Privacy Notice

Please read this Privacy Policy carefully as it contains important information on who we are and how and why we collect, store, use and share your Personal Information. It also explains your rights in relation to your Personal Information and how to contact us or supervisory authorities in the event you have a complaint.

We take your privacy very seriously. The effective management of all Personal Information, including its security and confidentiality, lies at the very heart of our business and underpins our practices and processes.

We collect, use and are responsible for certain Personal Information about you. When we do so we are subject to data protection laws applicable in the United Kingdom.

1. CONTROLLER

We are This Bank Limited, a company registered in England and Wales (under number 11734380) whose registered office is at City Bridge House, 57 Southwark Street, London United Kingdom SE1 1RU.

This Bank Limited is the controller and responsible for your Personal Information (collectively referred to as, “we”, “us” or “our” in this privacy policy).

We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the Data Protection Officer using the information set out in the How To Contact Us section below.

2. PERSONAL INFORMATION WE COLLECT ABOUT YOU

We may collect and use the following Personal Information about you:

your name, address, date of birth, and contact information, including email address, telephone number and information in respect of your social media profiles;
details about your transactions with us including accounts you use;
your contact with us, such as a note or recording of a call you make to one of our contact centres, an email or letter sent, or other records of any contact with us;
your account information, such as dates of payments owed or received, account numbers or other information related to your account;
Information relating to your financial circumstances including personal wealth, assets and liabilities, proof of income and expenditure, credit and borrowing history;
your employment details and information taken from identification documents like your passport or driving licence when we review your application for any of our products and/or services;
information about your activity on our portal, online profile, and social media information, location coordinates;
online and mobile banking security authentication, mobile banking and security authentication, mobile phone network information, searches;
information about your preferences, interests and how you interact with our website and services;
your preferences for receiving marketing communications from us and your communication preferences.

3. SENSITIVE PERSONAL INFORMATION

Certain Personal Information we collect is treated as a special category to which additional protections apply under data protection law:

your biometric data in relation to authenticating your identity when using our products and/or services;
your health data where you voluntarily disclose physical or phycological health details or medical conditions to assist you with your disability; and
information about criminal convictions or offences and alleged offences for specific and limited activities and purposes, such as to perform checks to prevent and detect crime.

4. HOW YOUR PERSONAL INFORMATION IS COLLECTED

We collect most of this Personal Information directly from you, by telephone, letter or email and/or via our website. However, we may also collect information:

when you register and/or attend any of our events, webinars, or the conferences we host;
from publicly accessible sources, g. Companies House or social media websites;
directly from a third party, g.:
- sanctions screening providers;
- credit reference agencies;
- customer due diligence providers;
from a third party with your consent, g. another bank or building society; and
via our closed circuit television (CCTV) in and around our offices.

5. LAWFUL BASIS FOR PROCESSING

The law requires us to have a legal basis for collecting and using your Personal Information. We rely on one or more of the following legal bases:

Performance of a contract with you: Where necessary to fulfil a contract with you which covers the performance of the products and/or services we provide to you;
Legitimate interests: We may use your Personal Information where it is necessary to conduct our business and pursue our legitimate interests; and
Legal obligation: We may use your Personal Information where it is necessary for compliance with a legal obligation that we are subject We will identify the relevant legal obligation when we rely on this legal basis.

Generally, we do not rely on consent as a legal basis for processing your Personal Information, other than in relation to sending marketing communications to you (for example, emails or text messages). You have the right to withdraw consent to marketing at any time by contacting us (see ‘How to contact us’ below).

6. HOW WE USE YOUR PERSONAL INFORMATION

Purpose/Use	Lawful basis for processing including basis of legitimate interest	Possible third party disclosures
Creating an account with us
(a) Establishing a client relationship and creating your account (b) To evaluate, process and complete your requests and/or applications for our products and services (c) For security and verification of your identity (d) Performing credit or money laundering checks or other checks required by law (see further detail below) Note: we may use automated decision making when carrying out (c) and (d)	(a) Performance of a contract with you (b) Complying with a legal obligation (c) Necessary for our legitimate interests (to confirm you are within our risk profile) (d) Substantial public interest (prevention of crime) Note: Special category data is processed only where we have consent	(a) Fraud prevent agencies (b) Anti-fraud databases, sanctions lists, court judgments and other databases (c) Credit reference agencies (d) Our insurers, brokers and other professional advisers.
Throughout our contract with you
(a) General servicing of your account, including communication with you and sending you updates (b) To update our records (c) Complying with our regulatory and legal obligations (d) Investigating fraud and preventing financial crime Note: we may use automated decision making when carrying out (c) and (d)	(a) (Performance of a contract with you (b) Complying with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to assist with the detection and prevention of fraud) (d) Substantial public interest (prevention of crime) Note: Special category data is processed only where we have consent	(a) Fraud prevention agencies (b) Courts and lawyers (c) Credit reference agencies (d) Legal enforcement agencies (e) Our insurers, brokers and other professional advisers
Relationship management
To collect and recover money owed to us	(a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us)	(a) Courts and lawyers (b) Legal enforcement agencies
Notifying you about changes to our terms or privacy policy	(a) Performance of a contract with you (b) Necessary to comply with a legal obligation
Managing your use of the products and/or services, responding to enquiries and comments and providing customer service and support.	(a) Performance of a contract with you (b) Necessary for our legitimate interests (to keep our records updated and manage our relationship with you) Note: Special category data is processed only where we have consent	(a) Credit reference agencies
Asking you to leave a review or take a survey	(a) Necessary for our legitimate interests	(a) TrustPilot
When things go wrong
To manage complaints made by you	(a) Performance of a contract with you (b) Necessary to comply with a legal obligation
To provide assistance when things go wrong e.g. if a payment was taken without your permission	(a) Performance of a contract with you (b) Necessary to comply with a legal obligation	(a) Regulators (b) Courts and lawyers (c) Legal enforcement agencies (d) Our insurers, brokers and other professional advisers (e) Other banks (f) Fraud prevention agencies
Business and website activities
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation	(a) IT service providers
To send you relevant marketing communications and make personalised suggestions and recommendations to you about goods or services that may be of interest to you	(a) Consent, having obtained your prior consent to receiving direct marketing communications

7. WHO WE SHARE YOUR PERSONAL INFORMATION WITH

We may share Personal Information, in the following limited circumstances, with:

TrustPilot to collect your feedback on our services;
companies within the This Bank Limited company group;
third parties we use to help deliver our products and/or services to you;
third parties we use to help us run our business: marketing agencies, debt collection agencies, website hosts, and IT service providers;
other banks and third parties where required by law to help recover funds that have entered your account as a result of a misdirected payment by such a third party;
other banks to help trace funds where you are a victim of suspected financial crime and you have agreed for us to do so, or where we suspect funds have entered your account because of a financial crime;
third parties approved by you;
credit reference agencies to obtain information from your credit application and about your financial situation and financial history and to let the agencies know about your settled accounts (see further detail CREDIT REFERENCE AGENCIES & OPEN BANKING SERVICES);
our insurers, brokers and other professional advisers to manage risk and assist with legal claims where required;
fraud prevention agencies to prevent fraud and money-laundering and to verify your identity.
law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations;
in the event that any additional authorised users are added to your account, we may share information about the use of the account by any authorised user with all other authorised

We only allow our service providers to handle your Personal Information if we are satisfied they take appropriate measures to protect your Personal Information.

The Personal Information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found at www.cifas.org.uk/fpn.

We may also need to share some Personal Information with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised but this may not always be possible. The recipient of the Personal Information will be bound by confidentiality obligations.

8. CREDIT REFERENCE AGENCIES & OPEN BANKING SERVICES

In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (“CRAs”) and will request your consent to obtain financial information through Open Banking providers.

To do this, we will supply your Personal Information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

assess your creditworthiness and whether you can afford to take the product;
verify the accuracy of the data you have provided to us;
prevent criminal activity, fraud and money laundering;
manage your account(s);
trace and recover debts; and
ensure any offers provided to you are appropriate to your

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

When CRAs receive a search from us they will place a footprint on your credit file. If this is an application search then it will be seen by other lenders; otherwise, it won’t.

If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at https://www.transunion.co.uk/crain, and https://www.experian.co.uk/legal/crain/.

We may request additional financial information with your consent through our Open Banking provider, GoCardless. This is used to confirm your account details and to facilitate payments. Visit the GoCardless privacy details for more information https://gocardless.com/privacy.

9. AUTOMATED DECISION MAKING

As set out in the table above, we may make decisions based on automated processing. In particular we use automated processing to carry out identity checks in order to comply with our legal obligations to prevent money laundering and fraud.

As part of this we and other organisations acting to prevent fraud may process your personal information in systems that look for fraud by studying patterns in the data. We may find that an account is being used in ways that fraudsters work or we may notice that an account is being used in a way that is unusual for you. Either of these could indicate a risk that fraud or money-laundering may be carried out against a customer, This Bank Limited, or our insurer(s). We have a legal obligation to undertake this activity. This is a form of automated decision making.

When you apply for a loan, we will need to credit score you and assess you for that loan. We may use an automated decision-making process for that decision.

In all cases where we use automated decision making you have the right for that decision to be explained to you, to make representations to us in respect of those decisions, to request that a person review or be involved in the decision making.

If you are unhappy with any decisions made about you using automated decision making, you have the right to ask for the decision to be reviewed.

10. INFORMATION PERTAINING TO CHILDREN

We do not knowingly collect or solicit Personal Information from anyone under the age of 18.

If you are under 18, please do not attempt to register for our services or send any Personal Information about yourself to us. If we learn that we have collected Personal Information from a child under age 18, we will delete that data as soon as possible.

11. HOW LONG YOUR PERSONAL INFORMATION WILL BE KEPT

We will only retain your Personal Information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements.

To determine the appropriate retention period for your Personal Information, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorised use or disclosure of your Personal Information, the purposes for which we process your Personal Information and whether we can achieve those purposes through other means, and the applicable legal and regulatory requirements.

When it is no longer necessary to retain your Personal Information, we will delete or anonymise it 6 years from the closure of the account.

12. TRANSFERRING YOUR PERSONAL INFORMATION OUT OF THE EEA

We may transfer Personal Information that we collect from you to our third-party data processors, vendors or hosting partners acting on our behalf located in countries outside of the UK or to other entities in our group of companies in connection with the purposes set out above.

Whenever we transfer your personal information outside the UK, we ensure a similar degree of protection is afforded to it by ensuring that the following safeguards are in place:

We will only transfer your Personal Information to countries that have been deemed by the UK to provide an adequate level of protection for Personal Information; or
We may use specific standard contractual terms approved for use in the UK which give the transferred Personal Information the same protection as it has in the UK.

If you would like further information, please contact our Data Protection Officer (see ‘How to contact us’ below).

13. OUR WEBSITE MAY CONTAIN LINKS TO OTHER SITES

We may have links to other sites promoting our partners and clients. These links may take you to other companies who have their own privacy notice and our privacy notice will not cover their use of data. They may collect additional information so we encourage you to look at their own privacy notices.

14. COOKIES

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our website

For further information on cookies, our use of cookies, when we will request your consent before placing them and how to disable them, please see our Cookie Policy.

15. YOUR RIGHTS

You have a number of rights under data protection laws in relation to your personal data.

You have the right to:

Access	The right to be provided with a copy of your Personal Information.
Rectification	The right to require us to correct any mistakes in your Personal Information.
Erasure	The right to require us to delete your Personal Information. Please note that this right of erasure is not available in all circumstances, for example where we need to retain the Personal Information for legal compliance purposes. If this is the case, we will let you know.
Restriction of processing	The right to require us to restrict processing of your Personal Information – in certain circumstances, e.g. if you contest the accuracy of the data.
Data portability	The right to receive the Personal Information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party – in certain situations.
To object	The right to object: – at any time to your Personal Information being processed for marketing (including profiling and analytics); or – in certain other situations to our continued processing of your Personal Information, e.g. processing carried out for the purpose of our legitimate interests. If so, we shall stop processing your personal data unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests.
Not to be subject to automated individual decision-making	The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
Withdraw consent	The right to withdraw your consent to us processing your Personal Information at any time if our processing is based on your consent.

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the guidance from the UK’s Information Commissioner.

If you would like to exercise any of those rights, please:

email, call or write to our Data Protection Officer – see below: ‘How to contact us’;
let us have enough information to identify you (e.g. your full name, address and account number);
let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
let us know what right you want to exercise and the information to which your request

16. NO FEE USUALLY REQUIRED

You will not have to pay a fee to access your Personal Information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

17. KEEPING YOUR PERSONAL INFORMATION SECURE

We have appropriate security measures to prevent Personal Information from being accidentally lost or used or accessed unlawfully. We also have procedures in place to deal with any data breach.

18. HOW TO COMPLAIN

We hope that our Data Protection Officer can resolve any query or concern you may raise about our use of your information. Please reach out to our Data Protection Officer first to request clarification if there is something you do not understand.

You have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk).

However, before doing so please make sure you have first made your complaint to us or asked us for clarification if there is something you do not understand. You can access our complaints form here.

19. CHANGES TO THIS PRIVACY POLICY

This privacy notice was published on 16/12/2019 and last updated on 18/11/2025.

Any changes will be posted on this page. We encourage you to review this notice periodically to stay informed about how we are protecting your Personal Information.

20. HOW TO CONTACT US

Our Data Protection Officer’s contact details

Dianne Augustin

City Bridge House

57 Southwark Street

London

SE1 1RU

dataprotection@thisbank.co.uk