Your personal information and what we do with it
This Privacy Notice explains who we are and how we use your personal data.
Personal data is any information that can be used to identify who you are as a unique individual.
Ecology Building Society is a controller of your personal data, this means that we make decisions on how we use personal data in the context of our business relationship with you. How we use this data is explained in this Privacy Notice.
When we use terms such as we, us and our in this notice, we mean Ecology Building Society.
We are registered with the UK’s Information Commissioner’s Office (ICO) under registration number Z5798250.
Our Data Protection Officer can be contacted if you have queries about this privacy notice or wish to exercise any of the rights mentioned in it.
Ecology Building Society
7 Belton Road
Silsden
Keighley
West Yorkshire
BD20 0EE
Tel: 01535 650770
Email: [email protected]
We collect personal data when you:
- apply for our products or services online, on the phone, or through the post
- update your information online, on the phone, or through the post (for example, when you change your address)
- speak to us on the phone
- visit our website, or any digital service we offer now or in the future
- send us letters, emails or other documents
The types of personal information we collect from you are:
- identifying details such as your full name, previous names and addresses, title, date of birth, age, signature, unique personal identifier and account number
- contact details such as your home address, email address and phone number
- financial data such as your bank account number, payment details, payee details, earnings, income, expenditure, spending habits, transaction history, tax residency, tax reference number, source of funds, and purpose of withdrawal
- personal information about your family such as your marital status, next of kin, dependents and emergency contact details
- profile data such as your sex, occupation, employment status, citizenship status, residential status, status as a Politically Exposed Person, details of directorship or trustee roles, property details, occupancy status and insurance information
- identification data which includes your driving licence, passport, National Insurance number and other national identifiers
- how you interact with us which includes the products and services you hold with us, transaction, call recordings, photographs, video recordings or any other form of communication
- technical data such as internet protocol (IP) address, location data, operating system, time zone etc
Special Category and Criminal data
We also collect:
- some special categories of personal data such as information on your political beliefs or those concerning your health or if you are a vulnerable customer
- biometric data for the purpose of accessing your account or identifying fraud
- details of any unspent criminal convictions, pending convictions, bankruptcy/receivership, county court judgements, court records and pending orders. This will also include any sanctions or suspensions from any financial services regulator
We work with carefully selected third parties, and may receive information from:
- brokers and intermediaries
- business partners
- sub-contractors
- credit reference agencies
- fraud prevention agencies
- government bodies
- your employer
- your landlord
- someone authorised to act on your behalf
- public sources (such as the Electoral Role or Companies House)
When necessary, we share your personal information with:
- service providers
- tax, government, and regulatory authorities
- fraud prevention and/or law enforcement agencies
- courts and other third parties connected with legal proceedings
- third parties where you have asked us to share your details
- third parties where it is required by law
- joint account holders
- receivers of payment transactions
- credit reference agencies
You can find links to all relevant third-party privacy notices at section 9.
Where necessary, we may transfer personal information outside of the UK. When doing so, we comply with the UK General Data Protection Regulation (GDPR), making sure appropriate safeguards are in place.
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website.
Your right of access – you have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about this right here.
Your right to rectification – you have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about this right here.
Your right to erasure – you have the right to ask us to delete your personal information. Read more about this right here.
Your right to restriction of processing – you have the right to ask us to limit how we can use your personal information. Read more about this right here.
Your right to object to processing – you have the right to object to the processing of your personal data. Read more about this right here.
Your right to data portability – you have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about this right here.
Your right to withdraw consent – when we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about this right here.
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
| Purpose / Activity | Data Type | Lawful Basis for processing |
|---|---|---|
| Administering and managing your mortgage, savings product or core capital deferred shares and related services. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| Updating your records. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| Tracing your whereabouts to contact you about your account. | • Identifying details. • Contact details. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| Processing your application for a product or service including assessing creditworthiness. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| Supporting you through arrears and collections processes. | • Identifying details. • Contact details. • Financial data. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| Managing third party access, such as power of attorney. | • Identifying details. • Contact details. • Financial data. • Profile data. • Identification data. | Necessary to perform our contract with you. |
| To manage your membership with Ecology Building Society. | • Identifying details. • Contact details. | Legal Obligation. |
| Establishment, defence and enforcement of our legal rights. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. | Legal Obligation. |
| Prevention, detection and investigation of crime. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. • Criminal Data. | Legal Obligation. Additional basis for Criminal Data. Substantial Public Interest (preventing fraud, preventing money laundering and terrorist financing). |
| Identity checks, anti-money laundering checks, and checks with fraud prevention agencies. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. • Criminal Data. | Legal Obligation. Additional basis for Criminal Data. Substantial Public Interest (preventing fraud, preventing money laundering and terrorist financing). |
| Monitoring and record keeping. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. • Criminal Data. • Health Data. | Legal Obligation. Additional basis for Criminal Data. Substantial Public Interest (preventing money laundering and terrorist financing). Additional basis for Health Data. Explicit Consent. |
| Handling data subject requests. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. • Criminal Data. • Health Data. | Legal Obligation. Additional basis for Criminal Data. Substantial Public Interest (preventing money laundering and terrorist financing). Additional basis for Health Data. Explicit Consent. |
| Meeting our legal and regulatory obligations. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. | Legal Obligation. |
| When we have to provide your information to them because some money paid to you by them should not be in your account. | • Identifying details. • Contact details. • Financial data. | Legal Obligation. |
| Whistleblowing processing. | • Identifying details. • Contact details. • Profile data. | Legal Obligation. |
| To test the performance of our products, services and internal processes. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. • How you interact with us. • Technical data. | Legitimate Interest. |
| Management and audit of our business operations. | • Identifying details. • Contact details. • Financial data. • Personal information about your family. • Profile data. • Identification data. | Legitimate Interest. |
| Searches at credit reference agencies as part of applications | • Identifying details. • Contact details. • Financial data. • Personal information. about your family. • Profile data. | Legitimate Interest. |
| market research, analysis and developing statistics in relation to understanding our customers’ needs and circumstances in order to improve our service/products. | • Financial data. • Personal information. about your family. • Profile data. | Legitimate Interest. |
| Buyers and their professional representatives as part of any restructuring or sale of our business or assets. | • Identifying details. • Contact details. • Financial data. • Personal information. about your family • Profile data. • Identification data. • How you interact with us. • Technical data. | Legitimate Interest. |
| When you request that we share your personal information with someone else. | • Identifying details. • Contact details. | Consent. |
| When agree to a referral to a trusted third party (eg insurance). | • Identifying details. • Contact details. | Consent. |
| When you agree to share details about you, your property or project, including images, as part of a case study. | • Identifying details. • Contact details. • How you interact with us. | Consent. |
| Direct marketing communications. | • Identifying details • Contact details • How you interact with us. | Consent. |
| When it is necessary to provide additional support due to health or other circumstance, or to meet our regulatory requirements around this. | • Identifying details. • Contact details. • Personal information about your family. • How you interact with us. • Health Data. | Consent. |
In order to process your application, we will perform credit and identity checks on you with one or more credit reference agencies (CRAs). To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.
We will use this information to:
- assess your creditworthiness and whether you can afford to take the product
- verify the accuracy of the data you have provided to us
- prevent criminal activity, fraud and money laundering
- manage your account(s)
- trace and recover debts
- ensure any offers provided to you are appropriate to your circumstances
We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.
When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.
If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you or your partner successfully files with the CRAs for a disassociation to break that link.
Further information about the processing that CRAs perform can be found in their Credit Reference Agency Information Notice (CRAIN)
We need to keep your personal data up to date. You should tell us without delay if your details change (for example, if you move address) so that we can update our records.
While we hold your data we will take reasonable steps to keep it safe and secure, and we will regularly review the rules around how long we keep it for.
A copy of our retention schedule can be found here.
We may use your home or correspondence address, phone numbers and email address to contact you about new products and services.
We may also use other platforms (e.g. Facebook and Google) to contact you according to your online preferences such as your cookie settings.
You can request we stop our direct marketing at any time by emailing [email protected] or by writing to Ecology Building Society, Ellis House, 7 Belton Road, Silsden, Keighley, West Yorkshire BD20 0EE or by following the instructions on how to unsubscribe within each marketing email.
There may be some circumstances where we use your personal information for profiling, this where we look at your personal data to evaluate certain things about you.
For example, to help us provide a consistent service and give people the best products and advice at the right times.
We’ll always make sure the way we process your information is safe and not unfair to you.
Where possible, we’ll keep your details anonymous and use your information only to produce statistical reports, so you won’t be identified from the data.
You have the right to object to us using your personal information for profiling activities. Please refer to the “Lawful basis and data protection rights” section for more information.
We may use automated decision making using your personal information.
We use automated decision making to check that we can enter into an agreement with you, and also carry out our legal and regulatory obligations (e.g. when complying with UK money laundering regulations).
You have certain rights over your personal information when using automated decision making. If you would like more information on this, please see the “Lawful basis and data protection rights” section above.
This Privacy Notice may be updated from time to time. This means we may send you an updated copy (depending on whether we are required to do that or not) or notify you of the changes.
Effective from 19 February 2025.
