Privacy Policy

Last Updated: 30/05/2025

1. Introduction

This Privacy Policy explains how Lifestyle Loans Ltd ("we", "us", "our") collects, uses, shares, and protects your personal data. We are committed to protecting your privacy and handling your data in an open and transparent manner. Important Notice regarding our services: As of 1 December 2024, Lifestyle Loans Ltd has ceased offering new loans to customers. This Privacy Policy outlines how we manage personal data relating to our historic applicants and existing loan account holders, whose accounts are now managed by ACI-UK Limited ("ACI-UK") on our behalf. This policy applies where we are acting as a data controller with respect to your personal data. Please read this policy carefully to understand our views and practices regarding your personal data and how we will treat it.

2. Who We Are (The Data Controller)

Lifestyle Loans Ltd is the data controller responsible for your personal data.

Registered Company Name: Lifestyle Loans Ltd Registered Office: Unit G5, Frome Business Park, Manor Road, Frome, BA11 4FN FCA Registration Number: 787669 ICO Registration Number: ZA290627

3. Data Protection Officer (DPO)

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy policy and our data protection practices. If you have any questions or wish to exercise your legal rights, please contact our DPO using the details below:

Email: info@lifestyleloans.co.uk Postal Address: Data Protection Officer, Lifestyle Loans Ltd, Unit G5, Frome Business Park, Manor Road, Frome, BA11 4FN

4. What Personal Data We Collect

We have collected and continue to process the following categories of personal data about you. This data was primarily collected during your loan application process or through your interactions with us regarding your loan:

Identity Data: Name, date of birth, marital status. Contact Data: Residential address, email address, telephone numbers. Financial Data: Bank account details, income and expenditure details, credit history, details of existing credit commitments, employment details, mortgage/tenancy details, financial status (e.g., bankruptcy, defaults, CCJs, IVAs, DMPs). Loan Application Data: Loan amount requested, purpose of loan, details of any joint applicants. Transactional Data: Details about payments to and from you and other details of products and services you have obtained from us. Technical Data (from website usage): IP address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform (primarily historical data from when you applied). Communications Data: Records of your communications with us (letters, emails, call recordings). Special Category Data (Sensitive Data): Information about your health, if you provided this to us and it was relevant to your application or the management of your account (e.g., for vulnerability assessments). We only process this data with your explicit consent or where necessary to protect your vital interests or for reasons of substantial public interest.

5. How We Obtain Your Personal Data

We obtained your personal data through the following means:

Directly from you: When you applied for a loan via our website or telephone, or during subsequent communications. From Credit Reference Agencies (CRAs): When we conducted credit checks as part of your loan application (e.g., Experian, TransUnion, Equifax). From Fraud Prevention Agencies (FPAs): To prevent fraud and money laundering. From Introducers/Credit Brokers: If you were introduced to us by a third-party credit broker, they would have passed your information to us with your knowledge. We would have informed you of their identity at the time. From ACI-UK Limited: In their capacity as manager of your existing loan account, they may provide us with updated information or details related to the servicing of your account.

6. How We Use Your Personal Data and Our Lawful Basis for Doing So

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances and on the following lawful bases:

Activity/Purpose	Type of Data Used	Lawful Basis for Processing (UK GDPR)
Managing your existing loan agreement and servicing your account (via ACI-UK)	Identity, Contact, Financial, Loan Application, Transactional, Communications	Performance of a contract: Necessary to fulfil our contractual obligations to you under your loan agreement.
Communicating with you about your account (e.g., statements, payment issues)	Identity, Contact, Transactional, Communications	Performance of a contract. Legitimate Interests: To effectively manage your account and keep you informed.
Undertaking creditworthiness and affordability assessments (historical)	Identity, Contact, Financial, Loan Application	Performance of a contract (steps to enter). Legitimate Interests: To assess eligibility against lending criteria. Legal Obligation:To comply with responsible lending obligations.
Conducting credit checks with CRAs (historical and ongoing for account management)	Identity, Contact, Financial	Performance of a contract. Legitimate Interests: To assess credit risk and manage your account. Legal Obligation:In some cases (e.g., for responsible lending).
Preventing and detecting fraud, money laundering, and other financial crime	Identity, Contact, Financial, Transactional, Technical	Legal Obligation: To comply with anti-money laundering regulations and other legal requirements. Legitimate Interests:To protect our business and customers from fraud.
Debt recovery and arrears management	Identity, Contact, Financial, Transactional, Communications	Legitimate Interests: To recover outstanding debts owed to us. Performance of a contract.
Complying with legal and regulatory obligations (e.g., reporting to FCA, ICO)	Identity, Contact, Financial, Transactional	Legal Obligation: To meet our regulatory and legal requirements.
Maintaining records for legal, regulatory, and administrative purposes	All categories listed in Section 4	Legal Obligation: To comply with record-keeping requirements (e.g., under FCA rules, Companies Act). Legitimate Interests: For internal administration, defending legal claims, and responding to complaints.
Handling enquiries, complaints, and disputes	Identity, Contact, Communications, relevant Financial/Transactional data	Legitimate Interests: To resolve issues effectively and improve our services. Legal Obligation: In some cases, to comply with regulatory complaint handling rules.
Assessing and managing vulnerability (where applicable)	Identity, Contact, Special Category (Health) data if provided	Vital Interests: To protect you if you are at risk. Explicit Consent: Where you provided health data for this purpose. Substantial Public Interest: In certain circumstances, as permitted by law.
Internal analysis and reporting (anonymised/aggregated where possible)	Financial, Transactional, Technical (historical)	Legitimate Interests: To understand our historic business performance and manage our closed loan book effectively.
Keeping you updated on products/services (historical marketing, now ceased)	Identity, Contact	Legitimate Interests (with opt-out): Previously, to inform you about products. This activity has now ceased. You can still manage any historic preferences (see Section 10). Consent (where obtained): If we relied on consent for specific marketing.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

7. Who We Share Your Personal Data With

We may share your personal data with the following categories of third parties:

ACI-UK Limited: Our appointed agent for managing and servicing all existing Lifestyle Loans accounts. They process your data on our behalf and under our instruction to perform these services. Credit Reference Agencies (CRAs): (e.g., Experian, TransUnion, Equifax) To check your credit history (historically for applications, and potentially for ongoing account management, subject to the terms of your agreement). For more information on how CRAs use your data, you can access their Credit Reference Agency Information Notices (CRAIN): TransUnion Equifax Experian Fraud Prevention Agencies (FPAs): To prevent fraud and money laundering. If we suspect fraud, we may pass your information to FPAs, and if fraud is confirmed, this could affect your ability to obtain services or finance in the future. Our Service Providers: Companies that provide services to us, such as IT and system administration services, data hosting, secure data disposal, and communication platforms. These providers are contractually bound to protect your data. Payment Processors: To process payments related to your loan. Debt Collection Agencies: If your account is in arrears and we need to engage third parties to recover outstanding sums. Professional Advisers: Including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services. Regulators and Other Authorities: Such as the FCA, ICO, Financial Ombudsman Service, and other authorities who require reporting of processing activities in certain circumstances or to whom we are obliged to disclose personal data. Law Enforcement Agencies: Where required by law or for the prevention or detection of crime. Potential Buyers of Our Business: If we (or substantially all of our assets) are acquired by a third party, personal data held by us about our customers will be one of the transferred assets. We will take steps to ensure your privacy rights continue to be protected.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers (acting as processors) to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

8. International Data Transfers

Your personal data is primarily processed within the United Kingdom (UK) and the European Economic Area (EEA).

If we or our service providers transfer your personal data outside the UK/EEA, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

The country to which the data is transferred has been deemed to provide an adequate level of protection for personal data by the UK government (an "adequacy regulation"). We use specific contracts approved by the UK Information Commissioner's Office which give personal data the same protection it has in the UK, such as the International Data Transfer Agreement (IDTA) or the Addendum to the EU Standard Contractual Clauses. For transfers to the USA, we may rely on the UK Extension to the EU-US Data Privacy Framework, where the recipient is certified under it.

Please contact our DPO if you want further information on the specific mechanism used by us when transferring your personal data out of the UK/EEA.

9. Data Security

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. These measures include:

Data encryption Network security measures (e.g., firewalls) Access controls to IT systems Physical security for premises and equipment Staff training on data protection

In addition, we limit access to your personal data to those employees, agents, contractors (including ACI-UK), and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10. How Long We Keep Your Personal Data

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Generally, for customers with whom we had a loan agreement, personal data will be retained for a minimum period of six years following the date your account is closed (i.e., the loan is fully repaid or settled). This retention period is based on regulatory requirements (e.g., FCA rules on record-keeping, anti-money laundering regulations) and statutory limitation periods for legal claims.

For individuals who applied for a loan but did not proceed, or whose applications were declined, we will retain your data for 12 months from the date of your enquiry or our decision, unless a longer period is required for specific legal or regulatory reasons (e.g., fraud prevention).

Once the retention period expires, your personal data will be securely destroyed or anonymised (so that it can no longer be associated with you) for research or statistical purposes.

If you would like more detailed information about our retention policies for different aspects of your personal data, please contact our DPO.

11. Your Data Protection Rights

Under UK data protection law, you have several rights regarding your personal data. These include:

Right to be Informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your information and your rights. This is why we are providing you with this Privacy Policy. Right of Access: You have the right to obtain a copy of your personal data, as well as other supplementary information. This is so you are aware and can check that we are using your information in accordance with data protection law. This is commonly known as a "Data Subject Access Request" (DSAR). Right to Rectification: You have the right to have your personal data corrected if it is inaccurate or incomplete. Right to Erasure (Right to be Forgotten): This enables you to request the deletion or removal of your personal data where there is no compelling reason for us to keep using it. This is not an absolute right and only applies in certain circumstances (e.g., where the data is no longer necessary for the purpose for which it was originally collected, or you have withdrawn consent where consent was the lawful basis). Right to Restrict Processing: You have the right to 'block' or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your personal data, but may not use it further. Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies to information you have provided to us, where processing is based on your consent or for the performance of a contract, and when processing is carried out by automated means. Right to Object to Processing: You have the right to object to certain types of processing, including processing based on our legitimate interests and processing for direct marketing (even if we are no longer actively marketing). Rights Relating to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. Right to Withdraw Consent: If you have given your consent to anything we do with your personal data (i.e., we are relying on consent as a legal basis for processing), you have the right to withdraw your consent at any time. Withdrawing consent will not, however, make unlawful our use of your information while consent had been given.

To exercise any of these rights, please contact our DPO using the details provided in Section 3 or Section 14. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

There is usually no fee to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

If your data has been passed to ACI-UK for account management, and your request relates to processing carried out by them on our behalf, we will liaise with ACI-UK to address your request. You may also contact ACI-UK directly, but as the data controller, we remain ultimately responsible.

12. Automated Decision Making and Profiling

We do not currently use automated decision-making systems that produce legal effects or similarly significantly affect individuals in the ongoing management of existing loan accounts.

Historically, for loan applications (an activity which has now ceased), we used automated decision systems to assess eligibility against lending criteria. Applicants had the right to request a manual assessment.

13. Cookies and Similar Technologies

Our website uses cookies and similar technologies. Cookies are small text files placed on your computer or mobile device by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

How we use cookies:

We use cookies for the following purposes:

Strictly Necessary Cookies: These are essential for you to browse the website and use its features, such as accessing secure areas of the site. Without these cookies, services you have asked for cannot be provided. Performance/Analytical Cookies: These cookies collect information about how visitors use our website, for instance, which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how our website works. Functionality Cookies: Functionality Cookies: These cookies allow the website to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features. For instance, these cookies can be used to remember changes you have made to text size, fonts, and other parts of web pages that you can customise.

Your choices regarding cookies:

When you first visit our website, you will be presented with a cookie banner which provides you with information about the cookies we use and gives you the option to accept or manage your cookie preferences for non-essential cookies.

You can also manage cookie preferences through your browser settings. Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.

Find out how to manage cookies on popular browsers:

Google Chrome Microsoft Edge Mozilla Firefox Microsoft Internet Explorer Opera Apple Safari

To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.

14. How to Contact Us

If you have any questions about this Privacy Policy, how we handle your personal data, or wish to exercise any of your rights, please contact our Data Protection Officer:

By Email: info@lifestyleloans.co.uk By Post: Data Protection Officer, Lifestyle Loans Ltd, Unit G5, Frome Business Park, Manor Road, Frome, BA11 4FN By Telephone 0330 0889 764

15. How to Complain to the Information Commissioner's Office (ICO)

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

ICO Contact Details:

Helpline: 0303 123 1113 Website: https://www.ico.org.uk/make-a-complaint/

16. Changes to This Privacy Policy

We keep our privacy policy under regular review. This version was last updated on 30 May 2025. Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate (e.g., for significant changes), notified to you by email or through a notice on our website. We encourage you to review this policy periodically to stay informed about how we are protecting your information.