Privacy Policy


We are Burnley Savings and Loans Limited (BSAL), company number 7640762 and whose registered office is at 30 Keirby Walk, Burnley, Lancashire. BB11 2DE (‘we’, ‘us’ or ‘our’). We take the privacy of our customers very seriously. We ask that you read this Privacy Policy (‘the Policy’) carefully, as it contains essential information about how we will use your personal data.

For the purposes of the Data Protection Act (‘DPA’), we are the ‘Data Controller’ (i.e. the company who is responsible for, and controls the processing of, your personal data).

This Policy was last updated in January 2025 in line with the General Data Protection Regulation (GDPR) reform that came into effect in May 2018. The reform sets out more rights for individuals and greater transparency in how personal data is processed by Data Controllers, such as consent, distribution, marketing and deletion. As we are a credit intermediary, we undertake a number of financial tasks that relate to consumer credit. Our firm’s lawful basis for processing your personal data is done so under a Legitimate Interest – Article 6(1)(f) – “the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.”

Personal data we may collect

We will obtain personal data about you (including your name, address, date of birth, contact information, interests, payment details, and financial information) and those whose personal data you have with express authority disclosed to us (‘others’) whenever you complete an online or paper form, make a telephone enquiry with us, or visit our office to receive our services. If you submit an online enquiry, you will be required to agree to the terms of this Policy which include permitting us to contact you for the purposes of the finance related enquiry via the contact means of which you provide us with the details of. I.e. email address, telephone number, etc.

For example, we will obtain personal data when you (e.g. contact us for any reason, or purchase services). In certain circumstances, we may hold sensitive personal data if you provide us with such information if you feel that it is relevant for the purpose of your enquiry, but we will not ask for such information. Any sensitive personal data obtained and recorded will only be done so with your explicit consent.

How we use personal data

We will use the personal data you disclose to us for the purposes described in Our Terms. These purposes include:

  • to assist us in processing your enquiries and obtaining the services which you require.
  • to help us identify you and any accounts that you hold with us.
  • undertaking credit checks.
  • undertaking affordability checks
  • administration.
  • research, statistical analysis and behavioural analysis.
  • customer profiling and analysing your preferences.
  • marketing (providing you have opted-in) [for further information see ‘Marketing and opting-in’ below]
  • fraud prevention and detection.
  • billing and order fulfilment.
  • customising our website and its content to your particular preferences.
  • to notify you of any changes to our website or to our services which may affect you.
  • security vetting; and
  • improving our services.
 

Legal Basis for Processing

Our legal basis for processing your personal data for the purposes described within this Privacy Policy will typically be one of the following:

Legitimate interests:  We have a legitimate interest in providing and improving our services and personalising your experience of our services, this interest in not outweighed by your rights or any negative impacts on you.

Examples of processes where we rely on legitimate interest include:

  • Fraud detection and prevention
  • Engaging and contacting you throughout the lifecycle of your BSAL account to ensure you have a good customer experience.
  • Engaging you and contacting you towards the end of your agreement to advise of the services we provide and to offer a renewal quote if required.
  • Internally auditing our processes to maintain high standards.
  • Market research, statistical analysis, product development and sharing data with selected third parties to add value to our products and services and those provided by our partners.
  • To carry out monitoring and to keep records.
  • To protect you from unnecessary harm or risks.
  • Help us develop new and innovative products.
  • Protect ourselves, other and property.
  • Industry news, tips and relevant news from brokers.

Contract: It is necessary for us to process your personal data to perform a contract to which you are party, or to take steps at your request prior to you entering into a contact.

Examples of processes where we rely on Contract include:

  • Administering and managing your account and associated services, updating your records, tracing your whereabouts to contact you about your account and doing this for the recovery of debt.
  • Sharing your personal data with certain third-party service suppliers such as payment service providers or a debt collection agency.
  • To exercise our rights set out in agreement and contracts.

Consent: You have consented to us using your personal data for specific purpose. You can withdraw your consent at any time by contacting the BSAL Data Protection Officer.

Examples of processes where we rely on Consent include:

  • For some of our processing of special categories of personal data such as about your health (and it will be explained to you when we ask for that explicit consent what purposes, sharing and use it is for).
  • For marketing purposes.

Legal Obligations: When processing is necessary in order for BSAL to adhere with legal and regulatory obligations.

Examples of processes where we rely on Legal Obligations include:

  • To carry out identity checks, anti-money laundering checks and checks with fraud prevention agencies pre-application, at the application stage and periodically after that.
  • For compliance with laws that apply to us.
  • For establishment, defence and enforcement of our legal rights.
  • For activities relating to the prevention, detection and investigation of crime.
  • To deal with requests under data protection laws.
  • To process information about a crime or offence and proceedings.
 

Fraud Prevention Agencies and Credit Referencing

Credit Reference Agencies (CRAs)

We use CRAs to help us carry out credit and identity checks when you apply for a product or service with us. This involves us sharing your personal data with CRAs and receiving personal data back from them. We use the personal data they send us to assess our credit risk and make sure what you’ve told us is true.

We share your personal data with CRAs to ask them to provide a credit scoring computation when you make an application. Credit scoring uses several factors to work our risks involved in any application. A score is given to each factor and a total score obtained. Where automatic credit scoring computations are used, acceptance or rejection of your application will not depend only on the results of the credit scoring process.

When we ask CRAs about you, they will note it on your credit file. This is called a credit search. Other organisations (including lenders or providers of goods or services) will see this credit search or previous footprint on any report prepared for their own purposes and prospective relationship with you. The CRAs have created a “Credit Reference Agency Information Notice” or “CRAIN” which includes more details about how the CRAs use and share your personal data, as well as their role as fraud prevention agencies. The CRAINs for each of the three main CRAs are available on their websites, which we have linked below:

You can also find more information about how the CRAs use personal data, and your data protection rights with the CRAs, here: https://ico.org.uk/for-the-public/credit/

  • When this type of check is made a footprint will appear on your credit file which can be seen by other lenders. CRAs provide us with shared credit information, fraud prevention information and public information; this information will include what is held about you on the electoral register.
  • Information received by CRA’s will be recorded by them.
  • If the finance agreement is live, the activity and details of management of your account will be passed onto them. In the event that you take out a finance agreement and fail to repay back the full funds required, this will be recorded with the CRA. In this case information may be passed onto other companies by CRA’s to locate and trace you with a view to recovering any outstanding debts. We must warn you that if this does occur then this will remain on your credit record for six years once an account has been closed by either settlement or default.
 

Fraud Prevention Agencies (FPAs)

  • When we assess your application and it has been approved in principle, we may also check your identity to prevent fraud and crime; this includes money laundering. This information will then be used to ascertain whether to offer any future credit that may be available. This is to comply with our regulatory obligations for responsible lending. FPAs and CRAs assist us in fulfilling this.
  • The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment.
  • Further information on fraud prevention agencies can be obtained by contacting Burnley Savings and Loans Data Protection Officer at info@bsal.co.uk
  • You may contact any / all of the credit reference agencies directly. If you choose to contact a Credit Reference Agency, please bear in mind that the information held may not be the same so it may be useful to contact them all.
 

If you have been refused credit you can get advice from your local Trading Standards Department, Citizens Advice Bureau Consumer Advice Centre and the agency’s websites. The Information Commissioner also produces a useful leaflet entitled ‘Credit Explained’. You can obtain a free copy on the Information Commissioner’s website or by telephoning 0870 600 8100.

Open Banking

The Information we collect:

You may give us information about you when you use Open Banking Services, and when you communicate with us. This includes information you input during registration, providing us with feedback, participating in surveys, and when you report a problem.

The information you give us may include:

  • Your banking provider(s)
  • Monthly expenditure
  • Personal information or documents required to identify you
  • Financial goals and budgets
  • Lifestyle information
 

Information that we will receive from your bank or credit account provider (“Account Provider”).

Your Account Provider may share with us information about you contained in your account, which could include:

  • Your bank account type and details
  • Account number and sort code
  • Account balance
  • Bank account transactions (incoming and outgoing)
  • Card balance
  • Card transactions (incoming and outgoing)
  • Account statements, including charges, rewards, statement period and account balance
  • Details of pricing, fees, interest rates, name and type of account, products or offers that may be available to you
  • Any offer available to you on your account e.g. a balance transfer
  • Other details from your account, such as standing orders or direct debits or scheduled payments, including dates, payees and amounts, and reference
 

Marketing and opting-in

 

We may share your personal data with organisations as set out in the ‘Disclosure of personal data’ section below. If you have opted-in to receive our marketing material, we will ensure that it is to your requirements and granular. We or they may contact you or others (unless you have asked us or them not to do so) by mail, telephone, text message, email, (each contact method requires its own consent via an opt-in selection) The nature of these marketing communications relate to information on products, services, promotions and special offers which we believe may be of interest to you or others. If you or others would prefer not to receive any further direct marketing communications from us or our business partners, it is possible to opt out at any time. See further ‘Your rights’ below.

Sharing and Disclosing Your Personal Information

We may disclose personal data which you provide to us to:

  • Our agents and service providers (e.g. providers of web hosting, maintenance services);
  • Law enforcement agencies in connection with any investigation to help prevent unlawful activity, suspicion of fraud or a security threat;
  • Our group companies (as defined in the Companies Act 2006);
  • Other third parties with whom we deal with in the course of providing our services to you;
  • Our Financial Conduct Authority regulatory permissions operate regarding the provision of consumer credit, for the purposes of regulatory supervision and oversight, reporting and handling relevant complaints.
  • Any other Regulatory Body who can demonstrate that there is a legitimate purpose for the processing of your personal data.
 

We may also disclose personal information on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.

We only share the personal data provided if we are satisfied that our partners or suppliers have sufficient measures in place to protect your information in the same way that we do.

We never share personal data outside our organisation for marketing purposes.

Keeping data secure

 

We currently safeguard personal data by storing it on a CRM protected by password and shall ensure that from time to time we use no lesser technical and organisational measures to safeguard personal data which is disclosed to us. Whilst we will use all reasonable efforts to safeguard such personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data which are transferred from you or to you via the internet.

Monitoring

 

We may monitor and record communications with you (such as telephone conversations and emails) for the purpose of quality assurance, training, fraud prevention or compliance purposes.

Information about other individuals

 

If you give us information about others, you confirm that the other third party person has appointed you to act on his/her behalf. This is also relevant where others are concerned if you indeed ask another person to act on your behalf as a third party.

Under the third party authorisation, the other person can:

  • Give consent on his/her behalf to the processing of his or her personal data for the purposes and reasons set out in this Policy; and
  • Receive on his/her behalf any data protection notices.
 

Such authorisation will remain in place until this has been revoked, either by verbal or written communication.

Use of Google Analytics Advertising

We use Google Analytics Advertising Features (‘GAAF’) through our website, which means that certain information about the traffic on our website is collected. In light of using GAAF, We will not facilitate the merging of personally-identifiable information with non-personally identifiable information collected through GAAF unless we receive your express consent to that merger.

Furthermore, We are hereby notifying You that:

  • The specific GAAF feature(s) which we have implemented are:
    • Remarketing with Google Analytics
    • Google Display Network Impression Reporting
    • Google Analytics Demographics and Interest Reporting
  • We use first-party cookies (such as GAAF cookies) or other first-party identifiers, and third-party cookies (such as advertising cookies) or other third-party identifiers together and that this is done in the ways detailed under the sub-heading ‘Use of First & Third Party Cookies and Identifiers’ below; and
  • You can opt-out of the GAAF you use, including through Ads Settings, Ad Settings for mobile apps, or any other available means such as the Google Analytics currently available opt-outs accessible via tools.google.com/dlpage/gaoptout
 

Your rights

 

You have the right to ask us not to contact you for marketing purposes either by unsubscribing from any emails you receive or by contacting us by post at Burnley Savings and Loans Limited, 30 Keirby Walk, Burnley, Lancashire. BB11 2DE or by calling us on 01282 454744. Calls to this number are normally charged at a local rate – charges may apply if you call from a mobile telephone.

You also have the right to access the information that we hold on you and request details of the third parties with whom we have shared your information with us contacting us using the details provided in the previous paragraph. We do not charge a fee for this service in accordance with the General Data Protection Regulations (UK GDPR), unless the request is deemed to be unreasonable by the company. In the event that the request is deemed unreasonable, BSAL will inform you of the intent to charge a fee and outline the reasons for this.

All information relevant to you will be released upon request within 30 Days of your request being received. 

You may also correct errors in, or update your information, or request that we remove information about you form our records by sending us a request to the postal address provided above or by emailing our data protection officer at info@bsal.co.uk  In most cases we will comply promptly with your request and let you know when we have done so. However, sometimes we will not be legally obliged to comply with your request. If this is the case, we will inform you of our decision and the reasons for that decision.

To protect your privacy and the security of your information, we are required to take reasonable steps to verify your identity before we act on any request which you may make in respect of your information.

In accordance with the UK GDPR you have the following rights:

  • Right to be informed. You have the right to be fully informed regarding your information throughout our whole journey.
  • Right to rectification. You have the right to request that we correct any inaccurate personal information we hold about you.
  • Right to data portability. You have the right to obtain a copy of your personal information in a legible and compatible format such as Excel or Word.
  • Right of access. You have the right to request copies of the personal information we hold about you at any time.
  • Right to restrict processing. You have the right to request that we restrict how we use your personal information.
  • Right not to be subject to automated decision making and profiling. If a decision has been made electronically by automated means, you have the right to contest this decision.
  • Right to erasure (right to be forgotten). You have the right to request for all information to be removed. We will suppress and remove all data held, upon request. We will, however, keep the request from you in which you have asked for your information to be removed, so that Marsh Finance meets its compliance obligations under the GDPR. All other information will be removed in accordance with your right. 

We would like to draw your specific attention to this final right. If you have any questions about this right or any others, then please contact our Data Protection Officer.

  • Right to object. You have the right to object to the collection and use of your personal information at any time.

This is a summary of your rights under data protection law. Some of these rights are very complex so we have just summarised them. You may obtain guidance from the ICO for a more detailed explanation. Where you contact us to affect a right, we will seek to deal with your request without undue delay, and in any event within any time limits provided for in applicable data protection law.

  • You can ask us to confirm if we are processing your information.
  • You can ask for access to your information.
  • You can ask to correct your information if it’s wrong.
  • You can ask us to delete your information.
  • You have a right to be forgotten and you can ask that our systems stop using your information.
  • You can ask us to restrict how we use your information.
  • You can ask us to help you move your information to other companies.
  • You can ask us to stop using your personal information, but only in certain cases.
  • You have the right to complain to the relevant supervisory authority.
 

You have the right to request access to your personal data which we process. This formal request is made under the DPA and is referred to as a Subject Access Request. If you wish to exercise this right and make a Subject Access Request, you should:

  • Put your request in writing, either by email or by letter.
  • Include proof of your identity and address (e.g. a copy of your driving licence or passport, and a recent utility or credit card bill).
  • Specify the personal data you want access to, including any account or reference numbers where applicable. You have the right to require us to correct any inaccuracies in your data free of charge. If you wish to exercise this right, you should:
 

Data Retention

 

We will only process your personal data providing you have given your consent for us to do so. Under the provisions of the DPA, our firm’s lawful basis for processing personal data is based on a Legitimate Interest.

The legitimate interest relates to a legal requirement for the firm to hold your personal data and financial information on record for up to a total of six years. This six-year period satisfies the requirement of our regulator, The Financial Conduct Authority and is also in line with other financial industry retention periods.

International Transfers

 

In the normal course of business there may be a need for Burnley Savings and Loans Limited or any other firm associated to the business, usually when processing an application for credit, personal data would have to be transferred outside of the European Economic Area (EEA) where those countries do not typically have the same protections and safeguards in place for the protection of personal data to those countries within the EEA.

Burnley Savings and Loans Limited deal with a number of large, international corporations where data is likely to be transferred in this way. Assurances and processes will always be put in place and considered before any international transfer to a non-EEA country is undertaken to ensure the protection and security of the personal data.

Complaints/spam

 

Under the GDPR, you have the right to lodge a complaint with the Supervisory Authority, the Information Commissionaires Office (ICO), who are the national authority responsible for the protection of personal data. A complaint can be made to the ICO via their website: ico.org.uk or through their helpline: 0303 123 1113.

If you have a received an email or other communication sent by us that you believe is spam or in violation of our acceptable use policies, please contact us via one of the methods below.

Our contact details

We welcome your feedback and questions. If You wish to contact us, please send an email to info@bsal.co.uk or you can write to us at 30 Keirby Walk, Burnley, Lancashire. BB11 2DE or call us on 01282 454744. We may change this Policy from time to time. You should check this policy occasionally to ensure you are aware of the most recent version which will apply each time you deal with us.

Changes to this statement

Our privacy policy may be updated from time to time and the latest version will always appear on our website.