Customer Privacy Notice

Pinpoint Finance is a trading style of Pinpoint Commercial Finance Ltd, which is authorised and regulated by the Financial Conduct Authority, number 733225. We are registered with the Information Commissioner’s Office under registration number ZA146757.

1. Why we are asking you to read this notice

During the course of dealing with us we will ask you to provide detailed personal information about your existing circumstances, your financial situation, and in some cases your health and family health history (“Your Information”). This Customer Privacy Notice explains what we will need to do with Your Information and the rights you have in relation to it.

We have updated this notice to reflect the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Financial Conduct Authority’s Consumer Duty (PRIN 2A), all of which set high standards for how we look after your data and treat you fairly.

2. What we mean by “Your Information”

Your Information means any information describing or relating to you. It may identify you directly (for example your name, address, date of birth or National Insurance number) or indirectly (for example your employment situation or financial circumstances).

In the context of providing advice on loans, mortgages, commercial finance and insurance, Your Information may include:

• name, date of birth, gender, nationality, marital status, contact details, addresses, and identification documents
• employment, salary, bonuses, sick pay, other benefits, and employment history
• bank account details, tax information, loans, credit commitments, credit history, sources of income and expenditure, family circumstances and dependents
• health status and history, treatment and prognosis, medical reports (further detail in section 4 below)
• pre-existing loans, mortgage and insurance products and the terms relating to them
• where you may be in vulnerable circumstances (for example as a result of health, life events, financial resilience or capability), the information needed to provide you with appropriate support

3. The basis on which we use Your Information

When you ask us to advise on or arrange a loan, mortgage, commercial finance facility or insurance product, we use Your Information primarily to perform our contract with you (UK GDPR Article 6(1)(b)).

We also rely on the following lawful bases where appropriate:

• legitimate interests (Article 6(1)(f)) — for example to keep you informed about your existing products, to seek feedback on our service, or to maintain accurate records after our advice relationship ends
• legal obligation (Article 6(1)(c)) — to meet our regulatory duties to the FCA, HM Revenue & Customs, the Information Commissioner, anti-money laundering legislation, and the Financial Ombudsman Service
• consent (Article 6(1)(a)) — where you have agreed to receive marketing communications, or for non-essential cookies on our website (you can withdraw consent at any time)

4. Special category and criminal data

Some of the information you may share with us is treated as “special category” or “criminal” data under data protection law and requires a higher level of protection.

4.1 Health and insurance information

If you ask us to assist with your insurance needs (in particular life insurance and protection insurance), we may ask about your health, family health history, and ethnic origin. We will record and use this information to make enquiries with insurance providers about products that may meet your needs and to advise on suitability.

4.2 Information about children

If you have parental responsibility for children under 16, we are likely to record information about them and, where relevant, their special category data, only as needed to advise on the policies you are arranging.

4.3 Criminal disclosures

Some insurance products require disclosure of historic or current criminal convictions or offences (“Criminal Disclosures”). This is relevant to underwriting, claims and fraud management.

4.4 Vulnerability information

Where we identify that you may be in vulnerable circumstances, we record this so that we can provide appropriate support and reasonable adjustments throughout our relationship. This is recorded sensitively, on a need-to-know basis, and reviewed at least annually.

4.5 Lawful basis for special category and criminal data

When we process special category data and criminal disclosures, we do so on the basis of:

• substantial public interest under UK GDPR Article 9(2)(g) and the Data Protection Act 2018 Schedule 1 Part 2 — including for the regulatory purposes of providing financial advice and identifying customer vulnerability
• preventing or detecting unlawful acts under DPA 2018 Schedule 1 Part 2 Paragraph 11 — for example our anti-money laundering and sanctions screening

5. How we collect Your Information

We collect Your Information from a number of sources, mainly directly from you during meetings, calls, or via secure online forms.

We may also obtain information from third parties such as credit reference agencies, electronic identity verification services, your employer, lenders, or publicly available sources such as the electoral roll. Where we use technology to verify your identity or assess credit information, we will inform you of how this works before any service is activated.

6. What happens to Your Information when it is disclosed to us

When you share Your Information with us, we will:

• record and store your information within our secure compliance customer relationship management system (FinPlan), our marketing customer relationship management system (Go High Level) where you have consented to marketing communications, and on Microsoft 365 cloud services. Access is restricted to authorised individuals at Pinpoint Finance
• verify your identity and complete anti-money laundering checks using our electronic verification service (currently RedFlag ID), which performs identity, address, politically exposed person and sanctions screening
• submit Your Information to lenders, packagers, insurance providers and conveyancing solicitors as needed to progress your application
• use Your Information to respond to questions from lenders, providers, regulators and other authorised parties
• use Your Information to handle any complaint you may make in line with our regulatory duties
• where you have consented or where it is in our legitimate interests, send you marketing communications about products and services that may interest you (you can opt out of marketing at any time)
• use Your Information to evidence the suitability of advice we have given you and to support our regulatory record-keeping for at least six years after our relationship ends

7. Sharing and transferring Your Information

Your Information will be shared with or transferred to the following categories of recipient, only where necessary and only for the purposes set out in this notice:

• lenders, insurance providers, packagers, master brokers and product specialists, to progress and arrange the products you require
• conveyancing solicitors, surveyors and valuers, where required for your case
• our information technology, cyber security and IT support provider (currently Genius IT Solutions)
• our cloud telephony provider (currently Invoco)
• our marketing customer relationship management provider (currently Go High Level)
• our identity verification provider (currently RedFlag ID)
• our compliance customer relationship management provider (currently FinPlan)
• our accounting software provider (currently QuickBooks Online)
• our cloud services provider (currently Microsoft 365)
• our professional indemnity insurers, brokers, claims handlers and legal advisers, where this is necessary to manage a complaint, claim or investigation
• fraud prevention agencies and credit reference agencies, where searches are needed to verify your details and progress your application
• the Financial Conduct Authority (FCA), the Financial Ombudsman Service, HM Revenue & Customs, the Information Commissioner’s Office, the National Crime Agency, and any other regulatory or law enforcement body to whom we are required to disclose Your Information

Where Your Information is shared, it is shared only for the purpose of providing the service or meeting our legal duties. The third parties we share with are not entitled to use Your Information to send you their own marketing.

7.1 International transfers

We are a UK firm and most of Your Information is processed within the UK. However, some of our cloud-based service providers (notably Microsoft 365 and Go High Level) may process or store data in jurisdictions outside the UK. Where this happens, we rely on the UK Government’s adequacy decisions, Standard Contractual Clauses, and supplementary safeguards to keep Your Information protected at the UK standard.

8. Security and retention of Your Information

Your privacy matters to us. We protect Your Information through a combination of technical and organisational measures including:

• secure cloud-based storage with multi-factor authentication
• role-based access controls so that only authorised people see your data
• encryption in transit and at rest
• annual data protection and cyber security training for all our personnel
• a documented incident response process so that any data breach is identified, notified to the Information Commissioner’s Office within 72 hours where required, and remediated quickly

We also ask you to play your part in keeping Your Information safe by not sending confidential information by unprotected email, ensuring email attachments are password-protected or encrypted, and using secure post when sending originals.

We retain Your Information for the following minimum periods, in line with FCA, anti-money laundering and tax requirements:

• mortgage advice records: at least 6 years from the end of the contract or sale
• consumer credit records: at least 6 years where applicable
• anti-money laundering records: 5 years from the end of our relationship
• complaints records: 3 years from closure

Where multiple regulations apply, we keep records for the longest applicable period.

9. Your rights in relation to Your Information

Under UK data protection law you have the following rights:

• request a copy of Your Information that we hold about you (subject access request) — we will respond within one month
• ask us to correct information that is inaccurate or out of date
• ask us to delete or restrict our use of Your Information, where we are not legally required to keep it
• ask us to transfer Your Information to another organisation in a structured electronic format, where this is technically feasible
• object to processing carried out on the basis of legitimate interests
• withdraw any consent you have given (including consent to receive marketing communications) at any time

If we believe we have a legal or regulatory reason not to action a request — for example where retention rules require us to keep certain records — we will explain that to you at the time.

10. How to contact us about Your Information

For any question, comment or request relating to Your Information, please contact our Data Protection Lead:

Please contact us as soon as possible if you become aware of any unauthorised disclosure of Your Information, so that we can investigate and meet our regulatory obligations.

11. Complaints to the Information Commissioner’s Office

If you have any concerns about how we have handled Your Information, you can lodge a complaint with the Information Commissioner’s Office, who is the UK’s data protection regulator. Their contact details are:

12. Changes to this Privacy Notice

We review this Customer Privacy Notice at least annually and following any material change to our processing activities or to the law. The current version is always available on our website at pinpoint.finance, on request from our office, and is provided to all new customers at the start of our relationship.