The policy was last updated May 2018.
- Telephone: 01603 896878
- Email: email@example.com
- Commercial Trust is a company registered in England and Wales, company number 08633445
- Registered office: Norfolk Tower, 48-52 Surrey Street, Norwich NR1 3PA
- VAT number GB765353512
- Authorised and regulated by the Financial Conduct Authority (FCA) Reference no. 610175
- Registered with the Information Commissioner’s Office. Reference No. ZA041124
You can contact our data protection officer by telephone, email or post at:
Data Protection Officer, Commercial Trust, Norfolk Tower, 48-52 Surrey Street, Norwich NR1 3PA
Telephone: 01603 896 878
There are a number of ways contact between us may arise, these are described below.
You may choose to contact our company, having visited our website, in a number of ways.
Some of the ways data passes from you to us is handled using technology our company has built and controls, such as our website forms.
Other ways data passes from you to us may use technology we pay a third party to provide, such as our Live Chat interface.
These methods of contact are described below.
1. Enquiry form
By submitting an enquiry form you are agreeing to us contacting you via telephone, email, SMS and letter about your enquiry.
Changed your mind about hearing from us? See “Stopping attempts at contact” below.
Lender deals and landlord news
Before submitting an enquiry form, you will be asked whether you would like to be kept informed of lender deals and landlord news, with the option to receive this information via email, SMS, telephone or letter.
If you do not give your consent, you will not be sent this information.
If you do give your consent, you are giving us permission to send you this information via the channel(s) you have stipulated.
You can adjust your contact preferences or opt-out at any time by visiting our Contact Options form.
These consents do not affect any interactions you may have with our advisor team relating to the conduct of our service (see “Interactions regarding our service” below).
2. Call-back form
By submitting your details via our call-back form, which you may see on a number of pages on our website and is specifically identified as such, you are agreeing to our advisor team calling you on the number you have submitted to discuss our service with you (see “Interactions regarding our service” below).
Changed your mind about hearing from us? See “Stopping attempts at contact” below.
3. Email newsletter sign-up form
By submitting your details via our newsletter sign up form, which you may see on a number of pages on our website and is specifically identified as such, you are agreeing to our sending information about our industry to you via email.
Changed your mind about hearing from us? You can adjust your preferences or opt-out at any time by visiting our Contact Options form.
4. Email communications
We use a third party platform to facilitate the sending of some of our emails. The software is provided by a company called PurePromoter Limited, trading as Pure360, who operate as a Data Processor for Commercial Trust Limited. When you work with us, or subscribe to receive information from us, the following details are held on the Pure360 platform to enable us to send you process emails and informational emails (if you have opted to receive informational emails):
a) Your email address
b) Your first and last name
c) Your telephone number
d) Your marketing preferences
These details reside on Pure360 servers. Your data will not be transferred outside the European Economic Area unless; the receiving country has adequate protection in place; appropriate safeguards have been imposed and you have enforceable rights and effective legal remedies; or, you have given prior written consent, having been made aware of possible risks. Replies to emails sent to you come directly to Commercial Trust Limited only.
Wherever and however your data is processed, Pure360 adheres to processes and measures necessary to adequately protect your data.
For information on the Licence Agreement between PurePromoter Limited, trading as Pure360 and Commercial Trust Limited, which outlines their data protection obligations , visit these pages of their website: https://www.pure360.com/licence-agreement/
Copies of email correspondence between you and your advisor (if applicable) are saved on our internal systems. This is so that we have a full picture of our work with you, this data is subject to our standard data retention periods (see “Your data – retention periods / how we keep your data”).
5. SMS communications
We use a third party platform to facilitate the sending of our SMS. The software is provided by a company called FastSMS Limited who operate as a Data Processor for Commercial Trust Limited.
When SMS communications are sent by us to you, or by you to us, they are handled by the FastSMS Limited platform, this means that some or all of the following information resides on the FastSMS Limited servers:
a) Your mobile phone number
b) Your first name
c) The message content
These details reside on FastSMS Limited servers. Your data will not be transferred outside the European Economic Area.
Wherever and however your data is processed, FastSMS Limited adheres to processes and measures necessary to adequately protect your data. Your data is subject to the FastSMS Limited retention period of 6 months; after which it is deleted from their platform.
For information on the security measure put in place by FastSMS Limited, visit these pages of their website: https://fastsms.co.uk/features/data-centres.html
Copies of SMS correspondence between you and your advisor (if applicable) are saved on our internal systems. This is so that we have a full picture of our work with you, this data is subject to our standard data retention periods (see “Your data – retention periods / how we keep your data”).
6. Live Chat
We use a third party platform to deliver our Live Chat service to handle customer enquiries in real time. The software is provided by a company called Zopim, the Live Chat product is called Zendesk Chat.
When you interact with the Live Chat interface, the following details are recorded by Zendesk Chat:
- Username (which may or may not be your actual name)
- IP address (An IP address is a number sequence that identifies a device (not a user) that is connected to the internet. Some IP addresses are the same each time they connect to the internet, “Static IP” and some change each time “Dynamic IP”.)
- Any data added to the Chat window
- Operating System and version of Chat end user
- Internet Browser and version of the Chat end user
- Date and time of events as perceived by the app
- Any data in attachments.
If you use the Live Chat service and you request to speak to a member of our advisor team we may ask you for your name, telephone number and email address in order to arrange contact with our advisor team. This is optional.
The details of your Live Chat conversation reside on Zopim servers. Zopim operates in a number of countries worldwide, for this reason your personal data may be processed outside the European Economic Area (EEA). Furthermore, Zopim may use “sub-processors” (third parties) to help them in the conduct of providing their service.
Wherever and however your data is processed, Zopim adheres to processes and measures necessary to adequately protect your data.
For information on how Zopim secures the data that exists on the Zendesk Live Chat platform, visit these pages of their website: https://www.zendesk.co.uk/product/zendesk-security/
Your Live Chat conversation will also be passed to the advisor team so that they understand the nature of your enquiry.
Advisors usually save chat interactions with your client records on our internal systems. This is so that we have a full picture of our work with you, this data is subject to our standard data retention periods (see “Your data – retention periods / how we keep your data”).
All of our calls are recorded and may be monitored to resolve queries or complaints, improve our service quality and to detect or prevent fraud or other crimes. Telephone calls may also be monitored for staff training purposes.
SMS, Email, Letter or other correspondence
If you make your first enquiry with us via SMS, Email, Letter or any other means, we will attempt to call you to resolve your request.
This is because we have to have first-hand contact with you to conduct our service compliantly and we have to verify your identity.
Where you are engaged in ongoing dialogue with our staff, regarding a case we are handling for you, we keep copies of SMS, Emails and Letters between us, in order to efficiently and accurately conduct our service on your behalf.
Interactions regarding our service
If you have made an enquiry to our company regarding our broker service, we will attempt to contact you up to three times a day for seven days, to ensure we have made every effort to respond to your request for information.
Our team may use telephone, email, SMS or letter to contact you regarding our service.
Gathering information from you, beyond initial enquiry
What information do we collect from you?
During the enquiry/application process we will collect personal and financial information (including but not limited to):
- Name, address and postcode
- Employment type and income
- Contact information including telephone numbers and email addresses
- Date of Birth
- Address (residential history)
- Property details
- Credit history
- Details of existing credit commitments (including car finance and hire purchase)
We do not request or process ‘sensitive’ information (such as medical records) during the application process. If sensitive information is provided to us, we will ask for your explicit consent prior to recording it.
Legal basis for processing personal data
When we process your personal data, including performing credit searches with one or more lenders, we do so because this is required to progress your mortgage enquiry and potential mortgage application. Such processing is a requirement of the service you have requested.
How we use the information we collect from you
The information gathered is used to:
- Process your application
- Assess your needs and make an appropriate recommendation
- To keep your broker (if any) informed about the progress of your loan application
- Keep you updated on the progress of your application
- Electronically verify your identity
- Administer your application
- Record and respond to complaints
- Improve our services
- Statistical analysis, research and behavioural analysis.
Consequences of processing – credit decision
As your mortgage broker, we will discuss your personal circumstances with mortgage lender/s, in order to determine the most appropriate product for your needs. In order to make a recommendation we will complete a credit search with one or more lenders. These searches may be seen by other organisations searching in the future. Details of the search will be recorded whether you proceed with the application or not.
Legal basis for processing personal data – Anti fraud
When Commercial Trust process your personal data, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with the laws that apply to us. Such processing is also a contractual requirement of the services you have requested.
We may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
Fraud prevention agencies can hold your personal data, and if you are considered to pose a fraud or money laundering risk, they could hold your data for up to six years.
Consequences of processing – Anti Fraud
If fraud or money laundering is identified, details will be passed to fraud prevention agencies to prevent fraud or money laundering. If we or a fraud prevention agency determine that you pose a fraud or money laundering risk, we may refuse to provide the services you have requested, or to employ you or we may stop providing existing services to you.
A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services or employment to you. If you have any questions about this, please contact us on the details above.
How we check your identity
We will search credit reference agency files who, will provide details and information from the Electoral Register to verify your identity. The agency keeps a record of the search, whether or not your application proceeds with us. Our search is not seen or used by lenders to assess your ability to obtain credit in the future.
We may also request physical forms of identification to enable us to proceed with your application.
Information sharing with brokers and others who introduce business to us (if applicable)
If you have been introduced to Commercial Trust by a broker (intermediary) or someone else, we may tell that person about our contact with you, the progress of any mortgage application that you may make with our help, and whether or not any such application is successful. We may also tell them about relevant dates, the type of loan we have helped you with and the loan amount.
This will be for the purposes of establishing whether any payment may be, or become, due to that person (or someone associated with them), the amount and timing of any such payment, for assessing their effectiveness in identifying suitable clients for us, for monitoring our relationship with that person and shaping their future conduct in identifying and referring to us possible new clients). We will not pass on to them details about the nature of any help we may have given to you.
Our commitment to you about your personal information
We will treat all your information as private and confidential (even when you are no longer a client).
We will not give your data to anyone else unless we have your express consent, except where we are required to do so by a court or regulator, or where disclosure is made at your request or with your consent in relation to arranging your mortgage.
Your personal data is protected by legal rights, which include your rights to:
- Object to our processing of your personal data
- Request that your personal data is erased or corrected
- Request access to your personal data.
Stopping attempts at contact
If you change your mind and are no longer interested in our service, you can:
- Tell our representative when they contact you
Or contact our Data Protection Officer using your choice of the following options:
Data Protection Officer
- Call 01603 896 878
- Email firstname.lastname@example.org stipulating your first and last name and the telephone number you supplied so that we can identify you and update our records
- Write to: Data Protection Officer, Commercial Trust, St Crispin’s House, Duke Street, Norwich, NR3 1PD
Your right to erasure
In certain circumstances you have the right to have personal information erased. Any request for erasure will be dealt with in conjunction with our retention period table (below).
Accuracy of the data we hold about you
If you have reason to believe that the data we hold about you is inaccurate, please write to the Data Protection Officer at the address provided, detailing the error. We will promptly any information confirmed to be incorrect.
If you have provided your consent, we will keep you informed of the latest products and industry news.
Future marketing contact may be made by letter, telephone email or SMS.
If you prefer not to be contacted by us, please e-mail your name, address and postcode to:
email@example.com or write to the Data Protection Officer informing us which communication channels you wish to restrict (i.e. telephone, text, e-mail).
If you wish to unsubscribe from all channels, please confirm that you wish to cease all future marketing.
Your right to access information that we hold about you (Subject Access Request)
Under General Data Protection Regulation, you have the right to have access to certain information we hold about you. Any request should be made to our Data Protection Officer.
There is no charge for submitting a Subject Access Request.
Upon receipt of a Subject Access Request Commercial Trust Ltd has one month to respond.
More information about Google Analytics is available on the pages of their website: https://www.google.com/analytics/analytics/
Google Analytics cookies do not gather personally identifiable information about you.
Stackpath is the Content Distribution Network we use to help our website load more quickly within the internet browser of anyone visiting it.
Stackpath hosts cached versions of our website on various servers within its network, and the shortest route to those cached versions is used to load the website.
More information about Stackpath is available on the pages of their website: https://www.stackpath.com/
Stackpath cookies do not gather personally identifiable information about you, they only gather browser validation information.
Web server logs
Most website providers record what happens when their websites are accessed. This is done automatically and the result is saved and retained in what is known as a web server log.
This is a practice that is followed too for our website and, as a result, your IP address is amongst the data recorded and held in the web server logs for our website. The IP address recorded is specific to the device you are using to access our website.
Other information, such as the pages visited, the date and time of the visit and the technical specification of your device is also captured with, and is attributable to, the IP address of your device. This is recorded and held in the web server logs. Personal data that you type in is not captured in the web server log.
Our website is managed and maintained for us by a sister company, Norfolk Capital Management Services Limited, which produces and holds the web server logs for us.
We have a legitimate interest in producing and retaining web server logs. Web server logs are used by us to troubleshoot problems with our website, to help us determine which devices people are most commonly using to access our website, and to make improvements to the website as a result. We may also use the web server logs to identify and investigate suspicious activity and malicious attacks on the website.
We may provide information in our web server logs to people we have asked to help us maintain and develop our websites and to assist us in making our websites available to internet users.
We may also provide information in our web server logs to the police and other law enforcement agencies if we suspect criminal activity and, if they approach us, to assist them in the prevention, detection and investigation of criminal activity.
Our web server logs are deleted after a year. This mirrors the period for which internet service providers (ISPs) are legally required to retain their own logs.
For more information about web server logs, visit online encyclopedia Wikipedia.
Google reCAPTCHA is a piece of security software provided by Google Inc. (Google). You will encounter it, if you submit a form on our website. The software is designed to identify that interactions with our forms are by a human and not an automated machine. This is done by asking you to complete a task or tasks, prior to being able to submit a form.
If you are not logged into a Google Account:
“The information we [Google] collect includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request.”
Of this data, IP address is the only personally identifiable data recorded.
If a website visitor is logged into a Google Account:
Google also collects “information that we store with your Google Account, which we treat as personal information”.
For more information regarding reCAPTCHA, visit: https://www.google.com/recaptcha/
Third party licences for code
To build parts of the functionality on the Commercial Trust website, our development team have used a variety of code libraries. The details of the authors and the copyright associated with these libraries, can be found here.
Security of your data
Commercial Trust is committed to ensuring that your personal information is held securely. We have put in place various controls and procedures to protect and keep secure the information we collect online, on a recorded call or hold separately.
If you contact Commercial Trust you will be asked a number of security questions before we will discuss your application.
|Data type /information held||Retention period||Basis for retention|
If you provide us with your details but do not progress as far as a credit search.
Mortgage application details including personal information (name, address, postcode)/documents submitted by you/correspondence/recorded telephone calls/IP address
12 months from the last contact with you*
Legitimate interest/regulatory requirement
If you provide us with your details and we conduct a credit search and you decide not to progress with the application or the lender is unable to provide you with a suitable finance.
Application details including personal information (name, address, postcode)/documents submitted by you/correspondence/recorded telephone calls/IP address/credit history /bank accounts details /quotes.
12 months from the last contact with you*
*Unless we have an overriding obligation to retain your details longer.
Legitimate interest/regulatory requirement
If you provide us with your details and we conduct a credit search and you obtain finance.
Application details including personal information (name, address, postcode)/quote documents/documents submitted by you/correspondence/recorded telephone calls/IP address/credit history/bank account details.
Proof of identification and proof of address will be held for 5 years from the end of the recommended finance term.*
Name, address, postcode, credit history, mortgage documents will be held for 6 years from the end of the recommended finance term*
*unless we have an overriding obligation to retain your details for longer
Legitimate interest/regulatory requirement
Mortgage application and complaints information including personal information/application documents/correspondence/telephone call recording/date of complaint/redress paid/market consent and preferences
|6 years from the date our recommended mortgage expired||
Consent to receive marketing from Commercial Trust
Your preferences , as recorded through communications through you
|Retained until you ask to be deleted from marketing preferences||Consent|
To register a complaint with Commercial Trust Limited, please visit our complaint page.
If you are not satisfied with our response or believe, we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).
To register a complaint with the ICO, please visit https://ico.org.uk/make-a-complaint/for additional information.