Download a print friendly version of this notice

Your right to privacy is important to us. We know that your personal data belongs to you and not to us. That’s why we take the security of your information seriously and have strict policies and processes in place to ensure it is kept private and safe.

This privacy notice describes the way we collect your information, how we use it and why.

This notice is applicable but not limited to anyone who:

  • Is a Paragon Banking Group customer
  • Is an Introducer of business e.g. a broker
  • Browses our website
  • Has made an application for one of our products or services
  • Has specific permissions on an account
  • Has made contact with us via phone, post, email or webchat

Who we are

The Group is made up of many different legal entities. The letterhead we use when we write to you will let you know which entity you have a relationship with.

More information on the Group can be found at

Where we use the term ‘we’ in this notice we mean the relevant member of the Group who is processing your personal information.

The entity you have a relationship with will be the controller of any personal information you provide to us. The Group’s Company Registration number is 2336032 and its registered address is 51 Homer Road, Solihull, B91 3QJ.

If you have any queries about how your personal information is used by us, which are not answered in this notice, please contact the Data Protection Officer (DPO) at 51 Homer Road, Solihull, B91 3QJ or email [email protected].

What is personal data?

Personal data is considered to be any information that either alone, or in combination with other information, would identify you as a living individual. For example, your name and date of birth.

How do we collect your information?

The type of loan or other product you have with us will dictate how your personal information is collected.

Personal information may be provided to us by;

  • You
  • A third party
  • Information we learn about you throughout your relationship with us

And may be provided;

  • electronically
  • by telephone
  • within paper correspondence

We may also obtain information about you from:

  • cookies or tracking pixels, where we have your consent, see the Cookies section below and our cookie policy for information on how we use cookies and similar technologies
  • the technology you use to access our services
  • publicly available sources

When applying for a product or service we will ask you to provide some information about yourself for security, identification and verification purposes.

When completing any forms, we will always tell you how your information will be used in relation to the product or service you are applying for within the declaration and in any associated terms and conditions.

When you provide any information about others (eg for a joint account) you must ensure that you have their consent or are otherwise entitled to provide the information to us.

If you are an introducer of business, the information provided in this notice also explains how we manage your personal data, as well as any business you provide.

We may monitor or record phone calls or webchat conversations with you to ensure we have carried out your instructions correctly, to resolve queries or issues, to improve our quality of service, for regulatory purposes and to help prevent or detect fraud or other crimes. We also record conversations for employee training purposes.


When we ask you for personal information online it will only be in response to you applying for, or using, one of our digital products or services.

If you are visiting our site or mobile app, please review our Cookie Policy at to see what information may be recorded.

What personal data do we process?

The types of personal information we capture about you will vary depending on your relationship with us. We may process the following personal information;

  • Account Number
  • Full name
  • Gender
  • Date of birth
  • Address (both security and residential)
  • Address history
  • Country of birth
  • Nationality
  • National Insurance Number
  • Tax details such as tax reference numbers and tax residency
  • Any User ID you may provide or create
  • Any password or PIN number you may provide or create
  • Memorable Information (provided to us to in some instances to be used as a security check for account access)
  • Employment details
  • Income
  • Corporate Directors – position within the company
  • Contact details, including phone number and email address
  • Bank account number and sort code
  • Source of funds
  • Third party reference numbers
  • Passport information
  • Vehicle details
  • Driving licence information
  • Technical data including details on the device you use e.g IP addresses
  • Transactional data including details about any payments you make
  • Any additional information we request to confirm your identity, this may include bank statements or proof of address
  • If you have requested a third party act on your behalf, the name and contact details of this party

Throughout the life of your account, you may provide the following information to us:

  • Your racial or ethnic origin
  • Political opinions
  • Your religious or philosophical beliefs
  • Trade union membership
  • Data concerning your health
  • Data concerning your sex life or sexual orientation

These pieces of information are considered to be special categories of data. We will only record them if they are relevant to the management of your account (for example, if you have a medical condition which means you require a bespoke communication approach) and we will not record this information without your explicit consent. You are able to withdraw this consent at any time, just get in touch.

On what basis are we allowed to process your personal data?

Under Data Protection law we are only allowed to process your personal data if we have a proper reason to do so. This includes sharing it outside the Group. The law allows us to process your data for one or more of the following reasons;

  • to fulfil a contract we have with you
  • when it is our legal duty
  • when it is in our legitimate interest
  • when you consent to it

A legitimate interest is when we have a business or commercial reason to use your information. This reason must not unfairly go against what is right and best for you.

The table below shows the ways we may use your personal information and why;

What we use your personal information for The reason/s why we can use your personal information
  • To verify your identity
  • To manage our relationship with you
  • To find new ways to meet our customers’ needs and to grow our business
  • To develop and carry out marketing activities
  • To understand how our customers use our products and services
  • Fulfil a contract
  • Legal duty
  • Legitimate interest
  • Your consent
  • To develop and manage our products and services
  • To manage how we work with other companies that provide services to us and our customers
  • Fulfil a contract
  • Legal duty
  • Legitimate interest
  • To deliver our products and services
  • To make and manage customer payments
  • To manage fees, charges and interest due on customer accounts
  • To collect and recover money that is owed to us
  • Fulfil a contract
  • Legal duty
  • Legitimate interest
  • To respond to complaints and seek to resolve them
  • To detect, investigate, report and seek to prevent financial crime
  • To comply with laws and regulations that apply to us
  • To manage risk for us and our customers
  • To prevent fraud and money laundering
  • Fulfil a contract
  • Legal duty
  • Legitimate interest
  • To exercise our rights set out in agreements or contracts
  • To run our business in an efficient and proper way. This includes managing our financial position, business capability, planning, communications, corporate governance and audit requirements
  • Legal duty
  • Legitimate interest
  • To exercise our rights set out in agreements or contracts
  • Fulfil a contract

Who do we share your personal data with and why?

We may share your personal information with the following third parties;

  • other companies within the Paragon Banking Group
  • with your employer(s), landlord, accountant, banker, current and previous lenders and HMRC to request information from them so that we can assess whether you meet the eligibility criteria if you have applied for a mortgage or loan
  • with businesses who may process data on our behalf as part of a contract
  • with our insurers for insurance purposes
  • with valuers and other organisations involved in the provision of valuation services to enable them to carry out valuations of your property
  • if you use Direct Debits, with the Direct Debit Scheme
  • with third parties to whom your mortgage, loan or account is, or may be, assigned or transferred
  • with identification checking agencies who will carry out electronic identity checks on you and who will record details of the check, regardless of whether your application proceeds
  • with third parties where we are legally required or permitted to do so, for example for crime prevention purposes or to protect our right or the rights of our group companies, employees or customers
  • with regulators, government and public sector agencies as and when required and where a lawful basis for the transfer of personal data exists if you have a mortgage or second charge mortgage with us, we may share information with other lenders who also hold a charge on the property
  • with regulatory bodies where we are required to do so for legal and regulatory purposes for example, the Financial Services Compensation Scheme (FSCS)
  • if we buy or sell any business or assets we may share your information with the prospective seller or buyer of the business or assets. If we go through a corporate merger, consolidation, sale of assets or other corporate change, we may also pass your information on to the buyer or our successors in business to ensure they can continue to operate the business effectively or make full use of the assets sold.
  • all of the interest paid to you will be disclosed to HMRC. However this does not remove any obligations you have to declare it to HMRC yourself if required by law.
  • with other banks to perform services such as Confirmation of Payee (CoP) checks
  • with Moneyhub for the purpose of carrying out Open Banking
  • fraud monitoring services such as ACI worldwide

If you would like to know which specific third parties process data on our behalf, please contact our Data Protection Officer (DPO) 51 Homer Road, Solihull, B91 3QJ or email [email protected].

Fraud prevention agencies (FPAs) and credit reference acencies (CRAs)

We may share your personal information with credit reference agencies (CRAs) to carry out credit checks and record details of your repayment history. The CRA’s have drafted a notice called ‘Credit Reference Agency Information Notice’ (CRAIN) which sets out how your data will be processed.

The credit reference agencies we normally use are:

Credit Reference Agency Contact details

Equifax Ltd



If you are a Limited Company Director, in addition to the above we may also share your information with Creditsafe. They can be contacted at Bryn House, Caerphilly Business Park, Van Road, Caerphilly, CF83 3GR

If you would like to see the information that these credit reference agencies hold about you, please contact them directly; they will be able to explain how you may progress your request and any charges that may apply.

We may share your personal information and some of the personal data from your online interactions with fraud prevention agencies, the National Crime Agency, Action Fraud and the Home Office to protect us from fraud and money laundering. We may also pass information to financial and other organisations involved in fraud prevention including law enforcement agencies who may also access and use this information to detect, investigate and prevent crime. Fraud Prevention Agencies we typically use and their contact details are as follows:

Fraud Prevention Agency Contact details

Synectics Solutions

National Hunter


Lexis Nexis Risk Solution Group

We may decide that you pose a fraud or money laundering risk or if our processing reveals your behaviour to be consistent with that of known fraudsters or money launderers; or is inconsistent with your previous submissions; or you appear to have deliberately hidden your true identity. If you give false or inaccurate information and we suspect fraud we will record this. Please go to to read the Cifas privacy notice in full

Possible consequences of us processing your personal data

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, finance or employment to you. If you have any questions about this, please contact us.


From time to time we may make you aware of products or services which are similar to the ones you currently hold with us that may be of interest to you. We will only do this if we consider this type of processing to be a legitimate business interest or with your consent.

You are able to get in touch and ask us to stop sending you these messages at any time or you can unsubscribe by selecting the link at the bottom of any marketing email from us. If you chose not to receive marketing information you will still receive important information about your product or service.

When you receive emails from us, they may contain tracking pixels or other similar technology. We use these pixels to help us understand if you have opened the email and how you have interacted with it.

How long will we keep your personal information?

We will keep your personal information for as long as you are a customer of Paragon Banking Group. After you stop being a customer, we may keep your data for up to 12 years for one of these reasons;

  • to respond to any questions or complaints
  • to show that we treated you fairly
  • to maintain records according to our regulatory and statutory obligations

We will keep your data for longer than this if we cannot delete it for legal, regulatory or technical reasons. We may also keep it for the following purposes:

  • research
  • fraud prevention
  • money laundering
  • capital and liquidity risk
  • statistical analysis
  • business forecasting purposes

When this happens, we will make sure that your privacy is protected and we will only use it for these purposes.

You or a third party may send information to us as a prospective customer. If we do not have any products that are suitable for you, or you decide not to proceed with your application for any reason, we will store the personal information provided to us for no longer than two years.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to 6 years. In some cases, Paragon may hold your data for an indefinite period.

Your information rights

You have various rights in terms of how and why your personal data is processed. Please contact us at any time if you wish to exercise these rights:

  • You have the right to rectify and correct inaccurate or out of date information at no extra cost
  • You may be able to request the deletion or removal of personal data where there is no compelling reason for its continued processing. You don’t have an absolute ‘right to be forgotten’ but we will consider the request in specific circumstances
  • You have the right to ask us not to use your information for marketing purposes and to ask us to stop sending you marketing communications
  • You have the right to restrict and/or object to certain processing, providing it meets the requirements set out in law
  • You have the right to obtain human intervention if contesting a decision based on any automated decision-making means. For example, before offering you a loan, we may carry out an automated credit search. CRA’s provide us with data and analytics that may help us with this search and our own data, knowledge, processes and practices will also play a significant role in our decision to lend. If you contest the automated decision, we are able to carry out a manual review of your data. However, this may not change the outcome of the initial automated decision and this may still result in you being refused a product or service
  • You have the right to move, copy or transfer personal data. If we are processing data to perform our obligations to you, or because you consented, if that processing is carried out by automated means, we will help you to move, copy or transfer your personal data to other IT systems. If you request, we will supply you with the relevant personal data in a format which is readily accessible by most IT systems
  • You have a right to access the personal information that we hold about you. We won’t charge you for this request, however, we may charge a reasonable fee if your request is largely unfounded or if you make repeated requests. Please make your request to the team that services your account. If you require a specific document please make this clear. Telephone calls will not be provided as standard as not all departments will record their calls. If you require a specific conversation, please provide as much detail as possible to enable us to locate this on your behalf

Transfer of your personal information overseas

There may be times when some or all of your personal information may be transferred to, stored or processed by third-party suppliers located in countries outside the UK.

In these circumstances we will take the necessary steps to ensure that the transfer of your data is in line with UK data protection requirements and that your information is treated securely and protected to a similar standard. We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests.

We’ll put in place the approved standard contractual clauses (as approved by the UK and European Commission) or any other appropriate safeguard which constitute appropriate measures to ensure that your personal data is treated by those third parties in a way that is consistent with, and which respects the European Union (EU) and UK laws on data protection.

If you are an Expatriate, due to the nature of the product you have chosen, a set of transfers of your personal information to countries outside of the UK may be required. Our lawful basis for these transfers is because they are necessary to implement precontractual measures and for the performance of a contract between you and Paragon.

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area (EEA), they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the EEA. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing. For further information please contact the fraud prevention agencies listed within this notice.

If you chose not to give personal information

We may need to collect personal information by law, under the terms of a contract we have with you. If you chose not to give us this personal information it may delay, or prevent us from meeting our obligations. It may also mean that we cannot perform services needed to run your accounts. It could mean that we cancel a product or service that you have with us.


If you wish to complain about how we have treated your personal data you can:

  • contact the complaints team within your usual servicing department to discuss your concerns; and/or
  • refer your concerns to the Information Commissioner’s Officer (ICO), the body that regulates the handling of personal data in the UK. You can contact them by:
    • Phone: 0303 123 1113
    • Writing: Information Commissioner’s Officer, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
    • Website:

Changes to our notice

This notice was last updated in March 2024

We may make updates to this notice from time to time however if we make major changes to the way in which we process your personal data we will inform you directly.

Download a print friendly version of this notice

Paragon Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Registered in England number 05390593. Registered office 51 Homer Road, Solihull, West Midlands B91 3QJ. Paragon Bank PLC is registered on the Financial Services Register under the firm reference number 604551