Effective as of 07 August, 2024

1. Introduction

This privacy policy explains how the Mount Street (“Mount Street”, “we”, “us”, “our”) collects, uses, and shares your personal data. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and any other applicable data protection laws. Please read this policy carefully before using our website or providing us with any personal data.
Mount Street is made up of different legal entities and this privacy policy is issued on behalf of the Group so when we mention “Mount Street”, “we”, “us” or “our” in this privacy policy, we are referring to the relevant company in the Group responsible for processing your data. We will let you know which entity will be the controller for your data when you purchase a product or service with us. Mount Street Mortgage Servicing Limited is the controller and is responsible for the maintenance of this website.

2. What personal data do we collect?

Personal data means any information that can identify you directly or indirectly. We may collect the following types of personal data from you when you use our website:

  • Contact Data – Name, email address, phone number, and other contact details that you provide when you fill out a form, register for an account, subscribe to our newsletter, or contact us through our website.
  • Financial Data – Financial information, such as bank account details, credit card details, income, expenses, and other information that you provide when you apply for or use our products or services.
  • Identity Data – Identification information, such as passport number, driver’s license number, national insurance number, and other information that you provide to verify your identity or comply with our legal obligations.
  • Technical Data – Technical information, such as your IP address, browser type, device type, operating system, location data, and other information that we collect through cookies and similar technologies when you access or use our website.
  • Usage Data – Usage information, such as the pages you visit, the links you click, the time and duration of your visits, and other information that we collect through analytics tools when you access or use our website.
  • Marketing & Communications Data – Marketing information, such as your preferences, interests, feedback, and other information that you provide when you participate in our surveys, promotions, contests, or events, or when you interact with our social media accounts.

3. How is your personal data collected?

We use different methods to collect data from and about you including through:

a) Your interactions with us. You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

  • apply for our products or services;
  • submit an application for a position, or query about a job opening;
  • subscribe to our services or publications;
  • request marketing to be sent to you;
  • enter a competition, promotion or survey; or
  • give us feedback or contact us.

b) Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.

c) Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out:

i.Technical Data is collected from the following parties:

  • analytics providers
  • advertising networks; and
  • search information providers.

ii. Contact, Financial and Transaction Data is collected from providers of technical, payment and delivery services.

iii. Identity and Contact Data is collected from data brokers or aggregators.

iv. Identity and Contact Data is collected from publicly available sources such as Companies House and the Electoral Register based inside the UK.

 

4. Why and how do we use your personal data?

We use your personal data for the following purposes and on the following legal bases:

  • To comply with our legal and regulatory obligations, such as verifying your identity, preventing fraud, maintaining records, and cooperating with authorities, based on our legal obligations.
  • To provide you with our products and services, to process your transactions, to communicate with you, and to fulfil our contractual obligations to you.
  • To improve our website, products, and services, to develop new features and functionalities, to analyse your usage and behaviour, and to enhance your user experience, based on our legitimate interests.
  • To send you marketing communications, such as newsletters, offers, and updates, to inform you about our products and services, and to personalise our marketing messages, based on your consent or our legitimate interests.
  • To protect our rights and interests, such as enforcing our terms and conditions, resolving disputes, defending claims, and preventing harm, based on our legitimate interests or our legal obligations.

5. Who do we share your personal data with?

We may share your personal data with the following recipients, subject to appropriate safeguards and confidentiality agreements:

  • Our affiliates and subsidiaries that provide or support our products and services, or that operate in different jurisdictions.
  • Our service providers, such as IT vendors, payment processors, marketing agencies, and analytics providers, that perform services on our behalf or assist us with our operations.
  • Our business partners, such as financial institutions, credit bureaus, and insurance companies, that offer or facilitate our products and services, or that collaborate with us on joint ventures or projects.
  • Our regulators, auditors, lawyers, and other professional advisors, that supervise, audit, advise, or represent us in relation to our business or legal matters.
    Our customers, clients, and counterparties, such as individuals, companies, or organizations, that have a contractual or commercial relationship with us or with whom we interact through our website.
  • Other third parties, such as law enforcement agencies, courts, or other public authorities, that have a lawful or legitimate request or demand for your personal data, or that we need to disclose your personal data to protect our rights or interests.

6. How do we transfer your personal data?

We have our Head Office in England, United Kingdom, but operate globally. We may transfer your personal data to other countries or regions that have different data protection laws and standards than the UK. For example, we may transfer your personal data to our affiliates and subsidiaries in the European Union and the United States of America, or to our service providers or business partners that are located or operate outside the UK. When we transfer your personal data to another country or region, we will ensure that your personal data is protected by appropriate safeguards which meet the requirements of Article 45 0f the UK GDPR. You can contact us to obtain a copy of the safeguards that we use to transfer your personal data.

7. How long do we keep your personal data?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law, we must keep basic information about our customers including Contact, Identity, Financial and Transaction Data for 6 [six] years after they cease being customers for tax purposes.

In some circumstances you can ask us to delete your data: see (9) below for further information.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

8. How do we protect your personal data?

We are committed to protecting the confidentiality, integrity and availability of the data using a variety of commercially reasonable, industry standard physical, administrative and technical safeguards. This includes, but is not limited to, access controls, employee training, industry-standard encryption, firewalls, and server authentication technology to protect data when the Sites are accessed using a supported web browser. We host data in cloud-based environments including Microsoft Azure and Amazon Web Services (AWS) that use intrusion protection and intrusion detection systems and other industry-standard technology to prevent access from outside intruders. These include appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an

unauthorised way, altered or disclosed and we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know

It is your responsibility to keep confidential the username and password provided to you by Mount Street at the time of your registration on the Website. If you become aware of any unauthorized use of an account, loss of your account credentials or suspect a security breach, notify us immediately.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9. What are your rights?

You have the following rights under the UK GDPR and any other applicable data protection laws, subject to certain conditions and exemptions:

  •  The right to access your personal data and to obtain a copy of it (“subject access request”).
  • The right to rectify your personal data if it is inaccurate or incomplete.
  • The right to erase your personal data if you withdraw your consent, if it is no longer needed, or if it is processed unlawfully.The right to restrict the processing of your personal data if you contest its accuracy, if its processing is unlawful, or if we no longer need it.
  • The right to data portability, which means to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
  • The right to object to the processing of your personal data, especially for direct marketing purposes, or if the processing is based on our legitimate interests.
  • The right to withdraw your consent at any time, without affecting the lawfulness of the processing based on your consent before its withdrawal.
  • The right to lodge a complaint with the ICO or any other competent data protection authority, if you are not satisfied with how we handle your personal data.

To exercise your rights, or to obtain more information about your rights, please contact us using the details below. We will respond to your request within one month, unless we need more time or we have a valid reason to reject it. We may ask you to provide proof of your identity or other information to verify your request. We will not charge you any fee for exercising your rights, unless your request is manifestly unfounded, excessive, or repetitive.

10. How can you contact us?

We are Mount Street, a company registered in England and Wales under company number 03411668, with our registered office at 100 Wood Street, London, EC2V 7AN, United Kingdom. You can contact us by email at info@mountstreet.com, by phone at +44 20 7659 7000, or by post at our registered office address. You can also contact our Data Protection Officer, who is responsible for overseeing our compliance with the UK GDPR and any other applicable data protection laws, by email at GroupCompliance@mountstreet.com, by phone at +44 20 7659 7000, or by post at our registered office address.

11. How do we update this policy?

We may update this policy from time to time to reflect changes in our practices, technologies, laws, or regulations. We will notify you of any material changes by posting a notice on our website, or by sending you an email, or by any other means required by law. The date of the last update will be indicated at the top of this policy. We encourage you to review this policy periodically to stay informed about how we collect, use, and share your personal data.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.