Last updated: 11th October 2021
We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all of our customers, users, contractors and contacts and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.
In this privacy notice, we explain how Eligible processes the personal data of: (i) individuals whose data has been provided to us by our business customers, so that we can invite those individuals to create an account with us; and (ii) individuals who have registered for an account with us and/or use our services but not as part of an account of an organisation they work for. This privacy notice explains how we use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.
We may receive your personal data from you and/or from third parties, including our business customers, or organisations listed in section 8 below. Our business customers are organisations that provide products and services within the mortgage market, for example, mortgage providers and advisors.
Eligible Limited (Eligible, we, our) is registered as a controller with the Information Commissioner’s Office (ICO). Eligible’s ICO registration number is ZB078146.
- Information About Us
Company: Eligible Ltd
Address: 7 Floor, 109 Cheapside, London. EC4N 8AD
Data protection lead: Zahra Hassan
Email address: firstname.lastname@example.org
Telephone number: 07880 382189
3. What is Personal Data?
Personal data refers to information about an individual or, alternatively, information from which an individual can be identified.
Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
The personal data that we use is set out in section 5, below.
4. What Are My Rights?
Under data protection legislation, you have the following rights, which we will always work to uphold:
- The right to be informed about our collection and use of your personal data. This privacy notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in section 2 of this privacy notice.
- The right to access the personal data we hold about you. You are entitled to receive confirmation that we process your personal data and for a copy of such personal data to be sent to you. Section 10 of this privacy notice tells you how to request this information.
- The right to have any of the personal data which we hold about you rectified if any of it is inaccurate or incomplete. Please contact us using the details in section 2 of this privacy notice to find out more.
- The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have if there is no valid legal basis for processing to continue. Please contact us using the details in section 2 of this privacy notice to find out more.
- The right to restrict the processing of your personal data. You have this right if any of the following apply: (i) the accuracy of the personal data is contested (this applies until such time as we have verified its accuracy); (ii) the processing is unlawful and you would rather restrict processing than have your personal data erased; (iii) we no longer need to process your personal data but you require us to retain it for the establishment, exercise or defence of a legal claim; or (iv) we are processing your personal data on the basis of legitimate interests, you have objected to processing and a decision on whether our or others’ legitimate interests override your interests is pending..
- The right to object to us using your personal data if our processing is carried out on the basis of legitimate interests. Please note, however, that should we determine that our or others’ interests are so compelling as to override your objection we may continue to process your personal data. You also may object to receiving direct marketing at any time.
- The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data in a structured, commonly used and machine-readable format to re-use with another service or business in many cases. This right extends to you being able to request that such data is sent to a third-party controller.
- Rights relating to automated decision-making and profiling. We do not use your personal data in this way.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in section 2 of this privacy notice.
Further information about your rights can also be obtained from the ICO or your local Citizens Advice Bureau.
If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with a supervisory authority – in the UK, this is the ICO (https://ico.org.uk/).
5. What Personal Data Do You Collect and How?
We may collect your personal data directly from you, including when you use our website, when you create and use an account with us and when you contact us.
We may also collect your personal data from third parties, for example, our business customers who might provide us with your contact details so that we can email you and ask you to create an account with us and/or information about any products or services you are receiving from them. We may also collect your personal data from other third parties, such as those listed in section 8 of this privacy notice.
We may collect some or all of the personal data set out below:
- Contact details, for example, name, address, telephone number, job title, profession
- Information relating to your mortgage product, for example, full property address, mortgage property value, mortgage product description, product start date, product expiry date, term, initial interest rate, loan amount, mortgage type (residential, buy-to-let, etc.), mortgage payment type (interest-only, repayment only, etc.), mortgage loan purpose (purchase, remortgage, further advance, etc.), mortgage lender, advisor name, and/ or advisor email.
- Information relating to your interaction with our business customers, for example, calls or appointments held.
- Information relating to your account, for example, username, password, authentication codes, and links to reset your password.
- Any other information you provide to Eligible, for example, personal data included in any correspondence you have with Eligible.
- Eligible does not normally collect any special category personal data. In the event that special category personal data is provided to Eligible, this will have been provided by you.
If you have an account with Eligible, you should regularly check your details in your account to ensure that any personal data provided remains up to date.
6. How Do You Use My Personal Data?
We set out below the purposes for which Eligible processes your personal data and the lawful bases for processing your personal data:
|To invite you to create an account with us, set-up, administer and manage your account with us.||[Our legitimate interests in fulfilling our contract with the organisation that has engaged our services and asked us to invite you to create an account with us] [Necessary for the performance of a contract]|
|To respond to any communications from you regarding the functionality of our platform, for example, IT support queries||Legitimate interests in running our business and assisting you|
|To record and analyse communications for our internal training purposes||Legitimate interests of improving our service|
|To send you service updates about our website and services||[Our legitimate interests in fulfilling our contract with the organisation that has engaged our services and asked us to invite you to create an account with us] [Necessary for the performance of a contract]|
|To monitor and analyse the use and performance of our website and services by you and other users, to investigate complaints and to seek and analyse feedback, to improve and develop our website and services||Legitimate interests of ensuring our services and website are as useful as possible|
|To administer and protect our business and the website including troubleshooting, data analysis and system testing||Legitimate interests of running our business, provision of administration and IT services, including network security|
|To send you updates, for example, for new products, services or features||Legitimate interests of growing our business|
|To send you marketing communications via email||Consent|
|To share with third party service providers we appoint from time to time||Our legitimate interests, to produce service efficiencies and to get the benefit of specialist products or services|
|To run our everyday operations, for example, communications between personnel||Legitimate interests in running our business|
|To administer a sale or possible sale of the whole of or part of our business or the restructuring of our business||Legitimate interests of facilitating any such possible or actual transaction or restructuring|
Other reasons we may process your personal data for include:
- To comply with any legal obligation, we are under.
- For additional purposes in the future, but only if such purposes are compatible with those listed above and if we believe that the same lawful basis applies.
In certain circumstances, failure to provide us with personal data about your or another person may prevent us from performing any legal obligations to you or another person. For example, if you make a data subject access request, we may need to verify who you are before providing personal data to you; if you do not provide the information we reasonably need to verify your identity, we may not be able to comply with the subject access request.
7. How Long Will You Keep My Personal Data?
We will not keep your personal data for any longer than is necessary to process the personal data for the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):
- If you make an enquiry but do not engage our services, we will keep your personal data for 3 months from the date of last communication.
- If you engage our services, we will keep your personal data for 7 years from the date of last communication.
- If you unsubscribe from our marketing communications, we will maintain a record of your unsubscribe request and associate it with your email address to ensure you do not receive future communications.
8. Do You Share My Personal Data?
We set out below the circumstances in which your personal data might be shared with third parties:
- Business customers and their users: Your personal data will be shared with the organisation that has asked us to create a profile for you i.e. the organisation with which you have a mortgage product. Your personal data will be shared with users of the account of that organisation.
- Service providers: We share the personal data collected by Eligible with service providers we use to help us operate our business, including organisations that provide us with technology related services, such as AWS and Heroku. We may also need to share your personal data with contractors we engage.
- HMRC and law enforcement agencies: We may also disclose your personal data to HMRC and/or law enforcement agencies in order to assist with any investigations, when we bring a claim or defend ourselves against a claim that requires the disclosure of the personal data, and when we engage professional advisors.
- Sale/restructuring: We may also transfer your personal data to third parties in the context of a sale or possible sale of the whole of or part of our business or the restructuring of our business.
- Other data sharing: There are other circumstances in which we may need to share your data with third parties. For example, in connection with legal proceedings or if we need to protect or defend our legal rights. We will always only share your data in other circumstances where it is lawful to do so.
9. International transfers
When your data is transferred internationally, we are required to ensure you are afforded equivalent protection in respect of your personal data to that provided in the UK.
Generally, we will put in place appropriate safeguards when making international transfers, for example, by using specific contractual clauses which have been approved by the European Commission and/or the UK Government together with supplementary measures if we deem it necessary in the circumstances, for example, further contractual commitments or enhanced security.
We are following the developments in this area of law and will be putting in place any necessary new, different and/or additional measures for any such transfers.
10. How Can I Access My Personal Data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in section 2 of this privacy notice. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will aim to respond to your subject access request within one month of receiving it or as otherwise provided for in data protection legislation. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
11. How Do I Contact You?
To contact us regarding your personal data and data protection, including to make a subject access request, please use the contact details in section 2 of this privacy notice.
12. Changes to this Privacy Notice
We may change this privacy notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
Any changes will be made available in the latest version of this document, which is always available from our website.