.

Data we collect when customers use our services

  • Payment and transaction data.
  • Information derived from cookies, which will include Internet Protocol (IP) addresses unless users have set their browser settings not to accept cookies.
  • Statistical information about computers and devices, where available, such as IP address, operating system and browser type, for system administration and support purposes.
  • Cookie information for identification and fraud prevention.

Data from third parties

  • Companies that introduce customers to us, such as brokers, business partners and agents working on our behalf.
  • Data obtained through open banking.
  • Data obtained from comparison websites.
  • Data obtained from Fraud Prevention Agencies (FPAs).
  • Public Information from sources such as Companies House.
  • Data from Market Researchers.
  • Government and law enforcement agencies.

Data sourced from Credit Reference Agencies (CRAs)

  • We obtain personal data from Credit Reference Agencies to verify identity and credit worthiness. This may include data gathered from Fraud Prevention Agencies, employers, landlords, other lenders, Her Majesty’s Revenue and Customs (HMRC), the Department for Work and Pensions, publicly available directories and information (e.g. social media, internet, news articles and telephone directories).

How long is the personal data kept for?

We take all reasonable steps to maintain personal data storage safely and securely and fully in accordance with the UK Data Protection Act 2018. You will need to contact us for our specific activities to find out exactly how long the data is kept for. The main points we think you might be interested in are:

  • We will keep personal data for up to seven years. This includes credit agreements, application forms (paper and electronic), ID provided, credit scores, payment default records and complaints.
  • Credit reference data (such as your credit history, judgments, bankruptcies, etc) generally stays on your credit file for a period of six years. After that it is not used to make any decisions about you, but it is still used for a further four years for statistical analysis purposes.
  • Electoral register data is kept for the period that you reside at the relevant address, and for a further 14 years after you have moved out.
  • Search footprints stay on your credit file for at least two years.
  • Fraud Prevention Agencies can hold personal data for different periods of time, and if a person is considered to pose a fraud or money laundering risk, the data can be held for up to six years.
  • Personal data may be held for a longer period due to business continuity and backup procedures. This is in line with ICO guidance on retention of data which has been backed up. This data will not be used for any other purpose.

What is our legal basis for handling personal data?

This section explains the legal basis on which we process your personal data.

Legitimate interests

We sometimes rely on consent in order to process personal data, but this is relatively rare. The majority of what we do with personal data is not based on consent but instead based on other legal grounds. For processing that is based on consent, individuals have the right to revoke that consent for future processing at any time. This can be done by contacting Fiinu using the contact details in this Privacy Notice. Revoking consents may have consequences such as not being able to receive marketing communication, or not being able to consider special categories of personal data such as health or vulnerable customer information.

Payment services regulations require that we must share some personal data with other payment service providers in some circumstances, such as when customers ask us to share information about their accounts. Whilst those payment services regulations mention ‘consent’ for this, ‘consent’ in that context does not have the same meaning as ‘consent’ under data protection laws. The legal grounds which may be relevant to this are compliance with our legal obligations, performance of our contract with a customer, our legitimate interests, or a combination of these. It should therefore be noted that when you revoke consent with respect to what we do with your personal data, we may still have to hold and use that personal data if we need to, as required by payment services regulations.

Performance of our contract with you

If you sign up for our services, we agree to provide you with services as set out in the Terms & Conditions. We need to use some of your personal data to be able to provide you with those services. We also use this basis for processing some of our staff data.

Who do we share the personal data with?

Service providers

We may provide your information to third parties who help us use it for our business activities. For example:

  • Data is shared with Credit Reference Agencies.
  • Our databases of personal data may be hosted by third parties on our behalf.
  • Some of our products and services rely on us sending personal data to third parties who then analyse or enhance it and return the results to us.
  • We use third party email broadcasting services in order to send emails.
  • We use payment service providers in relation to any payments made by individuals.
  • We sometimes use market research companies to help us better understand our customers.
  • We use cloud-based technologies such as Microsoft Office 365 in the course of our ordinary business operations.
  • Our CCTV system is operated by a specialist sub-contractor.

Business transfers

If we sell our business to a third party, or go through a corporate reorganisation, we will transfer personal data to the company that acquires the business.

Regulators

We may sometimes need to pass personal data to a regulator such as the Information Commissioner’s Office, the Prudential Regulation Authority, the Financial Conduct Authority or the London Stock Exchange’s AIM Regulator.

Where is the personal data stored and sent?

We are based in the United Kingdom, and will access and host your information predominantly in the UK and Ireland.

Monitoring involving processing of personal data?

Monitoring means any listening to, recording of, viewing of, intercepting of, or taking and keeping records of, face-to-face meetings, calls, emails, text messages, social media messages and other forms of communication.

Where permitted by law or required by regulations, we may monitor processing of personal data. For example, in some cases the Financial Conduct Authority’s regulatory regime may require us to record certain telephone calls or in person meetings.

Some of our monitoring may be to comply with regulatory rules, own risk management practices or procedures relevant to our business, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures, to have a record of what we have discussed with you and actions agreed with you, to protect you and to provide fraud risk management security for you, and for quality control and staff training purposes.

Is personal data used to make decisions about you or to profile you?

We perform the following automated decision-making and profiling activities using your personal data. When we refer to profiling, we mean using personal data to make predictions about you, or to categorise you into particular groups.

Individual-level profiling

We use personal data to predict or infer new information about you. In particular:

  • We use the data that we gather, such as credit and utility repayment history, judgments, insolvencies and the electoral register, to generate scores that can be used to help assess your creditworthiness.
  • Our data marketing services involve combining personal data with other information such as census statistics to make predictions about people’s lifestyles or preferences.

Aggregated profiling

We use personal data to predict or infer information about the areas that people live in. This includes information such as the lifestyle, age or wealth of the typical residents of those areas.

Decision-making

We use personal data or profiling to make automated decisions, for example, we use credit scores to help us decide whether or not to grant you credit, and we use behavioural scoring to inform decisions to reduce or increase credit lines.

What are your rights in relation to the personal data we hold about you?

Individuals have several different rights in relation to the personal data that we hold about them. These are briefly described below. To enquire about exercising these rights, please email us at dpo@fiinu.com or use the Fiinu app to contact us.

  • To be informed: The purpose of this privacy notice is to be transparent with you about the processing that we do with your personal data. The information we process is determined depending on the personal data we collect directly from you or indirectly via someone else (such as a third-party provider).
  • Access: You have a right to find out what personal data we hold about you, and certain other information such as how we are using it.
  • Automated decision making: This right allows individuals in certain circumstances to access certain safeguards against the risk that a potentially damaging decision is taken solely without human intervention. In cases where automated decision making has a legal effect or otherwise significantly affects you, you have the right to obtain human intervention and an explanation of the decision, and you may be able to challenge that decision.
  • Rectification: If the information that we hold about you is inaccurate or out of date, you have a right to ask us to correct it.
  • Objection to direct marketing: You have the right to object to us using your personal data for direct marketing or where it is processed for the purposes of statistics. If you do this, we will stop using it for those purposes.
  • Objection to legitimate interests: If you disagree with us relying on the legitimate interest grounds for using your personal data, you can object to us doing so. We will then reassess the extent to which we can continue to use the data in light of your particular circumstances.
  • Withdrawal of consent: When we rely on your consent to use your data, you have the right to withdraw that consent at any time.
  • Erasure (also known as the “right to be forgotten”): In certain circumstances you can ask us to delete your personal data from our systems. However, this usually won’t apply to all of your data because we might have good reason for needing to keep some of it. For example, if you object to us using your data for direct marketing purposes we will need to keep a record of that objection so that we do not subsequently begin direct marketing activities in relation to you if we receive your data again. Requests for erasure may be refused in some circumstances such as where the personal data must be retained to comply with a legal obligation or to exercise or defend legal claims.
  • Restriction: In some circumstances you can ask us to restrict the ways in which we use your personal data.
  • Portability: In some circumstances you have the right to receive some limited kinds of information in a portable format. This right can only be relevant where personal data is being processed based on a consent or for performance of a contract and is carried out by automated means.
  • Complain: You also have a right to complain to the Information Commissioner’s Office (ICO website) which regulates the processing of personal data in the UK. If you wish to exercise any of these rights against the Credit Reference Agencies, the Fraud Prevention Agencies, or other intermediary who is Data Controller in its own right, you should contact them separately.

Useful links

Credit Reference Agency Privacy Notice

More information about how Credit Reference Agencies operate and how they use your information is available at:

TransUnion

https://www.transunion.co.uk/legal-information/bureau-privacy-notice

Additional useful links

ICO website

https://ico.org.uk

ICO guidance for back up retention

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

Credit Industry Fraud Avoidance System

https://www.cifas.org.uk/fpn

Who can you complain to if you are unhappy about the use of your personal data?

We try to ensure that we deliver the best levels of customer service but if you are not happy you should make contact so that we can investigate your concerns. Please contact us using these details:

Post: Fiinu Limited, Meadows Business Park, Station Approach, Blackwater, Camberley, GU17 9AB.

Email: You can contact our Data Privacy Officer at dpo@fiinu.com

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the body that regulates the handling of personal data in the United Kingdom. You can do this online through the ICO’s website at www.ico.org.uk, by telephone on 0303 123 1113, or by writing to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.