Burnley Savings and Loans Privacy Policy
Effective from: August 2025
Burnley Savings and Loans Limited (“Burnley Savings and Loans”, “BSAL”, “we”, “us” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website or any related services. By visiting our website (www.burnleysavingsandloans.co.uk) and using our services (including any future mobile app or online account services), you acknowledge that you have read and understood the practices described in this Privacy Policy. We are the “data controller” of your personal data for the purposes of applicable data protection law (UK GDPR and Data Protection Act 2018). We are also registered with the UK Information Commissioner’s Office (ICO) as a data controller, which you can verify on the ICO’s register. References to “you” or “your” in this Policy mean any individual who uses our website or services. References to our “website” include any mobile applications or online portals we may offer for our services.
Who We Are and What We
Burnley Savings and Loans Limited is a financial services provider authorized and regulated by the Financial Conduct Authority (FRN: 717019). We operate as a credit broker and a lender, which means we may either lend directly or introduce you to other lenders for finance. Our primary services include:
Automotive Finance – we can act as a broker, direct lender, or introducer to other lenders for vehicle purchase loans.
Personal Loans – we may act as a broker, lender, or introducer to help arrange unsecured personal loans.
Business Loans – we offer business financing, acting as a broker, lender, or introducer, depending on the funding.
Asset Finance – we facilitate asset financing (such as equipment or vehicle leasing) as a broker or introducer (we may arrange this through third-party lenders).
Mortgages & Secured Loans – we act as a broker or introducer to connect you with mortgage providers or secured loan lenders (we do not directly provide mortgages ourselves).
Credit Cards – we act as a broker or introducer for credit card products offered by third-party financial institutions.
In providing these services, we may introduce you to a limited number of other lenders or finance providers who can offer products suitable to your requirements. We will only share your information with these partners as needed to facilitate the service you’ve requested (see “Who We Share Your Information With” below). We do not charge you any fees for our brokerage/introducer services; any costs of credit will be clearly shown in your agreement with the lender. We may receive a commission from the finance provider if you enter into an agreement with them, but this does not affect the rate you pay (you can request details of any commission at any time).
The Information We Collect
We collect and process various types of personal information about you (and, in some cases, about others that you provide to us with their consent). This data helps us operate our services as a lender or broker and comply with legal requirements. We may collect information through the following ways:
Information You Provide to Us: This is information that you give us when you apply for our products or services, fill in forms on our website, communicate with us by phone, email or in person, or otherwise interact with us. This may include personal details such as:
Identification and Contact Details: Title, full name, date of birth, email address, telephone number, postal address, and any identification details (e.g. driver’s license number or passport number) you provide for verification.
Financial Information: Your income, employment status, employer details, outgoings and monthly expenditure, bank account details (such as account number and sort code for loan disbursement or repayment setup), credit card or payment card details (if you use one to make a payment to us), and your credit history or credit score if you share it with us.
Loan Application Details: For example, the amount you wish to borrow, the purpose of the loan, deposit amount (if any), asset or property value (for vehicle finance, asset finance, or mortgages), details about any collateral (for a secured loan or vehicle finance, this might include vehicle registration number or property address), and your address history (previous addresses) for credit reference checks.
Lifestyle and Demographic Information: If relevant to specific products, we might collect information such as marital status, number of dependents, or housing status (owning/renting) as part of a loan application’s affordability assessment.
Sensitive Personal Data: We do not actively ask for special category (sensitive) personal data. However, you may choose to provide information about your health or personal circumstances (for example, if you disclose a medical condition or a vulnerability that could impact how we serve you). Any sensitive data you provide will be processed only with your explicit consent and only used for the specific purpose for which you provided it (for instance, to accommodate your needs as a vulnerable customer). We will not use such information for any other purpose and will securely delete it when it’s no longer needed. (Note: We do not collect or process special categories of data unless necessary – for example, we might record that a customer has a vulnerability only with permission, to ensure we act in their best interest.)
Information We Obtain from Credit Reference Agencies (CRAs): As a regulated lender/broker, when you apply for credit or finance with us, we will conduct credit and identity checks by obtaining information about you from one or more Credit Reference Agencies. This means we will share your personal details (like name, address, date of birth) with the CRAs and receive your credit report and credit score in return. Your credit report includes information about your credit accounts, outstanding debts, repayment history, public records such as County Court Judgments (CCJs) or insolvencies, and whether you are registered to vote, among other details. Important: When a credit search is performed, a record of your search is left on your credit file. For finance applications with us, this is typically a “soft” search at the quotation stage (which does not affect your credit score and is not visible to other lenders), but if you proceed with a full application or agreement, it may be a “hard” credit search visible to other creditors. We will tell you when a search is being conducted. The CRAs will also link records of credit searches and share information with other lenders who subsequently search your file. (For more on how CRAs handle your data, see Credit Checks and Fraud Prevention below.)
Information from Fraud Prevention and Identity Verification Agencies: We may also obtain information from specialist fraud prevention agencies (FPAs) or identity verification service providers as part of processing your application. This can include verifying your identity documents, checking for any history of fraudulent activity, and confirming that the details you provided are not associated with fraudulent behaviour or money laundering. These checks help us verify your identity, prevent crime, and comply with anti-money laundering regulations. If false or misleading information is provided and fraud is identified, details will be transmitted to fraud prevention agencies and law enforcement. This could result in the refusal of services, finance, or employment elsewhere if those agencies have a record of the incident.
Information We Receive from Other Lenders or Partners: If we have introduced you to another lender or finance provider (or they have introduced you to us), or if you take up a finance product through us with a third-party lender, we may receive information back from those third parties about the product or service you obtained. For example, if we broker a loan or mortgage for you with another lender, that lender may inform us whether your application has been approved and provide details about the loan (such as the amount and term). This helps us keep our records accurate, calculate any commissions, and manage our customer relationships. We may also receive information from other third parties such as: public databases (like the electoral roll or government registries), employers or referees (to confirm employment, with your consent), or car dealers/brokers (if you are obtaining vehicle finance through a dealership, they may pass us details to process the credit). Additionally, we work with certain external services to better assist our customers – for example, we have partnered with the Vulnerability Registration Service (VRS) to identify and support vulnerable customers. This means we may check the VRS database to see if you are listed as a vulnerable individual and note any relevant support needs. The VRS is a third-party database where individuals can register their vulnerable status; we only use this information to ensure we treat you fairly and appropriately. We do not use information from such sources for marketing purposes without your consent.
Information Collected About Your Use of Our Website: When you visit our website (or use any future mobile app), we collect technical and usage data automatically. This includes, for example:
Technical Data: your device’s Internet Protocol (IP) address, browser type and version, time zone setting, device identifiers, operating system and platform, and other technology on the devices you use to access our site.
Usage Data: details of your website interactions, such as the pages or products you view, how you navigated to and from our site (the full URL clickstream to, through and from our site, including date and time), response times, download errors, length of visits on pages, page interaction information (scrolling, clicks, mouse-overs), and methods used to browse away from pages.
Mobile App Data (if applicable): if we offer a mobile application in the future and you use it, we may collect device information (like your device model and OS), app usage statistics, and crash logs. If location services are enabled and relevant to a service (for example, for security or fraud prevention), we would only collect location data with your permission.
This automatically collected information helps us understand how users use our website, enables us to troubleshoot technical issues, improve site performance, and enhance user experience. It may also be used for security monitoring (for example, detecting unusual login locations to guard against unauthorised access).
Cookies and Similar Technologies: Like most websites, we and our service providers use cookies and similar tracking technologies to collect information about your browsing activities on our site. Cookies are small data files stored on your browser or device. They help our site function correctly and can enhance your user experience (for example, by remembering your preferences or login state). We also use cookies and third-party tools for analytics and advertising. For instance, we utilise Google Analytics to understand how visitors navigate our site and to improve our content. We have enabled certain Google Analytics Advertising Features – such as remarketing and demographic reports – which means information about your visit (such as pages viewed, or if you clicked on our ads) is collected via cookies or similar identifiers. These cookies do not directly identify you by name, but they may track your device and browsing behaviour. We may use this data to show you relevant advertisements about our services on other platforms (e.g. showing you a Burnley Savings and Loans offer when you visit certain social media sites, via those sites’ advertising networks). Important: You can control or disable cookies through your browser settings. You can also opt out of Google Analytics for Display Advertising and customise Google Display Network ads using Google’s Ads Settings or by installing the Google Analytics opt-out browser add-on. To learn more about how we use cookies and how you can manage them, please see our Cookies Notice (available on our website).
Information from Communications and Telephone Calls: If you contact us by telephone, email, SMS, or other communication channels, we may monitor and record these communications for quality assurance, training, and security purposes. For example, calls to our customer service line might be recorded and stored. We use these recordings solely for legitimate business purposes, such as verifying instructions you provide, resolving complaints, improving our services, and ensuring compliance with our legal obligations. We will also retain copies of any correspondence you send us (such as emails or letters) as part of your customer record.
Open Banking Data (if you use this service): With your explicit consent, we may offer an Open Banking service to securely retrieve your financial information from your bank or accounts, in order to provide certain services (such as a more accurate affordability assessment or budgeting tools). If you choose to use Open Banking features, we will collect data such as your transaction history, account balances, regular payments, and income information from your bank or account provider. For example, open banking data could show your incoming salary payments, outgoing bills, and spending patterns. We will only access and use this data with your permission, and only to the extent necessary for the specific service (e.g., evaluating your loan affordability). Note: Open Banking services are governed by additional terms and a separate privacy notice, which we will present to you at the time, in accordance with UK Open Banking regulations. We will not retrieve or store your banking credentials; that process is handled through secure, authorised channels as per Open Banking standards.
Two-Factor Authentication Data (if applicable): If in the future we provide an online account and you choose to enable two-factor authentication (2FA) for added security, we will collect the contact details necessary to send the second-factor code (e.g. your mobile phone number for SMS 2FA). We would use this information solely to send you verification codes for logging into your account, and not for marketing. This is entirely optional and for your security; if you enable it, standard messaging rates may apply for the SMS messages.
We will not collect any personal data from you that is not needed for the provision of our services, for the legitimate interests described in this policy or to meet legal/regulatory requirements. When we request information, it is because it is necessary to provide the service you requested, to comply with our obligations (e.g., performing anti-fraud checks), or for other legitimate purposes described in this Policy. If you choose not to provide the requested information, we may not be able to offer you certain products or services. We will always indicate where information is optional.
We use the personal data we collect for various purposes in connection with providing our services to you and running our business. Below is a summary of the main ways in which we use your information:
To Process Applications and Provide Services: We use your information to set up and administer your account or agreement with us. This includes processing your loan or finance applications, conducting credit and affordability assessments, making lending decisions, and if approved, issuing the loan or arranging the finance you requested. We’ll use your data to draft and execute agreements, manage repayments, and provide any related services or aftercare. For example, we use your address and identification details to verify your identity and prevent fraud, and your financial information to decide if we can offer you credit responsibly.
To Communicate with You: We will use your contact information (email, phone, address) to communicate with you about your account and our services. This includes sending you important notices such as approval decisions, loan documents, payment reminders, statements, updates about any ongoing application, and changes to our terms or Privacy Policy. We may contact you via telephone, post, email, SMS, or other electronic means (such as messaging apps or push notifications, if you use our app) as appropriate. These service communications are necessary for us to fulfil our contract with you or to inform you of important information – you cannot opt out of receiving essential service messages.
Identity Verification and Fraud Prevention: Your data is used to verify your identity when you register or apply, as part of our efforts to prevent fraud and money laundering. For example, we may use document verification or ask security questions to confirm it’s really you. We also use personal data to monitor for and detect fraudulent or suspicious activities. If we detect fraud, we will take action to protect our interests and comply with applicable laws, which may include refusing services and reporting incidents to relevant authorities or databases.
To Provide Broker Services and Introduce Products: When you use Burnley Savings and Loans as a broker or introducer, we use your information to match you with appropriate third-party lenders or product providers. We might analyse your credit profile and preferences to determine which of our partner lenders could offer you a suitable product. If you have consented to it, we will also use your details to pre-populate application forms or facilitate the application process with those partners. For example, if you apply through us for a car finance deal that another lender will provide, we will transmit the necessary information from your application to that lender so they can process it. We also use your data to obtain indicative quotes or pre-approvals from partners (where possible, we might perform a “soft search” on your credit file to see your eligibility for partner lenders’ offers without impacting your score). This allows us to inform you of your chances of approval or show you “pre-approved” offers – but remember, any final offer is subject to the partner’s own checks and decision. We will only share your data with these third-party providers for the purpose of securing the product or service you have expressed interest in, and not for their own marketing unless you separately consent (see “Who We Share Your Information With” below for more on this).
Service Improvement, Product Development, and Analytics: We may use pseudonymized data about you, your application, how you use our services, third-party services (including credit file and open banking records) and your feedback to improve our offerings, develop new products and develop new features. This includes analysing usage patterns on our website (for example, which pages are most visited or where users drop off in an application form) so we can make our platform more user-friendly. We may perform statistical analyses on customer demographics, credit outcomes, and product popularity to gain a deeper understanding of our customer base and business performance. Any insights derived from analytics or research will typically be in an aggregated or anonymised form, so they no longer identify individual customers. We also keep internal records for training and quality control, ensuring we maintain high service standards.
Marketing (with your consent): If you have given us your permission, we will use your contact details and preferences to send you marketing communications about our products or related financial services. This may include information about new loan products, special offers, interest rate promotions, events, newsletters with financial tips, or products from our partners that we think might interest you. We aim to tailor our marketing to be relevant – for example, if you have taken out a vehicle loan with us, we might inform you about our other products, such as business loans or refinancing offers. Alternatively, if your loan is nearing completion, we might offer a new financing deal. You are in control – we will only send marketing by the methods you’ve agreed to (e.g., email or SMS), and you can opt out at any time (see “Marketing Communications and Your Choices” below). We do not sell your information to third parties for their marketing purposes.
Personalised Recommendations: In some cases, and only if you have given your consent, we may use specific personal data (such as your credit profile and borrowing history) to profile your needs and preferences, allowing us to highlight financial products that are likely suited to you. For instance, we might analyse your credit score, existing credit commitments, and stated goals to determine that you could benefit from a debt consolidation loan or a credit card with a better rate and then inform you of such opportunities. This type of profiling is designed to provide you with more relevant suggestions and assist you in making informed financial decisions. It does not involve any automated decisions that have legal or similarly significant effects without human involvement – it’s simply a way for us to organise information and present options to you. You have the right to object to this type of processing if you wish (see “Your Rights” below).
Website Functionality and User Experience: We use data (like cookies and device information) to ensure our website and online services function correctly and securely. This includes using cookies to keep you logged in during a session, remember your preferences (such as form inputs or consent choices), and deliver content appropriately for your device. We also use certain cookies and tracking data to personalise what you see – for example, to show you targeted advertisements or to greet you by name on the dashboard. Additionally, collected technical data allows us to safeguard our site (for example, detecting unusual behaviour that might indicate a bot or attack) and diagnose and fix any issues (like a page loading slowly).
Legal and Regulatory Compliance: We process personal data as necessary to fulfil our legal obligations. This includes using your information for activities such as: reporting to regulators (e.g., submitting required reports to the FCA or HMRC where applicable), carrying out anti-money laundering (AML) and “Know Your Customer” checks before onboarding you and on an ongoing basis, preventing, detecting and investigating financial crime, and complying with lawful requests from authorities (e.g., court orders or information requests from law enforcement). If you apply for credit, we also use your data to provide mandated disclosures and treat you fairly per consumer credit laws (for example, assessing affordability to prevent over-indebtedness). We may use and retain specific data to exercise or defend legal claims as well. For instance, we keep records of your agreements and communications so that we have evidence in case of any dispute or investigation.
Anonymised or Aggregated Data Uses: Where possible, we anonymise or aggregate personal data so that you are not identifiable and use it for purposes such as research, trend analysis, and development of new products. For example, we might compile statistics like “average loan size by region” or “percentage of customers interested in electric car financing” to help guide our business strategy. This anonymised data contains no personal identifiers and is not subject to data protection law.
What We Will Not Do: We never sell your personal information to third parties – we value your trust, and your data is not for sale. We also will not share your personal data with unrelated third parties for their own marketing purposes without your consent. Our use of your data is strictly as outlined in this Policy. If we propose to use data for any new purpose, we will update you and, if required, seek your consent.
Legal Bases for Processing Your Data
We are required by law to have a valid “lawful basis” for each use of your personal data. We rely on the following legal grounds for our data processing activities:
Contractual Necessity: Many of our data uses are necessary for the performance of a contract (the agreement between you and us) or in order to take steps at your request prior to entering a contract. When you apply for or take out a loan (or use our brokerage services), we process your personal data to provide that service as part of our contractual obligations to you. This includes all core activities, such as processing your application, making a credit decision, providing customer service, and administering your account. If you do not provide the required information for these purposes, we will be unable to offer you the product or service. In summary, we need to process specific personal data to fulfil our obligations to you under the terms and conditions of the service you have requested.
Legitimate Interests: We also process some of your data based on our legitimate interests (or those of third parties) in running an effective and lawful business. “Legitimate interests” means we have assessed that our processing is necessary for a genuine and fair business interest, and that it does not override your fundamental rights and freedoms. As a credit intermediary and lender, our legitimate interests include ensuring that our services are secure, efficient, and tailored, and promoting our business, provided these interests are balanced against your privacy rights. We rely on legitimate interests for purposes such as:
Preventing fraud and ensuring security: e.g. verifying identity, detecting malicious activities, and keeping our systems safe.
Improving our services: e.g. analysing usage data to enhance user experience, developing new loan products to better serve customers, and internally auditing our processes to maintain high standards.
Marketing and communications: e.g. sending you product news or offers that are relevant (where permitted by law), engaging with you throughout your customer journey to ensure you are satisfied, and sharing data with certain partners (like advertising networks or analytics providers) to reach individuals who may be interested in our services. (Note: for any electronic direct marketing to you as an individual, we will have obtained your consent as required by law – see “Marketing Communications and Your Choices” below.)
Supporting our business operations: e.g. sharing data within our organisation and with service providers (under strict controls) to facilitate our everyday functions like IT hosting, payment processing, and customer support.
Protecting our legal rights: e.g. retaining records and sharing information with our legal advisors or authorities if necessary to defend against legal claims or enforce our terms.
Re-assessment for further credit: periodically re-assessing existing customers' eligibility for further credit by conducting soft searches and analysing Open Banking data (where we still have your consent to hold it), so we can offer products that may save you money or better suit your needs.
When we rely on legitimate interests, we ensure that we consider and respect your rights. You have the right to object to processing based on our legitimate interests in some instances (see “Your Rights” section). If you object, we will consider whether our interests in the processing outweigh the impact on your privacy, and we will stop or adjust processing if required.
Consent: We will request your consent in situations where we are required to do so by law or where consent is the most appropriate basis. For example, we seek your consent before sending you marketing emails or texts (unless you are an existing customer and the law allows us to send specific, limited marketing on an opt-out basis). Similarly, if we ever process special category sensitive data (such as health information you volunteer), we will do so only with your explicit consent and for the purpose you agreed to. If we implement new technologies (for example, biometric identification or specific cookies on our site), we will obtain consent as necessary. Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing already carried out, but it will mean we stop the specific activity going forward. For example, if you withdraw consent for marketing, we will cease sending you marketing messages. You can withdraw consent by contacting us (see “Contact Us” section below) or, in the case of email/text marketing, by using the unsubscribe mechanism provided in those messages.
Legal Obligation: In some cases, we need to process your personal data to comply with a legal or regulatory obligation to which we are subject. This includes processing necessary to fulfill our duties under financial regulations, anti-money laundering laws, consumer credit laws, tax laws, and other UK or EU legislation. For instance, we are required to verify customers’ identities and retain certain transaction records to satisfy anti-money laundering rules. We may also have to disclose data if compelled by a court order or to cooperate with regulators or law enforcement inquiries. These are mandatory data uses – meaning if you object to such processing, we may not be able to provide services to you (as we cannot violate our legal obligations).
In summary, the personal data we ask for is generally required either by law, by the need to enter/perform a contract with you, or by our legitimate business needs. We will always endeavour to inform you of the applicable basis for our processing at the point of collection (and you can contact us for further clarification if needed).
Who We Share Your Information With
To provide our services to you and operate our business, we may occasionally need to share your personal information with third parties. We only share your data when necessary, and in compliance with data protection law. We require all third parties to respect the security of your data and to treat it in accordance with our instructions. We do not sell your personal data to any third parties. Below are the types of organisations with whom we may share data:
Lender and Finance Partners: If we act as a broker or introducer for a product you’re interested in, we will share your relevant personal information with the specific lender, bank, or finance company that will be providing the credit or product. For example, if you apply for a vehicle loan through us but Lender X will actually make the loan, we transmit your application details to Lender X so they can process the loan. This typically includes the information on your application form, as well as any supporting documentation or ID verification required. The lender will use this data to assess your eligibility, perform their own credit checks or fraud checks (they may share data with CRAs and FPAs as well), and to issue and manage the credit agreement. We only share with lenders that you have agreed to explore offers from (for instance, lenders on our panel for which you want to receive quotes, or a specific lender you have chosen). These product providers are separate data controllers of your information for their product, meaning they have their own responsibility to comply with data protection laws. They should provide you with their own privacy notice when you engage with them. We ensure that these partners are bound to use your data solely for the purpose of evaluating your application, providing the product, and related regulatory compliance (such as fraud prevention or reporting). They are not permitted to use your data for other purposes (like marketing their other services to you) unless you expressly consent to them doing so. Note: If you obtain a product via one of our partners, the fact that you were introduced by Burnley Savings and Loans may also be shared with them or an affiliate network to ensure we receive correct commission and for auditing. This information, however, does not include sensitive personal details – it may simply be a reference ID or note that “this customer came through BSAL.”
Credit Reference Agencies: As described earlier, we share personal data with CRAs to perform credit searches and identity verification when you apply for a product. This typically involves sending your identifying details (name, address, DOB, etc.) to the CRA and, in return, obtaining information about your credit history. We may use one or more of the main UK CRAs, namely Experian, Equifax, and TransUnion, depending on the product and our internal policies. The CRAs will record our enquiry on your credit file. They may also share with us public data (like whether you are on the electoral roll at your given address). If you become our customer (e.g., you take a loan from us), we may also share ongoing account information with CRAs. This means we could report details of your account and repayment history to the CRAs – for example, the fact that you have a loan, the outstanding balance, your payment performance each month, and how you settle the account. If you miss payments or default on your agreement, this may be reported and could adversely affect your credit score and future ability to obtain credit. Data shared with CRAs can be retained on your credit file for a period (typically 6 years after an account is closed, whether by repayment or default). The CRAs may share your information with other organisations that perform credit or identity checks (for example, other lenders or insurers) as allowed by law. You can find out more about how each CRA uses and shares personal data in the Credit Reference Agency Information Notice (CRAIN) on their respective websites (see the Experian, Equifax, and TransUnion sites for these notices). We provide links to these notices on our website for your convenience. (See also section “Credit Checks and Fraud Prevention” below for more details.)
Fraud Prevention Agencies: When processing your application and throughout your relationship with us, we may share information with fraud prevention agencies (FPAs) (such as databases that flag known fraudulent identities or activities). This is to help us and other financial institutions identify and prevent fraud and money laundering. The information shared could include personal identifiers, contact information, and details about any suspected fraud or reported misbehaviour. If we determine that you pose a fraud or money laundering risk (for instance, if our checks flag inconsistent information or you are proven to have submitted false details), we will report this to FPAs. Law enforcement authorities may access this data. Be aware: If your data is recorded by fraud prevention agencies as having a risk indicator, it may result in other companies refusing to provide you with services, credit, or employment (if the role involves trust and finance). These records are typically retained for several years. For details on the fraud prevention agencies we use and their data handling practices, please contact our Data Protection Officer (see the Contact Us section) for further information.
Service Providers and Data Processors: We employ trusted third-party companies to perform certain business operations on our behalf. These include, for example: IT and cloud hosting providers (who may host our website or databases), customer management and support tools, email and SMS delivery services, payment processing services (for handling Direct Debits or any online payments securely), identity verification services (to help confirm IDs or perform anti-impersonation checks), debt collection agencies (if ever needed to assist with overdue accounts), and professional advisors (such as auditors, accountants, or legal counsel). We only share the information necessary for these providers to carry out their functions. For instance, if we use an email service to send out newsletters, we would provide our email address and name to that service, but they are not permitted to use our data for anything outside of our instructions. All our service providers are subject to contracts that enforce strict data protection obligations, meaning they must secure your data and can only process it for the purposes specified by us. We conduct thorough due diligence to ensure they meet the highest security standards. Examples of service providers include our cloud database host (which securely stores customer data), our website analytics tools (which may process usage data), and any backup storage services. These providers act as “data processors” on our behalf. We remain responsible for how your data is used by them, and we ensure that they treat it with the same care as we do.
Group Companies: If Burnley Savings and Loans is part of a group of companies in the future (for example, subsidiaries or affiliates under common ownership), we may share your information within that corporate group as needed to operate our services. Currently, Burnley Savings and Loans Limited operates as a single company (independent). If this changes (for instance, if we establish a parent company or sister companies), and if those related entities require access to personal data (say for centralised management, compliance, or analytics), we will only share what is necessary and ensure those entities are bound by similar privacy obligations. Any intra-group sharing would still be limited to the purposes outlined in this Policy.
Advertising and Analytics Partners: We may share specific, limited data with advertising networks, social media platforms, and analytics companies to assist us with marketing and enhancing our outreach. For example, we might provide a hashed (encrypted) version of your email or phone number to online platforms like Facebook, Instagram, Google, or others to help identify if you are a user of those platforms, so we (or they on our behalf) can show you targeted advertisements. This technique is often used to either exclude existing customers from seeing irrelevant ads or to include people in audiences for promotions (such as finding “lookalike” audiences who have similar characteristics to our customers). We also work with Google Analytics and similar tools that may involve sharing data (such as cookie identifiers and site usage information) to analyse usage and measure the effectiveness of our advertisements. These partners may use cookies or tracking pixels on our website that collect data about your interactions (see “Cookies” above). All such activities are conducted under appropriate legal bases – for instance, we will seek consent for non-essential cookies and targeted advertising where required. You can opt out of many advertising platforms’ targeted advertising programs through their own privacy settings or via third-party opt-out tools. If you have opted out of our marketing, we will also endeavour to inform these advertising partners not to serve you targeted ads on our behalf.
Other Third Parties in Specific Circumstances: We might share your data with other parties in specific scenarios, such as:
Business Transfers: If we ever sell or transfer part of our business or assets, or undergo a merger or reorganisation, your personal data may be disclosed to the prospective buyer/new owner as part of the transaction. We will ensure that any such disclosure is subject to confidentiality and is only made as necessary for the transaction’s due diligence or completion. Similarly, if we acquire another business, your data might be shared within the expanded company. In the event of any such occurrence, we will ensure that your data remains protected and is used in accordance with this Policy.
Legal Requirements: We will disclose personal information to courts, law enforcement, regulators, government authorities, or other organisations if legally required to do so or if we believe in good faith that such disclosure is necessary. This includes complying with court orders or subpoenas, responding to lawful requests by public authorities (including for national security or law enforcement purposes), or enforcing our Terms and other agreements. For example, we may share information with the police or fraud investigators if we suspect criminal activity such as fraud or identity theft. We may also share data with the Information Commissioner’s Office (ICO) or the Financial Ombudsman Service if they are investigating a complaint you made.
Regulatory Bodies: As a regulated firm, we may be required to share data with the Financial Conduct Authority (FCA) or other regulatory bodies for supervision, compliance, or reporting purposes. For instance, during an FCA audit or review, they may request specific customer files or communications to ensure that we are treating customers fairly. We will only provide what is required and permitted by law.
Professional Advisors and Insurance: We may share information with our lawyers, auditors, accountants, or insurers where necessary to obtain professional advice or manage legal disputes/insurance claims. These parties are also bound to confidentiality.
In all cases of sharing, we minimise the data disclosed to only what is needed for that third party to perform its task. We also have agreements in place to ensure that any third party protects your data. Aside from the parties listed above, we will not share your information with any other third parties unless you have specifically requested us to do so or we have a legal obligation to do so.
Credit Checks and Fraud Prevention – Further Details
Because credit and identity checks are central to our services, we want to provide additional clarity on how your data is used in these processes and how it might affect you:
Credit Reference Agencies (CRAs): When you apply for credit or finance through Burnley Savings and Loans, we will perform checks with CRAs. The CRAs will keep a record of the search (known as a “footprint”). If the search is a “hard” credit search (usually conducted at the point of agreement), it can be visible to other lenders who view your report and may slightly impact your credit score. If it’s a “soft” search (for example, a quotation eligibility check), it will not affect your score and isn’t visible to other companies (only you can see it). We’ll endeavour to use soft searches for initial eligibility and only conduct a hard search when necessary (such as just before finalising a loan), in line with responsible lending practices. We may also perform these soft searches periodically while you are an existing customer, solely to gauge eligibility for further credit; you may opt out of this at any time.
The data we exchange with CRAs can include: your personal details (name, addresses, DOB), credit application details, details about your financial associates (anyone you have a joint account or credit link with), and information about your credit history that the CRAs provide to us (such as existing credit accounts, outstanding balances, payment arrears, history of insolvency or judgments, etc.). We use this information to assess creditworthiness and suitability for our products or those you seek via our partners. This helps us make fair and informed decisions.
If you become a customer, we may report the status of your account to the CRAs. For example, we will inform the CRAs whether you pay on time or have fallen behind. If you pay us on time, it can help build a positive credit history for you; if you miss payments or default, it will likely harm your credit history. A default typically means you failed to repay after multiple reminders, and we closed your account. This is typically recorded and remains on your file for six years, which can make it more difficult or expensive to obtain credit during that period.
It’s essential to ensure that the information you provide us is truthful and accurate, as we will verify it against external sources. If we find inconsistencies (for example, a different address on your credit file than the one you provided, or undisclosed credit commitments), we may request clarification from you.
Multiple Credit Applications: Note that if you make multiple credit applications in a short period (with us and/or others), multiple hard search footprints might appear on your file, which could temporarily lower your credit score. If you are shopping around for credit, consider using eligibility checks or brokers that use soft searches (like our initial checks) to minimise impact.
Your Credit File: You have the right to access your credit file and to correct any wrong information. If you believe something on your credit report that we contributed (like a search or account record) is incorrect, you can contact us or the CRA to have it reviewed.
For more detailed information about how CRAs handle your data, you can refer to the “Credit Reference Agency Information Notice” (CRAIN). The three main CRAs in the UK have this notice available on their websites: Experian (experian.co.uk/crain), Equifax (equifax.co.uk/crain), and TransUnion (transunion.co.uk/crain). These notices explain what data the CRAs hold, how they share it, the retention periods, and your rights in relation to CRA data. You can also find general information on credit files on the ICO’s website and via organisations like Citizens Advice.
Fraud Prevention: We participate in data sharing with fraud prevention agencies (such as CIFAS and others). If you provide false or misleading information and fraud is identified, the details will be forwarded to these agencies. Law enforcement organisations can access this information to investigate and prevent crime. The types of data that may be shared include personal identifiers, contact information, suspected fraud details, and modus operandi (patterns of behaviour). Fraud records can result in others refusing services to you – it’s a serious measure, so it is only done where warranted.
We also use fraud prevention data to verify identities. For instance, when you apply, the information you provide may be checked against records like the electoral roll, sanction lists, or databases of known fraudulent identities. This could involve an electronic identity check where your information is matched to records held by a credit agency or identity provider (this counts as a soft search purely for ID verification, not for credit risk assessment). If we cannot verify your identity through these means, we may request additional documents, such as a passport or utility bill, or utilise a third-party identity verification service. In some cases, if identity verification is not possible, we will be unable to provide services.
Automated Decisions in Checks: Some of our credit and fraud checks involve automated decision-making. For example, we might use an automated system to initially score your credit application (taking into account information like credit score, income, and existing debts) to determine if you meet our lending criteria. Additionally, automated systems may instantly flag a transaction as suspicious if it matches a fraud rule (e.g., an application originating from a high-risk IP address may be paused for manual review). You have rights relating to automated decisions (see “Automated Decision-Making” and “Your Rights” sections). If you are declined based on an automated credit check, you can request a review, and we will have a person reevaluate your application.
If you want to learn more about the fraud prevention agencies and credit reference agencies we use, or obtain their contact details, please reach out to us. We can provide a copy of relevant information or direct you to their privacy information. Remember, you can also obtain a copy of your credit report from each CRA (the law entitles you to a free statutory credit report).
Marketing Communications and Your Choices
We would like to keep you informed about products and services from Burnley Savings and Loans (and occasionally from our partners) that might benefit you. However, we will only do so in accordance with your marketing preferences and applicable law. This section explains what you can expect and how you can manage your communication preferences:
Types of Communications: With your consent (or as otherwise permitted by law), we may send the following types of marketing and informational communications:
Product Offers and Updates: Personalised offers for financial products that we believe could interest you. For example, if you have a car loan with us, when you near the end of the term, we might offer a new deal for your next car. If you have inquired about business loans, we might send updates about our business financing options. These communications may highlight special interest rates, new product launches, or pre-approved credit limits (if applicable). They may also include invitations to apply for additional borrowing or refinancing if our eligibility checks suggest you are likely to be accepted. We strive to time these and tailor the content based on what’s relevant to you.
Educational Content and News: General newsletters or content about managing finances, improving credit scores, budgeting tips, industry news (like regulatory changes that might affect borrowers), or updates about Burnley Savings and Loans (such as new branch openings or community initiatives). We send these to provide added value beyond just offers.
Surveys and Feedback Requests: Occasionally, we may reach out to ask for your feedback on our services or to participate in customer satisfaction surveys. These help us improve our offerings. Participation is completely voluntary.
Channels: We typically send marketing via email if we have your email address and consent. We may also use SMS/text messages, postal mail, or telephone for marketing if you have agreed to those channels. For instance, if you agree to receive offers by SMS during your application, we may send a text with a link to a new loan offer. Push notifications may be used in a mobile app scenario if you opt in. Each method will only be used if you have not opted out of it. We will not bombard you – we aim to send a reasonable number of communications and only with pertinent information.
Third-Party Marketing: We do not share your contact details with third-party companies for their marketing unless you explicitly consent to that. For example, we won’t sell your email address to an insurance company for cold contact. If we ever promote a partner offer, that communication will come from us, not the partner, unless you have a direct relationship with that partner. We may include offers from our trusted partners in our own communications (for instance, “check out [Partner Bank] credit card with 0% for 12 months, available via our site”). However, the communication is ultimately under our control.
Opting In: At the point of data collection (e.g., when you fill a form or create an account), you will be given the option to opt in to marketing. This might be presented as tick-boxes (e.g., “Yes, I would like to receive news and offers from Burnley Savings and Loans via email”). We try to make this granular, meaning you can choose the channels or topics you’re interested in. For example, separate checkboxes for email vs SMS, or for different product categories, so you only get what you want. If you do not check or select these options, we will assume you do not want to receive marketing and will not send it. You can still use our services regardless of your marketing preference.
Opting Out / Unsubscribing: You have the right to opt out of marketing at any time. If you no longer wish to receive marketing communications from us, you can do any of the following:
• Click “Unsubscribe” – All our marketing emails will contain an unsubscribe link (usually at the bottom). Clicking this will allow you to stop further emails from that list. We will process these requests as quickly as possible.
• Contact us directly – You can email us at any time at info@bsal.co.uk or call us at 01282 454744 to let us know you want to opt out of some or all marketing. If you write to us, please include your name, contact details and a note that you do not want marketing contact. Our staff will update your preferences accordingly.
• Account settings – If we provide an online account or preference centre, you can log in and change your marketing preferences there (e.g., untick certain types of messages or all communications). We’ll make sure any such changes are honoured.
Once you opt out, we will cease using your information for direct marketing purposes. Please note that opting out of marketing will not affect service communications – you will still receive necessary emails or messages about your active accounts, transactions, or other non-marketing matters (as described earlier, these are not optional). If you opt out via one channel (e.g., email), we will endeavour to remove you from all marketing. However, you can tell us if you would rather opt out of some channels only (for instance, if you don’t mind receiving SMS but do not want email).
Opting out of marketing also stops our periodic eligibility monitoring for promotional purposes (we will still run statutory credit checks needed to service any live agreement you already have).
Third-Party Advertising Opt-Outs: If we are using advertising partners (such as social media platforms) to target ads to you and you no longer want to see them, in addition to opting out with us (which we will action), you can also adjust your ad preferences on those platforms. For example, you can adjust your Google Ads settings and Facebook ad preferences to control interest-based ads. Additionally, industry opt-out websites, such as YourAdChoices (for various ad networks), can be utilised. Please note that, even after opting out of our marketing, you may still see generic Burnley Savings and Loans advertisements on the web that are not explicitly targeted using your data (for example, banner ads on a website for everyone in a particular region). Those are not directed by your personal data but rather by general advertising.
After Opting Out: When you opt out of marketing, we will retain enough of your information to ensure we honour your no-contact request going forward. For example, we may keep your email address on a “suppression list” to ensure it is not inadvertently included in a future campaign. This doesn’t mean we’re still marketing to you; it’s purely for compliance.
We promise to make it easy to opt out and to respect your choices. We do not want to send unwanted messages. If you ever feel you are receiving marketing from us that you did not agree to, please contact us so we can investigate and correct the situation.
Automated Decision-Making and Profiling
In some cases, we use automated processing of your personal data to make decisions or to profile aspects of your creditworthiness or preferences. “Automated decision-making” means that a decision concerning you is made by a computer system based on algorithms, without a human reviewing each case. We use automated decision-making primarily to expedite and ensure consistency in our credit decision process. For example:
Credit Scoring: When you apply for a loan or other credit product, our systems may automatically calculate a credit score or affordability assessment based on the information you provided and data from credit reference agencies. This score helps determine whether your application meets our lending criteria. It considers factors like your income, existing debts, credit history, and other information. A threshold is set, and if your score is below that threshold, the system might automatically decline the application at that stage (subject to manual review as needed). This helps us handle applications quickly and fairly, applying the same criteria to everyone. Rest assured, if your application is automatically declined, you have the right to request a human review of the decision. We will then have an underwriter or credit officer reassess your application manually. We understand not everyone’s situation fits a standard model, and we’re happy to consider additional information you provide upon review.
Fraud Screening: Our fraud detection systems may automatically flag and decline certain activities that appear to be of high risk. For instance, if an application triggers multiple severe fraud rules (such as an identity associated with confirmed fraud or an IP address from a region known for fraudulent attacks), the system may automatically prevent further processing of that application. In most cases, though, potential fraud flags result in a referral for manual investigation rather than an outright automated denial.
Profiling for Product Offers: As mentioned in the Marketing section, we might use automated logic to segment customers or website visitors into groups based on their attributes or behaviour. For example, our system could analyse your credit profile and interactions and categorise you as someone who might benefit from a particular product (like a secured loan versus an unsecured one) and then automatically show you content or offers related to that product. This kind of profiling is aimed at personalising your experience. It does not have legal effects or similarly significant effects on you – it’s more about which adverts or recommendations you see. You always have the option not to act on those suggestions.
No Fully Automated Rejections Without Safeguards: We do not make any solely automated decisions that produce legal or similarly significant effects without providing you with an opportunity for human intervention. Credit decisions are important, but we ensure there’s a safety net (e.g., the ability for you to appeal or have a person check it). Any automated process is regularly tested for fairness and accuracy to avoid biased outcomes.
Your Rights regarding Automated Decisions: Under the UK GDPR, if a decision is made about you based solely on automated processing (and it has a significant effect on you), you have the right to:
Request human intervention, so that an actual person reviews the data and decision.
Express your point of view about the decision, especially if you believe the automated process overlooked something important.
Contest the decision if you believe it was incorrect or unjust.
For example, if an automated credit risk decisioning system declined you, you might contact us with additional context (perhaps your credit file had an error, or you have a strong recent income change that wasn’t reflected) and ask us to reconsider. We will review such requests seriously.
Why use automation? Automated decision-making enables us to deliver faster decisions (often within minutes or instantly) rather than requiring you to wait days for a manual review. It also ensures consistency, so similar inputs yield similar outcomes, reducing human error or bias. We calibrate our systems using historical data and industry standards to aim for accuracy. However, we acknowledge that automated systems are not perfect, which is why we have the safeguards and human oversight mentioned.
If you have any questions about our use of automated decision-making or want to object to a particular use, please contact us (see “Contact Us” below). We are transparent about where we use these tools and want you to feel comfortable with how your data is processed.
How We Protect Your Information
We take the security of your personal data extremely seriously. We have implemented a variety of technical and organisational measures to guard your information against unauthorised access, loss, alteration, or disclosure. These are some of the key steps we take to protect your data:
Secure Storage: All personal information you provide to us is stored on secure servers. We utilise reputable hosting providers that adhere to robust security practices. Data is typically encrypted at rest (where feasible) and always encrypted in transit (we enforce HTTPS for our website, meaning data is encrypted between your browser and our website). We maintain firewalls and access controls to prevent unauthorised access to our systems.
Access Control: Internally, we restrict access to your personal data to employees, agents, and contractors who require access to process it on our behalf. They only access the minimum amount of data required for their role (principle of least privilege). All staff are trained on confidentiality and data protection. Our offices and IT systems are secured with physical controls, passwords, and multi-factor authentication where appropriate.
Password Protection and Encryption: If you set up an online account with us in the future, your account will be protected by a password (or other secure login method) which you should keep confidential. We do not store plaintext passwords – they are hashed or encrypted. Highly sensitive personal data (if we ever handle any, such as ID scans or bank statements for underwriting) is stored in an encrypted form. When we transfer data internally or to service providers, we use encrypted channels (VPNs, secure FTP, etc.).
Monitoring and Testing: We continuously monitor our systems for potential vulnerabilities and attacks, and conduct regular security testing. This includes routine software updates (to patch security issues), periodic penetration tests by security experts, and continuous observation for any suspicious system activity. We also have logging in place, allowing us to audit access to personal data and detect any irregularities.
Secure Disposal: When we no longer need personal data (at the end of its retention period – see Retention section), we delete it securely. Physical documents are shredded or incinerated, and digital data is deleted in a manner that it cannot be readily recovered. Our service providers are contractually bound to do the same.
Organisational Measures: We have a range of internal policies and procedures to ensure data is handled safely. For example, we have an incident response plan so that if any data breach were to occur, we can react swiftly to mitigate harm and notify the appropriate parties (including you and regulators, as required by law). We regularly review who has access to what, and we ensure data protection and privacy by design in new projects (meaning we consider privacy at the outset when designing new systems or features).
While we strive to protect your data, it’s important to understand that no method of transmission over the internet or electronic storage is 100% secure. We thus cannot guarantee absolute security. For instance, email communications or web forms, if not protected, could be intercepted by bad actors, though we use encryption to minimise this risk. Any data you send to us is at your own risk. Once we receive your data, we will implement strict procedures and security features to prevent unauthorised access. If we become aware of a data breach that is likely to result in a high risk to your rights and freedoms, we will inform you and the ICO as required by law.
Your Responsibilities: You also play a role in keeping your information secure. We advise that you use strong, unique passwords for any online accounts (including with us), do not share your account login details with anyone, and be cautious of phishing scams (e.g., emails that look like they’re from us but are not – always verify the sender or contact us if unsure). We will never ask you for your password via email or phone. If you suspect any unauthorised access to your account or data, let us know immediately so we can assist.
International Data Transfers
Burnley Savings and Loans is based in the UK. Generally, we prefer to process and store data within the UK or the European Economic Area (EEA), which has strong data protection laws. However, some of the third parties we work with (or certain technical solutions we use) may involve transferring or storing your personal data in other countries. For example:
• We use cloud services or IT providers that may host data on servers located outside the UK/EEA (for instance, in the United States or other countries).
• If you apply to a lender or partner based outside the UK/EEA through us (less common, but possible in certain specialist finance scenarios), your data may be sent to that entity abroad.
• Our customer service operations or certain team members may occasionally access data remotely while travelling or from an offshore location (for instance, if we use an outsourced support service or have a development team in another country).
Whenever we transfer your personal data out of the UK (or EEA) to a country that is not deemed by UK authorities (or the European Commission) to have an adequate level of data protection, we ensure that appropriate safeguards are in place to protect your information. These are typically:
• Standard Contractual Clauses (SCCs): These are legal contracts approved by the European Commission (and recognised in the UK) that bind the receiver of the data to protect it according to EU/UK standards. We sign SCCs with non-UK/EEA service providers unless they are covered by another valid mechanism.
• UK International Data Transfer Agreement/Addendum: The UK has its own adaptation of SCCs. We use these when required for transfers from the UK.
• Adequacy Decisions: If the country has been officially deemed to provide adequate protection by the UK (or EU), such as countries in the EEA or a few others like New Zealand or Canada, for certain data, then we rely on that decision.
• Additional Security Measures: In some cases, we may implement extra technical measures, such as encrypting data before transfer, so that even if it’s stored or processed abroad, it remains protected.
For example, if we use an email service whose servers are in the US, we will have an agreement incorporating SCCs with that provider to ensure your data is safeguarded. Or, if we work with a tech support team in India (for illustration purposes), we would also have contracts and ensure secure remote access protocols.
We also require that any foreign recipients apply the same level of protection as we would have in the UK. We monitor developments and guidance around international data transfers to ensure continued compliance.
If you would like more information about international data transfers (including details of specific safeguards in place for particular services), you can contact our Data Protection Officer. We can provide copies of relevant contract terms or further explanations as appropriate.
Data Retention – How Long We Keep Your Data
We will keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. This duration will vary depending on the nature of the data and our interactions with you. Here are some general guidelines we follow:
Active Customer Accounts: If you have an ongoing loan or an open account with us, we will retain your personal data for the life of that account or contract. This enables us to effectively manage the service (e.g., process payments, send statements, respond to inquiries) and comply with our contractual obligations.
After Closure of Account/Service: Once your relationship with us ends, for example, after you repay your loan in full or you decide not to proceed after getting a quote, we generally retain your data for a defined retention period. In most cases, this is up to six (6) years from the end of our relationship or the date of the last transaction. A six-year retention period is common in financial services, as it aligns with certain legal requirements and the UK’s statute of limitations for contractual claims. This means if any dispute or legal issue arises within six years, we have the records to defend or address it. It is also aligned with guidance from our regulator (the FCA) and practices across the industry for record-keeping.
Regulatory and Legal Requirements: Certain information may need to be retained for specific periods due to legal requirements. For example, anti-money laundering regulations may require us to keep identity verification and transaction records for 5 years from the end of the customer relationship (or longer if required by local transposition of the EU 5th AML Directive). Also, if you make a complaint, the Financial Ombudsman Service expects firms to have relevant records (complaints can be raised within 6 years or 3 years from when you became aware of an issue). Thus, the 6-year timeframe generally covers these needs.
Anonymised Data: In some cases, rather than fully deleting data, we may anonymise it (so it can no longer be associated with you) and retain it for longer for analysis. For instance, we might keep anonymised loan performance data to study credit risk trends. This is not personally identifiable and, therefore, not subject to the same retention limitations.
Marketing Data: If you are not a customer but have subscribed to receive marketing communications (for example, you signed up for our newsletter), we will retain your contact information for marketing purposes until you unsubscribe or the information becomes inaccurate. If you unsubscribe, we will promptly remove you from our marketing lists. However, we may keep your contact information on a suppression list indefinitely to ensure we don’t accidentally contact you.
Recruitment Records: (If applicable) If you applied for a job with us, personal data in recruitment will be kept only for the recruitment period, unless we need to retain it longer for legal reasons or if you consent to us keeping your CV on file for future openings.
At the end of the relevant retention period, we will either securely delete or destroy the personal data, or pseudonymise/anonymise it if we still need it for statistical purposes. For example, our databases may purge personal identifiers while keeping general account information for portfolio risk analysis.
Retention Example: Suppose you took a loan with us that ended on 1st July 2025 (fully repaid). We will keep your records until at least 1st July 2031 (6 years later). After that, the data may be deleted around that time in our normal purge cycles, except for any minimal data we retain longer (such as your name and the fact that you were a customer, to prevent re-fraud or for legal holds). If an issue arose in 2027 (within the 6 years), we’d have the info to address it. If you simply inquired about a loan in 2025 but never proceeded, we might keep that inquiry data for a shorter period (perhaps 1-2 years) unless there’s a reason to retain it longer (like a potential fraud record, or you asked us to keep your file in case you come back).
Extended Retention: There are scenarios where we might need to keep data beyond our standard period, such as:
• If there is a legal dispute or proceeding, we would preserve relevant data until it is resolved (even if that goes beyond the normal retention schedule).
• If instructed by law enforcement or regulators to retain data (for example, if an account is under investigation), we will keep it as required.
• If you exercise certain rights like suppression (as mentioned, e.g., opt-out of marketing), we keep minimal data indefinitely to honour that.
Once we consider that we no longer need your personal data, we will securely delete it. We also periodically review the data we hold to ensure we’re not keeping anything longer than necessary.
Note on Backup Systems: It’s possible that when we delete data from our active systems, it might remain for a time in secure backups. We have processes to eventually purge or overwrite backups too, or to ensure that if data is restored from a backup, it’s deleted again if it should no longer be in live systems. We strive to ensure no personal data lingers beyond what’s needed.
If you have any questions about our retention policy or wish to know if we still have certain information about you, you can contact us for details.
Links to Other Websites
Our website may contain links to websites or mobile apps operated by third parties (for example, links to partner lenders, credit reference agencies, or helpful resources). If you follow a link to any website that is not operated by Burnley Savings and Loans, please be aware that those third-party sites have their own privacy policies, and we do not control how they collect or use your data. We encourage you to read the privacy policy of every site you visit. We are not responsible for the content or data practices of external websites. This Privacy Policy applies solely to data collected by Burnley Savings and Loans for our services.
For instance, if you click a link on our site that takes you to a separate credit broker service or a news article on another domain, any information you provide on that external site will be governed by that site’s privacy practices. However, if you come back to our site or provide information to us, our Policy will apply at that point.
We do provide links to trusted partners and reputable organisations (such as the Vulnerability Registration Service, MoneyHelper, Citizens Advice, etc.) to assist our customers. None of these organisations receives your personal data from us just by virtue of you clicking a link. You would have to engage with them separately and provide data directly to them for them to have it.
In summary, please exercise caution and look at the privacy statements applicable to each website you visit through links on our site. If you have any concerns about a link on our site (e.g., you think a link is malicious or broken), let us know, and we will investigate or remove it if necessary.
Automated Decision-Making and Profiling (Your Rights and Further Info)
(This section is an addendum to the earlier explanation about automated processes, emphasising your rights and our responsibilities around them.)
As described, we may use automated processing, including profiling, to make decisions about you or to analyse your personal aspects. Under data protection law, you have specific rights when such automated decisions significantly affect you:
Right to Human Review: If a decision has been made about you purely by a computer (for example, an algorithm declining your application without any human input) and it has a legal or similarly significant effect, you can request that a human being review that decision. We will then have one of our team members (e.g., a credit underwriter) review your application and the data, consider any additional information you provide, and make a fresh decision or confirm that the automated decision was appropriate. In practice, we often already include human oversight, especially for borderline cases, but your right ensures you can demand it if needed.
Right to Express Your Point of View: You have the right to request an explanation of an automated decision and provide additional information or context for our consideration. For example, you might say, “I believe the decision was wrong because it didn’t take into account X.” We will listen to your viewpoint and factor it in during a review.
Right to Contest the Decision: You can object to an automated decision, and we will then investigate whether the decision was made correctly. If it wasn’t, we may reverse it or adjust it (for instance, if an automated decline was based on an error in your credit file that later gets corrected, we might be able to change the outcome).
Please note that these rights apply when the decision in question is solely automated and has a significant effect. Many decisions we make are not solely automated (often there is some human check, or the decision might not be impactful in a way that triggers the rights – e.g., automated filtering of marketing preferences would not qualify). But for credit eligibility, which can be significant, we treat it carefully.
Example: If you were automatically declined for a personal loan, you could reach out and say you wish to have it reviewed. We would inform you of any basic reason we can (sometimes it might be “the credit score did not meet our cutoff” – though we might not be able to divulge detailed scoring algorithms). You could then, for instance, point out that your credit report had an error (like a wrongly recorded missed payment) or that you have additional income not reflected in your initial application. We would then have a human consider that and potentially re-run the assessment with corrections or override the automated decision if appropriate. We want to ensure deserving customers are not unfairly turned away due to an automated process.
On the other hand, if the automated process was a straightforward enforcement of our policy (e.g., “under 18, auto-decline”), a human would likely uphold it (because we legally cannot lend to minors). But at least you would get confirmation that it wasn’t some arbitrary or incorrect factor.
Profiling Transparency: You are also entitled to ask if we are profiling your data and get some information about the logic involved and what it means for you. We’ve explained some of that above (like credit scoring factors, etc.). If you have questions like “how did you calculate my eligibility?” we can provide a general explanation (keeping in mind that detailed algorithms might be protected for fraud prevention or proprietary reasons).
We hope that our use of automation benefits you with quicker and fair service. But we understand the need for transparency and fairness, so we commit to not using automated decisions in a way that discriminates against or unjustly impacts individuals. Our models do not consider any protected characteristics (such as race, religion, etc.) and are designed solely around credit risk and fraud risk factors. We regularly test outcomes to ensure fairness.
If you remain concerned about any automated processing, please contact us. We can clarify if a decision was automated and work with you to address any issues.
Your Rights Under Data Protection Law
As a data subject (an individual whose data we hold), you have several important rights under UK data protection laws. We are committed to facilitating these rights. Below, we outline your key rights and how to exercise them:
Right to Access (Subject Access Request): You have the right to request a copy of the personal data we hold about you, as well as to obtain information about how we process it. This is commonly known as a “Subject Access Request” (SAR). Upon request, we will provide you with a copy of the information in a commonly used format, along with details on the sources, purposes of processing, and who it has been shared with, unless an exemption applies. How to exercise: You can submit a written request (via email or letter) – see the Contact Us details below. To ensure we release data to the right person, we will need to verify your identity (we may ask for a form of ID or ask security questions). We do not normally charge a fee for this service (it’s free), and we aim to respond within one month of receiving your request (and verification). If your request is complex or numerous, we may extend the time by up to two further months, but we will inform you if that’s the case. Also, if you specifically want certain information (e.g., “I want phone call recordings from June” or “I want copies of specific emails”), telling us that can help us fulfil your request more efficiently.
Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. For example, if we have the wrong address or a misspelt name, or an outdated phone number, please inform us, and we will update it. We strive for accurate data, so we welcome corrections. In many cases, you can directly correct certain data (like your contact details) by logging into your account (if online access is available). If that’s not possible, please contact us and we’ll make the necessary adjustments. We will do so as soon as possible, typically within one month. If, for some reason, we cannot act (e.g., if we believe the data we have is correct and your request is unfounded, or if the data is part of a record that we must keep unchanged for legal reasons), we will explain that to you.
Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data in certain circumstances. This right is not absolute, but you can ask us to erase data, for example, if: (a) the data is no longer necessary for the purpose we collected it, (b) you originally gave consent and now want to withdraw it and we have no other lawful basis to keep it, (c) you have objected to processing (see right to object) and we have no overriding grounds to continue, or (d) we may have processed your data unlawfully. If you request erasure, we will assess whether the conditions are met. If they are, we will securely delete or anonymise the data. We will also inform any third parties we’ve shared it with (where feasible) about your deletion request. Please note that, due to regulatory reasons, we may not be able to delete all data immediately. For instance, if you’ve had a financial product with us, we are required to keep records for a certain time (e.g., 6 years as mentioned). In such cases, we might not be able to fulfil an erasure request until that period passes. Instead, we would suppress your data from active use. We’ll explain to you what we can and cannot erase at the time of your request. Additionally, if you withdraw your consent for marketing, we will remove you from marketing lists – you don’t necessarily need to request full erasure for this purpose.
Right to Restrict Processing: In certain situations, you can request that we limit the processing of your data (essentially marking it so that we only store it but don’t actively use it until the restriction is lifted). You might exercise this right if you have a dispute over the accuracy of the data or an objection pending, or if our processing is unlawful and you want to prevent further use but not deletion. For example, if you contest an entry on your file, you can ask us to restrict processing of that data until it’s resolved. During restriction, we can still retain the data, but we won’t engage in activities such as sending you marketing or sharing it (except for storage or if required for legal purposes). If the issue is resolved or you consent, we’d remove the restriction and notify you. We’ll inform you when the restriction is in place and when it’s lifted.
Right to Data Portability: You have the right, in certain cases, to receive your personal data that you provided to us in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller at your request. This typically applies to data processed based on your consent or under a contract, and which is processed by automated means. For instance, if we have an online account in the future and you provide data directly into it, you could request a CSV or JSON file of the data you entered (such as your profile information or transaction list) to transfer to another service. Or you could ask that we directly transfer it to a new provider if technically feasible. This right is intended to help you reuse your data across services. It’s not likely applicable to most of our processing (since credit decisions aren’t exactly portable, and much of our data is for regulatory requirements), but if you have such a request, we will do our best to accommodate it. For example, if you need a copy of your loan payment history to provide to another lender, we can provide it in a spreadsheet format.
Right to Object: You have the right to object to certain types of processing of your personal data:
Direct Marketing: You can object to (opt out of) having your data processed for direct marketing purposes. If you object, we will cease such processing immediately. This includes any profiling related to direct marketing. (As explained earlier, you can opt out via the provided channels).
Legitimate Interests: If we are processing your data based on legitimate interests (or performing a task in the public interest) and you feel it impacts your rights and freedoms, you have the right to object to that processing. Upon your objection, we must stop the processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless the processing is for the establishment, exercise, or defence of legal claims. In simpler terms, if you object, we’ll pause and assess our reasons for processing versus your reasons for objecting. If your rights should prevail, we’ll stop that processing. For example, you might object to certain data being used for analytics – if it’s not essential, we would likely comply and stop using it for that. However, if you object to processing that is fundamental to providing your service (like reporting to CRAs or using data to prevent fraud), we may inform you that we cannot cease that processing and still provide you with the service (or comply with the law). In such a case, you might have to choose to terminate the service if you don’t agree, but we’ll discuss it with you.
Right to Withdraw Consent: Where we rely on your consent to process data, you have the right to withdraw that consent at any time. We’ve covered this under various sections (marketing, special data, etc.), but to reiterate, withdrawing consent will not affect the lawfulness of processing that happened before the withdrawal. Once consent is withdrawn, we will cease processing that was based on the consent. There is no penalty or impact on your service for withdrawing consent – for example, if you withdraw consent to marketing, you still get your loan on the same terms; or if you withdraw a consent you gave during an application (like to fetch open banking data), it just means we won’t continue that optional part. To withdraw consent, you can contact us via email/phone (see Contact Us below) or use specific opt-out mechanisms (unsubscribe links, etc.). For consents like cookies, you can also adjust settings on your device.
Right Not to be Subject to Automated Decisions: As discussed, if a decision with legal or significant effect is made solely by an algorithm, you have the right to contest it or have human intervention. We list this separately to emphasise you can say, “I don’t want decisions about me made by computers alone.” While we may not always be able to accommodate requests in real-time (some decisions, such as initial credit scoring, must be automated due to volume), we will ensure that a human is available to review if you request it.
These rights are provided at no cost to you. However, we are allowed by law to charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive (for example, repetitive requests). We rarely, if ever, resort to that. If we decide that a request is excessive (for example, if you submit a SAR every week), we would inform you of why we believe it’s excessive and either ask you to narrow it down or explain the fee. However, we generally aim to be helpful and respect your rights.
To exercise any of your rights, please contact us (see next section for contact details). We may need to request proof of identity (especially for SAR, deletion, etc.) to ensure we’re dealing with the correct individual. This is for your protection – for instance, we wouldn’t want to hand out your data to someone impersonating you. Acceptable proof may include a copy of a driver’s license, passport, or a recent utility bill for address verification. If you are making the request via a third party (like a solicitor), we will need to verify that they have your authority.
Once we have verified your identity and have all the necessary information to locate the data or understand your request, we will proceed. We aim to respond within one month. If we foresee it taking longer (due to complexity or volume), we will let you know within that month and give an estimated timeframe (no longer than an additional two months). We will keep you updated on progress.
If we decide not to act on your request (which could happen if, for example, deleting data would conflict with legal obligations, or if we consider an objection and determine we have overriding legitimate grounds), we will inform you of the reasons for our decision and your right to complain about it.
Remember, you also have the right to lodge a complaint with the ICO if you believe we have not handled your request properly or are otherwise mishandling your data (see “Complaints” below). But we encourage you to reach out to us first so we can try to address your concerns directly. We’re here to help and ensure your data rights are respected.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or data processing practices. If we make significant changes, we will post the updated Policy on our website and change the “Effective from” date at the top so you can see when the last changes occurred. For material changes that may affect you, we may also choose to notify you directly via email or via an in-service notification. For example, if we were to start processing your data for a new purpose not covered by this Policy, or if we change how we share data in a meaningful way, we would let you know in advance when possible.
We encourage you to check this page periodically to review any updates. Any changes will become effective when the revised Policy is posted (or the notified effective date). If you object to any changes, you should contact us and/or consider stopping using our services if the issue is unresolved. If you continue to use our services after the date the updated Policy takes effect, we will assume you have acknowledged the changes.
This Policy is version 1.0 (August 2025). Historical versions of our privacy policy may be requested from us if needed. We maintain an archive of changes for accountability.
Contact Us (Questions or Exercising Your Rights)
We welcome any questions, concerns, or requests you may have regarding this Privacy Policy or our handling of your personal data. Our aim is to be transparent and fair, so please do not hesitate to reach out.
Data Protection Officer (DPO): We have appointed a Data Protection Officer who oversees our data protection strategy and compliance. You can contact our DPO by emailing privacy@bsal.co.uk or info@bsal.co.uk (either will reach us for privacy matters). Please mark your message for the attention of the Data Protection Officer in the subject line or body.
Postal Address: If you prefer to write to us or need to send documents for identity verification, you can reach us at:
Data Protection Officer
Burnley Savings and Loans Limited
30 Keirby Walk
Burnley, Lancashire
BB11 2DE
United Kingdom
Telephone: You can call us at 01282 454744. Our phone lines are open 9am to 5pm Monday to Friday (excluding bank holidays). Calls may be recorded (as noted before). Our staff will either help directly or refer you to the appropriate department for privacy inquiries.
When contacting us about your data or rights, please provide enough information for us to locate your records (e.g., your full name, any account or reference number if you have one, the service you used, etc.). For rights requests, also be prepared to verify your identity – we might ask you to confirm some personal details or provide ID as mentioned. This is to protect you.
We will do our best to respond promptly. Email is usually the quickest method for rights requests, but choose whatever is most convenient for you. We aim to make the process as smooth as possible.
Complaints and Your Right to Contact the ICO
We hope to resolve any privacy-related issues or concerns you have. You can always reach out to us using the contact details above, and we will work with you to address your complaint. However, if you are not satisfied with our response or believe we are processing your personal data unlawfully or not in line with data protection law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK’s independent authority overseeing data protection rights.
• The ICO’s website is ico.org.uk – here you can find information on how to raise a concern. They have an online form and guidance on the process.
• You can also contact the ICO by phone: 0303 123 1113 (this is their helpline).
• Or by mail: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK.
The ICO will usually ask if you’ve tried to resolve the issue with us first (and they often expect that you do so). We certainly encourage you to let us try to fix the matter before contacting them, as we are committed to your privacy and it might be a misunderstanding or an easily fixable issue. That said, you absolutely have the right to go to the ICO at any time.
If you live or work in another European country (or have a complaint about our activities in an EU country), you may alternatively contact the data protection authority in that country. For example, if you reside in Ireland, you could contact the Irish Data Protection Commissioner. But for most of our UK customers, the ICO is the relevant authority.
Other Avenues: If your concern relates to how we handled a financial matter (such as a credit reporting issue or lending decision) and you believe it’s also something for the Financial Ombudsman Service (FOS), you can consider contacting them. The FOS handles complaints about financial services. However, issues related solely to data handling fall under the ICO. In some cases, there’s overlap (e.g., a complaint about inaccurate data affecting your credit – ICO can address data accuracy, FOS can address any fairness in lending decisions). We can guide you if you’re unsure.
No Retaliation: Rest assured, we will never discriminate against or penalise you for exercising your rights or making a complaint (whether to us, the ICO, or any other body). Your services with us will remain the same. Our goal is to operate with transparency and fairness.
Thank you for reading this Privacy Policy. We hope it has helped explain how we protect your personal data and your associated rights. If anything remains unclear or if you need further information, please get in touch. Your trust is important to us, and we are always here to help.
Burnley Savings and Loans Limited (“Burnley Savings and Loans”, “BSAL”, “we”, “us” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website or any related services. By visiting our website (www.burnleysavingsandloans.co.uk) and using our services (including any future mobile app or online account services), you acknowledge that you have read and understood the practices described in this Privacy Policy. We are the “data controller” of your personal data for the purposes of applicable data protection law (UK GDPR and Data Protection Act 2018). We are also registered with the UK Information Commissioner’s Office (ICO) as a data controller, which you can verify on the ICO’s register. References to “you” or “your” in this Policy mean any individual who uses our website or services. References to our “website” include any mobile applications or online portals we may offer for our services.
Who We Are and What We
Burnley Savings and Loans Limited is a financial services provider authorized and regulated by the Financial Conduct Authority (FRN: 717019). We operate as a credit broker and a lender, which means we may either lend directly or introduce you to other lenders for finance . Our primary services include:
Automotive Finance – we can act as a broker, direct lender, or introducer to other lenders for vehicle purchase loans.
Personal Loans – we may act as a broker, lender, or introducer to help arrange unsecured personal loans.
Business Loans – we offer business financing, acting as a broker, lender, or introducer, depending on the funding.
Asset Finance – we facilitate asset financing (such as equipment or vehicle leasing) as a broker or introducer (we may arrange this through third-party lenders).
Mortgages & Secured Loans – we act as a broker or introducer to connect you with mortgage providers or secured loan lenders (we do not directly provide mortgages ourselves).
Credit Cards – we act as a broker or introducer for credit card products offered by third-party financial institutions.
In providing these services, we may introduce you to a limited number of other lenders or finance providers who can offer products suitable to your requirements. We will only share your information with these partners as needed to facilitate the service you’ve requested (see “Who We Share Your Information With” below). We do not charge you any fees for our brokerage/introducer services; any costs of credit will be clearly shown in your agreement with the lender. We may receive a commission from the finance provider if you enter into an agreement with them, but this does not affect the rate you pay (you can request details of any commission at any time).
The Information We Collect
We collect and process various types of personal information about you (and, in some cases, about others that you provide to us with their consent). This data helps us operate our services as a lender or broker and comply with legal requirements. We may collect information through the following ways:
Information You Provide to Us: This is information that you give us when you apply for our products or services, fill in forms on our website, communicate with us by phone, email or in person, or otherwise interact with us. This may include personal details such as:
Identification and Contact Details: Title, full name, date of birth, email address, telephone number, postal address, and any identification details (e.g. driver’s license number or passport number) you provide for verification.
Financial Information: Your income, employment status, employer details, outgoings and monthly expenditure, bank account details (such as account number and sort code for loan disbursement or repayment setup), credit card or payment card details (if you use one to make a payment to us), and your credit history or credit score if you share it with us.
Loan Application Details: For example, the amount you wish to borrow, the purpose of the loan, deposit amount (if any), asset or property value (for vehicle finance, asset finance, or mortgages), details about any collateral (for a secured loan or vehicle finance, this might include vehicle registration number or property address), and your address history (previous addresses) for credit reference checks.
Lifestyle and Demographic Information: If relevant to specific products, we might collect information such as marital status, number of dependents, or housing status (owning/renting) as part of a loan application’s affordability assessment.
Sensitive Personal Data: We do not actively ask for special category (sensitive) personal data. However, you may choose to provide information about your health or personal circumstances (for example, if you disclose a medical condition or a vulnerability that could impact how we serve you). Any sensitive data you provide will be processed only with your explicit consent and only used for the specific purpose for which you provided it (for instance, to accommodate your needs as a vulnerable customer). We will not use such information for any other purpose and will securely delete it when it’s no longer needed. (Note: We do not collect or process special categories of data unless necessary – for example, we might record that a customer has a vulnerability only with permission, to ensure we act in their best interest.)
Information We Obtain from Credit Reference Agencies (CRAs): As a regulated lender/broker, when you apply for credit or finance with us, we will conduct credit and identity checks by obtaining information about you from one or more Credit Reference Agencies. This means we will share your personal details (like name, address, date of birth) with the CRAs and receive your credit report and credit score in return. Your credit report includes information about your credit accounts, outstanding debts, repayment history, public records such as County Court Judgments (CCJs) or insolvencies, and whether you are registered to vote, among other details. Important: When a credit search is performed, a record of your search is left on your credit file. For finance applications with us, this is typically a “soft” search at the quotation stage (which does not affect your credit score and is not visible to other lenders), but if you proceed with a full application or agreement, it may be a “hard” credit search visible to other creditors. We will tell you when a search is being conducted. The CRAs will also link records of credit searches and share information with other lenders who subsequently search your file. (For more on how CRAs handle your data, see Credit Checks and Fraud Prevention below.)
Information from Fraud Prevention and Identity Verification Agencies: We may also obtain information from specialist fraud prevention agencies (FPAs) or identity verification service providers as part of processing your application. This can include verifying your identity documents, checking for any history of fraudulent activity, and confirming that the details you provided are not associated with fraudulent behaviour or money laundering. These checks help us verify your identity, prevent crime, and comply with anti-money laundering regulations. If false or misleading information is provided and fraud is identified, details will be transmitted to fraud prevention agencies and law enforcement. This could result in the refusal of services, finance, or employment elsewhere if those agencies have a record of the incident.
Information We Receive from Other Lenders or Partners: If we have introduced you to another lender or finance provider (or they have introduced you to us), or if you take up a finance product through us with a third-party lender, we may receive information back from those third parties about the product or service you obtained. For example, if we broker a loan or mortgage for you with another lender, that lender may inform us whether your application has been approved and provide details about the loan (such as the amount and term). This helps us keep our records accurate, calculate any commissions, and manage our customer relationships. We may also receive information from other third parties such as: public databases (like the electoral roll or government registries), employers or referees (to confirm employment, with your consent), or car dealers/brokers (if you are obtaining vehicle finance through a dealership, they may pass us details to process the credit). Additionally, we work with certain external services to better assist our customers – for example, we have partnered with the Vulnerability Registration Service (VRS) to identify and support vulnerable customers. This means we may check the VRS database to see if you are listed as a vulnerable individual and note any relevant support needs. The VRS is a third-party database where individuals can register their vulnerable status; we only use this information to ensure we treat you fairly and appropriately. We do not use information from such sources for marketing purposes without your consent.
Information Collected About Your Use of Our Website: When you visit our website (or use any future mobile app), we collect technical and usage data automatically. This includes, for example:
Technical Data: your device’s Internet Protocol (IP) address, browser type and version, time zone setting, device identifiers, operating system and platform, and other technology on the devices you use to access our site.
Usage Data: details of your website interactions, such as the pages or products you view, how you navigated to and from our site (the full URL clickstream to, through and from our site, including date and time), response times, download errors, length of visits on pages, page interaction information (scrolling, clicks, mouse-overs), and methods used to browse away from pages.
Mobile App Data (if applicable): if we offer a mobile application in the future and you use it, we may collect device information (like your device model and OS), app usage statistics, and crash logs. If location services are enabled and relevant to a service (for example, for security or fraud prevention), we would only collect location data with your permission.
This automatically collected information helps us understand how users use our website, enables us to troubleshoot technical issues, improve site performance, and enhance user experience. It may also be used for security monitoring (for example, detecting unusual login locations to guard against unauthorised access).
Cookies and Similar Technologies: Like most websites, we and our service providers use cookies and similar tracking technologies to collect information about your browsing activities on our site. Cookies are small data files stored on your browser or device. They help our site function correctly and can enhance your user experience (for example, by remembering your preferences or login state). We also use cookies and third-party tools for analytics and advertising. For instance, we utilise Google Analytics to understand how visitors navigate our site and to improve our content. We have enabled certain Google Analytics Advertising Features – such as remarketing and demographic reports – which means information about your visit (such as pages viewed, or if you clicked on our ads) is collected via cookies or similar identifiers. These cookies do not directly identify you by name, but they may track your device and browsing behaviour. We may use this data to show you relevant advertisements about our services on other platforms (e.g. showing you a Burnley Savings and Loans offer when you visit certain social media sites, via those sites’ advertising networks). Important: You can control or disable cookies through your browser settings. You can also opt out of Google Analytics for Display Advertising and customise Google Display Network ads using Google’s Ads Settings or by installing the Google Analytics opt-out browser add-on. To learn more about how we use cookies and how you can manage them, please see our Cookies Notice (available on our website).
Information from Communications and Telephone Calls: If you contact us by telephone, email, SMS, or other communication channels, we may monitor and record these communications for quality assurance, training, and security purposes. For example, calls to our customer service line might be recorded and stored. We use these recordings solely for legitimate business purposes, such as verifying instructions you provide, resolving complaints, improving our services, and ensuring compliance with our legal obligations. We will also retain copies of any correspondence you send us (such as emails or letters) as part of your customer record.
Open Banking Data (if you use this service): With your explicit consent, we may offer an Open Banking service to securely retrieve your financial information from your bank or accounts, in order to provide certain services (such as a more accurate affordability assessment or budgeting tools). If you choose to use Open Banking features, we will collect data such as your transaction history, account balances, regular payments, and income information from your bank or account provider. For example, open banking data could show your incoming salary payments, outgoing bills, and spending patterns. We will only access and use this data with your permission, and only to the extent necessary for the specific service (e.g., evaluating your loan affordability). Note: Open Banking services are governed by additional terms and a separate privacy notice, which we will present to you at the time, in accordance with UK Open Banking regulations. We will not retrieve or store your banking credentials; that process is handled through secure, authorised channels as per Open Banking standards.
Two-Factor Authentication Data (if applicable): If in the future we provide an online account and you choose to enable two-factor authentication (2FA) for added security, we will collect the contact details necessary to send the second-factor code (e.g. your mobile phone number for SMS 2FA). We would use this information solely to send you verification codes for logging into your account, and not for marketing. This is entirely optional and for your security; if you enable it, standard messaging rates may apply for the SMS messages.
We will not collect any personal data from you that is not needed for the provision of our services, for the legitimate interests described in this policy or to meet legal/regulatory requirements. When we request information, it is because it is necessary to provide the service you requested, to comply with our obligations (e.g., performing anti-fraud checks), or for other legitimate purposes described in this Policy. If you choose not to provide the requested information, we may not be able to offer you certain products or services. We will always indicate where information is optional.
We use the personal data we collect for various purposes in connection with providing our services to you and running our business. Below is a summary of the main ways in which we use your information:
To Process Applications and Provide Services: We use your information to set up and administer your account or agreement with us. This includes processing your loan or finance applications, conducting credit and affordability assessments, making lending decisions, and if approved, issuing the loan or arranging the finance you requested. We’ll use your data to draft and execute agreements, manage repayments, and provide any related services or aftercare. For example, we use your address and identification details to verify your identity and prevent fraud, and your financial information to decide if we can offer you credit responsibly.
To Communicate with You: We will use your contact information (email, phone, address) to communicate with you about your account and our services. This includes sending you important notices such as approval decisions, loan documents, payment reminders, statements, updates about any ongoing application, and changes to our terms or Privacy Policy. We may contact you via telephone, post, email, SMS, or other electronic means (such as messaging apps or push notifications, if you use our app) as appropriate. These service communications are necessary for us to fulfil our contract with you or to inform you of important information – you cannot opt out of receiving essential service messages.
Identity Verification and Fraud Prevention: Your data is used to verify your identity when you register or apply, as part of our efforts to prevent fraud and money laundering. For example, we may use document verification or ask security questions to confirm it’s really you. We also use personal data to monitor for and detect fraudulent or suspicious activities. If we detect fraud, we will take action to protect our interests and comply with applicable laws, which may include refusing services and reporting incidents to relevant authorities or databases.
To Provide Broker Services and Introduce Products: When you use Burnley Savings and Loans as a broker or introducer, we use your information to match you with appropriate third-party lenders or product providers. We might analyse your credit profile and preferences to determine which of our partner lenders could offer you a suitable product. If you have consented to it, we will also use your details to pre-populate application forms or facilitate the application process with those partners. For example, if you apply through us for a car finance deal that another lender will provide, we will transmit the necessary information from your application to that lender so they can process it. We also use your data to obtain indicative quotes or pre-approvals from partners (where possible, we might perform a “soft search” on your credit file to see your eligibility for partner lenders’ offers without impacting your score). This allows us to inform you of your chances of approval or show you “pre-approved” offers – but remember, any final offer is subject to the partner’s own checks and decision. We will only share your data with these third-party providers for the purpose of securing the product or service you have expressed interest in, and not for their own marketing unless you separately consent (see “Who We Share Your Information With” below for more on this).
Service Improvement, Product Development, and Analytics: We may use pseudonymized data about you, your application, how you use our services, third-party services (including credit file and open banking records) and your feedback to improve our offerings and develop new products and features. This includes analysing usage patterns on our website (for example, which pages are most visited or where users drop off in an application form) so we can make our platform more user-friendly. We may perform statistical analyses on customer demographics, credit outcomes, and product popularity to gain a deeper understanding of our customer base and business performance. Any insights derived from analytics or research will typically be in an aggregated or anonymised form, so they no longer identify individual customers. We also keep internal records for training and quality control, ensuring we maintain high service standards.
Marketing (with your consent): If you have given us your permission, we will use your contact details and preferences to send you marketing communications about our products or related financial services. This may include information about new loan products, special offers, interest rate promotions, events, newsletters with financial tips, or products from our partners that we think might interest you. We aim to tailor our marketing to be relevant – for example, if you have taken out a vehicle loan with us, we might inform you about our other products, such as business loans or refinancing offers. Alternatively, if your loan is nearing completion, we might offer a new financing deal. You are in control – we will only send marketing by the methods you’ve agreed to (e.g., email or SMS), and you can opt out at any time (see “Marketing Communications and Your Choices” below). We do not sell your information to third parties for their marketing purposes.
Personalised Recommendations: In some cases, and only if you have given your consent, we may use specific personal data (such as your credit profile and borrowing history) to profile your needs and preferences, allowing us to highlight financial products that are likely suited to you. For instance, we might analyse your credit score, existing credit commitments, and stated goals to determine that you could benefit from a debt consolidation loan or a credit card with a better rate and then inform you of such opportunities. This type of profiling is designed to provide you with more relevant suggestions and assist you in making informed financial decisions. It does not involve any automated decisions that have legal or similarly significant effects without human involvement – it’s simply a way for us to organise information and present options to you. You have the right to object to this type of processing if you wish (see “Your Rights” below).
Website Functionality and User Experience: We use data (like cookies and device information) to ensure our website and online services function correctly and securely. This includes using cookies to keep you logged in during a session, remember your preferences (such as form inputs or consent choices), and deliver content appropriately for your device. We also use certain cookies and tracking data to personalise what you see – for example, to show you targeted advertisements or to greet you by name on the dashboard. Additionally, collected technical data allows us to safeguard our site (for example, detecting unusual behaviour that might indicate a bot or attack) and diagnose and fix any issues (like a page loading slowly).
Legal and Regulatory Compliance: We process personal data as necessary to fulfil our legal obligations. This includes using your information for activities such as: reporting to regulators (e.g., submitting required reports to the FCA or HMRC where applicable), carrying out anti-money laundering (AML) and “Know Your Customer” checks before onboarding you and on an ongoing basis, preventing, detecting and investigating financial crime, and complying with lawful requests from authorities (e.g., court orders or information requests from law enforcement). If you apply for credit, we also use your data to provide mandated disclosures and treat you fairly per consumer credit laws (for example, assessing affordability to prevent over-indebtedness). We may use and retain specific data to exercise or defend legal claims as well. For instance, we keep records of your agreements and communications so that we have evidence in case of any dispute or investigation.
Anonymised or Aggregated Data Uses: Where possible, we anonymise or aggregate personal data so that you are not identifiable and use it for purposes such as research, trend analysis, and development of new products. For example, we might compile statistics like “average loan size by region” or “percentage of customers interested in electric car financing” to help guide our business strategy. This anonymised data contains no personal identifiers and is not subject to data protection law.
What We Will Not Do: We never sell your personal information to third parties – we value your trust, and your data is not for sale. We also will not share your personal data with unrelated third parties for their own marketing purposes without your consent. Our use of your data is strictly as outlined in this Policy. If we propose to use data for any new purpose, we will update you and, if required, seek your consent.
Legal Bases for Processing Your Data
We are required by law to have a valid “lawful basis” for each use of your personal data. We rely on the following legal grounds for our data processing activities:
Contractual Necessity: Many of our data uses are necessary for the performance of a contract (the agreement between you and us) or in order to take steps at your request prior to entering a contract. When you apply for or take out a loan (or use our brokerage services), we process your personal data to provide that service as part of our contractual obligations to you. This includes all core activities, such as processing your application, making a credit decision, providing customer service, and administering your account. If you do not provide the required information for these purposes, we will be unable to offer you the product or service. In summary, we need to process specific personal data to fulfil our obligations to you under the terms and conditions of the service you have requested.
Legitimate Interests: We also process some of your data based on our legitimate interests (or those of third parties) in running an effective and lawful business. “Legitimate interests” means we have assessed that our processing is necessary for a genuine and fair business interest, and that it does not override your fundamental rights and freedoms. As a credit intermediary and lender, our legitimate interests include ensuring that our services are secure, efficient, and tailored, and promoting our business, provided these interests are balanced against your privacy rights. We rely on legitimate interests for purposes such as:
Preventing fraud and ensuring security: e.g. verifying identity, detecting malicious activities, and keeping our systems safe.
Improving our services: e.g. analysing usage data to enhance user experience, developing new loan products to better serve customers, and internally auditing our processes to maintain high standards.
Marketing and communications: e.g. sending you product news or offers that are relevant (where permitted by law), engaging with you throughout your customer journey to ensure you are satisfied, and sharing data with certain partners (like advertising networks or analytics providers) to reach individuals who may be interested in our services. (Note: for any electronic direct marketing to you as an individual, we will have obtained your consent as required by law – see “Marketing Communications and Your Choices” below.)
Supporting our business operations: e.g. sharing data within our organisation and with service providers (under strict controls) to facilitate our everyday functions like IT hosting, payment processing, and customer support.
Protecting our legal rights: e.g. retaining records and sharing information with our legal advisors or authorities if necessary to defend against legal claims or enforce our terms.
Re-assessment for further credit: periodically re-assessing existing customers' eligibility for further credit by conducting soft searches and analysing Open Banking data (where we still have your consent to hold it), so we can offer products that may save you money or better suit your needs.
When we rely on legitimate interests, we ensure that we consider and respect your rights. You have the right to object to processing based on our legitimate interests in some instances (see “Your Rights” section). If you object, we will consider whether our interests in the processing outweigh the impact on your privacy, and we will stop or adjust processing if required.
Consent: We will request your consent in situations where we are required to do so by law or where consent is the most appropriate basis. For example, we seek your consent before sending you marketing emails or texts (unless you are an existing customer and the law allows us to send specific, limited marketing on an opt-out basis). Similarly, if we ever process special category sensitive data (such as health information you volunteer), we will do so only with your explicit consent and for the purpose you agreed to. If we implement new technologies (for example, biometric identification or specific cookies on our site), we will obtain consent as necessary. Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing already carried out, but it will mean we stop the specific activity going forward. For example, if you withdraw consent for marketing, we will cease sending you marketing messages. You can withdraw consent by contacting us (see “Contact Us” section below) or, in the case of email/text marketing, by using the unsubscribe mechanism provided in those messages.
Legal Obligation: In some cases, we need to process your personal data to comply with a legal or regulatory obligation to which we are subject. This includes processing necessary to fulfill our duties under financial regulations, anti-money laundering laws, consumer credit laws, tax laws, and other UK or EU legislation. For instance, we are required to verify customers’ identities and retain certain transaction records to satisfy anti-money laundering rules. We may also have to disclose data if compelled by a court order or to cooperate with regulators or law enforcement inquiries. These are mandatory data uses – meaning if you object to such processing, we may not be able to provide services to you (as we cannot violate our legal obligations).
In summary, the personal data we ask for is generally required either by law, by the need to enter/perform a contract with you, or by our legitimate business needs. We will always endeavour to inform you of the applicable basis for our processing at the point of collection (and you can contact us for further clarification if needed).
Who We Share Your Information With
To provide our services to you and operate our business, we may occasionally need to share your personal information with third parties. We only share your data when necessary, and in compliance with data protection law. We require all third parties to respect the security of your data and to treat it in accordance with our instructions. We do not sell your personal data to any third parties. Below are the types of organisations with whom we may share data:
Lender and Finance Partners: If we act as a broker or introducer for a product you’re interested in, we will share your relevant personal information with the specific lender, bank, or finance company that will be providing the credit or product. For example, if you apply for a vehicle loan through us but Lender X will actually make the loan, we transmit your application details to Lender X so they can process the loan. This typically includes the information on your application form, as well as any supporting documentation or ID verification required. The lender will use this data to assess your eligibility, perform their own credit checks or fraud checks (they may share data with CRAs and FPAs as well), and to issue and manage the credit agreement. We only share with lenders that you have agreed to explore offers from (for instance, lenders on our panel for which you want to receive quotes, or a specific lender you have chosen). These product providers are separate data controllers of your information for their product, meaning they have their own responsibility to comply with data protection laws. They should provide you with their own privacy notice when you engage with them. We ensure that these partners are bound to use your data solely for the purpose of evaluating your application, providing the product, and related regulatory compliance (such as fraud prevention or reporting). They are not permitted to use your data for other purposes (like marketing their other services to you) unless you expressly consent to them doing so. Note: If you obtain a product via one of our partners, the fact that you were introduced by Burnley Savings and Loans may also be shared with them or an affiliate network to ensure we receive correct commission and for auditing. This information, however, does not include sensitive personal details – it may simply be a reference ID or note that “this customer came through BSAL.”
Credit Reference Agencies: As described earlier, we share personal data with CRAs to perform credit searches and identity verification when you apply for a product. This typically involves sending your identifying details (name, address, DOB, etc.) to the CRA and, in return, obtaining information about your credit history. We may use one or more of the main UK CRAs, namely Experian, Equifax, and TransUnion, depending on the product and our internal policies. The CRAs will record our enquiry on your credit file. They may also share with us public data (like whether you are on the electoral roll at your given address). If you become our customer (e.g., you take a loan from us), we may also share ongoing account information with CRAs. This means we could report details of your account and repayment history to the CRAs – for example, the fact that you have a loan, the outstanding balance, your payment performance each month, and how you settle the account. If you miss payments or default on your agreement, this may be reported and could adversely affect your credit score and future ability to obtain credit. Data shared with CRAs can be retained on your credit file for a period (typically 6 years after an account is closed, whether by repayment or default). The CRAs may share your information with other organisations that perform credit or identity checks (for example, other lenders or insurers) as allowed by law. You can find out more about how each CRA uses and shares personal data in the Credit Reference Agency Information Notice (CRAIN) on their respective websites (see the Experian, Equifax, and TransUnion sites for these notices). We provide links to these notices on our website for your convenience. (See also section “Credit Checks and Fraud Prevention” below for more details.)
Fraud Prevention Agencies: When processing your application and throughout your relationship with us, we may share information with fraud prevention agencies (FPAs) (such as databases that flag known fraudulent identities or activities). This is to help us and other financial institutions identify and prevent fraud and money laundering. The information shared could include personal identifiers, contact information, and details about any suspected fraud or reported misbehaviour. If we determine that you pose a fraud or money laundering risk (for instance, if our checks flag inconsistent information or you are proven to have submitted false details), we will report this to FPAs. Law enforcement authorities may access this data. Be aware: If your data is recorded by fraud prevention agencies as having a risk indicator, it may result in other companies refusing to provide you with services, credit, or employment (if the role involves trust and finance). These records are typically retained for several years. For details on the fraud prevention agencies we use and their data handling practices, please contact our Data Protection Officer (see the Contact Us section) for further information.
Service Providers and Data Processors: We employ trusted third-party companies to perform certain business operations on our behalf. These include, for example: IT and cloud hosting providers (who may host our website or databases), customer management and support tools, email and SMS delivery services, payment processing services (for handling Direct Debits or any online payments securely), identity verification services (to help confirm IDs or perform anti-impersonation checks), debt collection agencies (if ever needed to assist with overdue accounts), and professional advisors (such as auditors, accountants, or legal counsel). We only share the information necessary for these providers to carry out their functions. For instance, if we use an email service to send out newsletters, we would provide your email address and name to that service, but they are not permitted to use your data for anything outside of our instructions. All our service providers are subject to contracts that enforce strict data protection obligations, meaning they must secure your data and can only process it for the purposes specified by us. We conduct thorough due diligence to ensure they meet the highest security standards. Examples of service providers include our cloud database host (which securely stores customer data), our website analytics tools (which may process usage data), and any backup storage services. These providers act as “data processors” on our behalf. We remain responsible for how your data is used by them, and we ensure that they treat it with the same care as we do.
Group Companies: If Burnley Savings and Loans is part of a group of companies in the future (for example, subsidiaries or affiliates under common ownership), we may share your information within that corporate group as needed to operate our services. Currently, Burnley Savings and Loans Limited operates as a single company (independent). If this changes (for instance, if we establish a parent company or sister companies), and if those related entities require access to personal data (say for centralised management, compliance, or analytics), we will only share what is necessary and ensure those entities are bound by similar privacy obligations. Any intra-group sharing would still be limited to the purposes outlined in this Policy.
Advertising and Analytics Partners: We may share specific, limited data with advertising networks, social media platforms, and analytics companies to assist us with marketing and enhancing our outreach. For example, we might provide a hashed (encrypted) version of your email or phone number to online platforms like Facebook, Instagram, Google, or others to help identify if you are a user of those platforms, so we (or they on our behalf) can show you targeted advertisements. This technique is often used to either exclude existing customers from seeing irrelevant ads or to include people in audiences for promotions (such as finding “lookalike” audiences who have similar characteristics to our customers). We also work with Google Analytics and similar tools that may involve sharing data (such as cookie identifiers and site usage information) to analyse usage and measure the effectiveness of our advertisements. These partners may use cookies or tracking pixels on our website that collect data about your interactions (see “Cookies” above). All such activities are conducted under appropriate legal bases – for instance, we will seek consent for non-essential cookies and targeted advertising where required. You can opt out of many advertising platforms’ targeted advertising programs through their own privacy settings or via third-party opt-out tools. If you have opted out of our marketing, we will also endeavour to inform these advertising partners not to serve you targeted ads on our behalf.
Other Third Parties in Specific Circumstances: We might share your data with other parties in specific scenarios, such as:
Business Transfers: If we ever sell or transfer part of our business or assets, or undergo a merger or reorganisation, your personal data may be disclosed to the prospective buyer/new owner as part of the transaction. We will ensure that any such disclosure is subject to confidentiality and is only made as necessary for the transaction’s due diligence or completion. Similarly, if we acquire another business, your data might be shared within the expanded company. In the event of any such occurrence, we will ensure that your data remains protected and is used in accordance with this Policy.
Legal Requirements: We will disclose personal information to courts, law enforcement, regulators, government authorities, or other organisations if legally required to do so or if we believe in good faith that such disclosure is necessary. This includes complying with court orders or subpoenas, responding to lawful requests by public authorities (including for national security or law enforcement purposes), or enforcing our Terms and other agreements. For example, we may share information with the police or fraud investigators if we suspect criminal activity such as fraud or identity theft. We may also share data with the Information Commissioner’s Office (ICO) or the Financial Ombudsman Service if they are investigating a complaint you made.
Regulatory Bodies: As a regulated firm, we may be required to share data with the Financial Conduct Authority (FCA) or other regulatory bodies for supervision, compliance, or reporting purposes. For instance, during an FCA audit or review, they may request specific customer files or communications to ensure that we are treating customers fairly. We will only provide what is required and permitted by law.
Professional Advisors and Insurance: We may share information with our lawyers, auditors, accountants, or insurers where necessary to obtain professional advice or manage legal disputes/insurance claims. These parties are also bound to confidentiality.
In all cases of sharing, we minimise the data disclosed to only what is needed for that third party to perform its task. We also have agreements in place to ensure that any third party protects your data. Aside from the parties listed above, we will not share your information with any other third parties unless you have specifically requested us to do so or we have a legal obligation to do so.
Credit Checks and Fraud Prevention – Further Details
Because credit and identity checks are central to our services, we want to provide additional clarity on how your data is used in these processes and how it might affect you:
Credit Reference Agencies (CRAs): When you apply for credit or finance through Burnley Savings and Loans, we will perform checks with CRAs. The CRAs will keep a record of the search (known as a “footprint”). If the search is a “hard” credit search (usually conducted at the point of agreement), it can be visible to other lenders who view your report and may slightly impact your credit score. If it’s a “soft” search (for example, a quotation eligibility check), it will not affect your score and isn’t visible to other companies (only you can see it). We’ll endeavour to use soft searches for initial eligibility and only conduct a hard search when necessary (such as just before finalising a loan), in line with responsible lending practices. We may also perform these soft searches periodically while you are an existing customer, solely to gauge eligibility for further credit; you may opt out of this at any time.
The data we exchange with CRAs can include: your personal details (name, addresses, DOB), credit application details, details about your financial associates (anyone you have a joint account or credit link with), and information about your credit history that the CRAs provide to us (such as existing credit accounts, outstanding balances, payment arrears, history of insolvency or judgments, etc.). We use this information to assess creditworthiness and suitability for our products or those you seek via our partners. This helps us make fair and informed decisions.
If you become a customer, we may report the status of your account to the CRAs. For example, we will inform the CRAs whether you pay on time or have fallen behind. If you pay us on time, it can help build a positive credit history for you; if you miss payments or default, it will likely harm your credit history. A default typically means you failed to repay after multiple reminders, and we closed your account. This is typically recorded and remains on your file for six years, which can make it more difficult or expensive to obtain credit during that period.
It’s essential to ensure that the information you provide us is truthful and accurate, as we will verify it against external sources. If we find inconsistencies (for example, a different address on your credit file than the one you provided, or undisclosed credit commitments), we may request clarification from you.
Multiple Credit Applications: Note that if you make multiple credit applications in a short period (with us and/or others), multiple hard search footprints might appear on your file, which could temporarily lower your credit score. If you are shopping around for credit, consider using eligibility checks or brokers that use soft searches (like our initial checks) to minimise impact.
Your Credit File: You have the right to access your credit file and to correct any wrong information. If you believe something on your credit report that we contributed (like a search or account record) is incorrect, you can contact us or the CRA to have it reviewed.
For more detailed information about how CRAs handle your data, you can refer to the “Credit Reference Agency Information Notice” (CRAIN). The three main CRAs in the UK have this notice available on their websites: Experian (experian.co.uk/crain), Equifax (equifax.co.uk/crain), and TransUnion (transunion.co.uk/crain). These notices explain what data the CRAs hold, how they share it, the retention periods, and your rights in relation to CRA data. You can also find general information on credit files on the ICO’s website and via organisations like Citizens Advice.
Fraud Prevention: We participate in data sharing with fraud prevention agencies (such as CIFAS and others). If you provide false or misleading information and fraud is identified, the details will be forwarded to these agencies. Law enforcement organisations can access this information to investigate and prevent crime. The types of data that may be shared include personal identifiers, contact information, suspected fraud details, and modus operandi (patterns of behaviour). Fraud records can result in others refusing services to you – it’s a serious measure, so it is only done where warranted.
We also use fraud prevention data to verify identities. For instance, when you apply, the information you provide may be checked against records like the electoral roll, sanction lists, or databases of known fraudulent identities. This could involve an electronic identity check where your information is matched to records held by a credit agency or identity provider (this counts as a soft search purely for ID verification, not for credit risk assessment). If we cannot verify your identity through these means, we may request additional documents, such as a passport or utility bill, or utilise a third-party identity verification service. In some cases, if identity verification is not possible, we will be unable to provide services.
Automated Decisions in Checks: Some of our credit and fraud checks involve automated decision-making. For example, we might use an automated system to initially score your credit application (taking into account information like credit score, income, and existing debts) to determine if you meet our lending criteria. Additionally, automated systems may instantly flag a transaction as suspicious if it matches a fraud rule (e.g., an application originating from a high-risk IP address may be paused for manual review). You have rights relating to automated decisions (see “Automated Decision-Making” and “Your Rights” sections). If you are declined based on an automated credit check, you can request a review, and we will have a person reevaluate your application.
If you want to learn more about the fraud prevention agencies and credit reference agencies we use, or obtain their contact details, please reach out to us. We can provide a copy of relevant information or direct you to their privacy information. Remember, you can also obtain a copy of your credit report from each CRA (the law entitles you to a free statutory credit report).
Marketing Communications and Your Choices
We would like to keep you informed about products and services from Burnley Savings and Loans (and occasionally from our partners) that might benefit you. However, we will only do so in accordance with your marketing preferences and applicable law. This section explains what you can expect and how you can manage your communication preferences:
Types of Communications: With your consent (or as otherwise permitted by law), we may send the following types of marketing and informational communications:
Product Offers and Updates: Personalised offers for financial products that we believe could interest you. For example, if you have a car loan with us, when you near the end of the term, we might offer a new deal for your next car. If you have inquired about business loans, we might send updates about our business financing options. These communications may highlight special interest rates, new product launches, or pre-approved credit limits (if applicable). They may also include invitations to apply for additional borrowing or refinancing if our eligibility checks suggest you are likely to be accepted. We strive to time these and tailor the content based on what’s relevant to you.
Educational Content and News: General newsletters or content about managing finances, improving credit scores, budgeting tips, industry news (like regulatory changes that might affect borrowers), or updates about Burnley Savings and Loans (such as new branch openings or community initiatives). We send these to provide added value beyond just offers.
Surveys and Feedback Requests: Occasionally, we may reach out to ask for your feedback on our services or to participate in customer satisfaction surveys. These help us improve our offerings. Participation is completely voluntary.
Channels: We typically send marketing via email if we have your email address and consent. We may also use SMS/text messages, postal mail, or telephone for marketing if you have agreed to those channels. For instance, if you agree to receive offers by SMS during your application, we may send a text with a link to a new loan offer. Push notifications may be used in a mobile app scenario if you opt in. Each method will only be used if you have not opted out of it. We will not bombard you – we aim to send a reasonable number of communications and only with pertinent information.
Third-Party Marketing: We do not share your contact details with third-party companies for their marketing unless you explicitly consent to that. For example, we won’t sell your email address to an insurance company for cold contact. If we ever promote a partner offer, that communication will come from us, not the partner, unless you have a direct relationship with that partner. We may include offers from our trusted partners in our own communications (for instance, “check out [Partner Bank] credit card with 0% for 12 months, available via our site”). However, the communication is ultimately under our control.
Opting In: At the point of data collection (e.g., when you fill a form or create an account), you will be given the option to opt in to marketing. This might be presented as tick-boxes (e.g., “Yes, I would like to receive news and offers from Burnley Savings and Loans via email”). We try to make this granular, meaning you can choose the channels or topics you’re interested in. For example, separate checkboxes for email vs SMS, or for different product categories, so you only get what you want. If you do not check or select these options, we will assume you do not want to receive marketing and will not send it. You can still use our services regardless of your marketing preference.
Opting Out / Unsubscribing: You have the right to opt out of marketing at any time. If you no longer wish to receive marketing communications from us, you can do any of the following:
Click “Unsubscribe” – All our marketing emails will contain an unsubscribe link (usually at the bottom). Clicking this will allow you to stop further emails from that list. We will process these requests as quickly as possible.
Contact us directly – You can email us at any time at info@bsal.co.uk or call us at 01282 454744 to let us know you want to opt out of some or all marketing. If you write to us, please include your name, contact details and a note that you do not want marketing contact. Our staff will update your preferences accordingly.
Account settings: If we provide an online account or preference centre, you can log in and change your marketing preferences there (e.g., untick certain types of messages or all communications). We’ll make sure any such changes are honoured.
Once you opt out, we will cease using your information for direct marketing purposes. Please note that opting out of marketing will not affect service communications – you will still receive necessary emails or messages about your active accounts, transactions, or other non-marketing matters (as described earlier, these are not optional). If you opt out via one channel (e.g., email), we will endeavour to remove you from all marketing. However, you can specify if, for instance, you don’t mind receiving SMS but not email, etc.
Opting out of marketing also stops our periodic eligibility monitoring for promotional purposes (we will still run statutory credit checks needed to service any live agreement you already have).
Third-Party Advertising Opt-Outs: If we are using advertising partners (such as social media platforms) to target ads to you and you no longer want to see them, in addition to opting out with us (which we will action), you can also adjust your ad preferences on those platforms. For example, you can adjust your Google Ads settings and Facebook ad preferences to control interest-based ads. Additionally, industry opt-out websites, such as YourAdChoices (for various ad networks), can be utilised. Please note that, even after opting out of our marketing, you may still see generic Burnley Savings and Loans advertisements on the web that are not explicitly targeted using your data (for example, banner ads on a website for everyone in a particular region). Those are not directed by your personal data but rather by general advertising.
After Opting Out: When you opt out of marketing, we will retain enough of your information to ensure we honour your no-contact request going forward. For example, we may keep your email address on a “suppression list” to ensure it is not inadvertently included in a future campaign. This doesn’t mean we’re still marketing to you; it’s purely for compliance.
We promise to make it easy to opt out and to respect your choices. We do not want to send unwanted messages. If you ever feel you are receiving marketing from us that you did not agree to, please contact us so we can investigate and correct the situation.
Automated Decision-Making and Profiling
In some cases, we use automated processing of your personal data to make decisions or to profile aspects of your creditworthiness or preferences. “Automated decision-making” means that a decision concerning you is made by a computer system based on algorithms, without a human reviewing each case. We use automated decision-making primarily to expedite and ensure consistency in our credit decision process. For example:
Credit Scoring: When you apply for a loan or other credit product, our systems may automatically calculate a credit score or affordability assessment based on the information you provided and data from credit reference agencies. This score helps determine whether your application meets our lending criteria. It considers factors like your income, existing debts, credit history, and other information. A threshold is set, and if your score is below that threshold, the system might automatically decline the application at that stage (subject to manual review as needed). This helps us handle applications quickly and fairly, applying the same criteria to everyone. Rest assured, if your application is automatically declined, you have the right to request a human review of the decision. We will then have an underwriter or credit officer reassess your application manually. We understand not everyone’s situation fits a standard model, and we’re happy to consider additional information you provide upon review.
Fraud Screening: Our fraud detection systems may automatically flag and decline certain activities that appear to be of high risk. For instance, if an application triggers multiple severe fraud rules (such as an identity associated with confirmed fraud or an IP address from a region known for fraudulent attacks), the system may automatically prevent further processing of that application. In most cases, though, potential fraud flags result in a referral for manual investigation rather than an outright automated denial.
Profiling for Product Offers: As mentioned in the Marketing section, we might use automated logic to segment customers or website visitors into groups based on their attributes or behaviour. For example, our system could analyse your credit profile and interactions and categorise you as someone who might benefit from a particular product (like a secured loan versus an unsecured one) and then automatically show you content or offers related to that product. This kind of profiling is aimed at personalising your experience. It does not have legal effects or similarly significant effects on you – it’s more about which adverts or recommendations you see. You always have the option not to act on those suggestions.
No Fully Automated Rejections Without Safeguards: We do not make any solely automated decisions that produce legal or similarly significant effects without providing you with an opportunity for human intervention. Credit decisions are important, but we ensure there’s a safety net (e.g., the ability for you to appeal or have a person check it). Any automated process is regularly tested for fairness and accuracy to avoid biased outcomes.
Your Rights regarding Automated Decisions: Under the UK GDPR, if a decision is made about you based solely on automated processing (and it has a significant effect on you), you have the right to:
Request human intervention, so that an actual person reviews the data and decision.
Express your point of view about the decision, especially if you believe the automated process overlooked something important.
Contest the decision if you believe it was incorrect or unjust.
For example, if an automated credit risk decisioning system declined you, you might contact us with additional context (perhaps your credit file had an error, or you have a strong recent income change that wasn’t reflected) and ask us to reconsider. We will review such requests seriously.
Why use automation? Automated decision-making enables us to deliver faster decisions (often within minutes or instantly) rather than requiring you to wait days for a manual review. It also ensures consistency, so similar inputs yield similar outcomes, reducing human error or bias. We calibrate our systems using historical data and industry standards to aim for accuracy. However, we acknowledge that automated systems are not perfect, which is why we have the safeguards and human oversight mentioned.
If you have any questions about our use of automated decision-making or want to object to a particular use, please contact us (see “Contact Us” below). We are transparent about where we use these tools and want you to feel comfortable with how your data is processed.
How We Protect Your Information
We take the security of your personal data extremely seriously. We have implemented a variety of technical and organisational measures to guard your information against unauthorised access, loss, alteration, or disclosure. These are some of the key steps we take to protect your data:
Secure Storage: All personal information you provide to us is stored on secure servers. We utilise reputable hosting providers that adhere to robust security practices. Data is typically encrypted at rest (where feasible) and always encrypted in transit (we enforce HTTPS for our website, meaning data is encrypted between your browser and our website). We maintain firewalls and access controls to prevent unauthorised access to our systems.
Access Control: Internally, we restrict access to your personal data to employees, agents, and contractors who require access to process it on our behalf. They only access the minimum amount of data required for their role (principle of least privilege). All staff are trained on confidentiality and data protection. Our offices and IT systems are secured with physical controls, passwords, and multi-factor authentication where appropriate.
Password Protection and Encryption: If you set up an online account with us in the future, your account will be protected by a password (or other secure login method) which you should keep confidential. We do not store plaintext passwords – they are hashed or encrypted. Highly sensitive personal data (if we ever handle any, such as ID scans or bank statements for underwriting) is stored in an encrypted form. When we transfer data internally or to service providers, we use encrypted channels (VPNs, secure FTP, etc.).
Monitoring and Testing: We continuously monitor our systems for potential vulnerabilities and attacks, and conduct regular security testing. This includes routine software updates (to patch security issues), periodic penetration tests by security experts, and continuous observation for any suspicious system activity. We also have logging in place, allowing us to audit access to personal data and detect any irregularities.
Secure Disposal: When we no longer need personal data (at the end of its retention period – see Retention section), we delete it securely. Physical documents are shredded or incinerated, and digital data is deleted in a manner that it cannot be readily recovered. Our service providers are contractually bound to do the same.
Organisational Measures: We have a range of internal policies and procedures to ensure data is handled safely. For example, we have an incident response plan so that if any data breach were to occur, we can react swiftly to mitigate harm and notify the appropriate parties (including you and regulators, as required by law). We regularly review who has access to what, and we ensure data protection and privacy by design in new projects (meaning we consider privacy at the outset when designing new systems or features).
While we strive to protect your data, it’s important to understand that no method of transmission over the internet or electronic storage is 100% secure. We thus cannot guarantee absolute security. For instance, email communications or web forms, if not protected, could be intercepted by bad actors, though we use encryption to minimise this risk. Any data you send to us is at your own risk. Once we receive your data, we will implement strict procedures and security features to prevent unauthorised access. If we become aware of a data breach that is likely to result in a high risk to your rights and freedoms, we will inform you and the ICO as required by law.
Your Responsibilities: You also play a role in keeping your information secure. We advise that you use strong, unique passwords for any online accounts (including with us), do not share your account login details with anyone, and be cautious of phishing scams (e.g., emails that look like they’re from us but are not – always verify the sender or contact us if unsure). We will never ask you for your password via email or phone. If you suspect any unauthorised access to your account or data, let us know immediately so we can assist.
International Data Transfers
Burnley Savings and Loans is based in the UK. Generally, we prefer to process and store data within the UK or the European Economic Area (EEA), which has strong data protection laws. However, some of the third parties we work with (or certain technical solutions we use) may involve transferring or storing your personal data in other countries. For example:
• We use cloud services or IT providers that may host data on servers located outside the UK/EEA (for instance, in the United States or other countries).
• If you apply to a lender or partner based outside the UK/EEA through us (less common, but possible in certain specialist finance scenarios), your data may be sent to that entity abroad.
• Our customer service operations or certain team members may occasionally access data remotely while travelling or from an offshore location (for instance, if we use an outsourced support service or have a development team in another country).
Whenever we transfer your personal data out of the UK (or EEA) to a country that is not deemed by UK authorities (or the European Commission) to have an adequate level of data protection, we ensure that appropriate safeguards are in place to protect your information. These are typically:
Standard Contractual Clauses (SCCs): These are legal contracts approved by the European Commission (and recognised in the UK) that bind the receiver of the data to protect it according to EU/UK standards. We sign SCCs with non-UK/EEA service providers unless they are covered by another valid mechanism.
UK International Data Transfer Agreement/Addendum: The UK has its own adaptation of SCCs. We use these when required for transfers from the UK.
Adequacy Decisions: If the country has been officially deemed to provide adequate protection by the UK (or EU), such as countries in the EEA or a few others like New Zealand or Canada, for certain data, then we rely on that decision.
Additional Security Measures: In some cases, we may implement extra technical measures, such as encrypting data before transfer, so that even if it’s stored or processed abroad, it remains protected.
For example, if we use an email service whose servers are in the US, we will have an agreement incorporating SCCs with that provider to ensure your data is safeguarded. Or, if we work with a tech support team in India (for illustration purposes), we would also have contracts and ensure secure remote access protocols.
We also require that any foreign recipients apply the same level of protection as we would have in the UK. We monitor developments and guidance around international data transfers to ensure continued compliance.
If you would like more information about international data transfers (including details of specific safeguards in place for particular services), you can contact our Data Protection Officer. We can provide copies of relevant contract terms or further explanations as appropriate.
Data Retention – How Long We Keep Your Data
We will keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. This duration will vary depending on the nature of the data and our interactions with you. Here are some general guidelines we follow:
Active Customer Accounts: If you have an ongoing loan or an open account with us, we will retain your personal data for the life of that account or contract. This enables us to effectively manage the service (e.g., process payments, send statements, respond to inquiries) and comply with our contractual obligations.
After Closure of Account/Service: Once your relationship with us ends, for example, after you repay your loan in full or you decide not to proceed after getting a quote, we generally retain your data for a defined retention period. In most cases, this is up to six (6) years from the end of our relationship or the date of the last transaction. A six-year retention period is common in financial services, as it aligns with certain legal requirements and the UK’s statute of limitations for contractual claims. This means if any dispute or legal issue arises within six years, we have the records to defend or address it. It is also aligned with guidance from our regulator (the FCA) and practices across the industry for record-keeping.
Regulatory and Legal Requirements: Certain information may need to be retained for specific periods due to legal requirements. For example, anti-money laundering regulations may require us to keep identity verification and transaction records for 5 years from the end of the customer relationship (or longer if required by local transposition of the EU 5th AML Directive). Also, if you make a complaint, the Financial Ombudsman Service expects firms to have relevant records (complaints can be raised within 6 years or 3 years from when you became aware of an issue). Thus, the 6-year timeframe generally covers these needs.
Anonymised Data: In some cases, rather than fully deleting data, we may anonymise it (so it can no longer be associated with you) and retain it for longer for analysis. For instance, we might keep anonymised loan performance data to study credit risk trends. This is not personally identifiable and, therefore, not subject to the same retention limitations.
Marketing Data: If you are not a customer but have subscribed to receive marketing communications (for example, you signed up for our newsletter), we will retain your contact information for marketing purposes until you unsubscribe or the information becomes inaccurate. If you unsubscribe, we will promptly remove you from our marketing lists. However, we may keep your contact information on a suppression list indefinitely to ensure we don’t accidentally contact you.
Recruitment Records: (If applicable) If you applied for a job with us, personal data in recruitment will be kept only for the recruitment period, unless we need to retain it longer for legal reasons or if you consent to us keeping your CV on file for future openings.
At the end of the relevant retention period, we will either securely delete or destroy the personal data, or pseudonymise/anonymise it if we still need it for statistical purposes. For example, our databases may purge personal identifiers while keeping general account information for portfolio risk analysis.
Retention Example: Suppose you took a loan with us that ended on 1st July 2025 (fully repaid). We will keep your records until at least 1st July 2031 (6 years later). After that, the data may be deleted around that time in our normal purge cycles, except for any minimal data we retain longer (such as your name and the fact that you were a customer, to prevent re-fraud or for legal holds). If an issue arose in 2027 (within the 6 years), we’d have the info to address it. If you simply inquired about a loan in 2025 but never proceeded, we might keep that inquiry data for a shorter period (perhaps 1-2 years) unless there’s a reason to retain it longer (like a potential fraud record, or you asked us to keep your file in case you come back).
Extended Retention: There are scenarios where we might need to keep data beyond our standard period, such as:
• If there is a legal dispute or proceeding, we would preserve relevant data until it is resolved (even if that goes beyond the normal retention schedule).
• If instructed by law enforcement or regulators to retain data (for example, if an account is under investigation), we will keep it as required.
• If you exercise certain rights like suppression (as mentioned, e.g., opt-out of marketing), we keep minimal data indefinitely to honour that.
Once we consider that we no longer need your personal data, we will securely delete it. We also periodically review the data we hold to ensure we’re not keeping anything longer than necessary.
Note on Backup Systems: It’s possible that when we delete data from our active systems, it might remain for a time in secure backups. We have processes to eventually purge or overwrite backups too, or to ensure that if data is restored from a backup, it’s deleted again if it should no longer be in live systems. We strive to ensure no personal data lingers beyond what’s needed.
If you have any questions about our retention policy or wish to know if we still have certain information about you, you can contact us for details.
Links to Other Websites
Our website may contain links to websites or mobile apps operated by third parties (for example, links to partner lenders, credit reference agencies, or helpful resources). If you follow a link to any website that is not operated by Burnley Savings and Loans, please be aware that those third-party sites have their own privacy policies, and we do not control how they collect or use your data. We encourage you to read the privacy policy of every site you visit. We are not responsible for the content or data practices of external websites. This Privacy Policy applies solely to data collected by Burnley Savings and Loans for our services.
For instance, if you click a link on our site that takes you to a separate credit broker service or a news article on another domain, any information you provide on that external site will be governed by that site’s privacy practices. However, if you come back to our site or provide information to us, our Policy will apply at that point.
We do provide links to trusted partners and reputable organisations (such as the Vulnerability Registration Service, MoneyHelper, Citizens Advice, etc.) to assist our customers. None of these organisations receives your personal data from us just by virtue of you clicking a link. You would have to engage with them separately and provide data directly to them for them to have it.
In summary, please exercise caution and look at the privacy statements applicable to each website you visit through links on our site. If you have any concerns about a link on our site (e.g., you think a link is malicious or broken), let us know, and we will investigate or remove it if necessary.
Automated Decision-Making and Profiling (Your Rights and Further Info)
(This section is an addendum to the earlier explanation about automated processes, emphasising your rights and our responsibilities around them.)
As described, we may use automated processing, including profiling, to make decisions about you or to analyse your personal aspects. Under data protection law, you have specific rights when such automated decisions significantly affect you:
Right to Human Review: If a decision has been made about you purely by a computer (for example, an algorithm declining your application without any human input) and it has a legal or similarly significant effect, you can request that a human being review that decision. We will then have one of our team members (e.g., a credit underwriter) review your application and the data, consider any additional information you provide, and make a fresh decision or confirm that the automated decision was appropriate. In practice, we often already include human oversight, especially for borderline cases, but your right ensures you can demand it if needed.
Right to Express Your Point of View: You have the right to request an explanation of an automated decision and provide additional information or context for our consideration. For example, you might say, “I believe the decision was wrong because it didn’t take into account X.” We will listen to your viewpoint and factor it in during a review.
Right to Contest the Decision: You can object to an automated decision, and we will then investigate whether the decision was made correctly. If it wasn’t, we may reverse it or adjust it (for instance, if an automated decline was based on an error in your credit file that later gets corrected, we might be able to change the outcome).
Please note that these rights apply when the decision in question is solely automated and has a significant effect. Many decisions we make are not solely automated (often there is some human check, or the decision might not be impactful in a way that triggers the rights – e.g., automated filtering of marketing preferences would not qualify). But for credit eligibility, which can be significant, we treat it carefully.
Example: If you were automatically declined for a personal loan, you could reach out and say you wish to have it reviewed. We would inform you of any basic reason we can (sometimes it might be “the credit score did not meet our cutoff” – though we might not be able to divulge detailed scoring algorithms). You could then, for instance, point out that your credit report had an error (like a wrongly recorded missed payment) or that you have additional income not reflected in your initial application. We would then have a human consider that and potentially re-run the assessment with corrections or override the automated decision if appropriate. We want to ensure deserving customers are not unfairly turned away due to an automated process.
On the other hand, if the automated process was a straightforward enforcement of our policy (e.g., “under 18, auto-decline”), a human would likely uphold it (because we legally cannot lend to minors). But at least you would get confirmation that it wasn’t some arbitrary or incorrect factor.
Profiling Transparency: You are also entitled to ask if we are profiling your data and get some information about the logic involved and what it means for you. We’ve explained some of that above (like credit scoring factors, etc.). If you have questions like “how did you calculate my eligibility?” we can provide a general explanation (keeping in mind that detailed algorithms might be protected for fraud prevention or proprietary reasons).
We hope that our use of automation benefits you with quicker and fair service. But we understand the need for transparency and fairness, so we commit to not using automated decisions in a way that discriminates against or unjustly impacts individuals. Our models do not consider any protected characteristics (such as race, religion, etc.) and are designed solely around credit risk and fraud risk factors. We regularly test outcomes to ensure fairness.
If you remain concerned about any automated processing, please contact us. We can clarify if a decision was automated and work with you to address any issues.
Your Rights Under Data Protection Law
As a data subject (an individual whose data we hold), you have several important rights under UK data protection laws. We are committed to facilitating these rights. Below, we outline your key rights and how to exercise them:
Right to Access (Subject Access Request): You have the right to request a copy of the personal data we hold about you, as well as to obtain information about how we process it. This is commonly known as a “Subject Access Request” (SAR). Upon request, we will provide you with a copy of the information in a commonly used format, along with details on the sources, purposes of processing, and who it has been shared with, unless an exemption applies. How to exercise: You can submit a written request (via email or letter) – see the Contact Us details below. To ensure we release data to the right person, we will need to verify your identity (we may ask for a form of ID or ask security questions). We do not normally charge a fee for this service (it’s free), and we aim to respond within one month of receiving your request (and verification). If your request is complex or numerous, we may extend the time by up to two further months, but we will inform you if that’s the case. Also, if you specifically want certain information (e.g., “I want phone call recordings from June” or “I want copies of specific emails”), telling us that can help us fulfil your request more efficiently.
Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. For example, if we have the wrong address or a misspelt name, or an outdated phone number, please inform us, and we will update it. We strive for accurate data, so we welcome corrections. In many cases, you can directly correct certain data (like your contact details) by logging into your account (if online access is available). If that’s not possible, please contact us and we’ll make the necessary adjustments. We will do so as soon as possible, typically within one month. If, for some reason, we cannot act (e.g., if we believe the data we have is correct and your request is unfounded, or if the data is part of a record that we must keep unchanged for legal reasons), we will explain that to you.
Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data in certain circumstances. This right is not absolute, but you can ask us to erase data, for example, if: (a) the data is no longer necessary for the purpose we collected it, (b) you originally gave consent and now want to withdraw it and we have no other lawful basis to keep it, (c) you have objected to processing (see right to object) and we have no overriding grounds to continue, or (d) we may have processed your data unlawfully. If you request erasure, we will assess whether the conditions are met. If they are, we will securely delete or anonymise the data. We will also inform any third parties we’ve shared it with (where feasible) about your deletion request. Please note that, due to regulatory reasons, we may not be able to delete all data immediately. For instance, if you’ve had a financial product with us, we are required to keep records for a certain time (e.g., 6 years as mentioned). In such cases, we might not be able to fulfil an erasure request until that period passes. Instead, we would suppress your data from active use. We’ll explain to you what we can and cannot erase at the time of your request. Additionally, if you withdraw your consent for marketing, we will remove you from marketing lists – you don’t necessarily need to request full erasure for this purpose.
Right to Restrict Processing: In certain situations, you can request that we limit the processing of your data (essentially marking it so that we only store it but don’t actively use it until the restriction is lifted). You might exercise this right if you have a dispute over the accuracy of the data or an objection pending, or if our processing is unlawful and you want to prevent further use but not deletion. For example, if you contest an entry on your file, you can ask us to restrict processing of that data until it’s resolved. During restriction, we can still retain the data, but we won’t engage in activities such as sending you marketing or sharing it (except for storage or if required for legal purposes). If the issue is resolved or you consent, we’d remove the restriction and notify you. We’ll inform you when the restriction is in place and when it’s lifted.
Right to Data Portability: You have the right, in certain cases, to receive your personal data that you provided to us in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller at your request. This typically applies to data processed based on your consent or under a contract, and which is processed by automated means. For instance, if we have an online account in the future and you provide data directly into it, you could request a CSV or JSON file of the data you entered (such as your profile information or transaction list) to transfer to another service. Or you could ask that we directly transfer it to a new provider if technically feasible. This right is intended to help you reuse your data across services. It’s not likely applicable to most of our processing (since credit decisions aren’t exactly portable, and much of our data is for regulatory requirements), but if you have such a request, we will do our best to accommodate it. For example, if you need a copy of your loan payment history to provide to another lender, we can provide it in a spreadsheet format.
Right to Object: You have the right to object to certain types of processing of your personal data:
Direct Marketing: You can object to (opt out of) having your data processed for direct marketing purposes. If you object, we will cease such processing immediately. This includes any profiling related to direct marketing. (As explained earlier, you can opt out via the provided channels).
Legitimate Interests: If we are processing your data based on legitimate interests (or performing a task in the public interest) and you feel it impacts your rights and freedoms, you have the right to object to that processing. Upon your objection, we must stop the processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless the processing is for the establishment, exercise, or defence of legal claims. In simpler terms, if you object, we’ll pause and assess our reasons for processing versus your reasons for objecting. If your rights should prevail, we’ll stop that processing. For example, you might object to certain data being used for analytics – if it’s not essential, we would likely comply and stop using it for that. However, if you object to processing that is fundamental to providing your service (like reporting to CRAs or using data to prevent fraud), we may inform you that we cannot cease that processing and still provide you with the service (or comply with the law). In such a case, you might have to choose to terminate the service if you don’t agree, but we’ll discuss it with you.
Right to Withdraw Consent: Where we rely on your consent to process data, you have the right to withdraw that consent at any time. We’ve covered this under various sections (marketing, special data, etc.), but to reiterate, withdrawing consent will not affect the lawfulness of processing that happened before the withdrawal. Once consent is withdrawn, we will cease processing that was based on the consent. There is no penalty or impact on your service for withdrawing consent – for example, if you withdraw consent to marketing, you still get your loan on the same terms; or if you withdraw a consent you gave during an application (like to fetch open banking data), it just means we won’t continue that optional part. To withdraw consent, you can contact us via email/phone (see Contact Us below) or use specific opt-out mechanisms (unsubscribe links, etc.). For consents like cookies, you can also adjust settings on your device.
Right Not to be Subject to Automated Decisions: As discussed, if a decision with legal or significant effect is made solely by an algorithm, you have the right to contest it or have human intervention. We list this separately to emphasise you can say, “I don’t want decisions about me made by computers alone.” While we may not always be able to accommodate requests in real-time (some decisions, such as initial credit scoring, must be automated due to volume), we will ensure that a human is available to review if you request it.
These rights are provided at no cost to you. However, we are allowed by law to charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive (for example, repetitive requests). We rarely, if ever, resort to that. If we decide that a request is excessive (for example, if you submit a SAR every week), we would inform you of why we believe it’s excessive and either ask you to narrow it down or explain the fee. However, we generally aim to be helpful and respect your rights.
To exercise any of your rights, please contact us (see next section for contact details). We may need to request proof of identity (especially for SAR, deletion, etc.) to ensure we’re dealing with the correct individual. This is for your protection – for instance, we wouldn’t want to hand out your data to someone impersonating you. Acceptable proof may include a copy of a driver’s license, passport, or a recent utility bill for address verification. If you are making the request via a third party (like a solicitor), we will need to verify that they have your authority.
Once we have verified your identity and have all the necessary information to locate the data or understand your request, we will proceed. We aim to respond within one month. If we foresee it taking longer (due to complexity or volume), we will let you know within that month and give an estimated timeframe (no longer than an additional two months). We will keep you updated on progress.
If we decide not to act on your request (which could happen if, for example, deleting data would conflict with legal obligations, or if we consider an objection and determine we have overriding legitimate grounds), we will inform you of the reasons for our decision and your right to complain about it.
Remember, you also have the right to lodge a complaint with the ICO if you believe we have not handled your request properly or are otherwise mishandling your data (see “Complaints” below). But we encourage you to reach out to us first so we can try to address your concerns directly. We’re here to help and ensure your data rights are respected.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or data processing practices. If we make significant changes, we will post the updated Policy on our website and change the “Effective from” date at the top so you can see when the last changes occurred. For material changes that may affect you, we may also choose to notify you directly via email or via an in-service notification. For example, if we were to start processing your data for a new purpose not covered by this Policy, or if we change how we share data in a meaningful way, we would let you know in advance when possible.
We encourage you to check this page periodically to review any updates. Any changes will become effective when the revised Policy is posted (or the notified effective date). If you object to any changes, you should contact us and/or consider stopping using our services if the issue is unresolved. If you continue to use our services after the date the updated Policy takes effect, we will assume you have acknowledged the changes.
This Policy is version 1.0 (August 2025). Historical versions of our privacy policy may be requested from us if needed. We maintain an archive of changes for accountability.
Contact Us (Questions or Exercising Your Rights)
We welcome any questions, concerns, or requests you may have regarding this Privacy Policy or our handling of your personal data. Our aim is to be transparent and fair, so please do not hesitate to reach out.
Data Protection Officer (DPO): We have appointed a Data Protection Officer who oversees our data protection strategy and compliance. You can contact our DPO by emailing privacy@bsal.co.uk or info@bsal.co.uk (either will reach us for privacy matters). Please mark your message for the attention of the Data Protection Officer in the subject line or body.
Postal Address: If you prefer to write to us or need to send documents for identity verification, you can reach us at:
Data Protection Officer
Burnley Savings and Loans Limited
30 Keirby Walk
Burnley, Lancashire
BB11 2DE
United Kingdom
Telephone: You can call us at 01282 454744. Our phone lines are open 9am to 5pm Monday to Friday (excluding bank holidays). Calls may be recorded (as noted before). Our staff will either help directly or refer you to the appropriate department for privacy inquiries.
When contacting us about your data or rights, please provide enough information for us to locate your records (e.g., your full name, any account or reference number if you have one, the service you used, etc.). For rights requests, also be prepared to verify your identity – we might ask you to confirm some personal details or provide ID as mentioned. This is to protect you.
We will do our best to respond promptly. Email is usually the quickest method for rights requests, but choose whatever is most convenient for you. We aim to make the process as smooth as possible.
Complaints and Your Right to Contact the ICO
We hope to resolve any privacy-related issues or concerns you have. You can always reach out to us using the contact details above, and we will work with you to address your complaint. However, if you are not satisfied with our response or believe we are processing your personal data unlawfully or not in line with data protection law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK’s independent authority overseeing data protection rights.
· The ICO’s website is ico.org.uk – here you can find information on how to raise a concern. They have an online form and guidance on the process.
· You can also contact the ICO by phone: 0303 123 1113 (this is their helpline).
· Or by mail: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK.
The ICO will usually ask if you’ve tried to resolve the issue with us first (and they often expect that you do so). We certainly encourage you to let us try to fix the matter before contacting them, as we are committed to your privacy and it might be a misunderstanding or an easily fixable issue. That said, you absolutely have the right to go to the ICO at any time.
If you live or work in another European country (or have a complaint about our activities in an EU country), you may alternatively contact the data protection authority in that country. For example, if you reside in Ireland, you could contact the Irish Data Protection Commissioner. But for most of our UK customers, the ICO is the relevant authority.
Other Avenues: If your concern relates to how we handled a financial matter (such as a credit reporting issue or lending decision) and you believe it’s also something for the Financial Ombudsman Service (FOS), you can consider contacting them. The FOS handles complaints about financial services. However, issues related solely to data handling fall under the ICO. In some cases, there’s overlap (e.g., a complaint about inaccurate data affecting your credit – ICO can address data accuracy, FOS can address any fairness in lending decisions). We can guide you if you’re unsure.
No Retaliation: Rest assured, we will never discriminate against or penalise you for exercising your rights or making a complaint (whether to us, the ICO, or any other body). Your services with us will remain the same. Our goal is to operate with transparency and fairness.
Thank you for reading this Privacy Policy. We hope it has helped explain how we protect your personal data and your associated rights. If anything remains unclear or if you need further information, please get in touch. Your trust is important to us, and we are always here to help.
Burnley Savings and Loans Limited (“Burnley Savings and Loans”, “BSAL”, “we”, “us” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website or any related services. By visiting our website (www.burnleysavingsandloans.co.uk) and using our services (including any future mobile app or online account services), you acknowledge that you have read and understood the practices described in this Privacy Policy. We are the “data controller” of your personal data for the purposes of applicable data protection law (UK GDPR and Data Protection Act 2018). We are also registered with the UK Information Commissioner’s Office (ICO) as a data controller, which you can verify on the ICO’s register. References to “you” or “your” in this Policy mean any individual who uses our website or services. References to our “website” include any mobile applications or online portals we may offer for our services.
Who We Are and What We
Burnley Savings and Loans Limited is a financial services provider authorized and regulated by the Financial Conduct Authority (FRN: 717019). We operate as a credit broker and a lender, which means we may either lend directly or introduce you to other lenders for finance . Our primary services include:
Automotive Finance – we can act as a broker, direct lender, or introducer to other lenders for vehicle purchase loans.
Personal Loans – we may act as a broker, lender, or introducer to help arrange unsecured personal loans.
Business Loans – we offer business financing, acting as a broker, lender, or introducer, depending on the funding.
Asset Finance – we facilitate asset financing (such as equipment or vehicle leasing) as a broker or introducer (we may arrange this through third-party lenders).
Mortgages & Secured Loans – we act as a broker or introducer to connect you with mortgage providers or secured loan lenders (we do not directly provide mortgages ourselves).
Credit Cards – we act as a broker or introducer for credit card products offered by third-party financial institutions.
In providing these services, we may introduce you to a limited number of other lenders or finance providers who can offer products suitable to your requirements . We will only share your information with these partners as needed to facilitate the service you’ve requested (see “Who We Share Your Information With” below). We do not charge you any fees for our brokerage/introducer services; any costs of credit will be clearly shown in your agreement with the lender. We may receive a commission from the finance provider if you enter into an agreement with them, but this does not affect the rate you pay (you can request details of any commission at any time).
The Information We Collect
We collect and process various types of personal information about you (and, in some cases, about others that you provide to us with their consent). This data helps us operate our services as a lender or broker and comply with legal requirements. We may collect information through the following ways:
Information You Provide to Us: This is information that you give us when you apply for our products or services, fill in forms on our website, communicate with us by phone, email or in person, or otherwise interact with us. This may include personal details such as:
Identification and Contact Details: Title, full name, date of birth, email address, telephone number, postal address, and any identification details (e.g. driver’s license number or passport number) you provide for verification.
Financial Information: Your income, employment status, employer details, outgoings and monthly expenditure, bank account details (such as account number and sort code for loan disbursement or repayment setup), credit card or payment card details (if you use one to make a payment to us), and your credit history or credit score if you share it with us.
Loan Application Details: For example, the amount you wish to borrow, the purpose of the loan, deposit amount (if any), asset or property value (for vehicle finance, asset finance, or mortgages), details about any collateral (for a secured loan or vehicle finance, this might include vehicle registration number or property address), and your address history (previous addresses) for credit reference checks.
Lifestyle and Demographic Information: If relevant to specific products, we might collect information such as marital status, number of dependents, or housing status (owning/renting) as part of a loan application’s affordability assessment.
Sensitive Personal Data: We do not actively ask for special category (sensitive) personal data. However, you may choose to provide information about your health or personal circumstances (for example, if you disclose a medical condition or a vulnerability that could impact how we serve you). Any sensitive data you provide will be processed only with your explicit consent and only used for the specific purpose for which you provided it (for instance, to accommodate your needs as a vulnerable customer). We will not use such information for any other purpose and will securely delete it when it’s no longer needed. (Note: We do not collect or process special categories of data unless necessary – for example, we might record that a customer has a vulnerability only with permission, to ensure we act in their best interest.)
Information We Obtain from Credit Reference Agencies (CRAs): As a regulated lender/broker, when you apply for credit or finance with us, we will conduct credit and identity checks by obtaining information about you from one or more Credit Reference Agencies. This means we will share your personal details (like name, address, date of birth) with the CRAs and receive your credit report and credit score in return. Your credit report includes information about your credit accounts, outstanding debts, repayment history, public records such as County Court Judgments (CCJs) or insolvencies, and whether you are registered to vote, among other details. Important: When a credit search is performed, a record of your search is left on your credit file. For finance applications with us, this is typically a “soft” search at the quotation stage (which does not affect your credit score and is not visible to other lenders), but if you proceed with a full application or agreement, it may be a “hard” credit search visible to other creditors. We will tell you when a search is being conducted. The CRAs will also link records of credit searches and share information with other lenders who subsequently search your file. (For more on how CRAs handle your data, see Credit Checks and Fraud Prevention below.)
Information from Fraud Prevention and Identity Verification Agencies: We may also obtain information from specialist fraud prevention agencies (FPAs) or identity verification service providers as part of processing your application. This can include verifying your identity documents, checking for any history of fraudulent activity, and confirming that the details you provided are not associated with fraudulent behaviour or money laundering. These checks help us verify your identity, prevent crime, and comply with anti-money laundering regulations. If false or misleading information is provided and fraud is identified, details will be transmitted to fraud prevention agencies and law enforcement. This could result in the refusal of services, finance, or employment elsewhere if those agencies have a record of the incident.
Information We Receive from Other Lenders or Partners: If we have introduced you to another lender or finance provider (or they have introduced you to us), or if you take up a finance product through us with a third-party lender, we may receive information back from those third parties about the product or service you obtained. For example, if we broker a loan or mortgage for you with another lender, that lender may inform us whether your application has been approved and provide details about the loan (such as the amount and term). This helps us keep our records accurate, calculate any commissions, and manage our customer relationships. We may also receive information from other third parties such as: public databases (like the electoral roll or government registries), employers or referees (to confirm employment, with your consent), or car dealers/brokers (if you are obtaining vehicle finance through a dealership, they may pass us details to process the credit). Additionally, we work with certain external services to better assist our customers – for example, we have partnered with the Vulnerability Registration Service (VRS) to identify and support vulnerable customers. This means we may check the VRS database to see if you are listed as a vulnerable individual and note any relevant support needs. The VRS is a third-party database where individuals can register their vulnerable status; we only use this information to ensure we treat you fairly and appropriately. We do not use information from such sources for marketing purposes without your consent.
Information Collected About Your Use of Our Website: When you visit our website (or use any future mobile app), we collect technical and usage data automatically. This includes, for example:
Technical Data: your device’s Internet Protocol (IP) address, browser type and version, time zone setting, device identifiers, operating system and platform, and other technology on the devices you use to access our site.
Usage Data: details of your website interactions, such as the pages or products you view, how you navigated to and from our site (the full URL clickstream to, through and from our site, including date and time), response times, download errors, length of visits on pages, page interaction information (scrolling, clicks, mouse-overs), and methods used to browse away from pages.
Mobile App Data (if applicable): if we offer a mobile application in the future and you use it, we may collect device information (like your device model and OS), app usage statistics, and crash logs. If location services are enabled and relevant to a service (for example, for security or fraud prevention), we would only collect location data with your permission.
This automatically collected information helps us understand how users use our website, enables us to troubleshoot technical issues, improve site performance, and enhance user experience. It may also be used for security monitoring (for example, detecting unusual login locations to guard against unauthorised access).
Cookies and Similar Technologies: Like most websites, we and our service providers use cookies and similar tracking technologies to collect information about your browsing activities on our site. Cookies are small data files stored on your browser or device. They help our site function correctly and can enhance your user experience (for example, by remembering your preferences or login state). We also use cookies and third-party tools for analytics and advertising. For instance, we utilise Google Analytics to understand how visitors navigate our site and to improve our content. We have enabled certain Google Analytics Advertising Features – such as remarketing and demographic reports – which means information about your visit (such as pages viewed, or if you clicked on our ads) is collected via cookies or similar identifiers. These cookies do not directly identify you by name, but they may track your device and browsing behaviour. We may use this data to show you relevant advertisements about our services on other platforms (e.g. showing you a Burnley Savings and Loans offer when you visit certain social media sites, via those sites’ advertising networks). Important: You can control or disable cookies through your browser settings. You can also opt out of Google Analytics for Display Advertising and customise Google Display Network ads using Google’s Ads Settings or by installing the Google Analytics opt-out browser add-on. To learn more about how we use cookies and how you can manage them, please see our Cookies Notice (available on our website).
Information from Communications and Telephone Calls: If you contact us by telephone, email, SMS, or other communication channels, we may monitor and record these communications for quality assurance, training, and security purposes. For example, calls to our customer service line might be recorded and stored. We use these recordings solely for legitimate business purposes, such as verifying instructions you provide, resolving complaints, improving our services, and ensuring compliance with our legal obligations. We will also retain copies of any correspondence you send us (such as emails or letters) as part of your customer record.
Open Banking Data (if you use this service): With your explicit consent, we may offer an Open Banking service to securely retrieve your financial information from your bank or accounts, in order to provide certain services (such as a more accurate affordability assessment or budgeting tools). If you choose to use Open Banking features, we will collect data such as your transaction history, account balances, regular payments, and income information from your bank or account provider. For example, open banking data could show your incoming salary payments, outgoing bills, and spending patterns. We will only access and use this data with your permission, and only to the extent necessary for the specific service (e.g., evaluating your loan affordability). Note: Open Banking services are governed by additional terms and a separate privacy notice, which we will present to you at the time, in accordance with UK Open Banking regulations. We will not retrieve or store your banking credentials; that process is handled through secure, authorised channels as per Open Banking standards.
Two-Factor Authentication Data (if applicable): If in the future we provide an online account and you choose to enable two-factor authentication (2FA) for added security, we will collect the contact details necessary to send the second-factor code (e.g. your mobile phone number for SMS 2FA). We would use this information solely to send you verification codes for logging into your account, and not for marketing. This is entirely optional and for your security; if you enable it, standard messaging rates may apply for the SMS messages.
We will not collect any personal data from you that is not needed for the provision of our services, for the legitimate interests described in this policy or to meet legal/regulatory requirements. When we request information, it is because it is necessary to provide the service you requested, to comply with our obligations (e.g., performing anti-fraud checks), or for other legitimate purposes described in this Policy. If you choose not to provide the requested information, we may not be able to offer you certain products or services. We will always indicate where information is optional.
We use the personal data we collect for various purposes in connection with providing our services to you and running our business. Below is a summary of the main ways in which we use your information:
To Process Applications and Provide Services: We use your information to set up and administer your account or agreement with us. This includes processing your loan or finance applications, conducting credit and affordability assessments, making lending decisions, and if approved, issuing the loan or arranging the finance you requested. We’ll use your data to draft and execute agreements, manage repayments, and provide any related services or aftercare. For example, we use your address and identification details to verify your identity and prevent fraud, and your financial information to decide if we can offer you credit responsibly.
To Communicate with You: We will use your contact information (email, phone, address) to communicate with you about your account and our services. This includes sending you important notices such as approval decisions, loan documents, payment reminders, statements, updates about any ongoing application, and changes to our terms or Privacy Policy. We may contact you via telephone, post, email, SMS, or other electronic means (such as messaging apps or push notifications, if you use our app) as appropriate. These service communications are necessary for us to fulfil our contract with you or to inform you of important information – you cannot opt out of receiving essential service messages.
Identity Verification and Fraud Prevention: Your data is used to verify your identity when you register or apply, as part of our efforts to prevent fraud and money laundering. For example, we may use document verification or ask security questions to confirm it’s really you. We also use personal data to monitor for and detect fraudulent or suspicious activities. If we detect fraud, we will take action to protect our interests and comply with applicable laws, which may include refusing services and reporting incidents to relevant authorities or databases.
To Provide Broker Services and Introduce Products: When you use Burnley Savings and Loans as a broker or introducer, we use your information to match you with appropriate third-party lenders or product providers. We might analyse your credit profile and preferences to determine which of our partner lenders could offer you a suitable product. If you have consented to it, we will also use your details to pre-populate application forms or facilitate the application process with those partners. For example, if you apply through us for a car finance deal that another lender will provide, we will transmit the necessary information from your application to that lender so they can process it. We also use your data to obtain indicative quotes or pre-approvals from partners (where possible, we might perform a “soft search” on your credit file to see your eligibility for partner lenders’ offers without impacting your score). This allows us to inform you of your chances of approval or show you “pre-approved” offers – but remember, any final offer is subject to the partner’s own checks and decision. We will only share your data with these third-party providers for the purpose of securing the product or service you have expressed interest in, and not for their own marketing unless you separately consent (see “Who We Share Your Information With” below for more on this).
Service Improvement, Product Development, and Analytics: We may use pseudonymized data about you, your application, how you use our services, third-party services (including credit file and open banking records) and your feedback to improve our offerings, develop new products and develop new features. This includes analysing usage patterns on our website (for example, which pages are most visited or where users drop off in an application form) so we can make our platform more user-friendly. We may perform statistical analyses on customer demographics, credit outcomes, and product popularity to gain a deeper understanding of our customer base and business performance. Any insights derived from analytics or research will typically be in an aggregated or anonymised form, so they no longer identify individual customers. We also keep internal records for training and quality control, ensuring we maintain high service standards.
Marketing (with your consent): If you have given us your permission, we will use your contact details and preferences to send you marketing communications about our products or related financial services. This may include information about new loan products, special offers, interest rate promotions, events, newsletters with financial tips, or products from our partners that we think might interest you. We aim to tailor our marketing to be relevant – for example, if you have taken out a vehicle loan with us, we might inform you about our other products, such as business loans or refinancing offers. Alternatively, if your loan is nearing completion, we might offer a new financing deal. You are in control – we will only send marketing by the methods you’ve agreed to (e.g., email or SMS), and you can opt out at any time (see “Marketing Communications and Your Choices” below). We do not sell your information to third parties for their marketing purposes.
Personalised Recommendations: In some cases, and only if you have given your consent, we may use specific personal data (such as your credit profile and borrowing history) to profile your needs and preferences, allowing us to highlight financial products that are likely suited to you. For instance, we might analyse your credit score, existing credit commitments, and stated goals to determine that you could benefit from a debt consolidation loan or a credit card with a better rate and then inform you of such opportunities. This type of profiling is designed to provide you with more relevant suggestions and assist you in making informed financial decisions. It does not involve any automated decisions that have legal or similarly significant effects without human involvement – it’s simply a way for us to organise information and present options to you. You have the right to object to this type of processing if you wish (see “Your Rights” below).
Website Functionality and User Experience: We use data (like cookies and device information) to ensure our website and online services function correctly and securely. This includes using cookies to keep you logged in during a session, remember your preferences (such as form inputs or consent choices), and deliver content appropriately for your device. We also use certain cookies and tracking data to personalise what you see – for example, to show you targeted advertisements or to greet you by name on the dashboard. Additionally, collected technical data allows us to safeguard our site (for example, detecting unusual behaviour that might indicate a bot or attack) and diagnose and fix any issues (like a page loading slowly).
Legal and Regulatory Compliance: We process personal data as necessary to fulfil our legal obligations. This includes using your information for activities such as: reporting to regulators (e.g., submitting required reports to the FCA or HMRC where applicable), carrying out anti-money laundering (AML) and “Know Your Customer” checks before onboarding you and on an ongoing basis, preventing, detecting and investigating financial crime, and complying with lawful requests from authorities (e.g., court orders or information requests from law enforcement). If you apply for credit, we also use your data to provide mandated disclosures and treat you fairly per consumer credit laws (for example, assessing affordability to prevent over-indebtedness). We may use and retain specific data to exercise or defend legal claims as well. For instance, we keep records of your agreements and communications so that we have evidence in case of any dispute or investigation.
Anonymised or Aggregated Data Uses: Where possible, we anonymise or aggregate personal data so that you are not identifiable and use it for purposes such as research, trend analysis, and development of new products. For example, we might compile statistics like “average loan size by region” or “percentage of customers interested in electric car financing” to help guide our business strategy. This anonymised data contains no personal identifiers and is not subject to data protection law.
What We Will Not Do: We never sell your personal information to third parties – we value your trust, and your data is not for sale. We also will not share your personal data with unrelated third parties for their own marketing purposes without your consent. Our use of your data is strictly as outlined in this Policy. If we propose to use data for any new purpose, we will update you and, if required, seek your consent.
Legal Bases for Processing Your Data
We are required by law to have a valid “lawful basis” for each use of your personal data. We rely on the following legal grounds for our data processing activities:
Contractual Necessity: Many of our data uses are necessary for the performance of a contract (the agreement between you and us) or in order to take steps at your request prior to entering a contract. When you apply for or take out a loan (or use our brokerage services), we process your personal data to provide that service as part of our contractual obligations to you. This includes all core activities, such as processing your application, making a credit decision, providing customer service, and administering your account. If you do not provide the required information for these purposes, we will be unable to offer you the product or service. In summary, we need to process specific personal data to fulfil our obligations to you under the terms and conditions of the service you have requested.
Legitimate Interests: We also process some of your data based on our legitimate interests (or those of third parties) in running an effective and lawful business. “Legitimate interests” means we have assessed that our processing is necessary for a genuine and fair business interest, and that it does not override your fundamental rights and freedoms. As a credit intermediary and lender, our legitimate interests include ensuring that our services are secure, efficient, and tailored, and promoting our business, provided these interests are balanced against your privacy rights. We rely on legitimate interests for purposes such as:
Preventing fraud and ensuring security: e.g. verifying identity, detecting malicious activities, and keeping our systems safe.
Improving our services: e.g. analysing usage data to enhance user experience, developing new loan products to better serve customers, and internally auditing our processes to maintain high standards.
Marketing and communications: e.g. sending you product news or offers that are relevant (where permitted by law), engaging with you throughout your customer journey to ensure you are satisfied, and sharing data with certain partners (like advertising networks or analytics providers) to reach individuals who may be interested in our services. (Note: for any electronic direct marketing to you as an individual, we will have obtained your consent as required by law – see “Marketing Communications and Your Choices” below.)
Supporting our business operations: e.g. sharing data within our organisation and with service providers (under strict controls) to facilitate our everyday functions like IT hosting, payment processing, and customer support.
Protecting our legal rights: e.g. retaining records and sharing information with our legal advisors or authorities if necessary to defend against legal claims or enforce our terms.
Re-assessment for further credit: periodically re-assessing existing customers' eligibility for further credit by conducting soft searches and analysing Open Banking data (where we still have your consent to hold it), so we can offer products that may save you money or better suit your needs.
When we rely on legitimate interests, we ensure that we consider and respect your rights. You have the right to object to processing based on our legitimate interests in some instances (see “Your Rights” section). If you object, we will consider whether our interests in the processing outweigh the impact on your privacy, and we will stop or adjust processing if required.
Consent: We will request your consent in situations where we are required to do so by law or where consent is the most appropriate basis. For example, we seek your consent before sending you marketing emails or texts (unless you are an existing customer and the law allows us to send specific, limited marketing on an opt-out basis). Similarly, if we ever process special category sensitive data (such as health information you volunteer), we will do so only with your explicit consent and for the purpose you agreed to. If we implement new technologies (for example, biometric identification or specific cookies on our site), we will obtain consent as necessary. Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing already carried out, but it will mean we stop the specific activity going forward. For example, if you withdraw consent for marketing, we will cease sending you marketing messages. You can withdraw consent by contacting us (see “Contact Us” section below) or, in the case of email/text marketing, by using the unsubscribe mechanism provided in those messages.
Legal Obligation: In some cases, we need to process your personal data to comply with a legal or regulatory obligation to which we are subject. This includes processing necessary to fulfill our duties under financial regulations, anti-money laundering laws, consumer credit laws, tax laws, and other UK or EU legislation. For instance, we are required to verify customers’ identities and retain certain transaction records to satisfy anti-money laundering rules. We may also have to disclose data if compelled by a court order or to cooperate with regulators or law enforcement inquiries. These are mandatory data uses – meaning if you object to such processing, we may not be able to provide services to you (as we cannot violate our legal obligations).
In summary, the personal data we ask for is generally required either by law, by the need to enter/perform a contract with you, or by our legitimate business needs. We will always endeavour to inform you of the applicable basis for our processing at the point of collection (and you can contact us for further clarification if needed).
Who We Share Your Information With
To provide our services to you and operate our business, we may occasionally need to share your personal information with third parties. We only share your data when necessary, and in compliance with data protection law. We require all third parties to respect the security of your data and to treat it in accordance with our instructions. We do not sell your personal data to any third parties. Below are the types of organisations with whom we may share data:
Lender and Finance Partners: If we act as a broker or introducer for a product you’re interested in, we will share your relevant personal information with the specific lender, bank, or finance company that will be providing the credit or product. For example, if you apply for a vehicle loan through us but Lender X will actually make the loan, we transmit your application details to Lender X so they can process the loan. This typically includes the information on your application form, as well as any supporting documentation or ID verification required. The lender will use this data to assess your eligibility, perform their own credit checks or fraud checks (they may share data with CRAs and FPAs as well), and to issue and manage the credit agreement. We only share with lenders that you have agreed to explore offers from (for instance, lenders on our panel for which you want to receive quotes, or a specific lender you have chosen). These product providers are separate data controllers of your information for their product, meaning they have their own responsibility to comply with data protection laws. They should provide you with their own privacy notice when you engage with them. We ensure that these partners are bound to use your data solely for the purpose of evaluating your application, providing the product, and related regulatory compliance (such as fraud prevention or reporting). They are not permitted to use your data for other purposes (like marketing their other services to you) unless you expressly consent to them doing so. Note: If you obtain a product via one of our partners, the fact that you were introduced by Burnley Savings and Loans may also be shared with them or an affiliate network to ensure we receive correct commission and for auditing. This information, however, does not include sensitive personal details – it may simply be a reference ID or note that “this customer came through BSAL.”
Credit Reference Agencies: As described earlier, we share personal data with CRAs to perform credit searches and identity verification when you apply for a product. This typically involves sending your identifying details (name, address, DOB, etc.) to the CRA and, in return, obtaining information about your credit history. We may use one or more of the main UK CRAs, namely Experian, Equifax, and TransUnion, depending on the product and our internal policies. The CRAs will record our enquiry on your credit file. They may also share with us public data (like whether you are on the electoral roll at your given address). If you become our customer (e.g., you take a loan from us), we may also share ongoing account information with CRAs. This means we could report details of your account and repayment history to the CRAs – for example, the fact that you have a loan, the outstanding balance, your payment performance each month, and how you settle the account. If you miss payments or default on your agreement, this may be reported and could adversely affect your credit score and future ability to obtain credit. Data shared with CRAs can be retained on your credit file for a period (typically 6 years after an account is closed, whether by repayment or default). The CRAs may share your information with other organisations that perform credit or identity checks (for example, other lenders or insurers) as allowed by law. You can find out more about how each CRA uses and shares personal data in the Credit Reference Agency Information Notice (CRAIN) on their respective websites (see the Experian, Equifax, and TransUnion sites for these notices). We provide links to these notices on our website for your convenience. (See also section “Credit Checks and Fraud Prevention” below for more details.)
Fraud Prevention Agencies: When processing your application and throughout your relationship with us, we may share information with fraud prevention agencies (FPAs) (such as databases that flag known fraudulent identities or activities). This is to help us and other financial institutions identify and prevent fraud and money laundering. The information shared could include personal identifiers, contact information, and details about any suspected fraud or reported misbehaviour. If we determine that you pose a fraud or money laundering risk (for instance, if our checks flag inconsistent information or you are proven to have submitted false details), we will report this to FPAs. Law enforcement authorities may access this data. Be aware: If your data is recorded by fraud prevention agencies as having a risk indicator, it may result in other companies refusing to provide you with services, credit, or employment (if the role involves trust and finance). These records are typically retained for several years. For details on the fraud prevention agencies we use and their data handling practices, please contact our Data Protection Officer (see the Contact Us section) for further information.
Service Providers and Data Processors: We employ trusted third-party companies to perform certain business operations on our behalf. These include, for example: IT and cloud hosting providers (who may host our website or databases), customer management and support tools, email and SMS delivery services, payment processing services (for handling Direct Debits or any online payments securely), identity verification services (to help confirm IDs or perform anti-impersonation checks), debt collection agencies (if ever needed to assist with overdue accounts), and professional advisors (such as auditors, accountants, or legal counsel). We only share the information necessary for these providers to carry out their functions. For instance, if we use an email service to send out newsletters, we would provide our email address and name to that service, but they are not permitted to use our data for anything outside of our instructions. All our service providers are subject to contracts that enforce strict data protection obligations, meaning they must secure your data and can only process it for the purposes specified by us. We conduct thorough due diligence to ensure they meet the highest security standards. Examples of service providers include our cloud database host (which securely stores customer data), our website analytics tools (which may process usage data), and any backup storage services. These providers act as “data processors” on our behalf. We remain responsible for how your data is used by them, and we ensure that they treat it with the same care as we do.
Group Companies: If Burnley Savings and Loans is part of a group of companies in the future (for example, subsidiaries or affiliates under common ownership), we may share your information within that corporate group as needed to operate our services. Currently, Burnley Savings and Loans Limited operates as a single company (independent). If this changes (for instance, if we establish a parent company or sister companies), and if those related entities require access to personal data (say for centralised management, compliance, or analytics), we will only share what is necessary and ensure those entities are bound by similar privacy obligations. Any intra-group sharing would still be limited to the purposes outlined in this Policy.
Advertising and Analytics Partners: We may share specific, limited data with advertising networks, social media platforms, and analytics companies to assist us with marketing and enhancing our outreach. For example, we might provide a hashed (encrypted) version of your email or phone number to online platforms like Facebook, Instagram, Google, or others to help identify if you are a user of those platforms, so we (or they on our behalf) can show you targeted advertisements. This technique is often used to either exclude existing customers from seeing irrelevant ads or to include people in audiences for promotions (such as finding “lookalike” audiences who have similar characteristics to our customers). We also work with Google Analytics and similar tools that may involve sharing data (such as cookie identifiers and site usage information) to analyse usage and measure the effectiveness of our advertisements. These partners may use cookies or tracking pixels on our website that collect data about your interactions (see “Cookies” above). All such activities are conducted under appropriate legal bases – for instance, we will seek consent for non-essential cookies and targeted advertising where required. You can opt out of many advertising platforms’ targeted advertising programs through their own privacy settings or via third-party opt-out tools. If you have opted out of our marketing, we will also endeavour to inform these advertising partners not to serve you targeted ads on our behalf.
Other Third Parties in Specific Circumstances: We might share your data with other parties in specific scenarios, such as:
Business Transfers: If we ever sell or transfer part of our business or assets, or undergo a merger or reorganisation, your personal data may be disclosed to the prospective buyer/new owner as part of the transaction. We will ensure that any such disclosure is subject to confidentiality and is only made as necessary for the transaction’s due diligence or completion. Similarly, if we acquire another business, your data might be shared within the expanded company. In the event of any such occurrence, we will ensure that your data remains protected and is used in accordance with this Policy.
Legal Requirements: We will disclose personal information to courts, law enforcement, regulators, government authorities, or other organisations if legally required to do so or if we believe in good faith that such disclosure is necessary. This includes complying with court orders or subpoenas, responding to lawful requests by public authorities (including for national security or law enforcement purposes), or enforcing our Terms and other agreements. For example, we may share information with the police or fraud investigators if we suspect criminal activity such as fraud or identity theft. We may also share data with the Information Commissioner’s Office (ICO) or the Financial Ombudsman Service if they are investigating a complaint you made.
Regulatory Bodies: As a regulated firm, we may be required to share data with the Financial Conduct Authority (FCA) or other regulatory bodies for supervision, compliance, or reporting purposes. For instance, during an FCA audit or review, they may request specific customer files or communications to ensure that we are treating customers fairly. We will only provide what is required and permitted by law.
Professional Advisors and Insurance: We may share information with our lawyers, auditors, accountants, or insurers where necessary to obtain professional advice or manage legal disputes/insurance claims. These parties are also bound to confidentiality.
In all cases of sharing, we minimise the data disclosed to only what is needed for that third party to perform its task. We also have agreements in place to ensure that any third party protects your data. Aside from the parties listed above, we will not share your information with any other third parties unless you have specifically requested us to do so or we have a legal obligation to do so.
Credit Checks and Fraud Prevention – Further Details
Because credit and identity checks are central to our services, we want to provide additional clarity on how your data is used in these processes and how it might affect you:
Credit Reference Agencies (CRAs): When you apply for credit or finance through Burnley Savings and Loans, we will perform checks with CRAs. The CRAs will keep a record of the search (known as a “footprint”). If the search is a “hard” credit search (usually conducted at the point of agreement), it can be visible to other lenders who view your report and may slightly impact your credit score. If it’s a “soft” search (for example, a quotation eligibility check), it will not affect your score and isn’t visible to other companies (only you can see it). We’ll endeavour to use soft searches for initial eligibility and only conduct a hard search when necessary (such as just before finalising a loan), in line with responsible lending practices. We may also perform these soft searches periodically while you are an existing customer, solely to gauge eligibility for further credit; you may opt out of this at any time.
The data we exchange with CRAs can include: your personal details (name, addresses, DOB), credit application details, details about your financial associates (anyone you have a joint account or credit link with), and information about your credit history that the CRAs provide to us (such as existing credit accounts, outstanding balances, payment arrears, history of insolvency or judgments, etc.). We use this information to assess creditworthiness and suitability for our products or those you seek via our partners. This helps us make fair and informed decisions.
If you become a customer, we may report the status of your account to the CRAs. For example, we will inform the CRAs whether you pay on time or have fallen behind. If you pay us on time, it can help build a positive credit history for you; if you miss payments or default, it will likely harm your credit history. A default typically means you failed to repay after multiple reminders, and we closed your account. This is typically recorded and remains on your file for six years, which can make it more difficult or expensive to obtain credit during that period.
It’s essential to ensure that the information you provide us is truthful and accurate, as we will verify it against external sources. If we find inconsistencies (for example, a different address on your credit file than the one you provided, or undisclosed credit commitments), we may request clarification from you.
Multiple Credit Applications: Note that if you make multiple credit applications in a short period (with us and/or others), multiple hard search footprints might appear on your file, which could temporarily lower your credit score. If you are shopping around for credit, consider using eligibility checks or brokers that use soft searches (like our initial checks) to minimise impact.
Your Credit File: You have the right to access your credit file and to correct any wrong information. If you believe something on your credit report that we contributed (like a search or account record) is incorrect, you can contact us or the CRA to have it reviewed.
For more detailed information about how CRAs handle your data, you can refer to the “Credit Reference Agency Information Notice” (CRAIN). The three main CRAs in the UK have this notice available on their websites: Experian (experian.co.uk/crain), Equifax (equifax.co.uk/crain), and TransUnion (transunion.co.uk/crain). These notices explain what data the CRAs hold, how they share it, the retention periods, and your rights in relation to CRA data. You can also find general information on credit files on the ICO’s website and via organisations like Citizens Advice.
Fraud Prevention: We participate in data sharing with fraud prevention agencies (such as CIFAS and others). If you provide false or misleading information and fraud is identified, the details will be forwarded to these agencies. Law enforcement organisations can access this information to investigate and prevent crime. The types of data that may be shared include personal identifiers, contact information, suspected fraud details, and modus operandi (patterns of behaviour). Fraud records can result in others refusing services to you – it’s a serious measure, so it is only done where warranted.
We also use fraud prevention data to verify identities. For instance, when you apply, the information you provide may be checked against records like the electoral roll, sanction lists, or databases of known fraudulent identities. This could involve an electronic identity check where your information is matched to records held by a credit agency or identity provider (this counts as a soft search purely for ID verification, not for credit risk assessment). If we cannot verify your identity through these means, we may request additional documents, such as a passport or utility bill, or utilise a third-party identity verification service. In some cases, if identity verification is not possible, we will be unable to provide services.
Automated Decisions in Checks: Some of our credit and fraud checks involve automated decision-making. For example, we might use an automated system to initially score your credit application (taking into account information like credit score, income, and existing debts) to determine if you meet our lending criteria. Additionally, automated systems may instantly flag a transaction as suspicious if it matches a fraud rule (e.g., an application originating from a high-risk IP address may be paused for manual review). You have rights relating to automated decisions (see “Automated Decision-Making” and “Your Rights” sections). If you are declined based on an automated credit check, you can request a review, and we will have a person reevaluate your application.
If you want to learn more about the fraud prevention agencies and credit reference agencies we use, or obtain their contact details, please reach out to us. We can provide a copy of relevant information or direct you to their privacy information. Remember, you can also obtain a copy of your credit report from each CRA (the law entitles you to a free statutory credit report).
Marketing Communications and Your Choices
We would like to keep you informed about products and services from Burnley Savings and Loans (and occasionally from our partners) that might benefit you. However, we will only do so in accordance with your marketing preferences and applicable law. This section explains what you can expect and how you can manage your communication preferences:
Types of Communications: With your consent (or as otherwise permitted by law), we may send the following types of marketing and informational communications:
Product Offers and Updates: Personalised offers for financial products that we believe could interest you. For example, if you have a car loan with us, when you near the end of the term, we might offer a new deal for your next car. If you have inquired about business loans, we might send updates about our business financing options. These communications may highlight special interest rates, new product launches, or pre-approved credit limits (if applicable). They may also include invitations to apply for additional borrowing or refinancing if our eligibility checks suggest you are likely to be accepted. We strive to time these and tailor the content based on what’s relevant to you.
Educational Content and News: General newsletters or content about managing finances, improving credit scores, budgeting tips, industry news (like regulatory changes that might affect borrowers), or updates about Burnley Savings and Loans (such as new branch openings or community initiatives). We send these to provide added value beyond just offers.
Surveys and Feedback Requests: Occasionally, we may reach out to ask for your feedback on our services or to participate in customer satisfaction surveys. These help us improve our offerings. Participation is completely voluntary.
Channels: We typically send marketing via email if we have your email address and consent. We may also use SMS/text messages, postal mail, or telephone for marketing if you have agreed to those channels. For instance, if you agree to receive offers by SMS during your application, we may send a text with a link to a new loan offer. Push notifications may be used in a mobile app scenario if you opt in. Each method will only be used if you have not opted out of it. We will not bombard you – we aim to send a reasonable number of communications and only with pertinent information.
Third-Party Marketing: We do not share your contact details with third-party companies for their marketing unless you explicitly consent to that. For example, we won’t sell your email address to an insurance company for cold contact. If we ever promote a partner offer, that communication will come from us, not the partner, unless you have a direct relationship with that partner. We may include offers from our trusted partners in our own communications (for instance, “check out [Partner Bank] credit card with 0% for 12 months, available via our site”). However, the communication is ultimately under our control.
Opting In: At the point of data collection (e.g., when you fill a form or create an account), you will be given the option to opt in to marketing. This might be presented as tick-boxes (e.g., “Yes, I would like to receive news and offers from Burnley Savings and Loans via email”). We try to make this granular, meaning you can choose the channels or topics you’re interested in. For example, separate checkboxes for email vs SMS, or for different product categories, so you only get what you want. If you do not check or select these options, we will assume you do not want to receive marketing and will not send it. You can still use our services regardless of your marketing preference.
Opting Out / Unsubscribing: You have the right to opt out of marketing at any time. If you no longer wish to receive marketing communications from us, you can do any of the following:
• Click “Unsubscribe” – All our marketing emails will contain an unsubscribe link (usually at the bottom). Clicking this will allow you to stop further emails from that list. We will process these requests as quickly as possible.
• Contact us directly – You can email us at any time at info@bsal.co.uk or call us at 01282 454744 to let us know you want to opt out of some or all marketing. If you write to us, please include your name, contact details and a note that you do not want marketing contact. Our staff will update your preferences accordingly.
• Account settings – If we provide an online account or preference centre, you can log in and change your marketing preferences there (e.g., untick certain types of messages or all communications). We’ll make sure any such changes are honoured.
Once you opt out, we will cease using your information for direct marketing purposes. Please note that opting out of marketing will not affect service communications – you will still receive necessary emails or messages about your active accounts, transactions, or other non-marketing matters (as described earlier, these are not optional). If you opt out via one channel (e.g., email), we will endeavour to remove you from all marketing. However, you can tell us if you would prefer to keep some channels, for instance receiving SMS but not email.
Opting out of marketing also stops our periodic eligibility monitoring for promotional purposes (we will still run statutory credit checks needed to service any live agreement you already have).
Third-Party Advertising Opt-Outs: If we are using advertising partners (such as social media platforms) to target ads to you and you no longer want to see them, in addition to opting out with us (which we will action), you can also adjust your ad preferences on those platforms. For example, you can adjust your Google Ads settings and Facebook ad preferences to control interest-based ads. Additionally, industry opt-out websites, such as YourAdChoices (for various ad networks), can be utilised. Please note that, even after opting out of our marketing, you may still see generic Burnley Savings and Loans advertisements on the web that are not explicitly targeted using your data (for example, banner ads on a website for everyone in a particular region). Those are not directed by your personal data but rather by general advertising.
After Opting Out: When you opt out of marketing, we will retain enough of your information to ensure we honour your no-contact request going forward. For example, we may keep your email address on a “suppression list” to ensure it is not inadvertently included in a future campaign. This doesn’t mean we’re still marketing to you; it’s purely for compliance.
We promise to make it easy to opt out and to respect your choices. We do not want to send unwanted messages. If you ever feel you are receiving marketing from us that you did not agree to, please contact us so we can investigate and correct the situation.
Automated Decision-Making and Profiling
In some cases, we use automated processing of your personal data to make decisions or to profile aspects of your creditworthiness or preferences. “Automated decision-making” means that a decision concerning you is made by a computer system based on algorithms, without a human reviewing each case. We use automated decision-making primarily to expedite and ensure consistency in our credit decision process. For example:
Credit Scoring: When you apply for a loan or other credit product, our systems may automatically calculate a credit score or affordability assessment based on the information you provided and data from credit reference agencies. This score helps determine whether your application meets our lending criteria. It considers factors like your income, existing debts, credit history, and other information. A threshold is set, and if your score is below that threshold, the system might automatically decline the application at that stage (subject to manual review as needed). This helps us handle applications quickly and fairly, applying the same criteria to everyone. Rest assured, if your application is automatically declined, you have the right to request a human review of the decision. We will then have an underwriter or credit officer reassess your application manually. We understand not everyone’s situation fits a standard model, and we’re happy to consider additional information you provide upon review.
Fraud Screening: Our fraud detection systems may automatically flag and decline certain activities that appear to be of high risk. For instance, if an application triggers multiple severe fraud rules (such as an identity associated with confirmed fraud or an IP address from a region known for fraudulent attacks), the system may automatically prevent further processing of that application. In most cases, though, potential fraud flags result in a referral for manual investigation rather than an outright automated denial.
Profiling for Product Offers: As mentioned in the Marketing section, we might use automated logic to segment customers or website visitors into groups based on their attributes or behaviour. For example, our system could analyse your credit profile and interactions and categorise you as someone who might benefit from a particular product (like a secured loan versus an unsecured one) and then automatically show you content or offers related to that product. This kind of profiling is aimed at personalising your experience. It does not have legal effects or similarly significant effects on you – it’s more about which adverts or recommendations you see. You always have the option not to act on those suggestions.
No Fully Automated Rejections Without Safeguards: We do not make any solely automated decisions that produce legal or similarly significant effects without providing you with an opportunity for human intervention. Credit decisions are important, but we ensure there’s a safety net (e.g., the ability for you to appeal or have a person check it). Any automated process is regularly tested for fairness and accuracy to avoid biased outcomes.
Your Rights regarding Automated Decisions: Under the UK GDPR, if a decision is made about you based solely on automated processing (and it has a significant effect on you), you have the right to:
Request human intervention, so that an actual person reviews the data and decision.
Express your point of view about the decision, especially if you believe the automated process overlooked something important.
Contest the decision if you believe it was incorrect or unjust.
For example, if an automated credit risk decisioning system declined you, you might contact us with additional context (perhaps your credit file had an error, or you have a strong recent income change that wasn’t reflected) and ask us to reconsider. We will review such requests seriously.
Why use automation? Automated decision-making enables us to deliver faster decisions (often within minutes or instantly) rather than requiring you to wait days for a manual review. It also ensures consistency, so similar inputs yield similar outcomes, reducing human error or bias. We calibrate our systems using historical data and industry standards to aim for accuracy. However, we acknowledge that automated systems are not perfect, which is why we have the safeguards and human oversight mentioned.
If you have any questions about our use of automated decision-making or want to object to a particular use, please contact us (see “Contact Us” below). We are transparent about where we use these tools and want you to feel comfortable with how your data is processed.
How We Protect Your Information
We take the security of your personal data extremely seriously. We have implemented a variety of technical and organisational measures to guard your information against unauthorised access, loss, alteration, or disclosure. These are some of the key steps we take to protect your data:
Secure Storage: All personal information you provide to us is stored on secure servers. We utilise reputable hosting providers that adhere to robust security practices. Data is typically encrypted at rest (where feasible) and always encrypted in transit (we enforce HTTPS for our website, meaning data is encrypted between your browser and our website). We maintain firewalls and access controls to prevent unauthorised access to our systems.
Access Control: Internally, we restrict access to your personal data to employees, agents, and contractors who require access to process it on our behalf. They only access the minimum amount of data required for their role (principle of least privilege). All staff are trained on confidentiality and data protection. Our offices and IT systems are secured with physical controls, passwords, and multi-factor authentication where appropriate.
Password Protection and Encryption: If you set up an online account with us in the future, your account will be protected by a password (or other secure login method) which you should keep confidential. We do not store plaintext passwords – they are hashed or encrypted. Highly sensitive personal data (if we ever handle any, such as ID scans or bank statements for underwriting) is stored in an encrypted form. When we transfer data internally or to service providers, we use encrypted channels (VPNs, secure FTP, etc.).
Monitoring and Testing: We continuously monitor our systems for potential vulnerabilities and attacks, and conduct regular security testing. This includes routine software updates (to patch security issues), periodic penetration tests by security experts, and continuous observation for any suspicious system activity. We also have logging in place, allowing us to audit access to personal data and detect any irregularities.
Secure Disposal: When we no longer need personal data (at the end of its retention period – see Retention section), we delete it securely. Physical documents are shredded or incinerated, and digital data is deleted in a manner that it cannot be readily recovered. Our service providers are contractually bound to do the same.
Organisational Measures: We have a range of internal policies and procedures to ensure data is handled safely. For example, we have an incident response plan so that if any data breach were to occur, we can react swiftly to mitigate harm and notify the appropriate parties (including you and regulators, as required by law). We regularly review who has access to what, and we ensure data protection and privacy by design in new projects (meaning we consider privacy at the outset when designing new systems or features).
While we strive to protect your data, it’s important to understand that no method of transmission over the internet or electronic storage is 100% secure. We thus cannot guarantee absolute security. For instance, email communications or web forms, if not protected, could be intercepted by bad actors, though we use encryption to minimise this risk. Any data you send to us is at your own risk. Once we receive your data, we will implement strict procedures and security features to prevent unauthorised access. If we become aware of a data breach that is likely to result in a high risk to your rights and freedoms, we will inform you and the ICO as required by law.
Your Responsibilities: You also play a role in keeping your information secure. We advise that you use strong, unique passwords for any online accounts (including with us), do not share your account login details with anyone, and be cautious of phishing scams (e.g., emails that look like they’re from us but are not – always verify the sender or contact us if unsure). We will never ask you for your password via email or phone. If you suspect any unauthorised access to your account or data, let us know immediately so we can assist.
International Data Transfers
Burnley Savings and Loans is based in the UK. Generally, we prefer to process and store data within the UK or the European Economic Area (EEA), which has strong data protection laws. However, some of the third parties we work with (or certain technical solutions we use) may involve transferring or storing your personal data in other countries. For example:
• We use cloud services or IT providers that may host data on servers located outside the UK/EEA (for instance, in the United States or other countries).
• If you apply to a lender or partner based outside the UK/EEA through us (less common, but possible in certain specialist finance scenarios), your data may be sent to that entity abroad.
• Our customer service operations or certain team members may occasionally access data remotely while travelling or from an offshore location (for instance, if we use an outsourced support service or have a development team in another country).
Whenever we transfer your personal data out of the UK (or EEA) to a country that is not deemed by UK authorities (or the European Commission) to have an adequate level of data protection, we ensure that appropriate safeguards are in place to protect your information. These are typically:
Standard Contractual Clauses (SCCs): These are legal contracts approved by the European Commission (and recognised in the UK) that bind the receiver of the data to protect it according to EU/UK standards. We sign SCCs with non-UK/EEA service providers unless they are covered by another valid mechanism.
UK International Data Transfer Agreement/Addendum: The UK has its own adaptation of SCCs. We use these when required for transfers from the UK.
Adequacy Decisions: If the country has been officially deemed to provide adequate protection by the UK (or EU), such as countries in the EEA or a few others like New Zealand or Canada, for certain data, then we rely on that decision.
Additional Security Measures: In some cases, we may implement extra technical measures, such as encrypting data before transfer, so that even if it’s stored or processed abroad, it remains protected.
For example, if we use an email service whose servers are in the US, we will have an agreement incorporating SCCs with that provider to ensure your data is safeguarded. Or, if we work with a tech support team in India (for illustration purposes), we would also have contracts and ensure secure remote access protocols.
We also require that any foreign recipients apply the same level of protection as we would have in the UK. We monitor developments and guidance around international data transfers to ensure continued compliance.
If you would like more information about international data transfers (including details of specific safeguards in place for particular services), you can contact our Data Protection Officer. We can provide copies of relevant contract terms or further explanations as appropriate.
Data Retention – How Long We Keep Your Data
We will keep your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. This duration will vary depending on the nature of the data and our interactions with you. Here are some general guidelines we follow:
Active Customer Accounts: If you have an ongoing loan or an open account with us, we will retain your personal data for the life of that account or contract. This enables us to effectively manage the service (e.g., process payments, send statements, respond to inquiries) and comply with our contractual obligations.
After Closure of Account/Service: Once your relationship with us ends, for example, after you repay your loan in full or you decide not to proceed after getting a quote, we generally retain your data for a defined retention period. In most cases, this is up to six (6) years from the end of our relationship or the date of the last transaction. A six-year retention period is common in financial services, as it aligns with certain legal requirements and the UK’s statute of limitations for contractual claims. This means if any dispute or legal issue arises within six years, we have the records to defend or address it. It is also aligned with guidance from our regulator (the FCA) and practices across the industry for record-keeping.
Regulatory and Legal Requirements: Certain information may need to be retained for specific periods due to legal requirements. For example, anti-money laundering regulations may require us to keep identity verification and transaction records for 5 years from the end of the customer relationship (or longer if required by local transposition of the EU 5th AML Directive). Also, if you make a complaint, the Financial Ombudsman Service expects firms to have relevant records (complaints can be raised within 6 years or 3 years from when you became aware of an issue). Thus, the 6-year timeframe generally covers these needs.
Anonymised Data: In some cases, rather than fully deleting data, we may anonymise it (so it can no longer be associated with you) and retain it for longer for analysis. For instance, we might keep anonymised loan performance data to study credit risk trends. This is not personally identifiable and, therefore, not subject to the same retention limitations.
Marketing Data: If you are not a customer but have subscribed to receive marketing communications (for example, you signed up for our newsletter), we will retain your contact information for marketing purposes until you unsubscribe or the information becomes inaccurate. If you unsubscribe, we will promptly remove you from our marketing lists. However, we may keep your contact information on a suppression list indefinitely to ensure we don’t accidentally contact you.
Recruitment Records: (If applicable) If you applied for a job with us, personal data in recruitment will be kept only for the recruitment period, unless we need to retain it longer for legal reasons or if you consent to us keeping your CV on file for future openings.
At the end of the relevant retention period, we will either securely delete or destroy the personal data, or pseudonymize/anonymise it if we still need it for statistical purposes. For example, our databases may purge personal identifiers while keeping general account information for portfolio risk analysis.
Retention Example: Suppose you took a loan with us that ended on 1st July 2025 (fully repaid). We will keep your records until at least 1st July 2031 (6 years later). After that, the data may be deleted around that time in our normal purge cycles, except for any minimal data we retain longer (such as your name and the fact that you were a customer, to prevent re-fraud or for legal holds). If an issue arose in 2027 (within the 6 years), we’d have the info to address it. If you simply inquired about a loan in 2025 but never proceeded, we might keep that inquiry data for a shorter period (perhaps 1-2 years) unless there’s a reason to retain it longer (like a potential fraud record, or because you asked us to keep your file in case you come back).
Extended Retention: There are scenarios where we might need to keep data beyond our standard period, such as:
• If there is a legal dispute or proceeding, we would preserve relevant data until it is resolved (even if that goes beyond the normal retention schedule).
• If instructed by law enforcement or regulators to retain data (for example, if an account is under investigation), we will keep it as required.
• If you exercise certain rights like suppression (as mentioned, e.g., opt-out of marketing), we keep minimal data indefinitely to honour that.
Once we consider that we no longer need your personal data, we will securely delete it. We also periodically review the data we hold to ensure we’re not keeping anything longer than necessary.
Note on Backup Systems: It’s possible that when we delete data from our active systems, it might remain for a time in secure backups. We have processes to eventually purge or overwrite backups too, or to ensure that if data is restored from a backup, it’s deleted again if it should no longer be in live systems. We strive to ensure no personal data lingers beyond what’s needed.
If you have any questions about our retention policy or wish to know if we still have certain information about you, you can contact us for details.
Links to Other Websites
Our website may contain links to websites or mobile apps operated by third parties (for example, links to partner lenders, credit reference agencies, or helpful resources). If you follow a link to any website that is not operated by Burnley Savings and Loans, please be aware that those third-party sites have their own privacy policies, and we do not control how they collect or use your data. We encourage you to read the privacy policy of every site you visit. We are not responsible for the content or data practices of external websites. This Privacy Policy applies solely to data collected by Burnley Savings and Loans for our services.
For instance, if you click a link on our site that takes you to a separate credit broker service or a news article on another domain, any information you provide on that external site will be governed by that site’s privacy practices. However, if you come back to our site or provide information to us, our Policy will apply at that point.
We do provide links to trusted partners and reputable organisations (such as the Vulnerability Registration Service, MoneyHelper, Citizens Advice, etc.) to assist our customers. None of these organisations receives your personal data from us just by virtue of you clicking a link. You would have to engage with them separately and provide data directly to them for them to have it.
In summary, please exercise caution and look at the privacy statements applicable to each website you visit through links on our site. If you have any concerns about a link on our site (e.g., you think a link is malicious or broken), let us know, and we will investigate or remove it if necessary.
Automated Decision-Making and Profiling (Your Rights and Further Info)
(This section is an addendum to the earlier explanation about automated processes, emphasising your rights and our responsibilities around them.)
As described, we may use automated processing, including profiling, to make decisions about you or to analyse your personal aspects. Under data protection law, you have specific rights when such automated decisions significantly affect you:
Right to Human Review: If a decision has been made about you purely by a computer (for example, an algorithm declining your application without any human input) and it has a legal or similarly significant effect, you can request that a human being review that decision. We will then have one of our team members (e.g., a credit underwriter) review your application and the data, consider any additional information you provide, and make a fresh decision or confirm that the automated decision was appropriate. In practice, we often already include human oversight, especially for borderline cases, but your right ensures you can demand it if needed.
Right to Express Your Point of View: You have the right to request an explanation of an automated decision and provide additional information or context for our consideration. For example, you might say, “I believe the decision was wrong because it didn’t take into account X.” We will listen to your viewpoint and factor it in during a review.
Right to Contest the Decision: You can object to an automated decision, and we will then investigate whether the decision was made correctly. If it wasn’t, we may reverse it or adjust it (for instance, if an automated decline was based on an error in your credit file that later gets corrected, we might be able to change the outcome).
Please note that these rights apply when the decision in question is solely automated and has a significant effect. Many decisions we make are not solely automated (often there is some human check, or the decision might not be impactful in a way that triggers the rights – e.g., automated filtering of marketing preferences would not qualify). But for credit eligibility, which can be significant, we treat it carefully.
Example: If you were automatically declined for a personal loan, you could reach out and say you wish to have it reviewed. We would inform you of any basic reason we can (sometimes it might be “the credit score did not meet our cutoff” – though we might not be able to divulge detailed scoring algorithms). You could then, for instance, point out that your credit report had an error (like a wrongly recorded missed payment) or that you have additional income not reflected in your initial application. We would then have a human consider that and potentially re-run the assessment with corrections or override the automated decision if appropriate. We want to ensure deserving customers are not unfairly turned away due to an automated process.
On the other hand, if the automated process was a straightforward enforcement of our policy (e.g., “under 18, auto-decline”), a human would likely uphold it (because we legally cannot lend to minors). But at least you would get confirmation that it wasn’t some arbitrary or incorrect factor.
Profiling Transparency: You are also entitled to ask if we are profiling your data and get some information about the logic involved and what it means for you. We’ve explained some of that above (like credit scoring factors, etc.). If you have questions like “how did you calculate my eligibility?” we can provide a general explanation (keeping in mind that detailed algorithms might be protected for fraud prevention or proprietary reasons).
We hope that our use of automation benefits you with quicker and fair service. But we understand the need for transparency and fairness, so we commit to not using automated decisions in a way that discriminates against or unjustly impacts individuals. Our models do not consider any protected characteristics (such as race, religion, etc.) and are designed solely around credit risk and fraud risk factors. We regularly test outcomes to ensure fairness.
If you remain concerned about any automated processing, please contact us. We can clarify if a decision was automated and work with you to address any issues.
Your Rights Under Data Protection Law
As a data subject (an individual whose data we hold), you have several important rights under UK data protection laws. We are committed to facilitating these rights. Below, we outline your key rights and how to exercise them:
Right to Access (Subject Access Request): You have the right to request a copy of the personal data we hold about you, as well as to obtain information about how we process it. This is commonly known as a “Subject Access Request” (SAR). Upon request, we will provide you with a copy of the information in a commonly used format, along with details on the sources, purposes of processing, and who it has been shared with, unless an exemption applies. How to exercise: You can submit a written request (via email or letter) – see the Contact Us details below. To ensure we release data to the right person, we will need to verify your identity (we may ask for a form of ID or ask security questions). We do not normally charge a fee for this service (it’s free), and we aim to respond within one month of receiving your request (and verification). If your request is complex or numerous, we may extend the time by up to two further months, but we will inform you if that’s the case. Also, if you specifically want certain information (e.g., “I want phone call recordings from June” or “I want copies of specific emails”), telling us that can help us fulfil your request more efficiently.
Right to Rectification: If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. For example, if we have the wrong address or a misspelt name, or an outdated phone number, please inform us, and we will update it. We strive for accurate data, so we welcome corrections. In many cases, you can directly correct certain data (like your contact details) by logging into your account (if online access is available). If that’s not possible, please contact us and we’ll make the necessary adjustments. We will do so as soon as possible, typically within one month. If, for some reason, we cannot act (e.g., if we believe the data we have is correct and your request is unfounded, or if the data is part of a record, we must keep it unchanged for legal reasons), we will explain that to you.
Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal data in certain circumstances. This right is not absolute, but you can ask us to erase data, for example, if: (a) the data is no longer necessary for the purpose we collected it, (b) you originally gave consent and now want to withdraw it and we have no other lawful basis to keep it, (c) you have objected to processing (see right to object) and we have no overriding grounds to continue, or (d) we may have processed your data unlawfully. If you request erasure, we will assess whether the conditions are met. If they are, we will securely delete or anonymise the data. We will also inform any third parties we’ve shared it with (where feasible) about your deletion request. Please note that, due to regulatory reasons, we may not be able to delete all data immediately. For instance, if you’ve had a financial product with us, we are required to keep records for a certain time (e.g., 6 years as mentioned). In such cases, we might not be able to fulfil an erasure request until that period passes. Instead, we would suppress your data from active use. We’ll explain to you what we can and cannot erase at the time of your request. Additionally, if you withdraw your consent for marketing, we will remove you from marketing lists – you don’t necessarily need to request full erasure for this purpose.
Right to Restrict Processing: In certain situations, you can request that we limit the processing of your data (essentially marking it so that we only store it but don’t actively use it until the restriction is lifted). You might exercise this right if you have a dispute over the accuracy of the data or an objection pending, or if our processing is unlawful and you want to prevent further use but not deletion. For example, if you contest an entry on your file, you can ask us to restrict processing of that data until it’s resolved. During restriction, we can still retain the data, but we won’t engage in activities such as sending you marketing or sharing it (except for storage or if required for legal purposes). If the issue is resolved or you consent, we’d remove the restriction and notify you. We’ll inform you when the restriction is in place and when it’s lifted.
Right to Data Portability: You have the right, in certain cases, to receive your personal data that you provided to us in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller at your request. This typically applies to data processed based on your consent or under a contract, and which is processed by automated means. For instance, if we have an online account in the future and you provide data directly into it, you could request a CSV or JSON file of the data you entered (such as your profile information or transaction list) to transfer to another service. Or you could ask that we directly transfer it to a new provider if technically feasible. This right is intended to help you reuse your data across services. It’s not likely applicable to most of our processing (since credit decisions aren’t exactly portable, and much of our data is for regulatory requirements), but if you have such a request, we will do our best to accommodate it. For example, if you need a copy of your loan payment history to provide to another lender, we can provide it in a spreadsheet format.
Right to Object: You have the right to object to certain types of processing of your personal data:
Direct Marketing: You can object to (opt out of) having your data processed for direct marketing purposes. If you object, we will cease such processing immediately. This includes any profiling related to direct marketing. (As explained earlier, you can opt out via the provided channels).
Legitimate Interests: If we are processing your data based on legitimate interests (or performing a task in the public interest) and you feel it impacts your rights and freedoms, you have the right to object to that processing. Upon your objection, we must stop the processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless the processing is for the establishment, exercise, or defence of legal claims. In simpler terms, if you object, we’ll pause and assess our reasons for processing versus your reasons for objecting. If your rights should prevail, we’ll stop that processing. For example, you might object to certain data being used for analytics – if it’s not essential, we would likely comply and stop using it for that. However, if you object to processing that is fundamental to providing your service (like reporting to CRAs or using data to prevent fraud), we may inform you that we cannot cease that processing and still provide you with the service (or comply with the law). In such a case, you might have to choose to terminate the service if you don’t agree, but we’ll discuss it with you.
Right to Withdraw Consent: Where we rely on your consent to process data, you have the right to withdraw that consent at any time. We’ve covered this under various sections (marketing, special data, etc.), but to reiterate, withdrawing consent will not affect the lawfulness of processing that happened before the withdrawal. Once consent is withdrawn, we will cease processing that was based on the consent. There is no penalty or impact on your service for withdrawing consent – for example, if you withdraw consent to marketing, you still get your loan on the same terms; or if you withdraw a consent you gave during an application (like to fetch open banking data), it just means we won’t continue that optional part. To withdraw consent, you can contact us via email/phone (see Contact Us below) or use specific opt-out mechanisms (unsubscribe links, etc.). For consents like cookies, you can also adjust settings on your device.
Right Not to be Subject to Automated Decisions: As discussed, if a decision with legal or significant effect is made solely by an algorithm, you have the right to contest it or have human intervention. We list this separately to emphasise you can say, “I don’t want decisions about me made by computers alone.” While we may not always be able to accommodate requests in real-time (some decisions, such as initial credit scoring, must be automated due to volume), we will ensure that a human is available to review if you request it.
These rights are provided at no cost to you. However, we are allowed by law to charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive (for example, repetitive requests). We rarely, if ever, resort to that. If we decide that a request is excessive (for example, if you submit a SAR every week), we would inform you of why we believe it’s excessive and either ask you to narrow it down or explain the fee. However, we generally aim to be helpful and respect your rights.
To exercise any of your rights, please contact us (see next section for contact details). We may need to request proof of identity (especially for SAR, deletion, etc.) to ensure we’re dealing with the correct individual. This is for your protection – for instance, we wouldn’t want to hand out your data to someone impersonating you. Acceptable proof may include a copy of a driver’s license, passport, or a recent utility bill for address verification. If you are making the request via a third party (like a solicitor), we will need to verify that they have your authority.
Once we have verified your identity and have all the necessary information to locate the data or understand your request, we will proceed. We aim to respond within one month. If we foresee it taking longer (due to complexity or volume), we will let you know within that month and give an estimated timeframe (no longer than an additional two months). We will keep you updated on progress.
If we decide not to act on your request (which could happen if, for example, deleting data would conflict with legal obligations, or if we consider an objection and determine we have overriding legitimate grounds), we will inform you of the reasons for our decision and your right to complain about it.
Remember, you also have the right to lodge a complaint with the ICO if you believe we have not handled your request properly or are otherwise mishandling your data (see “Complaints” below). But we encourage you to reach out to us first so we can try to address your concerns directly. We’re here to help and ensure your data rights are respected.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or data processing practices. If we make significant changes, we will post the updated Policy on our website and change the “Effective from” date at the top so you can see when the last changes occurred. For material changes that may affect you, we may also choose to notify you directly via email or via an in-service notification. For example, if we were to start processing your data for a new purpose not covered by this Policy, or if we change how we share data in a meaningful way, we would let you know in advance when possible.
We encourage you to check this page periodically to review any updates. Any changes will become effective when the revised Policy is posted (or the notified effective date). If you object to any changes, you should contact us and/or consider stopping using our services if the issue is unresolved. If you continue to use our services after the date the updated Policy takes effect, we will assume you have acknowledged the changes.
This Policy is version 1.0 (August 2025). Historical versions of our privacy policy may be requested from us if needed. We maintain an archive of changes for accountability.
Contact Us (Questions or Exercising Your Rights)
We welcome any questions, concerns, or requests you may have regarding this Privacy Policy or our handling of your personal data. Our aim is to be transparent and fair, so please do not hesitate to reach out.
Data Protection Officer (DPO): We have appointed a Data Protection Officer who oversees our data protection strategy and compliance. You can contact our DPO by emailing privacy@bsal.co.uk or info@bsal.co.uk (either will reach us for privacy matters). Please include attention to the Data Protection Officer in the subject line or body.
Postal Address: If you prefer to write to us or need to send documents for identity verification, you can reach us at:
Data Protection Officer
Burnley Savings and Loans Limited
30 Keirby Walk
Burnley, Lancashire
BB11 2DE
United Kingdom
· Telephone: You can call us at 01282 454744. Our phone lines are open 9am to 5pm Monday to Friday (excluding bank holidays). Calls may be recorded (as noted before). Our staff will either help directly or refer you to the appropriate department for privacy inquiries.
When contacting us about your data or rights, please provide enough information for us to locate your records (e.g., your full name, any account or reference number if you have one, the service you used, etc.). For rights requests, also be prepared to verify your identity – we might ask you to confirm some personal details or provide ID as mentioned. This is to protect you.
We will do our best to respond promptly. Email is usually the quickest method for rights requests, but choose whatever is most convenient for you. We aim to make the process as smooth as possible.
Complaints and Your Right to Contact the ICO
We hope to resolve any privacy-related issues or concerns you have. You can always reach out to us using the contact details above, and we will work with you to address your complaint. However, if you are not satisfied with our response or believe we are processing your personal data unlawfully or not in line with data protection law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK’s independent authority overseeing data protection rights.
· The ICO’s website is ico.org.uk – here you can find information on how to raise a concern. They have an online form and guidance on the process.
· You can also contact the ICO by phone: 0303 123 1113 (this is their helpline).
· Or by mail: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK.
The ICO will usually ask if you’ve tried to resolve the issue with us first (and they often expect that you do so). We certainly encourage you to let us try to fix the matter before contacting them, as we are committed to your privacy and it might be a misunderstanding or an easily fixable issue. That said, you absolutely have the right to go to the ICO at any time.
If you live or work in another European country (or have a complaint about our activities in an EU country), you may alternatively contact the data protection authority in that country. For example, if you reside in Ireland, you could contact the Irish Data Protection Commissioner. But for most of our UK customers, the ICO is the relevant authority.
Other Avenues: If your concern relates to how we handled a financial matter (such as a credit reporting issue or lending decision) and you believe it’s also something for the Financial Ombudsman Service (FOS), you can consider contacting them. The FOS handles complaints about financial services. However, issues related solely to data handling fall under the ICO. In some cases, there’s overlap (e.g., a complaint about inaccurate data affecting your credit – ICO can address data accuracy, FOS can address any fairness in lending decisions). We can guide you if you’re unsure.
No Retaliation: Rest assured, we will never discriminate against or penalise you for exercising your rights or making a complaint (whether to us, the ICO, or any body). Your services with us will remain the same. Our goal is to operate with transparency and fairness.
Thank you for reading this Privacy Policy. We hope it has helped explain how we protect your personal data and your associated rights. If anything remains unclear or if you need further information, please get in touch. Your trust is important to us, and we are always here to help.
Our Story
When the big banks turned their backs on hard-working people after the financial crisis, Dave Fishwick decided to do something about it. In 2011 he founded Burnley Savings and Loans with one radical idea at its heart: finance should be fair for everyone, and every penny of profit should go to good causes. He proved that a bank could lend to local people on decent, common-sense terms and still make a positive difference in the community.
What do we mean by “fair” finance? For Dave, fair finance means always putting people before profit. It means we work with a range of partner lenders to find you the best deal we can – if one of them can offer a better rate or a more suitable loan than we can, we’ll make sure you get that option. It also means doing everything we can to help more folks get approved for loans that are affordable and responsible, rather than leaving people with nowhere to turn. And “fair” isn’t just a slogan – it’s a promise that we give back to the community. We don’t pocket the profits ourselves; every pound we earn is donated to local charities and good causes to help others. In short, Dave’s approach is about doing what’s right for you, the customer, every single time.
Since then, this fair approach to finance has helped thousands of people across the UK, showing that banking can put people first. Dave’s mission has even inspired the Netflix “Bank of Dave” films and sparked a growing movement of ethical lenders fighting for real change in the financial world. As Dave himself puts it, we have a duty to act in the very best interests of our customers at all times – proving that finance can be fair, and that when you “Bank on Dave,” you’re banking on something better for everyone.
Why We Do This
WHERE OUR PROFITS GO
I sent an email asking for help to release me from being a mortgage prisoner. I didn't expect a response but to my surprise I was contacted by a Mortgage Advisor called James Adamson. James turned out to be my Knight in shining armour. He secured a Mortgage for me with Principality Building Society which has now completed and I am released from an interest only Mortgage. How I wish I had contacted the Bank of Dave sooner.
Margaret Ward








Helping real people obtain fair-rate loans that give back to society
Save yourself money. Help save and improve the lives of others.


Burnley Savings and Loans Limited is authorised and regulated by the Financial Conduct Authority (FRN: 717019).
We act as a credit broker and a lender. We can introduce you to a limited number of lenders who may be able to offer you finance facilities for your purchase. We will only introduce you to these lenders. We will receive a commission payment from the finance provider if you decide to enter into an agreement with them. Your interest rate is determined by several factors such as the age of the vehicle, the amount you borrow and the terms of the agreement. These factors may affect the commission we receive from the lender for any agreement that is entered. We will provide customers with a written breakdown of any commission paid by the lender prior to a signing of the credit agreement, which you will acknowledge the presence thereof.
Rates from 10.9%: The actual APR offered is subject to status and is based on your individual circumstances on application. Representative example: Borrowing £7,500.00 over 4-years with a representative APR of 22.1%, the amount payable would be £224.38 per month, with a total cost of credit of £3,270.24 and a total amount repayable of £10,970.24.
If you would like to know how we handle complaints, please ask for a copy of our complaints handling process. You can also find information about referring a complaint to the Financial Ombudsman Service (FOS) at financial-ombudsman.org.uk.
Registered in England and Wales. Company number 7640762

