Redwood Bank (we, us, our) is committed to protecting and respecting your privacy.
This Privacy Notice explains how we collect, use and protect your data with regards to the services or products we provide to you.
Please ensure you read this Privacy Notice carefully to understand how we will process your data. Please note we process your personal information or information about individuals connected to you if we have a lawful basis to do so.
Redwood Bank will be responsible for the processing of your information unless otherwise stated and shall be processed for the purposes of the Data Protection Legislation such as the UK Data Protection Act 2018 and the UK GDPR. Redwood Bank will be the Data Controller of your information unless we notify you otherwise. This means as a Data Controller we determine the purpose and means of processing personal data.
For further information on how your information is used you can contact our Data Protection Officer (DPO) by email at DPO@RedwoodBank.co.uk or in writing to Data Protection Officer at Redwood Bank Limited - 101, The Nexus Building, Broadway, Letchworth Garden City, SG6 3TA.
Please refer to the Recruitment Privacy Notice if you have enquired or applied for a vacancy at Redwood Bank.
Your data subject rights
In accordance with Data Protection Legislation individuals known as data subjects are provided with various rights known as data subject rights. Some of these rights are not absolute and will depend on the circumstances of how and why we process your personal data.
- The right to access your personal information – known as subject access request;
- The right to object;
- The right to erasure;
- The right to rectification;
- The right to restrict processing of personal data;
- The right to data portability;
- Rights relating to automated decision-making including profiling.
You have the right to withdraw consent where processing is based on consent. Your withdrawal of consent will not affect the lawfulness of processing performed prior to withdrawal of your consent.
You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in certain circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any of your other rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer and we will notify you and keep you updated if this is the case.
Complaints and concerns
We would appreciate the chance to deal with your concerns in the first instance. You have the right to complain directly to the supervisory authority. For the UK, this is the Information Commissioner's Office (ICO) - www.ico.org.uk.
Processing of personal data
Where we need to collect personal data by law or under the terms of a contract, we have with you and you do not provide that information when requested we may not be able to perform the contract we have or are trying to enter into with you for example to provide you with our services. In this case we may have to cancel our service, but we will notify you if this is the case at the time.
Savings and Lending products or services:
We may collect information in several ways, for example, when dealing with your application, operating your account, providing services to you, verifying your identity and contacting credit reference and fraud prevention agencies.
We will ensure that the processing of all personal information is lawful and will only process the information if we have the relevant consent, if the processing is required for the performance of a contract, if the processing is in our legitimate interests, or to ensure compliance with our legal and regulatory obligations.
We have set out in a table below why we process your personal data, the types of personal data we may process and our lawful basis under Data Protection Legislation. This information is what you provide to us.
| Processing Activities |
Categories of Personal Data |
Lawful Basis |
| To set up and administer your account | Identity Data, Contact Data, Verification (ID) Data | Performance of a contract |
| If you provide information about a third party for example including details of appointed authorised users, directors, shareholders, associated parties and named individuals (You must make them aware that you have done so and advise them of this privacy notice) |
Identity Data, Contact Data | Performance of a contract or necessary for our legitimate interest so we can interact with the third party where you have given their details to us |
| Processing of transaction details | Transaction Data | Performance of a contract |
| Processing on how you use our services | Identity Data, Transaction Data | Performance of a contract or necessary for our legitimate interest so we can improve our services to you |
| Processing for AML (Anti-money laundering) purposes and KYC (Know Your Customer) Purposes If fraud or any other adverse information is detected, you or the relevant related parties, could be refused certain services or finances On some occasions we may need to request further information. We will be in contact if that is the case. |
Identity Data, Contact Data, Verification (ID) Data | Legal obligation under the anti-money laundering regulations |
| To tell you about important changes or developments to our services. | Identity Data, Contact Data | Performance of a contract |
| To trace your whereabouts should we need to contact you and you have been a “dormant” customer for a period of time. | Identity Data, Contact Data | Performance of a contract or it is necessary to contact you to be able to update our records or carry our services to you |
| Conduct research or undertake training and statistical analysis with the aim of improving the use of our services. | Identity Data, Anonymised Data* (for statistical analysis) | For our legitimate interests so that we can evolve and give you a better experience and ensure our services continuously evolving due to market demand. |
*Anonymised Data means data which cannot be directly identifiable to you. Anonymised Data is outside the scope of Data Protection Legislation.
Website processing activities
We have set out in a table below why we process your personal data, the types of personal data we may process and our lawful basis under Data Protection Legislation when you visit or use our website to contact us.
| Information you give us via our website to contact us This is information about you that you give us by filling in forms on our site www.redwoodbank.co.uk (our site) or by corresponding with us by phone, e-mail or otherwise It includes information you provide when you register to use our site, subscribe to our service, submit a question and if you report a problem with our site. The information you give us may include your name, address, e-mail address, business details and phone number, financial information or information about a third party |
Identity Data, Contact Data | Necessary for our legitimate interests so that we can respond to you when you contact us |
| Monitoring and analysis of visits to our website |
Technical Data including the full Uniform Resource Locators (URL), clickstream to, through and from our site including date and time, products you viewed, or searched for page response times, download errors, length of visits to certain pages, page interaction information such as scrolling, clicks, and mouse-overs and methods used to browse away from the page | Necessary for our legitimate interests to ensure we provide you with the best experiences on our website |
| Processing for Cookies |
For detailed information on cookies and how they are used, please see our cookie policy. | Consent for non-essential cookies |
| To administer and protect our business and this website including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data | Technical Data (including the Internet protocol (IP) address used to connect your device to the Internet, your login information, browser type and version and time zone setting) | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the content we serve to you |
Technical Data including the Internet protocol (IP) address used to connect your device to the Internet, your login information, browser type and version and time zone setting | Necessary for our legitimate interests to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | Technical Data including the Internet protocol (IP) address used to connect your device to the Internet, your login information, browser type and version and time zone setting | Necessary for our legitimate interests to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy |
| To make suggestions and recommendations to you about goods or services that may be of interest to you this will only be the case if you are a customer, or have expressed an interest in our products | Identity Data, Contact Data where you give us that information | Necessary for our legitimate interests (to develop our products/services and grow our business |
Further information on the use of fraud prevention agencies
Further details on how your information will be used by us and the fraud prevention agencies, and your data protection rights can be found in the product terms and conditions and via the following link www.cifas.org.uk/fpn
Special categories of personal data
In limited circumstances we may receive information containing racial or ethnic origin, religious beliefs, political opinions or physical or mental health information, we will only process this data when we have your explicit consent to do so. This could be when the information is provided by yourself or a representative as part of the application or servicing, or where we complete ongoing monitoring of your account(s). Unless otherwise specified we will retain responsibility for the processing of your information however in order for us to provide a streamlined service there will be occasions where we will require assistance from third parties and will need to share information with them.
Sharing of information
We may share information with:
- Members of our group provided that it is necessary to do so in order to provide the services to facilitate the account.
- Our administrative service providers - This would include service providers who support our business including IT and communication suppliers and outsourced business support to ensure our service runs smoothly.
- Regulators – This will include where necessary the Financial Conduct Authority (FCA), HM Revenue & Custom (HMRC), National Crime Agency (NCA) and the Police (whether in the UK or abroad).
- Any successor business to our business.
- Anyone to whom we assign or transfer or may assign or transfer our rights and obligations relating to the account.
- Companies, organisations and associations to prevent, detect or investigate criminal activity.
- Professional advisers - This would include lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
Additional information:
Disclosing your personal information to third parties
We may share and disclose information in the following ways:
- In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets
- If Redwood Bank or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of Redwood Bank, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
When data is shared with third parties, we will only share the minimum and impose strict requirements on how data is stored and the reasons it is processed.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
International Transfers
We may transfer and process your personal data outside of the United Kingdom (UK) to countries where data protection laws are less stringent than those in the UK. When we transfer your personal data outside of the UK we only do so to entities that offer our users the same level of data protection as that afforded by Data Protection Legislation.
- We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information; or
- We will use specific contracts approved for use in the UK which give personal information the same protection it has in the UK. For example, the use of Article 46 UK GDPR safeguard mechanisms to transfer personal data endorsed by the UK Government.
For other countries we will use local law guidance to ensure personal data is transferred securely where there is a requirement in law to do so.
To find out more about the transfer mechanism used please contact us.
Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
Storage and retention of your personal data
All personal data supplied to Redwood Bank via the website will be stored within the UK or the EEA and will be held securely. The data will only be held for a specified period of time which will be in line with regulatory requirements or best business practice.
To determine the appropriate retention period for personal information we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means and the applicable legal, regulatory, tax, accounting or other requirements.
We may anonymise your personal data so that it can no longer be associated with you for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Third party links
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy notice and that we do not accept any responsibility or liability for these. Please check this information before you submit any personal data to these websites.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
This notice was last updated January 2025.