Privacy and Fair Processing Notice

Last updated 09/11/2023

How we use your personal information

The Mortgage Lender Ltd Limited (we, us and our) is committed to protecting your privacy.

We have produced this notice to explain to you what personal information we have, how we get it and how and why we use that information.

For the purpose of this notice, where we refer to “you” or “your” this will also include (where the context permits, such as intermediaries/brokers) your principals, directors, shareholders, employees, contractors, and workers (together your “related parties”).

The Mortgage Lender Limited is a wholly owned subsidiary of Shawbrook Bank limited, with our own separate legal and regulatory status. We are registered as a data controller with the Information Commissioner’s Office (ICO) under registration number ZA136175.

Under data protection laws, we are a controller of the personal information that we collect and hold about you. This is because we decide how and why your personal information is used.

If you have made an application on behalf of another individual, a joint application with another individual, or an application on behalf of a business or other organisation and have provided us with information in relation to its directors, shareholders, owners, trustees or beneficiaries (as applicable), then this privacy notice will also apply to them. It is important that they read this notice and we will assume that you have told them that their details will be shared with us and that you have shown them this notice.

Note for Intermediaries

You should not share any related party’s personal information with us except where you have shown them a copy of this privacy notice and obtained their confirmation that they know you will share it with us for the purposes described (and where you have their consents, as relevant, for the processing described).

How to contact us

If you want to receive a copy of the information we hold, exercise any of your information rights as explained in the notice, please contact us by writing to;

Compliance Department
The Mortgage Lender Limited
PO Box 27135
G1 9EG

By email:

Or by telephone 0344 257 0428

If we cannot resolve your enquiry to your satisfaction, you can contact the ICO at or by telephoning 0303 123 1113 if you have a complaint that relates to the way we have handled your personal information.

In this notice, we will let you know more about how we use your information including

  • Your information rights
  • The information we process about you
  • Why we process your personal information
  • Who your personal information may be shared with
  • How we collect and obtain your personal information
  • Credit Reference Agencies
  • Fraud Prevention Agencies
  • International transfers of your personal information
  • Automated processing
  • How long your personal information will be stored for
  • Keeping your information secure
  • Keeping your information accurate
  • How we monitor your communications
  • Changes to our Privacy Notice

Your information rights

You have a number of rights which are explained below, if you wish to exercise any of these rights you can do so by using the contact details at the start of this notice. We will explain whether the right applies to you as these rights do not apply in all circumstances. You will not have to pay a fee for exercising your rights. We try to respond within one month however if we think it will take longer than one month we will notify you and keep you updated. We will need to verify your identity before we can act on any request you make to us under this notice.

Right to access

You have the right to access the personal information held about you and to obtain certain prescribed information about how we process it. This is commonly known as submitting a 'data subject access request'.

Right to rectify your personal information

If you discover that the information we hold about you is inaccurate or incomplete, you have the right to have this information corrected.

Right to erasure

You may ask us to delete information we hold about you in certain circumstances; this is often referred to as the 'right to be forgotten’. This right is not absolute and only applies in particular circumstances. It may not always be possible for us to delete the information we hold about you, for example, if we have an ongoing relationship with you or we are required to retain information to comply with our legal obligations or to exercise or defend legal claims.

Right to restriction of processing

In some cases, you may have the right to have the processing of your personal information restricted. For example, where you contest the accuracy of your personal information, it may be restricted until the accuracy is verified, or where the processing is unlawful but you object to it being deleted and request that it is restricted instead.

Right to object to processing

You may object to the processing of your personal information (including profiling) when it is based upon our legitimate interests or for the purposes of statistical analysis.

Right to object to direct marketing

You may also object to the processing of your personal information for the purposes of direct marketing and you can do this at any time.

Our direct marketing activities are limited to intermediaries only.

Right to data portability

You have the right to receive, move, copy or transfer your personal information to a controller which is also known as 'data portability’. This only applies to information you have given us and if we are processing your personal information based on consent or contract and the processing is automated.

The information we process about you

The following list describes the different types of information we process about you. We explain why we process this information later in this notice:

  • Identity data including first name, last name, previous names, username or similar identifier, gender, marital status, title, nationality and date of birth.
  • Contact data including postal addresses, email address and telephone numbers.
  • Financial data including bank account and payment card details and details of your employment, financial position, and history.
  • Transaction data including details about payments to and from you.
  • Identification data including a photo of yourself, passport details, driving licence or other identification documents.
  • Special categories of data such as details about your health.
  • Details of any criminal convictions or alleged criminal offences.
  • Information that you provide to us when you contact us by any means, including by telephone and email, or when you submit queries to us. We will keep a record of correspondence and the information that you provide to us in that correspondence.
  • Details of the devices you use to access our websites and how you use our websites (please see our Cookie Notice).
  • Profile data including products and services you use, your interests, marketing and communications data including your preferences in receiving marketing from us, your communication preferences, feedback and survey responses.
  • Publicly available information such as the Electoral Register, Companies House, social media, internet news articles.
  • For intermediaries registered on our portal, memorable information, including names, places, schools and date of birth which we use to verify your identity.

Why we process your personal information

The table below sets out the main ways we process your information, including for our legitimate interests. Processing necessary for the purposes of our legitimate interests, or those of a third party, is a type of lawful basis which applies to much of our processing. When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you and your rights under data protection laws.

Where we need to collect personal information by law, or under the terms of a contract we have with you, and you choose not to provide it, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

If you have any concerns about the processing below, you have the right to object to processing that is based on our legitimate interests. For more information on your rights, please see “Your Information Rights” section above.

To perform our contract with you.

Our legitimate interests

Deciding whether we can offer you the product you have applied for and to evaluate any security and/or guarantee arrangements relating to a product.

This is necessary to comply with our legal obligations.


We also verify your identity as a donor or lender of deposit monies or equity to ensure that there is no conflict in respect of parties' rights over the relevant security property.

Our legitimate interests

Ensuring we act as a responsible lender, including with regards to fraud prevention and identity theft.

Ensuring we can enforce our rights in respect of the security property through security provided.

We will use your information in several ways which includes:

  • - collecting payments;
  • - providing you with account statements, notices;
  • - providing you with information such as changes to your interest rate;
  • - managing any changes you ask us to make to your account;
  • - managing any arrears on your account;
  • - enforcing any security that we have in place; and
  • - dealing with any queries or complaints that you may have.

We will do this to perform our contract with you and to comply with our legal obligations.

Our legitimate interests

Recovering debts due to us and keeping our records updated.

We will use your information for the following purposes:

  • - monitoring communications and activities in relation to your account;
  • - accounting and audit purposes;
  • - complying with our corporate governance requirements;
  • - providing you with relevant products and services; and
  • - business support services.

We will do this to comply with our legal obligations and to perform our contract with you.

Our legitimate interests

Measuring our operations and performance against our business and compliance aims.

Running our business in an efficient and proper way.

This includes those referred to in the ‘Your rights under applicable data protection law’ above.

This is necessary to comply with our legal obligations.

Our legitimate interests

To provide you with information about products and services that you may be interested in and to develop our products and services and grow our business.


Our direct marketing activities are limited to intermediaries only.

Our legitimate interests

Helping us to better understand our customer base and the markets in which we operate or may wish to operate.

Our legitimate interests

So we can provide you with a good experience when you browse our website and to allow us to improve our website and our service. See our cookie notice for more information.

To assist intermediaries or brokers with their management operations and managing our use of third parties, which includes:

  • - managing records about you;
  • - ensuring the type of business that third parties refer to us is appropriate; and
  • - resolving any complaint made by you about a third party and/or any dispute between you and us regarding a third party.

This is necessary to comply with our legal obligations.


Our legitimate interests

Ensuring that the third party is fulfilling the terms of their contract with us and that we act as a responsible lender.

Our legitimate interests

Ensuring the security, efficiency and reliability of our products, services and systems.

Criminal Conviction and Special Category Data

We will only process personal data relating to criminal convictions or offences and alleged offences where the law permits us to do so e.g. to perform checks to prevent and detect crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption and international sanctions or where we have your consent to do so.

Data protection law defines certain types of information as ‘special category data’. This includes details about your health and medical conditions. We will only process special category data where we have obtained your explicit consent to do so or another lawful basis exists, for example, where it is necessary for reasons of substantial public interest, namely to safeguard the economic well-being of individuals, preventing or detecting unlawful acts or preventing fraud.

Withdrawing Consent

You have the right to withdraw your consent for us to process personal data relating to Criminal Convictions and Special Category Data at any time. Please contact us using the details at the start of this notice if you wish to do so. This will not affect the lawfulness of any processing which has already happened based on that consent.

How we collect and obtain your personal information

We collect your personal information directly in several ways, including:

  • when you apply for a mortgage product through an intermediary;
  • when you provide it by telephone, in writing or by any other method of communication, for example by email or through our online portal, or when you provide it through the course of our relationship, for example, if you inform us of a change in your circumstances;
  • information you make public when you interact with our social media profiles or reference us in your communication; and
  • technical information, including the Internet Protocol (IP) address used to connect to the internet, may be collected from you when you visit our website.

We obtain your personal information indirectly from third parties including:

  • if another person provides your information to us when they apply to obtain a product from us on your behalf; or that is to be held jointly with you; or on behalf of a business of which you are a director, shareholder, owner, trustee or beneficiary (as applicable);
  • from fraud prevention agencies, credit reference agencies, tracing and debt recovery agents, government bodies and agencies, the electoral roll, Companies House and other sources of publicly available information (e.g., sanctions list, media) when we carry out searches for the purposes of processing your application and/or during your relationship with us;
  • if you occupy a property which we hold or propose to hold as security.

If you are applying to us indirectly through a third party, then they should have provided you with their own privacy notice and if they did not, you should ask them for a copy.

Who your personal information may be shared with

So that we can provide you with products and services, meet our legal obligations and manage our business, it may be necessary to share your personal information with other third parties including:

  • Shawbrook Group parent entities for the purposes of enabling our parent entities to exercise oversight of our business.
  • Our funding partners
  • Anyone acting on your behalf with authority to do so, such as a debt charity, insolvency practitioners, The Insolvency Service, power of attorney or your professional advisors.
  • Credit reference agencies (CRAs), fraud prevention agencies and law enforcement agencies.
  • Field agents and tracing agents to seek to recover any debt owed to us.
  • Agents or third party contractors including data processors who we appoint to administer or operate your account, including any person who may replace us in the administration of your account.
  • Other financial service companies, such as other lenders.
  • Our insurers
  • Legal and regulatory bodies, such as the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), HMRC, the Information Commissioner's Office (ICO), the UK Financial Services Compensation Scheme (FSCS), the Financial Ombudsman Service (FOS), our professional advisors and/or the courts.
  • Organisations that provide us with business support services. For example, account service and administration companies, back-up and server hosting, IT software and maintenance platforms, document storage and management services, receivers, repossession agents, recoveries agents and property valuers.
  • Third parties who have introduced you to us or are involved in the introduction process (e.g. an intermediary, broker, network, or Mortgage Club).
  • Market research organisations who we engage to assist us in developing and improving our products and services.
  • Any person or entity that is to provide, or has provided, any security or guarantee (and their professional advisors) in respect of your agreement with us and their professional advisors.
  • Any entity (and their professional advisors) that provides funding to us or members of the Shawbrook Group (for example, the Bank of England) and any entity that provides us with debt or equity finance.
  • Our PR and Communications partners when you enter our prize draws.
  • Payment service providers whose services include money laundering and credit checks.

Please note that our website may contain links to other third-party websites. These websites will not be governed by this notice and we therefore recommend that you read the privacy and cookie notices on the other websites you visit.

Credit Reference Agencies (CRAs)

To process your application, we will perform credit and identity checks on you with one or more CRAs. Where you have a mortgage with us we may also make periodic searches at CRAs to manage your account with us. To do this, we will share your personal information with CRAs and they will give us information about you. This will include:

  • Identity and contact data;
  • Information from your credit application;
  • Information about your financial situation and financial history;
  • Public information (including the electoral register);
  • Shared credit details; and
  • Fraud prevention information.

We will use this information to:

  • Assess your creditworthiness and whether you can afford to take the product;
  • Verify the accuracy of the data you have provided to us;
  • Prevent criminal activity, fraud and money laundering;
  • Manage your account(s);
  • Trace and recover debts; and
  • Ensure any offers provided to you are appropriate to your circumstances.

We will continue to share information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs. When CRAs receive a search from us they will place a search footprint on your credit file that maybe seen by other lenders.

If you are making a joint application or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until you or your partner successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail in the CRA information notice (CRAIN) which is accessible from each of the three CRAs:

TransUnion (formerly Callcredit)



Fraud Prevention Agencies

The personal information we have collected from you will be shared with fraud prevention agencies to help us make credit related decisions. Fraud prevention agencies will also use your personal information to prevent fraud and money-laundering and to verify your identity.

We may automatically decide that you pose a fraud or money laundering risk because of our fraud prevention searches or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services and financing you have requested, or to employ you, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies and may result in others refusing to provide services, financing or employment to you.

Fraud prevention agencies can hold your personal data for different periods of time; if you are considered to pose a fraud or money laundering risk, note that your data can be held by them for up to six years.

International transfers of your personal information

We will only transfer your information outside the European Economic Area (EEA) when the law permits us to do so and to:

  • Follow your instructions
  • Share data with our suppliers who support our business

Should we transfer your personal information to any other territories or countries outside the EEA we ensure appropriate safeguards are in place to maintain the same levels of protection as are needed under data protection laws in the UK.

Automated processing

We use systems to make automated decisions about you or your business when:

  • We undertake credit checks to assess creditworthiness and affordability when you apply for a mortgage;
  • We carry out assessments to help decide if your account(s) may be being used for fraud or other Financial Crime;
  • We undertake anti-money laundering and sanctions checks; and
  • We verify your identity.

Our automated decisions use profiling which means that we use your personal information to make decisions that can affect the products, services or features we may offer you now or in the future, or the price that we charge you for them. For example, if you do not meet an element of our lending criteria (such as being over 18 or being a resident in the UK) any application for credit will be automatically declined. If you do meet our lending criteria, the amount we lend, the term of your loan and the interest we charge on your loan will be determined by your credit status.

Reviewing an Automated Decision

  • You may have rights over automated decisions depending on the lawful basis upon which we process your information.
  • You can ask that we do not make our decision based on output of the automated process alone.
  • You can object to an automated decision and ask that a person reviews it.

For more information or to exercise these rights please contact us using the details at the start of this notice, or via your mortgage intermediary.

How long your personal information will be stored for

We only keep your personal information for as long as it is reasonably necessary to fulfil the purposes for which it is processed (as described above).

If your application is declined, we will store your personal information in accordance with our record retention procedures and to comply with our legal obligations.

In accordance with our retention policy, we will retain your personal information for a minimum of six years from the end of our business relationship with you. Our business relationship will be deemed to be at an end on the date upon which your account is closed (which will either be when all outstanding sums under the agreement have been repaid or when we stop pursuing arrears on the account) or when your application has been declined. Please note that if your personal information is shared with third parties (as detailed above) they may have different retention policies.

Keeping your information secure

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Keeping your information accurate

We strive to ensure that your personal information is kept up to date and accurate. If any of the personal information you have given to us or third parties changes, such as your contact details, homeownership status, employment status or marital status, please promptly inform us in accordance with the terms and conditions of your agreement with us.

How we monitor your communications

Subject to applicable laws, we will monitor and record calls, emails, text messages, social media messages and other communications. We will do this for the purposes of complying with applicable laws and regulations and our own internal policies and procedures, to prevent or detect crime, to protect the security of our communications systems and procedures and for quality control and staff training purposes.

Changes to our Privacy Notice

We keep this Notice under regular review and any updates will be posted on our website in the most recent version of the Privacy Notice. Where appropriate changes may be notified to you by post or email.

Last updated: 09/11/23