humm bird bnpl

Privacy Policy

We are committed to protecting and respecting your privacy.
We hope you take the time to read this Privacy Policy.

1. Introduction

Thanks for choosing Humm Group Limited (we or us).

We are committed to protecting and respecting your privacy. We hope you take the time to read this Privacy Policy.

Your personal information and privacy are important to us. As our customer, we respect your right to be aware of who has information about you, what they are doing with it and why, and who else they are sharing it with. We have adopted a privacy compliance culture that cements this relationship with you. 

The aim of this Privacy Policy is to set out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. We also want to provide you with a better understanding of:

  • what information we collect;
  • how we use that information;
  • how this information is shared;
  • your rights; and
  • other useful privacy and security related matters.

In this policy we use the terms ‘personal data’ and ‘personal information’ interchangeably – they have the same meaning.

Who is the Data Controller?

For personal data processed under this Privacy Policy, the “Data Controller” is

Humm Group Limited of 3rd Floor, 2-4 Wellington Street, Belfast City, Belfast, BT16HT, UK.

What about the Data Protection Officer?

We have appointed a Data Protection Officer (DPO).

While our DPO can be reached at [email protected], our Customer Service Team will be your initial point of contact if you wish to exercise your rights.   

Please see the “How to contact us” Section 18 at the end of this Privacy Policy.

2. Your rights

Under the United Kingdom General Data Protection Regulation (UK GDPR), you, as a Data Subject, have a number of rights which are detailed in this Privacy Policy. Some of these only apply in specific circumstances and are qualified in several respects by exemptions in data protection legislation. We will advise you in our response to your request if we are relying on any such exemptions.

Access to personal data: You have a right to request a copy of the personal information that we hold about you. Should you wish to make such a request, please see the “How to contact us” section for information on how to contact us. You should include adequate information to identify yourself and such other relevant information that will reasonably assist us in fulfilling your request.  If you’re asking another person to make a request on your behalf (e.g. a claims management company or a relative who helps you with your affairs) we will need to see proof of authorisation from you.  Your request will be dealt with as soon as possible.

Correction of personal data: You can request us to rectify and correct any personal data that we are processing about you which is incorrect.

Right to withdraw consent: Where we have relied upon your consent to process your personal data, you have the right to withdraw that consent. To opt out of marketing (i.e. withdraw your consent), you can use the unsubscribe link found in the marketing communication you receive from us or you can contact our Customer Service Team (details are in section 9 below).     

Right of erasure: You can request us to erase your personal data where there is no compelling reason to continue processing. This right only applies in certain circumstances – it is not a guaranteed or an absolute right.

Right to data portability: This right allows you to obtain your personal data that you have provided to us with your consent or which was necessary for us to provide you with our products and services under the contract we have with you, and where the processing is carried out by automated means, in a format which enables you to transfer that personal data to another organisation. You may have the right to have your personal data transferred by us directly to the other organisation if this is technically feasible.

Right to restrict processing of personal data: You have the right in certain circumstances to request that we suspend our processing of your personal data. Where we suspend our processing of your personal data we will still be permitted to store your personal data, but any other processing of this information will require your consent, subject to certain exemptions.

Right to object to processing of personal data: You have the right to object to our use of your personal data which is processed on the basis of our legitimate interests. However, we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so or we need to process your personal data in connection with any legal claims.   You also have the right to object to our use of your personal data for direct marketing purposes.

Right to complain to a supervisory authority: You have the right to lodge a complaint with a supervisory authority in relation to your personal data that we process in accordance with this Privacy Policy.  In our case, this is the Information Commissioner’s Office. The contact details of the Information Commissioner’s Office are available on its website,

3. What personal data do we collect?

Information you give us

You may give us information about you by filling in forms on our app, our site at (App and Site respectively) or by corresponding with us by phone, e-mail or otherwise. This includes information you provide us when you utilise a product or service from us.

The type of information you will typically provide includes your name, postal address (current and previous), e-mail address, phone number, banking and employment details, and proof of identity. We will also require information about your financial circumstances and history (this means your salary/income and your financial commitments/outgoings so that we can check the affordability of the product or service you’d like to purchase), and products or service preferences you may have (this means we collect information about what you’d like to buy using the credit applied for and also whether you consent to direct marketing from us).

Generally, we collect this information from you.

On occasions, we obtain information about you from others (this includes the UK Credit Reference Agencies and Fraud Prevention Agencies – see below). While we will not specifically request this information from you (except in the case of health data which we sometimes do need to ask for if payments are in arrears), some of the information you voluntarily provide may be sensitive personal data, such as data revealing racial or ethnic origin, political opinions, religious and philosophical beliefs, health data or trade union membership, which requires higher levels of protection.

Information we collect about you

With regard to each of your visits to our App or Site we may automatically collect the following information:

  • technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
  • information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our App or Site (including date and time), products and / or services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.

Information we receive from other sources

We may receive information about you from the following other sources:

  • If you use any of the other websites we operate or other services we provide. Such data may be shared internally and combined with data collected on our App or Site. We also work closely with third parties (including, for example, business partners, sub-contractors in technical services, advertising networks, analytics providers and search information providers) and may receive information about you from them that is relevant to our business.
  • If you are requesting services from us. We will request information from credit reporting agencies and/or any business providing information about creditworthiness, including consumer credit report(s) about you for application(s) for consumer credit. We will carry out searches at one of the UK’s Credit Reference Agencies.  The information they hold will have originated from publicly accessible sources.  In particular, Credit Reference Agencies draw on court decisions, bankruptcy registers and the electoral register (also known as the electoral roll).  We explain more about Credit Reference Agencies below. 
  • We may receive information about you from retailers who you access our services through, referees you nominate to us, or in some cases official authorities.

Failure to provide data

If you do not provide us with the data we request, the most likely consequence of this is that we cannot provide you with the products or services that you are requesting from us.

4. Cookies

Certain statistical information is available to us via our internet service provider through the use of cookies. Our use of cookies is governed by our Cookies Policy which can be accessed at   

Our aim is to continuously improve your experience of our digital channels. We use cookies to improve your customer experience of our products, service and online applications. Our web server collects information about your visit, for example:

  • number of people who visit the App or Site;
  • date and time of visits;
  • number of pages viewed;
  • amount of time spent on the App or Site; and
  • popular sections of the App or Site.

5. What do we use your personal data for?

Information you give to us.

We will use this information:

  • to assess your application for our products and services, for account management, arrears enforcement and end of term communication to you;
  • to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us;
  • to assess your application for our services and whether you satisfy our eligibility requirements;
  • to verify identity in accordance with our legal obligations;
  • to assess your creditworthiness including undertaking credit checks and reporting to credit referencing agencies who will retain any information we provide (including in relation to the ongoing status of your loan) and who will share this with third parties;
  • to manage your Account;
  • to deal with, assign or transfer any of our rights, interests and / or obligations under our agreement with you;
  • to register you to use our App or Site, subscribe you to a service available via the App or Site and / or when you report a problem with our App or Site;
  • subject to your marketing preferences, to provide you with details of products and services that may be relevant to you (see “Direct marketing” section);
  • to respond to any queries or other communications you submit to us;
  • to notify you about changes to our services;
  • to ensure that content from our App or Site is presented in the most effective manner for you and for your computer; and/or
  • to register or redeem for promotional campaigns.


Information about your use of the App or Site

We will use this information:

  • to determine which pages are the most popular, what country users come from, peak usage times and similar information;
  • to administer our App or Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • to improve our App or Site to ensure that content is presented in the most effective manner for you and for your device;
  • to allow you to participate in interactive features of our App or Site when you choose to do so;
  • as part of our efforts to keep our App or Site safe and secure;
  • to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and/or
  • to make suggestions and recommendations to you about goods or services that may interest you.

Information we receive from other sources

We may combine this information with information you give to us and information we collect about you. We may us this information and the combined information for the purposes set out above (depending on the types of information we receive).

Lawful bases for processing

Our lawful bases for processing personal data for the above purposes are the performance of contracts that we have with you and processing that is necessary before you enter into the contract (we do credit reference agency checks on you for this reason), or otherwise as necessary for the purposes of our legitimate interests. 

Those legitimate interests include presenting an effective App or Site, ensuring our financial stability by assessing your creditworthiness (we process personal data for this legitimate interest whereas the check at the credit reference agency itself is lawful for the ‘contract’ reason above), providing our services efficiently and carrying out effective marketing and customer research activities (this includes profiling about the products and services you’re interested in so that we can tailor the content of direct marketing communications to this). 

We may also process personal data to the extent it is necessary for compliance with a legal obligation, including to verify your identity and for complying with requests from a regulator or any court order.   We will also process your personal data based on your consent if you sign up for direct marketing communications. 

If you require further information about the balancing test that we have undertaken to justify our reliance on the legitimate interest legal basis under the UK GDPR, please see “How to contact us” Section 18 for further details on how to contact us.

We may process personal data for a substantial public interest under laws that apply to us where this helps us to meet our broader social obligations such as:

  • Processing of your special categories of personal data such as about your health or if you are a vulnerable customer;
  • Processing that we need to do to fulfil our legal obligations and regulatory requirements (this will include criminal convictions and offences data and it will be relevant, for instance, where we suspect fraud, money laundering or other crimes if we cannot reasonably be expected to obtain your consent to the processing); and 
  • When we share your personal information with other people and organisations if they need to know that you are a vulnerable customer and your relatives, social services, your carer, the person who has power of attorney over your affairs.   

Sometimes we may need to ask for your explicit consent to process your sensitive personal data about your health (particularly if a substantial public interest reason doesn’t apply).  In some cases, we can process your sensitive personal data on the basis that this is necessary for the establishment, exercise or defence of legal claims or before the courts.

6. Sharing your personal data

We may share your personal information with any member of our corporate group, which means our subsidiaries, our ultimate holding company and its subsidiaries.  You can find out the full company names and their contact details by contacting our Customer Service Team or our DPO (details below).

We may share your information with selected third parties including:

  • our professional advisors (including lawyers, accountants and auditors), our business partners, product and services suppliers, service providers and sub-contractors and this includes suppliers of IT services, payment processing, data back up and data hosting services;
  • advertisers and advertising networks that require the information to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we may provide them with aggregate information about our users (this means we anonymise the data so it cannot be used to identify you). We may also use such aggregate information to help advertisers reach the kind of audience they want to target. We may make use of the personal data we have collected from you to enable us to comply with our advertisers’ wishes by displaying their advertisement to that target audience (this only happens if you have consented to the marketing cookies on our App or Site);
  • our assignees or potential assignees (this means other companies to whom we might in future assign or transfer our customers’ contracts);
  • credit reporting agencies (this means the UK’s credit reference agencies – see further details below) or any business providing information about creditworthiness; other credit providers; insurers;
  • any guarantor or proposed guarantor of your obligations to us; your assignees or proposed assignees;
  • debt collection agencies; our banks and financial advisers;
  • any person specifically authorised by you in writing to obtain your personal information from us; and/or
  • analytics and search engine providers that assist us in the improvement and optimisation of our App or Site.

We may also disclose your personal information to third parties:

  • in order to enforce our rights under any contracts entered into between you and us;
  • if we are acquired or we sell or buy, or propose to sell or buy, any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
  • if we assign, transfer or otherwise dispose of a debt that you owe us to another party or if we or such third party want to enforce such a debt;
  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, including sharing your personal data with the Courts, to comply with the rules of any stock exchange or other trading exchange to which we are subject, in order to enforce or apply this Privacy Policy, our App or Site terms of use or other agreements; and/or
  • to protect our (or our customers or other relevant parties’) rights, property or safety.

7. How do we share your information with Credit Reference Agencies?

In order to process your application, we will perform credit and identity checks on you with one or more UK credit reference agencies (“CRAs”). We may also make periodic searches at CRAs to manage your account with us.

To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information. 

We will use this information to:

  •  Assess your creditworthiness and whether you can afford to take the product;
    •    Verify the accuracy of the data you have provided to us;
    •    Prevent criminal activity, fraud and money laundering;
    •    Manage your account(s);
    •    Trace and recover debts; and
    •    Ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. The identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods, and your data protection rights with the CRAs are explained in more detail at the websites which we refer to below. 

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.

You have a right to apply to the CRAs for a copy of your file. The information they hold may not be the same and there is a small fee that you may need to pay to each agency that you apply to. 

Their contact details including their addresses are available from their websites:




You can find out more about what the UK’s credit reference agencies do with your personal data by reading the CRAIN (Credit Reference Agencies Information Notice).  It’s available in full here:




8. How do we share your information with Fraud Prevention Agencies?

The personal information we have collected from you will be shared with Fraud Prevention Agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment.

Further details of how to contact us for information about how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at the end of this privacy policy.

9. Direct marketing

We may (subject to your preferences) use your personal data to make suggestions to you about goods or services that may interest you. Those communications will give you the opportunity to opt out of receiving similar communications in the future (i.e. you can withdraw your consent at any time).

You can also choose to opt out of such future communications by contacting us, namely by: 

  • email, at [email protected]; or
  • post, at Humm Group Limited of 3rd Floor, 2-4 Wellington Street, Belfast City, Belfast, BT16HT, UK.

10. Where we store your personal data

Data that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom including Ireland, Australia, New Zealand and the Philippines as discussed in Section 13.

It may also be processed by personnel operating outside the United Kingdom that work for us or for one of our suppliers, service providers or sub-contractors. The laws of jurisdictions outside the United Kingdom may not have the same level of protection for personal data as apply in the United Kingdom. For instance, they may not be deemed “adequate” by the UK Government (the Secretary of State) in respect of the processing of personal data.

In such circumstances we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and applicable law.

Where you have chosen (or where we have given you) a password which enables you to access certain parts of our App or Site, you are responsible for keeping the password confidential. We ask you not to share your password with anyone.

Please be aware that the transmission of information via the internet is not completely secure. Although we will do our best to protect your data, we cannot guarantee the security of your data transmitted to our App or Site which you transmit at your own risk. Once we have received your information, we will apply procedures and use security features to try to prevent unauthorised access.

11. Quality, access and correction

Information about you is integral to decisions we make about our products and services for you. It is essential that your information is correct. You are encouraged to assist us to ensure this by alerting us to any changes in your particular circumstances. 

12. Data retention and deletion

We keep your personal data only as long as necessary to provide you with our products and services and for legitimate and essential business purposes, such as maintaining the performance of products and services, making data-driven business decisions about new features and offerings, complying with our legal obligations, and resolving disputes. 

We will keep your personal data on file for as long as you have a contract with us, and we will also retain some records (including personal data relating to your use of our products and services) for a period of no longer than six years and two months.  

If you request, we will delete or anonymise your personal data so that it no longer identifies you, unless, we are legally allowed or required to maintain certain personal data, including situations such as the following:

  • if there is an unresolved issue relating to your account (e.g. outstanding credit on your account or an unresolved claim or dispute we will retain the necessary personal data until the issue is resolved);
  • where we are required to retain the personal data for our legal, tax, audit, and accounting obligations, we will retain the necessary personal data for the period required by applicable law; and/or,
  • where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our customers.

13. Transfer to other countries

We may share your personal data globally with other companies in our corporate group in order to carry out the activities specified in this Privacy Policy. This includes our corporate group of companies in Australia, Ireland, New Zealand and Philippines. We may also subcontract processing to, or share your personal data with, third parties located in countries other than your home country (including those third parties mentioned in section 6(a)). 

Our transfers to Ireland and New Zealand are made on the basis of a decision by the UK Government (the Secretary of State) that laws in Ireland (as part of the European Economic Area) and New Zealand (adopting an adequacy decision previously reached by the EU Commission whilst the UK was part of the EU) provide an adequate level of protection to personal data rights.  Our transfers to Australia, the Philippines and other countries are made on the basis of the Standard Contractual Clauses as required by UK GDPR (or, where necessary, on the basis of your consent if there’s a one-off transfer).

Your personal data, therefore, may be subject to privacy laws that are different from those in your country of residence after the transfers we’ve mentioned, but you will still have protection in relation to that data based on the contracts we have entered into with data recipients or sub-processors.

Personal data collected within the United Kingdom may, for example, be transferred to and processed by third parties located in a country outside of the United Kingdom. In such instances we will ensure that the transfer of your personal data is carried out in accordance with UK GDPR, in particular, that appropriate contractual, technical, and organisational measures are in place (e.g. such as the Standard Contractual Clauses as required by UK GDPR).

14. Links

We may display advertisements from third parties and other content that links to third-party websites (including on our App or Site). None of these links comprise or imply support or recommendation of any other company, product or service. We cannot control or be held responsible for third parties’ privacy practices and content. If you click on a third-party advertisement or link, any personal data you provide will not be covered by this Privacy Policy. Please read their privacy policies to find out how they collect and process your personal data.  For example, if you consent to cookies which place relevant and engaging advertisements on our Site, those advertisements might have links to third-party websites which have their own privacy policies.

15. Keeping your personal data safe

We are committed to protecting your personal data. We implement appropriate technical and organisational measures to help protect the security of your personal data. However, please note that no system is ever completely secure. We have implemented various policies including pseudonymisation, encryption, access, and retention policies to guard against unauthorised access and unnecessary retention of personal data in our systems.

16. Automated decision-making

Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention.  We will use automated decision-making to process your personal data where it is necessary for the entering into our contract with you (we call this a credit agreement).  UK GDPR means we can do this type of automated decision-making on the basis it’s necessary to check your credit standing prior to entering into any contract with you. 

If you are requesting credit services from us, you must input your demographic and financial details to our online system.  This will involve an initial stage of automatic decision making, and in particular your application may be automatically declined if the information you provide fails to meet our minimum requirements, [i.e. for our customers to be aged 18 or over, where any fraud is detected,  current and/or previous credit arrears or declined applications with us] and for the UK Credit Reference Agency checks to indicate sufficient credit standing and affordability

If you submit any special categories of personal data to us as part of this process, such as data revealing racial or ethnic origin, political opinions, religious and philosophical beliefs, health data or trade union membership, we will take this to mean that you give your explicit to our processing that information for the purpose of evaluating your application and receiving credit services from us.  This is the case unless we are able to rely on the substantial public interest reasons mentioned in Section 5 for processing this type of data.

If your application is automatically declined, you have the right to make an objection to this by contacting us, and to request that a human reviews your application and the decision that was made.  To exercise these rights, please see the “How to contact us” section at the end of this Privacy Policy.

17. Changes to this Privacy Policy

We may occasionally make changes to this Privacy Policy.

When we make material changes to this Privacy Policy, we will provide you with prominent notice as appropriate under the circumstances (e.g. by displaying a prominent notice on the relevant services or by sending you an email).

We may notify you in advance. Please, therefore, make sure you read any such notice carefully.

18. How to contact us

Thank you for reading our Privacy Policy.

If you have any questions, comments or requests about this Privacy Policy, please contact our Data Protection Officer by:

  • email, at [email protected]; or
  • post, at Humm Group Limited of 3rd Floor, 2-4 Wellington Street, Belfast City, Belfast, BT16HT, UK.

 You can also contact our Customer Service team by calling +44 2891 422113 or by email at [email protected]