Call free on 0800 694 5566 Open 24 hours a day.


More than any bank

Norton Finance and Mortgages – Customer Privacy Notice

Welcome to Norton Finance and Mortgages privacy notice for applicants and customers.

Norton Finance and Mortgages forms part of the Norton Finance Group Limited.

This privacy notice tells you how we use your personal data to provide our services. It’s important that you understand what happens when you give us personal data or when we receive personal data about you from other sources.

We use some words and phrases in this privacy notice that have specific meanings under data protection law. We’ve put these words and phrases in bold.

Click on each heading below to find out more.

Who we are and who is responsible for protecting your personal data

1.1    We are Norton Finance and Mortgages, a specialist loan broker. We are the data controller of personal data we collect and use about you in connection with services related to mortgage and secured loan advice and credit broking activities.

1.2    We have appointed a data protection officer, or “DPO”, who you can contact if you have any questions or complaints. You can email our DPO at

Where we collect your personal data from

We collect most of the personal data we process directly from you, for example when you complete an application or contact us. We do collect some personal data from third parties, including credit intermediaries, brokers, credit reference agencies and fraud prevention agencies.

Directly from you We collect personal data from you when you:
  • Enquire about, apply for and use our products and services;
  • Talk to us on the phone (if we record any calls, we will tell you about this when we speak to you);
  • Send us an email or letter;
  • Use our website;
  • Communicate with us via social media;
  • Complete a customer survey; and/or
  • Make an enquiry or complaint.
Date we collect when you use our services Like many websites, we use cookies to monitor which areas of our website you spend the most time looking at, so we can tell you about services or products which might interest you when you next visit us online.

You can find out more about this in our Cookies Policy.
Data from Third Parties We may collection data from the following external organisations:
  • Credit reference agencies such as Equifax, Experian, and TransUnion.
  • Fraud Prevention Agencies.
  • Other financial services companies, for example, your existing mortgage provider.
  • Valuation agents.
  • Public sources such as Electoral Register.
  • Credit Brokers/Price Comparison Websites and any other lead providers.
  • Social media sites.
  • Marketing companies. These firms may get in touch with you to request feedback on our products and services.
  • Payroll service providers
  • Government institutions
  • Law enforcement agencies.
  • Insurers

What personal data we collect

The personal data we collect includes (among others), your contact details, information about your financial status/financial history, information about your employment, information about your identity and information about how you manage your product with us.

Contact information Your name (and any previous names), date of birth, address, previous addresses from the last three years, email address, contact telephone number and bank details.
Financial Your financial status, circumstances, history, credit records, banking information.
Socio-Demographic Your occupation, salary, gender, age, nationality etc.
Transactional Details about the payments you make to your accounts or in relation to any contract you have with us.
Contractual Details about any products or services we supply to you.
Behavioural Details of how you use our products and services from us
Communications Any information we have that we have obtained about you from letters, e-mails and conversations between us.
Creditor Information Details about your current or expected mortgage, or any other outstanding credit. This may include the details of the lender, the amount outstanding, your mortgage broker, account numbers or property details.
Technical Details of the devices and technology you use, including your Internet Protocol (“IP”) address.
Identity Information We may collect information to verify your identity and residency. This could include documents such as your passport, driving license, birth certificate, national insurance number, utility bills, bank statements, VISA status, rights of residency information and details obtained from national and international databases of sanctioned persons.
Consent/Choices Information Any permissions, consents or preferences that you give us, including how you would like us to contact you.
Special Categories of Information Certain types of personal information is classified as special category data. We will only collect and use this data if the law allows us to, and it is relevant to the provision of our services to you:
  • Health data
  • Criminal records of convictions and offences
  • Allegations of criminal offences.
Gender Identity Information about the gender you may identify as.
Open Data and Public Records Details in the public domain, such as Electoral Register, information that is openly available on the internet, including publicly available social media information.

How and why we use your personal data

We only use your personal data if we have a “lawful basis” to do so. We use your personal data primarily to provide and manage our products and to manage our relationship with you, which we need to do so that we can fulfil our contractual obligations to you. We also use your personal data to comply with our legal and regulatory obligations [(for example, to keep accurate records and prevent and detect fraud)] and where we have an interest in using your personal data [(for example, collecting debt from you and monitoring our products and services so that we can improve them)].

If you are happy to receive marketing from us we’ll also use your personal data to market our products and services to you.

What we use your personal details for Our lawful basis Our legitimate interests (if applicable)
Your application:
  • generating a quote.
  • assessing the suitability of a product or service for you.
  • making a decision about whether to offer a product or service to you.
  • carrying out credit checks with credit reference agencies to assess your creditworthiness.
  • managing the application process
  • communicating with you about your application.
Necessary for a contract. Not applicable.
Checking your identity to confirm that it is you. Necessary to comply with the law. Not applicable.
Manage your account and your relationship with us. Necessary for a contract. Not applicable.
Preventing and detecting fraud and financial crime. Necessary to comply with the law. Not applicable.
Sharing relevant marketing about our products and services. Consent. Not applicable.
Meet our legal and regulatory obligations obligations Necessary to comply with the law. Not applicable.
To improve our existing products and services, and to help develop new products and services. Necessary for our legitimate interests. To ensure our products and services meet the needs and financial objectives of the target market, so we can consistently deliver good customer outcomes and positive customer experiences.
To enhance customer experiences.
To enable us to manage risk more effectively, mitigating the risk of foreseeable harm.
Provide information you request from us. Necessary for a contract. Not applicable.
To provide additional support to you in challenging times.

Necessary for our legitimate interests.

Necessary for reasons of substantial public interest.

To ensure that you are provided with additional signposting and support where required, to protect your economic wellbeing.

Who we share your personal data with and why

We sometimes need to share your personal data with other organisations, so that we can continue to provide our services to you or for other legitimate reasons. This can include suppliers, brokers, regulators, government/law enforcement agencies and other professional advisors. We will take reasonable steps to make sure that whoever we share your personal data with protects it as well as we do.

Who we share your personal data with Why we share it
Suppliers who provide services to us that require them to use your personal data. In these cases, the supplier acts as a “data processor” on our behalf. The suppliers we share your personal data with include:
  • email marketing services;
  • survey providers;
  • research and data analytics providers;
  • automated decisioning software providers;
  • companies within our group that provide information technology services to us.
We share personal data to enable these suppliers to provide their services to us. This, in turn, allows us to continue to operate as a business and provide our products and services to you.

They are not allowed to use your personal data for any purposes other than to provide their services to us.
Other providers of financial services products.

We share personal data with providers of financial services products which we recommend from our panel. We only share the relevant amount of information required in order for them to consider your application with them.

We may also need to contact your existing creditors, such as other lenders who have a charge on the property.

The provider of the financial product is a data controller. Links to the privacy notices of lenders on our panel can be found on our website:

Secured Lenders Privacy Policies

Unsecured Lenders Privacy Policies

Bridging Lenders Privacy Policies

Mortgage Lenders Privacy Policies

Credit Reference Agencies We share personal data with the Credit Reference Agencies to carry out credit and identity checks so we can assess the suitability of the products recommended and comply with our legal obligations.
Please see the section below for more detail.
Fraud Prevention Agencies We may share information with external third party fraud prevention agencies, to help detect, investigate and prevent fraud. Please see the section below for more detail.
Mortgage/Loan Brokers/Financial Advisers We may share information with other mortgage/loan brokers or financial advisers upon referral when we are unable to assist you in finding a suitable product from our panel. We will only share personal data that is relevant to your application, and which allows the company to contact you to discuss in further detail.
Introducers We share your information with other companies and organisations that introduce you to us, such as credit brokers and price comparison websites.
Valuation/Survey Firms We share personal data with third party firms providing professional valuation services, so we can assess the security that is being used for a proposed loan.
Solicitors/Professional Third Parties We may need to share your information with solicitors used in a conveyancing transaction, in order for your application to progress.
Government Bodies and Agencies We may need to share your data with government agencies, or public authorities, as part of our financial crime obligations.
Payment Processors/Card Associations We may need to share information with payment processors (e.g., BACS) or card associations (e.g. Visa) in order to take payments from you.

Credit reference agengies

We use credit reference agencies (“CRAs”) to help us carry out credit and identity checks when you apply for a product or service with us. This involves us sharing your personal data with CRAs and receiving personal data back from them. We use the personal data they send us to assess our credit risk and make sure what you’ve told us is true.

CRAs link your records with other people who are associated with you – including people you make a joint application with and any spouse, civil partner or partner.

5.1    We share your personal data (and that of any joint applicants) with CRAs. We send your personal data to them when you apply for a product or service and during our relationship.

5.2    You must make sure that any joint applicants and associated partners are aware of the checks being undertaken before applying. You must not submit personal data about a third party without providing this privacy notice to them and ensuring they are happy to proceed.

5.3    When we ask CRAs about you and joint applicants, they will note it on your credit file. This is called a credit search. Other organisations (including lenders or providers of goods or services) will see this credit search or previous footprint on any report prepared for their own purposes and prospective relationship with you.

Personal data we send to the CRAs Personal data we receive from the CRAs How we use the information we receive from CRAs
Name, address, date of birth, credit application.

We will give the CRAs details about settled amounts that were due to us. The CRAs may give this information to other organisations that want to check credit status.

We will also report to the CRAs if you default on any payments due to us. This may negatively affect your credit score and limit your ability to obtain credit in the future.
Name, address, date of birth.

Credit score.

Details of any shared credit.

Financial situation and history.

Public information from sources such as the electoral roll and Companies House.
To verify your identity and the information you have provided to us.

To assess our credit risk and decide whether to offer you a product or service.

To help detect and prevent financial crime.

To manage our contractual relationship with you.

To trace and recover debts.

5.4    Linked records and associated individuals:

If you make a joint application with someone else, we and the CRAs will link your records with the joint applicant’s records. We will do the same if you tell us you have a spouse, partner or civil partner. These linked records are called associated records. Enquiries made with CRAs may be answered from both your record and any associated records. Two people’s records will be associated when they make a joint application, you tell us about a financial association or the CRA has associated records.

You should tell associated individuals about this before you apply for a product or service. It is important that they know your records will be linked together, and that credit searches may be made on them.

These links will stay on your files unless one of you asks the CRAs to break the link. You will normally need to give proof that you no longer have a financial link with each other to successfully disassociate or break the linked record.

5.5    Where to find out more:

The CRAs have created a “Credit Reference Agency Information Notice” or “CRAIN”) which includes more details about how the CRAs use and share your personal data, as well as their role as fraud prevention agencies

The CRAINs for each of the three main CRAs are available on their websites, which we have linked below:

You can also find more information about how the CRAs use personal data, and your data protection rights with the CRAs, here:

Fraud prevention agencies

We are, or may in the future become, members of certain anti-fraud organisations known as “fraud prevention agencies” or “FPAs”. If we identify evidence of any financial crime on your account, we will share this information with FPAs. This helps other members of the FPAs and law enforcement agencies, to detect, investigate and prevent fraud and other financial crime.

If we, or an FPA, believe that you have committed fraud or another type of financial crime, the FPA will keep a record of this and you could be refused certain services or finance.

What happens if you don’t give us personal data we need

If we need personal data in connection with our contract with you (including for your application) or to comply with a legal requirement, and you do not provide it, this may delay or prevent us from meeting our obligations. It may mean that we cannot provide your product or service.

What rights you have over your personal data

You have certain rights over your personal data. These include rights to access a copy of your personal data, to ask us to erase your personal data and ask us to correct inaccurate personal data. You can ask to exercise these rights by contacting us at There are some circumstances in which we do not need to comply with all or part of your request. If this is the case, we will explain this to you.

8.1    The rights you have, and what each of these mean, are explained in the table below.

Your right What this means
Right to access personal data You can ask us to send you a copy of the personal data we hold about you. We will carry out a reasonable search for personal data and send you the personal data that we locate within one month, or three months if your request is complex. We are allowed to withhold information in some circumstances, for example to protect other individuals’ privacy or in the event of a criminal investigation.
Right to correct inaccurate personal data You can ask us to correct, clarify or amend your personal data if it is inaccurate, incomplete or otherwise out of date.
Right to erasure You can ask us to delete your personal data in certain circumstances, for example if we no longer need it or if we have collected it unlawfully.
Right to restrict use of your personal data You can ask us to limit how we use your personal data in certain circumstances. For example, if you think your personal data is inaccurate but we disagree, you can ask us to stop using it to make decisions until we can verify if it is accurate or not.
Right to data portability Where personal data is necessary for a contract, or where we collected it based on your consent, you can ask us to move, copy or transfer it to another provider.
Right to object Where the use of personal data is necessary for our legitimate interests, you can ask us to stop using it for those purposes. We can continue to use it if we can show that we have a compelling, legitimate reason to do so.
Right to opt out of direct marketing You can always ask us not to continue to send direct marketing to you. You can do this by clicking on the “unsubscribe” link in marketing emails or contacting us using the details above.
Right to withdraw consent If we have asked you for your consent to use personal data in a particular way, you can withdraw that consent at any time.

8.2    If you ask to exercise one of the rights above, we may ask you to verify your identity before we process your request. This is to avoid confidentiality breaches and make sure we do not disclose personal data to the wrong person.

How we use your personal data to make automated decisions

We sometimes use your personal data to make automated decisions. This helps us to make sure our decisions are quick, fair, efficient and correct, based on what we know about you.

9.1    When you apply for a product or service, we make the following decisions electronically based on the personal data we know about you:

  • deciding whether the product or service is relevant for you; and
  • checking whether you meet the conditions to enter into the contract, which may include checking information such as your age, residency or nationality, as well as carrying out a credit check with credit reference agencies (see the section headed “Credit reference agencies” for more information about how this works).

9.2    These decisions are necessary to allow us to decide whether a lender will be willing to enter into a contract with you. We have to make them electronically to make sure that the decision is made quickly enough and is correct.

9.3    If our systems decide that the product or service is not relevant, or that you do not meet the relevant conditions, we will not be able to offer you that product or service.

9.4    You can:

  • ask us not to make the decision based on the automated score alone; or
  • object to an automated decision and ask that a person reviews it.

9.5    If you want to know more about our automated decisions or wish to exercise these rights, please contact us using the contact details above.

How long we keep your personal data for

We only keep your personal data for as long as necessary for the purposes for which it was collected and used. When it is no longer needed, we securely delete it or anonymise it.

10.1    The period for which we keep personal data varies depending on the nature and context of the relevant personal data. When we decide how long to keep personal data, we take into account:

  • how long we need to keep it to fulfil the original purpose of collecting it;
  • whether there could be any claims, complaints or litigation that require us to use that personal data;
  • any relevant guidance from official bodies such as regulators;
  • how sensitive the personal data is; and
  • whether there are any relevant legal obligations that we need to comply with.

10.2    Generally speaking, we keep personal data for 6 years after your relationship ends with us. We may keep your information for longer than indicated if we cannot delete it for legal, regulatory, or technical reasons. We may also keep it for research or statistical purposes. If we do, we'll make sure that your privacy is protected and only use it for those purposes.

Where we store and send your personal data

The personal data we collect is stored in the UK and the European Economic Area (EEA). Your data receives the same level of protection in the EEA as it does in the UK through the safeguard of Adequacy Decisions.

11.1    We carry out due diligence on all suppliers we appoint to check where they send personal data and, if personal data is transferred outside the UK, to make sure that appropriate protections are in place.

11.2    Those protections could be:

  • 11.2.1    making sure the country your data is sent to is designated as an “adequate” country by the UK government. This means that the government has reviewed that country’s data protection laws and decided that it provides an equivalent level of protection of personal data to the UK; or
  • 11.2.2    if the transfer of personal data is between group companies, making sure that there are “binding corporate rules” in place. These are sets of policies and rules between group companies that ensure that companies in other countries protect personal data in the same way that it is protected in the UK; or
  • 11.2.2    making sure that there is an “international data transfer agreement” in place to cover the transfer. This is an agreement that places obligations on the recipient of the personal data outside the UK to protect personal data as would be required by UK data protection laws.

Lending Companies

All lending companies have their own individual privacy policies and customers should refer to these in respect of how they will use personal data.

Lenders to whom the application is passed, will make wider use of the information than a broker. If you have received any lender documents, they should include a statement telling you what they will do with the information or telling you where to look to find out what use they will make of it.

Both we and almost all lending companies will check the information supplied on loan or mortgage applications with data held by credit reference agencies. The lender may search on more than one occasion. Every time a search is made it is recorded by the agency and disclosed to other organisations on any later searches. Lenders will use the information obtained in the credit reference searches to help them assess the application and they may use the result of any search in a credit scoring system.

The lender may check your details with the credit reference agency or with other agencies to satisfy itself that all the details on the application are true, and that the application has been really made by you.

If it suspects information is false or inaccurate it may report it to a fraud prevention agency.

Sometimes a lender may not wish to lend. This may be for a number of reasons. The lender may think you cannot afford the loan. If it is a secured loan, your property may not be of sufficient value. A lender does not have to tell you exactly why you have been refused a loan but you can ask them for the name and address of any credit reference agency used and they will supply this information free of charge. Nobody has a right to receive a loan. Loans are always granted at the discretion of the lending company.

Changes to this privacy notice

We might change this privacy notice from time to time, to make sure it is up-to-date with the law and with the ways we use your personal data. You should check the privacy notice from time to time to see if anything has changed.

The privacy notice was last updated on 14th December 2023.

What you can do if you have any questions or complaints

If you have any questions about this privacy notice or how we use personal data, or if you are not happy with how we have processed your personal data, you can contact our DPO using the following details:


Telephone number: 0808 231 5530

Post: Norton House, Mansfield Rd, Rotherham, S60 2DR

You also have the right to make a complaint to the Information Commissioner’s Office, which is the data protection regulator. You can find out on their website how to make a complaint:

For your FREE, no-obligation quote

Get a Quote Now

Alternatively, call FREE on 0800 694 5566 Open 24 hours a day.


Featured Articles

Call us FREE on 0800 694 5566

24 hours a day, 7 days a week.

Complete our quick online form.

Get a Quote Now