While we hold your data we will take reasonable steps to keep it safe and secure, and we will regularly review the rules around how long we keep it for.
A copy of our retention schedule can be found here.
Holds our products and product specific data
10. What should you do if your personal information changes?
We need to keep your personal data up to date. You should tell us without delay if your details change (for example, if you move address) so that we can update our records.
9. Further information about credit reference agencies
In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (CRAs). To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
- assess your creditworthiness and whether you can afford to take the product
- verify the accuracy of the data you have provided to us
- prevent criminal activity, fraud and money laundering
- manage your account(s)
- trace and recover debts
- ensure any offers provided to you are appropriate to your circumstances
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share this information with them, before lodging the application. CRAs will also link your records together, and these links will remain on your and their files until you or your partner successfully files with the CRAs for a disassociation to break that link.
Further information about the processing that CRAs perform can be found in their Credit Reference Agency Information Notice (CRAIN).
8. How we use your personal data
| Purpose / Activity | Data Type | Lawful Basis for processing |
|---|---|---|
| Administering and managing your mortgage, savings product or core capital deferred shares and related services. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| Updating your records. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| Tracing your whereabouts to contact you about your account. | • Identifying details. • Contact details. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| Processing your application for a product or service including assessing creditworthiness. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| Supporting you through arrears and collections processes. | • Identifying details. • Contact details. • Financial data. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| Managing third party access, such as power of attorney. | • Identifying details. • Contact details. • Financial data. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| To manage your membership with Ecology Building Society. | • Identifying details. • Contact details. | Legal Obligation. |
| Establishment, defence and enforcement of our legal rights. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. | Legal Obligation. |
| Prevention, detection and investigation of crime. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. • Criminal Data. | Legal Obligation. Additional basis for Criminal Data. Substantial Public Interest (preventing fraud, preventing money laundering and terrorist financing). |
| Identity checks, anti-money laundering checks, and checks with fraud prevention agencies. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. • Criminal Data. | Legal Obligation. Additional basis for Criminal Data. Substantial Public Interest (preventing fraud, preventing money laundering and terrorist financing). |
| Monitoring and record keeping. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. • Criminal Data. • Health Data. | Legal Obligation. Additional basis for Criminal Data. Substantial Public Interest (preventing money laundering and terrorist financing). Additional basis for Health Data. Explicit Consent. |
| Handling data subject requests. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. • Criminal Data. • Health Data. | Legal Obligation. Additional basis for Criminal Data. Substantial Public Interest (preventing money laundering and terrorist financing). Additional basis for Health Data. Explicit Consent. |
| Meeting our legal and regulatory obligations. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. | Legal Obligation. |
| When we have to provide your information to them because some money paid to you by them should not be in your account. | • Identifying details. • Contact details. • Financial data. | Legal Obligation. |
| Whistleblowing processing. | • Identifying details. • Contact details. • Profile data. | Legal Obligation. |
| To test the performance of our products, services and internal processes. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. | Legitimate Interest. |
| Management and audit of our business operations. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. | Legitimate Interest. |
| Searches at credit reference agencies as part of applications. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. | Legitimate Interest. |
| Market research, analysis and developing statistics in relation to understanding our customers’ needs and circumstances in order to improve our service/products. | • Financial data. • Personal information about your family. • Profile data. | Legitimate Interest. |
| Buyers and their professional representatives as part of any restructuring or sale of our business or assets. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. | Legitimate Interest. |
| When you request that we share your personal information with someone else. | • Identifying details. • Contact details. | Consent. |
| When you agree to a referral to a trusted third party (e.g. insurance). | • Identifying details. • Contact details. | Consent. |
| When you agree to share details about you, your property or project, including images, as part of a case study. | • Identifying details. • Contact details. • How you interact with us. | Consent. |
| Direct marketing communications. | • Identifying details. • Contact details. • How you interact with us. | Consent. |
| When it is necessary to provide additional support due to health or other circumstance, or to meet our regulatory requirements around this. | • Identifying details. • Contact details. • Personal information about your family. • How you interact with us. • Health Data. | Consent. |
7. Lawful basis and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights, which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website.
Your right of access – you have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions, which means you may not receive all the information you ask for. Read more about this right here.
Your right to rectification – you have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about this right here.
Your right to erasure – you have the right to ask us to delete your personal information. Read more about this right here.
Your right to restriction of processing – you have the right to ask us to limit how we can use your personal information. Read more about this right here.
Your right to object to processing – you have the right to object to the processing of your personal data. Read more about this right here.
Your right to data portability – you have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about this right here.
Your right to withdraw consent – when we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about this right here.
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
6. Sharing your information outside the UK
Where necessary, we may transfer personal information outside of the UK. When doing so, we comply with the UK General Data Protection Regulation (GDPR), making sure appropriate safeguards are in place.
5. Sharing your data
When necessary, we share your personal information with:
- service providers
- tax, government, and regulatory authorities
- fraud prevention and/or law enforcement agencies
- courts and other third parties connected with legal proceedings
- third parties where you have asked us to share your details
- third parties where it is required by law
- joint account holders
- receivers of payment transactions
- credit reference agencies
You can find links to all relevant third-party privacy notices at section 9.
4. Data we get from others
We work with carefully selected third parties, and may receive information from:
- brokers and intermediaries
- business partners
- sub-contractors
- credit reference agencies
- fraud prevention agencies
- government bodies
- your employer
- your landlord
- someone authorised to act on your behalf
- public sources (such as the Electoral Roll or Companies House)