Real Estate Finance privacy policy

Who we are

Hodge Bank is made up of several different parts, some of which are legally separate from each other. We will let you know which entity you have a relationship with when you take out a product or service with us.

You can find out more about us at https://hodgebank.co.uk/.

This notice applies across our Real Estate Finance offering and the relevant Hodge entity will act as a controller of the personal information that it collects from you.

Contact Details

If you have any questions or queries about this notice, please get in touch with us:

• Email: [email protected]
• Post: One Central Square, Cardiff, CF10 1FS
• Telephone: 02920803079

What data do we collect?

The personal data we may collect from you includes:

• Data about who you are as an individual: Name, date of birth, gender, and identification numbers
• Data that will help us get in contact with you: Address, email, and phone numbers
• Data about your finances and financial history: Bank account details, transaction history and credit information
• Data about your history: marital status, dependents
• Data about how you interact with us digitally: IP address, browser type, and usage data from our website

Further support

We understand that circumstances can change, and you may need extra support. If you have specific needs, please let us know – we’re here to help. We’ll do our best to tailor our services to you and make using our services as straightforward as possible.

Depending on your personal circumstances, we may process what is known as special category data. Most commonly, this type of data relates to your health, but other categories relate to:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data for the purpose of unique identification
• Sex life or sexual orientation

We don’t routinely process this data, but during the course of your relationship with us we may record it. Under most circumstances you will provide this data to us directly and we will normally request your explicit consent before recording anything.

Why do we need your personal data for a company agreement?

1. There are two main reasons why your personal data is needed:
   The first relates to screening checks we conduct when onboarding a new account, and from time to time after this. These will relate to you and any other individuals with significant control or an ownership stake in the business. We will carry out credit and identity checks and we will also share your personal information as needed to help detect fraud and money-laundering risks
2. The second is dependent on the type of company involved; for some corporate entities, such as sole traders, company data may also be classified as personal. This means that when handling your account, more of the data recorded is likely to relate to you as an individual

Lawful bases

Data Protection Law sets out specific requirements for when we are allowed to process your personal data:

• Consent – this is when we ask your permission to process particular personal data. This will always be specific, and you will be asked before this processing begins
• Contract – if you have an agreed product with us, and/or expressed an interest in one of them, we will need to process your personal data for us to provide it
• Legal obligation – under certain circumstances we are required to process your personal data to fulfil legal and regulatory requirements. These can range from, but are not limited to, fraud prevention and anti-money laundering, to rules from the Financial Conduct Authority and the Prudential Regulation Authority
• Legitimate interest – as an organisation we sometimes have a justification for processing your personal data that does not fit into any of the other bases. In these cases, we must balance that interest with your individual interests, fundamental rights, and freedoms. These interests are:
  • To protect our organisation and the general public from financial crime
  • To improve our products and services, this may include, but is not limited to, audit activities and quality assurance, which feed into training and development work
  • To administer our website, and analyse customer journeys and interactions
  • To handle queries and complaints we receive directly from you, or via your appointed representative
  • To consider and handle legal claims, including extraordinary account handling beyond our normal retention period
  • To conduct research activities that help us to better understand our existing and future customers
  • To run our business in an efficient and proper way. This includes managing our financial position, business capability, planning, communications, and corporate governance

Where does your data come from?

We may source your personal data from a few different places. This can be from yourself directly or from your appointed representative, depending on what stage of the journey you are on with us.

Data may also come from third parties, such as the credit reference agencies, fraud prevention agencies, public information sources, and government/law enforcement agencies.

We are obliged to maintain accurate and up-to-date records; therefore, these checks may occur throughout your relationship with Hodge.

If you make a joint application for any of our products, we will need to collect personal information relating to your coapplicant too. In this case you must ensure that you share this document with them and that they know and understand what personal data is being provided about them.

Who do we share your data with?

In some circumstances we may need to share your personal data with other organisations for one or more of the following reasons: management, accounting, audit, compliance, digital services, legal, logistics, and with other corporate colleagues who need access to your data to fulfil their roles within Hodge Group. These organisations are all under contract to provide such services as we request.

When you apply for a product with us, your data may be shared with Credit Reference Agencies and Fraud Prevention Agencies to enable them to perform their respective checks.

In the unlikely unfortunate event that you do not keep up with your agreed payments, this may lead to us engaging with debt-recovery services to trace and reclaim the money owed, including contact with other companies if yours forms part of a wider group or partnership.

We may provide specific personal data when presented with a lawful request from a government/law enforcement agency, where required or permitted by law.

Your personal data may also be shared in the event of an organisational restructure or if the business or relevant assets are to be sold.

We will never sell your personal data, unless through part of a restructuring or asset sale by the company.

In some cases, our services involve sharing your data with suppliers who are either outside the UK or may transfer your personal information outside the UK, such as those hosted in the cloud. There are several ways in which we ensure your personal data remains safe and secure, as we are permitted to do so by law. Most often this will be via an adequacy decision; a country, sector, or scheme means the regulator has specified they have equivalent rules in place. Or via our contract with a supplier, we will require them to meet the same standards of protection as required in the UK.

What rights do you have under data protection law?

You have the right to ask us:

• For a copy of the personal data we hold about you
• To delete your personal data
• To limit how we use your personal data
• To transfer your personal data to another organisation
• To correct incorrect or incomplete personal data
• To withdraw your consent, where that is the lawful basis

Please be aware that this only applies to your personal data. Except as explained in the “Why We Need Your Personal Data For a Company Agreement” these rights do not apply to corporate data.

How long will we keep your personal data?

Our working practice for Real Estate Finance products and services is that we will hold your personal data for as long as you are a Hodge customer, plus twelve additional years. If for any reason you have applied for a product or service with us but do not become a customer, we will hold it for one year after your application is closed.

In both scenarios there may be certain circumstances why account details are required for longer, but these will always be by exception. Examples of this include scenarios where there is an ongoing complaint, legal/regulatory considerations, or for research and statistical analysis purposes.

Do you make automated decisions using my personal data?

Automated decisions are decisions using your personal data undertaken without a person being involved in the process. We do sometimes use systems to support in making automated decisions as this helps us to ensure our decisions are made quickly, fairly, efficiently and correctly, based on what we know. These automated decisions can affect the products, services or features we may offer you now or in the future or the price we charge for them.

Do I have any rights in relation to the way automated decision are made?

Yes, you can:

Ask that we do not make our decision based on the automated score alone

• Object to an automated decision and ask that a person reviews it
• If you want to know more about these rights, please contact us by emailing [email protected]

There are a few particular areas where automated decision making is specifically made by external bodies:

Credit Reference Agencies (CRAs) – we carry out credit and identity checks when you apply for a product or service for you or your business. We may use Credit Reference Agencies to help us with this.

We may also search information that the CRAs hold to help us manage any accounts you have with Hodge. More
information is available here and directly via each of the three main Credit Reference Agencies:

Callcredit

Equifax

Experian

Fraud Prevention Agencies (FPAs) – The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found Fair Processing Notices for Cifas.

What about cookies?

Cookies are a separate topic that have a dedicated policy. If you want to find out more about how we use cookies, please click here.

What if I want to know more, or am unhappy with the way my data has been handled?

Hopefully we have answered any questions you might have, but if you have a query or concern, please let us know. You can contact us using the details available here. Alternatively, you can contact our Data Protection Officer directly by writing to One Central Square, Cardiff, CF10 1FS, or emailing [email protected]. You also have the right to complain to the Information Commissioner’s Office. You can find out how to do this on their website https://ico.org.uk/concerns/.

Changes to this Document

This document is reviewed and updated regularly. Occasionally, we may make changes to it to explain changes in our business practices, data handling, or if there is a change in the law. When this happens, the version control information on this document will be updated. Due to this, we encourage you to revisit this page periodically to view any changes that may have been made. In some circumstances we will update you of any significant changes using the contact details you have provided.