Privacy Notice
Date of publication: February 2026
Riverton Home Finance ("Riverton") takes the privacy of personal data very seriously. As required under the UK General Data Protection Regulation (UK GDPR), we have provided a privacy notice which sets out how personal data is processed and protected, and individuals' rights surrounding this data.
Who needs to read this privacy notice?
You should read this privacy notice if you use or are involved with our mortgage lending services.
About us and our relationship with you
Riverton Home Finance Limited is authorised and regulated by the Financial Conduct Authority. Firm reference number 1023724 and ICO registration reference ZB953628. Riverton Home Finance Limited is registered in England and Wales with company number 11877651. Registered Office: The Post Building, 100 Museum Street, London WC1A 1PB.
This privacy notice applies to all situations where we process personal data about any individual in connection with our mortgage lending services.
Riverton Home Finance Limited provides regulated mortgage lending services in England, Wales and Scotland. In order to provide these services, we process personal information about you throughout your relationship with us. If you are an applicant, your personal data is likely to be provided to us by your adviser in the first instance, but it may also be collected directly from you and other available sources. Prior to and throughout the application process and after the loan has been granted, we may also be required to process personal data relating to a joint applicant of the loan, or another related third party. If you are an adviser, or intermediary, we are likely to collect your personal data directly from you or your broker firm as required for onboarding or over the course of a mortgage application.
We are a controller under data protection laws. This privacy notice explains how we use and look after your personal data. This privacy notice also tells you about your privacy rights and how the law protects you.
About this privacy notice
This privacy notice contains information about:
• The personal data that we process as a controller.
• Where the personal data has been obtained.
• The reasons why we process your personal data and the lawful basis we use to do so.
• The security measures that we have in place to keep your personal data secure.
• The length of time we store your personal data for.
• The organisations, or categories of organisation, with whom we might share your personal data.
• International transfers of your personal data.
• The rights you have under data protection laws in relation to our processing of your personal data.
The meanings of words shown in bold underlined text are explained in the Glossary. Throughout this notice any reference to "we" or "us" refers to Riverton Home Finance Limited.
Please note that we may change this privacy notice from time to time. The latest version of our privacy notice can be found on our website: www.rivertonhomefinance.co.uk/privacy-notice
What personal data do we process?
The categories of personal data we process include the following:
1. Personal data which includes:
- identity: name, date of birth, gender, National Insurance number
- contact: address, address history, telephone number, email address
- family information: marital status, details of dependents and other occupants
- nationality, residency status and citizenship information
- financial information: income and expenditure, savings, borrowings, debts, transactional history, information from credit reference agencies and fraud prevention agencies, financial distress reports, source of deposit
- employment record
- occupier status: e.g. whether you are currently a tenant or owner-occupier
2. Mortgage information: Personal data relating to details of your mortgage and property. Personal data in this category may include:
- property value
- loan amount
- joint/single loan
- cash advance
- loan to value ratio
- Additional information - if you are in breach of the terms of your mortgage, we may obtain more information about the reason for the breach from other third parties in order to help determine what action to take.
3. Sensitive personal data: We may also collect sensitive personal data about you to the extent that this is necessary and relevant to the provision of our products and services (for example, where we need to carry out our legal obligations, such as detecting fraud and financial crime, where it is needed in the public interest, such as making our products and services more accessible for those who require additional support or for our customers' economic well-being, or in limited circumstances with your explicit written consent (which you can withdraw at any time)). The processing of sensitive personal data may also extend to:
- religious beliefs
- political opinions
- racial or ethnic origin information
- biometric data
- information concerning health
- trade union membership
We may also, in line with relevant laws and regulations, process information that you provide to us about criminal convictions as part of your application.
The reasons why and lawful bases relied on to process your personal data
The table below provides details of the purpose and the lawful bases upon which we process personal data.
| Types of personal data | Why do we need it | Lawful bases for processing |
|---|---|---|
| | To provide you with our mortgage lending services and operate our business. We process personal data to onboard you, correspond with you and/or to manage your account, and discuss accounts you are supporting, effectively. We also process personal data to operate our mortgages business and manage the risks aligned to our loans. This includes the potential processing of personal data in connection with the sale or potential sale of our interest in the loans to other parties and managing mortgage term breaches. | Performance of a contract (the mortgage agreement) with you. Necessary for our legitimate interests (to manage customer accounts and the onboarding process, operate our business effectively and efficiently, manage the risks associated with our business, and provide a high standard of service). Substantial public interest – to allow us to support individuals with a disability or medical condition (sensitive personal data) which impacts the account or service with us. |
| | To verify your identity and to assess creditworthiness. We process personal data to carry out due diligence in relation to your application. For example, we need to verify your identity and check your credit history with Credit Reference Agencies to assess your creditworthiness. We also use your personal data to assess your affordability and suitability for our products where appropriate, and for security assessments. | Performance of a contract with you. Necessary for our legitimate interests (to ensure products are suited to your needs, to make fair, informed decisions). |
| | For the prevention of financial crime. We process personal data to meet our obligations in relation to anti-money laundering and the prevention of financial crime. | Performance of a contract with you. Legal obligation. Necessary for our legitimate interests (to detect, prevent and investigate financial crime, including fraud and money laundering). Substantial public interest – preventing fraud and detecting unlawful acts (for sensitive personal data and criminal convictions). |
| | To communicate with you, and relevant third parties. We process personal data to correspond with you regarding your mortgage application or a mortgage application you are supporting, and to ensure we are providing adequate support to you in the management of your mortgage account prior to and throughout the application process and after the loan has been granted. | Performance of a contract with you. Legal obligation. Necessary for our legitimate interests (to manage your account and provide a high standard of service). Substantial public interest – such as providing support for individuals with a disability or medical condition (for sensitive personal data), for example providing our documents in accessible formats such as braille or large print. |
| | To improve our service. Where we have telephone calls with you, we may record these for training, auditing and monitoring purposes and to review and improve our services. We may also send you a customer satisfaction and/or feedback survey. | Performance of a contract with you. Necessary for our legitimate interests (to manage customer accounts and provide a high standard of service). Substantial public interest – support for individuals with a disability or medical condition (for sensitive personal data) such as using scenarios relating to customers with disabilities or medical conditions to train our staff or audit customer experiences. |
| | To meet our legal and regulatory obligations. We process personal data to meet our obligations under the law, regulations, and guidelines issued by the Information Commissioner's Office (ICO), General Data Protection Regulation (UK GDPR), Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA). | Legal obligation. |
| | When purchasing or selling a mortgage portfolio. We process personal data to: | Necessary for our legitimate interests (to operate our business effectively and efficiently, manage the risks associated with our business, and meet our legal and contractual obligations. This includes selling interests in the loans to other parties.) |
| | When servicing a mortgage portfolio. We process personal data to: | Necessary for our legitimate interests (to operate our business effectively and efficiently, manage the risks associated with our business, and meet our legal and contractual obligations. This includes selling interests in the loans to other parties.) |
| | To tell you about our products and services. We process personal data to tell you about products and services that may interest you. | Consent (we may ask for your consent in order to provide you with information about our products and services). |
How do we keep your personal data secure?
Our commitment to corporate security is demonstrated through the implementation of policies, controls and procedures, which are externally certified and audited to the international information security standard, ISO 27001:2013.
Our security policies, controls and procedures are regularly reviewed and updated so that we maintain good practices across our business to keep your information safe. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have contractual arrangements in place with all of our service providers who process personal data in accordance with data protection laws. We regularly check that our service providers are complying with their contractual commitments. This includes assessing and reporting on our service providers' information security controls to check their compliance using questionnaires and/or on-site audits.
How long do we store your personal data?
We will only keep your personal data for so long as we reasonably require and, in any event, only for as long as our internal rules and policies allow us in order to fulfil our business or legal and regulatory obligations. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Who has access to your personal data?
We share personal data with a variety of other companies to operate our business. However, we only share the personal data where necessary to help us satisfy one or more of the reasons for processing set out above.
We have detailed the types of companies with whom we currently share personal data below:
1. Tracing agencies
We use these companies in order to check whether you are alive and whether your current address is your place of residence.
2. Property related service providers
We engage a number of companies to provide services relevant to the mortgages we provide, including property valuation companies, auditors and due diligence providers.
3. Credit reference and fraud prevention agencies
We may use credit reference agencies to verify your identity and check your credit history. Fraud prevention agencies may also be used to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information may be used by these fraud prevention agencies, and your data protection rights, can be found here.
4. Other service providers to our business
Other companies who process personal data on our behalf include those service providers who provide day-to-day operational business services such as emails, IT infrastructure and software, archiving, document scanning and copying, document destruction and printing.
5. Existing mortgage providers
We may share your personal data with lenders in the course of your mortgage application.
6. Group entities
We will sometimes need to share personal data with entities within the Rothesay group of companies for administrative purposes and as part of our internal financing arrangements.
7. Other loan providers or third parties like us
If we decide to sell our interests in certain of our loans to another provider or third party, we will give your personal data to the actual or proposed purchaser of the economic interest in your mortgage.
8. Professional advisers
We sometimes have to share personal data with our professional advisers (including accountants and lawyers) where it is required for the purposes of their advice.
9. Regulators, law enforcement and auditors
We will share personal data when requested by regulators, law enforcement agencies or other third parties to comply with obligations imposed on us by laws and regulations.
International transfers
Where personal data is transferred to and processed in a country outside of the UK or the EEA (as applicable), we take steps to provide appropriate safeguards to protect your personal data, including by entering into approved standard contractual clauses obliging recipients to protect your personal data and only transferring personal data to the extent that an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data is ensured in compliance with data protection laws.
If you want further information on the specific mechanisms used by us when transferring your personal data outside of the UK or EEA, please contact us using the details contained in the part of this privacy notice headed Contact details.
Your rights
Under certain circumstances, you have the following rights under data protection law:
- The right of access to personal data relating to you. This is commonly known as a ‘subject access request’ and enables you to receive a copy of the personal data we hold about you.
- The right to correct any mistakes in your personal data. However, please note that we may need to verify the accuracy of the new data you provide to us.
- The right to require us to delete your personal data in certain circumstances. For example, where there is no good reason for us to continue to process it or where we may have processed your information unlawfully. However, please note that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- The right to restrict our processing of your personal data. This means you can ask us to suspend the processing of your personal data in one of the following scenarios:
  - If you want us to establish the data's accuracy;
  - Where our use of the data is unlawful but you do not want us to erase it;
  - Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  - You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- The right to object to us processing your personal data, including for marketing purposes, where we are relying on a legitimate interest as the legal basis for that particular use of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
- Right to data portability of your personal data. You have the right to ask that we transfer personal information you gave us to another organisation or to you, in certain circumstances.
- Right to withdraw your consent at any time if we rely on your consent as the legal basis for processing your personal data.
How to exercise your rights
If you wish to exercise any of your rights, please contact us using the details contained in the part of this privacy notice headed Contact details.
Contact details
How to contact us regarding this privacy notice
To contact us you can:
Email us: dpo@rivertonhf.co.uk
Write to us: Data Protection, Riverton Home Finance, The Post Building, 100 Museum Street, London WC1A 1PB.
If you live within the European Union, you can also contact our European representative. Their details are as follows:
- Bird & Bird GDPR Representative Services SRL, Avenue Louise 235, 1050 Bruxelles, Belgium
- Email: eurepresentative.rothesay@twobirds.com
How to make a complaint
If you have a problem or concern relating to the ways we process your personal data or the contents of this privacy notice, please contact us in the first instance.
We hope that we will be able to address the problem or concern to your satisfaction. However, you also have the right to make a complaint to the Information Commissioner's Office.
The process for making a complaint to the Information Commissioner's Office is available here: https://ico.org.uk/make-a-complaint/.
Their contact details are as follows:
- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Phone: 0303 123 1113
- Website: ico.org
Glossary
| Controller | The entity which determines the purposes for which, and the manner in which, any personal data is processed. |
|---|---|
| Data protection laws | Any law relating to the use of Personal Data, as applicable to the Parties, including: In the United Kingdom In member states of the European Union (EU) and/or the EEA Also including any judicial or administrative interpretation of any of the above. |
| Mortgage information | Personal data relating to details of a homeowner's mortgage and property. |
| Personal Data | Any information relating to a living identifiable individual, including: |
| Processing, processed or process | This covers almost anything a company or individual can do with personal data, including: |
| Sensitive personal data | Any information relating to any of the following: |