WestfieldCapital
Legal Document

Privacy Policy

Last updated: January 2026 · Westfield Capital Group

This Privacy Policy ("Policy") describes the manner in which Westfield Capital Group ("the Company", "we", "us", "our") collects, uses, discloses, retains and otherwise processes personal data relating to applicants, customers, prospective customers, website visitors, business contacts and other identifiable individuals (each, a "Data Subject"). The Policy has been adopted in accordance with the United Kingdom General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and other applicable laws.

By submitting personal data to the Company or by using our website, products or services, the Data Subject acknowledges the practices described in this Policy. Where consent is required for any specific processing activity, that consent will be obtained separately and may be withdrawn at any time.

Identity and Contact Details of the Controller

The data controller for the purposes of UK data protection legislation is Westfield Capital Group, an Appointed Representative of Westfield Leasing Limited (Financial Conduct Authority reference number 717880; company registration number 4944404). The Company is registered with the Information Commissioner's Office under registration number Z9440577.

Correspondence in relation to this Policy or to the exercise of any data protection right may be addressed to: Data Protection Officer, Westfield Capital Group, 45 Main Road, Naphill, Buckinghamshire, HP14 4QD, or by email to dpo@westfieldcapitalgroup.co.uk.

Categories of Personal Data Collected

The Company may collect and process the following categories of personal data:

  • Identity data, including title, full name, date of birth, gender, nationality, identification document numbers and copies of identification documents;
  • Contact data, including residential address, correspondence address, email addresses and telephone numbers;
  • Financial data, including bank account details, employment status, income, expenditure, assets, liabilities, credit history and tax information;
  • Transaction data, including details of products applied for, loans drawn down, repayments made and any defaults or arrears;
  • Profile data, including username and password, preferences, feedback and survey responses;
  • Technical data, including internet protocol address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access this website;
  • Usage data, including information about how the Data Subject uses our website, products and services;
  • Marketing and communications data, including preferences for receiving marketing and communications.

The Company does not routinely collect special categories of personal data. Where such data is required (for example, for the purpose of identifying a vulnerable customer), it will be collected only with the explicit consent of the Data Subject or where another lawful condition for processing is satisfied.

Sources of Personal Data

Personal data is obtained from the following sources:

  • Directly from the Data Subject when applying for a product, opening an account, completing a form on our website or otherwise corresponding with us;
  • From third parties, including credit reference agencies, fraud prevention agencies, identity verification providers, brokers, introducers and joint applicants;
  • From publicly available sources, including the Companies House register, the electoral roll, sanctions lists and the Land Registry;
  • Automatically when the Data Subject interacts with our website, by means of cookies and similar technologies (see our Cookie Policy).

Purposes and Legal Bases for Processing

Personal data is processed for the following purposes and on the following legal bases:

  • To take steps at the request of the Data Subject prior to entering into a contract, including assessing applications for credit, performing identity, credit and affordability checks and providing quotations (Article 6(1)(b) UK GDPR);
  • To perform a contract with the Data Subject, including the administration of loan accounts, the collection of repayments and the provision of customer service (Article 6(1)(b));
  • To comply with legal and regulatory obligations, including obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the Consumer Credit Act 1974 and the rules of the Financial Conduct Authority (Article 6(1)(c));
  • For the purposes of legitimate interests pursued by the Company or by a third party, including the prevention and detection of fraud, the management of credit risk, the maintenance and improvement of our products and services, the conduct of internal management reporting and the establishment, exercise or defence of legal claims (Article 6(1)(f));
  • With consent, for the purpose of sending direct marketing communications by electronic means and for the use of non-essential cookies (Article 6(1)(a)).

Disclosure of Personal Data

The Company may disclose personal data to the following categories of recipient:

  • Westfield Leasing Limited and other entities within our corporate group;
  • Credit reference agencies and fraud prevention agencies, who may retain and use the data in accordance with their own published statements;
  • Service providers acting as processors who provide information technology, hosting, payment processing, identity verification, document management, professional advisory and similar services;
  • Brokers, introducers and intermediaries through which an application has been received;
  • Regulators, law enforcement agencies, courts and other public authorities where disclosure is required by law;
  • Prospective purchasers of all or part of our business or assets, subject to appropriate confidentiality undertakings.

The Company does not sell personal data to third parties for the purpose of independent marketing.

Credit Reference Agencies and Fraud Prevention Agencies

In order to process applications, the Company will perform credit and identity checks with one or more credit reference agencies. Where such a search takes place a record will be retained by the credit reference agency. The Company and the credit reference agencies will exchange information about the Data Subject for the purpose of assessing creditworthiness and verifying identity. This exchange may continue for the duration of the relationship and for a period thereafter, in accordance with the Credit Reference Agency Information Notice ("CRAIN"), a copy of which is available from each of the principal credit reference agencies operating in the United Kingdom.

If fraud is detected or suspected, the Company will share information with fraud prevention agencies. Records held by fraud prevention agencies may be used by other organisations for the prevention of fraud and money laundering and to verify identity, in accordance with the relevant Fair Processing Notice.

International Transfers

The Company processes personal data primarily within the United Kingdom. Where personal data is transferred outside the United Kingdom, the Company will ensure that appropriate safeguards are in place, including the use of adequacy regulations or the International Data Transfer Agreement (or the EU Standard Contractual Clauses with the UK Addendum) issued under section 119A of the Data Protection Act 2018.

Retention

Personal data is retained for no longer than is necessary for the purposes for which it was collected, having regard to applicable legal, accounting, regulatory and operational requirements. In general, application and account data is retained for a period of six (6) years following the closure of the relationship. Recordings of telephone calls are retained for a period of twelve (12) months unless required for the investigation of a complaint or for regulatory purposes.

Rights of Data Subjects

Subject to the conditions set out in the UK GDPR, Data Subjects have the right to:

  • Request access to their personal data and to receive a copy thereof;
  • Request the rectification of inaccurate or incomplete personal data;
  • Request the erasure of personal data in certain circumstances;
  • Request the restriction of processing in certain circumstances;
  • Object to processing based on the legitimate interests of the Company;
  • Object at any time to the processing of personal data for direct marketing purposes;
  • Receive personal data in a structured, commonly used and machine-readable format and to transmit that data to another controller (the right to data portability);
  • Withdraw consent at any time, where processing is based on consent;
  • Lodge a complaint with the Information Commissioner's Office (Wycliffe House, Water Lane, Wilmslow, SK9 5AF; telephone 0303 123 1113; ico.org.uk).

Requests in relation to these rights should be addressed to the Data Protection Officer at the address set out above. The Company will respond to a valid request within one (1) month of receipt, subject to permitted extension.

Security

The Company maintains appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. These measures include access controls, encryption in transit and at rest, network security and regular review of information security policies. Employees and contractors of the Company are subject to a duty of confidentiality.

Automated Decision-Making

The Company uses automated processing, including profiling, to assess credit applications. Such processing is necessary for entering into and performing a contract with the Data Subject. The Data Subject has the right to obtain human intervention, to express his or her point of view and to contest any decision taken solely on the basis of automated processing which produces legal effects concerning him or her or which similarly significantly affects him or her.

Changes to this Policy

The Company may update this Policy from time to time. The current version is identified by the date set out at the top of this document. Material changes will be communicated to Data Subjects by appropriate means.