Full Privacy Notice

Full Privacy Notice

This Policy applies to: GDFC Finance Limited (Company number: 10977963), GDFC Services plc (Company number: 08271985), GDFC HoldCo Limited (Company number: 08272183), and GDFC Assets Limited (Company number: 08272354). These are referred to as the GDFC Group in this notice, and are all registered at:

Imperial House,
15 – 19 Kingsway,
London WC2B 6UN

The Owner and Data Controller can be contacted at: [email protected]. Alternatively, a letter addressed to the GDFC Data Controller can be sent to the address above. Any enquiries regarding the contents of this Privacy Notice can be directed here.

Last updated: 26th November 2018

Types of Data we collect

The types of Personal Data collected by us, directly or through third parties, include:

  • Internet Cookies that track your use of our website or application, known as Usage Data
  • First and last name
  • Email address
  • Physical addresses
  • Date of birth
  • National Insurance numbers
  • Data to assess credit risk

Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed before the Data collection.

Usage Data is collected automatically when using our website or application.  All other Personal Data is only required to be provided by the User to access a service or information.

Users who are unsure about which Personal Data is mandatory are welcome to contact us.

We use Cookies – or other tracking tools – for:

  • Providing the service required by the User
  • Making use of our websites easy, including remembering your preferences on our websites
Methods of processing, storing, retaining Data

The Data Controller processes the Data of Users by following this Privacy Notice and shall take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorised destruction of the Data.

The Data processing is carried out using computers and/or IT enabled tools, following organisational procedures and modes strictly related to the purposes indicated. In addition to the Data Controller, in some cases the Data may be accessible to certain types of persons in charge, involved with the operation of the site (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Data Controller at any time.

The Data is processed at the Data Controller’s operating offices and in any other places where the parties involved with the processing are located. Please email us at [email protected] for further details, or write to us in the address listed on page 1 of this notice.

The User can always request that the Data Controller suspend or remove the data. The Data is kept for the time necessary to provide the service requested by the User, or stated by the purposes outlined in this document.

Using information about you

1. To provide you with products and services we need to collect, use, share and store personal and financial information about you. This includes information which we:

a) obtain from you or third parties, such as retailers from whom you are considering making a purchase, credit brokers, Green Deal Providers, Green Deal Assessors, employers, energy suppliers, credit reference agencies (who may check the information against other databases, public or private, to which they have access), or fraud prevention agencies. This information may come from your interactions with us or them, for example through applying for a loan, Green Deal Plan or another consumer finance product; or

b) ascertain from the way in which the loan is administered and managed, for example, information relating to the payments which are made to your account with your energy supplier.

2. Where you provide personal and financial information about others (such as dependents, other family members and a joint energy account holder, where applicable) you confirm that you have obtained their consent or are otherwise entitled to provide this information to us, and for it to be used in accordance with this notice.

3. You authorise us to process and disclose your information including relating to lifestyle, income and criminal offences alleged or otherwise that is provided by you or that we obtain from third parties for the purposes of:

a) assessing and identifying products and services;

b) applying for a credit product, a product of an insurance company/organisation or finance provider;

c) detecting and preventing crime (including without limitation fraud and money laundering);

d) transferring your information following Paragraph 11 of this document; and

e) otherwise meeting our obligations under this privacy notice.

4. Subject to applicable law, we may use your information to:

a) manage your Credit Agreement;

b) carry out regulatory checks and meet our obligations to our regulators;

c) protect ourselves against harm to our rights and property interests;

d) develop and improve our services through assessment and analysis of the information (including credit or behavioural scoring (or both), market and product analysis, and market research);

e) prepare high-level anonymised statistical reports which would contain details such as, for example, the percentage of people paying their energy supply by direct debit or the percentage of people changing energy supplier. We compile these reports from information about you and others. The information in these reports is never personal and you will never be identifiable from them. We may share these statistical and anonymised reports with third parties including non-GDFC companies;

f) prevent and detect fraud, money laundering and other crime (such as identity theft);

g) improve the relevance of marketing messages we may send you (which you can opt out of as stated below).

5. We may monitor or record any communications between you and us including telephone calls. We will use these recordings to check your instructions to us, to analyse, assess and improve our services to customers, deter fraud, and for training and quality purposes.

6. We may send you messages by post, telephone, text, email and other digital methods (including new methods that may become available in the future) in order to manage any financial product that you have applied for or hold with us.

7. We may send you messages by post, telephone, text, email and other digital methods (including new methods that may become available in the future) about products and services (including those of others) which may be of interest to you – these are marketing messages. You can ask us to stop or start sending you marketing messages at any time by writing to us or by replying to the messages we send you.

8. We may give your information to and receive information from credit reference agencies and fraud prevention agencies. We and other organisations may access and use this information to prevent and detect fraud, money laundering and other crimes, and to make credit assessments. Examples of circumstances when your information or information relating to your partner or other members of your household may be shared include:

a) checking details on applications for products and services, and credit and credit related, or other, facilities;

b) managing credit and credit-related accounts or facilities;

c) recovering debt;

d) checking details on proposals and claims for all types of insurance;

e) checking details of job applicants and employees; and

f) making enquiries when you ask for any lending products.

9. Information held about you by the credit reference agencies may already be linked to records relating to your partner or members of your household where a financial “association” has been created. Any enquiry we make at a credit reference agency may be assessed with reference to any “associated” records. Another person’s record will be “associated” with yours when:

a) you make a joint application;

b) you advise us of a financial association with another person; or

c) if the credit reference agencies have existing linked or “associate” records.

This “association” will be taken into account in all future applications by either or both of you and will continue until one of you applies to the credit reference agencies and is successful in filing a “disassociation”.

10. Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

The personal data you have provided, we have collected from you, or we have received from third parties, will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.

11. We may use credit scoring and automated decision making systems when considering any application from you for lending products and managing your loan, which may involve further searches at credit reference agencies which may affect your ability to obtain credit. Please email us at [email protected] for further details, or write to us in the address listed on page 1 of this notice.

12. We may disclose appropriate information about you and the management of the loan to the following, wherever located in the world:

a) other companies within the GDFC Group (that are subject to a similar duty of confidentiality);

b) our partners, and companies and organisations that provide marketing services to us at our request and under our direction (that are subject to a similar duty of confidentiality);

c) other companies or organisations that assist us in reviewing your financial position, to process transactions in the exercise of our discretion under the loan where applicable or arising from recommendations made by us to you; for example, to obtain product quotes and recommend and complete a product purchase with a product provider;

d) our service providers and agents (including their sub-contractors). This may include, for example, where we pass your details to someone who will print your statements; companies and organisations that assist us to process transactions under the loan;

e) anyone to whom we may transfer our rights and/or obligations under the loan;

f) any third party as a result of any restructure, sale or acquisition of any company within the GDFC Group, provided that any recipient uses your information for the same purposes as it was originally supplied to us and/or used by us;

g) your advisers (including, but not limited to, accountants, lawyers or other professional advisers) where authorised by you;

h) public authorities, where the GDFC Group has a duty to do so, or if law or regulation allows us to do so.

13. Where we are sharing information with organisations in another jurisdiction, we will ensure they agree to apply equivalent levels of protection as we do. If this is not possible – for example because we are required by law to disclose information – we will ensure the sharing of that information is lawful.

Your data may need to be shared with parties that are based outside the European Economic Area (EEA). When we do so, this will be done in line with current data protection legislation by only transferring your data to jurisdictions where there is a European Commission adequacy decision, or by using model clauses which have been approved by the European Commission.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing

14. We may use cookies and similar technologies on our websites and in our emails. Cookies are very small text files that may be stored on your computer or mobile device when you visit a website or enable images or click on a link in an email. These technologies do many different things, such as letting you navigate between web pages efficiently and remembering your preferences. In emails they help us to understand whether you have opened the email and how you have interacted with it.

15. If you end your relationship with us, or if your application for a loan or product is declined or you decide not to go ahead with it, we will keep your information afterwards. We may also continue to collect information from credit reference agencies to use after your account is closed or your relationship with us ends. We will do so for as long as we are allowed to for legitimate business purposes, to help prevent fraud and other financial crime, and for other legal and regulatory reasons.

16. You can ask for a copy of your information we hold about you by writing to us, or contacting the Data Controller at: [email protected].

Information not contained in this policy

More details concerning the collection or processing of Personal Data may be requested from the Data Controller at any time. Please see the contact information at the beginning of this document.

The rights of Users

Users have the right, at any time, to know whether their Personal Data has been stored and can consult the Data Controller to learn about their contents and origin, to verify their accuracy or to request for them to be supplemented, cancelled, updated or corrected, or for their transformation into anonymous format or to block any data held in violation of the law, as well as to oppose their treatment for any and all legitimate reasons. Requests should be sent to the Data Controller at the contact information set out above. This website/application does not support “Do Not Track” requests.

Users also have the right to complain to the Information Commissioner’s Office (ICO), which regulates the processing of personal data. The ICO’s contact details can be found below.

Changes to this privacy policy

The Data Controller reserves the right to make changes to this privacy policy at any time by giving notice to its Users on this page. It is strongly recommended to check this page often, referring to the date of the last modification listed at near the top of this page. If a User objects to any of the changes to the Policy, the User should stop using this website/application and can request that the Data Controller remove the Usage Data. Unless stated otherwise, the current privacy policy applies to all Personal Data the Data Controller has about Users.

How to find out more

Please contact us at:

  • GDFC Services plc, Data Controller, Imperial House, 15-19 Kingsway, London, WC2B 6UN, or email [email protected].uk

You can contact the credit reference agencies (CRAs) currently operating in the UK; the information they hold may not be the same so it is worth contacting them all.

  • CallCredit, Consumer Services Team, PO Box 491, Leeds, LS3 1WZ or call 0870 0601414
  • Equifax PLC, Credit File Advice Centre, PO Box 3001, Bradford, BD1 5US or call 0870 010 0583 or log on to www.myequifax.co.uk
  • Experian, Consumer Help Service, PO Box 8000, Nottingham NG80 7WF or call 0844 4818000 or log on to www.experian.co.uk

Further information regarding the CRAs can also be found in the Credit Reference Agency Information Notice, which is available on request, or can be found here: https://www.callcredit.co.uk/crain

If you want to receive details of the relevant fraud prevention agencies, please contact the Data Controller listed above, or:

  • Cifas, 6th Floor, Lynton House, 7-12 Tavistock Square, London, WC1H 9LT or call 0330 100 0180

The Information Commissioner’s Office, which regulates the processing of personal data, can be found at:

  • ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF, or call 0303 123 1113