Data Retention Policy

Policy details

This policy explains how Bluecroft Finance Limited (BF) retains the personal data of its customers who, for example, apply for a loan and are stored on our core databases.
In summary, BF receives personal data from its customers when they apply for a loan. The personal data includes (but is not limited too): Name, current address, date of birth, email address, telephone numbers (home, mobile, work), employment status, bank account and sort code, IP address and device type together with a variety of other categories of personal data relating to the customer’s loan application. We refer to the above as Customer Data in this policy.

When a customer completes our application form their data is transferred to our internal systems. There a search may be conducted at Experian and further personal data is received from the Credit Ratings Agency (CRA) relating to the Customer. We refer to this pre-application personal data as CRA Data in this policy.
The Customer Data and CRA Data is fundamental to the business of BF. Further, it is essential for complying with our legal and regulatory obligations that this information is processed lawfully, is kept secure and we have policies and procedures in place to ensure compliance with the same.
There are legal and regulatory requirements for us to retain the data, usually for a specified amount of time (for example, we need to retain Customer Data for 6 years from the end of the relationship with the Customer as we explain in the schedule attached). We also retain data to help our business operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business.
This Data Retention Policy explains our requirements to retain data and to dispose of data. Failure to comply with this policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our business.
We may share your data, to manage the relationship with funders or anyone applying to become a funder and to maintain appropriate records relevant to that relationship.
This policy has been agreed between the Chief Executive Officer and Compliance Officer.

Scope Of Policy

This policy covers the retention of Customer Data and CRA Data.

In this policy we refer to the Customer Data and CRA Data collectively as “Data”.

Guiding Principles

Through this policy, and our data retention practices, we aim to meet the following commitments:

We comply with legal and regulatory requirements to retain Data.
We comply with our data protection obligations, in particular to keep Personal Data no longer than is necessary for the purposes for which it is processed (known as the storage limitation principle).
We handle, store and dispose of Data responsibly and securely.
We create and retain Data where we need this to operate our business effectively, but we do not create or retain Data without good business reason.
We allocate appropriate resources, roles and responsibilities to data retention.
We regularly remind employees of their data retention responsibilities.
We regularly monitor and audit compliance with this policy and update this policy when required.

Roles And Responsibilities

The Chief Executive Officer and Compliance Officer are responsible for:

Identifying the Data that we must or should retain, and determining, in collaboration with our Legal Counsel the proper period of retention.
Arranging for the proper storage and retrieval of data, co-ordinating with outside third parties where appropriate. Additionally, ensuring the destruction of Data whose retention period has expired.
Advising on and monitoring our compliance with data protection laws which regulate Personal Data.

Record Retention Schedule

Type of Data

Retention Period

Reason / Comments

Customer Data stored on the Core Platform

6 years from the end of the relationship with the customer. This will be, for example, 6 years from the date the Customer made the application for a loan if that was the last contact with or service to the customer.

Following the expiry of the 6 years, the Customer Data shall be permanently deleted from the Core Platform.

Section 5 of Limitation Act 1980 states:

“An action founded on simple contract shall not be brought after the expiration of six years from the date on which the cause of action accrued”.

In circumstances where we have entered into a contract with the customer, we need to retain the Customer Data up to 6 years to cover the potential for future claims (no matter how small the likelihood of such claims arising).

BF pays and receives payment from its partners and lender panel based on the volume of introductions it receives or makes. Customer Data may therefore be required to make or defend any claims under our contracts with our partners and lender panel (no matter how small the likelihood of such claims arising).

CRA Data

The CRA Data provided by Experian will not be retained for more than 90 days from receipt.

The BF contract with Experian agrees that they comply with the Principles of Reciprocity (PoR) established by the Steering Committee on Reciprocity (SCOR).

Paragraph 5.12.2 of PoR states:

“CRA Data may only be retained by the Black Box Provider for…

Validation and audit trail purposes for a maximum of 90 days

Supporting the processing of multiple pre-applications requests from the consumer for a maximum of 90 days”.

Complaints Data

Three years

All records of complaints received and outcomes should be stored for 3 years to ensure that information and responses are not duplicated and that training can take place and root cause analysis can be performed.