Aro Data Privacy & Protection
- Aro
- The kind of personal data we collect & what we do with it
- Where do we collect your data from
- Who do we share your data with
- Transfers within the EEA and outside the EEA
- Data Security
- Your data rights
- How to make a data related complaint
1. Aro
1.1 ‘We’ Freedom Finance Limited t/a ‘Aro’.
1.2 We operate from and are registered at: Atlantic House, Atlas Business Park, Simonsway Manchester M22 5PR.
1.3 We are registered with the Information Commissioners Office (‘ICO’) Z120757X and regulated by them for the purposes of data protection. We are also authorised and regulated by the Financial Conduct Authority (‘FCA’) in relation to our services.
1.4 Our services are to offer personal credit solutions 24/7, we do this by matching data provided by customers in their ‘Eligibility Check’ (‘EC’) profile to suitable credit products. Where there isn’t a suitable credit product we may show an alternative product.
1.5 We act as a credit broker, not a lender and are paid for the introductions we make. Check out our Terms & Conditions page for more info.
1.6 Part of the EC process involves a ‘soft credit check’ – this means that it has no impact on your credit rating and is not visible to anyone other than you. Further information can be found below in regard to who we work with and what data we share.
2. The kind of personal data we collect & what we do with it
2.1 In order to offer our services, we have to collect data from you, including personal and in some cases sensitive data also known as ‘special category’.
2.2 Set out below, are the kinds of data we collect, for what purpose it is collected and the lawful basis*:
| Purpose | Data we process | Lawful basis | Retention of data |
| To offer our services as set out in 1.5 and 1.6 above. | Full name; previous name; age; DOB; marital/ relationship status; residential address; dependents; employment status and employer; Financial information (where applicable) for you and any financial associates; including bank statements; payment card details; current debts; financial commitments; savings; income & expenditure and in some instances health conditions (‘EC profile information’). | Performance of a contract Legal obligation | 6 years from the date you provided your information. |
| Marketing our own products and services by way of email and or SMS as well as provide you with alerts such as when we believe there is another suitable product you could apply for. | Email address and telephone number. | Consent by way of specific opt-in. | On-going unless withdrawn or no contact in the past 12 months. |
| Service communications | Email address, telephone number and where specified, address. | Performance of a contract. Legal obligation. | 6 years from the date you provided your information and where relevant. |
| Third parties for marketing | Email address, telephone number and where specified, address. | Consent | 6 years from the date you provided your information and where relevant. |
| Data analytics: to undertake analytics and product development to continually improve the services we offer | Products you viewed or searched for; length of visits to certain pages and page interaction (such as scrolling, clicks and mouse-overs). EC profile information. | Legitimate interests | After 6 years data will be anonymised. |
| Profiling – analysis and profiling in order to provide comparison and eligibility services. | Products you viewed or searched for; length of visits to certain pages and page interaction (such as scrolling, clicks and mouse-overs). EC profile information. | Legitimate interests Performance of a contract | 6 years data after which will be anonymised. |
| The running of the website and to aid in the services we offer | Cookies; IP address; browser type and version; time zone setting and location; browser plug- in types and versions; operating system and platform and other technology on the devices used to access the website; page response times; download errors; length of visits to certain pages and page interaction (such as scrolling, clicks and mouse-overs). | Consent and performance of a contract. | 6 years data after which will be anonymised. |
| Call recordings | All calls and their contents to the Aro group will be recorded. | Regulatory and Legal requirements | 6 years from the date you provided your information. |
*Lawful basis: The UK Data Protection Act tells us we must have a lawful basis as to why we collect data and process it
3.Where do we collect your data from
3.1 Most of the personal information we collect and process is provided to us directly by you.
3.2 We will receive information from credit reference agencies and fraud prevention agencies, Aro uses soft searches to work out whether you’re eligible for a product or service.
3.3 We may also receive personal information indirectly from third party firms you may have contacted directly and provided your consent to share your data with. For example, where a loan provider may have been unable to help you and has suggested us as an alternative. The data transferred in these occasions is usually limited to the same information as your EC profile.
4. Who do we share your data with
Data Processors
4.1 Companies such as us, may use third parties to help them with things they are unable to do. These companies are referred to as data ‘Processors’. Processors can only do what the company (data Controller) has told them to do with the data, unless a legal exemption applies.
4.2 Listed below, are the names of the Processors we work with in the capacity set out above, along with some other important information we think you should know:
| Name of third party Processor | What data we share | Why we share it | Lawful basis | Retention of data |
| Consents Online | EC profile information. | For the purposes of facilitating Open Banking. | Consent | 6 years |
| Blueshift Inc. | EC profile information. | We use Blueshift as a database in which it both houses are customers marketing preferences including opt in and opt out as well as aiding with our internal marketing strategy. | Performance of a contract | 6 years or on-going where not opted out from marketing. |
| The Personal Finance Centre | EC profile information | Outsourced call centre | Performance of a contract | 30 days |
| Pure 360 | EC profile information | We use Pure 360 as a database in which it both houses are customers marketing preferences including opt in and opt out as well as aiding with our internal marketing strategy. | Performance of a contract and Legal obligation | For the performance of the contract |
| Esendex | Telephone number | SMS communications facilitator and data base. | Consent Performance of a contract | For the performance of the contract |
| Credit Reference Agencies Equifax and Accountscore. | EC profile information | To undertake a soft credit check. | Legal obligation | 6 years |
Data Controllers
4.3 In addition to the Processors above; we also share information with third parties for other reasons, please see below. These are known as joint Controllers or simply, data’ Controllers’ and so may process your data for their own purposes. For example, the Police may request data from us, then further process it as part of a criminal investigation.
4.4 Listed below, are the names of the Controllers we work with in the capacity set out above, along with some other important information we think you should know:
| Name of third party | What data we share | Why we share it | Lawful basis | Retention of data |
| Third parties that make up the panel of providers within this website | EC profile information | To facilitate your request to be introduced | Performance of a contract | 6 years or longer where retained for marketing purposes. |
| Third parties performing roles in fraud prevention and credit reference agencies | EC profile information | For product development purposes and to evaluate new products and services | Legitimate interest | 6 years |
| Regulators: ICO; FCA; ASA | Any data concerned with any visitor to our site. This may include those who took out products via our platform or those who merely entered partial details then left the site. This further includes customers who received advice from us. | To comply with the legal requirements placed on us as a regulated company. | Legal obligation | NA |
| Law enforcement: NCA; Police | The same as the above. | To assist with criminal investigations. | Legal obligation | NA |
| Credit Reference Agencies: Equifax | Cookies served by Equifax are held on Aro’s website. Equifax is a consumer credit reporting agency. These cookies will be used to serve adverts to visitors based upon the websites they’ve been to previously. | To serve adverts based on previous history | Legitimate intertest | 6 years |
5.Transfers within the EEA and outside the EEA
5.1 Whilst the majority of the data we process is within the EEA, we do use Processors whose head offices are based outside the EEA. This means we are to take extra assurance prior to any data transfers.
5.2 Should you wish to review your safeguards please contact us on the details below.
6. Data Security
How we store your personal information
6.1 All information you provide to us is stored on our secure servers. We take all reasonable steps to maintain the security of your data, and we are ISO27001 accredited
6.2 Whilst we do our best to protect your personal data; we cannot guarantee the security of your data transmitted within our systems, any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, loss or damage.
7. Your data rights
7.1 Under data protection law, you have rights including:
Your right to be informed – You have the right to know what we do with any data you provide us or that we collect from you or other sources.
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances. You also have the right to object to the processing of your personal information in certain circumstances.
Your right to not be subject to automated decision-making – You have the right not to be subject to automated decision-making yet for some services this may mean we are unable to fulfil your objectives.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
7.2 You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
8.How to make a data related complaint
8.1 If you have any concerns about our use of your personal information, you can contact us using any of the following –
Phone: 0161 498 7739
Email: complaints@aro.co.uk
Post: Aro Complaints, Atlantic House, Atlas Business Park, Simonsway, Manchester M22 5PR
8.2 You can also complain to the ICO if you are unhappy with how we have used your data:
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO Website: www.ico.org.uk