Zuto Logo
Call us
Menu
Zuto Logo
01625 619 944

Privacy Policy

This website is operated by Zuto Limited ("we", "us" or "our"). We are a company registered in England and Wales under company registration number 05722976.

We respect the privacy of visitors to our website and who use our services. This privacy policy tells you how we use your personal data to provide our services and what happens when you give us personal data, or we receive your personal data from other sources like credit reference agencies.

We are registered as a data controller with the Information Commissioner’s Office with the registration number Z9481655. Our registered office address is Winterton House, Winterton Way, Macclesfield, SK11 0LP.

We use some words and phrases in this privacy notice that have specific meanings under data protection law. We’ve put these words and phrases in bold. We have explained what they each mean in the Glossary at the end of this privacy notice.

We are the data controller of personal data we collect and use about you in connection with your application.

If you have any questions or complaints, please contact us at customerdata@zuto.com.

We collect most of the personal data we process directly from you, for example when you complete an application or contact us. We may collect some personal data from third parties, including price comparison websites, credit reference agencies, and fraud prevention agencies as part of our services.

We collect personal data from you when you:

  • enquire about, apply for, and use our products and services;
  • talk to us on the phone (we do record calls; we will tell you about this when we speak to you);
  • send us an email or letter;
  • use our website;
  • communicate with us via social media;
  • complete a customer survey; and/or
  • make an enquiry or complaint.

Third parties making an application on your behalf If someone is making an application on your behalf (for example, someone who has a power of attorney, or a parent), we will receive personal data on you from that person.

If your application results in you borrowing from one of our panel of lenders, and/or taking out any other products, such as warranties, the lender or other provider will let us know if you default on your payment obligations.

CRAs hold personal data about individuals’ credit accounts (such as credit cards and loans) and publicly available information (for example, from the electoral roll). When you make an application, we receive information from the CRAs including your financial status and financial history. We also receive information like your address so that we can verify your identity.

If you want to know more about how we exchange data with CRAs, please see the section headed “Credit reference agencies” below.

We are regulated by the Financial Conduct Authority, the Financial Ombudsman Service and the Information Commissioner’s Office. If you make a complaint to any of these regulators, or otherwise speak to them about us, we may receive some of your personal data from them to enable us and them to manage your complaint or enquiry.

Each of these regulators has their own privacy notice on their website, which will tell you more about how they use and share personal data.

We will use the information you share with price comparison websites; where that data is passed to us for us to share with selected lenders to return a finance quote or eligibility check for you which you can choose whether to proceed with.

We work with lead generation partners who will pass us personal data about potential customers. If you have submitted your details to one of these partners, they will tell you if they are going to share your information with us.

In rare circumstances, we might receive personal data from other third parties not mentioned above. This could include law enforcement and government authorities, if they make enquiries about you, or the Court if you are involved in legal proceedings with us.

When you make an application, you voluntarily supply us with some of your personal data. This may include (among others) your contact information, employment details, financial information, identity information and marketing preferences. We also collect data that you voluntarily provide us with in communications that you have with us, and sometimes we might need to collect sensitive data about you.

Contact information

Contact details that we ask you for, or that you provide to us, including your name (and any previous names), date of birth, address, previous addresses from the last three years, email address, contact telephone number.

Application details

Information we ask you to provide as part of your application. This will be made clear in our application form, but could include details of your employment, your financial details and information about your identity (including identity confirmation documents).

Consent information

Permissions, consents, or preferences that you give us, for example how you want to be contacted and whether you want to receive marketing from us.

Sensitive information

Sometimes, we need to collect personal data that is more sensitive than usual, or you might provide this to us in communications. This could include:

  • personal data that is classified as special categories of data, such as information about your health; and
  • information about criminal convictions or criminal offences you have committed, for example if you have previously been convicted of fraud.

We will only use the personal data you give to us if we have a lawful basis to do so. We use your personal data to provide and manage our service and our relationship with you, which we need to do so that we can fulfill our contractual obligations to you. We also use your personal data to comply with our legal and regulatory obligations (for example, to keep accurate records and prevent and detect fraud) and where we have an interest in using your personal data (for example, monitoring our products and services so that we can improve them).

If you consent to receive marketing from us, we will also use your personal data to market our products/services to you. Please see ‘How we use your personal data for marketing’ below for more details.

What we use your personal data for:
  • to consider and process your application for our products and or services;
  • to communicate with you by telephone, email, text (SMS) message or other electronic means to discuss your application;
  • to carry out credit checks with credit reference agencies to match you with the most appropriate product and/or service in line with your application terms;
  • to notify you of changes to our services; and
  • to manage our ongoing relationship with you.
Our lawful basis
  • Necessary for a contract.
  • to detect, investigate, report, prevent and detect fraud and other financial crime.
  • to communicate with our regulators.
  • to deal with regulatory investigations and complaints.
Our lawful basis
  • Necessary to comply with the law
  • Necessary for our legitimate interests
Our legitimate interests
  • Complying with our regulatory obligations.
  • Protecting our business and other organizations from financial crime and regulatory action.
  • to keep accurate and up-to-date records.
  • to run our business in a compliant and efficient way.
Our lawful basis
  • Necessary to comply with the law.
  • to undertake analysis and profiling of your credit information to identify and inform you of credit products that are suited to your credit circumstances and may interest you;
  • to ensure that our content, services, and advertising are tailored to your needs and interests;
  • to provide products and services that meet the needs and requirements of our customers and to improve how we operate as a business;
  • to process feedback from customers, including through complaints;
  • to aggregate your information on an anonymous basis with other data for data analytical and reporting purposes.
Our lawful basis
  • Necessary for our legitimate interests
Our legitimate interests
  • Making sure that we provide the best possible service to our customers.
  • Ensuring that we design products to meet the needs and objectives of consumers.
Our lawful basis
  • Necessary to comply with the law.
  • Necessary for our legitimate interests.
Our legitimate interests
  • Protecting our business and engaging with legal claims and rights.
Our lawful basis
  • Necessary for our legitimate interests.
Our legitimate interests
  • Promoting our business and our products and services, to improve our business’s performance.

We record calls and use recordings and transcripts to check your instructions to us, analyse, assess and improve our services, for training and quality purposes, to investigate complaints you make, as evidence in any dispute between you and us, and to comply with our legal and regulatory obligations.

Our lawful basis
  • Necessary to comply with the law.
  • Necessary for our legitimate interests
Our legitimate interests
  • Protecting and improving our business and training our staff, as well as ensuring that complaints and disputes are dealt with appropriately.

We may use key stroke recording technology on our website. This technology records the information you fill in on our website as you complete it. If you do not proceed to submit your application, we may contact you using the details you added on the application form, to see if you would like to complete your application.

Our lawful basis
  • Necessary for our legitimate interests

We may use a third-party supplier to carry out validation checks before you submit your application, to make sure that your details are valid. We do this to make sure that it is a human making the application and to reduce the risk of fraudulent applications.

Our lawful basis
  • Necessary for our legitimate interests
Our legitimate interests
  • Preventing and detecting fraud and protecting our business by making sure that false applications are not being made.

We may need to disclose your personal data to others to ensure we can efficiently provide the products, services, and information you request.

In particular, please note that when you make an application, we will share personal data you submit during the application process with our panel of lenders to process your application and generate a quote. Lenders may contact you directly and may share your personal data with fraud prevention agencies as part of assessing your application.

We also need to share your data with some of our suppliers, who act as data processors on our behalf.

We will share personal data to process your application for finance products / services and to generate a finance quotation. Our lenders may carry out additional credit reference searches. They may also share your personal data with fraud prevention agencies to prevent and detect fraud and help them make credit decisions.

As part of your application for credit, some lenders may use Open Banking solutions. If this is the case, your personal data will be shared with the relevant Open Banking provider. This will be made clear in the application process.

If your application is declined by our available lenders, and if you give us consent to do so, we may pass your personal data to another credit provider (such as a lender, broker, or price comparison sites) to allow them to consider your eligibility for alternative finance products. These providers may carry out additional credit reference searches.

We may share your personal data with the following types of third party organisations for the following reasons:

  • Online advertising solutions - To allow us to show you relevant content about our finance products/services.
  • Customer feedback tools, live chat services and marketing communications software- To ensure we get your feedback to help us improve our service to you, help us speak to each other and contact you more effectively.
  • Communication platforms and cloud hosting platforms - To allow us to contact you and securely store your data.
  • Social media sites - To show you relevant content about our finance products /services.
  • Vehicle valuation tools and car dealerships - To allow you to value your vehicle as part of the finance process and to facilitate selecting a vehicle as part of your application, including arranging test drives for your selected vehicle.

In assessing your application for credit, we share personal data with CRAs to carry out credit checks, verify your identity, and to prevent fraud and money laundering.

Please see the section headed “Credit reference agencies” below for more information.

We will share your personal data obtained through our application process with our KYC ID verification partner for the purposes of verifying your identity.

We offer additional products, including warranty, and your personal data may be passed to the providers of these additional products for the purposes of providing you with these products. You can control whether this happens when speaking to your car buying expert. These providers may carry out additional credit reference searches against you.

Please note that we or our warranty provider may contact you directly to discuss renewals of your warranty, if relevant.

We may share your personal data with our affiliates solely for analysis purposes, to assess how you interact with our site and which products and services you are interested in or choose, in order to tailor and adapt our offerings to customers and to improve customer experience.

If you opt into marketing, we may share an encrypted version of your personal data with third party advertising providers (using a process called hashing), to allow us to target our advertising more accurately.

We share personal data with these agencies where we are required to do so by law or where information is required in connection with a crime or investigation. For example, we will report suspicions of money laundering to the National Crime Agency or Action Fraud in accordance with our legal and regulatory obligations.

Regulators, including the Financial Conduct Authority, Financial Ombudsman Service, and Information Commissioner’s Office We share personal data where required to comply with our regulatory obligations, including communicating with our regulators and responding to complaints and enquiries from them.

We may share personal data to comply with our audit and reporting obligations. We will only provide information that is necessary for the purposes of fulfilling our obligations.

You should note that if our business (or any part of it) is sold or transferred at any time, the information we hold may form part of the assets transferred although your personal information will still only be used in accordance with this policy.

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with financing or other services). In this case, we may have to cancel such financing or service you have with us, but we will notify you if this is the case at the time.

Your personal data provided in line with the purposes detailed in this privacy policy will be stored on servers based in the UK. Some of the suppliers we use may transfer personal data to other countries and may not have the same level of protection as UK data protection laws. Where this is the case we make sure that the supplier has an appropriate contract in place to ensure your personal data is protected in a similar way as if it were stored in the UK, or that there are other mechanisms in place to make sure your personal data is adequately protected.

We carry out due diligence on all suppliers we appoint to check where they send personal data and, if personal data is transferred outside the UK, to make sure that appropriate protections are in place.

Those protections could be:

  • making sure the country your data is sent to is designated as an “adequate” country by the UK government. This means that the government has reviewed that country’s data protection laws and decided that it provides an equivalent level of protection of personal data to the UK; or
  • if the transfer of personal data is between group companies, making sure that there are “binding corporate rules” in place. These are sets of policies and rules between group companies that ensure that companies in other countries protect personal data in the same way that it is protected in the UK; or
  • making sure that there is an “international data transfer agreement” in place to cover the transfer. This is an agreement that places obligations on the recipient of the personal data outside the UK to protect personal data as would be required by UK data protection laws.

We will only keep your information for as long as we reasonably need it. In relation to personal data that we use for marketing purposes, we may process this personal data for the duration of your finance agreement plus two years. Alternatively, if you have not taken out a finance product, we may process this personal data for a period of up to three years following your application.

In relation to all other personal data, we will keep this for as long as necessary to manage our relationship with you and to comply with our regulatory and legal obligations.

You have certain rights over your personal data. These include rights to access a copy of your personal data, to ask us to erase your personal data and ask us to correct inaccurate personal data. You can ask to exercise these rights by contacting us at customerdata@zuto.com. There are some circumstances in which we do not need to comply with all or part of your request. If this is the case, we will explain this to you.

The rights you have, and what each of these means, are explained in the table below. If you ask to exercise one of these rights, we may ask you to verify your identity before we process your request. This is to avoid confidentiality breaches and make sure we do not disclose personal data to the wrong person.

You can ask us to send you a copy of the personal data we hold about you. We will carry out a reasonable search for personal data and send you the personal data that we locate within one month, or three months if your request is complex. We are allowed to withhold information in some circumstances, for example to protect other individuals’ privacy or in the event of a criminal investigation.

You can ask us to correct, clarify or amend your personal data if it is inaccurate, incomplete, or otherwise out of date.

You can ask us to delete your personal data in certain circumstances, for example if we no longer need it or if we have collected it unlawfully.

You can ask us to limit how we use your personal data in certain circumstances. For example, if you think your personal data is inaccurate but we disagree, you can ask us to stop using it to make decisions until we can verify if it is accurate or not.

Where personal data is necessary for a contract, or where we collected it based on your consent, you can ask us to move, copy or transfer it to another provider.

Where the use of personal data is necessary for our legitimate interests, you can ask us to stop using it for those purposes. We can continue to use it if we can show that we have a compelling, legitimate reason to do so.

You can always ask us not to continue to send direct marketing to you. You can do this by clicking on the “unsubscribe” link in marketing emails or contacting us using the details above.

If we have asked you for your consent to use personal data in a particular way, you can withdraw that consent at any time.

We use CRAs to help us carry out credit and identity checks when you apply for a product or service with us. This involves us sharing your personal data with CRAs and receiving personal data back from them. We use the personal data they send us to assess our credit risk and make sure what you’ve told us is true.

We share your personal data with CRAs to ask them to provide a credit scoring computation when you make an application. Credit scoring uses several factors to work our risks involved in any application. A score is given to each factor and a total score obtained. Where automatic credit scoring computations are used, acceptance or rejection of your application will not depend only on the results of the credit scoring process.

When we ask CRAs about you, they will note it on your credit file. This is called a credit search. Other organisations (including lenders or providers of goods or services) will see this credit search or previous footprint on any report prepared for their own purposes and prospective relationship with you. The CRAs have created a “Credit Reference Agency Information Notice” or “CRAIN” which includes more details about how the CRAs use and share your personal data, as well as their role as fraud prevention agencies. The CRAINs for each of the three main CRAs are available on their websites, which we have linked below:

You can also find more information about how the CRAs use personal data, and your data protection rights with the CRAs, here: https://ico.org.uk/for-the-public/credit/

We’ll send you marketing information if you agree to receive it, from us or from our partners. You can unsubscribe at any time. You should be aware that if you opt out of marketing, you may continue to receive communications from us about your own products. These are called “service messages” and are not marketing communications.

Where you have agreed, we may:

  • contact you by mail, telephone, email, SMS, or other electronic messaging service with offers of products, services or information that may be of interest to you; and/or
  • send you information about goods and services provided by our Zuto Partners (please see below for more information on our Zuto Partners).

Before we send you any marketing communications, we will make sure that either:

  • you have given us your consent;
  • you have given consent to the company that shared your personal data with us, allowing Zuto to contact you for marketing purposes; or
  • if we have collected your information whilst selling, or negotiating to sell, our products or services, we have given you the opportunity to opt out of receiving marketing from us.

Our Zuto Partners include third parties who provide products which may be relevant and helpful for you:

  • Insurance comparison providers - This allows you to compare insurance products so you can make an informed decision.
  • Vehicle maintenance & roadside assistance providers - This enables you to review complementary products that you may wish to purchase after financing a new vehicle.
  • Credit score companies – to help you keep up to date with your credit score and improve it going forward.
  • Alternative finance providers – if our main panel of lenders are unable to help you, we may be able to offer you some other alternatives, or present you with other products you may also be interested in.
  • Car selling providers – to help you consider your options if you have a vehicle you wish to sell or part exchange.

We do not share your personal data with Zuto Partners, but we may send you information about their products and services if you have consented.

If you do not wish to receive marketing information from us, please DO NOT tick the relevant boxes when submitting your personal information by application, or on one of our sign up forms. Alternatively, please contact us using the details below or simply unsubscribe from any email that is sent to you by Zuto (which will be located at the bottom of the email).

Like most organisations, we use cookies on our website. Please see our cookies policy here

If you have any questions about this privacy notice or how we use personal data, or if you wish to make a complaint about how your personal data is being processed by us (or third parties), or how your complaint has been handled, please contact us using the following details:

For more details on how we handle complaints, please visit our complaints policy and procedure here.

You also have the right to lodge a complaint directly with the UK supervisory authority which is the Information Commissioner’s Office and can be contacted via the details at www.ico.org.uk.

We reserve the right, at our discretion to change, modify, add, or remove portions of this policy at any time so are encouraged to review this policy from time to time.

The privacy notice was last updated on 29th August 2024.

This means the company that is legally responsible for making sure your personal data is protected in accordance with legal requirements.

This means an organisation that processes personal data on our behalf. Data processors only use personal data in ways that we tell them to (on our instructions). We have a contract with all suppliers that tells them how they must use and protect your personal data.

Data protection law sets out certain legal grounds which allow us to use personal data. These include where using personal data is necessary to fulfil a contract or to comply with laws, where we have your consent, or where we have a legitimate interest in using your personal data. We refer to the following lawful bases in our privacy notice:

Necessary for a contract

This means that we need to process your personal data either to:

  • Decide whether to enter a contract with you (i.e., whether to offer you a product); or
  • Fulfil our obligations under a contract with you (i.e., provide our products and services to you and manage these).
Necessary for our legitimate interests

This means that we need to use your personal data for our business interests, or for the interests of another person such as our suppliers (including you). We make sure that we balance those interests with your own rights, and we only use personal data if your rights and freedoms don’t outweigh our interests. We only use personal data in ways that you would reasonably expect to fulfil those interests.

Necessary to comply with the law

This means that we need to use your personal data to comply with legal obligations that we have. For example, we have legal obligations to take certain steps to prevent money laundering, which requires us to verify your identity.

Consent

This means you have given us express permission to use your personal data for a particular purpose. You have the right to withdraw or decline your consent at any time.

This means information about you, like your name, contact details, financial information, identity documents and details of your employment.

Some personal data is classified as “special categories” of personal data. This means information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation. It also includes genetic data and biometric data used to identify someone. If you are not happy with this, you can withdraw your consent.