Our Privacy Policy

Privacy Policy

This Privacy Policy explains how First Response Finance uses your personal information and sets out your rights under the General Data Protection Regulation (GDPR).

Who we are

Your personal information will be held by First Response Finance Limited. If you have any questions, or would like to find out more about how we use your personal information, please contact our Operational Risk team.

Phone number

0115 946 6368

Email address

dataprotection@frfl.co.uk

How your data's protected

For First Response Finance to use your personal information, including sharing it outside of First Response Finance Limited, we must have a lawful basis for doing so. The legal basis on which we may use your data must be one or more of these reasons:

  • To enter into a contract with you
  • When it is our legal duty
  • Where there is a legitimate interest
  • When you consent to it

Legitimate interests explained

Legitimate interests mean we may process your information for reasons that are important to running our business, improving our services, or ensuring responsible lending, as long as this does not unfairly impact your rights.

Recognised Legitimate Interests

  • Crime prevention & fraud prevention
  • Network and information security
  • Direct marketing

How we may use your personal information

Below is a list of the ways in which we will use your personal information, the lawful basis we rely on to process it, and where we process based on legitimate interests.

To provide you with our products and services

To allow us to process your application, we will use your personal information to assess your suitability for finance.

Lawful basis: fulfilling a contract, legal duty, and legitimate interests.

Our legitimate interests: promoting responsible lending and helping to prevent over‑indebtedness.

To prevent, detect, investigate and report financial crime.

Managing our agreement and relationship with you

We will process your information to ensure that you're able to fulfil your obligations under your credit agreement and to communicate with you to provide and manage your needs.

Lawful basis: fulfilling a contract, legal duty, and legitimate interests.

Our legitimate interests: to make and manage the payments required under your agreement and to recover money and assets that are owed to us.

Our legal obligations

We may process your information for the prevention, detection, and investigation of fraud and money laundering; to comply with laws and regulations that we have to adhere to for auditing purposes; and where we're obliged to disclose information by reason of any law, regulation, or court order.

Lawful basis: legal duty.

Our legitimate interests: to defend any legal claims made against our company.

Staff training and awareness

To provide training to our employees to enhance or review the service we provide, or have provided, to you.

Lawful basis: legitimate interests.

Our legitimate interests: developing and improving our employees' knowledge and expertise to ensure you're provided with the most efficient service.

To send you marketing material

To provide you with information on other products and services we can offer you.

Lawful basis: legitimate interests.

Our legitimate interests: to send information on similar products to individuals who have not previously objected to receiving marketing material.

You can ask us to stop sending you marketing at any time by contacting us using the details below.

Use of anonymised and aggregated data

We may use or share anonymised or aggregated information to help us analyse trends, improve our products and services, and understand how customers use our services. This information does not identify you and is not considered personal data under data protection laws. We may work with carefully selected third‑party partners to carry out analysis or research using this anonymised information, and these partners will not be able to identify you from the data we provide.

What personal information will we collect and process?

The types (or categories) of personal information we'll collect about you and process are:

  • Personal identifiers - information which can identify you, such as your name and date of birth
  • Contact details - information on where you live and how we may contact you to discuss your agreement
  • Financial details - your financial position, history, and bank account information
  • Employment - your current employment status and employment history
  • Documentary data - documents provided by you, i.e., passport, driving licence, payslip(s), and/or bank statement(s)
  • Public records and open data - information about you on public records such as the Electoral Register and information openly available on the internet
  • Location data - information we receive from your device when you visit our website or log in to your online account
  • Special category data - sensitive personal information provided with your consent

Why we need your personal information

We need to collect your personal information in order to enter into a finance contract with you. If you choose not to provide this, we may not be able to offer you our products and services.

Where we collect your personal information from

We may collect personal information directly from you, from dealers, credit reference agencies, fraud prevention agencies, agents working on our behalf and other sources such as public databases.

Who we share your personal information with

Below is a list of organisations with which First Response Finance Limited may share your personal information:

  • Agents (tracing, debt collection, vehicle repossession, and car auction) who assist us in ensuring you fulfil your obligations under your finance agreement
  • Government and law enforcement agencies
  • Regulators and other authorities, i.e., DVLA
  • Independent vehicle inspection companies
  • Feedback service providers
  • Communication management companies
  • Payment system providers, including the Direct Debit Scheme and BACS
  • Legal and professional advisors including auditors
  • Courts to comply with legal requirements
  • Technology business partners
  • Vehicle dealerships

We also share your personal information with the following agencies:

Credit reference agencies

When you apply for a product or service, we'll carry out credit and identity checks on you with one or more credit reference agencies.

To do this, we will supply your personal information to credit reference agencies and they will give us information about you. This will include information from your credit application and facts about your financial situation and financial history. Credit reference agencies will supply to us both public (including the electoral register) and shared credit, financial situation information, financial history information, and fraud prevention information.

We will use this information to:

  • Assess your creditworthiness and whether you can afford to take the product
  • Verify the accuracy of the data you have provided to us
  • Prevent criminal activity, fraud and money laundering
  • Manage your account(s)
  • Trace and recover debts
  • Ensure any offers provided to you are appropriate to your circumstances

We will continue to exchange information about you with credit reference agencies while you have a relationship with us. We will also inform credit reference agencies about your settled accounts. If you borrow and do not repay in full and on time, credit reference agencies will record the outstanding debt. This information may be supplied to other organisations by credit reference agencies.

When credit reference agencies receive a search from us, they will place a search footprint on your credit file that may be seen by other lenders.

If you're making a joint application, we will link your records together, so you should discuss this with your partner and share this information with them before lodging the application. Credit reference agencies will also link your records together, and these links will remain on your and their files until you or your partner successfully files for a disassociation with the credit reference agencies to break that link.

The identities of the credit reference agencies, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods, and your data protection rights with the credit reference agencies are explained in more detail within the Credit Reference Agency Information Notice (CRAIN).

This notice is accessible from the following credit reference agencies:

  • TransUnion
  • Equifax
  • Experian

Fraud prevention agencies

General

Before we provide services, goods, or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers (including IP address), and vehicle details.

We, and fraud prevention agencies, may also enable law enforcement agencies to access and use your personal data to detect, investigate, and prevent crime.

We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested.

Fraud prevention agencies can hold your personal data for different periods of time, and if you're considered to pose a fraud or money laundering risk, your data can be held for up to six years.

Data transfers

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to 'international frameworks' intended to enable secure data sharing.

Your rights

Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data, to request that your personal data is erased or corrected, and to request access to your personal data.

Transfer of data outside of the European Economic Area

When transferring personal data outside the UK, we apply the DUAA‑updated adequacy framework, including assessment of proportionality, regulatory environment, and safeguards.

In the event that First Response Finance Limited is required to transfer data outside of the European Union, we will:

  • Only do so with either your consent, or where we have a legal basis for processing
  • Put in place a contract with the organisation to ensure the data is protected to the same standards as if it were still within the European Union

Any international transfer assessments reflect the updated Data Use and Access Act 2025 (DUAA) adequacy test.

How long we retain your personal information for

We'll keep your personal information for as long as you're a customer of First Response Finance Limited.

Once you're no longer a customer, we may retain your personal information for up to seven years. The reason for this is:

  • Adherence to regulations applicable to us
  • To respond to questions or complaints from when you were a customer

Your rights as an individual

How to access your personal information

You have the right to access the personal information we hold on you. To exercise this right, please contact our Operational Risk team.

Under the Data (Use and Access) Act 2025, we are required to carry out a reasonable and proportionate search when responding to a subject access request. This means we may not search systems or archives where the effort would be disproportionate to the benefit for the individual.

Address

Operational Risk
First Response Finance Limited
Chetwynd Business Park
5 Regan Way, Chilwell
Nottingham
NG9 6RZ

Phone number

0115 946 6368

What if your personal data is incorrect?

You have the right to have your data corrected if it's inaccurate or incomplete. Contact us if you would like us to do this, and we will take reasonable steps to check its accuracy and correct it.

Deleting your personal data

You have the right to ask us to erase your personal data. Contact us if you would like us to consider your request. If we're unable to comply with your request for erasure, we will explain to you why.

How to restrict the processing of your personal information

You have the right to request that we cease processing the personal information we hold about you if it is not accurate, it has been used unlawfully and you don’t want us to delete it, or your information is no longer relevant but you wish for us to keep it for use in legal claims. Contact us if you would like to exercise this right.

Data portability

You have the right to ask us to provide you with a copy of the personal information you provided to us or to request that we transfer this data to another organisation in a format that can be easily re-used. Contact us if you would like to exercise this right.

If you want us to stop using your personal information...

You have the right to object to our use of your personal information. There may be legal reasons why we need to keep your data; however, contact us if you think we should not be using it.

Automated decision making (including profiling)

What do we mean by automated decisions?

An automated decision is a decision made solely by automated means (using computer systems and algorithms) without human involvement, which produces legal effects about you or similarly significantly affects you (for example, a decision to approve or decline credit). Under changes introduced by the Data (Use and Access) Act 2025 (DUAA), organisations may make significant automated decisions in wider circumstances, provided specific safeguards are in place.

When we make automated decisions

We may use automated decision‑making to:

  • Assess credit applications and the risk of non‑payment using information you provide, information we already hold, and information obtained from credit reference agencies (e.g., credit history, indebtedness indicators, and affordability signals).
  • Price and tailor offers where permitted, using risk‑based models to help ensure fair and consistent outcomes.

We do not use special category personal data (e.g., health, biometrics) to make these decisions. Where any processing could involve special category data, it would not be used to make a solely automated decision with legal or similarly significant effects.

Why we do this (lawful bases)

We rely on:

  • Contract – to take steps at your request before entering a credit agreement and to make and manage your agreement if approved.
  • Recognised legitimate interests – to protect the security of our systems and prevent fraud, and to ensure consistent, objective credit decisions (DUAA recognises certain legitimate interests, including fraud prevention and network/security).

The logic involved (in brief)

Our credit and pricing models evaluate factors such as the information in your application, your prior history with us (if any), and information from credit reference agencies (including repayment history and outstanding obligations). These models apply statistically‑derived rules and thresholds to estimate affordability and likelihood of repayment; if a result crosses a threshold, the decision may be to approve, decline, or refer for review.

Your rights where a significant automated decision is made about you

Whenever we make a decision based solely on automated processing that has legal or similarly significant effects, you have the right to:

  • Obtain human intervention – ask us to have a qualified colleague review the decision.
  • Make representations – provide additional information or context you believe we should consider.
  • Challenge the decision – ask us to re‑assess the outcome.

These safeguards reflect the DUAA’s updated framework for automated decision‑making.

How to exercise these rights

If you want a human to review a decision, to make representations, or to challenge an outcome, please contact us using the details in “How to contact us”. We will explain the decision we reached, the key factors considered, and the steps we will take to review it. We will respond without undue delay and within applicable statutory timeframes. 

Marketing‑related profiling (not significant decisions)

We may use profiling to help us tailor marketing and measure campaign effectiveness. These activities do not produce legal or similarly significant effects; you can opt out of marketing at any time, and we will stop such profiling for marketing purposes. (Consent remains required for certain marketing cookies and tracking technologies.)

Why the DUAA matters here

From 5 February 2026, the DUAA expanded when UK organisations may rely on automated decision‑making, provided they implement the safeguards listed above and maintain high standards of transparency and fairness. Our approach reflects this updated framework.

Cookies and tracking technologies

Our use of cookies complies with the Privacy and Electronic Communications Regulations (PECR), as amended by the Data (Use and Access) Act 2025.

What Are Cookies? 

Cookies are small text files stored on your device when you visit our website. They help our site function properly, improve performance, and allow us to understand how visitors use the website. Some cookies are essential for our services to work; others help us improve your experience.

Types of Cookies We Use

Strictly Necessary Cookies

These cookies are essential for core site functionality, security, and network management. You cannot turn these off, as the site will not work without them. 

Analytics & Performance Cookies

These help us understand how users interact with our website—for example, which pages are visited and how long people spend on them. Under the Data (Use and Access) Act 2025, we may set certain analytics and statistical cookies without requiring your consent, as long as they are used to improve site functionality and do not identify you directly.  

Functionality Cookies 

These enable enhanced features such as remembering your preferences or improving the quality of customer interactions. The DUAA now allows some functionality cookies to be used without opt‑in consent, provided they are genuinely necessary to improve the website experience.  

Marketing & Targeting Cookies 

These cookies help us deliver relevant advertising or track the effectiveness of marketing campaigns. We will always request your consent before placing these cookies on your device, as required under PECR and the UK GDPR.

Why We Use Cookies

We use cookies to:

  • Ensure the website functions securely and reliably.
  • Improve site performance and user experience.
  • Measure usage to help us develop and refine content.
  • Support fraud prevention, network security, and system reliability, which align with recognised legitimate interests under the DUAA.
  • Deliver relevant marketing (only where consent is provided). 

Legal Basis for Using Cookies

Depending on the category of cookie:

Strictly necessary cookies – used as part of our legitimate interest in ensuring the IT security, functionality, and stability of our digital services.

Analytics and functionality cookies – may be used without consent under the DUAA where they support statistical or functional improvements.  

Marketing cookies – used only with your explicit consent. 


Managing Your Cookies

You can manage your cookie settings at any time through your browser or device controls. Most browsers allow you to:

  • Block all cookies
  • Block cookies from specific sites
  • Delete cookies when you close your browser

If you disable certain categories of cookies, parts of the site may not function as intended.

Third‑Party Cookies

Some cookies are provided by trusted external partners (for example, analytics or advertising providers). These third parties may process information in line with their own privacy notices. We review these partners to ensure appropriate safeguards are in place.

Updates to This Section

We may update this Cookies section to reflect changes in law, technology, or our practices. Material changes will be clearly indicated on this page.

Links to other websites

Where we provide links to websites of other organisations, this Privacy Notice does not cover how that organisation processes personal information. We encourage you to read the Privacy Notices on the other websites you visit.

What to do if you want to make a complaint – How to Complain.

Right to Complain Directly to Us First

Under the Data (Use and Access) Act 2025, individuals may raise complaints directly with us before approaching the regulator.

If you remain dissatisfied with our response to your complaint, you may escalate it to the Information Commissioner's Office (ICO), which regulates the processing of personal data. You can do this by calling them on 0303 123 1113, or via the ICO website.

First Response Finance is a responsible vehicle finance lender, and all decisions are made in the best interests of the customer; based on credit scores, status, and income at the time of application. We'll never approve an application if we believe you might struggle with repayments.

Get independent advice on money, finance products, debt management and budgeting through Citizens Advice and MoneyHelper.

Updated 12 February 2026