We are HN Flow Ltd (trading as Hydr) (“Hydr“, “we” or “us“) and we are a “controller” for the purposes of data protection legislation. This means that we are responsible for, and control the processing of, your personal information.
We take your privacy very seriously and we ask that you read this Policy carefully as it contains important information on what personal information we collect about you, what we do with that information, and the situations in which we may share your information with other businesses.
This Policy applies to personal data processed by or collected on behalf of Hydr. We may collect information from you when you visit our website, use our services, contact us by telephone or email or receive a communication from us relating to your service.
How we use your information
We will collect your personal information for purposes set out below. We have also indicated below which legal basis allows us to use your information in this way:
- to perform our contract with you for the use of our services or for taking steps prior to entering into it during the application stage (legal basis: to perform a contract that we have entered into with you) including:
- administering and managing your account and associated services, updating your records and tracing your whereabouts to contact you about your account;
- sharing your personal data with certain third-party service suppliers such as background check service providers;
- all stages and activities relevant to managing your account including enquiry, application, administration and management of accounts and illustrations;
- to manage how we work with other companies that provide services to us and our customers; and
- to exercise our rights set out in agreements and contracts;
- to comply with our legal obligations (legal basis: because it is necessary for compliance with a legal obligation) including:
- to carry out identity checks, anti-money laundering checks and checks with Fraud Prevention Agencies pre-application, at the application stage and periodically after;
- for compliance with laws that apply to us;
- for establishment, defence and enforcement of our legal rights;
- for activities relating to the prevention, detection and investigation of crime;
- to carry out monitoring and to keep records;
- to deal with requests from you to exercise your rights under data protection laws; and
- to process information about a crime or offence and proceedings related to that (in practice this will be relevant if we know or suspect fraud);
- when we share your personal data with these other people or organisations (legal basis: to perform a contract that we have entered into with you or because it is in our legitimate interests as a business) including:
- other payment services providers such as when you ask us to share information about your account with them;
- any broker or other intermediary who introduced you to us;
- our legal and other professional advisers, auditors and actuaries;
- financial institutions and trade associations;
- Fraud Prevention Agencies;
- law enforcement agencies and governmental and regulatory bodies such as HMRC, the Financial Conduct Authority, the Prudential Regulation Authority, the Ombudsman and the Information Commissioner’s Office (depending on the circumstances of the sharing);
- courts and to other organisations where that is necessary for the administration of justice, to protect vital interests and to protect the security or integrity of our business operations;
- tax authorities who are overseas for instance if you are subject to tax in another jurisdiction we may share your personal data directly with relevant tax authorities overseas (instead of via HMRC);
- other organisations and businesses who provide services to us such as back up and server hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back office functions;
- buyers and their professional representatives as part of any restructuring or sale of our business or assets;
- Credit Reference Agencies (see below where we explain more); and
- Market research organisations who help us to develop and improve our products and services;
- where we consider that, on balance, it is appropriate for us to do so (legal basis: because it is in our legitimate interests as a business) including:
- administering and managing your account and services relating to that, updating your records, tracing your whereabouts to contact you about your account, and doing this for recovering debt;
- to test the performance of our products, services and internal processes;
- to adhere to guidance and best practice under the regimes of governmental and regulatory bodies such as HMRC, the Financial Conduct Authority, the Prudential Regulation Authority, the Ombudsman and the Information Commissioner’s Office;
- for management and audit of our business operations including accounting;
- to carry out searches at Credit Reference Agencies;
- to carry out monitoring and to keep records;
- to administer our good governance requirements;
- to conduct research, statistical analysis and behavioural analysis;
- to customise our website and its content to your particular preferences;
- to improve our products and services;
- to notify you of any changes to our website or to our services that may affect you; and
- for some of our profiling and other automated decision making, in particular where this does not have a legal effect or otherwise significantly affect you.
We may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided, unless you have asked us not to.
From time to time, we may also use your information to contact you for market research purposes. We may contact you by email, phone, fax or mail. We may use the information to customise the website according to your interests.
You can opt out of receiving emails from us at any time by emailing us at firstname.lastname@example.org. Please see ‘The right to ask us to stop contacting you with direct marketing’ below for further information.
Information which we may collect
We collect personal information about you when you register with us, contact us or make use of our services.
We may collect the following personal information:
- identity data, including your full name, driving licence details and passport details;
- contact data, including your postal address, email address and telephone numbers;
- financial data, including bank account details;
- transaction data, including details of your payments;
- technical data, including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the services;
- an electronic image of your signature;
- what we learn about you from letters, emails and conversations between us; and
- personal data about your credit history which we will obtain from Credit Reference Agencies (CRAs) including data which originates from Royal Mail (UK postal addresses), local authorities (electoral roll), the insolvency service, Companies House, other lenders and providers of credit who supply data to the CRAs, court judgments, decrees and administration orders made publicly available through public registers.
We may also collect personal information about you from other sources which we will add to the information we already hold about you in order to help us improve our products and services, and carry out the services that we provide to you as follows:
- companies that introduce you to us;
- Credit Reference Agencies;
- Fraud Prevention Agencies;
- public information sources such as Companies House;
- agents working on our behalf;
- market researchers; and
- government and law enforcement agencies.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data).
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with the services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.
We may also collect anonymised and aggregated data about your use of the services, to help us improve our service offerings and understand the use of our services. Where we collect such data, this will be held on an indefinite basis.
Personal data about other individuals
If you make an application for your business, we will also collect the personal data mentioned above about all individuals who you have a financial link with or professional link through your company, for example other directors or officers of your company, who you must include on the application form.
You must show this Policy to any other applicants (including all beneficial owners and directors) and ensure they know you will share their personal data with us for the purposes described in it.
We may use an external agency to carry out background checks on directors and gather publicly held data to run authentication and world checks.
If the data we gather is insufficient to allow us to run these checks, we will request them directly from you.
To process your application, we will perform credit and identity checks on you with one or more Credit Reference Agencies (CRAs). Where you take products or services from us we may also make periodic searches at CRAs to manage your account with us.
To do this, we will supply your personal data to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
- Assess your creditworthiness;
- Verify the accuracy of the data you have provided to us;
- Prevent criminal activity, fraud and money laundering;
- Manage your account(s) on the App;
- Trace debts; and
- Ensure any offers provided to you are appropriate to your circumstances.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application or tell us that you have a financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.
The identities of the CRAs, their role also as Fraud Prevention Agencies, the data they hold, the ways in which they use and share personal data, data retention periods and your data protection rights with the CRAs are explained in more detail at www.experian.com/privacy/
The CRAs also collect and use personal data for marketing and data profiling activities, to create data modelling tools. These tools are used to model customer behaviour to support marketing, research, brand and product communication campaigns.
You can find out more about how CRAs use your data and how you can opt out at www.experian.co.uk/privacy/consumer-information-portal/
Before we provide services to you, and in order to determine eligibility as a potentially financeable invoice, we undertake checks for the purposes of preventing fraud and money laundering and to verify your identity. These checks require us to process personal data about you.
When we and Fraud Prevention Agencies process your personal data, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.
We, and Fraud Prevention Agencies, may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
Fraud Prevention Agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.
Sharing under change of business ownership
In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.
If Hydr or substantially all of its assets are acquired by a third party, the personal data we hold about our customers will be one of the transferred assets.
How long we will keep your personal information
We will keep your personal data for 7 years from end of last financial year of our business relationship with you. This includes credit agreements, applications forms (paper and electronic), ID provided, credit scores, payments default records and complaints. We keep data relating to prospective and indicative customer enquiries for 6 months following the expiry of the quote or illustration. After this time, the data is securely disposed of.
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Our approach to information security
To protect your information, Hydr has policies and procedures in place to make sure that only authorised personnel can access the information, that information is handled and stored in a secure and sensible manner and all systems that can access the information have the necessary security measures in place. To achieve this, all employees, contractors and sub-contractors have roles and responsibilities defined in those policies and procedures.
To make sure all employees, contractors and subcontractors understand these responsibilities they are provided with the necessary training and resources they need.
In addition to these operational measures, we also use a range of technologies and security systems to reinforce the policies.
To make sure that these measures are suitable, vulnerability tests are run regularly. Audits to identify areas of weakness and non-compliance are routinely scheduled. Additionally, all areas of the organisation are constantly monitored and measured to identify problems and issues before they arise.
Transfers of your information out of the EEA or UK
Whenever we transfer your personal data out of the United Kingdom (UK) or European Economic Area (EEA), we ensure it is done so in accordance with the relevant data protection legislation. Where the third country does not have an adequacy decision we will put in measures such as the Standard Contractual Clauses to ensure that your personal data is protected.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA or UK.
In order to process any of the requests listed below, we may need to verify your identity for your security. In such cases your response will be necessary for you to exercise this right.
The right to access information we hold about you
At any point you can contact us to request that the information we hold about you as well as why we have that information, who has access to the information and where we got the information. Once we have received your request we will respond within 30 days.
The right to correct and update the information we hold about you
If the data we hold about you is out of date, incomplete or incorrect, you can inform us and we will ensure that it is updated.
The right to have your information erased
If you feel that we should no longer be using your data or that we are illegally using your data, you can request that we erase the data we hold. When we receive your request, we will confirm whether the data has been deleted or tell you the reason why it cannot be deleted.
The right to object to processing of your data
You have the right to request that Hydr stops processing your data. Upon receiving the request, we will contact you to tell you if we are able to comply or if we have legitimate grounds to continue. If data is no longer processed, we may continue to hold your data to comply with your other rights.
The right to ask us to stop contacting you with direct marketing
You have the right to request that we stop contacting you with direct marketing. In order to process your request we may need to verify your identity for your security.
The right to data portability
You have the right to request that we transfer your data to another controller. Once we have received your request, we will comply where it is feasible to do so.
The right to complain
You can make a complaint to us by contacting us via email@example.com or to the data protection supervisory authority – in the UK, this is the Information Commissioner’s Office, at https://ico.org.uk/.
In those cases where we need your consent to hold your information, we will ask you to check a box on any form requiring consent. By checking these boxes you are stating that you have been informed as to why Hydr is collecting the information, how it will be used, for how long it will be kept, who else will have access to it and what your rights are as a data subject.
Sharing your information
Where necessary to fulfil our obligations to you, Hydr may pass your details to third parties where this is necessary for the functioning of our product. We may share your personal information with these organisations:
- agents and advisers who we use to help run your accounts and services and explore new ways of doing business;
- HM Revenue & Customs, regulators and other authorities;
- UK Financial Services Compensation Scheme;
- Credit Reference Agencies;
- Fraud Prevention Agencies;
- any party linked with you or your business’s product or service;
- companies we have a joint venture or agreement to co-operate with;
- organisations that introduce you to us;
- companies that we introduce you to;
- market researchers;
- price comparison websites and similar companies that offer ways to research and apply for financial products and services; and
- companies you ask us to share your data with.
We may need to share your personal information with other organisations to provide you with the services you have chosen.
If you have any queries about this Policy, need further information or wish to lodge a complaint you can use the details below to contact the relevant party.
For the attention of Hector Macandrew or Nicola Weedall
HN Flow Ltd (trading as Hydr)
Bonded Warehouse, 18 Lower Byrom Street, Manchester M3 4AP
Changes to this Policy
We may change this Policy from time to time. You should check this policy occasionally to ensure that you are aware of the most recent version that will apply each time you access the website.