1. Overview
2. Controllers Contact Details
3. Where we get your information from
4. What personal information do we collect?
5. Why and what we use your information for
6. Your Data Protection rights
7. Decision without human intervention, significance, consequences and your rights
8. Credit Reference and Fraud Prevention Agencies
9. Sharing your information
10. Transfers outside UK and Safeguards
11. How long do we retain your information or criteria for retention period
12. Security of your data
13. Your use of our websites
14. Changes to this Privacy Notice 

1. Overview

We appreciate the importance of using your personal information responsibly and pledge to handle it fairly and legally at all times. We are dedicated to being transparent about the information we collect and use about you. This policy, which applies whether you use your mobile device or go online, explains how we collect your details, why we are able to collect them, what we use them for, how long we store them, whether anyone else receives personal information about you, whether we do automated decision-making or profiling and your legal rights in relation to your personal data.

2. Controllers Contact Details

BrightHouse is the controller for the personal information we process, unless otherwise stated. BrightHouse is the trading name of Caversham Finance Limited (In Administration) and Caversham Trading Limited (In Administration) so when you see the terms “we”, “us” or “our” in this notice, this is who we are referring to. 

Note: For the purpose of this document, “BrightHouse” refers to all entities of the BrightHouse Group, including Caversham Finance Limited (“CFL”) and Caversham Trading Limited (“CTL”).

The affairs, business and property of CFL and CTL are being managed by Chris Laverty, Trevor O’Sullivan and Helen Dale, appointed as Joint Administrators on 30 March 2020. The Joint Administrators act as agents of CFL and without personal liability. Chris Laverty, Trevor O’Sullivan and Helen Dale are authorised by the IPA to act as insolvency practitioners.

If you would like the privacy information to be provided to you orally, would like more information about how BrightHouse uses your personal information, wish to complain or would like to change your mind about receiving marketing information, there are many ways you can contact us, including by phone, email and post:

PO BOX 18214,
B42 9NX

0800 526 069 
9am - 5pm Monday to Friday


Or write to our Data Protection Officer at the above address or email

3. Where we get your information from

We collect personal information about you from a number of sources, including:

Directly from you when you express an interest in our products and services, enter into a contract with us or enter one of our competitions
Credit Reference and Fraud Prevention Agencies
Public sources of information, such as the voters roll if, for example, we lose touch with you
Affiliate websites and market researchers who have your consent to pass your details to us.


4. What personal information do we collect?

We collect and process various categories of personal information at the start of and for the duration of your relationship with us, such as:

Personal Information: name, address, date of birth, family members (where applicable)
Lifestyle and social information: any vulnerabilities, debt situation
Financial information: bank account details, bank statements, debt information, payroll data
Health information: medical data, physical and mental health details
Employment information: employer and salary information
Credit reference and fraud data
Goods and services provided
Call monitoring and device identifiers, including IP addresses

The list above is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this Policy.

5. Why and what we use your information for

We, our suppliers and service providers may use your personal information for the following reasons. Please refer to the ‘Your Data Protection Rights’ section of this document in order to understand your rights in relation to all the reasons detailed below:

Note: since BrightHouse went into administration, we no longer provide or sell new credit; therefore, not all data processing activities detailed below are now undertaken. However, we would have historically conducted these activities with your data (for example, when you applied for credit with us) and they have been documented below for your reference.

5.1 Contractual Necessity

To enter into a contract with you for the provision of our products or services or to perform our obligations under that contract. This may include processing to:

Assess and process credit applications;
Provide and administer the products and services you choose throughout your relationship, including opening, setting up or closing your accounts or products; arranging delivery, collecting and issuing all necessary documentation; accepting payments; executing your instructions; repairs, processing insurance claims and insurance administration; resolving any queries or discrepancies and administering any changes;
Administer any credit facilities or debts, including agreeing repayment options; and
Communicate with you about the products and services you receive from us.

Please note that if you do not agree to provide us with the requested information, it may not be possible for us to provide products and services to you.

5.2 Legal Obligation

To comply with our legal or regulatory obligations. This may include processing to:

Confirm your identity;
Assess affordability and suitability of credit for initial credit applications and throughout the duration of the relationship, including analysing customer credit data for regulatory reporting. This would involve performing credit checks;
Investigate and resolve complaints;
Comply with laws relating to money laundering and fraud, terrorist financing, bribery and corruption, consumer credit and other applicable laws. This may require us to process information about criminal convictions and offences, to investigate and gather intelligence on suspected financial crimes, fraud and threats and to share data with police, law enforcement, regulatory bodies, tax authorities or other government and fraud prevention agencies;
Where we have a legal obligation, including reporting suspicious activity and complying with production and court orders;
Assess vulnerabilities we identify or you bring to our attention;
Deliver mandatory communications;
Manage contentious regulatory matters, investigations and litigation;
Perform monitoring and reporting activities for compliance; your calls may be recorded for these purposes;
Perform injury assessments, investigate and report on incidents or emergencies on our premises if required.

5.3 Legitimate Interest

To pursue our legitimate interests without prejudicing your interests or fundamental rights and freedoms. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business and develop and improve as an organisation, to ensure that we provide you with the most appropriate products and services and to protect us from unlawful activities. This may include processing to:

Help prevent, detect and trace debt;
Perform risk assessments to enter into a contract with you; this may include performing credit and fraud checks;
Sell your debt to a debt collection agency if you default or go into arrears as set out in the Hire-Purchase or Cash Loan agreement;
Develop, manage and maintain our relationships with you, for ongoing customer service and to conduct customer surveys and market research;
Assess the quality of our customer services and to provide staff training. Calls may be recorded and monitored for these purposes;
Create profiles and marketing opportunities (including using information about what you buy from us and when and how you pay for it); and
Manage and monitor our properties (for example through CCTV) for the purpose of detection, investigation and prevention of crime.

For details of our legitimate interest, please contact us.

5.4 Consent

When we have your consent for processing personal data. This may include marketing communications to offer other products, services or promotions by mail, email, phone or text message. To help us make these offers we may use an automated scoring system.

You have the right to withdraw consent at any time. You may do this in person or by email, phone or post using the details set out in section 2 of this document. Withdrawing your consent will not affect the lawfulness of any processing which has already happened based on that consent.

The above list is not exhaustive; there may be other circumstances where personal data is used. However, we will adhere to the data protection regulations at all times.

6. Your Data Protection Rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. You are not required to pay any charge for exercising your rights unless your request is clearly unfounded or excessive.

We have one month to respond to you. If your request is complex or you make more than one, the response time may be a maximum of three calendar months, starting from the day after receipt.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.

Your data protection rights are highlighted below. You can submit a request in person or by email, post or phone using the details provided in section 2.

Rights - Description
Your Right of Access - You can ask us to verify whether we are processing personal data about you, and if so, you are entitled to have a copy of the information we hold on you or ask us to provide more specific information.
Your Right to Correction / Rectification - You can ask us to have any inaccurate information corrected if you believe the information we hold contains incorrect or incomplete information about you.
Your right to erasure/to be forgotten - You can ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You can ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing - You can object to processing if we are able to process your information because the basis for such processing is in our legitimate interest.
Your right to data portability - This only applies to information you have given us. You can ask that we transfer the information you gave us from one organisation to another, or give it to you.
Your right against automated decision making - By contacting us you can ask for a manual review if you believe the results to be inaccurate.
Your right to object to direct marketing and profiling - You can object to our use of your personal data for direct marketing purposes, including profiling.
Your right to withdraw consent (Opt Out) - You can withdraw consent for any processing that we do based on your consent in relation to your personal data. If you withdraw your consent, it will not affect the lawfulness of any processing of your personal data we conducted based on your consent prior to you withdrawing that consent.
Your right to lodge a complaint to the supervisory authority - You can complain to the Information Commissioner’s Office (ICO) by contacting them at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113

7. Decision without human intervention, significance, consequences and your rights

In some instances, such as when you would have applied for a rent-to-own product or cash loan, we may have made decisions about you based on processing your information by automated means (without human intervention). This can include information from your application, credit reference agencies and your relationship with our company. We report regularly to credit reference agencies and failing to keep up-to-date with your payments may affect your credit rating.

When we conduct fraud checks we may automatically decide you pose a fraud or money laundering risk, or we may do so if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide services and financing you have requested, or we may stop providing existing services to you.

You have rights in relation to automated decision making, and by contacting us using the details set out in section 2 you can ask for a manual review if you believe the results to be inaccurate.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing and employment to you.

8. Credit reference and fraud prevention agencies

It is important that you provide us with accurate information.

In order to process your application, we would have performed credit and identity checks on you with one or more Credit Reference Agencies (“CRAs”). 

To do this, we would have supplied your personal information to CRAs and they would have given us information about you. This would have included information from your credit application and about your financial situation and financial history. CRAs supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

Assess your creditworthiness and whether you can afford to take the product;
Verify the accuracy of the data you have provided to us;
Prevent criminal activity, fraud and money laundering;
Manage your account(s);
Trace and recover debts; and
Ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

If you are making a joint application, or tell us that you have a spouse or financial associate, your records will be together, so you should make sure you discuss your application with them, and share with them this information, before lodging your application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail on any of these three links:

Callcredit (formerly Callcredit) -
Equifax -
Experian -

Before we would have provided services, goods or financing to you, we also undertook checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal information about you.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

We and fraud prevention agencies also enable law enforcement and HM Revenue and Customs agencies to access and use your personal data to detect, investigate and prevent crime.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for approximately six years.

If you would like to know more about credit reference agencies visit:

If you want to see what information fraud-prevention agencies hold about you, you can contact the following agencies currently working in the UK. You should be aware that the information they hold may not be the same, so it may be worth contacting them both.

CIFAS, 6th Floor, Lynton House, 7-12 Tavistock Square, London, WC1H 9LT,

National Hunter, PO Box 2756, Stoke on Trent, ST6 9AQ

9. Sharing your Information

We may allow other people and businesses to use information we hold about you. These are third parties that provide elements of service to us and include:

Other companies under the “BrightHouse” brand such as Caversham Trading Limited and Caversham Insurance (Gibraltar) Limited
Other financial organisations
Credit reference and fraud prevention agencies
Suppliers and service providers
Regulatory bodies, Central or Local Government
Charities or Support Agencies
Security Services

We have data protection compliant contracts in place with our suppliers and service providers. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold it securely, retain it for the period we instruct, and implement the organisational and technological measures required to protect your data.

In some circumstances we are legally obliged to share information, for example under a court order. Under any circumstance, we will only share your information if we have a lawful reason to do so.

If we believe that, in our dealings with you, you need extra care (for example, because of your poor health) we may record this and seek your consent. If we believe at any time that other organisations may be able to help you, we will seek your consent before sharing your information with:

Social Services 
Debt or Welfare Charities
Healthcare Services
Other relevant support organisations  

10. Transfers outside UK and Safeguards

The EU GDPR is an EU Regulation and no longer applies to the UK. The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. We comply with the Data Protection Act 2018 (DPA 2018) and the UK GDPR. We may transfer your information to organisations in other countries and other UK organisations provided that they protect it in accordance with applicable laws. We only share your information where:

We believe that the country or the organisation we are sharing your information with will protect your information adequately
The transfer has been authorised by the relevant data protection authority 
We have entered into a contract with the organisation with which we are sharing your information to ensure your information is adequately protected. If you wish to obtain a copy of the relevant data protection clauses, contact us using the details set out in the Controllers contact details section of this document.

11. How long do we retain your information or criteria for retention period?

Retention periods for records are determined based on the type of record, the nature of the activity, product or service, and applicable legal or regulatory requirements. We normally keep customer account records for up to seven years after our relationship with the customer ends. Other records are usually retained for shorter periods, for example approximately 30 days for CCTV records. We will dispose of personal data in a secure manner when we no longer need it. Any data that we hold is held securely and in accordance with regulatory requirements.

Retention periods may be changed from time to time based on business or legal and regulatory requirements. We may, by exception, retain information for longer, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators.

12. Security of your data

We have strict security measures to protect personal information. This includes following procedures (for example, checking your identity when we speak with you) and the following measures:

Encryption of data;
Regular cyber security assessments of all service providers who may handle your personal data;
Regular scenario planning and crisis management exercises to ensure we are ready to respond to cyber security attacks and data security incidents;
Daily penetration testing of systems;
Security controls which protect the entire IT infrastructure from external attack and unauthorised access; and
Internal policies setting out our data security approach and training for employees.

We aim to ensure that access to your personal data is limited only to those who need to access it. Those individuals who have access to the data are required to maintain the confidentiality of such information.

If you communicate with us using the internet, we may, if you agree, email you occasionally about promotions, our services or to inform you of any changes to our terms. Please remember that communications over the Internet, such as emails and messages sent through a website (webmail), are not secure unless they have been encrypted. Your communications may go through a number of countries before they are delivered and we cannot accept responsibility for any loss of personal information that is beyond our control.

13. Your use of our websites

Cookies - We use 'cookies' to monitor how people use our site. A cookie is a piece of information that is stored on your computer's hard drive and it records how you have used a website. This helps us to understand how our customers use our website so we can develop and improve the site. Click on our Cookie Notice to find out more.

Links to other websites - Where we provide links to websites of other organisations, this Privacy Policy does not cover how that organisation processes personal information. Whilst we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other sites. We encourage you to read the Privacy Policies on the other websites you visit.

14. Changes to this Privacy Notice

We keep our Privacy Policy under regular review to make sure it is up to date and accurate. This Privacy Policy was last updated in December 2021. Any significant changes to our Privacy Policy will be communicated to the affected individuals using the most suitable channel including e-mails or post.
