Introduction
The Data Protection Act 2018 (DPA 2018) sets out the data protection framework in the UK and incorporates the Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) into the national law. Its purpose is to protect the “rights and freedoms” of natural persons (living individuals), and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.
AE3 Media Limited is committed to protecting and respecting your privacy.
This policy (together with our terms of Use and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
AE3 Media is part of Mortgage Brain Limited and these GDPR principles apply across the business.
The Mortgage Brain Privacy Policy covers the way in which we use and disclose personal information that customers, employees, and any other third parties may provide us with.
Personal information includes any information that identifies you personally, such as your name, address, email address, internet protocol address or telephone number.
Under the DPA 2018 and the GDPR, Mortgage Brain is defined as the Data Processor and therefore has a legal duty to protect any information we collect and process from you as customers.
We use appropriate technologies to safeguard your details and keep to strict security standards to prevent unauthorised access to it.
We recognise that your privacy is very important and so we want you to be confident with the way Mortgage Brain and any of its Partners, Associates & 3rd Parties handle your personal information.
We have outlined below how Mortgage Brain collects, uses, discloses, and protects this information.
Our nominated representative for the purpose of the Act is Lorraine Francisco. Lorraine.francisco@ae3media.co.uk
Lawful basis for the processing of personal data
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Relevant provisions in the GDPR – See Article 6 and Recitals 39, 40, and Chapter III (Rights of the data subject)
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
All our data we collect is based on Legitimate Interest & forms part of a contract with our customers where they are Data Controller.
Our business architecture, accounting and systems infrastructure and compliance organisation means that all personal data is processed on common, group-wide platforms. We have processes in place to make sure that only those people in our organisation who need to access your data can do so. A number of data elements are collected for multiple purposes, as the table below shows. Some data may be shared with third parties, this will be shown in your contract with Mortgage Brain.
When we process on the lawful basis of legitimate interest, we apply the following test to determine whether it is appropriate:
The purpose test – is there a legitimate interest behind the processing?
Necessity test – is the processing necessary for that purpose?
Balancing test – is the legitimate interest overridden, or not, by the individual’s interests, rights or freedoms?
Collection of personal data
We collect personal data from you for one or more of the following purposes:
- To provide you with information and service that you have requested or that we think may be relevant to a subject in which you have demonstrated an interest.
- To fulfil a contract that we have entered into with you.
- To ensure the security and safe operation of our systems, websites and underlying business infrastructure.
- To manage any communication between you and us.
- We use third-party advertising companies to serve ads when you visit our Web site. These companies may use aggregated information (not including your name, address, email address or telephone number) about your visits to this and other Web sites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies. please see: [http://www.networkadvertising.org/managing/opt_out.asp][http://www.networkadvertising.org/managing/opt_out.asp]
Below table shows our Business areas, what data we collect and where it is stored:
Mortgage Brain Systems/Areas | Data Collected | Data Stored |
The Key | Applicants- Name, date of birth, marital status, sex, nationality, Address and contact data, Employment details including National Insurance number and salary, Loans, credit cards and monthly outgoings, Adverse credit data, Previous name, Previous addresses, Previous employers, New property details, New property details, Bank details including account number and sort code, Contact details for Estate Agent, Solicitor, Landlord, current mortgage lender, Accountant, Doctor, health information, convictions
|
Navisite & Claranet |
Mortgage Brain Classic | Applicants- Name, date of birth, marital status, sex, nationality, Address and contact data, Employment details including National Insurance number and salary, Loans, credit cards and monthly outgoings, Adverse credit data, Previous name, Previous addresses, Previous employers, New property details, New property details, Bank details including account number and sort code, Contact details for Estate Agent, Solicitor, Landlord, current mortgage lender, Accountant, Doctor, health information, convictions
|
Customer own desktop |
Mortgage Brain Anywhere | Applicants- Name, date of birth, marital status, sex, nationality, Address and contact data, Employment details including National Insurance number and salary, Loans, credit cards and monthly outgoings, Adverse credit data, Previous name, Previous addresses, Previous employers, New property details, New property details, Bank details including account number and sort code, Contact details for Estate Agent, Solicitor, Landlord, current mortgage lender, Accountant, Doctor, health information, convictions
|
Navisite & Claranet |
MTE & URD | First Name, Surname, Date of birth, address, email address, FCA Number, Telephone number
|
Navisite ELP Server, Navisite test server, Claranet |
Lendex & URD | First Name, Surname, Date of birth, address, email address, FCA Number, Telephone number
|
Claranet |
Mortgage Brain Marketing & B2C (websites) | First Name, Surname, company, emails, postcode, phone numbers,
|
Navisite, Eshot Servers |
Mailchimp | Name, company, emails, postcode, phone numbers.
|
The Rocket Science Group LLC server in United States (covers EU & Privacy Shield Framework)
|
Affordability Hub |
Applicant Data: Postcode, DOB, incomes, expenses, credit, debit values. Financial information credit/debit card numbers, FCA number, Name, email, phone number, device information, actions throughout the site and we monitor your sessions using our A-Hub Website including your searches, pages visited and information collected (automatically collected); company related information, associated Network/Club partnerships, compliance authority stance (AR/DA); IP Addresses
|
UK Fast, AWS, Google Server Suite, |
Criteria Hub | Customer: First name, last name, telephone, office telephone, email, company fca no, company name, network/club identification, office postcode, office address
|
UK Fast, AWS, Google Server Suite, |
Conveyancing Brain | First name, Surname, Email, Telephone number, Company, FCA Number, Authorised type, Network/Corporate, Address, Postcode, Type of business
|
IFA Conveyancing |
AE3 Media | Name, company name, address, postcode, contact details-telephone, mobile, email. Bank details, firmographic information, details of newsletter subscriptions and event engagement (register, declined, no show, attended)
|
AE3 Media server Holborn, Pathfinder Server, Ivent Server, CSV Database
|
Your Mortgage Finder | Property price/value, Sale price, Loan amount, Loan purpose, Term, Mortgage length, Outstanding mortgage, Mortgage type, Mortgage payment, Payment type, Existing lender, First name, Surname, Email, Telephone number, House number, Postcode, Property (type, construction/residency), Country, Age, Employment, Salary, Adverse credit, Sale tenure, Purchase tenure
|
Mortgage Brain web server, London & Country Mortgages,
Fluent Money, Blacks Solicitors LLP |
Loans Brain | Loan amount, Loan purpose, Term, Mortgage type, Income, Property value, Mortgage amount, DOB, Employment status, Time in employment, Adverse credit history.
Broker: Name, Company, Telephone, Email, FCA. Client: Name, Address, Telephone number, Email
|
Mortgage Brain web server, Fluent Money |
Administration Systems | Name, address, contact details, bank details, emails, FCA numbers, customer information related to query | Croydon Internal Server |
Should you have any queries on the above please email GDPR@mortgage-brain.co.uk.
Technical information
- In addition, to ensure that each visitor to any of our websites can use and navigate the site effectively, we collect the following:
- Technical information, including the IP (Internet Protocol) address used to connect your device to the Internet.
- Your login information, browser type and version, time zone setting, browser plug-in types and versions.
- Operating system and platform.
- Information about your visit, including the URL (Uniform Resource Locators) clickstream to, through, and from our site.
Security measures
The security of your personal information is of the utmost importance and Mortgage Brain is committed to protecting the personal data we process. We maintain administrative, technical and physical safeguards designed to protect against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. We use SSL encryption on a number of our websites from which we transfer certain personal information. We take measures to destroy or permanently de-identify personal information if required by law or the personal information is no longer required for the purpose for which we collected it. In addition, access to personal data is restricted only to those who have a legitimate business need and data processed by third parties is only done so under strict instruction from Mortgage Brain, as per the terms of their contract. Procedures are in place to ensure breaches, or suspected breaches, are dealt with in a timely and secure manner and applicable notification applied within the required timeframes.
We do not, however, have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information. We accept no liability in respect of breaches that occur beyond our sphere of control.
Your rights as a data subject
As a data subject whose personal information we hold, you have certain rights. If you wish to exercise any of these rights, please email GDPR@mortgage-brain.co.uk or use the information supplied in the Contact Us section below. To process your request, we will ask you to provide two valid forms of identification for verification purposes. Your rights are as follows:
- The right to be informed
As a data controller and processor, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy policy and any related communications we may send you.
- The right of access
You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following information:
- a) The purposes of the processing
b) The categories of personal data concerned
c) The recipients to whom the personal data has been disclosed
d) The retention period or envisioned retention period for that personal data
e) When personal data has been collected from a third party, the source of the personal data
If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.
- The right to rectification
When you believe we hold inaccurate or incomplete personal information about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.
- The right to erasure (the ‘right to be forgotten’)
Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.
- The right to restrict processing
You may ask us to stop processing your personal data. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing:
- a) The accuracy of the personal data is contested.
b) Processing of the personal data is unlawful.
c) We no longer need the personal data for processing but the personal data is required for part of a legal process.
d) The right to object has been exercised and processing is restricted pending a decision on the status of the processing.
- The right to data portability
You may request your set of personal data be transferred to another controller or processor, provided in a commonly used and machine-readable format. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.
- The right to object
You have the right to object to our processing of your data where…
Processing is based on legitimate interest;
Processing is for the purpose of direct marketing;
Processing is for the purposes of scientific or historic research; or
Processing involves automated decision-making and profiling.
Cookie Policy
COOKIES
We may obtain information about your general internet usage by using a cookie file which is stored on your browser or the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our site and to deliver a better and more personalised service. Some of the cookies we use are essential for the site to operate. The cookies we use can be grouped into four separate categories:
- Strictly necessary
- Performance
- Functionality
- Targeting
Strictly Necessary
‘Strictly Necessary’ cookies allow you to navigate the website and use essential features like secure areas and online registration. These cookies don’t gather any information about you that could be used for marketing or remembering where you’ve been on the internet.
Since these cookies are essential in our being able to guarantee the performance of our website, should you disable them we won’t be able to ensure your security or predict how our website will perform during your visit.
Performance
This type of cookie collects information about how you use our website e.g. which pages you visit, and if you experience any errors. The information collected is anonymous and is only used to help us improve how our website works, gauge what interests our users and assess the effectiveness of advertising.
Functionality
This type of cookie remembers your preferences for tools found on our websites, so you don’t have to re-set them each time you visit. Some of them are managed by third parties. They may for instance determine whether you see the latest or oldest comments made in relation to an article first.
Targeting
These cookies are used to analyse what advertising might be most relevant to a user of the website based on the areas of the website that the user visits.
Please note that any advertisers featured on our site may also use cookies, over which we have no control.
You block cookies by activating the setting on your browser which allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be to access all or parts of our site. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies as soon you visit our sites.
Contact us
Questions, comments, and requests regarding this privacy policy are welcomed and should be addressed to lorraine.francisco@ae3media.co.uk.
Alternatively, you can contact us using the following postal address or telephone number:
AE3 Media Limited,
21 Great Winchester Street,
London, EC2N 2JA,
United Kingdom,
Telephone: 020 3815 3682
Complaints
Should you wish to discuss a complaint, please feel free to contact us using the details provided above. All complaints will be treated in a confidential manner.
Should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority within the European Union. For the UK, this is the ICO (Information Commissioner’s Office), which is also our lead supervisory authority. Its contact information can be found at https://ico.org.uk/global/contact-us/