Aro Data Privacy & Protection
- Aro
- The kind of personal data we collect & what we do with it
- Where do we collect your data from
- Who do we share your data with
- Transfers within the EEA and outside the EEA
- Data Security
- Your data rights
- How to make a data related complaint
1. Aro
1.1 ‘We’ are Aro Finance Limited t/a ‘Aro’.
1.2 We operate from and are registered at: Atlantic House, Atlas Business Park, Simonsway, Manchester M22 5PR.
1.3 We are registered with the Information Commissioner’s Office (‘ICO’) Z120757X and regulated by them for the purposes of data protection. We are also authorised and regulated by the Financial Conduct Authority (‘FCA’) in relation to our services.
1.4 Our services are to offer personal credit solutions 24/7. We do this by matching data provided by customers in their ‘Eligibility Check’ (‘EC’) and as part of the overall Eligibility Check process (see below) with suitable credit options. Where there isn’t a suitable credit option we may show an alternative option.
1.5 Upon completion of an Eligibility Check and where you have provided a valid email address or mobile telephone number, we will send you a copy of the options presented to you via email or as a link within an SMS (or both); that way you will have a record which you can access again or retain for your own records. Should you wish not to receive such correspondence, please do not submit your consent to the Eligibility Check. Alternatively, you can contact us (and undertake your Eligibility Check) by telephone on the following number: 0800 432 0142.
1.6 We act as a credit broker, not a lender and are paid for the introductions we make. Check out our Terms & Conditions page for more info.
1.7 Part of the EC process involves us undertaking a ‘soft credit check’ and in some cases, the credit providers may also undertake a soft credit check at the same time. A soft credit check, although visible to you on your credit report, has no impact on your credit rating and is not visible to anyone else. Further information can be found below in regard to who we work with and what data we share.
2. The kind of personal data we collect & what we do with it
2.1 In order to offer our services, we have to collect data from you, including personal and, in some cases, sensitive data, also known as ‘special category’.
2.2 Set out below are the kinds of data we collect, the purpose for which it is collected and the lawful basis*:
Purpose | Data we process | Lawful basis | Retention of data |
To offer our services as set out in 1.5 and 1.6 above. To comply with regulatory obligations. | Full name; previous name; age; DOB; Email address; Telephone number; marital/relationship status; residential address; dependents; employment status and employer; Financial information (where applicable) for you and any financial associates; including bank statements; payment card details; current debts; financial commitments; savings; income & expenditure and in some instances health conditions (‘EC profile information’). | Performance of a contract; Legal obligation; Consent | 6 years from the date you provided your information. |
Marketing our own products and services by way of email and/or SMS, as well as providing you with alerts such as when we believe there is another suitable product you could apply for. | Email address and telephone number. | Consent | On-going unless withdrawn. |
Service communications | Email address, telephone number and where specified, address. | Performance of a contract. Legal obligation. | 6 years from the date you provided your information and where relevant. |
Service communications on behalf of the third parties we work with on panel including for example: scope of service or terms and conditions. | (Where applicable): Email address and telephone number. | Consent | 6 years. |
Third parties for marketing | Email address, telephone number and where specified, address. | Consent | 6 years from the date you provided your information and where relevant. |
Data analytics: to undertake analytics and product development to continually improve the services we offer | Products you viewed or searched for; length of visits to certain pages and page interaction (such as scrolling, clicks and mouse-overs). EC profile information. | Legitimate interests | After 6 years data will be anonymised. |
Profiling – analysis and profiling in order to provide comparison and eligibility services. | Products you viewed or searched for; length of visits to certain pages and page interaction (such as scrolling, clicks and mouse-overs). EC profile information. | Legitimate interests; Performance of a contract | 6 years, after which data will be anonymised. |
The running of the website and to aid in the services we offer | Cookies; IP address; browser type and version; time zone setting and location; browser plug-in types and versions; operating system and platform and other technology on the devices used to access the website; page response times; download errors; length of visits to certain pages and page interaction (such as scrolling, clicks and mouse-overs). | Consent and performance of a contract. | 6 years, after which data will be anonymised. |
Call recordings | All calls and their contents to the Aro group will be recorded. | Regulatory and Legal requirements | 6 years from the date you provided your information. |
*Lawful basis: The UK Data Protection Act tells us we must have a lawful basis as to why we collect data and process it.
3. Where do we collect your data from
3.1 Most of the personal information we collect and process is provided to us directly by you. For example, you may complete our Eligibility Check or provide consent for/share with us access to information from your bank account via Open Banking.
3.2 We will receive information from credit reference agencies and fraud prevention agencies. Aro uses soft searches to work out whether you’re eligible for a product or service.
3.3 We may also receive personal information indirectly from you via third party firms you may have contacted directly and provided your consent to share your data with. For example, where a loan provider may have been unable to help you and has suggested us as an alternative. The data transferred on these occasions is usually limited to the same information as your EC profile.
4. Who do we share your data with
Data Processors
4.1 Companies such as us may use third parties to help them with things they are unable to do. These companies are referred to as data ‘Processors’. Processors can only do what the company (data Controller) has told them to do with the data, unless a legal exemption applies.
4.2 Listed below are the names of the Processors we work with in the capacity set out above, along with some other important information we think you should know:
Name of third party Processor | What data we share | Why we share it | Lawful basis | Retention of data |
Consents Online | EC profile information. | For the purposes of facilitating Open Banking. | Consent | 6 years |
Blueshift Inc. | EC profile information. | We use Blueshift as a database which both houses our customers’ marketing preferences, including opt in and opt out, and aids with our internal marketing strategy. | Performance of a contract | 6 years or on-going where not opted out from marketing. |
The Personal Finance Centre | EC profile information | Outsourced call centre | Performance of a contract | 30 days |
Esendex | Telephone number | SMS communications facilitator and database. | Consent; Performance of a contract | 6 years |
Credit Reference Agencies To find out more about what Equifax and the other Credit Reference Agencies do with your data, please see links below: https://www.equifax.co.uk/crain https://www.transunion.co.uk/legal/privacy-centre/pc-credit-reference https://www.experian.co.uk/legal/crain/ | EC profile information | To undertake a soft credit check. | Legal obligation | 6 years |
Experian | EC profile information | To facilitate the transfer of data between the Aro platform and Experian’s panel of lenders in order to facilitate eligibility checks for Aro customers; Experian returns the results of their panel by way of API. | Performance of a contract | 7 Years |
Choose Wisely | EC profile information | To facilitate the transfer of data between the Aro platform and Choose Wisely’s panel of lenders in order to facilitate eligibility checks for Aro customers. Choose Wisely returns results of their panel by way of API. | Performance of a contract | 6 Years |
Telephony infrastructure providers (various) | EC Profile information; Voice recordings | For the purposes of operating our Contact Centre and Compliance purposes. | Legal obligation | 6 years |
Amazon Web Services (AWS) | EC Profile information | In its capacity as a data storage and infrastructure provider including data analytics. | Legal obligation; Legitimate interests | 6 years; as above, data used for analytics purposes will be anonymised after 6 years. |
Google Analytics | Products you viewed or searched for; length of visits to certain pages and page interaction (such as scrolling, clicks, and mouse-overs). EC profile information. | To facilitate us in undertaking analytics and product development to continually improve the services we offer. See above for further details. | Legitimate interests | After 6 years data will be anonymised. |
Data Controllers
4.3 In addition to the Processors above, we also share information with third parties for other reasons; please see below. These are known as joint Controllers or simply, data ‘Controllers’ and so process data jointly with us for the purposes of the services set out above, yet may also process your data for their own purposes. For example, the Police may request data from us, then further process it as part of a criminal investigation.
4.4 Listed below are the names of the Controllers we work with in the capacity set out above, along with some other important information we think you should know:
Name of third party | What data we share | Why we share it | Lawful basis | Retention of data |
Third parties that make up the panel of providers within this website | EC profile information and where applicable, a record which details that we have sent information about a third party to you. For example, in the form of their terms and conditions or scope of service. | To facilitate your request to be introduced. To keep a record of information we have sent to you. To keep a record of any products or services you took out with/through them. For the provider (where applicable) to undertake their own soft search in order to assess credit eligibility against their own lending/service criteria. | Performance of a contract; Legal obligation | 6 years or longer where retained for marketing purposes. |
Third parties in relation to the introduction of you to our services, for example via a click through on their website or any other form of online interaction. | EC profile information | For the third party to hold a record of any interaction you have had with us including the final status of that introduction. | Legal obligation | NA |
Third parties performing roles in fraud prevention and credit reference agencies | EC profile information | For product development purposes and to evaluate new products and services | Legitimate interest; Legal obligation | 6 years |
Regulators: ICO; FCA; ASA | Any data concerned with any visitor to our site. This may include those who took out products via our platform or those who merely entered partial details then left the site. This further includes customers who received advice from us. | To comply with the legal requirements placed on us as a regulated company. | Legal obligation | NA |
Law enforcement: NCA; Police | The same as the above. | To assist with criminal investigations. | Legal obligation | NA |
Credit Reference Agencies: Equifax | Cookies served by Equifax are held on Aro’s website. Equifax is a consumer credit reporting agency. These cookies will be used to serve adverts to visitors based upon the websites they’ve been to previously. | To serve adverts based on previous history | Legitimate interest | 6 years |
5. Transfers within the EEA and outside the EEA
5.1 Whilst the majority of the data we process is within the EEA, we do use Processors whose head offices are based outside the EEA including the USA. This means we are to take extra assurance prior to any data transfers.
5.2 Should you wish to review your safeguards please contact us on the details below.
6. Data Security
How we store your personal information
6.1 All information you provide to us is stored on our secure servers. We take all reasonable steps to maintain the security of your data, and we are ISO27001 certified.
6.2 Whilst we do our best to protect your personal data, we cannot guarantee the security of your data transmitted within our systems; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access, loss or damage.
7. Your data rights
7.1 Under data protection law, you have rights including:
Your right to be informed – You have the right to know what we do with any data you provide us or that we collect from you or other sources.
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances. You also have the right to object to the processing of your personal information in certain circumstances.
Your right to not be subject to automated decision-making – You have the right not to be subject to automated decision-making, yet for some services this may mean we are unable to fulfil your objectives.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
7.2 You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
8. How to make a data related complaint
8.1 If you have any concerns about our use of your personal information, you can contact us using any of the following –
Phone: 0161 498 7739
Email: complaints@aro.co.uk
Post: Aro Complaints, Atlantic House, Atlas Business Park, Simonsway, Manchester M22 5PR
8.2 You can also complain to the ICO if you are unhappy with how we have used your data:
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO Website: www.ico.org.uk