Privacy Notice
About this Notice
This Privacy Notice describes the personal information we collect about you, how we use it and why. Protecting your privacy is important to us and we'll take good care of any personal data that you share, or we collect.
If you have any questions about this notice, please don't hesitate to get in touch.
Children and young people
Read about how we use your information.
Your parent or guardian should read this Privacy Notice and/or the above notices on your behalf, or with you if you're old enough to understand it.
We never send information about new mortgages or savings products and services we’ve developed to anyone under age 18.
What's in this Notice?
Your right to privacy is important to us. When you share your details with us, we want you to be confident that we look after the information securely and we only use or share it in the ways we set out in this Notice.
There are also several things that, by law, we have to explain to you.
Who collects and uses your information?
We’re Coventry Building Society Group.
The Group includes Coventry Building Society and its subsidiaries:
- Godiva Mortgages Limited
- ITL Mortgages Limited
- The Co-operative Bank Holdings plc and its subsidiaries
- The Co-operative Bank plc (also trading as smile, Britannia, and Platform) and its subsidiaries
When we use the terms we, us, our and the Group in this Notice, we mean any of the entities within the Coventry Building Society Group, as applicable and relevant, and as may be updated from time to time.
Who is the data controller?
Under data protection law, an organisation that determines how and why your personal information is collected, used and stored is known as a ‘data controller’.
If you’re a member or customer of Coventry Building Society, or Godiva Mortgages Ltd, or ITL Mortgages Ltd, the data controller of your personal information is the relevant organisation you interact with.
If you're a customer of The Co-operative Bank plc (including its brands Smile, Britannia, and Platform) or its subsidiaries, the data controller of your personal information is the Bank.
In some cases, when we share your personal data with regulators, supervisory authorities, similar agencies, and third parties, they may act as data controllers for the data they receive in accordance with their own legal responsibilities.
Intragroup data sharing statement
We will only share your information with other organisations for the reasons detailed in this Notice.
We may share your personal data between entities within our Group and across our Group where we have a lawful basis to do so.
Information we hold about you
Why we need to collect information
To set up and run accounts and services for you, we need specific details.
If you don’t give us the information we need, or if you don’t allow us to ‘process’ your information, we can’t open an account or set up a service for you. For what we mean by ‘process’, see ‘How we use your information’.
We’ll ask you directly for most of the information we need. Sometimes we also collect more data about you from external sources, such as credit reference agencies. At times we may be given data by a third party such as a family member and we'll record this information where we feel it's necessary.
There may also be times when you may not be a customer of the Society and we hold and use your personal information as a result of your appointment and/or relationship to a customer/their account.
For the purposes of promotional and marketing activities, including running competitions, prize draws and ticket giveaways, we may ask you for information so that you can participate or opt in to receive information from us.
The parts of this Privacy Notice that apply will depend on the reason why we hold your personal information.
If you give us information about someone else
You might give us information about another person, for example, if you’re applying for a joint account or for an account on behalf of a child.
We expect that:
- You have their permission to give us this information
- The other person understands how we’ll use their information
- The other person has no objection to us holding and using their information.
What information we hold about you
The type of personal information you can expect us to hold and collect includes:
| Category | Examples of Personal Information |
| --- | --- |
| Identification & Contact | Name, address, contact details, National Insurance number (for ISAs), date of birth |
| Biometric Data | Fingerprint, voice data (with consent) |
| Application Data | Information from product/service applications, including declined or incomplete applications |
| Account & Transaction Data | Account details, transaction history and payments, insurance claims |
| Financial Information | Income, financial commitments, source of funds and wealth. Details of the accounts and products you hold and/or previously held with us, and how they are used. |
| Credit History | Credit reports and related data |
| Communications | Emails, letters, texts, social media messages, system notes |
| Marketing Preferences | Communication and marketing choices |
| Recorded Media | Telephone call recordings, CCTV footage |
| Online & Device Data | IP address, device type, interaction data, cookies, app usage |
| Demographics | Nationality, profession, education, socio-economic data |
| Interaction History | Branch visits, online banking, app usage |
| Cookies and Tracking | Use of website, Online Services and cookies which track activity. To find out more about how we use cookies on our websites and digital services, please see our Cookie Policy. |
| Location Data | Location when using app or online services |
| Social Media | Public posts or interactions on platforms like Facebook, Instagram, X |
| Third-Party Products | Information about products/services from other providers (e.g. block insurance) |
| Other Supplied Data | Any other information you provide or we collect during our relationship |
| Vulnerability Information | Special category data you disclose to us (e.g. health, accessibility needs) |
When we talk about ‘information’ throughout this page, we’re referring to all of these items.
The above isn't exhaustive and there may be other personal information that we process during our relationship with you.
Where do we collect your information?
We collect personal information from a variety of sources to provide you with products and services, meet our legal obligations, and manage our relationship with you. These sources include:
- Directly from you – When you apply for a product or service, communicate with us, visit a branch, use our website or app, or provide information through forms, surveys, or correspondence.
- From your use of our services – Including transaction data, account activity, and interactions with our digital platforms (e.g. online banking, mobile app).
- From third parties – Such as credit reference agencies, fraud prevention agencies, payment service providers, and other financial institutions.
- From individuals acting on your behalf – Such as joint applicants, trustees, parents, guardians, or those with Power of Attorney. We record who provided the information and what was shared.
- From publicly available sources – Including social media platforms, public registers, and online directories.
- From other organisations within our Group – Where relevant to your relationship with us and permitted by law.
- From devices and technology – Including IP address, device type, location data, and cookies when you use our digital services. For more information, please see our Cookie Policy.
In some cases, we may also receive information about you from regulators, supervisory authorities, or law enforcement agencies, where required or permitted by law.
How we use your information
We use your personal information to provide you with products and services, manage your accounts, and operate our business responsibly and securely. This includes:
- Assessing applications – To review applications for accounts or services (including those made via Online Services), verify your identity, and carry out checks to prevent fraud and money laundering. If you apply through a third party, they may carry out some of these checks on our behalf.
- Managing your accounts and relationship – To administer your accounts, respond to queries, and support your ongoing relationship with us.
- Supporting you in challenging times – Including debt recovery and financial assistance.
- Preventing and detecting financial crime – To identify and respond to fraud, money laundering, and other financial risks.
- Tracing and recovery – To locate individuals for debt recovery purposes.
- Driving innovation and service improvement – To explore new ways of delivering services, improve customer experience, and develop new products and technologies. This may include analysing trends, testing new systems, and using anonymised or aggregated data to inform innovation.
- Managing preferences – To record and respect your marketing and communication choices.
- Engaging with you – When you participate in competitions, prize draws, or ticket giveaways.
- Meeting legal obligations – To comply with laws and regulations that apply to our business.
- Risk and regulatory management – Including credit and liquidity modelling, regulatory reporting, and auditing. This may involve profiling based on your account activity.
- System testing – To ensure our systems and processes work effectively and securely.
- Processing for integration – To support the integration of systems, services, and customer records across our Group, including The Co-operative Bank and its subsidiaries. This helps ensure a consistent experience, maintain accurate records, and deliver services efficiently across the Group.
When can we use your information?
We’re able to use your information for the purposes outlined above, where one of the following applies:
- We use the information to carry out obligations to you, as part of a contractual agreement between you and us (e.g. your mortgage or savings account).
- We have to use the information to comply with the law or regulations.
- We use the information to carry out our legitimate interests where we are able to by law.
- You've given us your consent to use the information.
- We may also use your information to protect your vital interests (in very exceptional circumstances).
These are known as lawful bases for processing personal data. The following section provides more detail on how each basis applies.
In some circumstances you have rights in relation to these lawful bases – in particular consent and legitimate interests. For more information, please see the section ‘What are your rights around personal information?’
Lawful Basis for Processing Your Information
| Legal Basis | How We Use Your Information |
| --- | --- |
| Contract | |
| Regulation & Law | |
| Consent | |
| Legitimate Interests | |
| Vital Interests | |
Accessing Services Across Our Group
As part of our group structure, customers of the Society may be supported in bank branches, and vice versa. To provide a seamless service, staff in either part of the group may access your personal data where necessary, for example, to verify your identity, manage your account, or respond to queries.
This data sharing is carried out securely and in line with data protection laws, ensuring you receive consistent and efficient support regardless of which part of the Group you engage with.
Identity Checks and Fraud Prevention
Under money laundering law, all financial organisations have to confirm a customer’s identity when you apply for an account and at various points throughout your journey as a customer. To do this, we may send your details to a specialist external agency or third-party supplier. If your details change, we’ll ask you to re-confirm your identity, for example, if you apply for another account with us, or you change your name.
If you've provided us permission to use your biometrics (such as your voice data) in order to identify yourself, we'll also share your personal data with a specialist external organisation in order to prevent fraud and protect your personal data.
We may also need to check your identity even if you're not a customer of ours (e.g. if you're an executor going through our bereavement process to close an account).
To support these checks, we may share your information with credit reference agencies and fraud prevention databases. This helps us comply with UK money laundering regulations, protect our services from misuse, and keep your money and personal details secure.
We may verify your identity electronically or request documents to confirm your details. In some cases, we may also carry out identity checks for our legitimate business interests.
We carry out these checks to:
- Make it harder for criminals to use false identities or impersonate others to access financial services.
- Help prevent fraud and stop money laundering.
- Meet our legal and regulatory obligations, including customer due diligence under UK money laundering regulations.
Credit checking
Sometimes, we'll need to share your personal information with a credit reference agency to check that a product or service is right for you.
If you apply for a mortgage, we contact a credit reference agency for details of your credit history. The agency keeps a record of our enquiry (‘search’) and your application, and whether or not you've taken out the mortgage.
We do this for the following reasons:
- Assess your credit worthiness and consider whether we believe you can afford to take out a product or service
- Check the accuracy of information you've provided to us
- Prevent criminal activity and financial crime
- Manage your ongoing relationship with us.
When your mortgage is set up, we give the agencies more information about you, for example, if you pay your mortgage on time. If you apply to another company for credit, they'll then be able to see this information.
Remember, if you apply for a joint mortgage account, your financial information will be ‘linked’ to the other applicant(s) by the credit reference agency, which creates an association between you. We, or other financial organisations, might take this into account when you or any of the other applicants are credit-checked again in future. To prevent this, you must ask the agency to unlink your financial records.
The credit reference agencies we normally use are below, along with how to find their ‘Credit Reference Agency Information Notice’ (CRAIN).
- Equifax Ltd
www.equifax.co.uk/privacy-hub/crain
Customer Service Centre
PO Box 10036
Leicester
LE3 4FS
- Experian
www.experian.co.uk/crain
Consumer Help Service
PO Box 8000
Nottingham
NG1 5GX
- TransUnion
www.transunion.co.uk/crain
One Park Lane
Leeds
LS3 1EP
You can see the information these agencies hold about you, and read their Privacy Notices, on the websites above. Contact them directly and they’ll explain how to make a request and how much it costs.
Fraud prevention and reporting:
Under money laundering law, all financial organisations have to report any suspicious transactions to help detect and prevent crime. When people give us false or inaccurate information and we identify it as fraud, we pass the details to fraud prevention agencies, such as Cifas, National Hunter, Synectics Solutions, National Crime Agency, the police and other law enforcement agencies who may view and use this information.
We and other organisations may also use this information to:
- Detect, investigate and prevent crime, including fraud and money laundering
- Check details on applications for accounts with credit facilities
- Manage credit facilities
- Recover debt
- Check details on claims for all types of insurance.
We also use information recorded by fraud prevention agencies in other countries.
If we determine, based on our information or that of a fraud prevention agency, that you pose a fraud or money laundering risk, we may refuse you the services or financing you've asked for, stop any existing services or refuse to employ you.
The fraud prevention agencies will keep a record of any fraud or money laundering risk, and you may be refused services, financing or work. These agencies can hold your data for up to six years.
For the details of the relevant fraud prevention agencies, ask us. To see the information these agencies hold about you, you’ll need to contact them directly.
Using your data for test purposes
We may use your personal information for testing purposes to help improve our products, services, systems and tools or introduce new ways of working. This may include training AI systems. We'll ensure data minimisation at all times and only use identifiable data where absolutely necessary.
We have rigorous processes in place to keep your personal information safe and secure and we won’t use it in a way that’s unfair.
Using your information for testing is in our legitimate business interests as it helps us to maintain and improve the confidentiality, integrity, availability and performance of systems. It's also a benefit to members where we're able to develop systems to improve member experience with us.
Use of Artificial Intelligence (AI) - Our Commitment to Responsible Innovation
As a mutual organisation, we’re committed to responsibly improving our services and enhancing your experience as a member. As part of this commitment, we’re introducing artificial intelligence (AI) technologies, including generative AI, to help streamline operational processes and deliver better outcomes for our members and customers.
For example, we may use AI within our telephone systems to generate summaries of conversations, help our staff access guidance information so they can help you more quickly, and help our teams ensure our complaints responses are fair and consistent. This enables us to improve customer service, support quality assurance, and develop member-focused solutions.
We take your privacy seriously and apply robust safeguards whenever we use AI. We apply strict data protection principles including data minimisation and anonymisation where possible. Any use of personal data for AI purposes is assessed against our legal obligations under UK data protection law, and we will always be transparent about how your data is used. We are also guided by the UK Government’s AI Regulatory Principles, and we have established an internal AI forum to oversee AI-related activities.
When we use AI, we ensure there is:
- Human oversight: Our colleagues remain involved in reviewing and validating AI-generated outputs.
- Data minimisation: We only use the minimum amount of personal data necessary for the intended purpose.
- Trust in our partners: Where external service providers are involved, we select them carefully and require them to meet our strict data protection standards.
- Security: We apply strong technical and organisational measures to keep your personal data safe.
We rely on our legitimate business interests to use AI in ways that improve how we operate, serve our customers and members, and develop our systems. We ensure that any use of AI is proportionate, fair, and aligned with your rights under data protection law.
Automated decision-making
Sometimes we use technology to make some decisions about you without involving a person. This is called automated decision-making. It helps us assess applications, manage accounts, and protect against fraud.
We may use automated decision-making to:
- Analyse lending risks
- Analyse transactions on your account
- Decide what happens when a bond matures
- Choose what information to send you about our accounts or services.
- Check for signs of fraud or suspicious activity on your account
- Help us meet legal and regulatory obligations, such as UK money laundering rules
We use information you’ve provided in your application, as well as data we already hold about you. In some cases, we may also use information from external sources, such as credit reference or fraud prevention agencies.
You have rights under data protection law concerning automated decisions. If you apply for an account and there’s something about it that means you’d prefer a human to assess it rather than a computer, please let us know before you submit the application. (For example, if you apply for a mortgage and you have a County Court Judgement registered against you). If we make a decision about you using automatic processing, you can also ask us to have one of our team reconsider the decision.
Profiling
We may use profiling to help us understand our customers better and improve the way we deliver our services. Profiling involves analysing your personal information, sometimes alongside data about others, to identify patterns, behaviours, and preferences.
We use profiling to:
- Understand how members interact with our products and services
- Predict future needs or preferences
- Detect and prevent financial crime or suspicious activity
- Support fair and consistent decision-making across our services
- Improve member experience and develop new services
We rely on our legitimate business interests to use profiling in this way, and we always consider the impact on your privacy. In certain circumstances, profiling may also support automated decision-making — for example, when assessing applications or eligibility for specific products.
Supporting You in Challenging Times and Debt Recovery
We may collect and use your personal information to support you during financial difficulties and to recover money owed to us. This includes:
- Assessing whether your individual circumstances have changed.
- Working with you to understand and support your needs.
- Recovering outstanding balances, which may include tracing activity to locate you.
- Deciding on appropriate next steps, such as legal action or engaging a debt recovery agent.
Where necessary, we may share your information with:
- Individuals or organisations acting on your behalf (e.g. Citizens Advice).
- Credit reference agencies, solicitors, tracing and debt collection agents, home visit agents, and debt purchasers.
We may also use profiling to group customers based on behaviours and interactions. This helps us treat customers fairly and consistently and identify those who may need additional support.
In some cases, we process your information under our legitimate business interests (e.g. field visits). We always ensure that this processing is fair, proportionate, and respectful of your rights.
Defaults - If you're struggling to make repayments, please contact us as soon as possible and we will aim to work with you to make any repayments owed.
Inappropriate Behaviour
Protecting our colleagues, members, customers and visitors is necessary for our legitimate business interests and to meet our legal obligations to provide a safe and secure environment.
We define ‘Inappropriate Behaviour’ as any act where a person is abusive, threatening, intimidating, harassing or physically aggressive towards our colleagues, members, customers or visitors to our premises. We will not tolerate inappropriate behaviour in any form.
If an incident occurs, we may use personal data to identify the individual involved and report the matter to our central team. This may include:
- Reviewing CCTV or body-worn video footage
- Identifying individuals through account information, including card details used at ATMs
- Speaking to colleagues who witnessed the incident
- Using the telephone number used to contact us to trace a member profile
- Collecting witness statements
What happens if a report is made?
Our central team will assess the circumstances and severity of the incident and take appropriate action. This may include:
- Monitoring future interactions with our colleagues
- Issuing a written or verbal warning
- Restricting or closing accounts
- Placing an alert on our internal systems
- Reporting the incident to the police or relevant statutory body (e.g. in safeguarding cases)
- Recording your name and details about the behaviour in an internal log
Unless further incidents occur, we will retain details of the inappropriate behaviour for six years, after which the record will be securely deleted.
This information may also be shared across the Group.
CCTV
We use CCTV in our branches, offices, and other operational sites to help keep our customers, colleagues, and premises safe. CCTV may record images of individuals entering or moving within our locations.
We use this information to:
- Help prevent and detect crime
- Support investigations into incidents or complaints
- Assist with internal disciplinary processes where appropriate
- Maintain a safe and secure environment
We rely on our legitimate business interests to use CCTV in this way.
Access to footage is restricted and may be shared in limited circumstances, for example, with the police, regulators, or other authorised bodies where we’re permitted or required to do so by law. In these cases, the lawful basis may be a legal obligation.
We only keep CCTV recordings for as long as necessary, for a minimum of 31 days and a maximum of 90 days, after which, if there is no legitimate purpose to retain the footage.
When we collect or use personal information from individuals who aren’t members or customers
From time to time, we will collect or use personal information from individuals who aren’t members or customers of the Coventry Building Society Group. This could happen when someone:
- Has a Power of Attorney or third-party mandate to act on a member’s behalf.
- Is a Personal Representative registering the death of a member or customer.
- Acts as a guarantor on a member’s mortgage.
- Is a donor contributing to a member’s mortgage deposit.
- Is a parent or guardian accompanying a child opening an account.
- Is supporting a member where they have a vulnerability.
- Raises a complaint but isn’t a member or customer, e.g. you applied for an account but never opened one.
- Acts on behalf of a member in a professional capacity, such as a mortgage broker, financial adviser, solicitor, or accountant, or in a personal capacity, such as a family member.
- Acts on behalf of a member in a personal capacity, such as a family member or friend where someone needs additional help e.g. English is not their first language.
- Is a child with an account opened on their behalf by their responsible adult.
- Is a student attending an event hosted or sponsored by the Group, such as employability skills workshops, insight days, or educational outreach programmes.
In most cases, we’ll collect this information directly from the individual. However, there may be occasions where a member, customer, or event organiser provides someone else’s details. If you’re providing information about another person, we expect that you have their permission to share it and they understand how we may use it.
All individuals, whether they are customers or not, have the same data rights. For more information, please see the section ‘your rights under data protection law’.
Processing for Integration Across the Group
As we bring together our businesses, some of your personal information may be processed by both Coventry Building Society and The Co-operative Bank (including its brands and subsidiaries) as joint data controllers.
This processing supports the integration of our systems, services, and customer records across the Group. It helps us:
- Streamline operations and improve efficiency
- Enhance customer experience across all channels
- Ensure regulatory compliance and effective risk management
- Support strategic planning and decision-making
This may include sharing relevant financial information, transaction histories, and customer profiles between Coventry Building Society and The Co-operative Bank. Both organisations are committed to protecting your data, respecting your rights, and being transparent about how your information is used.
If you are a customer of either organisation, your usual provider will remain your main point of contact for any questions or concerns about your personal information.
Meeting Our Legal and Regulatory Obligations
We are required to collect and use your personal information in a number of circumstances to meet our legal and regulatory obligations.
This includes using your information to comply with requirements set out by our regulators—such as the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA)—as well as relevant legislation, including UK Data Protection Law, Anti-Money Laundering Regulations, and schemes such as the Financial Services Compensation Scheme (FSCS). We may also disclose information to HMRC and other government bodies where required or permitted by law.
We may be required to produce reports or statistical models for regulators or government bodies (e.g. complaints reporting to the FCA or liquidity modelling for banking authorities). To do this, we may use profiling, which involves grouping customer behaviours, interactions, or characteristics to ensure our reporting is accurate and fair.
We also process your personal information to meet ongoing regulatory reporting requirements, which help demonstrate our compliance, financial stability, and customer outcomes.
Collecting Special Category and Sensitive Personal Information
Sometimes we need to collect personal details that are considered sensitive under data protection law. This includes information about your health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, biometric or genetic data, or details about criminal convictions.
We only collect this information when it’s necessary and for specific purposes, such as:
- Supporting your needs – For example, if you could benefit from our Specialist Support team because of health, memory, caring responsibilities, or other life challenges.
- Providing certain products or services – Such as insurance policies or investment products that require health details, or services that use biometric data (e.g., fingerprint access to our app).
- Meeting legal and regulatory obligations – Including checks required to identify criminal convictions or prevent financial crime, such as using behavioural biometrics for fraud prevention.
- Protecting economic well-being – In limited circumstances, we may process sensitive data without consent where the law allows us to do so for reasons of substantial public interest, such as safeguarding the economic well-being of individuals who may be at risk.
In most cases, we’ll ask for your explicit consent before collecting special category data.
If you provide this information in writing or via a secure message while signed in to Online Services, we’ll assume you’re happy for us to record it unless you tell us otherwise.
If someone acting on your behalf provides this information, we’ll record what’s shared and who provided it. Once recorded, we will attempt to let you know we have the data and ask if you are happy for us to retain it.
You can withdraw your consent at any time. This won’t affect any use we’ve already made of the information before you withdrew consent.
For fraud prevention purposes, we may collect and use behavioural biometrics without asking for consent, as this is necessary to protect you, Coventry Building Society, and the wider financial system from crime. This data is not directly linked to your name or contact details and will never be used for any other purpose.
Tax reporting
We have to give information about you and your savings accounts to HM Revenue & Customs. For example, to verify that our customers aren’t saving more than the annual allowance in ISAs, and to make sure people with tax residency in other countries are complying with the law.
Transferring data outside the EEA
Occasionally we or a supplier may need to transfer data to countries outside the European Economic Area (EEA). This could be, for example, for tax reporting purposes.
Some of these countries may not have the same standard of data protection laws as we do here in the UK. In these circumstances, we use safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office
- The UK International Data Transfer Agreement (IDTA)
- Adequacy decisions where the UK government has recognised a country as providing an adequate level of protection
- Encryption and secure transfer protocols to protect your data in transit
Where fraud prevention agencies transfer your personal data outside the UK or EEA they are required to ensure appropriate safeguards are in place. This may include contractual obligations and participation in recognised international frameworks that ensure secure and lawful data sharing.
Who we share your information with
We’ve outlined below the types of organisations that we may share your personal information with. However, we'll only share your information with other organisations for the reasons detailed in this notice. We'll never sell your information to anyone else and we'll never use your information to send you marketing for products or services sold by other organisations.
1. Group Companies
Other organisations within our Group, including The Co-operative Bank plc and its subsidiaries, to support service integration, streamline operations, and deliver a consistent customer experience.
2. Service Providers and Partners
We share your personal information only with trusted organisations that help us run our business and provide services to you. These include:
- Financial service providers – for example, our clearing bank and payment service providers who process electronic payments into or out of your account, and insurance providers or administrators who need your information to create quotes, renew policies, and handle claims.
- Mailing, data management and IT service providers – to support secure communication and maintain our systems.
- Marketing agencies and promotional partners – for competitions, prize draws, ticket giveaways, and other promotions. Your data will only be used for these purposes and will never be sold to them.
- Market research companies – to carry out surveys, focus groups, or other research on our behalf.
- Organisations providing data services – to support our relationship with you and the operation of our business.
- Third-party processors who help manage accounts – This includes organisations that support account management and related services, such as customer verification and identity-check providers for fraud prevention and anti-money laundering compliance, outsourced customer service centres to handle account queries and specialist account management firms for complex or high-risk accounts.
We may change the companies we use or appoint new ones to provide services. When we do, they must meet our strict requirements for security and privacy to protect your personal information.
3. Authorised Third Parties
Individuals or organisations you’ve authorised us to deal with, such as family members, legal representatives, or financial advisers.
4. Regulatory and Legal Bodies
We may share your personal information with organisations that have a legal or regulatory role, including:
- Credit reference agencies – such as Equifax and Experian.
- Tax authorities – including HM Revenue & Customs (HMRC) and other relevant bodies.
- Financial protection schemes – such as the UK Financial Services Compensation Scheme (FSCS).
- Regulators – for example, the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and the Information Commissioner’s Office (ICO).
- Dispute resolution bodies – such as the Financial Ombudsman Service.
- Law enforcement agencies – where required by law or to prevent crime.
- Fraud prevention agencies – to help detect and prevent fraud.
- Government bodies and agencies – where necessary for compliance with legal obligations.
5. Mortgage-Related Sharing
If you apply for or hold a mortgage with us, we may share your information with:
- Your employer – to confirm your income and employment details.
- Your mortgage intermediary or broker – if you use one, so they can provide their services to you.
- Legal representatives – acting for you or for us in connection with your mortgage.
- Property valuers or surveyors – to assess the value of the property.
- Debt counsellors or specialist support services – if you experience payment difficulties or cannot repay your mortgage balance.
- Field agents – for home visits and customer support.
- A guarantor of your mortgage and their legal adviser – where applicable.
- Credit reference agencies – such as Equifax or Experian, for credit checks and ongoing account management.
- Other lenders – who also hold a charge on the property.
- Third parties involved in secured funding arrangements – where required under the terms of those programs.
6. Savings Account Applications via Third Parties
If you apply for a savings account through a third-party organisation, we may receive or share information to set up your account and manage it. This can include:
- Employee Benefits Schemes – where you apply through a third-party partner as part of a scheme provided by your employer.
- Investment Providers – where you apply via an investment platform or provider.
We only share the information necessary to process your application and administer your account, and all third-party partners must meet our strict security and privacy requirements.
7. Other Third Parties
Examples of organisations we may share your information with:
- Industry Crime Prevention – We may share your personal data with other financial institutions, industry bodies, and law enforcement agencies for the purposes of preventing and detecting crime, including fraud and financial crime. This helps protect you and the wider financial system.
- Insurers and reinsurers – if you apply for insurance through us or make a claim.
- Other financial services providers.
- Companies and organisations that introduce you to us.
- Land agents.
- Card schemes and associations (e.g. Visa).
- The Direct Debit scheme.
- Payment processors (e.g. BACS).
- Retailers.
- Comparison websites.
- Electoral service providers (e.g. Civica Electoral Services) to help us run our AGM.
In exceptional circumstances, and only with your authorisation or where it’s in your vital interests, we may share limited information (e.g. contact details) with healthcare or wellbeing organisations.
If we transfer, sell, or merge parts of our business, your information may be shared as part of that process.
We may share information with these groups at different times throughout the life of your mortgage.
How long we keep your information
We keep your personal data for as long as we need it to provide services to you and meet our legal and regulatory obligations.
We’ll keep your data while you:
- Have an open account with us.
- Have applied for or enquired about a product.
- Have made a complaint.
We’ll also keep it for a period after:
- You close your account.
- Your product application date.
- Your complaint has been resolved.
This extra time is required to meet legal, regulatory, and record-keeping requirements.
While we hold your data:
- We keep it safe and secure.
- We regularly review how long we keep it to make sure we only hold it for as long as necessary.
When we no longer need your data we’ll delete or destroy it securely, in line with our data retention rules.
If you’d like more details about how long we keep your information, please email us at: Data.Protection@thecoventry.co.uk
Keeping your information up to date
To provide you with the best possible service and meet our legal and regulatory obligations, it’s important that the personal information we hold about you is accurate and current. Out-of-date information can affect how we communicate with you, manage your accounts, and protect your data.
We ask that you let us know promptly if any of your details change, such as your name, address, contact information, or other relevant personal data. Keeping your information up to date helps us:
- Ensure you receive important updates and account information.
- Protect your privacy and security by reducing the risk of misdirected communications.
- Comply with legal and regulatory requirements.
Your rights under data protection law
Withdrawing your consent
Where we’re relying on your consent to process any of your information you have the right to withdraw it at any time.
If you’re a member or customer and you’ve consented to marketing, you can change your preferences at any time via Online Services, by post, phone or by popping into branch.
Remember that it’s often essential that we hold or share your information. For example, if you’re applying for a mortgage and don't want us to share your details with a credit reference agency, then we can't go ahead with your application.
Data Subject Rights
You have a number of rights relating to the personal information that we hold about you. These rights are:
- The right to be informed about how we process your personal information
- The right to have your personal information corrected or updated if it’s inaccurate or incomplete
- The right to object to us processing your personal information
- The right to restrict how we process your personal information
- The right to erasure (also called the right to be forgotten)
- The right of access to your personal information and details about how we process it
- The right to move, copy or transfer your personal information (this is called the ‘right to portability’)
You can make a request in relation to your rights at any time. However, some of these rights are only available in specific circumstances and sometimes we won’t be able to complete your request because of another obligation or exemption. For example, if we are legally obliged to process certain information the right of erasure will not apply.
If you make a request, we’ll review it and get back to you as soon as possible – always within one month unless we need to extend this for any reason. We’ll let you know if we need more time to respond.
For more detail on these rights please visit our data rights page on our website at https://coventrybuildingsociety.co.uk/member/help/your-data-rights.html
How to make a request under any of these rights
To ask us about these rights or to make a request, get in touch via one of the options listed below.
For security, we’ll need to confirm a few details before we can share any information.
Ways to make a request:
- Online portal
  Submit request
- By post
  Download the Data Subject Rights Request form
  Send it to:
  FREEPOST CBS CUSTOMER SERVICES
  (Write the address exactly like this – in capital letters and all on one line)
- By email
  Email the completed form to Data.Protection@thecoventry.co.uk
We’re here to help. You can contact us:
- By email: support@thecoventry.co.uk
- By phone: 0800 121 8899
- At a branch: Find opening hours
To make a request to credit reference agencies, fraud prevention organisations or brokers, please contact them directly.
If you’re not happy
If you’re not happy about something we’re doing, please let us know. We sort out most problems very quickly. We aim to resolve any concerns promptly and fairly.
If you have a complaint about data protection or how we use your data, contact our Data Protection Office at Data.Protection@thecoventry.co.uk.
Or you can complain at any time to the Information Commissioner’s Office, an independent government organisation.
Find out more at:
Or write to:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow SK9 5AF
Changes to our Privacy Notice
This Notice is effective from January 2026.
From time to time, we may update the ways we use your personal information. When we do, we’ll publish the latest version of our Privacy Notice on our website and let you know about any significant changes.
We encourage you to check our website regularly so you’re always up to date on how we use your information and your rights.
Just so you know, if you choose not to accept certain changes, it might mean we’re unable to continue providing some products or services to you.