1. Introduction

Welcome to PremFina’s privacy policy (‘Privacy Policy’).

PremFina respects your privacy and is committed to doing the right thing when it comes to protecting your personal data, including how we collect, use and protect your personal data. This Privacy Policy will inform you as to how we look after your personal rights and how the law protects you.

Specifically, and in relation to PremFina (as defined below), this Privacy Policy aims to give you information on:

It is important that you read this Privacy Policy so that you are fully aware of how and why we are using your data. This Privacy Policy supplements any other privacy notices or policies and is not intended to override them.

If you have any questions about this Privacy Policy or our use of your information, you can contact us at customers@premfina.com or riskcompliance@premfina.com.

This Privacy Policy may change from time to time and if it does, the up-to-date version will always be available on the PremFina website. Please note that by continuing to use the PremFina website, you are agreeing to any updated versions of this Privacy Policy.

‘PremFina’ consists of PremFina Ltd, registered in England and Wales, under company number 07208343, and PremFina Ireland Ltd (registered in the Republic of Ireland, under company number 654567, and trading as PremFina Ireland and PremFina Technologies), as well as their parent companies, affiliates and any of their subsidiaries.

In addition, for individuals located in Jersey (Channel Islands), PremFina (or the relevant entity in the PremFina group) acts as a data controller under the Data Protection (Jersey) Law 2018 (the “Jersey Data Protection Law”). Where the provisions below refer to the ‘applicable data protection law’, for Jersey residents this includes the Jersey Data Protection Law.

PremFina Limited

Tintagel House

92 Albert Embankment

Vauxhall

London

SE1 7TY

United Kingdom


PremFina Ireland Ltd

Alexandra House

The Sweepstakes

Ballsbridge

Dublin

DO4 C7H2

Republic of Ireland

Both companies are the respective data controller in the United Kingdom and in the Republic of Ireland, as defined under European Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). PremFina Ltd is registered as a data controller with the UK Information Commissioner’s Office (‘ICO’), with registration number Z2931422.

PremFina may collect personal data from data subjects aged 16 years old and over.


2. Policy

2.1 Types of Personal Data PremFina Collects and Process

2.1.1 Information you provide to us

a) Enter into a contract or credit agreement with PremFina, we may collect the following personal data from you:

• Your name and contact details, including postal address, telephone number and e-mail address

• Your date of birth

• A copy of your signature

• Your country of residence

• Employment and residential status (including time at current address)

• Bank account details (including usage data); and/or

• Any other information necessary for regulatory compliance


b) Use this website, we may collect the following personal data from you:

• Your name and contact details, including postal address, telephone number and e-mail address

• Your IP address; and/or

• Any other information necessary for regulatory compliance


c) Contact us, either through this website or via email, letter or phone, we may collect the following personal data from you:

• Your name and contact details, including postal address, telephone number and e-mail address

• The reason(s)s for your contact; and/or

• Any other information necessary for regulatory compliance.


d) Interact with us on social media, (including but not limited to ‘follow’, ‘like’ and/or ‘post’), we collect information about or included in those interactions.


e) For individuals in Jersey, we may also collect such information as required or permitted under the Jersey Data Protection Law (e.g. identification documents, proof of address, tax identifiers).


2.1.2 Information PremFina Collects About You

a) We may also collect data about you from credit reference agencies, public sources, insurance intermediaries, third-party service providers, government, tax and/or law enforcement agencies, but only where such third-parties have confirmed that they have your consent or are otherwise legally permitted or required to disclose your personal data to us. Where necessary, we may combine such data with information which we may already hold about you (for example, if you have previously obtained products and/or services from PremFina or have had previous contact with PremFina).

b) When you contact us, we monitor and record calls, emails and any other communications in accordance with applicable law.

c) Each time you visit our website, we may also automatically collect information and personal data about your computer for system administration including, where available, your IP address, operating system and browser type. We do this to help us analyse how users use our website (including how you move around our website, timestamps, behaviour patterns and the tracking of visits across multiple devices), to establish more about our website users and to assist us in managing and improving your online experience. Please see our cookies policy https://premfina.com/cookies for further information about what information may be automatically collected when you visit our website.


2.2 PremFina’s Use of Your Personal Data

We may use your data for other legitimate business purposes including, but not limited to, management analysis, funding requirements, audits, forecasts, business planning and transactions. We may also use your data to establish or exercise our legal rights and to comply with law enforcement or other government agency requests or court orders. We will do so in compliance with applicable laws, regulatory requirements as well as our data protection policies.

For individuals in Jersey, we will process personal data only to the extent that the processing is fair, lawful and compatible with the purpose(s) for which that data was obtained, in accordance with the Jersey Data Protection Law. We will ensure that our processing in Jersey is limited to the minimum necessary and that the data is not used for incompatible purposes.

Please note that this list may be updated from time to time as PremFina's business needs and legal requirements dictate.


2.3 Credit Reference Agencies (UK)

When you enter into and during the life of your credit agreement with PremFina Ltd, your personal data will be supplied to credit reference agencies, in compliance with applicable laws and regulatory requirements. Those agencies will provide us with information about you, including details of your financial history. We do this to assess creditworthiness and product suitability, verify your identity, manage your account, trace and recover debts and prevent fraud and other criminal activity.

PremFina will continue to exchange information about you with credit reference agencies on an ongoing basis, including details of your settled accounts and any debts not fully repaid on time. Credit reference agencies may share your information with other authorised organisations for purposes such as credit-worthiness assessments, fraud prevention and anti-money laundering checks. Where relevant, your data may also be linked to the data of your spouse, any joint applicants or other financial associates. For individuals located in Jersey, this sharing is carried out only with credit reference agencies authorised or recognised for use in Jersey and in accordance with the Data Protection (Jersey) Law 2018.

The identities of the credit reference agencies, and the ways in which they use and share personal data, are explained in more detail by each of the two credit reference agencies that PremFina Ltd engages within the United Kingdom including www.experian.co.uk/crain and CreditSafe Business Information Transparency Notice.


2.4 Automated Decision-Making Profile

Automated Decision Making refers to a decision which is taken based on automated processing of your personal data (for example, using software code or algorithm, without human intervention).

Profiling refers to the use of automated processes to analyse your personal data to evaluate your behaviour or to predict, in the context of premium financing, your risk profile.

Before entering into a credit agreement with PremFina, we may use credit scoring techniques and automated decision-making systems to assess your application. These credit scoring techniques and automated decision-making systems consider previous applications for finance, defaults or existing debt and are necessary for PremFina to ensure you can afford a credit with us.

You have certain rights in respect of automated decision-making, where that decision has significant effects on you, including where it produces a legal effect on you.


2.5 Special Categories of Data

Data protection laws define certain personal data as falling into ‘special categories of personal data’ such as personal data regarding your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying a person, data concerning your health (including mental and physical health), data concerning your sex life or sexual orientation.

You may voluntarily give such personal data to us in connection with your loan repayments. In the unlikely event you do so, PremFina will only keep a record of this special category of personal data as long as it is in your interest to manage the credit agreement you entered into with PremFina.


2.6 Basis for Using Your Personal Data


2.6.1 Necessary for the entry into or performance of a contract

When you enter into a transaction with PremFina or any other entity in the PremFina Group, we will need to collect, process and share (as further detailed in section 7 below) your personal data. Failure to provide the requisite personal data when entering into such an agreement, objecting to this type of processing and/or exercising your deletion rights may unfortunately mean that products and/or services cannot be provided to you.


2.6.2 Legitimate Interest

In certain circumstances we may use your personal data to pursue legitimate interests of our own or that of third-parties, but this is provided your interests and fundamental rights do not override those interests. This is on the basis of:

a) Our legitimate interest and the legitimate interests of third-parties to make decisions about whether or not to offer you credit;

b) And our legitimate interest to:

(i). Provide you with information and services as requested by you

(ii). Carry out research to understand our customers and how they use our products and services

(iii). Develop and improve our services to you and to our other customers

(iv). Communicate with you and manage our relationship with you

(v). Administer our site

(vi). Carry out management analysis, audit, forecasts, business planning and transactions

(vii). Ensure our compliance with applicable laws, regulatory requirements and our policies; and

(viii). Deal with legal claims and related administrative activities.


c) We consider that it is reasonable for us to process your personal data for the purposes of our legitimate interests or the legitimate interests of a third party, as outlined above, as:

• We process your personal data only so far as is necessary to achieve the purpose outlined in this Privacy Policy; and

• The processing of your personal data does not unreasonably intrude on your privacy and ultimately benefits you in optimising our provision of services to you.


2.6.3 Consent

We may, on occasion, send you marketing messages by email and post about us and our events and offers where you have provided clear consent.

You have the right to withdraw your consent to the processing of this nature at any time.


2.6.4 Compliance with Legal Obligations

To meet our regulatory and legal obligations, we need to process some of your personal data.


2.6.5 Lawful Bases for Processing – Jersey

In the case of individuals located in Jersey, we rely on the lawful bases for processing set out in the Jersey Data Protection Law. Where applicable, we will seek explicit consent, or process data to perform a contract, to comply with a legal obligation, or for our legitimate interests (provided those interests do not override your rights). If we rely on legitimate interests in Jersey, we will carry out a balancing test and document it.


2.7 Who do we share your information with?

We may share your information with third-parties, but only for the purposes specified in this Privacy Policy. In particular:

a) Other companies in our Group to enable us to provide our services.

b) Third-party service providers relevant to our business activity, such as:

(i). Credit Reference Agencies (refer to section 3.2 above)

(ii). Customer identity verification and due diligence

(iii). Fraud Prevention Agencies based in the UK and Ireland

(iv). Financial institutions, payment system operators, payment service providers and other financial services companies

(v). Electronic signature and secure document solution service providers for sending notification emails and SMS

(vi). IT developers and IT service providers, including but not limited to cloud computing services and online chat functionalities

(vii). Customer Relationship Management technology to manage interactions with our customers

(viii). Supplier of technology systems and software for the insurance industry

(ix). Debt Recovery Agency in the UK and in Ireland to enable us to enforce our legal rights

(x). As well as any other service providers we may appoint from time to time in accordance with our basis for using your personal data explained in section 6 above.


c) With your permission, we may also share your personal data with our trusted partners who may use it to provide you with information related to their products and services.


d) External legal counsel and other professional advisers including accountants and auditors.


e) Government authorities, law enforcement and regulatory authorities where required or permitted by law and/or for tax or other purposes. Personal data may also be disclosed to external parties in response to legal process, and when required to comply with laws.


f) To any prospective or actual funders/investors to enable them to assess the value of our assets.


Where you are located in Jersey, we may share your personal data with:

• other entities within the PremFina group (for group administration, reporting, oversight, audit), provided that those entities adhere to equivalent safeguards;

• third‐party service providers (e.g. payment processors, IT providers, credit reference or identity verification agencies), subject to contracts or binders ensuring compliance with Jersey Data Protection Law;

• regulators, law enforcement, courts, or other government bodies in Jersey or elsewhere, as required or permitted under the Jersey Data Protection Law;

• other persons or organisations with your consent or where otherwise permitted by law under Jersey rules.”


2.8 Will your personal data be transferred abroad?

Following the European Union (‘EU’) Commission adequacy decisions for the UK with respect to the GDPR and the Law Enforcement Directive, personal data can flow freely between the EU to the UK where it benefits from an essentially equivalent level of protection to that guaranteed under EU law.

All personal data processed pursuant to this Privacy Policy shall be held and processed within the UK and the EEA, and PremFina will ensure that no personal data is transferred to a country or a territory outside the UK and the EEA unless it has adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data (the adequacy of the protection of personal data in non-EU countries as defined on the EU Commission website.

Alternatively, we may rely on appropriate safeguards in respect of transfers of personal data to a country outside of the EEA, for example, by agreeing standard contractual clauses adopted by the European Commission. A copy of the standard contractual clauses are available on the EU Commission's website.


2.9 Retention of your personal data

We will typically keep your personal data for 7 years from the termination of your credit with PremFina in order to enable us to deal with any issues or concerns you may have about how we handled your account, and also to allow us to bring or defend legal proceedings. In some circumstances, some of your data will be deleted in much shorter timescales, such as call recordings which shall be kept for a minimum of 12 months from the latest date of PremFina’s last contact (by whatever method) with you.

For personal data concerning individuals in Jersey, we will retain the data only for as long as is necessary for the relevant purpose(s), or as required by law under Jersey Data Protection Law. After that period, we will either delete or anonymise the data, unless further retention is necessary for legal claims or regulatory obligations in Jersey.


2.10 What safeguards are in place to protect your personal data?

The security of your personal data is very important to PremFina. We strive to implement and maintain appropriate technical and organisational security measures, procedures and practices suitable to the nature of the information we store, in order to protect it from unauthorised access, destruction, use, modification, or disclosure.

These measures are applied consistently across all jurisdictions in which we operate, including the United Kingdom, the European Economic Area and Jersey, and are designed to meet the standards required under the UK GDPR, the Data Protection Act 2018 and the Data Protection (Jersey) Law 2018.


Our security measures include, but are not limited to:

• Ensuring the physical security of our offices

• Ensuring the physical and digital security of our equipment and devices by using appropriate password protection, encryption and access control

• Ensuring the security of our databases by using suppliers who use industry-standard encryption and physical security measures

• Conducting identity verification and fraud detection activities

• Performing regular security, penetration and vulnerability testing

• Maintaining a comprehensive data protection policy for, and delivering data protection training to all our employees; and

• Limiting access to your personal data strictly to those who require it for legitimate business purposes.


For individuals located in Jersey, PremFina applies equivalent safeguards and security controls to ensure that personal data is processed and stored in compliance with the Data Protection (Jersey) Law 2018. Where data from Jersey is transferred or accessed outside the jurisdiction, we ensure that appropriate safeguards are in place to maintain its security and confidentiality.

As with all website operations, we cannot guarantee the security of any transmission of personal data over the Internet. Communications such as e-mails are not secure unless encrypted. While we strive to protect your personal information, we cannot ensure the security of data transmitted to us electronically. Please consider the security risks and implications before submitting personal data through our website.


2.11 What are your rights?

In this section, we have summarised the rights you have under the data protection laws in relation to how we process your personal data, which are set out below. You may contact us to request additional details or to exercise these rights by sending an email to customers@premfina.com or riskcompliance@premfina.com. In some instances, we may be unable to carry out your requests, in which case we will write to you to explain why.

These rights apply under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU GDPR (where applicable), and, for individuals located in Jersey, under the Data Protection (Jersey) Law 2018.

You have a right:

a) To be informed in relation to the personal data we collect from you and how we use such data as well as your rights with respect to data protection, all of which being part of this Privacy Policy.

b) To access personal data we hold about you (through us providing a copy), to request confirmation that your personal data is being processed and other information about how we process your personal data. You may submit a request to obtain a copy of the personal data we hold about you, which should be provided to you by us free of charge. However, we may charge a reasonable fee when the request is manifestly unfounded or excessive, particularly if it is repetitive.

c) To rectification of personal data we hold about you in case it is inaccurate or incomplete. We will ensure that inaccurate or incomplete data are rectified as soon as possible once notified.

d) To erasure, also known as the 'right to be forgotten', of any personal data we hold about you where there is no compelling reason for its continued processing. We have however a legal obligation to hold your personal data during the duration of any Agreements we entered into with you and we may retain a copy of your personal data in accordance with applicable law upon termination of such Agreements and/or in case it is required for the establishment, exercise or defence of legal claims.

e) To restrict the processing of your personal data in case:

(i). You contest the accuracy of the personal data we hold

(ii). You would rather we block the processing of your personal data instead of erasing your data

(iii). We no longer need the personal data for the purpose we collected it for, but we require your personal data for the establishment, exercise or defence of legal claims or

(iv). In certain circumstances, you have objected to processing of your personal data for automated decision making.


f) To portability to obtain and reuse the personal data that you have provided to us and that we process by automated means. This allows you to move personal data easily to another organisation, or to request us to do this for you.


g) To object to processing your personal data on the basis of our legitimate business interests, unless we are able to demonstrate that, on balance, our legitimate interests override your rights or we need to continue processing your personal data for the establishment, exercise or defence of legal claims.


h) To withdraw your consent, to the extent that the legal basis for our processing of your personal data is consent. Withdrawal will not affect the lawfulness of processing before the withdrawal. Your withdrawal does also not mean the erasure of your personal data from our databases as it may still be required for the purpose of any agreements, we have entered into with you and/or for the establishment, exercise or defence of legal claims.


i) Related to automated decision making, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly consequences for you, unless the decision:


• Necessary for entering into, or performance of, a contract with us;

• Authorised by law (including the UK, EU, or Jersey data protection laws) which lays down suitable measures to safeguard your rights and freedoms; or

• Based on your explicit consent.


You may exercise any of your rights in relation to your personal data or obtain further information about this Policy by contacting us at customers@premfina.com or compliance@premfina.com and/or write to us at:

PremFina Limited

Tintagel House

92 Albert Embankment

Vauxhall

London

W1J 6ER

United-Kingdom

Premfina Ireland Ltd

Alexandra House

The Sweepstakes

Ballsbridge

Dublin

DO4 C7H2

Republic of Ireland


For individuals located in Jersey, you may contact us using the same details above in relation to any data protection matters under the Data Protection (Jersey) Law 2018.

If you have any reason to complain about a problem related to our use of your personal data, please contact us using the above details and we will do our best to resolve such problem as soon as possible. If you consider that our processing of your personal data infringes data protection laws or if you consider the solution to a complaint you raised is not satisfactory, you also have a legal right to lodge a complaint with a supervisory authority responsible for data protection.


You may do so in the country of your habitual residence, your place of work or the place of the alleged infringement. The relevant authorities are:

• United Kingdom: Information Commissioner's Office - https://ico.org.uk

• Republic of Ireland: Data Protection Commission - https://www.dataprotection.ie

• Jersey: Jersey Office of the Information Commissioner (JOIC) - https://jerseyoic.org


2.12 Other Websites

Our website may, from time to time, contains links to and from the websites of third-parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies or your use of those websites.


3. Policy Maintenance

We may occasionally update this Privacy Policy. When we do, we will post the updated Privacy Policy and update the date of our last update at the beginning of the Privacy Policy. If we make any changes that materially alters your rights or obligations, we will use reasonable efforts to notify you of the change. For example, we may send a message to your email address, if we have one on file, or generate a pop-up or similar notification when you access the website for the first time after such material changes are made. We also encourage you to periodically review this Privacy Policy to stay informed about how we collect, use, and disclose your personal information.