Privacy notice

Introduction

This Privacy Notice applies to any visitor to the lendingmetrics.com website (“the Website”) and where Perfect Data Solutions Limited t/a LendingMetrics (“PDS”) acts a controller of personal data in connection with a product or service PDS provides to support its business clients. If you are a retail customer of a PDS business client, their data governance and privacy practices also apply. For more information on their practices, please refer to their applicable terms and conditions and privacy notice.

This Privacy Notice explains the purposes and legal bases upon which PDS (company number 07407815) collects, processes, stores and shares data that can identify you in relation to the Website and as part of us carrying out the regulated activity of providing credit references (“Credit Referencing Processing”). We reserve the right to publish different versions of this Privacy Notice to suit different products, services or websites. Our privacy notices include:

·         oohMoolah Privacy Notice, which explains how and why we use personal data when we provide our open banking services.

·         Candidate Privacy Notice, which explains how and why personal data is used during the application process for a position at PDS.

·         Employee Privacy Notice, which explains how and why personal data is used throughout the duration of employment.

PDS has its registered office at 1650 Parkway, Whiteley, Fareham, Hampshire PO15 7AH. We are registered with the Information Commissioner (ICO) (No. Z2756934) and the Financial Conduct Authority (“FCA”). The regulated activities that we have FCA permission to provide are Consumer Credit – Providing Credit References (FRN 730062) and Payment Services – Account Information Services (FRN 802559).

The Website is owned and operated by PDS. Together with the Website Terms and Conditions (“the Terms”), this Privacy Notice forms our agreement with you.  

We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact the DPO by sending an email to DPO@lendingmetrics.com or via the contact information below.

What is personal data?

Personal data, or personal information, means any information that we could use to identify you, directly or indirectly, and any information that relates to you. Data protection law only applies to personal information.

What types of personal data do we collect?

We use and hold many different categories of personal data.

General Website Visitor

For general website visitors who interact with us, we may collect the following types of personal data:

Category

Description

Contact

Your name, email address and any other personal data you supply to us through forms you complete (such as any feedback or messages via ‘Leave a message’ or Contact us page).

Technical

Any personal data we collect as part of your cookies setting. These include IP address/location, browser type and version, page views and searches.

Credit Referencing Processing

For information on the types of personal data we collect associated with our products and services, please see our Supplemental Privacy Statement below.

How do we collect personal data?

We collect personal data in different ways, such as:

Method

Description

Direct interaction

You voluntarily provide your personal data when you interact with us, such as when you fill in forms or communicate with us. In some cases, if you do not provide us with your personal information, we may not be able to provide you with our services, communicate with you, or respond to your inquiries.

User contributions

We collect your personal data when you or others upload, share, send or input that data through our networks or products or when you or they communicate with us.

Automatically

We automatically collect personal data about you when you interact with us, visit our offices, open emails or view marketing material from us, or communicate with us. We may collect some of this personal data by using cookies and other similar technologies. For information on the cookies we use, please see our Cookies Policy.

Third-party or publicly available sources

We may receive your personal data from third parties, such as our strategic partners, our business clients and other publicly or generally available sources, including online websites.

How we use your personal data?

We will only use your personal data when we have a proper reason to do so. Data protection legislation (including the Data Protection Act 2018 and the UK General Data Protection Regulation 2016) says we must have one or more of the following reasons:

·         Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.

·         Where we need to comply with a legal duty or obligation.

·         When you consent to it.

·         To fulfil a contract that we have with you.

·         When it is in the public interest.

We will not collect or use special categories of personal unless the law allows us to do so. If we do, this data may be obtained directly from you with your consent or when it is necessary to establish, exercise or defend legal claims or for reasons of substantial public interest.

The following is a list of the ways we may use your personal data and which of the reasons we rely on to do so.

General Website Visitor

Category

Purpose of Processing

Lawful Basis Relied Upon

Contact

To record any messages received and provide you with a response.

With your consent (Article 6(1)(a) UK GDPR).

For our legitimate interests, such as developing our products or services or managing our relationship with you (Article 6(1)(f) UK GDPR).

To respond to any subject access requests.

Where we need to comply with a legal obligation (Article 6(1)(c) UK GDPR).

For our legitimate interests, such as improving how we fulfil our legal and contractual duties, or where we may be asked to disclose our rights requests record (Article 6(1)(f) UK GDPR).

Technical

To allow us to run the operation of our websites, domains, portals, and ensure that our provision of the Service runs efficiently.

With your consent obtained through the Terms (Article 6(1)(a) UK GDPR).

For our legitimate interests (always balanced against your fundamental rights and freedoms) (Article 6(1)(f) UK GDPR).

Credit Referencing Processing

For information on how we use your personal data, please see our Supplemental Privacy Statement below.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Sharing of personal data with third parties

We may share your personal data where necessary with the following parties for the purposes set out in this Privacy Notice:

·         With other companies in our corporate group (such as LMX HoldCo Limited and LMX BidCo Limited).

·         Regulators and supervisory authorities.

·         Law enforcement agencies if required by law.

·         Third party vendors who help us manage and maintain our IT infrastructure, such as our cloud storage providers and data centre hosts.

·         Professional advisors including solicitors, accountants and insurers who provide us with professional services.

·         Third party auditors or consultants if required for compliance, risk management or auditing purposes.

·         With others when necessary to fulfil your consents or to follow your instructions.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Credit Referencing Processing

For further information on who we may share your personal data with, please see our Supplemental Privacy Statement below.

Automated decision-making

You will not be subject to decisions of PDS that will have a significant impact on you based solely on automated decision-making.

Where we store your personal data?

PDS is a UK based company and the majority of our processing of personal data takes place in the UK. PDS stores the personal data described in this Privacy Policy inside the UK.  We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and relevant data protection legislation at all times. 

International transfers

PDS does not engage in restricted transfers of personal data; however, from time to time we may transfer your personal data to our other company offices based outside of the UK and European Economic Area (EEA) for the purposes described in this Privacy Notice. If we do this, your personal data will continue to be subject to one or more appropriate safeguards set out in the law.

How do you withdraw your consent?

When PDS uses your personal data based on your consent, you can withdraw your consent at any time. You can do this by sending an email to DPO@lendingmetrics.com or via the contact information below. This will not affect the lawfulness of any processing undertaken prior to the withdrawal of your consent.

How long do we keep your personal data?

Where we hold your personal data and are responsible for it, the data will be stored in accordance with PDS’ data retention practices and data protection legislation.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Contact data, such as names and addresses, is kept for as long as we need to keep it. This need is assessed on a regular basis, and data that is no longer needed for any purpose will be securely disposed of.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Credit Referencing Processing

Other third party supplied data will be stored for a period determined by criteria such as what has been agreed in the contract between PDS and the business client. For more information of retention periods, please see our Supplemental Privacy Statement below.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We deploy a range of technical and organisational measures including physical, electronic and procedural safeguards to protect information we process and store.

PDS has a comprehensive information security management system based on internationally recognised standards of security, issued by the International Organisation for Standardisation (ISO). PDS holds ISO/IEC 27001:2022 certification.

We have put in place procedures to deal with any suspected or actual personal data breach and will notify you and any applicable regulator and/or supervisory authority of a breach where we are legally required to do so. PDS will comply with data protection legislation expectations and timelines (including a 72 hour investigation and reporting window) in order to mitigate the risk to any individuals affected.

Your Legal Rights

Under certain circumstances, you have rights under data protection legislation in relation to your personal data. In summary, these rights include:

·         Be Informed: right to be informed over how we use your use personal data.

·         Access: right to access to your personal data and to certain other supplementary information. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it (known as a data subject access request).

·         Rectification: right to request the correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

·         Erasure: right to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

·         Restrict processing: right to request restriction or suppression of processing your personal data in the following scenarios:

o    If you want us to establish the data's accuracy.

o    Where our use of the personal data is unlawful, but you do not want us to erase it.

o    Where you need us to hold the personal data even if we no longer require it as you need it to establish, exercise or defend legal claims.

o    You have objected to our use of your personal data, but we need to verify whether we have overriding legitimate grounds to use it.

·         Data Portability: the right to move, copy or transfer your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

·         Object: right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms and an absolute right to stop your data being used for direct marketing. In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data which override your rights and freedoms.

·         Automated decision making (including profiling): right to object to decisions being taken by automated means including profiling which produce legal effects concerning you or similarly significantly affect you or to our continued processing of your personal data.

·         Withdraw consent: right to withdraw your consent at any time where we are relying on consent to process your personal data; however, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

If you wish to exercise any of the rights set out above, you can do this by sending an email to DPO@lendingmetrics.com or via the contact information below.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights); however, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

Data Subject Rights Requests

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the personal data (or to exercise any of your other rights). This may include your account or reference number, username, registration details or proof of your identity and address. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Complaints

If you consider that your data has not been processed in accordance with this Privacy Notice or applicable data protection legislation, you have the right to make a complaint to the DPO by sending an email to DPO@lendingmetrics.com or via the contact information below.

Except in cases of exceptional circumstances, we will acknowledge receipt of your complaint within 5 Business Days of receipt of a complaint and will provide you with a substantive response within one month. If a complaint relates to the processing of personal data by PDS acting as a processor, we will communicate the details of the complaint to the controller without undue delay.

You also have the right to complain to the Information Commissioners Office (ICO) if you are concerned about the way we have processed your personal data. Please visit the ICO's website for further details (https://ico.org.uk/make-a-complaint/data-protection-complaints). We would appreciate the chance to deal with your concern before you approach the ICO.

Cookie Statement

We may use cookies and temporary cache entries on the Website.

For more information on the main cookies currently used, their purpose and their duration please see our Cookie Policy.

Third Party Links

This website or the Service may include links to third-party websites. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy practices.

The Service may link you to other websites including websites owned and operated by your ASPSP. Their websites may also gather information about you in accordance with their own separate privacy policies. For information on their data governance and privacy practices, please review their applicable terms of use and privacy notice.

Contact Details

For all enquiries or complaints regarding this Privacy Notice (including to exercise your legal rights), please contact the DPO by sending an email to DPO@lendingmetrics.com. Alternatively, our postal address is 1650 Parkway, Whiteley, Fareham, Hampshire PO15 7AH and our contact number is 02394 211010.

Changes to this Privacy Policy

We reserve the right to add to or change the terms of this Privacy Policy to keep up to date with evolving data protection legislation or to take account of changes to our products and services. You are therefore advised to keep abreast of this Privacy Policy through whatever medium, site or device you access it.

Supplemental Privacy Statement – Credit Referencing Processing

This Supplemental Privacy Statement supplements our Privacy Notice and further explains the required disclosures about the type of data we collect, the legal basis for processing, the additional parties we may share your data with and the retention periods.

How do we collect personal data?

In carrying out the regulated activity of providing credit references, we offer LMX and DeeJoop to UK based businesses, primarily in the credit industry.  We receive personal data that is part of, derived from or otherwise used in credit activity, such as an application for secure or unsecured credit/lending. To enable us to offer these products, we collect and process different types of personal data. As we typically do not have a direct relationship with you, we obtain this information from:

·         Our business clients, who are predominately banks, building societies and credit providers (for example, where a credit provider sends us information about you so that we can conduct a credit check or de-duplicate credit records).

·         Credit reference agencies (“CRA”) (primarily Equifax Limited and Experian Limited when we conduct the credit report search).

The information that we retrieve from the CRA is returned, in real-time, to your relevant credit provider, who will use it alongside any other relevant underwriting information to assist in making a decision on your credit application. If your application is accepted, PDS may then receive information on an ongoing basis from the credit provider about how you are managing your repayments. We will then securely share this information with the CRA to ensure compliance with the Principles of Reciprocity. PDS typically acts as a processor in relation to this information. You can find the guidelines governing the sharing of personal credit performance and related data via the Steering Committee on Reciprocity (SCOR) website (https://www.scoronline.co.uk/principles/).

What types of personal data do we collect?

We may collect the following personal data when performing credit report search services (on behalf of our business clients via LMX) or de-duplicating a credit file (via DeeJoop):

Categories

Description

Contact

Your full name, residential address (current and previous), email address, phone number(s)

Identifiers

Your date of birth, age, alias, associates, marital status, dependants, employment status, employer details, employment history, credit application details, date registered at current address, length of time at address

Financial and repayment data

Pay frequency, bank account number and sort code, account status details (balance, payment amount, previous statement balance, cash advances), account number, loan/credit status, closed/settled accounts, payment history, instances of default, type of accounts, number of active accounts, number of default accounts, age of oldest account, total credit limits, total balance of all accounts, total credit limits, number of county court judgments (CCJ), CCJ balance

Searches  

Credit search, ID checks, bank account verification, CIFAS, sanctions, politically exposed persons, current account turnover data (CATO)

All the CRAs rely on similar types of data to provide their credit report/search services. Details of the types, description and source of information common to all three main CRAs can be found in the Credit Reference Agency Information Notice (CRAIN).

How we use your personal data?

We will only use your personal data when we have a lawful basis for doing so. As stated in the Privacy Notice above, there are a number of lawful bases available. In carrying out the regulated activity of providing credit references, the majority of our data processing activity is on the basis that the processing is necessary to:

·         Pursue our legitimate interests and those of third parties (such as our business clients), and those interests do not unduly prejudice your interests, rights and freedoms.

·         Comply with a legal obligation binding on us.

Legitimate interests

Data protection legislation allows us to process personal data if it is necessary to pursue a legitimate interest of ours or a third party, provided that those interests do not unduly prejudice your interests or fundamental rights or freedoms. This is referred to as the “legitimate interests” basis for processing personal data (Article 6(1)(f) UK GDPR).

Where we process your personal data in connection with the regulated activity of providing credit references, we rely on our legitimate interests, which include:

·         Facilitating responsible lending by our business clients by providing products (such as DeeJoop and LMX) that allow them to assess the creditworthiness of individuals more effectively, make better informed credit decisions and distil multiple credit searches.

·         Supporting our business clients with their legal and regulatory compliance (such as complying with anti-money laundering obligations, verifying data (such as your identity, address, bank account), performing affordability checks, adherence with the FCA Consumer Duty and/or other obligations set by the FCA or the Prudential Regulation Authority).

·         Compliance with our regulatory obligations (such as adherence with the FCA Consumer Duty).

·         Assisting our business clients with reporting personal credit performance and related data (such as information related to your payment/repayment history).

·         Commercial interests (such as generating sales revenue from our products and services or product development; we may create anonymous data for product development purposes).

Legal obligation

Data protection legislation allows us to process personal data if it is necessary for compliance with law (Article 6(1)(c) UK GDPR). We may rely on this legal basis in the following circumstances:

·         Where we are required to investigate, record and respond to a data subject’s rights request.

·         Where we are required to hold or share your personal data in compliance with FCA regulations.

·         Where a crime is suspected (including fraud or money laundering) and we are required to make appropriate notifications or assist with investigations.

·         Where we are required to comply with the instructions of a regulator, court or law enforcement agency.

·         To maintain records required by law or to evidence our compliance with laws.

Consent

In carrying out the regulated activity of providing credit references we typically do not rely on consent to process your personal data; however, if in isolated circumstances we do require your consent, we will explain to you why we need your consent and capture your express consent via a relevant consent form or similar document.

In circumstances where PDS business clients rely on consent to process your personal data, as a separate and independent controller, they are responsible for obtaining and managing that consent. PDS contractually requires its business clients to ensure that any data shared with us has been collected lawfully and with appropriate consent, where required.

How do you withdraw your consent?

Where processing of your personal data is based on your consent, you can withdraw your consent at any time by sending an email to DPO@lendingmetrics.com or via the contact information above. This will not affect the lawfulness of any processing undertaken prior to the withdrawal of your consent.

If you withdraw your consent prior to PDS performing credit referencing services on behalf of your credit provider/our business client, this may affect your credit provider’s ability to evaluate and process your application for credit, resulting in a refusal. There would be no direct impact on your credit score from withdrawing consent. We will advise you if this is the case at the time you withdraw your consent.

To withdraw your consent for your credit provider to process your personal data, you must contact them directly.

Sharing of personal data with third parties

In carrying out the regulated activity of providing credit references we may share your personal data where necessary with the following parties for the purposes set out in this Privacy Notice:

·         PDS business clients who have a direct relationship with you.

·         Credit reference agencies (primarily Equifax Limited and Experian Limited).

Where we share your personal data with these recipients, they are a separate an independent controller of your data. For more information on their practices, please refer to their applicable terms and conditions and privacy notice.

How long do we keep your personal data?

Where we hold your personal data and are responsible for it, the data will be stored in accordance with PDS’ data retention practices and data protection legislation. We will generally retain personal data for the following periods:

Categories

Retention Period  

Contact  

3 months from the date we receive the data from the CRA.

Identifiers

3 months from the date we receive the data from the CRA.

Financial and repayment data

3 months from the date we receive the data from the CRA.

Searches (LMX)

3 months from the date we receive the data from the CRA.

Searches (DeeJoop)

10 business days from the date we receive the searches from the credit provider.

After these periods, we will securely destroy the personal data. We may keep your personal data for longer than 3 months or 10 business days (as applicable) if we agree a longer retention period with our business client or we cannot delete it for legal or regulatory reasons. If we do, we will make sure that your privacy is protected and only use it for those purposes. We do not retain personal data in an identifiable format for longer than is necessary.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Please note, your credit provider, as a separate and independent data controller, will have their own data retention practices.

Statutory Credit Report

You have the right to request your Statutory Credit Report. This is a written report which shows you the information a CRA holds about your credit history. Your credit history is information that lenders may use when you apply for credit with them.

As PDS is a distributer of CRA data and not primarily responsible for gathering, maintaining and providing credit data, if you would like a copy if your Statutory Credit Report, please contact the CRA directly. You can contact the three main CRAs in the UK (Equifax, Experian and TransUnion) via their website:

·         Equifax: https://www.equifax.co.uk/Products/credit/statutory-report

·         Experian: https://www.experian.co.uk/consumer/statutory-report.html

·         TransUnion: https://www.transunionstatreport.co.uk/CreditReport/AboutYou

Version

This version of the Privacy Policy was last updated on 13 February 2025.