2. Controllers contact details
3. Where we get your information from
4. The information we collect about you
5. Why and what we use your information for
6. Your data protection rights
7. Decision without human intervention, significance, consequences and your rights
8. Credit reference and fraud prevention agencies
9. Who your personal information may be shared with
10. Transfers outside EEA and safeguards
11. How long is your personal information stored for
12. Security of your data
13. Your use of our website
14. Changes to this Privacy Notice
1. OverviewWe appreciate the importance of using your personal information responsibly and pledge to handle it fairly and legally at all times. We are dedicated to being transparent about the information we collect and use about you. This Privacy Notice, which applies whether you visit our stores, use your mobile device or go online, explains how we collect your details, why we are able to collect them, what we use them for, how long we store them, whether anyone else receives personal information about you, whether we do automated decision-making or profiling and your legal rights in relation to your personal data.
2. Controllers contact detailsBrightHouse is the controller for the personal information we process, unless otherwise stated. BrightHouse is the trading name of Caversham Finance Limited and Caversham Trading Limited, so when you see the terms “we”, “us” or “our” in this notice, this is who we are referring to.
If you would like the privacy information to be provided orally or you would like more information about how BrightHouse uses your personal information, wish to complain or would like to change your mind about receiving marketing information, there are many ways you can contact us, including by phone, email and post:
5 Hercules Way
0800 526 069
9am and 5pm Monday, Tuesday, Thursday, Friday
9am to 4pm on Wednesday
9am to 3pm on Saturday
Or write to our Data Protection Officer at the above address or email DPO@brighthouse.co.uk.
3. Where we get your information fromWe collect your personal information from a number of sources, including:
• Directly from you when you express an interest in our products and services, enter into a contract with us or one of our competitions
• Credit reference and fraud prevention agencies
• Public sources of information, such as the voters roll or social network sites if, for example, we lose touch with you
• Other retail organisations
• Affiliate websites and market researchers who have your consent to pass your details to us.
4. The information we collect about youWe collect and process various categories of personal information at the start of, and for the duration of, your relationship with us, such as:
• Personal Information: name, address, date of birth, family members (where applicable)
• Lifestyle and social information: any vulnerabilities, debt situation
• Financial information: bank account details, bank statements, debt information, payroll data
• Health information: medical data, physical and mental health details
• Employment information: employer and salary information
• Credit reference and fraud data
• Goods and services provided
• Call monitoring and device identifiers, including IP addresses
The list above is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this Notice.
5. Why and what we use your information forWe, our suppliers and service providers may use your personal information for the following reasons. Please refer to the ‘Your Data Protection Rights’ section of this document in order to understand your rights in relation to all the reasons detailed below:
Contractual Necessity - To enter into a contract with you for the provision of our products or services or to perform our obligations under that contract. This may include processing to:
• assess and process credit applications;
• provide and administer the products and services you choose throughout your relationship including, opening, setting up or closing your accounts or products; arranging delivery, collecting and issuing all necessary documentation; accepting payments; executing your instructions; processing insurance claims and insurance administration; resolving any queries or discrepancies and administering any changes;
• administer any credit facilities or debts, including agreeing repayment options; and
• communicate with you about the products and services you receive from us.
Note: If you do not agree to provide us with the requested information, it may not be possible for us to provide products and services to you.
Legal Obligation - To comply with our legal or regulatory obligations. This may include processing to:
• confirm your identity;
• assess affordability and suitability of credit for initial credit applications and throughout the duration of the relationship, including analysing customer credit data for regulatory reporting. This would involve performing credit checks;
• investigate and resolve complaints;
• comply with laws relating to money laundering and fraud, terrorist financing, bribery and corruption, consumer credit and other applicable laws. This may require us to process information about criminal convictions and offences, to investigate and gather intelligence on suspected financial crimes, fraud and threats and to share data with police, law enforcement, regulatory bodies, tax authorities or other government and fraud prevention agencies;
• where we have a legal obligation, including reporting suspicious activity and complying with production and court orders;
• assess vulnerabilities we identify or you bring to our attention;
• deliver mandatory communications;
• manage contentious regulatory matters, investigations and litigation;
• perform monitoring and reporting activities for compliance; your calls may be recorded for these purposes;
• perform injury assessments, investigate and report on incidents or emergencies on our premises if required.
Legitimate interest - To pursue our legitimate interests without prejudicing your interests or fundamental rights and freedoms. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business and develop and improve as an organisation, to ensure that we provide you with the most appropriate products and services and to protect us from unlawful activities. This may include processing to:
• offer products, services or promotions;
• perform risk assessments to enter into a contract with you, this may include performing credit and fraud checks;
• sell your debt to a debt collection agency if you default or go in arrears as set out in the Hire-Purchase agreement;
• develop, manage and maintain our relationships with you, for ongoing customer service and conduct customer surveys and market research;
• assess the quality of our customer services and to provide staff training. Calls may be recorded and monitored for these purposes;
• create profiles and marketing opportunities (including using information about what you buy from us and when and how you pay for it); and
• manage and monitor our properties (for example through CCTV) for the purpose of detection, investigation and prevention of crime.
For details of our legitimate interest, please contact us using the details provided in section 2 of this document.
Consent - When we have your consent for processing personal data. This may include marketing communications where consent has been obtained or where we are legally required to obtain consent in order to offer other products, services or promotions by mail, email, phone or text message. To help us make these offers we may use an automated scoring system.
You have the right to withdraw consent at any time. You may do this in person or by email, phone or post using the details set out in section 2 of this document. Withdrawing your consent will not affect the lawfulness of any processing which has already happened based on that consent.
The above list is not exhaustive, there may be other circumstances where personal data is used. However, we will adhere to the data protection regulations at all times.
6. Your data protection rights
Under data protection law, you have rights that we need to make you aware of. The rights available to you depend on our reason for processing your information. You are not required to pay any charge for exercising your rights unless your request is clearly unfounded or excessive.
We have one month to respond to you. If your request is complex or you make more than one, the response time may be a maximum of three calendar months, starting from the day after receipt.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.
Your data protection rights are highlighted below. To submit a request please contact us using the details set out in section 2 of this document.
|Your Right of Access||You can ask us to verify whether we are processing personal data about you, and if so, you are entitled to have a copy of the information we hold on you or ask us to provide more specific information.|
|Your Right to Correction / Rectification||You can ask us to have any inaccurate information corrected if you believe the information we hold contains incorrect or incomplete information about you.|
|Your right to erasure/to be forgotten||You can ask us to erase your personal information in certain circumstances.|
|Your right to restriction of processing||You can ask us to restrict the processing of your information in certain circumstances.|
|Your right to object to processing||You can object to processing if we are able to process your information because the basis for such processing is in our legitimate interest.|
|Your right to data portability||This only applies to information you have given us. You can ask that we transfer the information you gave us from one organisation to another, or give it to you.|
|Your right against automated decision making||You can ask for a manual review if you believe the results to be inaccurate by contacting us.|
|Your right to object to direct marketing and profiling||You can object to our use of your personal data for direct marketing purposes, including profiling.|
|Your right to withdraw consent (Opt Out)||You can withdraw consent for the any processing that we do based on your consent in relation to your personal data. Withdrawing your consent will not affect the lawfulness of any processing which has already happened based on that consent.|
|Your right to lodge a complaint to the supervisory authority||
You can complain to the Information Commissioner’s Office (ICO) by contacting them at:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
7. Decision without human intervention, significance, consequences and your rights
In some instances, such as when you apply for a rent-to-own product, we may make decisions about you based on processing your information by automated means (without human intervention). This can include information from your application, credit reference agencies and your relationship with our company. We report regularly to credit reference agencies and failing to keep up-to-date with your payments may affect your credit rating.
When we conduct fraud checks we may automatically decide you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identify. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide services and financing you have requested, or we may stop providing existing services to you.
You have rights in relation to automated decision making and can ask for a manual review if you believe the results to be inaccurate by contacting us using the details set out in section 2 of this document
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing and employment to you.
8. Credit reference and fraud prevention agenciesIt is important that you provide us with accurate information. In order to process your application, we will perform credit and identity checks on you with one or more Credit Reference Agencies (“CRAs”).
To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
• Assess your creditworthiness and whether you can afford to take the product;
• Verify the accuracy of the data you have provided to us;
• Prevent criminal activity, fraud and money laundering;
• Manage your account(s);
• Trace and recover debts; and
• Ensure any offers provided to you are appropriate to your circumstances.
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate, your records will be together, so you should make sure you discuss your application with them, and share with them this information, before lodging your application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail on any of these links:
TransUnion (formally Callcredit) - www.transunion.co.uk/crain
Equifax - www.equifax.co.uk/crain
Experian - www.experian.co.uk/crain
Before we provide services, goods or financing to you, we also undertake checks for the purposes of preventing fraud and money laundering, and to verify your identify. These checks require us to process personal information about you.
The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.
We and fraud prevention agencies also enable law enforcement and HM Revenue and Customs agencies to access and use your personal data to detect, investigate and prevent crime.
Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for approximately six years.
If you would like to know more about credit reference agencies visit: www.ico.org.uk/for_the_public/topic_specific_guides/credit.
If you want to see what information fraud-prevention agencies hold about you, you can contact the following agencies currently working in the UK. You should be aware that the information they hold may not be the same, so it may be worth contacting them both.
CIFAS, 6th Floor, Lynton House, 7-12 Tavistock Square, London, WC1H 9LT,
National Hunter, PO Box 2756, Stoke on Trent, ST6 9AQ
10. Transfers outside EEA and safeguardsWe may transfer your information to organisations in other countries based outside the European Economic Area (EEA) and other UK organisations provided that they protect it in accordance with applicable laws. We only share your information where:
• The European Commission has decided that the country or the organisation we are sharing your information with will protect your information adequately
• Companies that are covered by the Privacy Shield, a mechanism to comply with the data protection requirements.
• The transfer has been authorised by the relevant data protection authority
• We have entered into a contract with the organisation with which we are sharing your information (on terms approved by the European Commission) to ensure your information is adequately protected. If you wish to obtain a copy of the relevant data protection clauses, contact us using the details set out in section 2 of this document
11. How long your personal information will be stored forRetention periods for records are determined based on the type of record, the nature of the activity, product or service, applicable legal or regulatory requirements. We normally keep customer account records for up to seven years after our relationship with the customer ends. Other records are usually retained for shorter periods, for example approximately 30 days for CCTV records. We will dispose of personal data in a secure manner when we no longer need it. Any data that we hold is held securely and in accordance with regulatory requirements.
Retention periods may be changed from time to time based on business or legal and regulatory requirements. We may, by exception, retain information for longer, particularly where we need to withhold destruction or disposal based on an order from the courts or an investigation by law enforcement agencies or our regulators.
12. Security of your dataWe have strict security measures to protect personal information (for example, checking your identity when we speak with you). This includes the following:
• Encryption of data;
• Regular cyber security assessments of all service providers who may handle your personal data;
• Regular scenario planning and crisis management exercises to ensure we are ready to respond to cyber security attacks and data security incidents;
• Daily penetration testing of systems;
• Security controls which protect the entire IT infrastructure from external attack and unauthorised access; and
• Internal policies setting out our data security approach and training for employees.
We aim to ensure that access to your personal data is limited only to those who need to access it. Those individuals who have access to the data are required to maintain the confidentiality of such information.
If you communicate with us using the internet, we may, if you agree, email you occasionally about our other products, services or promotions. Please remember that communications over the Internet, such as emails and messages sent through a website (webmail), are not secure unless they have been encrypted. Your communications may go through a number of countries before they are delivered and we cannot accept responsibility for any loss of personal information that is beyond our control.
13. Your use of our websiteCookies - We use 'cookies' to monitor how people use our site. A cookie is a piece of information that is stored on your computer's hard drive and it records how you have used a website. This helps us to understand how our customers use our website so we can develop and improve the site. Click on our Cookie Notice https://www.brighthouse.co.uk/cookies-notice/ to find out more.
Links to other websites - Where we provide links to websites of other organisations, this Privacy Notice does not cover how that organisation processes personal information. Whilst we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content, security, or privacy practices employed by other sites. We encourage you to read the Privacy Notices on the other websites you visit.
14. Changes to this Privacy NoticeWe keep our Privacy Notice under regular review to make sure it is up to date and accurate.
This Privacy Notice was last updated in June 2019. Any significant changes to our Privacy Notice will be communicated to the affected individuals using the most suitable channel including e-mails or post.
^ Back to top