Aro Data Privacy & Protection

  1. Aro
  2. The kind of personal data we collect & what we do with it
  3. Where do we collect your data from
  4. Who do we share your data with
  5. Transfers within the EEA and outside the EEA
  6. Data Security
  7. Your data rights
  8. How to make a data related complaint

1. Aro

1.1 ‘We’ Freedom Finance Limited t/a ‘Aro’.  

1.2 We operate from and are registered at: Atlantic House, Atlas Business Park, Simonsway Manchester M22 5PR.

1.3 We are registered with the Information Commissioners Office (‘ICO’) Z120757X and regulated by them for the purposes of data protection. We are also authorised and regulated by the Financial Conduct Authority (‘FCA’) in relation to our services. 

1.4 Our services are to offer personal credit solutions 24/7, we do this by matching data provided by customers in their ‘Eligibility Check’ (‘EC’) profile to suitable credit products. Where there isn’t a  suitable credit product we may show an alternative product.

1.5 We act as a credit broker, not a lender and are paid for the introductions we make. Check out our Terms & Conditions page for more info.

1.6 Part of the EC process involves a ‘soft credit check’ – this means that it has no impact on your credit rating and is not visible to anyone other than you. Further information can be found below in regard to who we work with and what data we share.

2. The kind of personal data we collect & what we do with it

2.1 In order to offer our services, we have to collect data from you, including personal and in some cases sensitive data also known as ‘special category’.

2.2 Set out below, are the kinds of data we collect, for what purpose it is collected and the lawful basis*:

Purpose Data we processLawful basisRetention of data
To offer our services as set out in 1.5 and 1.6 above.Full name; previous name; age; DOB; marital/ relationship status; residential address; dependents; employment status and employer; Financial information (where applicable) for you and any financial associates; including bank statements; payment card details; current debts; financial commitments; savings; income & expenditure and in some instances health conditions (‘EC profile information’).Performance of a contract Legal obligation  6 years from the date you provided your information.
Marketing our own products and services by way of email and or SMS as well as provide you with alerts such as when we believe there is another suitable product you could apply for.Email address and telephone number.Consent by way of specific opt-in.On-going unless withdrawn or no contact in the past 12 months.
Service communicationsEmail address, telephone number and where specified, address.Performance of a contract. Legal obligation.6 years from the date you provided your information and where relevant.
Third parties for marketingEmail address, telephone number and where specified, address.Consent  6 years from the date you provided your information and where relevant.
Data analytics: to undertake analytics and product development to continually improve the services we offerProducts you viewed or searched for; length of visits to certain pages and page interaction (such as scrolling, clicks and mouse-overs). EC profile information.Legitimate interestsAfter 6 years data will be anonymised.
Profiling – analysis and profiling in order to provide comparison and eligibility services.Products you viewed or searched for; length of visits to certain pages and page interaction (such as scrolling, clicks and mouse-overs). EC profile information.Legitimate interests Performance of a contract6 years data after which will be anonymised.
The running of the website and to aid in the services we offerCookies; IP address; browser type and version; time zone setting and location; browser plug- in types and versions; operating system and platform and other technology on the devices used to access the website; page response times; download errors; length of visits to certain pages and page interaction (such as scrolling, clicks and mouse-overs).Consent and performance of a contract.6 years data after which will be anonymised.
Call recordings All calls and their contents to the Aro group will be recorded.Regulatory and Legal requirements6 years from the date you provided your information.

*Lawful basis: The UK Data Protection Act tells us we must have a lawful basis as to why we collect data and process it

3.Where do we collect your data from

3.1 Most of the personal information we collect and process is provided to us directly by you.

3.2 We will receive information from credit reference agencies and fraud prevention agencies, Aro uses soft searches to work out whether you’re eligible for a product or service. 

3.3 We may also receive personal information indirectly from third party firms you may have contacted directly and provided your consent to share your data with. For example, where a loan provider may have been unable to help you and has suggested us as an alternative. The data transferred in these occasions is usually limited to the same information as your EC profile.

4. Who do we share your data with

Data Processors

4.1 Companies such as us, may use third parties to help them with things they are unable to do. These companies are referred to as data ‘Processors’. Processors can only do what the company (data Controller) has told them to do with the data, unless a legal exemption applies.

4.2 Listed below, are the names of the Processors we work with in the capacity set out above, along with some other important information we think you should know:

Name of third party ProcessorWhat data we shareWhy we share itLawful basisRetention of data
Consents OnlineEC profile information.For the purposes of facilitating Open Banking.Consent  6 years
Blueshift Inc.EC profile information.We use Blueshift as a database in which it both houses are customers marketing preferences including opt in and opt out as well as aiding with our internal marketing strategy.Performance of a contract6 years or on-going where not opted out from marketing.
The Personal Finance CentreEC profile informationOutsourced call centrePerformance of a contract30 days
Pure 360 EC profile informationWe use Pure 360 as a database in which it both houses are customers marketing preferences including opt in and opt out as well as aiding with our internal marketing strategy.Performance of a contract and Legal obligationFor the performance of the contract
EsendexTelephone numberSMS communications facilitator and data base.Consent Performance of a contractFor the performance of the contract
Credit Reference Agencies Equifax and Accountscore.EC profile informationTo undertake a soft credit check. Legal obligation6 years

Data Controllers

4.3 In addition to the Processors above; we also share information with third parties for other reasons, please see below. These are known as joint Controllers or simply, data’ Controllers’ and so may process your data for their own purposes. For example, the Police may request data from us, then further process it as part of a criminal investigation.

4.4 Listed below, are the names of the Controllers we work with in the capacity set out above, along with some other important information we think you should know:

Name of third partyWhat data we shareWhy we share itLawful basisRetention of data
Third parties that make up the panel of providers within this websiteEC profile informationTo facilitate your request to be introducedPerformance of a contract6 years or longer where retained for marketing purposes.
Third parties performing roles in fraud prevention and credit reference agenciesEC profile informationFor product development purposes and to evaluate new products and servicesLegitimate interest6 years
Regulators: ICO; FCA; ASAAny data concerned with any visitor to our site. This may include those who took out products via our platform or those who merely entered partial details then left the site. This further includes customers who received advice from us.To comply with the legal requirements placed on us as a regulated company.Legal obligationNA
Law enforcement: NCA; PoliceThe same as the above.To assist with criminal investigations.Legal obligationNA
Credit Reference Agencies: EquifaxCookies served by Equifax are held on Aro’s website. Equifax is a consumer credit reporting agency. These cookies will be used to serve adverts to visitors based upon the websites they’ve been to previously.To serve adverts based on previous historyLegitimate intertest6 years

5.Transfers within the EEA and outside the EEA

5.1 Whilst the majority of the data we process is within the EEA, we do use Processors whose head offices are based outside the EEA. This means we are to take extra assurance prior to any data transfers.

5.2 Should you wish to review your safeguards please contact us on the details below.

6. Data Security

How we store your personal information

6.1 All information you provide to us is stored on our secure servers. We take all reasonable steps to maintain the security of your data, and we are ISO27001 accredited

6.2 Whilst we do our best to protect your personal data; we cannot guarantee the security of your data transmitted within our systems, any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, loss or damage.

7. Your data rights

7.1 Under data protection law, you have rights including:

Your right to be informed – You have the right to know what we do with any data you provide us or that we collect from you or other sources.

Your right of access – You have the right to ask us for copies of your personal information.

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances. You also have the right to object to the processing of your personal information in certain circumstances.

Your right to not be subject to automated decision-making – You have the right not to be subject to automated decision-making yet for some services this may mean we are unable to fulfil your objectives.

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

7.2 You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

8.1 If you have any concerns about our use of your personal information, you can contact us using any of the following –

Phone: 0161 498 7739

Email: complaints@aro.co.uk                                                                                                                                       

Post: Aro Complaints, Atlantic House, Atlas Business Park, Simonsway, Manchester M22 5PR

8.2 You can also complain to the ICO if you are unhappy with how we have used your data:

The ICO’s address:           

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO Website: www.ico.org.uk