Our Privacy Notice is below, or alternatively, download it here.
In this privacy notice, ‘Masthaven’, ‘we’, ‘us’ and ‘our’ refer to Masthaven Bank Limited and any other group company or associated company.
Our Privacy Notice is provided in a layered format so you can click through to the specific areas set out below:
Data Controller and Data Protection Officer
Personal information we process
Special category data we process
Where we collect personal information from
How we will use your personal information
How we will use your special category information
The basis on which we deal with (“process”) your personal information
Joint applicants & third parties
Power of attorney
Sharing your personal information
Sharing personal information outside of the UK
How long we keep your personal information for
Automated decisions using your personal information
Your rights under data protection laws
Changes to this privacy notice
Masthaven is a data controller of your personal information. “Personal information” means information that is about you or that can be used to identify you. Should you wish to contact us for any matters concerning your personal information, including complaints, you can do this in the following ways:
Write to: Data Protection Officer, Masthaven Bank Limited, 15-18 Rathbone Place, London, W1T 1HU
Email: [email protected]
If you would like to exercise any of your rights under the Data Protection Act please complete this DSAR form to help us process your request as quickly as possible.
Depending on the products or services you apply for and (if your banking, savings or lending application is successful) obtain from us – we collect and process different kinds of personal information, including:
• Your main personal information (e.g. your name, date of birth and contact information and any other identity information)
• Your financial information (e.g. your income, credit rating or history, details of your accounts, transactions, data relating to any fraudulent activity or suspected fraudulent activity)
• Information about your profession or work (e.g. your job role, title)
• Information about your family and other relationships, if relevant to the products or services you apply for (e.g. number of dependants, or if you are applying for a joint account)
• Criminal conviction data
• Tracking information (e.g. IP address and MAC address)
Depending on the products and services you apply for and (if your banking, savings or lending application is successful) obtain from us – we collect and process different kinds of special category data, including:
• Biometric data (e.g. selfies you sent in as part of ID verification process for certain products)
• Information relating to any health conditions you or authorised third-parties disclose to us (more details below – see The basis on which we deal with (“process”) your personal information)
We will generally collect your personal information directly from you. If you are introduced to us by a broker or other intermediary, we will obtain some personal information about you from them.
In addition, we may also obtain personal information about you from the following sources or in the following ways:
• Credit reference agencies
• Fraud prevention agencies
• Government and law enforcement agencies
• Agents working on our behalf
• Public information sources (e.g. HM Land Registry, Companies House)
• Information collected when you are using our website
• Publicly available information (Google, Facebook, social media)
• Where one person opens a joint account, and you are a joint account holder
• To accept or decline an application for our banking, savings or lending services
• To deliver our banking, savings and lending products and services
• To manage our relationship with you
• To comply with our legal and regulatory obligations
• To assess and manage the risks of fraud and financial crime
• To run our business in an efficient and proper manner
• To investigate and respond to complaints from you
• To comply with our regulatory obligations
• To comply with our legal obligations
• Where it is in our or your legitimate interests to do so (as explained further below)
(A) Our legitimate interests
We process your information in accordance with our legitimate interests, these being our business or commercial reasons to use your information, as described further below, balanced with your right to privacy. These include:
• Administering and managing your banking, savings or lending account and services relating to that
• Developing new products and services
• Complying with regulations that apply to us and the services we provide
• Carrying out searches using credit reference agencies
• Maintaining and developing our financial crime risk management practices
• Ensuring we are able to respond to complaints and seek to resolve them
• In order to run, manage and/or reorganise our business, assets and operations. We may also process your special category data in relation to this, however if we do so, we will ensure we process your information in accordance with the appropriate conditions and safeguards as required under applicable data protection law
(B) Our contractual obligations
• Carrying out pre-contractual checks before we enter a contract during the application stage
• Administering and managing your account(s) and services relating to them, including managing payments and receipts
(C) Our legal obligations
• Complying with laws and regulatory requirements that apply to us and the services we provide
• Carrying out identity checks, anti-money laundering checks and checks with fraud prevention agencies
• Dealing with requests from you when you exercise your rights under data protection law
(D) With your consent (which can be withdrawn by you at any time)
• Developing and carrying out marketing activities
• Working out which of our existing or new products and services may be of interest to you
• Identify and support vulnerable customers (health data) - if obtaining your explicit consent is not possible and we believe processing this information is in your interest and aligns with our regulatory/legal regulations, or is necessary for reasons of substantial public interest, or we are otherwise permitted to do so by law, we may process this information without explicit consent
• Carry out ID verification process (biometric data)
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our products or services). In this case, we may have to cancel a product or service you have with us, or we may be unable to offer you that product or service, but we will notify you if this is the case at the time.
If you give us personal data about other people (such as your family or joint account holders), or you ask us to share their personal data with third parties, you confirm that you have their authority to share their personal data.
We will provide this privacy notice to the holder of a valid power of attorney for you when we make contact with him/her directly. That person will be allowed to see the personal information we hold on you.
We will share your personal information within our group and with our advisers, auditors, solicitors, customer communication providers, customer feedback providers and third party information providers in order to be able to provide a proper and efficient service in accordance with our legitimate interests.
In order to process banking, savings and lending applications and transactions, we may share your personal information with one or more credit reference agencies (CRAs) and anti-fraud databases to carry out identity checks, anti-money laundering checks, anti-fraud checks, credit checks and to provide them with your mortgage payment history.
Link to the information notice for the three main CRAs: Credit Reference Agency information notice
When required by law or regulation or to assist in identifying and preventing financial crime, we will provide your personal information to: regulatory bodies; fraud prevention agencies; government and law enforcement agencies.
Where you have given your consent for us to contact you about our products and services we may use a third party provider to issue this information to you on our behalf.
We may also share your personal information if there is a potential or actual change in the future:
• We may choose to sell, transfer, or merge all or parts of our business, or our assets. Or we may seek to acquire other businesses or merge with them. It is within our legitimate interests to share your personal information in order to run, manage and/or reorganise our business, assets and operations (including in anticipation of the same)
• During any such process, we may share your personal information with other parties. We’ll only do this if they agree to protect your personal information in accordance with UK data protection law
• If the changes to Masthaven happen, then other parties may use your personal information in the same way as set out in this notice
We are based in the UK and your personal information is retained within the UK or European Economic Area (EEA). Should data be transferred at any future date outside of the EEA we will take appropriate measures to safeguard it.
For more information about the safeguards and how to obtain a copy of them, should we transfer data outside the European Union in the future, you can contact our Data Protection Officer using the details above.
We will hold your personal information for the following periods for our legitimate interests and to comply with legal and regulatory requirements:
• Banking, savings and lending applications that are cancelled, declined or not funded – normally up to 1 year from application
• Banking, savings and lending accounts that are opened and funded – normally up to 6 years after the account is closed
Based on our legitimate interests, your personal information may be kept for longer than the aforementioned periods, for example, if we are dealing with an ongoing complaint or in order to fulfil our legal or regulatory obligations.
If you would like further information about our data retention practices, contact our Data Protection Officer.
We do not make automated decisions about banking, savings or lending clients or applicants. We do make use of automated systems to provide us with information. This may include things like checking your age, residency or nationality, and credit checking, to confirm that you meet the conditions needed to open and maintain the account. This helps us to make sure our decisions are consistent, fair, quick and efficient.
We have summarised the rights that you have under data protection law below. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, if you wish to exercise any of them we will explain at that time whether they can be exercised.
The right to access
You have the right to know if we process your personal information and, if so, to access it (subject to some exceptions) together with certain additional information.
The right to rectification
You have the right to have any inaccurate personal information about you rectified.
The right to erasure
In some circumstances you may have the right to have your personal information erased.
The right to restrict processing
In some circumstances you may have the right to restrict the processing of your personal information.
Notification to third parties regarding rectification, erasure and restriction
Where we have disclosed your personal information to a third party, and you have subsequently exercised any of the rights of rectification, erasure or blocking, we will notify those third parties of your exercising of those rights.
The right to object to processing
You have the right to object to our processing of your personal information on grounds relating to your particular situation.
The right to data portability
You may have the right to receive your personal information from us in a structured, commonly used and machine readable format. However, this right can only be exercised where personal information is being processed based on consent, or for performance of a contract and is carried out by automated means.
The right to withdraw consent
For personal information being processed on the basis of your consent you have the right to withdraw that consent for continuing and future processing.
Rights in relation to automated decision-making and profiling
This right allows you, in certain circumstances, to access certain safeguards against the risk that a potentially damaging decision is taken solely without human intervention.
You have the right to complain to the Information Commissioner’s Office (ICO) – the UK’s independent authority set up to uphold information rights in the public interest. In addition, they will be able to provide you with further information or advice on your rights under data protection laws. ICO website: https://ico.org.uk/.
We may record or monitor phone calls to confirm details of our conversations, to resolve queries and complaints, to help detect or prevent fraud and other crimes, for regulatory purposes, to improve service and help monitor and train our staff. This is in accordance with our legitimate interests – in particular, it is necessary to ensure our staff are trained and to allow us to continually improve our services and help detect or prevent fraud. In some cases, we rely on our legal obligations to process your personal information for the above purposes.
Changes to this privacy notice
We may change this privacy notice from time to time. If we make any changes, we will revise the "Last updated" date at the bottom of this privacy notice. If we think that the changes are fundamental in nature, we will make a copy of our updated privacy notice available to you.
Last updated: January 2022