Privacy Notice

Our Privacy Notice is below, or alternatively, download it here.

In this privacy notice, ‘Masthaven’, ‘we’, ‘us’ and ‘our’ refer to Masthaven Bank Limited and any other group company or associated company.

Data Controller and Data Protection Officer

Masthaven is a data controller of your personal information. “Personal information” means information that is about you or that can be used to identify you. Should you wish to contact us for any matters concerning your personal information, including complaints, you can do this in the following ways:

Write to: Data Protection Officer, Masthaven Bank Limited, 15-18 Rathbone Place, London, W1T 1HU
Email: [email protected]
Telephone: 020 7036 2000

If you would like to exercise any of your rights under the Data Protection Act please complete this DSAR form to help us process your request as quickly as possible.

Personal information we process
Depending on the products or services you apply for and (if your banking, savings or lending application is successful) obtain from us – we collect and process different kinds of personal information, including:
• Your main personal information (e.g. your name, date of birth and contact information)
• Your financial information (e.g. your income, credit rating or history)
• Information about your profession or work
• Information about your family and other relationships
• Tracking information (e.g. IP address and MAC address)

Special category data we process
Biometric data (e.g. selfies you sent in as part of ID verification process for certain products)
Information relating to any health conditions you or authorised third-parties disclose to us (more details below - see The basis on which we deal with (“process”) your personal information)

Where we collect personal information from 
We will generally collect your personal information directly from you. If you are introduced to us by a broker or other intermediary, we will obtain some personal information about you from them.

In addition, we may also obtain personal information about you from the following sources or in the following ways:
• Credit reference agencies
• Fraud prevention agencies
• Government and law enforcement agencies
• Agents working on our behalf
• Public information sources (e.g. HM Land Registry, Companies House)
• Information collected when you are using our website
• Publicly available information (Google, Facebook, social media)

How we will use your personal information
• To accept or decline an application for our banking, savings or lending services
• To deliver our banking, savings and lending products and services
• To manage our relationship with you
• To comply with our legal and regulatory obligations
• To assess and manage the risks of fraud and financial crime
• To run our business in an efficient and proper manner
• To investigate and respond to complaints from you  

How we will use your special category information

• To comply with our regulatory obligations
• To comply with our legal obligations

The basis on which we deal with (“process”) your personal information

(A) Our legitimate interests
We process your information in accordance with our legitimate interests, these being our business or commercial reasons to use your information, balanced with your right to privacy. These include:
• Administering and managing your banking, savings or lending account and services relating to that
• Developing new products and services
• Complying with regulations that apply to us and the services we provide
• Carrying out searches using credit reference agencies
• Maintaining and developing our financial crime risk management practices
• Ensuring we are able to respond to complaints and seek to resolve them

(B) Our contractual obligations
• Carrying out pre-contractual checks before we enter a contract during the application stage
• Administering and managing your account(s) and services relating to them, including managing payments and receipts

(C) Our legal obligations
• Complying with laws and regulatory requirements that apply to us and the services we provide
• Carrying out identity checks, anti-money laundering checks and checks with fraud prevention agencies
• Dealing with requests from you when you exercise your rights under data protection law

(D) With your explicit consent (which can be withdrawn by you at any time)
• Developing and carrying out marketing activities
• Working out which of our existing or new products and services may be of interest to you
• Identify and support vulnerable customers (health data) - if obtaining valid consent is not possible and we believe processing this information is in your interest and aligns we our regulatory/legal obligations we may process this information without explicit consent
• Carry out ID verification process (biometric data)

Joint applicants & third-parties

If you give us personal data about other people (such as your family or joint account holders), or you ask us to share their personal data with third parties, you confirm that they understand and accept the information in this notice about how we will use their personal data.

Power of attorney

We will provide this privacy notice to the holder of a valid power of attorney for you when we make contact with him/her directly. That person will be allowed to see the personal information we hold on you.

Sharing your personal information

We will share your personal information within our group and with our advisers, auditors, solicitors, customer communication providers, customer feedback providers and third party information providers in order to be able to provide a proper and efficient service in accordance with our legitimate interests.

In order to process banking, savings and lending applications and transactions, we may share your personal information with one or more credit reference agencies (CRAs) and anti-fraud databases to carry out identity checks, anti-money laundering checks, anti-fraud checks, credit checks and to provide them with your mortgage payment history.

Link to the information notice for the three main CRAs: Credit Reference Agency information notice

When required by law or regulation or to assist in identifying and preventing financial crime, we will provide your personal information to: regulatory bodies; fraud prevention agencies; government and law enforcement agencies.

Where you have given your consent for us to contact you about our products and services we may use a third party provider to issue this information to you on our behalf. We will not share your information with other third parties for marketing purposes.

We may also share your personal information if there is a potential or actual change in the future:
• We may choose to sell, transfer, or merge all or parts of our business, or our assets. Or we may seek to acquire other businesses or merge with them
• During any such process, we may share your personal information with other parties. We’ll only do this if they agree to protect your personal information in accordance with UK data protection law
• If the changes to Masthaven happen, then other parties may use your personal information in the same way as set out in this notice

Sharing personal information outside of the UK

We are based in the UK and your personal information is retained within the UK or European Economic Area (EEA). Should data be transferred at any future date outside of the EEA we will take appropriate measures to safeguard it.

For more information about the safeguards and how to obtain a copy of them, should we transfer data outside the European Union in the future, you can contact our Data Protection Officer using the details above.

How long we keep your personal information for

We will hold your personal information for the following periods for our legitimate interests and to comply with legal and regulatory requirements:
• Banking, savings and lending applications that are cancelled, declined or not funded – normally up to 1 year from application
• Banking, savings and lending accounts that are opened and funded – normally up to 6 years after the account is closed

Based on our legitimate interests, your personal information may be kept for longer than the aforementioned periods, for example, if we are dealing with an on-going complaint or in order to fulfil our legal or regulatory obligations.

If you would like further information about our data retention practices, contact our Data Protection Officer.

Automated decisions using your personal information

We do not make automated decisions about banking, savings or lending clients or applicants. We do make use of automated systems to provide us with information. This may include things like checking your age, residency or nationality, and credit checking, to confirm that you meet the conditions needed to open and maintain the account. This helps us to make sure our decisions are consistent, fair, quick and efficient.

Your rights under data protection laws
We have summarised the rights that you have under data protection law below. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, if you wish to exercise any of them we will explain at that time whether they can be exercised.

The right to access
You have the right to know if we process your personal information and, if so, to access it (subject to some exceptions) together with certain additional information.

The right to rectification
You have the right to have any inaccurate personal information about you rectified.

The right to erasure
In some circumstances you may have the right to have your personal information erased.

The right to restrict processing
In some circumstances you may have the right to restrict the processing of your personal information.

Notification to third parties regarding rectification, erasure and restriction
Where we have disclosed your personal information to a third party, and you have subsequently exercised any of the rights of rectification, erasure or blocking, we will notify those third parties of your exercising of those rights.

The right to object to processing
You have the right to object to our processing of your personal information on grounds relating to your particular situation.

The right to data portability
You may have the right to receive your personal information from us in a structured, commonly used and machine readable format. However, this right can only be exercised where personal information is being processed based on consent, or for performance of a contract and is carried out by automated means.

The right to withdraw consent
For personal information being processed on the basis of your consent you have the right to withdraw that consent for continuing and future processing.

Rights in relation to automated decision-making and profiling
This right allows you, in certain circumstances, to access certain safeguards against the risk that a potentially damaging decision is taken solely without human intervention.

You have the right to complain to the Information Commissioner’s Office (ICO) – the UK’s independent authority set up to uphold information rights in the public interest. In addition, they will be able to provide you with further information or advice on your rights under data protection laws. ICO website:

Call recording
We may record or monitor phone calls to confirm details of our conversations, to resolve queries and complaints, to help detect or prevent fraud and other crimes, for regulatory purposes, to improve service and help monitor and train our staff. This is in accordance with our legitimate interests and, in some cases, legal obligations.

Changes to this privacy notice

We may change this privacy notice from time to time. If we make any changes, we will revise the "Last updated" date at the bottom of this privacy notice.

Last updated: June 2021