humm bird bnpl

Privacy Policy

We are committed to protecting and respecting your privacy.
We hope you take the time to read this Privacy Policy.

1. Introduction

Thanks for choosing Humm Group Limited (we or us).

We are committed to protecting and respecting your privacy. We hope you take the time to read this Privacy Policy.

Your personal information and privacy are important to us. As our customer, we respect your right to be aware of who has information about you, what they are doing with it and why, and who else they are sharing it with. We have adopted a privacy compliance culture that cements this relationship with you. 

The aim of this Privacy Policy is to set out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. We also want to provide you with a better understanding of:

  • what information we collect;
  • how we use that information;
  • how this information is shared;
  • your rights; and
  • other useful privacy and security related matters.

In this policy we use the terms ‘personal data’ and ‘personal information’ interchangeably – they have the same meaning.

Who is the Data Controller?

For personal data processed under this Privacy Policy, the “Data Controller” is

Humm Group Limited of 3rd Floor, 2-4 Wellington Street, Belfast City, Belfast, BT16HT, UK.

What about the Data Protection Officer?

We have appointed a Data Protection Officer (DPO).

While our DPO can be reached at [email protected], our Customer Service Team will be your initial point of contact if you wish to exercise your rights.   

Please see the “How to contact us” Section 18 at the end of this Privacy Policy.


2. Your rights

Under the United Kingdom General Data Protection Regulation (UK GDPR), you, as a Data Subject, have a number of rights which are detailed in this Privacy Policy. Some of these only apply in specific circumstances and are qualified in several respects by exemptions in data protection legislation. We will advise you in our response to your request if we are relying on any such exemptions.

Access to personal data: You have a right to request a copy of the personal information that we hold about you. Should you wish to make such a request, please see the “How to contact us” section for information on how to contact us. You should include adequate information to identify yourself and such other relevant information that will reasonably assist us in fulfilling your request.  If you’re asking another person to make a request on your behalf (e.g. a claims management company or a relative who helps you with your affairs) we will need to see proof of authorisation from you.  Your request will be dealt with as soon as possible.

Correction of personal data: You can request us to rectify and correct any personal data that we are processing about you which is incorrect.

Right to withdraw consent: Where we have relied upon your consent to process your personal data, you have the right to withdraw that consent. To opt out of marketing (i.e. withdraw your consent), you can use the unsubscribe link found in the marketing communication you receive from us or you can contact our Customer Service Team (details are in section 9 below).     

Right of erasure: You can request us to erase your personal data where there is no compelling reason to continue processing. This right only applies in certain circumstances – it is not a guaranteed or an absolute right.

Right to data portability: This right allows you to obtain your personal data that you have provided to us with your consent or which was necessary for us to provide you with our products and services under the contract we have with you, and where the processing is carried out by automated means, in a format which enables you to transfer that personal data to another organisation. You may have the right to have your personal data transferred by us directly to the other organisation if this is technically feasible.

Right to restrict processing of personal data: You have the right in certain circumstances to request that we suspend our processing of your personal data. Where we suspend our processing of your personal data we will still be permitted to store your personal data, but any other processing of this information will require your consent, subject to certain exemptions.

Right to object to processing of personal data: You have the right to object to our use of your personal data which is processed on the basis of our legitimate interests. However, we may continue to process your personal data, despite your objection, where there are compelling legitimate grounds to do so or we need to process your personal data in connection with any legal claims.   You also have the right to object to our use of your personal data for direct marketing purposes.

Right to complain to a supervisory authority: You have the right to lodge a complaint with a supervisory authority in relation to your personal data that we process in accordance with this Privacy Policy.  In our case, this is the Information Commissioner’s Office. The contact details of the Information Commissioner’s Office are available on its website, https://ico.org.uk/

Right to have a human review our automated decision: If your application is automatically declined, you have the right to make an objection to this by contacting us, and to request that a human reviews your application and the decision that was made.

To exercise these rights, please see the “How to contact us” section 18 at the end of this Policy.


3. What personal data do we collect?

Information you give us

You may give us information about you by filling in forms on our app, our site at www.shophumm.com/uk (App and Site respectively) or by corresponding with us by phone, e-mail or otherwise. This includes information you provide us when you utilise a product or service from us.

The type of information you will typically provide includes your name, postal address (current and previous), e-mail address, phone number, banking and employment details, and proof of identity. We will also require information about your financial circumstances and history (this means your salary/income and your financial commitments/outgoings so that we can check the affordability of the product or service you’d like to purchase), and products or service preferences you may have (this means we collect information about what you’d like to buy using the credit applied for and also whether you consent to direct marketing from us).

Generally, we collect this information from you.

On occasions, we obtain information about you from others (this includes the UK Credit Reference Agencies and Fraud Prevention Agencies – see Section 7 & 8 below). While we will not specifically request this information from you (except in the case of health data which we sometimes do need to ask for if payments are in arrears), some of the information you voluntarily provide may be sensitive personal data, such as data revealing racial or ethnic origin, political opinions, religious and philosophical beliefs, health data or trade union membership, which requires higher levels of protection. Please do not share sensitive personal data (e.g. in free text boxes or emails) unless we ask you for it.

Information we collect about you

With regard to each of your visits to our App or Site we may automatically collect the following information:

  • technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and
  • information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our App or Site (including date and time), products and / or services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.

Some of this information is your personal data. Our lawful basis for processing the information in the first bullet includes this being necessary for our legitimate interests in recognising users returning to our App and Site and making sure the App and Site operate effectively. Our lawful basis for processing the information in the second bullet includes this being necessary for our legitimate interests in seeing how our App or Site are used and which parts are more popular than others. In addition, the information helps us understand levels of interest in different industries and sectors and assists us in planning our strategy for developing our products and services. This, in turn, helps us improve our App and Site.

Information we receive from other sources

We may receive information about you from the following other sources:

  • If you use any of the other websites we operate or other services we provide. Such data may be shared internally and combined with data collected on our App or Site. We also work closely with third parties (including, for example, business partners, sub-contractors in technical services, advertising networks, analytics providers and search information providers) and may receive information about you from them that is relevant to our business.
  • If you are requesting services from us. We will request information from credit reporting agencies and/or any business providing information about creditworthiness, including consumer credit report(s) about you for application(s) for consumer credit. We will carry out searches at one [or more] of the UK’s Credit Reference Agencies. The information they hold will have originated from publicly accessible sources. In particular, Credit Reference Agencies draw on court decisions, bankruptcy registers and the electoral register (also known as the electoral roll). We explain more about Credit Reference Agencies below.
  • We may receive information about you from retailers who you access our services through, referees you nominate to us, or in some cases official authorities.

Failure to provide data

If you do not provide us with the data we request, the most likely consequence of this is that we cannot provide you with the products or services that you are requesting from us.


4. Cookies

Certain statistical information is available to us via our internet service provider through the use of cookies. Our use of cookies is governed by our Cookies Policy which can be accessed at http://www.shophumm.com/uk/cookies-policy/   

Our aim is to continuously improve your experience of our digital channels. We use cookies to improve your customer experience of our products, service and online applications. Our web server collects information about your visit, for example:

  • number of people who visit the App or Site;
  • date and time of visits;
  • number of pages viewed;
  • amount of time spent on the App or Site; and
  • popular sections of the App or Site.


5. What do we use your personal data for?

Information you give to us.

We will use this information:

  • to assess your application for our products and services, for account management, arrears enforcement, for service communications, about your account; and for end of term communication to you. Our lawful bases for this processing (see below in this Privacy Policy for more details about lawful bases) are to perform our contract with you (including taking steps at your request to enter into that contract) and, in the case of assessment of your application, for our legitimate interests in ensuring our financial stability by ensuring your creditworthiness.;
  • to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us. Our lawful bases for this processing are to perform our contract with you (including taking steps at your request to enter into that contract) or, in the case of provision of information, for our legitimate interests in providing you with the requested information.;
  • to assess your application for our services and whether you satisfy our eligibility requirements. Our lawful basis for this processing is our legitimate interests in ensuring our financial stability by ensuring your creditworthiness.;
  • to verify identity in accordance with our legal obligations. Our lawful basis for this processing is to comply with our legal obligations.;
  • to assess your creditworthiness including undertaking credit checks and reporting to credit referencing agencies who will retain any information we provide (including in relation to the ongoing status of your loan) and who will share this with third parties. Our lawful bases for this processing are for our legitimate interests in ensuring our financial stability by ensuring your creditworthiness and for the interests of those other third parties in ensuring their financial stability or, in the case of our initial credit check, to perform our contract with you (including taking steps at your request to enter into that contract).;
  • to manage your Account. Our lawful basis for this is to perform our contract with you.;
  • to deal with, assign or transfer any of our rights, interests and / or obligations under our agreement with you. Our lawful bases for this processing are to perform our contract with you or for our legitimate interests in being able to deal with our business.;
  • to register you to use our App or Site, subscribe you to a service available via the App or Site and / or when you report a problem with our App or Site. Our lawful bases for this processing are to perform our contract with you (including taking steps at your request to enter into that contract) or, in the case of dealing with reported problems, for our legitimate interests in fixing our App or Site and developing our services.subject to your marketing preferences, to provide you with details of products and services that may be relevant to you (see “Direct marketing” section). Our lawful basis for this processing is that you will have consented to receive such communications (this means that consent justifies our processing of your personal data for our marketing communications).;
  • to respond to any queries or other communications you submit to us. Our lawful bases for this processing are to perform our contract with you (including taking steps at your request to enter into that contract) and for our legitimate interests in responding to you and developing our services.;
  • to notify you about changes to our services. Our lawful bases for this processing are to perform our contract with you and for our legitimate interests in developing our services and keeping you update to date about changes.;
  • to ensure that content from our App or Site is presented in the most effective manner for you and for your computer. Our lawful basis for this processing is for our legitimate interests in providing our services, including our App and Site, as effectively as possible.; and/or
  • to register or redeem for promotional campaigns. Our lawful basis for this processing is your consent or (if we enter into a contract with you specific to that campaign) to perform our contract with you or (if we don’t ask for consent and if there’s not a contract) for our legitimate interests in promoting our services by way of having our customers participate in promotional campaigns.

     

Information about your use of the App or Site

We will use this information:

  • to determine which pages are the most popular, what country users come from, peak usage times and similar information;
  • to administer our App or Site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • to improve our App or Site to ensure that content is presented in the most effective manner for you and for your device;
  • to allow you to participate in interactive features of our App or Site when you choose to do so;
  • as part of our efforts to keep our App or Site safe and secure;
  • to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you; and/or
  • to make suggestions and recommendations to you about goods or services that may interest you.

Our lawful basis for the above processing is for our legitimate interests in providing our services, including our App and Site, as efficiently, effectively and securely as possible including understanding how they are used, to ensure that you can participate in interactive features, and to provide you with relevant and targeted content (including advertising and suggested recommendations). In addition, we have legitimate interests in carrying out effective marketing and customer research activities (this includes profiling about the services you’re likely to be most interested in so that we can tailor the content of direct marketing communications to this).

Information we receive from other sources

We may combine this information with information you give to us and information we collect about you. We may us this information and the combined information for the purposes set out above (depending on the types of information we receive).

Lawful bases for processing

You’ll have seen that we’ve explained in detail our lawful bases for processing personal data for the above purposes. We’ve done that so it’s easier for you to see how your data protection law rights can be exercised (particular rights relate to different lawful bases – for instance where we rely on consent you have the right to withdraw that consent – as you’ll see from Section 2 above).

What follows below is a summary of our lawful bases. It’s also an explanation of the lawful bases which justify the other purposes for which we process your personal data, as mentioned below this section of the Privacy Policy.

Our lawful bases include:

  • the performance of contracts that we have with you and processing that is necessary before you enter into the contract (we do credit reference agency checks on you for this reason);
  • processing necessary for the purposes of our legitimate interests which include presenting an effective App or Site, ensuring our financial stability by assessing your creditworthiness (we process personal data for this legitimate interest whereas the check at the credit reference agency itself is lawful for the ‘contract’ reason above), providing our services efficiently and carrying out effective marketing and customer research activities (this includes profiling about the products and services you’re interested in so that we can tailor the content of direct marketing communications to this) and protecting our company against risk of fraud, money laundering and other crimes;
  • processing necessary for compliance with a legal obligation, including to verify your identity and for complying with requests from a regulator or any court order; and
  • We will also process your personal data based on your consent if you sign up for direct marketing communications.

When we rely on legitimate interest as a lawful basis for processing your personal data under UK GDPR, it’s important to consider a balancing test to justify this. This is about balancing on the one hand our legitimate interests in the processing (or those of third parties – for instance the interests of other third parties in ensuring their financial stability) against on the other hand your own interests, fundamental rights and freedoms and making sure that the legitimate interests we rely on are not overridden by your own interests.

Our legitimate interests described above in this Privacy Policy are not overridden by your interests, fundamental rights and freedoms, for the following reasons. Either the processing does not cause you prejudice in any way (e.g. the development of our services and efficient provision of them) or in the case of ensuring your credit worthiness, our interests in ensuring our financial stability (and those of third parties) means that we need to take steps to ensure your credit worthiness when providing services to you. If you don’t have sufficient credit worthiness it’s important for us (and others) to know that. In the case of profiling to tailor direct marketing communications to services of interest to you, your interests aren’t overridden because we won’t share that profiling information with anyone else, we only use minimal and necessary personal data to do the profiling, and the end goal of that profiling is to seek to ensure that you receive communications you’re more interested in.

If you require further information about the balancing test that we have undertaken to justify our reliance on the legitimate interest legal basis under the UK GDPR, please see “How to contact us” Section 18 for further details on how to contact us.

We may process personal data for a substantial public interest under laws that apply to us where this helps us to meet our broader social obligations such as: 

  • Processing of your special categories of personal data such as about your health or if you are a vulnerable customer;
  • Processing that we need to do to fulfil our legal obligations and regulatory requirements (this will include criminal convictions and offences data and it will be relevant, for instance, where we suspect fraud, money laundering or other crimes if we cannot reasonably be expected to obtain your consent to the processing); and
  • When we share your personal information with other people and organisations if they need to know that you are a vulnerable customer and your relatives, social services, your carer, the person who has power of attorney over your affairs.

Sometimes we may need to ask for your explicit consent to process your sensitive personal data about your health (particularly if a substantial public interest reason doesn’t apply). In some cases, we can process your sensitive personal data on the basis that this is necessary for the establishment, exercise or defence of legal claims or before the courts.

6. Sharing your personal data

We may share your personal information with any member of our corporate group, which means our subsidiaries, our ultimate holding company and its subsidiaries. Our lawful basis for this processing is that it’s necessary for our legitimate interests in working effectively and efficiently as a corporate group, for instance if we have a customer who has committed a fraud and we suspect that customer is applying to another part of our group, we may need to tell the other company.

We’ll share personal information with other companies in our group because they are providing services to us as our ‘data processor’ and in those cases we’d have taken steps to protect your data as required under UK GDPR. An example of this is one member of the Group owns and manages the Data Warehouse for the Group where all data is stored to allow for retention and for internal analytics to be run (this analytics is described in more detail in the ‘Information we collect about you’ section above). The lawful basis justifying that particular processing is the same as our own (see section 5 above). You can find out the full company names and their contact details by contacting our Customer Service Team or our DPO (details below).

We may share your information with the selected third parties listed below. Where the third party is a data controller of your personal data, we’ll do this sharing based on the lawful basis of our legitimate interests (or the interests of the third parties receiving it), all of which we’ve mentioned above, or for performance of our contract with you, and as otherwise specified below:

  • our professional advisors (including lawyers, accountants and auditors), our business partners, product and services suppliers, service providers and sub-contractors and this includes suppliers of IT services, payment processing, data back up and data hosting services (justified by legitimate interests including of enabling our contracts with third parties to happen);
  • advertisers and advertising networks that require the information to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we may provide them with aggregate information about our users (this means we anonymise the data so it cannot be used to identify you). We may also use such aggregate information to help advertisers reach the kind of audience they want to target. We may make use of the personal data we have collected from you to enable us to comply with our advertisers’ wishes by displaying their advertisement to that target audience (this only happens if you have consented to the marketing cookies on our App or Site) – our lawful basis under UK GDPR for this processing is legitimate interests or consent depending on the circumstances;
  • our assignees or potential assignees (this means other companies to whom we might in future assign or transfer our customers’ contracts) – justified by your contract and by our legitimate interests;
  • credit reporting agencies (this means the UK’s credit reference agencies – see further details below – justified by your contract) or any business providing information about creditworthiness (justified by the legitimate interests of others); other credit providers (justified by legitimate interests); insurers (justified by legitimate interests of enabling our policies of insurance to be administered properly);
  • any guarantor or proposed guarantor of your obligations to us; your assignees or proposed assignees (justified by legitimate interests and, in the case of your assignees or proposed assignees, your contract);
  • debt collection agencies; our banks and financial advisers (justified by our legitimate interests of enabling our contracts with these persons to be administered properly);
  • any person specifically authorised by you in writing to obtain your personal information from us (justified by your consent); and/or
  • analytics and search engine providers that assist us in the improvement and optimisation of our App or Site – our lawful basis under UK GDPR for this processing is legitimate interests.

We may also disclose your personal information to third parties:

  • in order to enforce our rights under any contracts entered into between you and us (the contract justifies this);
  • if we are acquired or we sell or buy, or propose to sell or buy, any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets (in which case our lawful basis for the sharing will be our legitimate interests in entering into or considering entering into these business transactions);
  • if we assign, transfer or otherwise dispose of a debt that you owe us to another party or if we or such third party want to enforce such a debt (our legitimate interests or those of the third party of recovering and disposing of debts justify this);
  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation (in which case our lawful basis for processing your personal data is to comply with our legal obligations), including sharing your personal data with the Courts, to comply with the rules of any stock exchange or other trading exchange to which we are subject, in order to enforce or apply this Privacy Policy, our App or Site terms of use or other agreements; and/or
  • to protect our (or our customers or other relevant parties’) rights, property or safety (our lawful basis for this processing may, in certain circumstances, be to protect vital interests of people, in all other cases it’ll be for our legitimate interests in ensuring this protection happens).


7. How do we share your information with Credit Reference Agencies?

In order to process your application, we will perform credit and identity checks on you with one or more UK credit reference agencies (“CRAs”). We may also make periodic searches at CRAs to manage your account with us.

To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

• Assess your creditworthiness and whether you can afford to take the product; • Verify the accuracy of the data you have provided to us; • Prevent criminal activity, fraud and money laundering; • Manage your account(s); • Trace and recover debts; and • Ensure any offers provided to you are appropriate to your circumstances. 

Our lawful bases for processing your personal data for this purpose are (as mentioned above) the performance of contracts that we have with you and processing that is necessary before you enter into the contract.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. The identities of the CRAs, their role as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at the websites which we refer to below.

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

If you are making a joint application or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.

You have a right to apply to the CRAs for a copy of your file. The information they hold may not be the same and there is a small fee that you may need to pay to each agency that you apply to.

Their contact details including their addresses are available from their websites:

TransUnion

https://www.transunion.co.uk/

Equifax

https://www.equifax.co.uk/ 

Experian

https://www.experian.co.uk/ 

You can find out more about what the UK’s credit reference agencies do with your personal data by reading the CRAIN (Credit Reference Agencies Information Notice).  It’s available in full here:

TransUnion

https://www.transunion.co.uk/crain

Equifax

https://www.equifax.co.uk/crain/

Experian

https://www.experian.co.uk/legal/crain/


8. How do we share your information with Fraud Prevention Agencies?

The personal information we have collected from you will be shared with Fraud Prevention Agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment.

Further details of how to contact us for information about how your information will be used by us and these Fraud Prevention Agencies, and your data protection rights, can be found at the end of this privacy policy.

The lawful bases justifying this sharing are our legal obligations (in the case of verifying your identity) and our legitimate interests in protecting our company from fraud, money laundering and other crimes. We also do this sharing to advance the legitimate interests of other companies protecting themselves from those crimes.

You can see the full privacy notice from Cifas (Fraud Prevention Agency) here: https://www.cifas.org.uk/fpn

Here are some important sections from it which we’d like to share within our own notice: 

  • Data transfers by fraud prevention agencies

Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place. Fraud Prevention agencies have published more information about data transfers.

  • Consequences of processing by fraud prevention agencies

As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us using the details above

  • Your rights in relation to fraud prevention agencies

Your personal data is protected by legal rights, which include your rights to object to processing of your personal data by Fraud Prevention Agencies to request that your personal data is erased or corrected, and request access to your personal data.

For more information or to exercise your data protection rights, please contact Humm Group Limited (please see section 18). You also have a right to complain to the Information Commissioner’s Office which regulates the processing of personal data (please see section 2).


9. Direct marketing

We may (subject to your preferences) use your personal data to make suggestions to you about goods or services that may interest you – based on your consent.. Those communications will give you the opportunity to opt out of receiving similar communications in the future (i.e. you can withdraw your consent at any time).

You can also choose to opt out of such future communications by contacting us, namely by: 

  • email, at [email protected]; or
  • post, at Humm Group Limited of 3rd Floor, 2-4 Wellington Street, Belfast City, Belfast, BT16HT, UK.


10. Where we store your personal data

Data that we collect from you may be transferred to, and stored at, a destination outside the United Kingdom including Ireland, Australia, New Zealand and the Philippines as discussed in Section 13.

It may also be processed by personnel operating outside the United Kingdom that work for us or for one of our suppliers, service providers or sub-contractors. The laws of jurisdictions outside the United Kingdom may not have the same level of protection for personal data as apply in the United Kingdom. For instance, they may not be deemed “adequate” by the UK Government (the Secretary of State) in respect of the processing of personal data.

In such circumstances, we will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and applicable law.


11. Quality, access and correction

Information about you is integral to decisions we make about our products and services for you. It is essential that your information is correct. You are encouraged to assist us to ensure this by alerting us to any changes in your particular circumstances


12. Data retention and deletion

We keep your personal data only as long as necessary to provide you with our products and services and for legitimate and essential business purposes, such as maintaining the performance of products and services, making data-driven business decisions about new features and offerings, complying with our legal obligations, and resolving disputes (our lawful bases for this processing are the same as set out above in this Privacy Policy – for instance if we have to keep your data in case of claims by or against you under the contract you were in, which has terminated, that will be justified by the lawful basis of the contract and by compliance with our legal obligations if there’s a claim already at issue).

We will keep your personal data on file for as long as you have a contract with us, and we will also retain some records (including personal data relating to your use of our products and services) for a period of no longer than six years and two months.

If you request, we will delete or anonymise your personal data so that it no longer identifies you, unless, we are legally allowed or required to maintain certain personal data, including situations such as the following:

(a) if there is an unresolved issue relating to your account (e.g. outstanding credit on your account or an unresolved claim or dispute we will retain the necessary personal data until the issue is resolved);
(b) where we are required to retain the personal data for our legal, tax, audit, and accounting obligations, we will retain the necessary personal data for the period required by applicable law; and/or,
(c) where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our customers


13. Transfer to other countries

We may share your personal data globally with other companies in our corporate group in order to carry out the activities specified in this Privacy Policy (based on the legitimate interests set out in section 6 of this Privacy Policy). This includes our corporate group of companies in Australia, Ireland, New Zealand and Philippines. We may also subcontract processing to, or share your personal data with, third parties located in countries other than your home country (including those third parties mentioned in section 6(a)).

Our transfers to Ireland and New Zealand are made on the basis of a decision by the UK Government (the Secretary of State) that laws in Ireland (as part of the European Economic Area) and New Zealand (adopting an adequacy decision previously reached by the EU Commission whilst the UK was part of the EU) provide an adequate level of protection to personal data rights. Our transfers to Australia, the Philippines and other countries are made on the basis of the Standard Contractual Clauses as required by UK GDPR (or, where necessary, on the basis of your consent if there’s a one-off transfer). You can ask us for copies of these transfer mechanisms by using the contact details in section 18 below. 

Your personal data, therefore, may be subject to privacy laws that are different from those in your country of residence after the transfers we’ve mentioned, but you will still have protection in relation to that data based on the contracts we have entered into with data recipients or sub-processors.

Personal data collected within the United Kingdom may, for example, be transferred to and processed by third parties located in a country outside of the United Kingdom. In such instances we will ensure that the transfer of your personal data is carried out in accordance with UK GDPR, in particular, that appropriate contractual, technical, and organisational measures are in place (e.g. such as the Standard Contractual Clauses as required by UK GDPR).

Our transfers to Ireland and New Zealand are made on the basis of a decision by the UK Government (the Secretary of State) that laws in Ireland (as part of the European Economic Area) and New Zealand (adopting an adequacy decision previously reached by the EU Commission whilst the UK was part of the EU) provide an adequate level of protection to personal data rights.  Our transfers to Australia, the Philippines and other countries are made on the basis of the Standard Contractual Clauses as required by UK GDPR (or, where necessary, on the basis of your consent if there’s a one-off transfer).

Your personal data, therefore, may be subject to privacy laws that are different from those in your country of residence after the transfers we’ve mentioned, but you will still have protection in relation to that data based on the contracts we have entered into with data recipients or sub-processors.

Personal data collected within the United Kingdom may, for example, be transferred to and processed by third parties located in a country outside of the United Kingdom. In such instances we will ensure that the transfer of your personal data is carried out in accordance with UK GDPR, in particular, that appropriate contractual, technical, and organisational measures are in place (e.g. such as the Standard Contractual Clauses as required by UK GDPR).


14. Links

We may display advertisements from third parties and other content that links to third-party websites (including on our App or Site). None of these links comprise or imply support or recommendation of any other company, product or service. We cannot control or be held responsible for third parties’ privacy practices and content. If you click on a third-party advertisement or link, any personal data you provide will not be covered by this Privacy Policy. Please read their privacy policies to find out how they collect and process your personal data. For example, if you consent to cookies which place relevant and engaging advertisements on our Site, those advertisements might have links to third-party websites which have their own privacy policies.


15. Keeping your personal data safe

We are committed to protecting your personal data. We implement appropriate technical and organisational measures to help protect the security of your personal data. However, please note that no system is ever completely secure. We have implemented various policies including pseudonymisation, encryption, access, and retention policies to guard against unauthorised access and unnecessary retention of personal data in our systems.

Where you have chosen (or where we have given you) a password which enables you to access certain parts of our App or Site, you are responsible for keeping the password confidential. We ask you not to share your password with anyone.

Please be aware that the transmission of information via the internet is not completely secure. Although we will do our best to protect your data, we cannot guarantee the security of your data transmitted to our App or Site which you transmit at your own risk. Once we have received your information, we will apply procedures and use security features to try to prevent unauthorised access.


16. Automated decision-making

Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We will use automated decision-making to process your personal data where it is necessary for the entering into our contract with you (we call this a credit agreement). UK GDPR means we can do this type of automated decision-making on the basis it’s necessary to check your credit standing prior to entering into any contract with you.

If you are requesting credit services from us, you must input your demographic and financial details to our online system. This will involve an initial stage of automatic decision making, and in particular your application may be automatically declined if the information you provide fails to meet our minimum requirements, i.e. for our customers to be aged 18 or over, where any fraud is detected, current and/or previous credit arrears or declined applications with us and for the UK Credit Reference Agency checks to indicate sufficient credit standing and affordability

If you submit any special categories of personal data to us as part of this process, such as data revealing racial or ethnic origin, political opinions, religious and philosophical beliefs, health data or trade union membership, this will only be processed if you provide your explicit consent to our processing that information for the purpose of evaluating your application and receiving credit services from us. This is the case unless we are able to rely on the substantial public interest reasons mentioned in Section 5 for processing this type of data. As a reminder, please do not provide this sensitive personal data to us unless we ask for it.

If your application is automatically declined, you have the right to make an objection to this by contacting us, and to request that a human reviews your application and the decision that was made. To exercise this right, please see the “How to contact us” section 18 at the end of this Policy.

As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us using the details above.

17. Changes to this Privacy Policy

We may occasionally make changes to this Privacy Policy.

When we make material changes to this Privacy Policy, we will provide you with prominent notice as appropriate under the circumstances (e.g. by displaying a prominent notice on the relevant services or by sending you an email).

We may notify you in advance. Please, therefore, make sure you read any such notice carefully.

18. How to contact us

Thank you for reading our Privacy Policy.

If you have any questions, comments or requests about this Privacy Policy, please contact our Data Protection Officer by:

  • email, at [email protected]; or
  • post, at Humm Group Limited of 3rd Floor, 2-4 Wellington Street, Belfast City, Belfast, BT16HT, UK.

 You can also contact our Customer Service team by calling +44 2891 422113 or by email at [email protected]