Use of your data

Introduction

We are Advantage Finance Limited (company number 03773673) and we are the data controller in respect of your personal data. This policy explains when and why we collect personal data, how this information is used, the conditions under which it may be disclosed to others, and how it is kept secure. If you have any queries about our handling of your personal data, we can be contacted by writing to our Data Protection Officer, Niall Dunn, at Unit 7, Acorn Business Park, Moss Road, Grimsby, DN32 0LW or by email to dataprotection@advantage-finance.co.uk.

This policy explains how we will use the personal data that you provide to us when you apply for motor finance via an online application or via a broker, or that we have obtained about you through our use of your information when you make such an application and, where applicable, when you enter into a finance agreement with us.

Where this policy refers to "we", "our" or "us", unless it mentions otherwise, it's referring to Advantage Finance Limited. Where this policy refers to "you" it's referring to the person applying for motor finance.

What personal data we collect and how we collect it

The personal data you have provided to us: This is information about you that you give to us during your online application or via your broker. This consists of the following categories of information:

• Name
• Date of birth
• Residential address and address history
• Contact details such as email address and telephone numbers
• Financial information
• Employment details
• Vehicle details

The personal data we may receive from other sources: We obtain certain personal data from credit reference and fraud prevention agencies. Please see "Use by credit reference and fraud prevention agencies" below for further information.

If you fail to provide us with any mandatory information that we request from you, we will not be able to proceed with the credit reference and fraud prevention checks described below and, subsequently, we will not be able to consider your application nor propose an offer to you.

How we use your personal data

The purposes for which we use your data and the legal basis under data protection laws on which we rely to do this are as follows:

• Performance of the contract with you or to take steps to enter into it. We may use personal data relating to you which we acquire in connection with any application for motor finance, or any agreement that you enter into with us, to manage, administer and take decisions regarding your agreement(s) with us. This includes verifying your identity, assessing your application and, if we enter into an agreement with you, administering the agreement including tracing your whereabouts to contact you and recover debt and to provide you with the service under that agreement (i.e. managing your account, communicating with you, providing updates on the status of your account, dealing with any complaints or insurance claims and notifying you of any changes to this statement, monitoring communications between us to prevent and detect crime, carrying out statistical analysis to help with decisions about credit and about credit fraud).
• Legitimate interests or that of a third party. This includes:
  • To use the employment data (acquired at the application stage) to contact your employer for voluntary information, during the life of your agreement.
  • For marketing activities (other than where we rely on your consent to contact you with information about our services and products or share your details with third parties to do the same, as explained below);
  • If the organisation has a promotion or competition and you choose to enter into it, your name will be used if you are randomly selected as the winner
  • For assessing the quality of our service and to provide staff training within the business.
  • For processing Special Category data should explicit consent not be gained because either it cannot be given, or every effort has been made to gain the consent (see below Special Category Data).
  • To use the executor information (acquired in the case of a deceased customer) to administer the agreement and potentially recover the debt.
• Compliance with a legal obligation. This includes when you exercise your legal rights under data protection law, to verify your identity, for the establishment and defence of our legal rights, for activities relating to the prevention, detection and investigation of crime, to conduct credit, fraud prevention and anti-money laundering checks and for compliance with our legal and regulatory responsibilities.
• Consent. When processing an application from yourself we may ask for your consent to access Open Banking as part of the process to ensure affordability. The consent allows us to view (on that date) 6 months of your bank statements, via the Account Score/Consents.online platform. We will keep a PDF version of what we see within our records. If we access Consents.online at a later date all we can see is the 6 months of bank statements that you provided us, we cannot view any other banking information. You can withdraw this consent at any time via Consents.online.

Special Category Data

You may notify us of Special Category Data as part of managing your account. Special Category data as defined in Article 9 GDPR/Schedule 1 of Data Protection Act as personal data concerning health matters.

• Explicit Consent. When processing special categories of data about you, for example for our compliance with our legal obligations relating to vulnerable people, we will gain your consent to process this data.
• Vital interests. When receiving an extreme disclosure from yourself which would be used by the emergency services.
• Public Interests/Economic Well-being. When processing special categories of data about you, if we are unable to gain explicit consent, because you are unable to give it or we have made every reasonable effort to gain it from you; and you may be further exposed to the risk of economic well-being (as described below) if we do not process the information. By:
  • Being at further risk of debt and financial difficulty.
  • Being at risk of financial abuse/fraud.
  • Not receiving advice or communications in a way they can make an informed decision.
  • Being excluded from processes, products or services they need.

Use by credit reference and fraud prevention agencies

In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (CRAs). To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information. When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

We will use this information to:

• assess your creditworthiness and whether you can afford to take the product you have applied for;
• verify the accuracy of the data you have provided to us;
• prevent criminal activity, fraud and money laundering;
• manage your account(s);
• trace and recover debts; and
• ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before making an application to us. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at www.experian.co.uk/crain/index.html and/or www.transunion.co.uk/crain and/or www.equifax.co.uk/crain.html

Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process your information. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.

Automated decisions

As part of the processing of your personal data, decisions may be made by automated means.

Your information will be used to assess your credit risk using an automated decision-making technique called "credit scoring". Various factors help us to assess the risk; a score is given to each factor and a total credit score obtained, which will be assessed against a confidential pre-set pass score.

In regard to fraud prevention checks, we may automatically decide that you pose a fraud, credit or money laundering risk if:

• Our processing reveals your behaviour to be consistent with that of known fraudsters, money launderers, higher risk borrowers; or is inconsistent with previous submissions; or
• You appear to have deliberately hidden your true identity; or
• We conclude from the information and data we have received, it would not be responsible for us to agree the finance you have requested.

Use by third parties

We disclose your information to the following third parties:

• To other corporate entities within our corporate group (including S&U plc and their subsidiaries). We are a subsidiary of S&U plc. We may pass on your details to any company within our group in the ways set out in the "How we use your personal data" section and for internal processes such as internal audits.
• Credit reference, fraud prevention agencies, anti-money laundering agencies and/or counter-financial crime organisations (as detailed above).
• HMRC, government authorities, regulatory or law enforcement agencies if we are required by law to disclose it in connection with the detection of crime, the collection of taxes or duties, to enforce or apply the terms of our contracts, to protect the rights, property or safety of our visitors and clients, in order to comply with any applicable law or order of a court, or in connection with legal proceedings.
• Your broker to assist us with administering your application and your agreement with us.
• Third party debt/asset recovery agencies for the purposes of recovering vehicles and/or monies owed to us.
• Any third party to whom we sell your debt. If we do this, you will be notified and that third party will become the data controller of your information.
• Voyc Analytical Software - call data is transferred to them so that they can be transcribed into written documents and analysed for statistical purposes, the calls and transcribes will be stored for one year in Voyc and then deleted.
• Google Document AI - car invoice data is transferred to them so that they can convert it into digital information for our database to interpret, the data will be stored in google for 3 months and then deleted.

Any third party who is restructuring, selling or acquiring some or all of our business or assets or otherwise in the event of a merger, re-organisation or similar event. Third party service providers, agents and sub-contractors acting on our behalf. This may also include providers of data storage and database hosting services, IT hosting, IT software and maintenance services, professional advisors, and third parties that provide income verification services, affordability checks and communication fulfilment services. Courts in the United Kingdom or abroad as necessary to comply with a legal requirement, for the administration of justice, to protect vital interests and to protect the security or integrity of our business operations.

These third parties may share your information with us, which we will use in accordance with this policy. In some cases they will be acting as a controller of your information and therefore we would advise you to read their privacy policy in these instances.

When we use third party service providers, we only disclose to them any personal data that is necessary for them to provide their service.

Where we will store your data / data transfers to third parties

We store your personal data on servers located within the United Kingdom. If at any time we transfer your personal data to, or store it in, countries located outside of the United Kingdom or in The European Economic Area (EEA) (for example, if our hosting services provider changes) we will ensure that appropriate safeguards are in place for that transfer and storage as required by applicable law.

The third parties listed under "Use by third parties" may be located outside of the UK or they may transfer your information outside of the UK. Those countries may not have the same standards of data protection and privacy laws as in the UK. Whenever we transfer your information outside of the UK, we impose contractual obligations on the recipients of that information (Standard Contractual Clauses (SCCs) to protect your personal data to the standard required in the UK. Any third parties transferring your information outside of the UK or EEA must also have in place appropriate safeguards as required under data protection law.

Whenever fraud prevention or credit reference agencies transfer your personal data outside of the UK or EEA, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the UK. They may also require the recipient to subscribe to 'international frameworks' intended to enable secure data sharing.

Retention of your personal data

If we collect your personal data, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We do not retain personal information in an identifiable format for longer than is necessary.

If your application for finance is declined or if your application is accepted but you do not proceed, we keep your information for 3 years or as long as necessary to deal with any queries you may have.

If your application is accepted and you proceed, we hold your information for 10 years from the date at which your agreement is closed, where settled by you or upon default or as long as necessary thereafter to deal with any queries you may have.

Fraud prevention agencies can hold your data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to 6 years. Credit reference agencies will retain the account information that we give to them for 6 years after your account is closed. Please see "Use by credit reference and fraud prevention agencies" for more information about the information that we give to them.

We may hold your information for a longer or shorter period from that described above where:

• the law requires us to hold your personal information for a longer period, or delete it sooner;
• we need your personal information to establish, bring or defend legal claims;
• you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law; and
• in limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.

Marketing

When you enter into an agreement with us, we will send marketing information by post, email or text to you about contract renewals and/or our similar products and services that we think will be of interest to you.

You have the right to opt-out of our use of your personal data to provide marketing to you in any of the ways mentioned above. Please see the "Withdrawing your consent" and "Objecting to our processing of your personal data and automated decisions made about you" sections for further details on how you can do this.

Your rights

You have a number of rights in relation to your personal data under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal data. Except in rare cases, we will respond to you within one month after we have received this information or, where this is not required, after we have received your request.

• To be informed about the processing of your information. This is what this privacy notice sets out to do.
• Object to our processing of your personal data and automated decisions made about you. Where we rely on our legitimate business interests as the legal basis for processing your personal data for any purposes, as set out under "How we use your personal information", you may object to us using your personal data for these purposes by emailing or writing to us at the address above. Except for the purposes for which we are sure we can continue to process your personal data, we will temporarily stop processing your personal data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data. You may object to us using your personal data for direct marketing purposes and we will automatically comply with your request. If you would like to do so, please contact us using the details above or email dataprotection@advantage-finance.co.uk or use the unsubscribe option included within each message. You may also contest a decision made about you based on automated processing by emailing or writing to us at the address above.
• Request that your personal data is erased or restricting its processing. In certain circumstances, you may ask for your personal data to be removed from our systems by emailing or writing to us at the address above. Provided we do not have any continuing lawful reason to continue processing or holding your personal data, we will make reasonable efforts to comply with your request. You may also ask us to restrict processing your personal data where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings. We may only process your personal data whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
• Withdrawing your consent. Where we rely on your consent as the legal basis for processing your personal data, as set out under "How we use your personal information", you may withdraw your consent at any time by contacting us using the details above. If you withdraw your consent, our use of your personal data before you withdraw is still lawful. If you would prefer not to be contacted with marketing information you may opt out by writing to us at the above address or email dataprotection@advantage-finance.co.uk or use the unsubscribe option included within each message.
• Correcting and updating your personal data. The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us on the details provided above.
• Request access to your personal data. You have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address above. We may not provide you with a copy of your personal data if this concerns other individuals or we have another lawful reason to withhold that information.
• Transferring your personal data in a structured data file. Where we rely on your consent as the legal basis for processing your personal data or need to process it in connection with a contract with have with you, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine readable form, such as a CSV file. You can ask us to send your personal data directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal data if this concerns other individuals or we have another lawful reason to withhold that information.
• Complaining to the UK data protection regulator. If you have concerns about the way we have handled your personal data, we encourage you to contact us and we will seek to resolve any issues or concerns you may have. Please refer to our complaints policy. You will also find our contact details above. You have the right to complain to the Information Commissioner's Office (ICO) if you are concerned about the way we have processed your personal data. Please visit https://ico.org.uk/ for further details.

For more information or to exercise your data protection rights, please contact us using the contact details above.

Changes to this policy

We may review this policy from time to time and any changes will be notified to you in writing. Any changes will take effect 7 days after the date of our notification. If you do not agree with any aspect of the updated policy you must immediately notify us and cease using our services.